Security Policy Examples
One should consider that securing an organisation and its information assets is not just about picking and choosing technical security controls. We have met many so-called information security professionals who can talk about nothing else but security gadgets and gizmos. However, technical security controls such as firewalls and IDPs are only as good as the way they are managed and configured. Left to their own devices they soon become weakened and ineffective. Security assessments of organisations with state-of-the-art technical information security controls but ineffective or totally absent information security policies usually result in a $20,000 firewall allowing traffic from unknown sources, or expensive log management and alerting software with no one monitoring it or answering its ever-repeating alerts. Organisations buying these expensive technical security controls do so in the hope that they will meet the control requirements of a compliance regulation, or on the advice of information security vendors to meet certain control objectives.
It is advisable to be very careful, as many information security tools are overpriced and too complex to be managed economically in the long term. This over-complexity weakens the security posture of the organisation and risks a false sense of security. Technical controls are very important, but they must be managed and configured to enforce the overall corporate risk management strategy, information security policy and information security standards that govern them.
All technical controls must be effective, controlled and understood at all times. Introducing whizz-bang gadgets and complex technical security software outside of your corporate risk management strategy increases the risk of a weakened security posture.
Risk management ensures that effective controls are placed where needed, in areas that warrant such an investment. An information security policy will ensure that the correct safeguards are thought about and put in place pervasively throughout the organisation, not leaving certain sections of the business wide open to an attacker. Information security standards will ensure that each technical area is configured to a predefined specification based on risk and threat levels.
We have been asked many times how we know what needs to be assessed and which controls need to be in place to ensure that an organisation has a good defence-in-depth strategy. The answer is simply to use a widely recognised and accepted industry standard for information security management.
As consultants, if we just went into an organisation and made things up as we went along, it would be very hard to defend our decisions and the controls we recommended putting in place. However, by using a widely recognised information security management standard, our decisions and recommended controls can be very easily explained to and defended before our customers.
Security Bastion's information security policy examples are based on ISO 27002, which is today's industry best practice for information security management. Our Policy service offering provides an organisation with everything it needs to implement an effective information security management system throughout the organisation, from the policies right down to the individual standards that manage technical controls across it.
A good reference can be found here