Security Policy Development
Do you have published IT Security Policies and Procedures? If not, you need them!
All businesses should have written IT Policies and Procedures, and many are required by statute to maintain them and to report on them to regulators.
For example, New York State's Department of Financial Services proposed its Cybersecurity Regulation, 23 NYCRR Part 500, in 2016 (it took effect March 1, 2017). It requires organizations licensed or regulated under the state's Banking, Insurance, or Financial Services Laws, with only limited exemptions for the smallest entities, to put a cybersecurity program and written policies in place and to file an annual certification of compliance with the State.
Regulations aside, all businesses should have published, comprehensive policies and procedures for Information Technology.
Your Policies & Procedures Document will include over 100 pages of:
- Acceptable Encryption Policy
- Acceptable Use Policy
- Clean Desk Policy
- User Awareness Training Policy
- Data Destruction Policy
- Data Breach Response Policy
- Disaster Recovery Plan Policy
- Digital Signature Acceptance Policy
- Email Policy
- Ethics Policy
- Pandemic Response Planning Policy
- Password Construction Guidelines
- Password Protection Policy
- Security Response Plan Policy
- End User Encryption Key Protection Policy
- Web Application Security Policy
- Acquisition Assessment Policy
- Bluetooth Baseline Requirements Policy
- Remote Access Policy
- Remote Access Tools Policy
- Router and Switch Security Policy
- Wireless Communication Policy
- Wireless Communication Standard
- Database Credentials Policy
- Technology Equipment Disposal Policy
- Information Logging Standard
- Lab Security Policy
- Server Security Policy
- Software Installation Policy
- Workstation Security (For HIPAA) Policy
Is it a Policy, a Standard, or a Guideline?
What’s in a name? We frequently hear people use the names “policy”, “standard”, and “guideline” to refer to documents that fall within the policy infrastructure.
According to the SANS Institute:
A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.
A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows 10 workstation for placement on the network. People must follow this standard exactly if they wish to install a Windows 10 workstation on an external network segment. In addition, a standard can be a technology selection, e.g. Company Name uses XYZ AntiVirus for all systems, and supporting policies and procedures define how it is used.
A guideline is typically a collection of system specific or procedural specific “suggestions” for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.