How ‘Good’ is Your Security Policy?
By John Bennett, Strategic Security Consultant, GFI
Monday, 10 October 2005 14:36 EST


If your organisation were asked, “How good is your security policy?”, what would the response be? Chances are that most respondents would initially reply in a positive manner.

But what does ‘good’ really mean in the context of a security policy?

Does it mean the policy effectively meets the business requirement? Is it meant to imply that it has been updated recently to include the latest piece of legislation? Does ‘good’ mean it’s clearly written and easy to understand by all your staff, or does it simply mean that it now includes a section dealing with mobile devices such as PDAs and USB sticks?

In reality, to be considered ‘good’, your security policy should address all of these issues and more besides.

The primary aim of your information security policy must be to enable your organisation and all of your employees to operate in a safe and secure manner. An appropriate policy, effectively applied, should minimise the potential for security breaches, adhere to the latest standards and ensure your organisation remains legally compliant.

A well-constructed policy provides you with the basis for consistent understanding and enforcement across your organisation. It provides your security staff with specific rules and guidelines for carrying out their duties. It also should include clear guidance regarding how much and what kinds of security measures are necessary to achieve an agreed and acceptable level of risk.

Security policies have a number of human, financial and legal consequences. Because of this, great care needs to be taken to ensure that such policies accurately reflect the current situation. Your security policy is, by its very nature, a dynamic document that must be updated regularly so as to keep pace with changes in organisational structure, revised security standards, evolving technology and communications infrastructure, and legislative requirements.

It is not unusual for organisations to have a number of disparate documents distributed throughout the business, each addressing various issues such as acceptable use of company e-mail and the Internet, physical security of company assets, and so on. Although the size and nature of the business, its network infrastructure and its security requirements may well have changed considerably since these documents were introduced, often some or all of them have not been reviewed or updated for some considerable time – if ever!

Certainly, the legal requirements for the protection of personally sensitive data have changed dramatically of late and it is common to discover that individual organisations’ security policies have not kept pace. It is highly likely that your own policy may need to be reviewed and updated to ensure it not only meets your current security requirements, but also that your organisation remains compliant with all applicable UK and European law.

Additional legislation dealing with the protection of data and monitoring in the workplace has been introduced recently that may have a significant impact on both public and private sector organisations. Many, however, fail to appreciate the impact that legislative changes can have on their organisations. Serious repercussions, including adverse financial consequences, can occur if organisations do not make the necessary changes to the way they operate.

Furthermore, many organisations are required to demonstrate to external and internal auditors that they meet prescribed standards in the way in which they secure and operate their businesses and in how they interact with, for example, business partners and customers. Correctly interpreting how the various pieces of legislation and corporate governance guidelines apply to your organisation is a serious challenge and one where mistakes potentially can prove very costly.

Security standards in the UK are based on a recognised industry standard, British Standard BS 7799. Part 1 of BS 7799 has been adopted as an international standard, ISO 17799. The standard provides an approved framework within which businesses can operate securely. Wherever possible, therefore, organisations should strive to ensure their security policy complies with it.

Best practice (BS 7799/ISO 17799) recommends that security policies are updated regularly so as to ensure organisations continue to protect themselves from the risk of security breaches whilst remaining legally compliant.

In order to ascertain if your organisation’s security policy could benefit from an update, consider the following:

• Does your current policy incorporate sufficient procedures to cover the use of Personal Digital Assistants (PDAs) and similar mobile devices?
• Does your organisation have a policy to control the use of USB memory sticks?
• Do you monitor staff use of e-mail and the Internet?
• Does your organisation use CCTV and, if so, do you comply with the relevant guidelines for its use?
• Do any of your personnel work remotely or on the move and, if so, are they connecting securely?
• Are you aware of the main areas contained within ‘The Telecommunications Lawful Business Practice Regulations’ and ‘The Employment Practices Data Protection Code’ in respect of the monitoring of communications?
• Does the Civil Contingencies Bill (which came into force last year) apply to your organisation?

If you are unsure about any of these issues – and this is by no means an exhaustive list – it is highly likely that your security policy needs reviewing and updating. Only by doing so will you ensure that your organisation continues to meet both its legal requirements and its security objectives.

GFI Informatics are exhibiting at Infosecurity Europe 2006, Europe's number one information security event. Now in its 10th anniversary year, Infosecurity Europe continues to provide an unrivalled education programme, new products & services, over 250 exhibitors and 10,000 visitors from every segment of the industry. Held on the 26th – 28th April 2006 in the Grand Hall, Olympia, this is a must-attend event for all IT professionals involved in information security. www.infosec.co.uk
