Back in 2017, The Economist declared that the world's most valuable resource is data, and a cursory look at the 2020 Forbes list of the world's most valuable brands confirms that technology companies now run the world. The downside is significant: there is now great pressure on companies to secure the information in their custody. Recent incidents involving SolarWinds, Twitter, and Garmin show that threats to information security continue to evolve, and every organization has no option but to put in the legwork to establish and maintain the required cybersecurity controls, whether its IT is on-premises, in the cloud, or outsourced. From a governance perspective, an IT security policy is at the heart of this effort.

Why do we need an IT security policy?

According to the ISO/IEC 27001:2013 standard, the objective of information security (InfoSec) policies is to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. An IT security policy is a type of administrative control: it communicates to all stakeholders involved in IT what is expected of them in reducing the risks associated with information security. (It is not limited to the security team.) It also demonstrates the commitment of the organization's highest level of leadership to the ideals of the policy, thereby providing direction for employees, suppliers, and other stakeholders. (Explore the roles of the Chief Information Security Officer and the security team.) Whether at a strategic or tactical level, the IT security policy states why the organization has taken a position to secure its IT systems. Most often, the rationale comes from:
This is crucial from a governance perspective, as it sets the tone for the design and implementation of IT security controls and institutes the roles and responsibilities required for IT security to be managed effectively.

What's in an IT security policy?

At the core of any IT security policy is understanding and managing the risks to IT systems and data. The organization does this by defining its chosen approach to achieving the required security posture or characteristics through relevant administrative, physical, and technical controls. The ITIL® 4 Information Security Management practice spells out some of these security characteristics as follows:
(Learn more about the CIA triad and additional security characteristics.) The structure and size of an IT security policy vary from one organization to another, depending on its context:
In terms of content, we can borrow from the CMMC model for what to include in your security policy:
Regardless of the structure, what matters in an IT security policy is that it sends a clear message to the entire organization and its stakeholders about what is required from an IT security standpoint. The policy must be clear and unambiguous, with the right level of detail for its audience, and easy to read and understand, especially for non-security experts. Like other organization-wide policies, the IT security policy should be created with the input of all relevant stakeholders. It would be imprudent for IT management to develop the policy by itself, without the buy-in of the business users and external suppliers who will be expected to comply with it. Getting stakeholder input ensures broad-based support for its implementation and for compliance. Alongside this is the need to communicate the policy to users and suppliers. The best way to entrench the IT security policy as the first line of defense against cybersecurity risks is through these activities:
A risk-based approach should be used to maintain the IT security policy. As your organization monitors and assesses the evolving risks to its IT infrastructure and data, you will need to update the policy so that it stays relevant to the changing context. In addition, measuring compliance with the IT security policy gives management feedback on whether the policy itself is still effective and relevant. According to COBIT, some sample metrics related to policy compliance include:
IT security policies aren't optional

An IT security policy that addresses information security in particular is one of your most critical business policies. Without one, you risk your entire business.
About the author

Joseph Mathenge is a global best practice trainer and consultant with over 14 years of corporate experience. His passion is partnering with organizations around the world through training, development, adaptation, streamlining, and benchmarking of their strategic and operational policies and processes in line with best practice frameworks and international standards. His specialties are IT Service Management, Business Process Reengineering, Cyber Resilience, and Project Management.