Friday 17 April 2015

Making Effective Information Security Policy


I have been working in information security for the last 9 years, and my general observation is that most people do not like documentation: they think "documentation is not their cup of tea" and that it requires a different skill set. Many people are good at the practical work, e.g. conducting information security audits, verifying records, identifying new or unknown risks, technology review audits, etc.

To give you some perspective: in the field of information security, documentation skill is what makes you an "end-to-end professional". In my view, none of the information security activities can start unless there is a defined information security policy. Documentation skill gives you the opportunity to convert "management thinking" into "line items".

I have listed the key information security policies and the key considerations to keep in mind while designing each one.
  1. Information Security Policy
    • Management’s commitment towards information security
  2. Information Security Risk Management
    • Define the objective and scope of risk management
    • How information criticality shall be evaluated
    • Which parameters shall be identified to arrive at a risk value, e.g. threat, likelihood, vulnerability, etc.
    • Define how the risk value shall be calculated
    • What the acceptable level of risk is
  3. Information Classification
    • Define the information classification scheme, e.g.
        i. Strictly confidential
        ii. Confidential
        iii. Internal
        iv. Public
    • Minimum protection requirements for each classification level
    • User awareness of the classification scheme and its protection requirements (information handling requirements)
    • Information labelling
  4. Organization of Information Security
    • Set up an information security steering committee
    • Set up an InfoSec team
    • Define roles and responsibilities for the steering committee and the InfoSec team
    • Define the frequency and agenda for IS steering committee meetings
  5. Human Resources
    • Background check prior to joining
    • Communicate IS roles and responsibilities on the first day of joining and take the employee’s acknowledgement
    • Periodic information security refresher training
    • Sign the organization’s terms and conditions
  6. Information Backup
    • Prepare a backup plan which defines what information to back up, where to back it up, the backup frequency and the information owner
    • Offsite backup requirement
    • Secure transportation between the primary site and the offsite backup location
    • Encryption of backup media
    • Backup reconciliation (verify that what was backed up matches the plan, and that it can actually be restored)
  7. Change Management
    • Define what a change is and the types of changes
    • How to raise a change request / change request template
    • Who should approve a change request
    • Define emergency changes
    • Test the changes
    • Communicate the changes being made to the affected users
  8. Malicious Code Policy
    • Central anti-virus solution
    • Installed on every desktop, laptop, server and mobile device
    • Regular anti-virus signature updates
    • Weekly anti-virus report to the IT team
    • Prevent users from disabling or changing anti-virus settings
    • Daily/weekly full system scan for viruses/malware
    • Disable USB/CD/DVD drives
    • Scan third-party devices before connecting them to the organization’s network
  9. Network Security
    • Firewall between the internal network and the external world
    • Only specific ports open on the firewall, based on business requirements
    • Regular firewall rulebase review
    • Change management to be followed for any change to the firewall
    • Periodic VAPT (vulnerability assessment and penetration testing)
    • Firewall hardening to protect the network from malicious attacks/hacking
    • Regular patching
    • Redundancy
  10. Server OS Security Policy
    • Strong authentication policy
    • Access requirements, e.g. who should have access to the server
    • Server hardening
    • Patch management
    • High availability / redundancy requirements
  11. Log Monitoring Policy
    • Identify critical servers to monitor
    • Configure audit logs as per industry best practice
    • Implement a central log server which pulls logs from all critical devices
    • Dedicated log monitoring team
    • Read-only access to logs for administrators (so that those being monitored cannot alter the record)
    • Monitor administrators’ logs
    • Incident management process
  12. Third Party / Service Level Policy
    • NDA and confidentiality agreement with the third party
    • Third party’s capability and skills with respect to information security
    • Information security benchmark
    • Right to audit
  13. Physical Security
    • Physical perimeter security
    • Access control to the facility and the data center
    • Sufficient power supply with UPS and DG set
    • Firefighting equipment, e.g. smoke detectors, fire extinguishers, water detectors, water sprinklers, FM200 for the data center, etc.
    • Regular preventive maintenance for facility management equipment
  14. Access Control
    • How to raise a request for access
    • Approval from the information owner
    • Access control matrix or levels
    • Regular access reconciliation
    • Restrict administrator access to a limited set of users
  15. Business Continuity
    • Business impact analysis
    • RPO and RTO
    • Critical business requirements to be made available from DR
    • Periodic DR drill
    • Share findings with the IS steering committee
  16. Information Security Incident Management
    • Define what an incident is
    • Create awareness of what an incident is
    • Incident reporting channel
    • Who can report an incident (generally any user should be able to report one)
    • Maintain the privacy of users who have raised an incident
    • Incident analysis and evidence gathering
    • Disciplinary actions
    • Preserve evidence and take corrective actions
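Of all the points above, the access control items (owner approval, an access control matrix, regular access reconciliation, a limited set of administrators) are the easiest to turn into a repeatable check rather than a statement that only lives in the policy. The Python script below is an added example and is not code from the original post: it reconciles three constructed inputs (an HR roster of active users, the owner-approved access matrix, and an export of the accounts actually present on each system) and reports leavers who still have accounts, accounts with no approval on file, roles that differ from what was approved, approvals with no matching account, and systems with more administrators than policy allows. Every user, system, role, approver and the admin limit is hypothetical.

```python
"""Access reconciliation: compare approved access against what actually exists.

Added example for the Access Control policy items above; it is not code from
the original post. All users, systems, roles and approvers are constructed
for illustration. In practice the three inputs would come from the HR system,
the access request/approval records and an export of each system's accounts.
"""
from collections import Counter, namedtuple

Approval = namedtuple("Approval", "user system role approver")
Account = namedtuple("Account", "user system role")

# Constructed HR roster of currently active employees (hypothetical).
ACTIVE_USERS = {"asmith", "bjones", "ckhan", "dlee", "fgarcia"}

# Constructed access control matrix: one row per entitlement approved by the
# information owner (hypothetical).
APPROVED_ACCESS = [
    Approval("asmith", "hr-db", "reader", "hr-owner"),
    Approval("bjones", "hr-db", "admin", "hr-owner"),
    Approval("ckhan", "hr-db", "admin", "hr-owner"),
    Approval("evans", "hr-db", "reader", "hr-owner"),  # approval still on file, but evans has left
    Approval("dlee", "fileserver", "reader", "it-owner"),
    Approval("asmith", "fileserver", "reader", "it-owner"),  # approved, account never created
]

# Constructed export of accounts actually present on each system (hypothetical).
ACTUAL_ACCOUNTS = [
    Account("asmith", "hr-db", "reader"),
    Account("bjones", "hr-db", "admin"),
    Account("ckhan", "hr-db", "admin"),
    Account("evans", "hr-db", "reader"),         # leaver whose account was never removed
    Account("dlee", "fileserver", "admin"),      # approved as reader, provisioned as admin
    Account("fgarcia", "fileserver", "reader"),  # no approval on record
]

# Policy parameter (assumed value): how many administrators a system may have.
MAX_ADMINS_PER_SYSTEM = 1


def reconcile(active_users, approved, actual, max_admins=MAX_ADMINS_PER_SYSTEM):
    """Return a dict of findings; each value is a sorted list of tuples."""
    approved_by_key = {(a.user, a.system): a for a in approved}
    actual_by_key = {(a.user, a.system): a for a in actual}

    findings = {
        "leaver_accounts": [],      # account held by someone not on the HR roster
        "unapproved_accounts": [],  # no owner approval for this user on this system
        "role_mismatch": [],        # provisioned role differs from the approved role
        "stale_approvals": [],      # approval on file but no account exists
        "excess_admins": [],        # more admin accounts on a system than policy allows
    }

    for (user, system), account in actual_by_key.items():
        if user not in active_users:
            findings["leaver_accounts"].append((user, system))
        approval = approved_by_key.get((user, system))
        if approval is None:
            findings["unapproved_accounts"].append((user, system))
        elif approval.role != account.role:
            findings["role_mismatch"].append(
                (user, system, f"approved={approval.role} actual={account.role}")
            )

    for key in approved_by_key:
        if key not in actual_by_key:
            findings["stale_approvals"].append(key)

    admins_per_system = Counter(a.system for a in actual if a.role == "admin")
    for system, count in admins_per_system.items():
        if count > max_admins:
            findings["excess_admins"].append((system, count))

    return {name: sorted(items) for name, items in findings.items()}


def is_clean(findings):
    """True when the reconciliation produced no findings at all."""
    return not any(findings.values())


if __name__ == "__main__":
    result = reconcile(ACTIVE_USERS, APPROVED_ACCESS, ACTUAL_ACCOUNTS)
    for name, items in result.items():
        for item in items:
            print(f"{name}: {item}")
    print("clean" if is_clean(result) else "action required")
```

Each finding maps back to a policy line: a leaver account is an HR/joiner-leaver failure, an unapproved account or a role mismatch is a failure of "approval from the information owner", a stale approval is a matrix that no longer reflects reality, and excess admins breaks "restrict administrator access to a limited set of users". Running this on a schedule, and keeping the output, is what makes "regular access reconciliation" a record rather than a promise.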

Every organization has unique requirements; adopt your organization’s philosophy and the key points mentioned above to frame good information security policy statements.

Let’s take an example from one of the above key points.

Policy document: Information Security Incident Management (the last point in the list above)

Key point: Incident analysis and gathering of evidence

Let’s make a good statement which suits the organization’s philosophy. See below.

The organization’s information security team shall take ownership of incident analysis and shall gather the evidence for each reported incident.

Keep the following philosophy in mind while you are documenting:
"Document what you DO" and then "DO what you have DOCUMENTED"


I hope this is useful.

