Security Policy Development

Do you have published IT Security Policies and Procedures? If not, you need them!

All businesses should have written IT Policies and Procedures, and many are required by statute to maintain and report on them to governing organizations.

For example, in 2016 New York State enacted new Cybersecurity Regulations, known as 23 NYCRR 500, which require ANY organization operating under the State's Insurance, Banking, or Financial Services Laws, even peripherally, to meet several requirements and file compliance documents with the State.

Regulations aside, all businesses should have published, comprehensive policies and procedures for Information Technology.

We’ll Develop and Publish Your Custom IT Policies Document

  • Meetings with key personnel
  • Discussion of regulatory responsibilities and requirements
  • Development of baseline document inclusions
  • Coordination with HR policies and procedures
  • Employee education and training needs
  • Outside vendor expectations

Ongoing Risk Assessment Services Available:

  • Penetration Testing
  • Website Intrusion Testing
  • Social Engineering Testing

Key Policy Components

According to NIST* a complete IT Policy and Procedures Document will contain the following topics:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Your Policies & Procedures Document will include over 100 pages of:

General

  • Acceptable Encryption Policy
  • Acceptable Use Policy
  • Clean Desk Policy
  • User Awareness Training Policy
  • Data Destruction Policy
  • Data Breach Response Policy
  • Disaster Recovery Plan Policy
  • Digital Signature Acceptance Policy
  • Email Policy
  • Ethics Policy
  • Pandemic Response Planning Policy
  • Password Construction Guidelines
  • Password Protection Policy
  • Security Response Plan Policy
  • End User Encryption Key Protection Policy

Application Security

  • Web Application Security Policy

Network Security

  • Acquisition Assessment Policy
  • Bluetooth Baseline Requirements Policy
  • Remote Access Policy
  • Remote Access Tools Policy
  • Router and Switch Security Policy
  • Wireless Communication Policy
  • Wireless Communication Standard

Server Security

  • Database Credentials Policy
  • Technology Equipment Disposal Policy
  • Information Logging Standard
  • Lab Security Policy
  • Server Security Policy
  • Software Installation Policy
  • Workstation Security (For HIPAA) Policy

Is it a Policy, a Standard, or a Guideline?

What’s in a name? We frequently hear people use the names “policy”, “standard”, and “guideline” to refer to documents that fall within the policy infrastructure.

According to the SANS Institute:

A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.

A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows 10 workstation for placement on the network. People must follow this standard exactly if they wish to install a Windows 10.1 workstation on an external network segment. In addition, a standard can be a technology selection, e.g. Company Name uses XYZ AntiVirus for all systems, and supporting policies and procedures define how it is used.

A guideline is typically a collection of system-specific or procedural-specific “suggestions” for best practice. They are not requirements to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.