Online infuses the right amount of security into everything we do – I like to refer to this approach as our “special sauce.” Security is not just important to our Risk, Security, and Privacy (RSP) practice (which lives, breathes, eats, and sleeps security), it’s important to our entire company. We have built security into our development processes, our service management practice, our customer/digital experience offerings, our internet of things (IoT) offerings, and our cloud-based (AAS) service offerings.
Earlier this year we refreshed Online’s internal security policy. Our old policy was simply too generic and did not represent our organization’s security-first philosophy. When we first shared the new policy internally, many questions surfaced from Onliners and these became the impetus for the blog series you’re reading now. The goal of this series is to ‘humanize’ each section of our own security policy in a way that will hopefully resonate with you the reader, which in turn will help you embrace this thing called information security.
Why a Security Policy?
In today’s business climate where companies are becoming increasingly aware of security and third-party risk, security policies are not only expected, but they are business drivers.
A security policy provides a framework and set of standards that enable an organization to exercise proper due diligence to adequately protect critical assets. The policy is supported by underlying processes (how will we do it?) and standards. It helps an organization make sure they have a consistent strategy to address the protection of critical assets.
In addition, the policy (and underlying processes) is the glue that allows for organizations to go through change (which is inevitable) while helping maintain the right security posture. If an employee switches roles or leaves the company, the new person needs to be able to take the reins not only operationally, but in a way that doesn’t allow security to slip. Documented policies and procedures can help with this.
Scope - How much is just enough?
It is critically important to implement a policy that aligns with your business model – to protect assets (data, systems, networks, applications, etc.) with the right amount of policy, process, controls, technology, and people so that you can demonstrate you are exercising proper due diligence. Just like your security program, your security policy should be right-sized for your organization. The issue many organizations face, however, is that it can be difficult to know just how much security you need. That’s where Online can help: our team of security experts has years of experience developing and implementing security policies for organizations of all sizes and industries.
Do I have to read the whole thing?
The important thing about writing any policy is that each section should be read by the people to whom it actually applies. When we shared our new policy, we asked all Onliners to read the encryption and key management policy items; in the end, this may not have been the best approach as those items applied to only a handful of people – so we refined who they applied to. At my last job, I had to read a two-page asbestos policy (because some of the company’s facilities may have had asbestos) yet I was a virtual worker who never set foot in any of their facilities! In short, you will lose your policy-reading audience if you force them to read portions of a policy that don’t apply to them – therefore try to include a preamble section in each policy stating to whom it applies.
Make it referenceable
Change is constant – roles, technology, cyber threats, and clients are all susceptible to it – therefore we need to be able to quickly react to address the risk associated with change. The security policy should be located in an easy-to-find location and should be well indexed so that it can be easily searched. Then, even if your job today doesn’t require any cryptography or key management, for example, you can at least know where to find out more.
Remember, just like the voice on the airport intercom says, “Security is everyone’s responsibility,” and this is true for all organizations. In my next post, we will talk about the various roles associated with creating and maintaining your organization’s security policy.
Are you looking for guidance on creating or reviewing your organization’s security policies? Feel free to reach out to me directly or leave a comment below.