According to the WEF, 95% of cybersecurity issues can be traced to human error. This number is not surprising, considering that many recent cybersecurity events were the result of human negligence or human malice. Examples include the 2017 data breach of Equifax, and the 2021 ransomware attack on Colonial Pipeline and the 2021 zero-day attack on Microsoft Exchange.
Security procedures and policies can help prevent such catastrophes or at least reduce their probability of occurrence. They clearly state the rules governing the company’s acceptable and unacceptable security behaviors and provide guidelines that enable compliance with these rules.
This article does a deep-dive into security policies and procedures: what they mean, how they are related, types, key components, and best practices for implementation and compliance.
Security Policy vs Security Procedure
A security policy clarifies the behaviors that could prevent security issues and the organization’s approach to protecting its IT assets. Policies work with procedures to provide a strong foundation for enterprise security programs.
A security procedure is a sequence of activities meant to achieve an end result. Its main goal is to strengthen security defenses and help the organization withstand cyberattacks. Procedures build upon or enable policies by providing a clearer, structured approach to implementation. In short, a policy defines the what, who, and why of security, whereas a procedure clarifies the how.
For example, an authentication policy may describe why authentication is required and which users are required to authenticate themselves. The associated procedure could describe how these users will be verified to access an enterprise system. Similarly, a backup policy will address the need to create data backups while its procedure will define backup frequency, location, and execution steps.
Types and Components of Security Policies
The National Institutes of Standards and Technology (NIST) describes three types of information security (IS) policies. Its ideas can be extended to any type of security policy.
Security program policy
This high-level policy is meant to help implement an enterprise security program.
Key components of a security program policy
A security program policy typically consists of all these components:
- Purpose and goals: Examples of goals include stronger protection against unauthorized disclosures, reduced data corruption, and fewer data errors.
- Scope: It describes which resources the security program is meant to protect: hardware, software, information, or people.
- Roles and responsibilities: The responsibilities of security providers and leaders are specified.
- Compliance: This section specifies what is needed to monitor compliance with the program and describes the disciplinary actions to address violations.
Issue-specific security policy
Issue-specific policies address specific security areas, technologies, or threats, and provide specific guidance about the acceptable behaviors concerning these areas. They are regularly reviewed and updated to reflect technological changes in the organization.
Examples of such policies include:
- Internet access policy: It could specify who will have access to the Internet and user authentication requirements to access Internet-connected systems.
- Password policy: defines how passwords will be configured, managed, and updated.
- BYOD policy: specifies the rules around accessing organizational resources from personal devices.
- Cybersecurity policy: explains how the firm will keep out cyber threats and how it will respond if an attack does happen.
- Patching policy: defines how patches will be installed and managed for various enterprise systems.
Key components of issue-specific security policies
For maximum effectiveness and actionable value, issue-specific policies consist of these components:
- Issue statement: It defines the issue and explains the reasons for creating the policy.
- Organization’s decision on the issue: This section defines the organization’s stance on the issue. For example, the BYOD policy may state that employees are only allowed to use personal devices for work inside the enterprise perimeter.
- Applicability (scope): Applicability statements clearly say how and to whom the policy applies and under what conditions.
- Roles and responsibilities: It describes the responsibilities of security providers and leaders.
- Statement of compliance and verification of compliance: It mentions which security laws or regulations the policy aims to comply with, and the activities needed to ensure compliance (e.g., internal security audits)
- Non-compliance penalties: Non-compliance penalties could range from verbal and written reprimands to demotions and terminations.
- Additional information: Supplementary information can be included in the policy, such as points of contact.
System-specific security policy
A system-specific policy (SysSP) is the most granular security policy. It provides information about the actions that are permitted and not permitted on a specific system. It also details the procedures to configure and maintain that system.
Key components of system-specific security policies
A SysSP is most relevant to the personnel that maintains that system and to the managers who design the rules and make decisions about it. It usually includes two components:
- Managerial guidance (security objectives): Information that helps with the implementation and configuration of an IT system so it supports business objectives
- Technical guidance (operational security rules): Detailed information to implement and manage the system and its access
A SysSP can also include the elements included in program and issue-specific policies, such as:
- Goals and scope
- Organization’s stance
- Roles and responsibilities
- Statement of compliance
- Penalties for non-compliance
Key Components of Security Procedures
Effective security procedures detail the various activities or steps needed to perform a specific security task and comply with a specific policy. These steps are given in the right sequence that a user is required to follow.
Tips to Develop and Implement Effective Security Policies and Procedures
One of the best ways to craft and implement effective security policies and procedures is to follow a systematic step-by-step process:
- Step 1: Define its purpose, objectives/goals, and scope (applicability).
- Step 2: Use an available template to save time, and tailor it based on the policy type, purpose, and scope.
- Step 3: Get buy-in from all relevant stakeholders, including top management, department heads, and the IT team.
- Step 4: Publish the policy and share training material with the intended audience (e.g., employees).
- Step 5: Regularly review the policy and update it as required.
These good practices can also help organizations to develop effective policies and procedures:
- Every policy specifies the enforcement mechanism and penalties for non-compliance.
- It should have a clear purpose, objectives/goals, and scope.
- It should clearly define all important terms and abbreviations.
- The language should be as jargon-free as possible.
It’s important for every policy and procedure to be specific so that those it applies to know exactly what is expected of them. For example, the password policy should include how often employees are required to change passwords, and the patching policy should include how often operating systems and software should be updated.
Tips to Ensure Compliance with Security Policies and Procedures
Without strong enforcement mechanisms and non-compliance penalties, the audience may ignore policies and procedures, creating security gaps and increasing the organization’s vulnerability to a cyberattack.
Following these best practices can help ensure compliance with security policies and procedures:
- Leverage enforcement mechanisms humans cannot easily bypass or ignore, such as separation of duties or principle of least privilege.
- Ensure the policies are realistic and not burdensome to comply with.
- Determine the best format for the intended audience so it is easy to understand.
- Share training material so the audience understands what they need to do to comply.
- Periodically assess employees’ understanding of policies and procedures and update the training material accordingly.
It takes years for a company to build its product portfolio, customer base, and reputation, but a lot less time to lose it all. Clearly defined and consistently implemented policies can help to avoid such catastrophes and maintain a strong security posture.
In conclusion, fostering an organization’s security awareness culture is essential for long-term success, risk mitigation, and maintaining a positive reputation. Organizations are better equipped to meet their ethical and corporate social responsibility commitments by having well-crafted security policies and procedures. However, it is important to not only have these things in place, but also to review, update, and train employees on a regular basis. This will ensure that the organization can adapt to any changes in the business environment. By embracing these best practices, organizations can have a more secure and successful future.