VIEWPOINT: Cyber-“Ish” Tips: The Importance of Policy

Whether your organization calls it cybersecurity, information security, or information assurance, a strong security program is an important element in determining the durability and success of your business. Without the proper policies, security controls, and trained staff, how will your business survive a cyber incident? Denial-of-service attacks, malware, ransomware, cyber extortion, and more have all been receiving a lot of media coverage lately as small, medium, and large businesses across the globe have fallen victim to malicious actors.

Security policies are the cornerstone of protecting an organization and are often required for compliance with federal laws such as HIPAA (Health Insurance Portability and Accountability Act), industry standards like PCI DSS (Payment Card Industry Data Security Standard), and various state laws. An organization’s policies outline what is allowed, why, and how. Because they are approved by senior management, they carry weight and authority. Properly written policies serve two purposes. First, they are proactive and establish guidelines for how the business will perform and secure things during its day-to-day operations. Policies such as “Acceptable Use” tell staff what they can and cannot do and advise them of the consequences of actions that might put the organization at risk. Other policies such as “Asset Management” help track vital (and expensive) equipment to prevent loss or theft. Second, well-written policies give guidance and help steer an organization during times of trouble or crisis. Important reactive policies like “Incident Response”, “Disaster Recovery”, and “Business Continuity Planning” clearly establish the roles of staff, direct them how to proceed during trouble, and reinforce the importance of security within the organization.

A well-written policy should be phrased simply, with guidelines and directions that do not rely on heavy technical terms, so that every employee can understand and follow it, even during times of stress.

According to PolicyAdvice.net: “Only 20% of businesses have offered cybersecurity training to their employees, whereas only 27% have actual cyber-security policies implemented to help prevent and deal with the aftermath of an attack.” How secure is your organization? Does it have the security-related policies it needs to survive an “event”? Here is a list of 10 IT security policies that you should already have in place:

1. Information Security Policy: This policy documents an organization’s protections and gives guidance to limit the access and distribution of data to only those with authorized access. It is the master policy and should include the policies and procedures that ensure all users and systems within the organization meet minimum IT security and data-protection requirements.

2. Acceptable Use Policy (AUP): Guidance for the acceptable use and limitations of an organization’s IT assets and data. This policy should outline what the organization expects from its users while they are using the organization’s computing assets. How users utilize these technologies can incur costs or increase risk to the organization, so this policy ensures that users understand the risks and limitations.

3. Remote Access Policy (RAP): A policy to define the acceptable methods of remotely connecting to the organization’s network from any endpoint (laptop, mobile phone, tablet, home desktop, etc.) not located within the enterprise. The purpose of the RAP is to reduce the risk introduced by devices outside the security perimeter, which the organization may not manage or patch.

4. Communications/Email Policy: How employees communicate with the public reflects on the business. This policy formally documents how the various communications media are to be used and what constitutes acceptable and unacceptable use. The channels covered should include official social media, SMS (text), chat, blogs, and email.

5. Incident Response Policy (IRP): Security incidents happen. This policy helps your organization prepare for and respond to an incident in a systematic way, minimizing the impact to the business and the loss or destruction of data, and returning operations to a stable state. Whether it is a data breach, malware, an insider, an external attacker, or some other threat, having a proper IRP can mean the difference between a minor event and a catastrophic or crippling blow.

6. Business Continuity (BCP) / Disaster Recovery Policy (DRP): Business continuity and disaster recovery in the face of crisis are two of the more important policies. Too many businesses fail to establish (and test) their plans properly and formally for what to do when catastrophe strikes. These policies describe how the organization will keep operating in an emergency and how systems and data will be restored afterward. When bad things happen, restoration and recovery are critical to the survival of a business.

7. 3rd-Party Vendor Policy: Partner organizations that provide data, software, hardware, or other goods and services all pose varying degrees of risk to your organization. Whether it is on your premises or in the cloud, any third party that has access to your data, critical systems, or networks could be used as a path into your assets, or vice versa. This policy documents the process of validation, verification, controls, and mitigations for that relationship, so that the risk is defined and minimized.

8. Change Management Policy (CMP): Change can be good, but unauthorized and unapproved changes can cause chaos and introduce unforeseen risks. A good CMP formalizes a process for requesting, reviewing, approving, implementing, and even reversing (if needed) IT and security-related changes within your organization.

9. Asset Management Policy: If you do not know where the devices that store your data are, how can you protect them? This policy outlines, directs, and governs how hardware and software are acquired, managed, and tracked for accountability. Understanding the lifecycle and location of an organization’s hardware and software is vital if it is to be properly protected.

10. Password Management & Standards Policy: Password policies often make users groan, yet the creation, rotation, and management of passwords is an important issue. Password length, uniqueness, and resistance to guessing are the concepts that matter most in controlling who can access which resources. This policy needs to spell out the organization’s requirements so that users (who typically make their own passwords) choose secure ones; note that current guidance such as NIST SP 800-63B favors screening passwords against lists of known-breached values over forced periodic rotation, which should be triggered by evidence of compromise rather than by the calendar. This policy should also address multi-factor authentication, an extremely strong control that supplements usernames and passwords with an additional factor (such as an authenticator app, hardware token, or out-of-band confirmation), so that a stolen password alone is not enough to log in.

Policies are not meant to be written and then sit on a shelf. The documents need to change and grow with the organization: reviewed regularly, updated whenever there are significant changes, and tested to ensure they work. Policies should be briefed and shared with all staff as part of an organization’s security awareness and training programs so that they become part of your security apparatus. Industry best practices recommend that all policies be reviewed, tested for accuracy, and updated as needed at least once a year.

Jeffrey Isherwood is a cybersecurity analyst at M.A. Polce Consulting Inc., a Rome–based provider of managed IT and security services to businesses and nonprofit organizations.