When we talk to clients as part of an IT audit we often find that policies are a concern: either the policies are out of date or they are not in place at all. This often stems from the fact that no one has been assigned to a permanent security role; it is left for IT to do when they have time. Of course IT never has time for security and compliance, because they are busy rolling out new technology and fixing last week's.
+ PART 1 OF THIS SERIES: Critical IT policies you should have in place +
We will cover 10 critical IT policies at a high level, with the aim of understanding how each one serves as a foundation for data governance. The following are not complete policies but summaries that can serve as a general framework for training purposes.
As mentioned in May, policies are not exciting and not many people like to write them, but they are a necessary foundation for systems security management. Policies don't have to be long or too wordy; if you have too many, or they are too complicated, they will probably just be ignored. Regarding policies we often say "say what you do, and do what you say"; that way no one is likely to use them against you. Don't just implement a generic template unless you are very diligent in making it yours: each enterprise or small business is unique, and its policies must match its culture, technology, compliance standards and business priorities. For example, the risk appetite in a DoD environment is very different from that of a car dealership. Here are the IT policies that should be covered:
- AUP (Acceptable Use Policy)
- Security Awareness
- Information Security
- Change Management
- Incident Response
- Remote Access
- Vendor Access
- Media destruction, Retention & Backups
We covered policies 1 through 5 in the first part. So let’s now cover the remaining five policies.
1. Incident response.
Incident response covers everything from an infected desktop, laptop or smartphone to a DDoS attack. It also ties in to business continuity: a DDoS attack impacts business continuity, so you need an incident response plan to handle that event. A good place to start on incident response plans is NIST SP 800-61, Computer Security Incident Handling Guide.
Per this NIST guide, establishing an incident response capability should include the following actions:
- Creating an incident response policy and plan
- Developing procedures for performing incident handling and reporting
- Setting guidelines for communicating with outside parties regarding incidents
- Selecting a team structure and staffing model
- Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies)
- Determining what services the incident response team should provide
- Staffing and training the incident response team
Let's first define an incident. A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of incidents are:
- A user sees a pop-up indicating that all their files are now encrypted and is prompted to pay a fee, a ransom, to get the key to unlock their files.
- An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.
- Users are tricked into opening a "quarterly report" sent via email that is actually malware; running it has infected their computers and established connections with an external host.
The following table illustrates the major parts of incident handling.
To wrap up incident response policies: follow the guidance on page 7 of NIST SP 800-61, section 2.3, Incident Response Policy, Plan, and Procedure Creation. That section discusses policies, plans, and procedures related to incident response, with an emphasis on interactions with outside parties.
Section 2.3.1, Policy Elements, notes that policy governing incident response is highly individualized to the organization; however, most policies include the same key elements: a statement of management commitment, and the purpose and objectives of the policy.
Here are the remaining policy templates.
2. Remote access
With office space constrained and remote offices, teleworkers and outsourced vendor activities increasing in frequency, standards for protecting the corporate network while still allowing remote access are critical. The following policy addresses these concerns.
Purpose: The purpose of this policy is to define standards for connecting to your company network from any host. These standards are designed to minimize the potential exposure to your company from damages which may result from unauthorized use of your company resources.
Scope: This policy applies to all your company employees, contractors, vendors and agents who use a your company-owned or personally-owned computer or workstation to connect to the your company network.
- It is the responsibility of your company employees, contractors, vendors and agents with remote access privileges to your company's corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to your company.
- General access to the internet for recreational use by household members through your company network on personal computers is not permitted.
- Secure remote access must be strictly controlled. Control will be enforced via the use of multi-factor authentication through secure encrypted VPN tunnels and hardware tokens.
- At no time should any your company employee provide their login or email password to anyone, not even family members.
- Your company employees with remote access privileges must ensure that their your company-owned computer or workstation, which is remotely connected to your company's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
- Your company employees and contractors with remote access privileges to your company's corporate network must not use non-your company email accounts.
Disciplinary actions: Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; or dismissal for interns and volunteers. Additionally, individuals are subject to loss of your company information technology access privileges.
1. Devices must use the following operating systems: Android 6.0 or later, iOS 9.x or
2. Devices must store all user-saved passwords in an encrypted password store.
3. Devices must be configured with a secure password that complies with Company X’s password policy. This password must not be the same as any other credentials used within the organization.
4. With the exception of those devices managed by IT, devices are not allowed to be connected directly to the internal corporate network.
1. Users must only load data essential to their job onto their mobile device(s).
2. Users must report all lost or stolen devices to Company X IT immediately.
3. If a user suspects unauthorized access to company data via a mobile device, they must report the incident in alignment with Company X's incident handling process.
4. Devices must not be jailbroken or rooted* or have any software/firmware installed designed to gain access to prohibited applications.
5. Users must not load pirated software or illegal content onto their devices.
6. Applications must only be installed from approved sources such as Google Play or the Apple App Store. Installation of apps from untrusted sources is forbidden. If you are unsure whether an application is from an approved source, contact Company X IT.
7. Devices must be kept up to date with manufacturer or network provided patches. As a minimum patches should be checked weekly and applied at least once a month.
8. Devices must not be connected to a PC without up-to-date and enabled anti-malware protection or which does not comply with corporate policy.
9. Devices must be encrypted in line with Company X’s compliance standards.
10. Users must be cautious about the merging of personal and work email accounts on their devices. They must only send company data through the corporate email system. If a user suspects that company data has been sent from a personal email account, either in body text or as an attachment, they must notify Company X IT immediately.
11. (If applicable to your organization) Users must not use corporate work stations to back up or synchronize device content such as media files, unless such content is required for legitimate business purposes.
*Jailbreaking (iOS) and rooting (Android) refers to removing restrictions imposed by the manufacturer. This gives a user access to the operating system to unlock features and install unauthorized software.
4. Vendor access
This policy defines the basic elements required for the your company information systems vendor management. Vendors play an important role in the support of hardware and software management, and operations for customers. Vendors can remotely view, copy and modify data and audit logs, they correct software and operating systems problems, they can monitor and fine tune system performance, they can monitor hardware performance and errors; they can modify environmental systems, and reset alarm thresholds. Setting limits and controls on what can be seen, copied, modified and controlled by vendors will eliminate or reduce the risk of loss of revenue, liability, loss of trust, and embarrassment to your company.
Purpose: The purpose of the your company vendor access policy is to establish the rules for vendor access to your company information systems and support services (A/C, UPS, PDU, fire suppression, etc.), vendor responsibilities, and protection of your company information.
Scope: The your company vendor access policy applies to all individuals that are responsible for the installation of new information systems assets, and the operations and maintenance of existing information systems and who do or may allow vendor access for maintenance, monitoring and troubleshooting purposes.
Vendors must comply with all applicable your company policies, practice standards and agreements, including, but not limited to:
- Safety, Privacy, Security, Auditing, Software Licensing, and Acceptable Use Policies
Vendor agreements and contracts must specify:
- The your company information the vendor should have access to
- How your company information is to be protected by the vendor
- Acceptable methods for the return, destruction or disposal of your company information in the vendor's possession at the end of the contract
- The vendor must only use your company information and information systems for the purpose of the business agreement
- Any other your company information acquired by the vendor in the course of the contract cannot be used for the vendor's own purposes or divulged to others
- Your company will provide an IT point of contact for the vendor. The point of contact will work with the vendor to make certain the vendor is in compliance with these policies.
- Add more statements as appropriate……
Disciplinary actions: Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; or dismissal for interns and volunteers. Additionally, individuals are subject to loss of your company Information Technology access privileges, civil, and criminal prosecution.
5. Media destruction, retention and backups
Data Retention and Backups Policy
Electronic backups are a business requirement to enable the recovery of data and applications in the case of events such as natural disasters, system disk drive failures, espionage, data entry errors or system operations errors.
Purpose: The purpose of the your company data retention and backup policy is to establish the rules for the backup and storage of critical your company electronic information.
Scope: The your company data retention and backup policy applies to all individuals within the your company enterprise who are responsible for information systems installation, support and security.
Policy: All critical information systems designated in the systems matrix will be backed up to removable storage media at least weekly. All backups must be encrypted in accordance with the data backup procedure document, which can be found in the Your Company IT Procedures Manual.
- The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner and the applicable risk assessment.
- The Your Company information systems backup and recovery process for each system must be documented, annually reviewed and periodically exercised to ensure data can be recovered from the backups.
- Backups must be periodically tested to ensure that they are recoverable.
- Add more statements as appropriate
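As an added illustration (not the page's own text and not Your Company's procedure document), the following Python routine shows what "periodically tested to ensure that they are recoverable" can look like in practice: it backs up a directory to a tar archive, records a SHA-256 manifest at backup time, restores the archive into a scratch directory, verifies every file against the manifest, and checks that the archive still falls inside the weekly window. The directory names, sample files and the 7-day constant are constructed assumptions; encryption of the archive, which the policy requires, is left to the organisation's own procedure and is not shown here.

```python
"""Backup restore test (hypothetical example, not the policy's own procedure).
Creates a gzip tar of a directory, records a SHA-256 manifest, restores into
a scratch directory, verifies every file, and checks the weekly window.
Encryption of the archive is out of scope for this example."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple

MAX_BACKUP_AGE_DAYS = 7  # policy: critical systems backed up at least weekly


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive source into a gzip tar; return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def safe_members(tar: tarfile.TarFile, dest: Path) -> List[tarfile.TarInfo]:
    """Refuse members that would escape dest or that are links, so a tampered
    archive cannot write outside the scratch directory during the test."""
    dest = dest.resolve()
    members = []
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"unsafe path in archive: {member.name}")
        if member.issym() or member.islnk():
            raise ValueError(f"link in archive refused: {member.name}")
        members.append(member)
    return members


def restore_test(archive: Path, expected: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Restore archive to a scratch directory and compare it with the manifest
    recorded at backup time. Returns (ok, list of problems found)."""
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        scratch_path = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch_path, members=safe_members(tar, scratch_path))
        restored = build_manifest(scratch_path)
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch after restore: {rel}")
    for rel in restored:
        if rel not in expected:
            problems.append(f"unexpected file in restore: {rel}")
    return (not problems, problems)


def backup_is_current(archive: Path, now: Optional[float] = None) -> bool:
    """True if the archive's modification time is within the weekly window."""
    reference = now if now is not None else time.time()
    return (reference - archive.stat().st_mtime) / 86400 <= MAX_BACKUP_AGE_DAYS


def run_demo() -> Dict[str, object]:
    """Exercise the routine on constructed sample data (not real system data)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "critical-system"
        (src / "db").mkdir(parents=True)
        (src / "db" / "ledger.csv").write_text("id,amount\n1,42\n")
        (src / "config.ini").write_text("[main]\nmode=prod\n")
        archive = Path(work) / "weekly.tar.gz"
        manifest = create_backup(src, archive)
        ok, problems = restore_test(archive, manifest)
        # A manifest digest that no longer matches stands in for a corrupted backup.
        corrupted = dict(manifest, **{"config.ini": "0" * 64})
        corrupt_ok, corrupt_problems = restore_test(archive, corrupted)
        return {
            "restore_ok": ok,
            "problems": problems,
            "corruption_detected": not corrupt_ok,
            "corruption_problems": corrupt_problems,
            "current_now": backup_is_current(archive),
            "current_in_8_days": backup_is_current(archive, now=time.time() + 8 * 86400),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The manifest is the piece that turns "we restored it" into "we restored it and it is intact": without a digest recorded at backup time, a restore that silently returns truncated or altered files would still look like a success. The path check in `safe_members` is there because a restore test is exactly the moment an unreviewed archive gets written to disk.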