2018 Top 25 List
2018 Top 25 List of Information Security Policies and Procedures Every Business Needs
Information security policies and procedures are without question one of the most important, and most discussed, topics facing businesses today, due in large part to the need to document and ensure the safety and security of critical systems, but also because of the ever-growing number of data and cyber security breaches, threats, and attacks. Society has changed tremendously in recent years, with information security a large part of that transformation. From increased regulatory compliance mandates to attacks on the nation’s critical “grid” infrastructure, the topic of information security is alive and well, for better or worse. Yet with all the fear of cyber-attacks and other malicious exploits, companies often seem paralyzed when it comes to putting in place the basic, core best practices for ensuring the confidentiality, integrity, and availability (CIA) of critical information systems.
One of the most basic tenets of sound I.T. practice is having information security policies and procedures, a topic many companies simply loathe, and understandably so. After all, the process of developing, authoring, refining and completing such documentation is arduous, mundane, and at times highly taxing. Still, the material is an essential “must have” for information security, as employees and other related parties need clear guidance on the use of one’s I.T. systems.
Regulatory Compliance – The Driving Force for InfoSec Policies and Procedures
Additionally, let’s not forget one of the biggest driving forces behind information security policies and procedures: the ever-growing list of regulatory compliance laws, legislation, and industry-specific mandates. From Sarbanes-Oxley to the AICPA reporting framework (SOC 1 and SOC 2 reports, both now performed under SSAE 18, which superseded the older AT 101 standard), HIPAA, FISMA, and PCI DSS, and that’s just the tip of the iceberg, information security policies and procedures are a must-have for compliance. From essential network security policy documentation to change control and numerous other mandates, the call for well-documented, comprehensive information security policies and procedures has never been greater, and it’s only going to continue to grow in scope and complexity. It’s why organizations need to finally, once and for all, get serious about obtaining, developing, and putting in place comprehensive information security policies and procedures, now.
Different Framework. Different Information Security Policies?
And while there are a number of organizations and standards advocating such initiatives, such as the Twenty Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines, or CAG), all entities would greatly benefit from more detailed guidance, at least from a policy and procedure perspective. Let’s not forget the never-ending list of information security benchmarks, standards, frameworks, and best practices; their work is appreciated, but the sheer number of them often leaves organizations confused about which I.T. policies and procedures should be in place.
The solution is a cohesive set of high-quality information security policies covering the roughly twenty-five (25) must-have documents for effective I.T. security and management, complete with provisions and supporting procedures drawn from the world’s leading frameworks and best practices. The top twenty-five (25) information security policies and supporting procedures listed below constitute the core documents every organization should have in place to help build and maintain a stronger, more resilient I.T. posture.
FLANK's List of the Top 25 Information Security Policies and Supporting Procedures
1. Asset Inventory
While not a policy document as such, asset inventory is a process and procedure for ensuring all information systems are inventoried comprehensively, using a broad range of identifiers and other elements to capture the “who, what, when, where, and why” of any particular system. Organizations need formalized processes for recording such information, which can range from a detailed spreadsheet (quite common and very effective) to dedicated asset inventory software. Information security starts with knowing what all your systems are and where they’re located, so asset inventory is extremely critical. Remember, you can’t protect what you don’t know you have!
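The practical check behind “you can’t protect what you don’t know you have” is reconciling the declared inventory against what is actually answering on the network. The following is an added example written for this page, not code from the original article or from FLANK: it loads a spreadsheet-style inventory export and compares it with a set of discovered hosts, reporting hosts that are live but unrecorded, hosts that are recorded but did not answer, and records whose owner or purpose no longer matches reality. The hostnames, addresses and discovery results are constructed sample data; a real run would read the CMDB export and a scanner export in their place.

```python
"""Reconcile a declared asset inventory against hosts discovered on the network.

Added example for this page; not part of the original article. All rows and
discovery results below are constructed sample data.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample: what the spreadsheet / CMDB export says the organization owns.
INVENTORY_CSV = """\
hostname,ip,owner,purpose,location
db01,10.0.1.10,dba-team,customer database,dc-east
web01,10.0.2.20,web-team,public web server,dc-east
web02,10.0.2.21,web-team,public web server,dc-east
backup01,10.0.4.40,infra-team,backup server,dc-west
legacy-ftp,10.0.3.5,unknown,decommissioned,dc-west
"""

# Constructed sample: hosts that answered a network discovery scan (ip -> reported name).
DISCOVERED = {
    "10.0.1.10": "db01",
    "10.0.2.20": "web01",
    "10.0.2.21": "web02",
    "10.0.2.22": "web03",        # live on the network but absent from the inventory
    "10.0.3.5": "legacy-ftp",    # recorded as decommissioned yet still answering
}


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: str
    purpose: str
    location: str


def load_inventory(csv_text: str) -> dict[str, Asset]:
    """Parse the inventory export into a map keyed by IP address."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["ip"]: Asset(**row) for row in reader}


def reconcile(inventory: dict[str, Asset], discovered: dict[str, str]) -> dict[str, list[str]]:
    """Compare declared assets with discovered hosts.

    Returns three sorted lists of IP addresses:
      unknown      - discovered on the network but absent from the inventory
      missing      - in the inventory but did not answer discovery
      stale_record - live host whose record has no owner or says decommissioned
    """
    findings: dict[str, list[str]] = {"unknown": [], "missing": [], "stale_record": []}
    for ip in discovered:
        if ip not in inventory:
            findings["unknown"].append(ip)
    for ip, asset in inventory.items():
        if ip not in discovered:
            findings["missing"].append(ip)
        elif asset.owner == "unknown" or asset.purpose == "decommissioned":
            findings["stale_record"].append(ip)
    return {category: sorted(ips) for category, ips in findings.items()}


def run_report() -> dict[str, list[str]]:
    """Print one line per finding and return the findings for further processing."""
    inventory = load_inventory(INVENTORY_CSV)
    findings = reconcile(inventory, DISCOVERED)
    for category, ips in findings.items():
        for ip in ips:
            name = DISCOVERED.get(ip) or inventory[ip].hostname
            print(f"{category:12s} {ip:12s} {name}")
    return findings


if __name__ == "__main__":
    run_report()
```

Each finding maps to an inventory action: an unknown host needs an owner and a record before it gets any further access, a missing host needs confirmation that it was retired rather than silently moved, and a stale record needs either an owner assigned or the host actually taken offline.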
2. Data and Information Classification Policy
Organizations today are faced with copious amounts of data, much of it extremely confidential, while other parts are deemed public knowledge, available for all to see. It’s critically important that all organizations have a clearly defined data and information classification and security categorization policy, with supporting procedures, that includes classification levels such as the following:
- Unclassified | Public Information
- Company Confidential
- Client Confidential
- Trade Secret
- Top Secret
3. Security and Patch Management Policy
Time and time again, data breaches and security compromises occur because of a failure to secure and patch information systems throughout an enterprise. From updating laptops with anti-virus to patching critical databases, patch management is absolutely essential for ensuring the safety and security of all computing systems, hence the need for in-depth, well-documented patch management policies and procedures. Simply stated, security and patch management documents are among the most important of all information security policies and procedures.
4. Change Management | Change Control Policy
From internally developed applications to changes to enterprise-wide information systems and customer-facing environments, the need for comprehensive, formalized change control measures has never been greater. Organizations often make changes with little or no documentation at all, leaving virtually nothing in place for accountability and tracking, hence the need for a well-written change management | change control policy document.
5. Software Development Life Cycle
The exponential growth in on-demand, web-based services has also resulted in an explosion of software development activity at many I.T.-based companies. This in turn requires formalized and documented SDLC policies and procedures, whether one uses a traditional waterfall model or today’s increasingly common agile methodologies. Understanding one’s roles and responsibilities, along with the critical documentation steps, is vital for SDLC initiatives, hence its place on the list of essential information security policies and procedures every business needs to have in place.
6. Configuration Management Policy
Technically speaking, configuration management is best defined as “Implementing, establishing, maintaining, recording, and effectively monitoring secure configurations to an organization’s overall information system’s landscape, including, but not limited to the following information systems: network devices, operating systems, applications, internally developed software and systems, and other relevant hardware and software platforms.”
Simply stated, it’s about applying baseline security standards for ensuring the confidentiality, integrity, and availability (CIA) of critical information systems, and continuously monitoring and updating these systems as necessary. Comprehensive configuration initiatives demand well documented information security policies and procedures, making this yet another must-have information security policy document.
7. Vulnerability Management Policy
Identifying, detecting, classifying and prioritizing, remediating, validating, and continuously monitoring vulnerabilities in an organization’s critical information systems is an absolute must. This in turn requires well-documented vulnerability management policies and procedures covering the following core subject matter:
- IDENTIFICATION | Defining Security Posture and Policies
- DETECTION | Assessing Non-Compliance and Vulnerabilities
- CLASSIFICATION and PRIORITIZATION | Determining Risk and Urgency
- REMEDIATION and VALIDATION | Removing Vulnerabilities and Confirming Security Updates
- CONTINUOUS MONITORING | Proactively Assessing Vulnerabilities
8. Incident Response Policy
Knowing how and when to respond to security threats is essential in today’s world of ever-growing cyber security attacks and data breaches. Comprehensive incident response measures require participation and involvement from everyone within an organization - senior management all the way down to end-users of systems - along with being aware of the following core components of incident response:
- Initial Response and Containment
- Security Analysis | Recovery and Repair
- Post Incident Activities and Awareness
- Training and Testing
9. Access Control Policy
It’s critically important to have well-defined policies and procedures regarding user access to all company-wide information systems, along with essential de-provisioning measures. Too often access control is undertaken with little or no documentation: no provisioning and de-provisioning forms or checklists, inadequate approval procedures, and much more. Formalized access control policies and procedures provide much-needed guidance and direction on what’s arguably the most important question within any organization: who accesses what systems, and why!
10. Personally Identifiable Information (PII) Policy
Personally Identifiable Information (PII) has become a notable topic in information security as organizations are spending vast resources for ensuring the safety and security of such information, much of it revolving around personal consumer financial and health data. With growing cyber security threats and the ever-increasing numbers of data breaches and security compromises, protecting PII is now more important than ever. What's needed for ensuring the confidentiality, integrity, and availability (CIA) of PII are well-documented PII policies and procedures establishing highly-formalized practices for the use and disclosure of such information.
11. Server Specific Policies
Windows, UNIX, Linux – and any other specific operating systems residing on servers – require comprehensive information security policies and procedures for ensuring their proper use and overall safety. Moreover, such documentation should cover basic principles, such as provisioning and hardening, change control functions, patching, and numerous other best practices.
12. Server Specific Hardening Documents
Along with specific policies and procedures for Windows, UNIX and Linux systems, organizations also need provisioning and hardening documents for ensuring the safety and security of their information systems. After all, what good are policies and procedures if comprehensive hardening measures have not been undertaken to remove insecure services, assign proper access rights, and so on? Vendors offer a tremendous amount of information on system security hardening guidelines. While such hardening documents are not technically information security policies and procedures, they describe essential process-based activities that should be performed, which is why they make our list!
13. Fraud Policy
There are myriad fraudulent schemes and activities being perpetrated in today’s world. From identity theft to complex financial statement fraud, no person or business entity is immune to the damaging consequences of fraud. Deterring fraud requires a true commitment by all employees, clients, vendors and other related third parties. Fraud, which by its very nature encompasses a wide range of deceptive and illegal activities, can occur in any department or division within an organization, resulting in significant threats, losses, and/or damages. As such, businesses, now more than ever, need a comprehensive fraud program in place, one complete with an in-depth fraud policy document and other supporting material. It’s another must-have policy, and it’s why it’s on our list of information security policies and procedures.
14. Wireless Security Policy
While wireless protocols do provide numerous benefits, insecure platforms pose significant risks, potentially leading to security breaches that can be extremely damaging, financially and operationally. Stories abound of poorly provisioned wireless platforms being compromised by attackers, ultimately compromising the confidentiality, integrity, and availability (CIA) of an organization's overall information systems landscape. A well-written wireless policy covers essential points regarding wireless access points, access rights, continuous monitoring of the wireless environment, and much more.
15. Workstation Security Policy
Protecting your workstation is an important duty all employees should take seriously. Employees spend long hours at their workstations, so it's critical to follow these best practices:
- It's your workstation, which means only you should be using it, and primarily for business purposes.
- While most password requirements are enforced through group policy settings by I.T. personnel, it’s still important to make passwords unique, never using information such as your favorite sports team, home address, middle name, etc.
- Make sure your workstation has all the required security updates for the operating system and every other application running on it.
- Your workstation should be configured for maximum security along with performance, so do not attempt to disable or modify configuration settings of the operating system or any other application.
- Do not download or install additional software that has not been approved, whether from the Internet or from removable media, as it may contain malicious files, consume additional resources, or simply not be suitable for the work environment.
- Be careful when opening emails from unknown parties, especially attachments. If it looks suspicious, do not open it under any circumstances.
The best way to put these practices into effect is a comprehensive workstation security policy and procedures document for your organization.
16. Vendor Management
With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today’s business world. Vendor management principles have been around for many years as common due-diligence practices constituted a normal part of business for any entity relying on another for services. Proper vendor management means conducting extensive due-diligence in vendor selection, assessing current vendors with regards to minimum requirements, reviewing all necessary contractual documentation, along with numerous continuous monitoring activities and management oversight.
What has resulted in an increased focus on vendor management is the growth of information technology and the need to properly monitor an organization’s growing list of third-party providers. Using the baseline parameters developed by the banking industry, while also including provisions relating to information technology, results in a comprehensive vendor management policy and procedures that every business needs.
17. Social Media
More of an “operational” policy than an information security policy document, the purpose of a social media policy is to set forth the general guidelines, responsibilities, and acceptable use of social media forums. Accordingly, this policy should also adequately discuss and identify unacceptable uses of social media. Simply stated, the use of social media forums must be conducted with due care and professional judgment at all times for ensuring the safety and security of organizational information. Too many times we’ve seen trade secrets, product specifications, or other highly privileged or sensitive company information being sent out via the many social media channels. Just as important as having policies and procedures in place for protecting one’s network is the need for policies highlighting essential social media best practices.
18. Encryption & Key Management
Data breaches, cyber security threats, and untold numbers of other malicious threats are forcing organizations to secure sensitive and confidential data – at rest, and while in transit. The challenge for most organizations with encryption is not so much the effectiveness of it – it works very well – but the adoption and continued commitment for ensuring its use, whenever necessary. From online banking transactions to I.T. engineers establishing secure connections, encryption is a must for organizations, and an excellent place to start is a professionally developed, comprehensive, and well-defined encryption and key management policy and procedure document – and that’s why it makes our list of information security policies and procedures.
19. Anti-Virus and Anti-Malware
Malware is hostile, often intrusive software or program code that can seriously impact the confidentiality, integrity, and availability (CIA) of one’s overall information technology architecture. It’s a serious threat that continues to grow, requiring significant resources from all parties (i.e., vendors who sell anti-malware products and services, along with organizations that must constantly protect their systems) for effective malware initiatives and solutions. It’s therefore critically important to develop a comprehensive malware policy for the entire organization, one that puts in place formalized practices to help thwart viruses and other forms of malicious software. In fact, this type of document, and its processes, is often considered among the most critical of all information security policies and procedures.
20. Data Backup and Recovery
One of the most critical functions any I.T. organization can undertake is ensuring that a structured and formalized data backup policy and procedures are in place. After all, an organization without its data, or without the ability to retrieve and restore that data in a complete, accurate, and timely manner, faces serious questions about its viability as an entity. Backups are a must, especially considering today’s growing regulatory compliance mandates and the ever-increasing cyber security threats businesses face on a daily basis. Yet even without compliance mandates, a well-thought-out, efficient, and reliable backup and recovery plan is a must for ensuring the confidentiality, integrity, and availability (CIA) of critical data.
21. Firewall Policy
Firewalls are without question one of the most important security components within any organization's network topology, as they provide critical services for allowing and denying specific types of network traffic. Properly provisioned, these devices are highly effective in blocking unwanted traffic while allowing only approved protocols and ports to send and receive data. However, when provisioned incorrectly and deployed without security in mind, firewalls can contribute to critical breaches of security for an organization, ranging from data theft to the placement of malicious software (malware) onto one's network. A well-written firewall policy, with supporting procedures, is without question one of the most important information security policies and procedures any organization can have.
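The “provisioned incorrectly” case is usually visible in the ruleset itself, so a firewall policy is typically enforced by periodically reviewing the rules for a few recurring mistakes: a rule that permits any source to any service, a ruleset with no explicit default deny at the end, and rules that can never match because an earlier, broader rule already decides the traffic. The following is an added example written for this page, not code from the original article or any firewall vendor: it audits a constructed, vendor-neutral ruleset for exactly those three conditions. The rule names, addresses and ports are invented sample data; a real audit would parse the device’s own export into the same Rule shape.

```python
"""Audit a firewall ruleset for permit-any rules, missing default deny, and
shadowed rules. Added example for this page; not the original article's code.
The ruleset below is constructed sample data in a vendor-neutral form."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp", or "any"
    port: str     # destination port as a string, or "any"


DENY_ALL = Rule("default-deny", "deny", ANY, ANY, ANY, ANY)

# Constructed sample ruleset: evaluated top to bottom, first match wins.
RULES = [
    Rule("web-in",       "allow", ANY,           "10.0.2.0/24",  "tcp", "443"),
    Rule("admin-ssh",    "allow", "10.0.9.0/24", ANY,            "tcp", "22"),
    Rule("temp-vendor",  "allow", ANY,           ANY,            ANY,   ANY),    # permit-any left behind by a change
    Rule("block-telnet", "deny",  ANY,           ANY,            "tcp", "23"),   # never matches: temp-vendor wins first
    Rule("dba-to-db",    "allow", "10.0.9.0/24", "10.0.1.10/32", "tcp", "5432"),
]


def _net(cidr: str) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
    """Map 'any' to the whole IPv4 space so it can be compared like any other prefix."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == ANY else cidr, strict=False)


def is_any(cidr: str) -> bool:
    return _net(cidr).prefixlen == 0


def covers(broad: Rule, narrow: Rule) -> bool:
    """True if every packet matched by `narrow` is also matched by `broad`."""
    return (
        _net(narrow.src).subnet_of(_net(broad.src))
        and _net(narrow.dst).subnet_of(_net(broad.dst))
        and broad.proto in (ANY, narrow.proto)
        and broad.port in (ANY, narrow.port)
    )


def audit(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule name, finding) pairs; an empty list means the ruleset passed."""
    findings: list[tuple[str, str]] = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and is_any(rule.src) and rule.port == ANY:
            findings.append((rule.name, "permit-any: allows any source to any service"))
        # A rule fully covered by an earlier rule can never be reached.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, f"shadowed: never matches, fully covered by '{earlier.name}'"))
                break
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or not covers(last, DENY_ALL):
        findings.append(("<end of ruleset>", "no-default-deny: unmatched traffic is not explicitly dropped"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name:18s} {finding}")
```

Removing the leftover permit-any rule and appending an explicit deny-all clears every finding, which is the state the policy should require before a change is closed out; the shadowed-rule check is what catches a deny that someone believes is in force but is not.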
22. Database Policy
Security breaches continue to make front page headlines as thieves relentlessly pursue sensitive information, such as credit card data, Personally Identifiable Information (PII), along with financial, banking and other valuable data. By taking proactive measures to secure and harden database platforms, organizations provide the layers of security needed to mitigate, and hopefully eliminate, data breaches. What’s needed are database policies specific to the platform in use (e.g., MySQL, MS SQL Server, DB2, Oracle, etc.).
23. Web Server Security Policy
Web servers (hardware and software working together) send and receive content to and from end-users (i.e., clients) by executing any number of processes. From e-commerce systems to Software as a Service (SaaS) platforms, web servers are a vital component for a large and growing number of organizations. However, SQL Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and numerous other attacks against the applications those servers host can expose or alter the data behind them, often resulting in breaches of sensitive information. As such, it's vitally important to secure web servers against today's growing list of attacks.
Additionally, Denial of Service (DoS) attacks and other malicious activities against an organization's network often result in disruption of services from these ever-important web servers. Securing web servers begins with comprehensive policy and procedure documentation.
24. Virtualization Policy
Though virtualization has without question brought about greater speed, efficiency, and long-term cost savings, great benefits also come with great risks. One of the biggest challenges of virtualization is that many computing resources are condensed onto a single physical host, which can be catastrophic if hardware issues are encountered, from failing disks to physical damage.
Additionally, sharing resources, information, and other data in virtualized environments means that malware and other malicious threats can spread just as easily, conceivably infecting an entire virtualized platform. Comprehensive security measures for virtualized platforms begin with in-depth, well-written information security policies and procedures covering all essential topics, from provisioning and hardening to change management and patching, to name just a few.
25. Remote Access Policy
Advances in technology in recent years have made it routine for individuals to use remote access protocols to reach data and information on an organization’s private, internal network. As for defining what remote access is, definitions are plentiful, some vague and others quite technical. With that said, it’s best to view remote access as the following:
“The process by which a user initiates and utilizes a known communication protocol (e.g., over the Internet via DSL, cable modem, dial-up, etc.) and other supporting devices (e.g., a modem). Additionally, remote access is often, but not always, initiated from a network not owned, operated, or maintained by the organization granting such access to said user.”
In short, a well-defined remote access policy is needed for ensuring only approved protocols are used and that only authorized personnel have remote access rights, and it’s why it made the top 25 list of information security policies and procedures.
26. Risk Management
Risk management has quickly become one of the most notable topics in today’s growing world of regulatory compliance, and for good reason. After all, organizations across the globe are being challenged like never before with ever-mounting risks, ultimately forcing senior management to undertake measures for ensuring the safety, security, and financial solvency of the enterprise. Organizations have always faced, and will continue to face, a large and growing number of risks, especially given the complexity of the world we all live in.
Information technology has completely transformed so many aspects of the world, yet with great benefits also come great risks and challenges. Furthermore, the continued adoption and movement towards a more globally focused economy creates enormous exposure for many organizations, adding yet another layer of risk that just a few years ago was completely absent.
Why is it not on the Top 25 list of information security policies and procedures? Because it’s not really about having a policy in place; it’s about putting forth a comprehensive process for assessing risk on an annual basis, which is much more important than any policy document. If this were an annual list of Top 10 “must-have” security and organizational practices, then it would without question be included, possibly even at #1.
There are arguably numerous other information security policies and procedures that could be included on our annual Top 25 list, yet for purposes of critical “must-have” documentation, this is the list we’ve compiled. Look for next year’s list to see what changes, modifications, and enhancements will be made. With that said, it’s important to recognize the need for high-quality, well-documented security policies, especially in today’s world of growing regulatory compliance mandates and cyber security threats.