Before we talk about the necessity of an Information Security Policy, let me introduce myself: my name is Antara Mane, and I have been working as an InfoSec Analyst/Auditor for the past 2+ years.
You might be wondering, “Why is there an obligation to understand Information Security, and what exactly is an InfoSec Policy?”
Whether or not this question has arisen in your mind, I will discuss everything you need to know about InfoSec Policy; when I say InfoSec, I mean “Information Security”. Let’s begin.
Information Security → protects information, and the systems on which that information is stored, from the bad guys: unauthorized users who might gain unauthorized access to use, modify or disrupt any sensitive information of the organization. That sounds unpleasant, right? For example, you obviously would not want your personal WhatsApp chat to be exposed to an outsider (a hacker); likewise, organizations do not want their private information exposed to the outside world, so to avoid this we need to build preventive measures.
Information Security Objective — CIA: Confidentiality, Integrity, Availability
If you have been in the Information Security profession for a while, you might know that Information Security is threefold. Nonetheless, for those who are new to this security domain, Information Security involves three crucial components: Confidentiality, Integrity and Availability.
Confidentiality: to prevent unauthorized access to information
Integrity: to prevent any unauthorized alteration of data
Availability: to make sure authorized users have reliable and timely access to the information
Why build an Information Security Policy?
Many IT organizations opt to have an Information Security Policy because “ISO 27001 says so” or “it is required at audit time”. Yes, this is correct, but it is not the primary purpose of building the policy.
An Information Security Policy (or a set of policies) is intended to lessen the risks associated with information. The policy will contain high-level statements intended to develop and meet the organization’s strategic aspirations. The security policy on its own is not enough to avoid or mitigate cyber risk; employees play a very important role in safeguarding the security of the organization. All the non-IT people who are part of the organization should understand the importance of protecting the organization’s data and assets, and the reasons why the security standards are developed.
Security measures are a set of restrictions, written into a policy, governing the technologies and procedures used to maintain and manage compliance and to accomplish the organization’s aims and aspirations.
As discussed above, it is very important for all the non-IT people to understand the security aspects and respond accordingly. It is also important to spread awareness of social engineering, the clean desk policy and the acceptable internet usage policy, to conduct training sessions for your employees, and to discuss all the security procedures and mechanisms created as part of the InfoSec Policy.
The types of Information Security are as follows:
- Application Security
- Infrastructure Security
- Cloud Security
- Incident response
- Vulnerability management
- Disaster management and recovery
We will not dive deep into the topics mentioned above, as our goal is to understand the need for an InfoSec Policy. But if you are willing to understand and learn these topics, we will discuss them in my next blog.
Let’s quickly take a look at the common Information Security risks in the real world.
Common Information Security Risks
- Social Engineering attacks
- Distributed Denial of Service (DDoS)
- Man-in-the-Middle (MitM)
- Ransomware attacks
- Advanced Persistent Threats (APTs)
Are you interested in knowing the best practices for creating an Information Security Policy? Yes? Let’s discuss.
Best Practices to follow while creating the Information Security Policy
For creating a security policy, I would suggest writing it specifically according to the organization’s key aspirations and risks, addressing the organization’s weaknesses if any, and appending the corresponding fixes.
While drafting the security policy, the language in which it is written should be understandable, and it should cover all security incident and response plans.
Keep the following points in mind while documenting the InfoSec policy:
- Acceptable use guidelines for end users
- Vendor management
- Guidelines on password requirements
- Allowance for personal and mobile devices
- Physical Security
- Data Classification & Retention
- Awareness training for all users
- Data Security and Privacy regulations
- Standard measures for wireless networking
- Identity & access management