Potted history and context
Not too long ago (in my mind), in the 1980s, the software revolution was in full swing. The personal computer had been invented and the enterprise was discovering the benefits of in-house software for number crunching and for sharing information rapidly. It seemed that all you had to worry about, from a security perspective, was making sure your premises were secure at night.
In the 1990s we all became connected via the Internet, and businesses with a particular need for robust security would often ignore this new connectivity, perhaps restricting interactions to internal use only.
Over time it became harder to ignore email, but the usual strategy was still to ring-fence your core business information assets and put a reasonable set of policies in place. These covered permitted software, how email should be used and so on. At one time, email was treated like a fax machine: just one PC in the corner of an office.
As access management became more sophisticated and networks more diverse, technical security measures (firewalls and anti-virus software) became more robust. Enterprises were learning that they needed IT policies that both protected their systems and allowed swift recovery in the event of an incident.
Mobile changes everything
The ring-fence strategy became somewhat challenged when mobile devices entered the equation. As well as securing the office, businesses had to consider whether, and how, to allow remote access to data from smartphones and tablets. With more flexible staff working patterns (flexible hours, working at home, catching up whilst on the move), a flexible IT system became a requirement for many enterprises.
The proliferation of Wi-Fi became another security concern. The problem with traditional ring-fencing is that it is more like a brick wall than a gateway, and if businesses do not address this, savvy staff will simply bypass the IT department and implement their own solutions. Before you know it, sensitive company data is being stored in users’ personal cloud accounts and exchanged over insecure “coffee shop” Wi-Fi networks.
More recently we have moved into the realm of relying upon third parties to manage and access our data (both business and personal), and in this age of frequent security breaches this has become a huge concern. We would not, for example, recommend that employees sign in to Office apps with their Facebook password: a credential shared with, or reused from, a third-party service is only as safe as that service.
Add to this the existence of professional attackers, in some cases sponsored by foreign states, and a robust security system with appropriate policies becomes an absolute necessity.
SCA Group fits into this mix by supporting the in-house IT teams of enterprise businesses, providing expert advice for all, or a specialised part of, the overall IT solution. Although we are largely discussing enterprise-level solutions in this article, the same principles apply to all businesses…
Policies, Standards and Procedures
Most organisations will define a set of policies, standards and procedures governing how IT should be deployed and used within the business. This is where the security policy meets the business goals, the company’s strategic plan and overall vision. There is likely to be an Information Security Policy, which is the set of rules for the protection of the company’s information assets.
The Information Security Policy
This is an executive-level document that sets the strategic direction and scope of all security efforts. It is a guide to the development, implementation and management of the security system. It would normally be written by, or on behalf of, the Chief Information Officer (CIO). Three types of policy are commonly distinguished:
- Enterprise information security policies (EISP)
- Issue-specific security policies (ISSP)
- Systems-specific security policies (SysSP)
The Enterprise Policies should cover items such as:
- Statement of purpose
- IT security roles and responsibilities
- Data breach response
- Disaster recovery
- Clean desk policy
Issue-specific policies address particular areas of technology and are documents that may need frequent updating. They would cover:
- Use of company owned networks and the Internet
- Use of electronic mail & collaborative tools
- Specific minimum configurations to defend against malware and other threats
- Home use of company equipment such as laptops or tablets
- Use of personal equipment on company networks
System-specific policies cover the issues not addressed in the other policy documents, such as:
- Detailed technical specifications
- Technical controls
- Access control lists and access control matrices
- Configuration rules
It may well be that you have to (or opt to) comply with industry standards and frameworks such as ISO/IEC 27001, or even military-grade standards. Smaller businesses can also use schemes like the UK government’s Cyber Essentials. Whichever standards apply, the choice and the evidence of compliance should be documented too.
If you need a helping hand you should be able to find examples of IT policies or speak to us, of course.
Creating your policy
Writing a policy is only the first step. There should, of course, be a plan to ensure that staff are trained and educated in the use of the policy. It is useful to run awareness campaigns and to perform regular checks to confirm that staff fully understand, and are complying with, the defined policies. It is equally important that the technical team holds regular reviews to catch up on any changes. The policies should also take account of the future: the expected introduction of technology upgrades, new operating systems, replacement of equipment, company growth and so on.
A really good example of a security awareness campaign around social engineering is KnowBe4’s info sheet, designed as both an education piece and a reference guide. You can download a copy direct from KnowBe4: https://info.knowbe4.com/hs-fs/hub/241394/file-26212286.jpg
Security policy is an area where SCA Group can add significant value. We do arrange regular review meetings with our Enterprise clients and with our foresight and expertise we can help ensure that all bases are covered.
We hope that we have given you some food for thought, even if only as a review of your current good practices. We are always willing to partner with Enterprise organisations and see how we can help them become even more secure.
For more information please contact us or reach out directly – firstname.lastname@example.org