As a security consultancy company, we advise every year many organization’s on their information security policy. In this blog, we provide you with some tips and show you common mistakes organizations make in their Information security policy.
Common Information Security Policy Mistakes
1. Not having a policy at all
This mistake can range from not having any policy at all to only having one that is informally discussed by management but is not written down or distributed to anyone. Make sure a complete information security policy is available and accessible to all employees.
2. Not updating the security policy
Assuming you don’t fall victim to mistake number one, you will become aware of a crucial security point: simply having a nicely written policy is not enough for improved security. Companies that do not regularly review and update their security policy with changes in the environmental risk having holes in their threat posture.
Inevitably, there will be changes made to the company network as well as business processes; the security risks and compliance requirements will also change. It makes sense that, as both threats and corporate landscapes evolve, so must the security policy.
3. Not tracking compliance with the security policy
A security policy becomes practically and sometimes even legally useless if a company does not track whether the policy is followed or even whether or not employees are aware of its stipulations. First, to be able to enforce the policy, a company must make sure that the policy is disseminated to all employees and that regular awareness training is conducted, especially when the policy is updated. Further, to ensure the usefulness of the policy, ongoing activity monitoring is essential.
4. Having a “tech only” policy
Another common slip-up involves the focus of the policy. A policy that only covers technological security (e.g. password complexity, firewall rules, IPS alerting, anti-virus updates, etc.) and forgets the discussion of people and their activities leaves the company vulnerable to “softer” threats: insider privilege abuse, personal use of computing resources, etc. While it is important to describe the technical safeguards and to make sure that they are driven by the security policy and not deployed in an ad hoc fashion, the policy must cover all three of the “people, process, technology” triad
5. Having a policy that is large and unwieldy
Put simply, a security policy has to be written in such a way that it is understandable to those who are required to follow it. If a policy occupies 130 pages, most employees will not even try to understand what it describes. Similarly, policies that are written too strictly and ban what most employees do on a daily basis to fulfil their job duties, will likely drive employees to massive non-compliance. An education effort will be needed even before the policy is put in place.
Thus, creating a clear and understandable policy from the very beginning and following our advice above will contribute a lot to future policy compliance levels.
For more information about an Information Security Policy for your organization, feel free to contact us.