Creating Security Policies - How to get started
A security policy should encompass not just the technology required to protect the business, but also the responsibilities and actions of the people it employs. After all, when employees or subcontractors compromise the company's information security by unknowingly giving away confidential information, the consequences can be devastating.
The following is an overview of the steps required to develop a security policy.
Risk Analysis - decide what you want to prevent
To set up a defence you first need to decide what you want to protect your company against. Too often security policies are written without knowing exactly what they are meant to prevent, which is why SoftScan strongly recommends that security policies are based on a risk analysis. This ensures that the security policy concentrates on the most critical areas of the business.
The risk analysis should list all of the possible threats to the business. Do not underestimate the scale of this task; SoftScan always recommends setting up a task force to carry out the risk assessment.
Create Task Force
Technical and non-technical
The task force should include both technical and non-technical people. The non-technical members should have a good knowledge of the company's business processes.
External consultants
They have been through this process many times and often know where the problems are hidden.
The management
Management is the part of the task force that sets the final priority of the risks, based on business consequences (e.g. lost profit in case of a disaster).
Determine risks
Probability
Estimate the probability of each threat occurring.
Business Impact
Estimate the impact on your company if the threat occurs.
Decision Priority
Let management decide. The final priority of each risk should be set by the company's management, based on the business consequences combined with the probability of occurrence.
Security Policy
Based on the risk analysis, the task force should define the areas that the security policy needs to cover. Each of these areas should have a policy, a guideline, or a procedure concerning the operation within that area.
The security organisation SANS has a well thought-out set of policy templates. These templates are written against US standards, so they may be more extensive than your business requires and may refer to legislation that does not apply to you. SoftScan nevertheless recommends using the templates as a checklist to avoid forgetting something, adjusting them to fit your organisation.
Examples of policy areas include an email policy, anti-virus procedures, third-party agreements, a confidential information policy, suspicious data guidelines, and a user contract / acceptable use policy.
Approval
Remember to obtain management approval of the security policies, including the consequences of a policy breach.
Consequences
Involve all departments; for instance, Human Resources may be best placed to decide what the consequences of a breach should be.
Training and Awareness - How to work securely
To ensure compliance with the security policies it is important to give all employees a proper introduction to the new policies. Remember that policies affect how people do their work. It is therefore important to train and educate both new and existing employees, and to maintain their awareness of the security policies over time.
Explain
Explain why employees need to change their routines to comply with the policies.
Introduction
New employees should be introduced to the policies during the company introduction programme.
Awareness
Existing employees should be kept aware of the policies. Team up with Marketing to keep employees aware; they are the communication experts. Use the company's communication channels, e.g. internal newsletters, the intranet, posters, stickers, screen savers, and even songs for the Christmas party, to communicate the content of the policies.
Test
Test whether the awareness work has had an effect. Use online surveys, interviews, or even social engineering checks (approved by management in advance) to measure employees' level of knowledge. This tells you how well your employees are adhering to the policies.