Raise your hand if the question, “What are we doing to make sure we are not the next ransomware victim?” is all too familiar. If you’re a CISO, CIO, or IT director you’ve probably been asked that a lot lately by senior management. While it might be tempting to try out the latest one-trick-pony technical solution, truly protecting your organization and its data requires a broad, comprehensive approach. And there’s no better foundation for building a culture of protection than a good information security policy.
In this article, we’ll explore what a security policy is, discover why it’s vital to implement, and look at some best practices for establishing an effective security policy in your organization.
- What is a security policy?
- Four reasons a security policy is important
- Three types of security policies
- Seven elements of an effective security policy
- Ten questions to ask when building your security policy
- Security policy examples
- Security policy templates and more
- Security policy FAQ
- Final thoughts
Get a Free Data Risk Assessment
What is a security policy?
A security policy (also called an information security policy or IT security policy) is a document that spells out the rules, expectations, and overall approach that an organization uses to maintain the confidentiality, integrity, and availability of its data. Security policies exist at many different levels, from high-level constructs that describe an enterprise’s general security goals and principles to documents addressing specific issues, such as remote access or Wi-Fi use.
A security policy is frequently used in conjunction with other types of documentation such as standard operating procedures. These documents work together to help the company achieve its security goals. The policy defines the overall strategy and security stance, with the other documents helping build structure around that practice. You can think of a security policy as answering the “what” and “why,” while procedures, standards, and guidelines answer the “how.”
Four reasons a security policy is important
Security policies may seem like just another layer of bureaucracy, but in truth, they are a vitally important component in any information security program. Some of the benefits of a well-designed and implemented security policy include:
1. Guides the implementation of technical controls
A security policy doesn’t provide specific low-level technical guidance, but it does spell out the intentions and expectations of senior management in regard to security. It’s then up to the security or IT teams to translate these intentions into specific technical actions.
For example, a policy might state that only authorized users should be granted access to proprietary company information. The specific authentication systems and access control rules used to implement this policy can change over time, but the general intent remains the same. Without a place to start from, the security or IT teams can only guess senior management’s desires. This can lead to inconsistent application of security controls across different groups and business entities.
2. Sets clear expectations
Without a security policy, each employee or user will be left to his or her own judgment in deciding what’s appropriate and what’s not. This can lead to disaster when different employees apply different standards.
Is it appropriate to use a company device for personal use? Can a manager share passwords with their direct reports for the sake of convenience? What about installing unapproved software? Without clear policies, different employees might answer these questions in different ways. A security policy should also clearly spell out how compliance is monitored and enforced.
3. Helps meet regulatory and compliance requirements
Documented security policies are a requirement of legislation like HIPAA and Sarbanes-Oxley, as well as regulations and standards like PCI-DSS, ISO 27001, and SOC2. Even when not explicitly required, a security policy is often a practical necessity in crafting a strategy to meet increasingly stringent security and data privacy requirements.
4. Improves organizational efficiency and helps meet business objectives
A good security policy can enhance an organization’s efficiency. Its policies get everyone on the same page, avoid duplication of effort, and provide consistency in monitoring and enforcing compliance. Security policies should also provide clear guidance for when policy exceptions are granted, and by whom.
To achieve these benefits, in addition to being implemented and followed, the policy will also need to be aligned with the business goals and culture of the organization.
Three types of security policies
Security policies can vary in scope, applicability, and complexity, according to the needs of different organizations. While there’s no universal model for security policies, the National Institutes of Standards and Technology (NIST) spells out three distinct types in Special Publication (SP) 800-12:
1. Program policy
Program policies are strategic, high-level blueprints that guide an organization’s information security program. They spell out the purpose and scope of the program, as well as define roles and responsibilities and compliance mechanisms. Also known as master or organizational policies, these documents are crafted with high levels of input from senior management and are typically technology agnostic. They are the least frequently updated type of policy, as they should be written at a high enough level to remain relevant even through technical and organizational changes.
2. Issue-specific policy
Issue-specific policies build upon the generic security policy and provide more concrete guidance on certain issues relevant to an organization’s workforce. Common examples could include a network security policy, bring-your-own-device (BYOD) policy, social media policy, or remote work policy. These may address specific technology areas but are usually more generic. A remote access policy might state that offsite access is only possible through a company-approved and supported VPN, but that policy probably won’t name a specific VPN client. This way, the company can change vendors without major updates.
3. System-specific policy
A system-specific policy is the most granular type of IT security policy, focusing on a particular type of system, such as a firewall or web server, or even an individual computer. In contrast to the issue-specific policies, system-specific policies may be most relevant to the technical personnel that maintains them. NIST states that system-specific policies should consist of both a security objective and operational rules. IT and security teams are heavily involved in the creation, implementation, and enforcement of system-specific policies but the key decisions and rules are still made by senior management.
Seven elements of an effective security policy
Security policies are an essential component of an information security program, and need to be properly crafted, implemented, and enforced. An effective security policy should contain the following elements:
1. Clear purpose and objectives
This is especially important for program policies. Remember that many employees have little knowledge of security threats, and may view any type of security control as a burden. A clear mission statement or purpose spelled out at the top level of a security policy should help the entire organization understand the importance of information security.
2. Scope and applicability
Every security policy, regardless of type, should include a scope or statement of applicability that clearly states to who the policy applies. This can be based around the geographic region, business unit, job role, or any other organizational concept so long as it's properly defined.
3. Commitment from senior management
Security policies are meant to communicate intent from senior management, ideally at the C-suite or board level. Without buy-in from this level of leadership, any security program is likely to fail. To succeed, your policies need to be communicated to employees, updated regularly, and enforced consistently. A lack of management support makes all of this difficult if not impossible.
4. Realistic and enforceable policies
While it might be tempting to base your security policy on a model of perfection, you must remember that your employees live in the real world. An overly burdensome policy isn’t likely to be widely adopted. Likewise, a policy with no mechanism for enforcement could easily be ignored by a significant number of employees.
5. Clear definitions of important terms
Remember that the audience for a security policy is often non-technical. Concise and jargon-free language is important, and any technical terms in the document should be clearly defined.
6. Tailored to the organization’s risk appetite
Risk can never be completely eliminated, but it’s up to each organization’s management to decide what level of risk is acceptable. A security policy must take this risk appetite into account, as it will affect the types of topics covered.
7. Up-to-date information
Security policy updates are crucial to maintaining effectiveness. While the program or master policy may not need to change frequently, it should still be reviewed on a regular basis. Issue-specific policies will need to be updated more often as technology, workforce trends, and other factors change. You may find new policies are also needed over time: BYOD and remote access policies are great examples of policies that have become ubiquitous only over the last decade or so.
Ten questions to ask when building your security policy
For a security policy to succeed in helping build a true culture of security, it needs to be relevant and realistic, with language that’s both comprehensive and concise. If that sounds like a difficult balancing act, that’s because it is. While there are plenty of templates and real-world examples to help you get started, each security policy must be finely tuned to the specific needs of the organization.
Whether you’re starting from scratch or building from an existing template, the following questions can help you get in the right mindset:
- How will you align your security policy to the business objectives of the organization?
- Who will I need buy-in from? Is senior management committed?
- Who is the audience for this policy
- What is the policy scope?
- How will compliance with the policy be monitored and enforced?
- What regulations apply to your industry? For instance GLBA, HIPAA, Sarbanes-Oxley, etc.
- What is the organization’s risk appetite?
- What kind of existing rules, norms, or protocols (both formal and informal) are already present in the organization?
- How often should the policy be reviewed and updated?
- How will policy exceptions be handled?
Security policy examples
A large and complex enterprise might have dozens of different IT security policies covering different areas. The policies you choose to implement will depend on the technologies in use, as well as the company culture and risk appetite. That said, the following represent some of the most common policies:
- Program or organizational policy: This high-level security blueprint is a must for all organizations, and spells out the goals and objectives of an information security program. The program policy also specifies roles and responsibilities, compliance monitoring and enforcement, and alignment with other organizational policies and principles.
- Acceptable use policy: This is an issue-specific policy that defines the acceptable conditions under which an employee can access and use the company’s information resources.
- Remote access policy: This issue-specific policy spells out how and when employees can remotely access company resources.
- Data security policy: Data security can be addressed in the program policy, but it may also be helpful to have a dedicated policy describing data classification, ownership, and encryption principles for the organization.
- Firewall policy: One of the most common system-specific policies, a firewall policy describes the types of traffic that an organization’s firewall(s) should allow or deny. Note that even at this level, the policy still describes only the “what”; a document describing how to configure a firewall to block certain types of traffic is a procedure, not a policy.
Security policy templates and more
As we’ve discussed, an effective security policy needs to be tailored to your organization, but that doesn’t mean you have to start from scratch. Security policy templates are a great place to start from, whether drafting a program policy or an issue-specific policy. Here’s a quick list of completely free templates you can draw from:
- SANS Institute security policy templates: The highly respected SANS Institute has a collection of mostly issue-specific security policies that have been created through a consensus between some of the most experienced subject matter experts out there. These templated policies are completely free to use, but remember to customize them to your organization.
- PurpleSec security policy templates: Security consulting firm PurpleSec also provides free to use security templates as a community resource. You’ll find password policies, email security policies, network security policies and more on their website.
- HealthIT.gov security policy template: This template from the National Learning Consortium and The Office of the National Coordinator for Health Information Technology focuses on topics relevant to the healthcare industry, particularly electronic medical records.
Several online vendors also sell security policy templates that are more suitable for meeting regulatory or compliance requirements like those spelled out in ISO 27001. Keep in mind though that using a template marketed in this fashion does not guarantee compliance.
You can also draw inspiration from many real-world security policies that are publicly available. However, simply copying and pasting someone else’s policy is neither ethical nor secure.
- UC Berkeley security policy: The published security policies from this well-known university are both comprehensive and easy to read, proving that an impressive security policy can be both.
- City of Chicago security policy: America’s third-largest city also maintains an easily digestible index of security policies for its staff, contractors, and vendors.
- Oracle security policy: This lengthy security policy from technology giant Oracle provides an unusual look at a major corporate security policy, which is often not distributed externally.
Security policy FAQs
Q: What is the main purpose of a security policy?
A: A security policy serves to communicate the intent of senior management with regards to information security and security awareness. It contains high-level principles, goals, and objectives that guide security strategy.
Q: What are major security policies?
A: Three types of security policies in common use are program policies, issue-specific policies, and system-specific policies. Program policies are the highest-level and generally set the tone of the entire information security program. Issue-specific policies deal with a specific issues like email privacy. System-specific policies cover specific or individual computer systems like firewalls and web servers.
Q: Do I need to have a security policy?
A: Many pieces of legislation, along with regulatory and security standards, require security policies either explicitly or as a matter of practicality. Having at least an organizational security policy is considered a best practice for organizations of all sizes and types.
Q: How do I create a security policy?
A: There are many resources available to help you start. NIST’s An Introduction to Information Security (SP 800-12) provides a great deal of background and practical tips on policies and program management. The SANS Institute maintains a large number of security policy templates developed by subject matter experts.
A security policy is an indispensable tool for any information security program, but it can’t live in a vacuum. To provide comprehensive threat protection and remove vulnerabilities, pass security audits with ease, and ensure a quick bounceback from security incidents that do occur, it’s important to use both administrative and technical controls together. The Varonis Data Security Platform can be a perfect complement as you craft, implement, and fine-tune your security policies. Contact us for a one-on-one demo today.
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Robert is an IT and cyber security consultant based in Southern California. He enjoys learning about the latest threats to computer security.