SANS ISC: Cyber Security Awareness Tip #6: Developing policies and Distribution

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

One of the cornerstones of security is policy and as much as most of us dislike writing them, without them we are all pretty much floundering around.  So today’s tips relate to developing and distributing policies. 

We’ll get the basics out of the way.  Why do we need policies?  Policies outline the do’s and don’ts for the organisations.  Staff and management both know where they stand in relation to important issues.  Policies also help modify behaviour, people are surfing for porn, you put a policy in place to help modify that behaviour.

So what do we need?  These are the few of the duh points, but important nonetheless:

• Make sure you have senior management support.
• Write SMART policies. Specific, Measurable, Achievable, Realistic, Time based policies
• Keep the audience in mind when writing policies. 
• If it doesn’t have the word MUST in it maybe move it to a guideline or standard. Or in other words keep policies as policies, guidelines as guidelines and procedures as procedures.  You’ll only confuse the message if you mix them.
• Make sure you have a compliance statement, people need to know what happens if the policy is not followed.
• Make sure it is available to everyone
• Regularly review the policy
• Get legal to check them out.
• Collaborate with stakeholders in developing the policy.
• Make sure you cover items of specific risk in the organisation
• Make sure the policy is in line with the corporate objectives and overall security posture
• Get people to sign that they have read and understood the polices.
• Reinforce the message regularly

After writing the polices you will need to make sure it is disseminated.  There have been plenty of examples over the years where people have been sacked and then re-instated because of weak or policies that weren’t enforced or enforced inconsistently.   The traditional methods are publishing on the intranet, as part of the induction process, document management systems, etc.  A good idea is to develop a quiz which must be taken by staff.  That way the lessons are reinforced and you have a register of who has read and understood the policy. 

So which polices do you need?  It depends on the organisation and if you are working to standards like ISO/IEC 27001, or SOX, etc.  The basic ones I think you should consider are:

• Information security policy
• Acceptable usage policy (make sure you cover internet and email usage)
• Remote access
• Access control policy
• Information Classification Policy

That’s a quick start to the day, send in tips for disseminating policies, reinforcing the message, some good practices and the bad. 

Cheers

Mark   H - Shearwater