Building Information Security Policies & TrainingMay 26, 2011
By Mike Chapple
Get Executive Approval, Craft A Thoughtful Policy & Convey That Policy to Your Employees
Does your organization have a formal information security policy in place and a training program to ensure that that policy is clearly communicated to employees? If not, you may be behind the curve, exposing your organization to both security risk and legal liability.
Policies form the cornerstone of an organization's information security program, underscoring management support in the minds of employees and providing clear statements of the organization's security philosophy and requirements. Richard Starnes, president of the Bluegrass Chapter of the Information Systems Security Association (www.issa.org), feels that there are two main drivers for these policies in practice. "Largely, the need for information security policies is driven by regulatory compliance and the need for good governance," Starnes says. Organizations subject to the requirements of PCI DSS, GLBA, or HIPAA are among the many that must maintain an information security policy, while others should do so as a matter of best practice.
If laws or regulations affecting your industry do not explicitly require the presence of a security policy, it still may be prudent from a legal perspective, according to Dallas-based attorney Ben Wright. "An information security policy can help an enterprise avoid (or reduce) legal liability for security mistakes, such as a leakage of personally identifiable information," Wright says. He cites the precedent of Guin v. Brazos Higher Ed. Service Corp, Inc., where the court cited the fact that the company had a written security policy as one of the reasons the company was not liable after losing a laptop containing information about student loan recipients.
When designing a security policy, Starnes feels that the most important starting point is a statement of support from executive management. "If that does not exist, the rest of the policy isn't worth the paper it's printed on," Starnes says. Without such a statement, the policy is likely to gather dust on a shelf rather than becoming a living part of the organization's security culture.
Jim Lippie, president of Thrive Networks (www.thrivenetworks.com), says that information security policies should be data-focused and designed to protect an organization against the consequences of a data breach. "As a result, it's important that policies take a precautionary, proactive stance on security," Lippie adds. He suggests several key elements that should be included in any information security policy:
- Password policies should provide guidelines for password length, complexity, and expiration date. Many organizations require that passwords be at least eight characters long and contain a mixture of uppercase and lowercase letters, numbers, and special characters. Lippie also recommends a 90-day password change cycle.
- Lost or stolen devices should also be addressed in the policy. In addition to requiring encryption for data stored on mobile devices, organizations should require that employees promptly report their loss to allow for the activation of remote wiping technology. "Though employees may not want to admit when their device is lost or stolen for fear of embarrassment or getting in trouble, it's important that they do so right away," Lippie says.
- Access policies should dictate who may be granted access to information and the process for approving access permission additions, modifications, and removals. The policy should also require a process for de-provisioning accounts for users when their roles within the organization change or they are terminated.
- Information handling policies provide details on acceptable uses of information within your organization. You may include requirements for encrypting sensitive information, physically destroying hardware at the end of its useful life, limiting the use of electronic mail for sensitive data, and similar requirements.
Of course, this list is just a starting point. The actual contents of an organization's security policy should be driven by the firm's unique business requirements, culture, and operating environment.
Training & Awareness Programs
Developing an information security policy is just the beginning of your adventure. Once you've created the policy, you should remember Starnes' warning about it gathering dust on a shelf. One way to do this is to have a comprehensive training program for your staff. "At a minimum, employees should receive training annually, and your awareness program should touch an employee once a quarter," Starnes says. "Remember, in many instances, a trained and aware employee may be your first and last line of defense."
There are many different methods you can use to promote security awareness in your organization. "The key to formats is to be inventive, memorable, and change them up," Starnes says. He suggests hosting an information security fair and giving away small prizes to those who excel on security quizzes.
Other organizations use more conventional techniques, such as in-person and Web-based training sessions, posters, and security awareness stories in company newsletters.
Developing a solid security policy and backing it up with recurring training provides an important foundation for your organization's risk management program. Lippie sums it up well: "The ramifications of not having such a policy can be dire, spanning financial and reputational damage should a breach occur." These programs help mitigate the risk of security incidents and may limit your legal liability if they do occur.