How to create and enhance security policies for your business!


As more and more businesses either voluntarily increase their security posture or are forced to, the first step is developing and documenting good security policy and procedure.  There are only a few times where I have not performed this essential step before making changes to the environment.  Writing security policy is a large task that encompasses everything from the HR hiring process, to change management, to audit logging, all the way to the HR termination procedure.  Due to the breadth and depth of security policy, there are a number of items that need to be performed before starting.

Step 1:  Approach upper management and seek their buy-in and approval.

This may or may not be a quick and easy thing to accomplish.  If your company falls under HIPAA, PCI DSS, SOX or other security regulations and standards, this may be a very simple task.  This task becomes more challenging if upper management does not see the value of, or the need for, creating a large number of security policies.

If your organization falls into this latter category, here are a few tips to assist in convincing them of the need for increased security.  I will use ISO/IEC 27001:2013 as an example.  Seeking ISO 27001 certification can be used as a key selling feature: your company can leverage it and market it to its customers to help acquire new business.  And what would it cost the company in reputational risk if there was a security breach?

Step 2: Perform a risk assessment.

Be honest in assessing what is being performed well in the company, and be fair to both the good and the bad.  The first risk assessment will usually not be perfect, and that is quite normal.  This risk assessment can also be used to help prepare a disaster recovery plan.  A disaster recovery plan is one of the policies that will be needed, as surviving a disaster is good security practice.

Step 3: Assign a project manager or responsible party.

This is the key person who will be the glue that keeps the project going, but who must also have enough authority to get different departments to work together.  HR, Facilities, Accounting, IT and Development are some of the departments that will be impacted by policy.  This means the project manager needs to be someone who is either in management or otherwise capable of making all of those departments work together.

Step 4: Review the security requirements that will be followed, and train the employees who are involved.


Decide on what security framework, if any, to follow.  I personally like NIST due to it having lots of examples of what to do and how to perform some of the tasks.  If your company will be audited, it is a really good idea to follow whichever security framework will be used to evaluate your company.  The auditor will thank you if you follow the method that will be used to evaluate your company.

Step 5: Use one writing format for all policy authors.


Create a single template for all employees who will be writing policy, create a place for them to submit their initial versions, assign an editor/reviewer, and create a numbering schema so that each policy has a unique, stable identifier.

Step 6: Start writing.


It is best to first write down in the policy what the company actually does, and then evaluate it for changes.  Keep in mind that when an auditor comes to review your policy, your company will be asked to show proof that the policy is followed and that the people who should know about the policy do know it.

Good Luck!   Let me know how your policy writing goes, and check back here for the follow-up posts, to be published soon, that will go into each of these steps in more detail!