I have been working in Information Security for the last 9 years; my general
observation is that most people do not like documentation because they
think "Documentation is not my cup of tea and it needs a different skill set".
Many people are good at the practical side, e.g. conducting information
security audits, verifying records, identifying new or unknown risks, technology
review audits etc.
To give you a perspective, in the field of information security,
documentation skill is what makes you an "End to End Professional". In my view none of
the information security activities can start unless there is a defined
information security policy. Documentation skill gives you the opportunity to
convert "Management Thinking" into "Line Items".
I have listed the key Information Security Policies and the key considerations to keep in mind while designing an IS policy.
- Information Security Policy
  - Management's commitment towards information security
- Information Security Risk Management
  - Define the objective and scope of risk management
  - How information criticality shall be evaluated
  - What parameters shall be identified to arrive at a risk value, e.g. threat, likelihood, vulnerability etc.
  - Define how the risk value shall be calculated
  - What the acceptable level of risk value is
- Information classification
  - Define the information classification scheme, e.g.
    i. Strictly confidential
    ii. Confidential
    iii. Internal
    iv. Public
  - Minimum protection requirement for each information classification level
  - User awareness on information classification and protection requirements (information handling requirements)
  - Information labeling
- Organization of Information Security
  - Set up an information security steering committee
  - Set up an InfoSec team
  - Define roles and responsibilities for the steering committee and the InfoSec team
  - Define the frequency and agenda for IS steering committee meetings
- Human Resources
  - Background check prior to joining
  - Communicate IS roles and responsibilities and take acknowledgement on the first day of joining
  - Periodic information security refresher training
  - Sign the organization's terms and conditions
- Information backup
  - Prepare a backup plan which defines "What information to back up", "Where to back up", "Frequency of backup" and the information owner
  - Offsite backup requirement
  - Secure transportation between the primary site and the offsite backup location
  - Encryption
  - Backup requirement reconciliation
- Change Management
  - Define what a change is, and the types of changes
  - How to raise a change management request / change management template
  - Who should approve a change management request
  - Define emergency change
  - Test the changes
  - Communication to relevant users about the changes being done
- Malicious code Policy
  - Central Anti-Virus solution
  - Install on every desktop, laptop, server and mobile device
  - Regular Anti-Virus signature updates
  - Weekly Anti-Virus report to the IT Team
  - Restrict users from disabling antivirus settings
  - Daily/weekly full system scan for viruses/malware
  - Disable USB/CD/DVD drives
  - Scan third party devices before connecting them to the organization's network
- Network Security
  - Firewall between the internal and external world
  - Only specific ports open on the firewall, based on business requirements
  - Regular firewall rulebase review
  - Change management to be followed for any change to the firewall
  - Periodic VAPT
  - Firewall hardening to protect the network from malicious attack/hacking
  - Regular patching
  - Redundancy
- Server OS Security Policy
  - Strong authentication policy
  - Access requirement, e.g. who should have access to the server
  - Server hardening
  - Patch management
  - High availability requirement / redundancy
- Log monitoring policy
  - Identify critical servers to monitor
  - Configure audit logs as per best industry practice
  - Implement a central log server which pulls logs from all critical devices
  - Dedicated log monitoring team
  - Read-only access for admins
  - Monitor administrators' logs
  - Incident management process
- Third party / service level policy
  - NDA and confidentiality agreement with third parties
  - Third party's capability and skill with respect to information security
  - Information security benchmark
  - Right to audit
- Physical security
  - Physical perimeter security
  - Access control to the facility and data center
  - Sufficient power supply with UPS and DG set
  - Fire fighting equipment, e.g. smoke detectors, fire extinguishers, water detectors, water sprinklers, FM200 for the data center etc.
  - Regular preventive maintenance for facility management equipment
- Access control
  - How to raise a request for access
  - Approval from the information owner
  - Access control matrix or levels
  - Regular access reconciliation
  - Restrict administrator rights to a limited set of users
- Business continuity
  - Business impact analysis
  - RPO and RTO
  - Critical business requirements to be made available from DR
  - Periodic DR drill
  - Share findings with the IS steering committee
- Information Security incident management
  - Define what an incident is
  - Create awareness on "What is an incident"
  - Incident reporting channel
  - Who can report an incident (generally any user should be able to report an incident)
  - Maintain privacy for users who have raised an incident
  - Incident analysis and evidence gathering
  - Disciplinary actions
  - Preserve evidence and take corrective actions
Every organization has unique requirements; adopt the organization's philosophy and the key points
(mentioned above) to frame "Good information security policy statements".
Let's take an example from one of the above key points.
Policy Document: Information Security Incident Management (Point no 15 Above)
Key point: Incident analysis and evidence gathering
The organization's information security team shall take
ownership of incident analysis and shall gather the evidence for the reported
incident.
Keep the below philosophy in mind while you are doing documentation:
"Document what you DO" and then "DO what you have DOCUMENTED"
Hope this is useful.