One of the most common recommendations I hear in the information security industry is ‘the first thing you need to do is create an information security policy’: a set of principles or actions designed to protect information (a definition based loosely on the dictionary definition). That sounds simple enough, but the devil is in the detail.
Mistake No.1 – Focusing on prescriptive detail
When I see a massive information security policy document I get very concerned. A good information security policy is not a large document and too much specific control detail is a recipe for disaster.
A good information security policy framework will include three basic layers:
Core principles, such as segregation of duties and duty of care, and the key security responsibilities within the organisation should form the foundation of the policy document. Supporting documents should refer to the core processes required to analyse and define optimal security, such as risk assessment using data sensitivity analysis and control matching techniques.
Specific standards and guidelines should only be created where they are actually required and on a priority basis. For example, why spend the time to create and distribute specific standards around password management for an application that doesn’t store sensitive information?
Being audited for process compliance is pain-free compared to being audited against specific control statements. For example, an auditor cannot be critical of a weak control you have deemed appropriate for an application if you can demonstrate that you have analysed the sensitivity of information, found the information to be of low sensitivity and put in place matching low-strength controls. The audit must focus on the process used to select the control rather than the strength of the control itself.
Mistake No.2 – Top-down approach
Having reviewed the information security policies for a number of organisations, I often see a document with main headings and basic content copied straight from ISO27002.
Apart from the fact that the standards themselves have some serious issues (a topic of previous blogs), this approach fails to consider the specific risk profile of each organisation. The standards consist of a smorgasbord of suggestions that are not tailored to any particular organisation. For example, ‘password use’ refers to a minimum length of password, password rules etc. It is unlikely that these generic control suggestions are actually matched to the organisation’s security profile: some systems may require strong passwords, others will not.
In other words, it is impossible to determine what the appropriate guidelines should be without first understanding the sensitivity of the information and the risk tolerance profile of the organisation. A data-up, not top-down, approach will give a much better result.
Mistake No.3 – The Security Police
Many organisations have a prescriptive approach, where they try to enforce or police a set of standards within the organisation. The policy or standard may include password rules, clean desk and so on, and will state “this is what you have to do and lack of compliance may be grounds for dismissal.” Prescriptive top-down information security policies are not flexible or cooperative, and do not get the best results, as people feel they are being policed rather than supported. Management believes that because they have an information security policy in place, they are covered. The reality is that security is implemented poorly as the business finds work-arounds, or they ignore the policy, leading to a poor information security culture and the exposure of data.
So what is the answer?
The only way to have good information security is a federated approach where the security team directly assists the business and the business itself actively encourages an effective information security culture.
For example, when employed as an information security manager, I worked very closely with the business and tried to encourage the idea that information security was there to help the business and not to police it. As a result of this good working relationship the business voluntarily reported to information security whenever they thought they had an issue, so they were the eyes and ears ‘in the field’. The business reported an anomaly which didn’t make sense to them, information security investigated and we identified a fraud in progress. We would never have found it if we were just acting as police, as it was not something that the information security policy would have identified. Identifying the fraud relied on cooperation with the business, their understanding of how their business worked and their reporting of the anomaly.
Information security needs to empower the business and the business needs to understand that information security is there to help them. A data or business up, not policy down, approach is required.