Why Your Organization Needs Security Policies
February 2022 | Michael Wetherald

What is a Security Policy?

A security policy defines what is and is not to be done to protect your organization from cybersecurity threats. A well-defined policy must be realistic to implement and enforceable.

It is important to keep in mind that a security policy defines what is to be done, not how. The how is defined in procedures, which are more likely to change as the environment or circumstances change.

What are the Benefits of a Security Policy?

A well-written security policy lets employees know what is and isn't allowed within your organization. These policies should be measured and tailored to your organization's risk tolerance, and should prioritize protection against high-impact cybersecurity risks.

A security policy gives your security staff the authority to take the actions necessary to protect the organization. Sometimes these decisions go against the wishes of end users, and a well-defined, enforceable policy gives your staff the backing to act anyway.

Aspects of a Security Policy

Security policies are going to be unique to each organization, but including the following aspects is a good place to start.

Purpose: What are the overarching goals/reasoning for the policy?

Scope: Identify who or what is covered by this policy. Is it for everyone? Is it for a particular type of host?

Policy: This is the actual statement of policy. What is to be done? What isn't allowed?

Actions: Specify what actions are related to this policy, and when they are to be performed.

Penalties for Non-Compliance: What happens when this policy is violated?

Responsibilities: Who is responsible for the previously defined actions? Who is responsible for enforcing the policy?

Example Security Policy

Let's go through an example policy for a hypothetical customer.

Purpose: The purpose of this policy is to limit the risk that comes with insecure passwords in the environment. Insecure passwords are low-hanging fruit for adversaries to cause damage to our organization.

Scope: This policy applies to all users, accounts, and hosts in the environment.

Policy:

  • All default passwords must be changed before being deployed in the environment.
  • Passwords must not be reused.
  • All passwords must be greater than 12 characters long and randomly generated.
  • All passwords must expire no more than 90 days after their last update.

Actions:

  • Staff responsible for creating new accounts will use a randomly generated password.
  • All staff will update their password at least every 90 days.
  • System administrators will update security configurations to ensure passwords expire no more than 90 days after their last update.
  • System administrators will ensure when deploying new services and hosts that they update any default passwords.
  • Security staff will frequently scan for default and insecure passwords on all systems and accounts.
  • Security staff will review all found insecure passwords to determine how they came to be before updating the passwords. Any indications of intentional circumvention will be reported to HR and the employee's manager for review.

Penalties for Non-Compliance: Typical violations of this policy are incidental and will be remediated by IT staff. Employees who intentionally circumvent any of these policies will be reprimanded and, in the event of repeated warnings and violations, may be terminated.

Responsibilities: System administrators are responsible for ensuring that new accounts and hosts are configured with secure passwords and with security settings that require updates within 90 days. Security staff are responsible for scanning the environment for default and insecure passwords, and for notifying HR and management in the event of intentional circumvention. HR staff are responsible for reviewing violations of this policy and determining whether warnings, reprimands, or termination are appropriate.
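The password rules in the example policy above are concrete enough to enforce in code, and the "Actions" section names two places to do so: when a password is created (so non-compliant passwords never enter the environment) and during the periodic scans security staff run over existing accounts. The following is an added example and not code from the original post or from Viam; it assumes a simple in-memory account inventory, PBKDF2 as the password hash, and a constructed list of three default credentials (a real scanner would load a vendor list). It checks every rule that can be checked from the data (length greater than 12, not a default, not reused, not older than 90 days); "randomly generated" cannot be verified from a password value alone, so it is enforced procedurally rather than here.

```python
"""Policy-as-code for the example password policy (added example, not the post's own code).

Two enforcement points, written from the defender's side:
  1. validate_new_password(): run when a password is set, so non-compliant
     passwords never reach the environment (length, default list, reuse).
  2. audit_accounts(): a periodic scan over stored account metadata that flags
     expired passwords and hashes that match a known default credential.
Passwords are never kept in plaintext; reuse and default detection compare
salted PBKDF2 hashes in constant time.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH = 12       # policy: "greater than 12 characters long"
MAX_AGE_DAYS = 90     # policy: "expire no more than 90 days after last update"
PBKDF2_ROUNDS = 100_000
# Constructed sample of vendor/default credentials to detect (assumption, not a real list).
DEFAULT_PASSWORDS = ["admin", "password", "changeme"]
AUDIT_DATE = date(2022, 2, 1)   # "today" for the constructed demo data


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    last_changed: date
    previous_hashes: list = field(default_factory=list)  # history kept for the reuse rule


def validate_new_password(candidate: str, account: Account) -> list:
    """Return the policy rules a candidate password violates (empty list = compliant)."""
    violations = []
    if len(candidate) <= MIN_LENGTH:
        violations.append(f"length {len(candidate)} is not greater than {MIN_LENGTH}")
    if candidate.lower() in DEFAULT_PASSWORDS:
        violations.append("matches a known default password")
    new_hash = hash_password(candidate, account.salt)
    history = [account.pw_hash, *account.previous_hashes]
    if any(hmac.compare_digest(new_hash, old) for old in history):
        violations.append("password was used before on this account")
    return violations


def audit_accounts(accounts: list, today: date) -> dict:
    """Periodic scan: map each non-compliant account name to its findings."""
    findings = {}
    for acct in accounts:
        issues = []
        age = (today - acct.last_changed).days
        if age > MAX_AGE_DAYS:
            issues.append(f"password is {age} days old (max {MAX_AGE_DAYS})")
        # Default detection against a salted hash: recompute each default with the
        # account's own salt and compare in constant time.
        for default in DEFAULT_PASSWORDS:
            if hmac.compare_digest(hash_password(default, acct.salt), acct.pw_hash):
                issues.append("hash matches a known default password")
                break
        if issues:
            findings[acct.name] = issues
    return findings


def make_account(name: str, password: str, last_changed: date) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, hash_password(password, salt), last_changed)


def sample_accounts() -> list:
    """Constructed inventory: one violating account, one compliant account."""
    return [
        make_account("svc-backup", "changeme", date(2021, 6, 1)),    # default and expired
        make_account("alice", "Xq7!mPz2#Lw9vT", date(2022, 1, 15)),  # compliant
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    for name, issues in audit_accounts(accounts, AUDIT_DATE).items():
        print(f"{name}: {'; '.join(issues)}")
    print("reuse check:", validate_new_password("Xq7!mPz2#Lw9vT", accounts[1]))
```

Running the block prints the svc-backup findings (245 days old, default credential) and the reuse violation for alice's current password. The scan reports findings rather than changing anything, which matches the policy's requirement that security staff review how an insecure password came to be before it is updated.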

What challenges come with implementing a security policy?

There are several challenges that come with designing and implementing security policies in any organization. First you will need to accurately determine the inevitable trade-offs that come with your security policy. Sometimes the cost in user productivity is not worth the benefit of implementing a security policy, and accurately reviewing your environment and weighing those costs and benefits is key to implementing good policies. Once you have settled on a policy whose trade-offs are net positive, you will need both management and user buy-in.

Management should be sold on the financial reasoning for implementing the policy. Emphasize the cost of the security incidents whose risk this policy is intended to reduce. Management must help shift the security culture in your environment, and with their support you will have the momentum necessary to make company-wide shifts toward greater security.

End users should be informed of the reasoning behind the policies, and when selling a policy to them the emphasis should be on how it benefits them, for example through added protection or improved productivity. Sometimes it is inevitable that a security policy negatively impacts users. In that case it is important to emphasize the need for the policy and to have management buy-in to help shift the culture around complying with it.

If your organization would like assistance in determining what security policies make sense for you, contact us today for a free consultation.

Michael Wetherald
Security Engineer and Co-Founder

Michael is the inventor of a patent pending web proxy technology and brings to Viam his expertise in web and Linux security. Outside of work he enjoys carpentry, having built a dog mansion for his spoiled dog.


© 2023 Viam Technologies