The SMB Security Policy – Part 1
I'm not sure why it hasn't been labeled this way yet, but most cyber crimes these days are organized crimes targeting individuals and companies for their valuable information. I have found that a majority of smaller companies neglect to make the proper investment in securing their information infrastructures, and it all starts with the first basic element of security – the security policy.
Your security policy will vary depending on the type of business you are in. For example, a small business that handles credit information (addresses, names, social security numbers, credit card information, and birthdates) would need a much more comprehensive policy than an organization that writes software components for boxed applications.
The security policy should be used as the framework around which the technology infrastructure of your business is protected. Developing a security policy is a very customized and personalized experience. No one-size-fits-all solution applies here. Developing the solution that best fits your organization's operational methods is the only way to truly succeed in securing your technological operations and your business. The vast majority of mid-sized and large corporations use security policies, so how do we take enterprise security principles and apply them to small business challenges? In this article I'll detail three of the steps I would advise any small business to take to implement a sound security structure.
Step One: Communicate
The most important step to beginning or extending any business process is communication. Communication is necessary at all levels of the organization, no matter how small or how large, to ensure everyone is on the same page. You greatly increase your probabilities for success and the development of a truly comprehensive security policy if everyone is working towards the same well-established, well-discussed goal.
Step Two: Analyze
A 3rd party risk and vulnerability assessment is important for developing a sound security policy for your organization. The reason I always advise companies to use a 3rd party is two-fold. First, there is a greater level of granularity and accountability when using a 3rd party. Second, it is always a good idea to have an impartial set of eyes look at the organization's technologies as a whole.
The assessment should include penetration testing, vulnerability testing of all critical systems, assessment of the disaster recovery program (even if it is not documented), and finally a risk assessment that compares technological dependencies with operational tolerances. For example, a security policy will look different in an organization that is governed by a regulatory framework like PCI or HIPAA than in one that is not, making risk assessments vital to developing security plans that are within the scope of the organization's operation.
Step Three: Compose
Compose the security policy with language that is unambiguous, consistent, and most importantly – delivers specific objectives and directives for all employees to abide by. Whether your company has 30 or 300 employees, the security policy must be written in a language that directs activities and mandates technology policy.
The security policy should contain the following elements, at a minimum:
1. Standard of Acceptable Use – which defines under what conditions employees and authorized individuals may access the system. This is critical to ensure your policy defines parameters for use of company resources, from software to hardware.
2. Access Control & Authorization – should answer the questions: who gives access, who requests access, how and when is access requested, how and when is access audited, what happens when an employee leaves or is fired, etc.
3. Information Classification – very important; should cover the requirement for Non-disclosure agreements (NDAs) with 3rd parties, customers/partners, and employees. This element should also cover types of data, how it is stored and maintained, and who has access both to the live data and to the stored or archived data.
4. Network/Communications – should cover network resource usage both in-office and remote. This is where you would specify what access is allowed to the internet, instant messaging, etc. Make sure to remember policies governing wireless devices, PDAs, and the ubiquitous MP3 players.
5. Intent & Authority – this part is very important. The intent of the various sections should be explained, and their authority clearly identified. For example, who is responsible for enforcement? Who should violations be reported to? What are the consequences of failure to comply; or worse, what are the consequences when a failure to comply results in a breach? This element is the difference between your organization's security policy being a paperweight or being as critical as the company business plan.
6. Standard of Focus – all businesses should strive to standardize to ensure even operation of their infrastructure. This doesn't mean your business has to adopt ITIL tomorrow, but your security policy should follow applicable conventions of a policy framework to ensure uniformity and improve the overall efficiency of the technology operation. Most businesses, regardless of their size, should develop their own methods of standardization. For example, an infrastructure standard might be that your organization only uses a specific brand of server, or a specific OS software image, etc. When defining operational standards, be specific but flexible, to avoid having to revise them more than once a year.
7. Modification Requirements – under what circumstances and who can modify the policy? Also, how are exceptions to policy handled, and under what circumstances are exceptions allowed? These sorts of questions should be answered without ambiguity by this element.
This leaves us with a lot to do. Next week we'll discuss the final 3 steps to producing a sound security strategy for your small business.