How to Create a Good Security Policy

Michael Buckbee
2 min read
Published May 6, 2015
Last updated June 2, 2023

CIOs have taken note of the nightmarish scenarios data breaches can bring – remember Sony and Target? To combat this ticking time bomb, they’ve beefed up their security budgets. The Computer Emergency Response Team (CERT) at Carnegie-Mellon University also recommends creating a security policy which you can refer to if your systems are compromised.

Why You Need a Security Policy

A security policy contains pre-approved organizational procedures that tell you exactly what you need to do in order to prevent security problems and next steps if you are ever faced with a data breach. Security problems can include:

  • Confidentiality – people obtaining or disclosing information inappropriately
  • Data Integrity – information being altered or erroneously validated, whether deliberate or accidental
  • Availability – information not being available when it is required or being available to more users than is appropriate

At the very least, having a security policy will ensure everyone in the IT department is on the same page on security processes and procedures.

What a Good Security Policy Looks Like


You might have an idea of what your organization’s security policy should look like. But if you want to verify your work or want additional pointers, go to the SANS Information Security Policy Templates resource page. They’ve created twenty-seven security policies you can refer to and use for free.

I’ve looked through them and also scoured the internet for what a good security policy looks like – here’s what all good policies have:

  • Purpose: Clear goals and expectations of the policy.
  • Policy Compliance: Federal and State regulations might drive some requirements of a security policy, so it’s critical to list them.
  • Last Tested Date: Policies need to be a living document and frequently tested and challenged.
  • Policy Last Updated Date: Security policy documents need to be updated to adapt to changes in the organization, outside threats, and technology.
  • Contact: Information security policies are supposed to be read, understood and followed by all individuals within an organization and so if there are questions, there needs to be an owner.

Questions to Ask When Creating Your Security Policy

When you’re creating a security policy, it helps to ask questions because in answering them, you’ll learn what’s important to your organization and the resources you’ll need to create and maintain your security policy and implement zero trust. Here are a few questions to get you started:

  • Who will you need buy-in from?
  • Who will be the owner of this security policy?
  • Who is my audience for this policy?
  • What regulations apply to your industry (for instance GLBA, HIPAA, Sarbanes-Oxley, etc.)?
  • Who needs access to your organization’s data?
  • Who owns the data you manage? Your organization? Your customers?
  • How many requests are received per week to provide access to data?
  • How are these requests fulfilled?
  • How and when is access reviewed?
  • How can you ensure that no container will be open to a global access group (Everyone, Domain Users, Authenticated Users, etc.) without explicit authorization from the data owner(s) and appropriate management?
  • How will all access provisioning activity be recorded and available to audit?
  • If data has not been accessed for 18 months, how will it be identified and restricted so that only the data owner(s) have access until an access request by another individual is made?
  • How will you align your security policy to the business objectives of the organization?
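Two of the questions above (global access groups without owner authorization, and data untouched for 18 months) can be turned into repeatable checks. The following Python is an added illustration, not code from the original post or from Varonis; the share inventory, owner names, and the authorization register are constructed sample data.

```python
from datetime import date

# Global access groups named in the policy questions; any ACL entry granting
# one of these to a container must be backed by an explicit owner authorization.
GLOBAL_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}
STALE_MONTHS = 18  # the policy's threshold for identifying unused data


def months_between(older, newer):
    """Whole calendar months from `older` to `newer`."""
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def global_access_findings(containers, authorizations):
    """Containers open to a global group with no recorded (path, group)
    authorization from the data owner and management."""
    findings = []
    for c in containers:
        for principal in sorted(c["acl"]):
            if principal in GLOBAL_GROUPS and (c["path"], principal) not in authorizations:
                findings.append((c["path"], principal))
    return findings


def stale_data_findings(containers, today):
    """Containers not accessed for STALE_MONTHS or more, with their owner, so
    access can be restricted to the owner until a new access request is made."""
    return [
        (c["path"], c["owner"])
        for c in containers
        if months_between(c["last_access"], today) >= STALE_MONTHS
    ]


# Constructed sample inventory (hypothetical shares, owners and ACLs).
SAMPLE_CONTAINERS = [
    {"path": r"\\fs01\Finance", "owner": "cfo", "acl": {"Finance-RW", "Domain Users"},
     "last_access": date(2024, 1, 15)},
    {"path": r"\\fs01\Public", "owner": "it-ops", "acl": {"Everyone"},
     "last_access": date(2024, 2, 1)},
    {"path": r"\\fs01\Archive2019", "owner": "legal", "acl": {"Legal-RO"},
     "last_access": date(2021, 6, 30)},
]
# Register of explicitly authorized global-group grants (constructed).
SAMPLE_AUTHORIZATIONS = {(r"\\fs01\Public", "Everyone")}

if __name__ == "__main__":
    print(global_access_findings(SAMPLE_CONTAINERS, SAMPLE_AUTHORIZATIONS))
    print(stale_data_findings(SAMPLE_CONTAINERS, date(2024, 3, 1)))
```

Running this against a real inventory would mean feeding it ACL and last-access data exported from the file servers; the authorization register is what makes the "explicit authorization" part of the policy auditable.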

Final Words of Advice

Security policies work best when they are succinct and to the point. Policies should also support and be driven by business needs. With regular maintenance, your organization’s security policy will help protect the organization’s assets.

