Policies are an essential part of an overall security strategy and are often undervalued or overlooked completely. Organizations of all sizes struggle with developing a comprehensive information security strategy because it is hard to prioritize where to begin. Strong and effective policies provide an excellent set of resources to help set expectations, provide long- and short-term goals, and identify gaps that may need to be closed. No matter the maturity level of your organization’s information security strategy, well-written policies put you on the right path for continued development.
Below we take a brief look at the top 10 most important security policies that your organization can develop and implement. It's important to remember that the effectiveness of a policy has nothing to do with its length. We often have customers who approach us with policies that are far too complex and cumbersome to ever be effective. An effective policy is often only a few pages long; what matters is that it captures the core elements your organization values in a clear and concise way, and that it defines clear roles and responsibilities as well as remediation steps.
Top 10 Security Policies
Written Information Security Plan (WISP): This document provides the foundation of your organization’s security strategy. It establishes your organization’s minimum security controls, its compliance requirements, and the security policies that support them.
Asset Management Policy: Asset management is essential to understanding an organization’s technology footprint, which in turn is critical to providing foundational security controls; you cannot protect what you do not know you have.
Acceptable Use Policy: This policy defines what acceptable usage is when using any system, network, or resource. All employees, contractors, and third parties should have a clear understanding of what an organization’s resources can and cannot be used for prior to being granted access.
System and Device Baseline Security Policy: Systems and network devices should always have a minimum security configuration implemented before being put into use; this is also a requirement of many security frameworks. This policy defines what is required for device and operating system baseline hardening.
Account and Password Policy: More than just setting minimum password length and complexity, this policy should define the different types of accounts, their use and management lifecycle, as well as any additional controls to be used such as One Time Passwords (OTP) or Multi-Factor Authentication (MFA).
Security Logging Policy: Centralized logging is essential to monitoring, response, and investigation during security incidents. A sound logging policy and strategy implemented prior to a security incident will make response and mitigation much more effective.
Endpoint Security Policy: This policy defines the minimum security controls that will be put in place on an organization’s endpoints. Providing a sound endpoint security strategy and solution can be one of the most effective controls to reduce the risk of a successful attack.
Vulnerability Management Policy: Vulnerability management is essential to understanding an organization’s risk posture and to measuring how effective its system and device patching processes are.
Mobile Device Management and Access Policy: This policy is essential for any organization that has a mobile workforce. It defines what types of devices may access the organization’s resources and what minimum controls are required before access is authorized.
Security Incident Response Policy: Incidents are inevitable, and a clear understanding of responsibilities, communication strategy, containment, and reporting processes is critical to minimizing loss and damage to an organization. This is a foundational policy and the required first step in an overall organizational incident response strategy.
Other Policies to Consider
- Cloud Services
- Cloud Provider Governance (Azure/AWS/GCP)
- Data Protection and Privacy
- Penetration Testing
- Privileged Access Management (PAM)
- Perimeter Security
Please contact us if you're interested in learning more about how we can help support your security strategy or to hear more about our managed IT services.