Secure IT – the security policy in the organization

The CIA Triangle

We live in the information age, and the information holders have the advantage. Not surprisingly, cybersecurity, meaning the total actions we take to protect data and infrastructure from damage and unauthorized access, is increasingly important. And that is why we are devoting more resources to it. What does security mean in IT, and especially in IT systems? Simply put, it is the creation of the aforementioned procedures in an organization – the ones that ensure the confidentiality, integrity, and availability of IT systems. These procedures constitute the security policy.

About policy in a moment, first a brief explanation of the terms mentioned above:

• Confidentiality defines the scope of making data available to authorized entities or persons. This scope is usually determined by encryption and access control.
• Integrity is nothing but data consistency. Security is understood here as the prevention of deliberate data modification, usually done by using advanced techniques to hide the change.
• Availability refers to the ability to use the information at a specific time, by an authorized entity or a person.

Security policy starts… on paper

Referring to the security policy – it is much more than just a concept. A document that enables the effective and comprehensive management of the information security gathered in a company, especially in its information systems, is at its core.

What does such a document contain? First of all, a description of strategies and actions aimed at ensuring data security. The document is supposed to not only facilitate the understanding of the purpose of those activities, for example, the procedures I mentioned earlier, but also to raise employees’ awareness of security threats and related risks.

Security policy is one of the most important documents in a company. It should be written in a relatively accessible language which in the case of describing procedures can be quite a challenge. It must also be available for every employee or person authorized to use company IT resources.

The security policy is not always formulated in the same way. Its final shape and content depend on the company. You may encounter a comprehensive approach to the issue of security policy or only in the context of the Personal Data Protection Act. Sometimes, the document relates to a selected IT system or only a part of the data. Until recently, individual standards or procedures were always described in separate documents, but now there is no such requirement. Often, there is only one document that contains both theory and practice.

Security policy – how to put it into words?

Are there any requirements that the document in question must meet? In my opinion, the most important distinctions are as follows:

• Consistency and precision (accuracy) of information.
• Completeness – the described rules and procedures must take into account each level of data, from single documents through larger catalogs to the whole of IT resources.
• A complete description of the organization’s data flow process – how it is collected, managed and shared.
• Determination of the method to protect individual resources.
• Description of possible types of security breaches, as well as handling scenarios to avoid incidents in the future.
• Definition of correct and incorrect use of data resources.

How to facilitate the creation of such a document? Security policy is created based on current laws and regulations. You can also draw inspiration, for example, from ISO standards and adapt them as ready-made elements of the future document.

When designing information protection mechanisms, it is also necessary to define such elements as the security model, access control methods, or privilege levels. However, one must not forget about the everyday comfort of using data – increasing the security level is almost always comes at the expense of convenience, productivity, and efficiency. Therefore, the security policy must be tailored strictly to the company’s and employee’s specific needs, otherwise, it will not be followed.

Document and what next?

However, preparing a document and making it available to the employees is only the first stage of the whole process, which can be called conducting security policy. The next steps should include educating employees and verifying compliance with internal security standards. Information on these activities should also be included in the document. Otherwise, it will be just a paper with provisions that nobody will observe.

One of the biggest problems associated with the implementation of security policy is management’s wrong approach. The most common mistake is putting the responsibility for security solely on the IT department. Meanwhile, the responsibility lies within the company’s management. Only then can compliance be effectively enforced. The second common mistake is that the management itself does not comply with the procedures. Nowadays, it’s the executives who work at all hours and log on to unsecured networks that are most vulnerable to attacks from cybercriminals.

We must remember that the weakest link in this process is the individual. In The Art of Deception, the legendary Kevin Mitnick stated himself, “I broke people, not passwords.” The people that didn’t follow the procedures themselves gave him access to the data that allowed him to go deeper and deeper.

Having a security policy and following it is one thing, but it is equally important to adapt it to current conditions. It is not a one-time action but a continuous process and, like security, it should be understood as such.