Prototype of a policy

The DTI's recent Information Security Breaches Survey found that three out of four UK businesses have no security policy. Danny Bradbury offers a policy template for secure businesses, drawn from sources including a 1998 study by the US General Accounting Office and from UK security consultancy Tech-Connect.

General
Map risks to business resources

First, evaluate the potential risks, such as denial of service attacks, hacking, and theft of information by employees. You can only begin to develop a coherent security policy once you understand how each risk would affect your business.

Assess the potential impact of attacks
Evaluate the different areas of your business and analyse the impact on each should the various risks occur. Resources are limited, and many companies spend only a tiny percentage of their IT budget on security, so it is important to understand which areas of the business are most exposed so that you can allocate funds intelligently. Many project managers approach risk assessment by creating a grid with two axes - one measuring the probability of a risk occurring, the other the damage it could cause. Apply the same method to your business units or processes.

Establish a chain of responsibility
Define a central group to control and enforce security procedures. Consistency across the organisation is the key to a good security policy.

Establish a central authority for all aspects of security within your company including data security and physical protection. It is also important that you give the group the support and attention of senior management, ideally at board level. If the team is to be effective, proper funding is necessary. Changes to corporate policy could be unpopular so they need to be endorsed from the top.

Use an emergency response team
Create emergency response positions in the central group so that troubleshooters can contain the damage and fix the problem when a security incident occurs, and agree in advance who is called, and in what order.

Make business line managers accountable
Make it clear that your line-of-business managers are directly responsible for implementing and maintaining security procedures in their business units. This will make it easier to enforce any security procedures that your central control unit subsequently defines.

Encourage end-user responsibility
Put the onus on employees to manage their own security. Make sure that they are educated about security risks, and give them a clear set of guidelines to follow, spelling out the disciplinary implications should they fail to do so.

Enforce common security procedures
Different companies will doubtless have their own security needs, but there are nonetheless some common requirements that should be in effect, no matter what sector you work in.

Make back-ups
Take regular back-ups, and verify them by test-restoring on a regular basis: a back-up that has never been restored is not a back-up. Ideally, keep copies off-site in case of physical damage to the building, or burglary.

Conduct regular network scans
Make sure that you scan your network regularly, using a tool such as the popular SATAN (Security Administrator Tool for Analyzing Networks, www.fish.com/satan), and compare each scan with the previous one so that new or unexpected services stand out. Better still, pay for your network to be scanned by a security consultancy such as Internet Security Systems.
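To show what "scan regularly" means in practice, here is an added example (not code from the article or from SATAN) that performs a plain TCP connect scan and then compares the result with a baseline of sanctioned services, which is the check that turns a periodic scan into a control. The hosts, ports and baseline are assumptions; demo() opens two listeners on ephemeral loopback ports so that the example runs offline.

```python
"""Port scan against a baseline: an added example, not code from the original article."""
import socket


def scan_ports(host, ports, timeout=0.5):
    """Return the subset of `ports` on `host` that accept a TCP connection (a connect scan)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means connected; otherwise an errno
                open_ports.append(port)
    return sorted(open_ports)


def report_unexpected(found, expected):
    """Compare a scan with the sanctioned baseline: returns (unexpected, missing)."""
    found, expected = set(found), set(expected)
    return sorted(found - expected), sorted(expected - found)


def demo():
    """Listen on two ephemeral loopback ports, scan a window around them, compare with a baseline."""
    listeners = [socket.socket(socket.AF_INET, socket.SOCK_STREAM) for _ in range(2)]
    try:
        for s in listeners:
            s.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port (assumed loopback host)
            s.listen(5)
        ports = [s.getsockname()[1] for s in listeners]
        # Scan a small window around each listener so closed neighbours are exercised too.
        window = sorted({p + d for p in ports for d in range(-2, 3) if 0 < p + d < 65536})
        found = scan_ports("127.0.0.1", window, timeout=0.2)
        baseline = [ports[0]]   # pretend only the first service is sanctioned (assumption)
        unexpected, missing = report_unexpected(found, baseline)
        return {"listening": ports, "found": found, "unexpected": unexpected, "missing": missing}
    finally:
        for s in listeners:
            s.close()


if __name__ == "__main__":
    result = demo()
    print("open:", result["found"])
    print("not in baseline:", result["unexpected"], "missing from scan:", result["missing"])
```

Against a real network you would feed scan_ports() the address ranges and port list you care about and keep the previous scan's result as the baseline; the interesting output is the "unexpected" list, not the scan itself.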

Proactively manage accounts
Make sure that passwords are changed on a regular basis, and that they are not easily guessed: insist on a minimum length, require digits mixed into the password, and reject anything containing the user name or a common dictionary word. Note that current guidance such as NIST SP 800-63B no longer recommends forced periodic changes, preferring length and screening against lists of breached passwords, so weigh rotation against those controls.
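The rules above as an added example of a policy check (not code from the article): minimum length, a required digit, rejection of the user name (forwards or reversed) and of common words even when disguised with leet-speak substitutions, plus a screen against a breached-password list. The word list, the breached list and the thresholds are small constructed samples; a real deployment would load them from files.

```python
"""Password-policy check: an added example, not code from the original article."""
import hashlib
import re

MIN_LENGTH = 12   # assumed threshold

# Constructed sample dictionary; in practice load a real word list.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "company", "admin"}

# Constructed sample of breached passwords, kept as SHA-1 digests so the plaintexts
# never sit in the policy code (the same scheme the Pwned Passwords service uses).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1", "Summer2024!", "qwerty123456")
}

# Undo common leet-speak substitutions so "p@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "5": "s", "7": "t", "!": "i"})


def normalise(pw: str) -> str:
    """Lower-case the password and map leet characters back to letters."""
    return pw.lower().translate(LEET)


def check_password(password: str, username: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("contains no digit")
    norm = normalise(password)
    uname = username.lower()
    if uname and (uname in norm or uname[::-1] in norm):   # user name, forwards or reversed
        problems.append("contains the user name")
    for word in COMMON_WORDS:
        if word in norm:
            problems.append(f"contains the common word '{word}'")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a breached-password list")
    return problems


if __name__ == "__main__":
    for pw in ("Password1", "correct-horse-battery-9", "Xk9!htimsJ_pq24"):
        print(pw, "->", check_password(pw, "jsmith") or "ok")
```

The breach check hashes the candidate locally and compares digests, so the list can be distributed without the plaintexts; with the real Pwned Passwords service you would send only the first five hex characters of the digest and compare the returned suffixes.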

Manage staff departures
Allocate responsibility for terminating accounts and passwords when staff leave to a particular individual or group. Better still, employ a network directory system that can manage the employee lifecycle in a structured manner. When people join an organisation, accounts and passwords are created; when they leave, some are left operational if no one is in charge of termination. Such loopholes can be exploited by former staff, and if employees leave under a cloud this is particularly dangerous. Reconcile the directory against the HR leavers list regularly to catch accounts that slipped through.
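The reconciliation just described, as an added example (not code from the article): the HR roster and the directory export below are constructed samples, and the dormancy threshold and the convention that a service account is judged by its named owner are assumptions. In practice the roster would come from the HR system and the accounts from the directory, but the logic is the same.

```python
"""Orphaned-account detection: an added example, not code from the original article."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Person:
    username: str
    leaving_date: Optional[date]     # None = still employed


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]
    owner: Optional[str] = None      # set for service accounts: the responsible person


# Constructed HR roster as of the audit date
ROSTER = [
    Person("jsmith", None),
    Person("aharris", date(2024, 3, 31)),
    Person("bkumar", None),
]

# Constructed directory export
ACCOUNTS = [
    Account("jsmith", True, date(2024, 4, 10)),
    Account("aharris", True, date(2024, 4, 2)),          # leaver, still enabled and logging in
    Account("bkumar", True, date(2023, 9, 1)),           # employed but dormant
    Account("tmp-contractor", True, date(2024, 1, 5)),   # no HR record at all
    Account("svc-backup", True, date(2024, 4, 9), owner="jsmith"),    # owner still employed
    Account("svc-report", True, date(2024, 4, 9), owner="aharris"),   # owner has left
]

DORMANT_AFTER = timedelta(days=90)   # assumed threshold


def reconcile(roster, accounts, today):
    """Return {finding: [usernames]} for accounts that violate the joiner/leaver policy."""
    people = {p.username.lower(): p for p in roster}
    findings = {"leaver_enabled": [], "login_after_leaving": [], "no_hr_record": [],
                "service_owner_left": [], "dormant": []}
    for a in accounts:
        if a.owner is not None:                         # service account: judged by its owner
            owner = people.get(a.owner.lower())
            if owner is None or (owner.leaving_date and owner.leaving_date <= today):
                findings["service_owner_left"].append(a.username)
            continue
        p = people.get(a.username.lower())
        if p is None:
            findings["no_hr_record"].append(a.username)
            continue
        if p.leaving_date and p.leaving_date <= today:
            if a.enabled:
                findings["leaver_enabled"].append(a.username)
            if a.last_login and a.last_login > p.leaving_date:
                findings["login_after_leaving"].append(a.username)
            continue
        if a.enabled and (a.last_login is None or today - a.last_login > DORMANT_AFTER):
            findings["dormant"].append(a.username)
    return findings


if __name__ == "__main__":
    for finding, names in reconcile(ROSTER, ACCOUNTS, date(2024, 4, 15)).items():
        print(f"{finding}: {names}")
```

A login after the leaving date is reported separately from "still enabled" because it is the finding that needs an incident response, not just a disable.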

Hardware and software configuration
Ensure that your firewalls are configured properly, opening only the ports your services need and denying everything else by default. Make sure that they log incoming and outgoing access, and that someone actually reviews the logs.

Switch on security options in hardware and software. Most wireless LANs ship with the WEP security protocol disabled, for example, and even when enabled WEP has well-known cryptographic weaknesses, so treat it as a minimum rather than a safeguard. Often, software is configured with security options off to make it more user-friendly. Turn them on.

Use security auditors to evaluate the configuration of your hardware and software, and assess possible security flaws in your infrastructure.

Monitor your security policy
Change your policy as necessary. Above all, your security policy must be iterative. Review the potential risks, and their impact on your business, on a regular basis.

Evaluate success
Evaluate the success of your security procedures and use them to hold staff accountable. Also, keep track of new techniques and tools for monitoring your system security, because outside attackers certainly will. Include security in employee and manager performance reviews.

Users
Educate your users
Enforce a rule that if anyone's password is found written down anywhere in the office, everyone in the company will change their passwords. It will hammer home the importance of protecting passwords.

Make sure that users are briefed about social engineering attacks. Warn them never to give passwords to anyone in the organisation, even if they claim to be from the systems department.

Make your policy on the use of e-mail and Web surfing clear, detail the types of information that may not be sent online, and the types of Web site that may not be visited. Put it all in the employee handbook and induction sessions.

Reinforce security policies by distributing them to employees via media such as start-up screens.

Physical security
Lock away servers and restrict access to the IT room.

Strip workstations to their bare essentials - remove floppy and other removable-media drives from systems that do not need them, so that data cannot be carried out and unapproved software cannot be carried in.

Protect potentially sensitive corporate information by making sure that it is well secured, and render unreadable any physical equipment that is being discarded. Make sure that computer hard drives are erased before disposal using specialist software that overwrites every sector (a high-level reformat only rewrites the file system structures and leaves the data recoverable), and shred or otherwise destroy any paper-based information that you throw out, including equipment manuals.

Change control procedures
When any change to hardware or software is made, security-test it first.

Check for patches to operating systems and applications on a regular basis. Be sure that they have been tested first, ideally on a test system of your own and by consulting other customers via newsgroups, for example, because patches have been known to introduce system problems as well as solve them.

Separate Web servers from the network
Web servers with publicly accessible content should be placed in a separate zone (a demilitarised zone, or DMZ) that is not directly connected to the internal network. Ideally, information needed from databases should be fetched by server-side scripts over a tightly controlled connection, so that the database itself is never reachable from the Internet.

Protect e-mail from attachments and scripts
Either configure client e-mail systems to reject attachments and embedded scripts, or configure a server to inspect incoming and outgoing e-mails for these risks. Judge attachments by their content as well as their file name, since an executable can simply be renamed to look harmless.
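An added example (not code from the article) of the server-side inspection just described, using only the standard library's email package. It blocks attachments by extension, catches an executable renamed to a harmless extension by looking at its content, and flags HTML parts that carry script. The blocked-extension list and the sample message are constructed assumptions.

```python
"""Mail attachment and script filter: an added example, not code from the original article."""
import os
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Assumed policy: extensions that are never accepted as attachments.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com",
                      ".vbs", ".js", ".jse", ".wsf", ".hta"}
SCRIPT_RE = re.compile(r"<\s*script\b|javascript:|vbscript:", re.IGNORECASE)
MAGIC_MZ = b"MZ"   # header of a DOS/Windows executable


def inspect_message(raw: str) -> list[str]:
    """Return one finding per risky part; an empty list means the message passes."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue                                # containers carry no content of their own
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        ext = os.path.splitext(filename.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"{filename}: blocked attachment type {ext}")
        elif payload.startswith(MAGIC_MZ):          # executable content behind a harmless name
            findings.append(f"{filename or ctype}: executable content despite the name")
        if ctype == "text/html":
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            if SCRIPT_RE.search(text):
                findings.append(f"{filename or ctype}: embedded script")
    return findings


def build_sample() -> str:
    """Constructed test message: HTML body with script, a .exe, a renamed .exe and a clean text file."""
    msg = MIMEMultipart("mixed")
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "user@example.com", "Invoice"
    alt = MIMEMultipart("alternative")
    alt.attach(MIMEText("Please see the attached invoice.", "plain"))
    alt.attach(MIMEText("<html><body>Please see <script>window.location='http://example.com/'"
                        "</script></body></html>", "html"))
    msg.attach(alt)
    fake_exe = b"MZ\x90\x00" + b"\x00" * 16          # constructed bytes with an executable header
    for name in ("invoice.pdf.exe", "readme.txt"):
        part = MIMEApplication(fake_exe, Name=name)
        part["Content-Disposition"] = f'attachment; filename="{name}"'
        msg.attach(part)
    notes = MIMEText("Meeting notes", "plain")
    notes["Content-Disposition"] = 'attachment; filename="notes.txt"'
    msg.attach(notes)
    return msg.as_string()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```

The content check is deliberately separate from the extension check: the extension list stops the obvious cases cheaply, and the header check catches the case the list cannot.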

Protect mobile data
Protect data held on laptops and personal digital assistants by encrypting it, and by instructing users in basic security techniques such as not leaving laptops unattended in public places. If possible, minimise the amount of sensitive information stored on laptop computers.
