
An Ideal Security Policy

PCQ Bureau

Begin your security policy with objectives. Define the challenges in front of your organization, your immediate and long-term focus and the scope of the document in terms of applicability. Differentiate between NSP, IS SP and Physical SP.

Say no to viruses and spam
Viruses and spam are the two biggest worries for every enterprise today. For large enterprises, keeping their machines updated can be a major challenge. While every anti-virus can do a live update, keeping track of whether they're happening can be quite a task. Another issue is that the investments can be huge for a good anti-virus solution, so you'll need to choose one carefully. Some anti-virus software can do both virus and spam filtering, which could also be a good option. 



In case you're not managing your own mail servers, you might want to go for a third-party solution mail service like Fastmail.fm, which can provide you with e-mail accounts that are protected from viruses and spam, at a fixed cost per year. This could be a good option for smaller organizations.

Security organization



This is the right place to talk about how your security setup will be organized. Though, it is preferred to have a dedicated individual or team to take care of your security aspects, it is all right for SMB/SOHO organizations to use a shared security organization or an outsourced one, as long as the objectives and deliverables are clearly defined. 

Asset classification and control



This part should contain policies to maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection. The assets can be broadly classified as physical, intellectual property (information assets and intangible IPR) and people. It deals with the establishment/identification of assets in an asset register for hardware, software and information and offers advice on classifying and labelling assets to obtain proper accountability. You may want to define explicit accountable persons for each identified asset. 

Patch troubles
While there are solutions available to automatically roll out patches and updates to all machines on your network, complete automation is just not possible. A large enterprise is likely to have a heterogeneous network environment with various OSs in place for different tasks. In this situation, would your patch-management application be able to keep track of and update patches on all the OSs and applications? You can achieve some automation with Windows clients (covered elsewhere in this story), but what about your mobile users, who would be travelling and possibly connecting to other networks? Worse, there can be situations where you'll be bringing rented machines onto your premises. Chances are that they won't be patched. Therefore, both incoming and outgoing machines can pose a security threat, as you may not be able to keep them updated.

Personnel security



Perhaps the single biggest threat to an organization's security is uneducated employees, so it's important to have a separate personnel security policy. Create guidelines around security that can be incorporated in every employee's job description and key result areas. Build processes to minimize any risk to the organization due to human error. Using public IMs or free e-mail sites, for instance, could be a security risk to the organization, so it's important to provide guidelines on such issues. Establish a framework to ensure that security incidents and suspected breaches/weaknesses are removed. Provide for deviation management because different individuals have different needs. So implement and enforce policies, but at the same time, also provide for exceptions through formal channels.

Physical security



The focus here shifts to the physical security of the organization: facilities, computer and network infrastructure. Place here the short-term and long-term guidance for physical security. It is a good place to talk about the access-control system, whether manual or electronic. This section should focus on preventing loss, damage or compromise of assets and interruption to business activities. Discuss the need for a surveillance system, at the very least, and talk about guidelines for the server room, critical billing and data rooms, visitor entry, etc.

Security Policy Myths
Security Policy is a step-by-step guide to your security. Incorrect. It provides general guidelines.

Writing a security policy makes your organisation secure. Having a security policy does not; implementing it does.

Once I create a policy, I am done with it. Only regular updates to the policy keep it live.

You must use external consultants for writing a security policy. Incorrect. You must begin your security policy by jotting down your basic needs. However, an expert in the security field can help in reducing the iterations to your security policy.

Different policies
NSP (Network Security Policy). Its contents centre on the IT network and its usage.

IS SP (Information System Security Policy). Much broader in scope than the NSP. It includes the business value of the information systems and not just network use.

Communications and operations management



Keeping pace with the growing criticality of communication systems, take care to put in place policies and guidelines that ensure the correct and secure operation of information-processing facilities. Provide guidelines that protect the integrity and availability of software, information and communication. Document your policies to regulate the type of software to be used, media handling, network security, the tools that end users can run, etc. You may also want to put the AUP (Acceptable Use Policy) in this section.

System access control



Identifying the individuals that access your organisation is a critical component. Create guidelines on what kinds of assets can be accessed by which sets of users. This covers both the physical domain and network access. Further, create policies that will enable the organisation to detect and prevent unauthorised access. In today's world of mobile computing, ensure information security for users even when they connect remotely or through a public network.


System development



This section can be ignored if you do not do software development either in-house or outsourced. However, if your IT department writes some modules, software or scripts, it is important to document the process to be adopted for developed software to be put into the production environment. Put in place a version-control mechanism for your new software. Place guidelines to ensure that no malicious code is placed in your production system.

Business-continuity management



The guidelines in this section should help in mitigating the business risk in the event of a failure, disaster or catastrophe. Provide guidelines on how to identify risks and categorise them on the basis of impact.

Business continuity is typically addressed under four heads: Facilities, Application, Process and People. Wherever possible, the backup policy should specify cold backup (on-site or off-site), warm standby or even a disaster-recovery site, if your organization needs one.


Compliance



To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations, and of any security requirements, it is recommended that policies and guidelines be framed here. Provide guidelines not only for compliance with external entities, but also with internal policy, audit findings and other recommendations.

Alok Sinha, Chief of Information Security, Bharti Group

The views presented here are of the author and may not reflect the views of the employer.

Is your policy easy to understand?

The Fog Index has its origins in the University of Minnesota and is a proven method of analyzing written material with respect to the ease of understanding. The optimal Fog Index level will hover at around 7 or 8. A level above 12 indicates the policy document sample is too hard for most people to read and comprehend. For effective calculation, the sample must be more than 100 words.

  1. Count the number of words in the sample: 192

  2. Count the number of sentences: 15

  3. Count the number of big words (3 or more syllables): 22

  4. Calculate the average sentence length. Divide the number of words by the number of sentences: 192/15 = 13

  5. Calculate the percentage of big words. Divide the number of big words by the number of words: 22/192 = 11%

  6. Add the average sentence length to the percentage of big words: 13 + 11 = 24

  7. Multiply the result by 0.4: 24 x 0.4 = 9.6, the Fog Index
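The seven steps above can be run over a policy draft automatically. The following is an added example written for this article, not code from the original or from the Fog Index's authors. The word and sentence splitting, the vowel-group syllable heuristic (an approximation of "3 or more syllables") and the sample passage are all constructed here; the round_steps option reproduces the article's hand calculation, which rounds the two intermediate values to whole numbers before adding them.

```python
"""Gunning Fog Index for a policy document (added example, not from the article).

Implements the seven steps of the article: count words, sentences and
"big" words (3+ syllables), then 0.4 * (average sentence length + % big words).
The syllable counter is a vowel-group heuristic, so treat the score as a guide.
"""
import re
from typing import Tuple

# Sample passage, constructed for this example (the article asks for 100+ words
# in practice; this is kept short so the counts can be checked by hand).
SAMPLE = (
    "Every employee must protect company information. "
    "Report suspected security incidents immediately. "
    "Do not share passwords."
)


def count_syllables(word: str) -> int:
    """Estimate syllables as the number of vowel groups, treating a trailing
    silent 'e' (as in 'share') as not adding a syllable."""
    w = word.lower()
    n = len(re.findall(r"[aeiouy]+", w))
    if n > 1 and w.endswith("e") and not w.endswith(("le", "ee", "ie", "ye")):
        n -= 1
    return max(n, 1)


def fog_counts(text: str) -> Tuple[int, int, int]:
    """Steps 1-3: return (words, sentences, big_words) for a passage."""
    words = re.findall(r"[A-Za-z']+", text)
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    big_words = [w for w in words if count_syllables(w) >= 3]
    return len(words), len(sentences), len(big_words)


def fog_from_counts(words: int, sentences: int, big_words: int,
                    round_steps: bool = False) -> float:
    """Steps 4-7: average sentence length plus percentage of big words, times 0.4.

    round_steps=True rounds the two intermediate values to whole numbers first,
    matching the article's hand calculation (192/15 -> 13, 22/192 -> 11%)."""
    avg_sentence_len = words / sentences
    pct_big_words = 100 * big_words / words
    if round_steps:
        avg_sentence_len = round(avg_sentence_len)
        pct_big_words = round(pct_big_words)
    return round(0.4 * (avg_sentence_len + pct_big_words), 1)


def fog_index(text: str, round_steps: bool = False) -> float:
    """Full pipeline: text in, Fog Index out."""
    return fog_from_counts(*fog_counts(text), round_steps=round_steps)


if __name__ == "__main__":
    # The article's worked figures: 192 words, 15 sentences, 22 big words.
    print("Article sample (rounded steps):", fog_from_counts(192, 15, 22, round_steps=True))
    print("Article sample (exact):", fog_from_counts(192, 15, 22))
    print("Constructed sample counts:", fog_counts(SAMPLE))
    print("Constructed sample Fog Index:", fog_index(SAMPLE))
```

With the article's own counts the rounded calculation gives 9.6, while carrying the decimals through gives 9.7; either way the figure sits above the 7 or 8 the article calls optimal, which is the point of the check. The short constructed sample scores far higher still, because three of its fifteen words are dense policy terms; a real draft should be measured on a passage of 100 words or more, as the article says.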
