How to write your company’s IT security policy
If my consultancy conversations usually start with “so, you think your business is secure?”, they invariably end with a response of “so, what can we do about it then?”. This is where I really confuse them by not immediately talking about solutions and software, but instead about best practices, education and policy.
Formal information-security policies are often seen as the sole territory of larger enterprises, but this couldn’t be further from the truth. Every business – no matter how small – can benefit from implementing such a policy. The benefit runs much deeper than merely having a formal document: it really comes from the process of thinking about what data security means to your business, and creating a written, structured response to those needs. This process of thinking about security – and I mean really thinking about it, from top to bottom – is always an eye-opener for the team involved.
Even for those businesses at the smallest end of the SME scale, which are often only one bloke and his dog, this will be a team process. I’d never consider taking on a policy-creation job all by myself. This may not raise your opinion of how consultants work, but the bare truth is that unless policy creation involves those working at the coalface of the business, it’s totally pointless. The reason I can make such a sweeping statement can be best explained by making you understand what actually constitutes a security policy.
Strip it right back to its basics, and an information-security policy can be defined as a commitment to protect all the data that a firm creates and uses. Start fleshing out this simple definition, and the all-encompassing desire for data defence becomes your guide to exactly how the levels of required protection can be both achieved and maintained.
Leaving this to a third party – or even delegating responsibility on a departmental basis – is security suicide: your IT bods (assuming you have such a luxury) may produce a technical draft, which is given a jargon-vacuuming by the personnel department, before finally being rendered totally incomprehensible by the legal department. A sustainable and effective security policy has to be written from the ground up, with input from the top down.
Depending upon the size of your organisation, this could mean the sole proprietor meets with an outside consultant, or the board of directors works with the IT department, personnel, legal and the shop floor. The main point is that everyone must be represented, so your entire business is included; and that all foreseeable risks to the company’s data are mitigated as far as possible as a result.
One of the problems when talking about a security policy lies in ensuring that The Powers That Be truly understand that it should be – indeed must be – something practical and useful at a business level. This is especially true for small businesses, where information security is often regarded as an inconvenient interference with day-to-day work, rather than an integral part of the business process. An information-security policy – as with an acceptable-use policy or even a contract of employment – is useless if it’s merely signed and consigned to a filing cabinet until after a breach has occurred.
I’ve heard IT security consultants talk about a policy document as being a “living, breathing part of the business”. Frankly, this is a step too far for me and most of the folk I work with. I prefer to think of it as a written information-security programme (WISP). In other words, it isn’t a bunch of boring files, but a collection of policy documents, along with the steps that need to be taken in order to enforce the policies they contain.
Some state governments in the US have even gone so far as to include this WISP requirement within their information-security legislation: Massachusetts, for example, requires every person who “owns or licenses personal information” to “develop, implement, and maintain a comprehensive information-security programme that is written in one or more readily accessible parts”, and which contains administrative, technical and physical safeguards.
I’ve started using this WISP definition as my take-off point when talking to a business about building a meaningful policy. I place that “readily accessible parts” phrase at front and centre of any initial policy-creation meetings. It’s crucial that everyone understands that “readily accessible” means accessible to all employees; this in turn means that suitable training and educational courses are available to them all.