Technology / Security

Key Elements of a Strong IT Security Policy

Published on August 1, 2024

Quick Definition: An IT security policy is a document that explicitly states the actions the organization will take and the rules it will follow to secure the confidentiality, integrity, and availability of data and services.  

When a construction crew builds a house they have a plan. The company has its own set of rules to follow, and the construction industry itself has a set of standards and regulations to ensure the safety of the crew and the people who will ultimately purchase the house. The field of cybersecurity is no different. Every organization needs an IT security policy.

Different standards and regulations affect an organization's security based on its business type and the information it handles. While compliance with many of them is legally or contractually required, organizations still have flexibility in how they write the policies that implement them. In this article, we will explain what an IT security policy is, its purpose, its key components, and some best practices.

What is an IT Security Policy?

At its core, an IT security policy is a document (which often references another set of documents such as other policies and standards) that explicitly states the actions the organization will take, the rules it will follow, and the behaviors that will not be tolerated as they relate to securing and maintaining the confidentiality, integrity, and availability of data and services. This last part, known as the C-I-A Triad, is crucial, as it encompasses the bare minimum of what should be protected. 

Securing the C-I-A Triad requires information security policies and standard operating procedures (SOPs) that not only clearly state a goal and how to meet that goal but also a way to enforce it.

For example, suppose a security policy states that passwords must be changed every 90 days. The policy should then also state the consequence of not changing the password within that window, which in most cases is that the account is locked (or the password is marked expired) until it is reset. The 90-day rule is only an illustration of the "rule plus enforcement" structure; current NIST SP 800-63B guidance recommends against forced periodic password changes unless there is evidence of compromise, so an up-to-date policy is more likely to enforce minimum length, screening against known-breached passwords, and multi-factor authentication instead.

Security policies can be broken into several smaller, more specific policies focusing on just one or two key components of security. Some of the policies you might see include the following:

  • Acceptable Use

  • Incident Response

  • Disaster Recovery

  • Business Continuity

  • System Hardening and Patching

  • Access Control

  • Encryption

Much of the information in these policies can and often should be mapped to the security controls and requirements established by regulations and frameworks such as NIST publications (for example SP 800-53 and the Cybersecurity Framework), PCI DSS (Payment Card Industry Data Security Standard), and FedRAMP, to name a few. Mapping your organization's policies and SOPs to the frameworks that apply to you helps ensure your security posture is at or near a compliant level, and makes it obvious which control a given policy statement exists to satisfy.

How to Harden IT Systems

Much of what security policies cover includes hardening standards. Hardening is a broad term used to describe all the efforts to make it more difficult for attackers to gain unauthorized access to a system by increasing the security of the systems and network. Hardening includes the use of things like firewall rules, access controls, vulnerability patching, network segmentation, and more. 


Identification

The process of hardening begins with identifying weak points in your network and systems. This could be overly permissive firewall rules and access controls, or it could be outdated software. It could also be weak physical security measures such as allowing anyone to mount a USB drive to systems or not enforcing a rule that all users lock their computers while away from their desks. 

Implementing Mitigating Controls

Once a weakness has been identified, a fix needs to be chosen and applied. Using the same examples as the previous section, mitigating controls can look like deploying more restrictive firewall rules and limiting access to data and services to only those who need it as part of their job. It also includes updating software, upgrading end-of-life (EOL) systems, and segmenting the network so that systems can reach only the peers they actually need.

Validation

After implementing security controls, updating software, and upgrading physical security measures, it's time to confirm that they have the desired effect and have not broken legitimate access. This validation often comes in the form of vulnerability assessments and penetration tests, but it can also come in the form of a compliance audit. By performing an internal audit first, your organization can catch mistakes and fix them in time, without the penalties that can follow a finding in a formal external audit.
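The identify, mitigate, validate loop above, applied to one concrete hardening target (firewall rules that expose administrative ports to the whole internet), as an added example that is not part of the original article. The rule format, the set of "management" ports, and the sample ruleset are all constructed for this example; real security-group or host-firewall APIs differ, but the three functions map one-to-one onto the three steps.

```python
"""Identify, mitigate and validate overly permissive ingress rules.

Added example (not from the original article). The Rule dataclass is a
constructed abstraction of a cloud security group or host firewall entry.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List

# Assumption for this example: services that should never be reachable from
# the whole internet (SSH, RDP, WinRM). Adjust to your own policy.
MANAGEMENT_PORTS = {22, 3389, 5985, 5986}


@dataclass(frozen=True)
class Rule:
    proto: str     # "tcp" or "udp"
    port: int      # 0 means "all ports"
    source: str    # source CIDR, IPv4 or IPv6
    action: str    # "allow" or "deny"


def is_overly_permissive(rule: Rule) -> bool:
    """Identification: an allow rule whose source is the entire address
    space (prefix length 0, i.e. 0.0.0.0/0 or ::/0) and which reaches
    either every port or a management port."""
    if rule.action != "allow":
        return False
    source = ipaddress.ip_network(rule.source, strict=False)
    internet_wide = source.prefixlen == 0
    sensitive_port = rule.port == 0 or rule.port in MANAGEMENT_PORTS
    return internet_wide and sensitive_port


def find_weak_rules(rules: List[Rule]) -> List[Rule]:
    """Identification over a whole ruleset; reused by validate()."""
    return [r for r in rules if is_overly_permissive(r)]


def harden(rules: List[Rule], admin_cidrs: List[str]) -> List[Rule]:
    """Mitigation: narrow each weak rule to the administrative network(s)
    of the same address family. If no admin range exists for that family
    the rule is dropped, i.e. default-deny rather than left wide open.
    Acceptable rules pass through unchanged so the diff stays reviewable."""
    admin_nets = [ipaddress.ip_network(c, strict=False) for c in admin_cidrs]
    hardened: List[Rule] = []
    for rule in rules:
        if not is_overly_permissive(rule):
            hardened.append(rule)
            continue
        family = ipaddress.ip_network(rule.source, strict=False).version
        for net in admin_nets:
            if net.version == family:
                hardened.append(replace(rule, source=str(net)))
    return hardened


def validate(rules: List[Rule]) -> bool:
    """Validation: the ruleset must contain no weak rule."""
    return not find_weak_rules(rules)


# Constructed sample ruleset (documentation ranges, not real infrastructure).
SAMPLE_RULES = [
    Rule("tcp", 443, "0.0.0.0/0", "allow"),        # public HTTPS: acceptable
    Rule("tcp", 22, "0.0.0.0/0", "allow"),         # SSH from anywhere: weak
    Rule("tcp", 3389, "203.0.113.0/24", "allow"),  # RDP from one office: ok
    Rule("tcp", 0, "::/0", "allow"),               # all ports over IPv6: weak
    Rule("tcp", 22, "0.0.0.0/0", "deny"),          # explicit deny: fine
]

if __name__ == "__main__":
    print("weak rules:", find_weak_rules(SAMPLE_RULES))
    fixed = harden(SAMPLE_RULES, ["198.51.100.0/24"])
    print("validated:", validate(fixed))
```

Running the script lists the two weak rules, rewrites the SSH rule to the admin range, drops the IPv6 catch-all because no IPv6 admin range was supplied, and reports that validation passes on the result. Running `validate()` against the original ruleset instead of the hardened one is the check that catches a change which was planned but never actually deployed.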

The overall goal of network and system hardening is to reduce your organization's attack surface. This makes it harder for attackers to break into your network and also limits the damage when internal users make mistakes, such as clicking a malicious link or reaching data they should not have access to. Even simple measures like disabling unused services and closing their ports can have a positive impact on security posture.

How to Integrate Security Policy into Hardening Practices

When designing your organization’s IT security policies, it’s important to consider the frameworks you’ll be working with so you can ensure your policies lead your organization in the direction of compliance with those frameworks. 

Your security policies should work to establish a baseline of what your environment’s “normal” looks like. You’ll want to know how many vulnerabilities in your environment are both typical and acceptable, as well as the breakdown of vulnerability criticality and exposure (consider whether a vulnerability is on a public-facing asset). 

You’ll also want to consider how many versions behind the most current available you’re comfortable with your software being. This is often referred to as N-1 or N-x, where you can be one or more versions behind the newest software release. 

Ideally, your organization also has a regularly scheduled vulnerability scanning and patching schedule, with a set and enforced remediation timeline based on the vulnerability’s criticality. More severe vulnerabilities should be patched sooner than less critical issues. 

Security monitoring should also prioritize assets affected by zero-day vulnerabilities, meaning vulnerabilities that are publicly known or actively exploited before the vendor has released a patch. Since there is nothing to apply yet, these are handled with compensating controls and closer monitoring rather than a remediation deadline. Maintaining a secure and compliant environment relies heavily on continuous efforts to identify areas for improvement and implement the necessary fixes.
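The two measurable policy statements in the preceding paragraphs (a remediation deadline that depends on severity and exposure, and an N-x version-drift limit) are the kind of thing worth writing down as a check rather than only as prose. Below is an added example, not from the original article, that does exactly that. The SLA day counts, the halving of the deadline for public-facing assets, and the sample findings and release list are all constructed assumptions; substitute your own numbers.

```python
"""Policy-as-code checks for remediation deadlines, zero-days and N-x drift.

Added example (not from the original article). All thresholds and sample
data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Assumed policy: maximum days to remediate, by severity. Public-facing
# assets get half the time because the vulnerability is directly exposed.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
EXPOSED_FACTOR = 0.5


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str         # constructed labels, not real CVE identifiers
    severity: str           # one of the SLA_DAYS keys
    discovered: date
    public_facing: bool
    patch_available: bool   # False models a zero-day: nothing to apply yet


def deadline(finding: Finding) -> date:
    """Remediation deadline derived from severity and exposure."""
    days = SLA_DAYS[finding.severity]
    if finding.public_facing:
        days = max(1, int(days * EXPOSED_FACTOR))
    return finding.discovered + timedelta(days=days)


def triage(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Bucket findings for the weekly review.

    Zero-days are escalated for monitoring and compensating controls rather
    than measured against a deadline they cannot meet; everything else is
    either overdue or on track relative to its deadline.
    """
    result: Dict[str, List[str]] = {"escalate": [], "overdue": [], "on_track": []}
    for f in findings:
        if not f.patch_available:
            result["escalate"].append(f.finding_id)
        elif today > deadline(f):
            result["overdue"].append(f.finding_id)
        else:
            result["on_track"].append(f.finding_id)
    return result


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.6.1' into (2, 6, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def versions_behind(installed: str, releases: List[str]) -> int:
    """Number of published releases newer than the installed version."""
    current = parse_version(installed)
    return sum(1 for r in releases if parse_version(r) > current)


def version_compliant(installed: str, releases: List[str], max_behind: int = 1) -> bool:
    """N-x policy: at most max_behind releases behind the newest (N-1 by default)."""
    return versions_behind(installed, releases) <= max_behind


# Constructed sample data; TODAY is the reference date for the sample.
TODAY = date(2024, 8, 1)
SAMPLE_FINDINGS = [
    Finding("web-01", "EX-0001", "critical", date(2024, 7, 20), True, True),   # due 07-23
    Finding("db-01", "EX-0002", "high", date(2024, 7, 10), False, True),       # due 08-09
    Finding("web-02", "EX-0003", "high", date(2024, 7, 25), True, False),      # zero-day
    Finding("app-03", "EX-0004", "low", date(2024, 1, 1), False, True),        # due 06-29
]
RELEASES = ["2.4.0", "2.5.0", "2.6.0", "2.6.1"]

if __name__ == "__main__":
    print(triage(SAMPLE_FINDINGS, TODAY))
    for installed in ("2.6.1", "2.6.0", "2.5.0"):
        print(installed, "N-1 compliant:", version_compliant(installed, RELEASES))
```

Run against the sample, the critical public-facing finding is already overdue three days after discovery, the low-severity one from January is overdue because even a generous 180-day window eventually expires, and the zero-day is escalated instead of being counted against a deadline. The version check deliberately counts published releases rather than subtracting version numbers, so a vendor that skips numbers or ships several point releases in a month is measured the way the N-1 policy intends.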

What are the Best Practices for Developing Security Policies for Hardening?

Establishing security policies requires stakeholder support. Everyone’s goals need to align – security needs to patch, development needs to innovate, management needs to keep all the pieces moving, and they all need to agree on mutually acceptable terms. Everyone also needs to agree on policy enforcement and consequences for deviation from the policies.

To ensure everyone is aware of the policies and the information in those IT security policies, they should be easily accessible and easy to read. Simple sentences, bullet points, and references to other policies, where necessary, help guarantee everyone is aware of acceptable and unacceptable practices within the organization. 

Finally, policies should be reviewed and updated as needed. Your network will change. You may adopt new frameworks. Changes will occur that require you to update your IT security policies to adapt and meet your organization’s needs. Industry best practices change, and guidance is updated to keep up with evolving exploits and vulnerabilities, so the ability to modify your policies is a must. 

What are the Challenges and Considerations of IT Security Policies?

One of the most common obstacles policies face is the objection to change. Whether you’re implementing a brand new policy or modifying an existing standard, there will likely be some objections, as well as some old habits that lead to policy violations. 

It’s important to clearly and effectively communicate the upcoming changes, providing information about when the change will occur and how it will impact current operations. 

Another objection to IT security policies revolves around balancing security and ease of use. Passwords are a must, but it sure would be easier not to use them at all. That's why many organizations implement Single Sign-On (SSO): one authentication to the identity provider covers many tools, reducing the number of passwords users must hold and the number of times they must enter one. Because SSO concentrates access in that one identity provider, the same policy should require multi-factor authentication on it. This is just one example of a constant balancing act between security and user-friendliness, and IT security policies should address that balance so that all sides can live with the result.

Conclusion

IT security policies drive the organization’s security posture. These are the laws that govern what activities are required, acceptable, and prohibited within an organization as they pertain to security management. There are several different policies available to address specific components of security such as device and network hardening, system backups, incident response, and many more. 

Want to learn more about security policies and compliance? The CBT Nuggets course Information Security Fundamentals Online Training is a great place to start.


© 2025 CBT Nuggets. All rights reserved.Terms | Privacy Policy | Accessibility | Sitemap | 2850 Crescent Avenue, Eugene, OR 97408 | 541-284-5522