Building Information Security Policies With Ease
Why do we need security policies?
At NSF we like to think of security policies and a security framework the same way we think of preventative care for our health. A security framework is essential to ensuring an organization has the policies and procedures in place before an incident or cyber-attack occurs, so that it knows how to respond when one does.
Key components of a security policy
The exact components of a policy vary with the policy type, its complexity, and its specific focus. Typically, though, they include a purpose (why the policy has been developed and who it applies to), a scope (where and how the policy will be applied), a policy statement, and roles and responsibilities (who will be responsible for implementing and overseeing the policy).
The policy should also include definitions, procedures, exceptions, compliance measures, review and revision history, reference to any related documents, and the approval date.
Achieving a robust security policy
Perform a risk assessment
Identify potential threats and vulnerabilities in your organization.
Conduct a gap analysis
Review what information security measures you currently have in place and pinpoint areas that could be strengthened. For example, you could identify a risk of unauthorized people gaining access to your building. To treat that risk, you might implement a policy requiring employee badges for access to your organization’s building, together with a visitor sign-in process.
Define clear objectives and scope of the policy
Develop and document the policy
Engage your key stakeholders, structure the policy to include key components, and write in clear and simple language.
Creating a security-aware culture
Most of us understand that having a strong, secure password is essential. Yet 80% of breaches today are attributed to poor passwords [1], and a cyber-attack occurs every 39 seconds [2].
Haley reminds us, “Employees are your first line of defense. Creating a security-aware culture and deploying effective training for your employees helps prepare your organization for the steps it needs to take in the event of a cyber-attack.”
When sharing policies and training your employees, here are some suggestions from our expert team to help engagement and retention.
- Explain the ‘why’ - set out why the security policy is so important, and the crucial role employees play in upholding it.
- Provide training that includes simulations or real-life scenarios - keep employees engaged; make it relatable, fun and relevant. Remember that security training doesn’t have to be highly technical. It can be as simple as how to choose a strong password.
- Share easily digestible materials.
- Regularly provide updates and refreshers.
- Encourage feedback and questions.
NSF has recently launched an internal phishing contest for its employees to keep security top of mind. The challenge is to report the most phishing emails, and the winner gets a prize. This is just one example of how we are fostering a security-aware culture within our own teams.
Key takeaways
Haley and Megan Turner, Audit Manager at NSF, leave us with these key takeaways on security policies:
- Security policies are fundamental for all organizations, big and small, for risk management, compliance, and fostering trust with your stakeholders and customers.
- Customize policies to meet your organization’s needs and review them regularly.
- Training is paramount. Ensure your team understands and adheres to the policies.
Haley concludes, “We want to think about information security just like we think about preventative care”.
Please note that any suggestions made in this article do not constitute consulting and following any of these suggestions is not linked in any way to the granting of certification.
Sources
[1] www.securityescape.com/cybersecurity-spending-statistics/
[2] www.securityescape.com/password-reuse-statistics/
How NSF Can Help You
Get in touch to find out how we can help you and your business thrive.