Policies and Procedures

For both private and public organizations, the idea of implementing an information security program to protect your data from threats such as ransomware, denial of service, and phishing attacks can be overwhelming. Where do you start? Do you first install technical IT security countermeasures to protect your data from outside cyber-attacks, do you start training your staff on security awareness practices to address internal vulnerabilities, do you implement emergency management or business continuity plans to ensure you are ready to deal with a data breach incident or do you immediately invest in a Security Operations Centre (SOC) service to constantly monitor your systems and data for active threats? Unless you are extremely confident that you have 'pin-pointed' your most serious vulnerabilities it can be difficult to know where to start.

With this in mind, one consideration is to first establish a solid governance framework of targeted policies and procedures that will guide consistent execution of your information security priorities and commitments. It can be argued that once internal processes are in place to address internal vulnerabilities, the value of investments in more technical countermeasures will be maximized. While there are differing views on which specific policies and procedures are required to support an information security program, the following examples can be used as a reference for organizations serious about protecting their information.

  1. An Overarching Information Security Policy

The success of an information security program begins with the establishment of an 'organization-wide' policy that guides corporate efforts on this issue and communicates the following:

  • A commitment from the top that information security is a priority.
  • Why this is important to the organization and everyone within the organization.
  • An end-state 'vision' of where management strives to be with this priority.
  • How the organization will achieve this end-state.
  • An outline of the scope and key components of the information security program.
  • The roles, responsibilities and expectations of staff and key players involved in delivering the program.
  • Expectations and rules regarding the use of social media.
  • Secure password practices.
  • Requirements for two-factor authentication.

  2. Procedures for Handling Sensitive Information

How an organization and its employees process electronic and non-electronic information is where the 'rubber hits the road'. Without procedures in place to properly handle information, problems will occur. It is essential that procedures are developed, and training is conducted, to ensure everyone is clear on the parameters covering how to securely collect, transport, access, transmit and share information. These procedures should also address proper archiving, storage and destruction processes, and provide guidelines on the use of portable storage devices.

  3. A Remote Work Policy

The increase in working from home or from public locations requires a specific focus for organizations to manage the risks posed by this new dynamic. A Remote Work Policy is intended to outline expectations for employees and contractors regarding remote and work-from-home situations, to ensure that the unique information security risks posed by these situations are addressed. Examples of specific content for this policy include measures for using public Wi-Fi or home Wi-Fi, enhanced Wi-Fi password protections, rules for storing confidential information at home, the use of laptops with encrypted hard drives, and a requirement to use Virtual Private Networks (VPNs) to protect data against the increased risks posed by using Wi-Fi.

  4. Technology / Equipment Usage Policy

This policy is intended to outline the expectations of employees and contractors regarding the issuance, use, protection and management of corporate technical assets and equipment, to best support information security. It can set out specific provisions regarding the use of corporate equipment, such as prohibiting employees or contractors from downloading software from insecure Internet sites, performing local installations without a valid license, pirating software, or bringing in personal software without authorization.

Castellan Information Security is a Winnipeg-based 'end-to-end' information security company that specializes in information security and has worked with both large and smaller private and public organizations to help them reach their information security objectives. If you have questions about this article or would like to speak to us about how our services can help your company protect its information, please feel free to have a look at our website at www.castellaninformationsecurity.com or contact us directly at info@castellaninformationsecurity.com.
