Security Program Policies for 2021
Regardless of the size or sector of your organisation, a constantly evolving threat landscape and a growing list of compliance requirements mean that a mature security program is now essential. A foundational element of that program is a well-balanced and comprehensive set of security program policies.
Without these policies it is nearly impossible to manage, enforce or communicate a security program, leaving your organisation exposed to a wide range of information and cyber security threats.
Below is a list of just some of the types of policy that your organisation may need to incorporate into its security program, each with a brief explanation of its aims and elements.
Information Security Policy
Typically a ‘high level’ policy covering numerous security controls, an information security policy is created to ensure that every employee making use of organisational assets, including devices, networks and data, does so within an agreed set of boundaries.
Covering security ‘end-to-end’ across your organisation, an information security policy should set out clear objectives and goals, focusing on what information security professionals refer to as the CIA triad: Confidentiality, Integrity and Availability.
Depending on the needs and scope of your organisation this may include stipulations regarding, amongst other things, data classification, responsibilities, rights, general duties, and access control information.
Acceptable Use Policy
As one of the foundational policies required as part of a security program, an Acceptable Use Policy, or AUP, lays out the practices and limitations that employees using an organisation’s equipment and computing services need to follow.
From what is and is not allowed to be stored on a work computer, and who is or is not allowed access to company-assigned devices, to ensuring employees acknowledge their responsibility to promptly report the theft or loss of information, an acceptable use policy should be developed as an ongoing effort by IT, security, HR and legal.
Physical Security Policy
Referring to the measures designed to protect physical locations and assets, a physical security policy should outline the procedures needed to mitigate a variety of potential threats, natural and man-made hazards, crime and insider threats.
Depending on the nature of your organisation there may be restricted zones within your physical property (e.g., server rooms, file storage areas, etc.). A physical security policy needs to alert employees to their responsibilities and roles in protecting assets and preventing unauthorised access, damage or interference to said assets.
Though it may sound basic, having a clearly outlined visitor policy, for example, can go a long way towards mitigating easily avoidable security risks such as tailgating, the social engineering technique in which an unauthorised person follows an employee through a controlled door.
Incident Response Policy
An incident response policy is an agreement designed to manage and remediate the impact of the variety of incidents that may affect the operations of an organisation. There to limit damage to operations, profits, customers and reputation, an incident response policy is likely to require input from many departments of your organisation.
This form of policy should first clearly define the parameters of what is and is not considered an ‘incident’, from data breaches and cyber-attacks to phishing attempts and serious threats to organisational reputation, and should then set out staff roles, responsibilities and reporting procedures.
Again, an incident response policy may be highly specific to your organisation. In drafting this document, organisations should take great care to consult all levels of management, bearing in mind the many legislative requirements (such as mandatory breach notification deadlines) involved in responding to certain forms of incident.
Password Policy
As with all of us, your employees likely have a plethora of passwords to keep track of as part of their day-to-day duties, and ensuring that these are effective and secure passwords certainly falls under the remit of a robust security program.
Though there are technological elements to a secure password policy, such as automated enforcement of minimum strength, a password policy also needs to outline what employees can and cannot do with their passwords.
From the explicit agreement that passwords and credentials should not be shared amongst employees, to where passwords should be stored, giving your employees clear guidance is an absolute necessity in developing your security program policies.
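As an added example (not code from the original post or from Hut Six), the following Python sketch shows what the ‘automated minimum strength’ element mentioned above might look like when a password policy is enforced at the point a password is set. It checks a candidate password for length, membership of a banned list, inclusion of the username, and long runs of repeated or sequential characters, and returns every rule broken rather than just the first. The banned list, the thresholds and the rule names are constructed assumptions for illustration; a real deployment would seed the banned list from known-breached credential sets and the organisation’s own names and terms.

```python
import re

# Constructed banned list (assumption): in practice seed this from breached
# credential sets plus company/product names. Entries are stored in base form;
# _normalise() strips the "1!" / "2021" padding users bolt on to them.
BANNED_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "hutsix"}

MIN_LENGTH = 12   # favour length over forced character classes
MAX_LENGTH = 128  # allow passphrases but bound input to the hashing routine

# Rule identifiers returned to the caller (names are an assumption).
TOO_SHORT = "too short"
TOO_LONG = "too long"
BANNED = "on banned list"
CONTAINS_USERNAME = "contains username"
REPEATED_CHARS = "repeated characters"
SEQUENTIAL_CHARS = "sequential characters"


def _normalise(pw: str) -> str:
    """Lower-case and strip trailing digit/symbol padding so that
    'Password1!' is compared against the banned entry 'password'."""
    return re.sub(r"[\d!@#$%^&*._-]+$", "", pw.lower())


def _has_repeat_run(pw: str, run: int = 4) -> bool:
    """True if any single character repeats `run` or more times in a row."""
    return re.search("(.)\\1{%d,}" % (run - 1), pw) is not None


def _has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend or descend by one code
    point each, catching 'abcd', '1234' and '4321'."""
    lower = pw.lower()
    for i in range(len(lower) - run + 1):
        window = [ord(c) for c in lower[i:i + run]]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, username: str = "") -> list:
    """Return the list of policy rules the candidate breaks; [] means accepted.
    Rules are reported in a fixed order so callers can display them all."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(TOO_SHORT)
    if len(pw) > MAX_LENGTH:
        failures.append(TOO_LONG)
    if pw.lower() in BANNED_PASSWORDS or _normalise(pw) in BANNED_PASSWORDS:
        failures.append(BANNED)
    # Only compare usernames long enough to be meaningful; "al" would match too much.
    if len(username) >= 3 and username.lower() in pw.lower():
        failures.append(CONTAINS_USERNAME)
    if _has_repeat_run(pw):
        failures.append(REPEATED_CHARS)
    if _has_sequence(pw):
        failures.append(SEQUENTIAL_CHARS)
    return failures


if __name__ == "__main__":
    # Constructed sample candidates for a local run.
    for candidate, user in [("correct horse battery staple", "alice"),
                            ("Password1!", "alice"),
                            ("alice-Winter-2021", "alice")]:
        result = check_password(candidate, username=user)
        print(f"{candidate!r}: {'accepted' if not result else ', '.join(result)}")
```

The checker deliberately does not demand upper-case, digits or symbols: forced character classes push users towards predictable substitutions, while a banned list and a sensible minimum length do more to keep out the passwords attackers actually try first.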
Disaster Recovery Plan
Requiring input from cybersecurity and IT teams, as well as executive-level management, a disaster recovery plan should be developed as part of the larger business continuity policy.
Reserved for events and incidents which cause, or could potentially cause, extended interruptions of service, this policy should describe the procedures needed to recover systems, applications and data following a major ‘outage’.
Detailing instructions on how to respond to unplanned incidents, such as cyber-attacks, a disaster recovery plan is necessary for an organisation to be able to respond and return to normal operations as quickly as feasibly possible.
Remote Work Policy
It is hardly news to anyone that remote work, or working from home, has become extremely common in the past year, and as organisations have scrambled to reorganise and adapt to these uncertain times, having a remote work/access policy in place quickly became a necessity.
From how often and on what basis an organisation accepts employees working out of the office, to which roles can be fulfilled in this manner, a remote work policy may need some specific tailoring to individual employee needs.
Depending on the equipment, the working environment and the types of data or information employees are handling, drafting a remote work policy that meets your organisation’s needs requires some thought; but at a time when offices across the world are empty and the details of any ‘return to normality’ remain uncertain, security program policies regarding remote work have never been more essential.
Business Continuity Plan
A business continuity plan (BCP) needs to outline the coordinated efforts required to respond to a wide variety of threats to business continuity, ideally allowing an organisation to maintain its activities in the face of disruptive challenges.
Emergencies are unique to every organisation and come in many different forms, from existential threats to a business’s future, such as a serious ransomware attack, to less ‘security’-centric issues that require the strategic input of board-level stakeholders.
Communications Policy
Sometimes referred to as an email policy, a communications policy should formally set out to employees how an organisation’s chosen communication channels should be used.
Primarily dealing with what is considered acceptable and unacceptable use, a communications policy should ideally be crafted to mitigate the potential threats that channels such as email pose to an organisation (e.g., data breaches, spear phishing, malware).
From what information can be shared across which platforms or channels, to flagging, archiving and reporting procedures: when so many information security attacks and data breaches begin with a seemingly innocuous phishing email, the importance of a robust communications policy cannot be overstated.