What is an IT security policy?
An IT security policy should mandate a foundation of information and IT security throughout the organization, to the network edge, and with partners and vendors. The policy will guide employee behavior by laying out the rules from management to promote the company’s IT security culture and state specific expectations for using and protecting IT assets and data.
Two roles of an IT security policy
An IT security policy has two main roles. First, an IT security policy applies security to the needs of the business. The policy should support the business goals of the company’s executives.
The second role of an IT security policy is to guide employees in helping the business be secure. When end-users understand and are accountable for following the company’s security policy, they can play an important role in preventing security breaches, data loss and downtime.
IT security policies are strengthened by a security-first culture
A culture that puts security first must be infused throughout the organization, not treated as an add-on document. Building an IT security policy and security culture start from the top with business goals, industry and government regulations, and security risks specific to your organization.
The CIA triad (also known as the AIC triad) can help guide your IT security policies but will require the addition of a rigorous IT security program that promotes defense-in- depth and technology-based controls. The three components of the triad are:
- Confidentiality: Limit information access and disclosure to authorized users.
- Integrity: Monitor data sources and ensure only appropriate changes to the data are allowed.
- Availability: Ensure security measures do not hinder authorized access to information.
For IT security controls, I recommend the NIST Special Publication 800 series, which provides specific guidance for computer security. NIST 800 provides guidelines, recommendations and technical specifications for information system security to support the security and privacy needs of the U.S. government. You can also use this security publication as a source of valuable best practices for your IT security.
Create an IT security policy with mandates
An IT security policy can help your employees contribute to IT security in many ways every day. Basically, an IT security policy is a series of mandates, as in “Thou shalt” do this or thou shalt not do that. If it’s not a mandate, it doesn’t belong in your IT security policy.
Keep in mind that your IT security policy and procedures must be both understandable and enforceable. Be brief. Provide clear expectations. Be sure they can and will be enforced – ideally through IT security controls and monitoring technology.
Consider your business and the security threats it faces when laying out the contents of your IT security policy. The following are components that may apply to your business and its IT security policy. Some of these areas, such as patch management, may delegated to sub-policies managed at a sub-organizational level:
- Types of critical data, access control and data encryption
- Use of third-party cloud storage
- Data retention, backups and disaster recovery
- Building access and other physical IT security
- Workstation and device security, and data encryption
- Acceptable use policy
- Remote work and use of mobile devices
- Security incident reporting including breaches and lost/stolen devices
- Authorized software
- Change management, including software updates
- Password security
- Email use, malicious links and attachments
- Threat management, such as virus protection and intrusion detection
- Exception handling
- Consequences of non-compliance and penalties for violations
- Audit and third-party review requirements
- Employee training requirements
- Communication plan to engage staff to achieve awareness and adherence to the IT security policy.
InfoSec provides helpful information in its Key Elements of an Information Security Policy.
7 best practices to implement your IT security policy
An IT security policy can’t stop with a paper-based plan. It must be enforceable, preferably with technology-based controls. I recommend these seven actions to ensure your IT security policy is fully implemented and enforceable.
1. Push security to the edge - You don’t want the enemy at your front door. A defense-in-depth model starts with monitoring and mitigating threats at the edge of your network. I have found that AI and machine learning can help teach employees about what may or may not be a security incident in a way that is clearer than paper-based training. In addition, correlation and regression testing can identify activity and incidents that a security professional might miss.
2 . Put controls in place - Prevent employees from violating your IT security policy by never allowing access to critical data, if the employee doesn’t need access to that data to do their job.
3. Rule through technology - Ensure security by design across your entire infrastructure using technology that it is not adjusted by employees.
4. Inspect what you expect - Monitor data access such that if critical data is accidentally or maliciously accessed, you log and alert on the event and have a record of the IP address that tried to access the data.
5. Hire a third-party to audit your IT security implementation - Bring in third-party experts to ensure your organization’s compliance with relevant mandates such SOC 1, PCI DSS, HIPAA, HITRUST, NIST 800-53, NERC, and GDPR.
6. Monitor industry trends - Keep an eye on where the industry is moving and what changes your organization needs to make to respond to customer requirements and changing standards for compliance. For example, HIPAA is getting replaced by HI-TRUST, which requires a more granular level of IT security testing.
7. Promote continuous improvement - Actively seek to find security flaws in your organization and to close them. This continuous-improvement work will help make your organization’s IT security smarter and better. Make your IT security policy a living document and update the policy and employee training at least every year.
TierPoint helps our clients meet their security mandates
As a leading data center provider, TierPoint often assists our clients in documenting compliance for their governance, audits and security controls, so they can successfully pass their audits. The success of our business is predicated on never wavering from our IT security foundations, including TierPoint’s own IT security policy. Learn more about our Security & Compliance products.