What makes a good policy?
- is short and concrete
- focuses on goals, roles, responsibilities and tasks
- covers the relevant security aspects (personal, office, travel, devices, etc.)
- clearly differentiates between what needs to be done once, regularly, or all the time
- helps the reader take action (spells out internal support, links to resources)
- has a clear link to the organization's mission and identity
- is part of the main working space of the organization and reflects its (visual) identity
- includes both protective measures and incident response
What makes a bad policy?
- focuses only on documenting tools
- cannot be found by staff
- can only be understood by experts, the security champion, or IT staff
- is too aspirational and too far removed from actual practice
- is a quick hack of a template or a bad recycling of other organizations' policies
- is one giant document that does not differentiate between different needs and responsibilities
Goals
- A clear standard of practice within the organization
- Practices that are sustained over time
- Organizational consensus
- A policy established at the outset and revised as the organization adopts new practices or its environment changes
Prerequisites
- Existing workflow and program activities
- Initial assessment, including resources
- Priorities
- Organigram
- Helpful: existing templates
Elements to be included
- Buy-in and a strategy to implement, enforce, and communicate the policy
- Communication policy
  - Social media
  - Chat
  - Mobile
  - Branding practices and signatures
  - PGP usage: key storage, publishing keys, what goes in subject lines
  - All of the above should cover access control measures, levels of encryption, and personal vs. work usage
- Data management policy
  - Where is data stored? (cloud, local, etc.)
  - Access control (new hires, employees leaving, different levels of access)
  - Data retention
  - Data deletion
  - Backup
  - Encryption
  - Password management
  - File naming and storage structure
- Equipment policy
  - Personal use
  - Taking equipment home
  - Installing software
  - Pirated software
  - Anti-virus
  - Updates
  - Disposal of devices
- Training
  - When does training happen?
  - How often?
  - Self-learning resources?
  - Funds for professional development
- Employee leaving
  - What to expect when you leave the organization
  - Email access
  - Equipment handover
- Incident reporting
  - Security reports
  - Lost equipment
  - Infiltration
  - Virus/hacking
- Field documentation and reporting
  - Depends on methodology, but considers meta/EXIF data, physical exposure, mobile use, software tools, physical safety, and travel
Security policy templates
- SANS security policy templates (corporate): https://www.sans.org/security-resources/policies/
- Policy used by the BBC (documents in Owncloud), http://www.bbc.co.uk/guidelines/dq/pdf/is/is_policies.pdf
- APC has a generic version that it can share
- HURIDOCS has a generic version that it can share
- Linux Foundation: https://github.com/lfit/itpol
Example of The Engine Room's email encryption policy: https://www.theengineroom.org/what-were-learning-about-keeping-organizational-emails-secure/
Additional resources:
- Baseline Organisational Policies and Practices, by Michael Carbone
- Security Checklists, by iecology