The need for a strong security policy
Information security cannot be achieved by technical means alone. Firewalls, intrusion detection devices, and similar tools all contribute greatly to protecting information in your institution. However, the human element of security is often the weakest aspect. Security policies, which must address both the technical and the human aspects, are the foundation of information security. With careful planning, they provide an essential guide for officers and employees in the implementation of an information security program. Conversely, many security breaches can be traced back to weaknesses in an ineffective security policy.
What is a security policy?
Policies are high-level statements that set direction and provide information, but they do not specify the technical controls and programs necessary to achieve compliance (that content belongs in standards and procedures). Each institution needs high-level policies that the board of directors can understand and approve: statements of management and board-level policy and direction rather than operational procedures. Once the high-level policies are board-approved, the next step is to develop supporting policies and related documents (for example, documenting specific technical controls) that are more detailed and operational in nature, including those that are specific to the institution’s IT systems and processes.
What are common pitfalls in security policies?
Security policies fail for a variety of reasons. These include:
- Policies have large gaps in accountability: Security responsibilities of the Chief Security Officer, board, management, IT staff, and employees may not be specifically defined in policies. Policies to control the security of information assets entrusted to external service providers may be lacking.
- Poorly written policies: Policies that are lengthy and painfully detailed are often never read, and thus never followed. Alternatively, while policies are meant to be high-level documents (they are not detailed how-to procedures), some are unfocused, or written in vague terms that obscure the intent.
- Missing critical elements: In other situations, policies are written without completing prerequisite work; thus they lack critical content, and fail to identify the information assets that must be protected.
- Policies lack board-level involvement and backing: The board may have limited visibility into whether or not the institution has good information security, or may have limited involvement. After approving numerous detailed, piecemeal policies, some of them too technical for the board to understand, the board may not understand the institution’s information security program or its own security responsibilities.
- Policies are impractical to implement: Security measures inherently present obstacles or impediments to business. While they are designed to mitigate security risks, they often obstruct basic work processes, especially if they are implemented with little consideration for how the measures impact day-to-day work. If the policy is not viable or effective in an institution’s workflow processes, it will become a burden with little perceived benefit, and people will ultimately abandon the policy or find shortcuts that undermine the policy.
- Too little or no education of staff: Security is a learned behavior. A policy provides no value if the institution’s employees do not know that it exists, or if they do not know how to implement it.
- Lack of internal monitoring and audit: A policy may be missing internal audit procedures based on information security risk. Some employees may have virtually unlimited access to a wide range of sensitive information, with limited review and monitoring. Periodic risk assessments are required.
- Little or no executive-level support: Executives send mixed signals regarding the importance of security when they assign little or no budget, staff, or authority to appropriately create and implement security policies. And when they demand to be exempt from certain rules, such as complex passwords, the “do as I say, not as I do” message seriously undermines the policy.
How can you create effective information security policies?
Creating an effective security policy requires much more than simply finding sample policies to use as a template for your institution. To create effective policies, architect your information security program in a manner that will tailor it to your business environment, and then create policies with the following guidelines:
- Start the process with an information security risk assessment: The only way to know what security measures are needed in a policy is to first discover your risks. Policies should be developed to manage risk. What needs to be protected? Why is it at risk? What is the priority? This process includes identifying the information assets that must be protected, assessing the threats to those assets, learning the degree of vulnerability to those threats, and identifying appropriate countermeasures to mitigate your risks. Only after you understand your vulnerabilities can you articulate a policy that can effectively manage risks.
- Define responsibilities and accountabilities within your institution: Security policies must determine the roles of management, the board, and the institution’s employees across business units. They specify, for example, who is responsible for audit reports that give management and the board assurance of security. A Chief Security Officer from senior management must be appointed. Also clearly identify the consequences of non-compliance where appropriate for your organization. Identify areas where dual controls may be required, such as sensitive activities that involve changing access privileges on core processing functions or changing firewall rules.
- Develop policies that support your business processes: Obtain the input of the people across the business functions within your institution in order to create a workable policy that supports business goals and processes. Work with your team to evaluate whether a policy imposes any unacceptable burdens, given the size of the organization and the current technology state.
- Clearly and concisely document your security policies: Document information assets and define security policies to protect each asset. Focus on measures that address your security risks. Use plain, simple language, and be direct.
- Clearly identify monitoring and audit processes: A policy is only useful if people follow it. Determine how compliance with the policy will be measured. The persons who monitor compliance with a policy should be independent of the persons implementing the policy to avoid conflicts of interest. Identify the frequency of testing compliance to policies, and how results will be communicated to management and the board of directors.
- Provide adequate training: A key to acceptance and compliance with security policies is education. Educate all employees on the need for security. Use seminars, awareness campaigns, and frequent communications to help provide this education. Incorporate appropriate security policies, such as email and internet usage guidelines, in the Employee handbook as a code of practice for all employees.
- Provide executive-level support: For any policy to be accepted throughout the organization, top management must first set an example of how to follow the security policies. Management must demonstrate commitment by ensuring that there is adequate staff, budget, and authority assigned to develop and implement security policies.
How Alebra can help
Alebra offers specific services to help you assess and improve your security policies, as well as your overall information security program. We can:
- Review your existing Information Security Program, detailed security policies and acceptable use guidelines and suggest improvements.
- Apply Alebra’s Information Security Program Charter and policy architecture, which define a policy structure that starts with board-approved policies and extends down to a coordinated set of specific policies that protect all information assets.
- Conduct security awareness training programs for your employees.
- Complete a comprehensive Risk Assessment that will provide you with detailed, practical findings.
Alebra’s consultants can assist your organization in being proactive in your defense against internal and external threats.
Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.