When we talk to clients as part of an IT audit we often find that policies are a concern, either the policies are out of date or just not in place at all. This often stems from the fact that no-one has been assigned to a permanent security role. It's left for IT to do when they have time. Of course IT never has time for security and compliance because they are rolling out new and fixing last week's technology.
In the following series we will cover 10 critical IT policies at a high level for the purpose of understanding their purpose as a foundation for data governance. The following are not complete policies, but summaries that can serve as a general framework for training purposes.
It all starts with Governance, so let's first consider the FFIEC cyber security maturity model for governance. Notice below how that as we move from Baseline towards Advanced that the statements are more detailed and proactive vs universal or vague. IE: Baseline: Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs. Advanced: The board or board committee approved cyber risk appetite statement is part of the enterprise-wide risk appetite statement.
IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives. ... The IT Governance Institute (ITGI)
So now that we have our starting point - governance - we can now proceed with a minimum set of 10 IT policies. Your organization may need many more. We will cover five in this article and the remaining five in Part 2 of this series.
I know policies are not exciting and not many people like to write them but they are a necessary foundation for systems security management. Policies don't have to be long or too wordy; If you have too many or they are too complicated they will probably just be ignored. Regarding policies we often state "say what you do, and do what you say", that way no one will ever use them against you. Don't just implement a generic template unless you are very diligent in making it yours, each enterprise or small business is often unique and as such policies must match the culture, technology, compliance standard and business priorities! IE: Risk appetite in a DoD environment, vs a car dealership is very different. Here are the IT policies that should be covered:
- AUP (Acceptable Use Policy)
- Security Awareness
- Information Security
- Change Management
- Incident Response
- Remote Access
- Vendor Access
- Media destruction, Retention & Backups
1 AUP (Acceptable Use Policy)
Purpose: To inform all users on the acceptable use of technology.
The AUP sets the stage for all employees to assure that they know the rules of the road. In this policy we cover defining corporate resources: The company's computer network, host computers, file servers, application servers, communication servers, and mail servers, fax servers, etc. Also remember to consult your legal department when writing and releasing policies that impact the corporation. Your legal department may even have a standard AUP that you can use. The following are important areas to cover in an AUP.
- Use of Computer Resources
- No expectation of privacy
- Legitimate business purpose
- Responsibility for passwords
- Standard footers for e-mail
- Communication of trade secrets
- Duty not to waste computer resources
- Illegal copying
- Inappropriate or unlawful material
- Altering attribution information
- Accessing other user's files
- Accessing other computers and networks
- Computer security
- Use of encryption software
- Monitoring of Computer Resources
- Remote Access
- Personal equipment
- No maintenance, modification or addition
Sign up for CIO Asia eNewsletters.