What I can do for you
Whether it’s the developing of a new policy from scratch or the enhancement of an existing one that you’re after, the same few basic steps apply:
- We sit down and discuss your requirements and your business.
- We establish the scope of the project – the level of detail and the areas to focus on.
- I gather information from staff and any relevant third parties.
- Where several options are identified, I support the management team in making the appropriate decisions.
- I develop and then present the documents we had agreed on.
- I remain on stand-by to provide any necessary support for the implementation of the developed documents.
Why it matters
Two words: due diligence. A cybersecurity policy can be a requirement of industry or government regulations (such as consumer data privacy protections), but, just as importantly, it is meant to ensure an organisation and its stakeholders are adequately protected against risks.
The whole purpose of security management is to ensure that money is well spent protecting assets. Without a clear plan, it may be difficult to analyse whether some measures are worth their cost or whether others reduce risk sufficiently – after all, some threats materialising could, on their own, make it difficult to continue doing business or may impose considerable costs needlessly.
For example, having a backup strategy is considered good practice. But if no important data is kept on a device, other than its operating system, the measure may not be worth its cost. On the other hand, critical accounting data, which may be threatened by accidental deletion, ransomware attacks or inadvertent disclosure, could benefit from periodic backup reviews and restoration simulations.
A well designed security policy will ensure that:
- resources are allocated efficiently;
- all operations work concertedly towards the same goals;
- the management team is aware of residual risks.
The most important thing is that the security policy of a tech giant will look quite different from the one belonging to a niche online store. And yours must work to support your business objectives.
If you already have one
That’s great! In many sectors, you may already be one step ahead of your competitors. But keeping that advantage does rely on a strategy of continuous improvement:
- expanding your security policy to cover new areas – maybe a new procedure, or guidelines for certain operations that weren’t previously in focus;
- reviewing existing documents, not just to ensure they provide adequate protection, but also to take advantage of new opportunities.
As an example, an existing measure you have relied on might be replaceable with a technology or service that did not exist a year ago, at a lower cost and with a smaller residual risk.
Having done the right thing by having a security policy in place, you understand just how important it is to hire the right security professional.
What it is
A security policy is a set of documents whose level of detail varies greatly from one organisation to another. What they have in common is that they are meant to ensure information security provides value for your organisation in achieving its mission and goals, rather than hindering it.
That is a very abstract and rather unhelpful definition, but one which we can break down. At a very high level, you can outline a plan. Don’t worry if you only start out with the following – it’s still a start!
| Question | Example answer |
| --- | --- |
| Which assets should be the focus of this policy? | Just protect the accounting database and staff email, please. |
| Which regulations apply to your organisation? | Only GDPR (Regulation (EU) 2016/679) applies. |
| Do you have a security budget? If not, how are decisions about investments and purchases made? | No security budget; decisions are made on a case-by-case basis by the managing director, having been given a cost analysis. |
| Is there a well-known framework that is implemented or striven towards (e.g. ISO 27k)? | No. |
| At what frequency are risk assessments performed? | We'll perform risk assessments on a yearly basis. |
| Have you defined an acceptable level of residual risk? Are there different targets for the short, medium and long term? | An acceptable level of residual risk will be defined in three years; before that, security controls are implemented based on opportunity and available resources. |
| Do you perform regular audits or are you audited by a third party? If yes, how often and against which baselines? | No. |
| What other documents form your security policy, or which ones are planned for the future? | Documents defining implemented security controls form an integral part of the policy. Additionally, the Recommended Procedures document details the list of operations for which security procedures will be defined in the future, according to their assigned priority. |
The basic principle is to document decisions, so as to save time in the future and ensure that any effort put in is aligned with your objectives. Once these are clear, the work can focus on more tangible steps. The following are just examples:
- The Risk Assessment will outline threats to assets, the associated risks and means to lower those risks (or eliminate some altogether). This should make it easy to prioritise measures that give you the most value for your money.
- Security Procedures detail the exact steps that need to be taken to execute a function that is particularly sensitive; for example, it may be prudent to ask your staff to not execute any applications or follow any links received in an email, even when it seems to come from a trusted party.
- Acceptable Use Policies, which may target either clients or staff; for example, you may want to ask your staff to not upload the company’s client data to their own personal Cloud storage folder.
As you can see, it is organisations and their assets (data, brands, people, etc.) that stand at the forefront of an effective information security policy.
Where do you start?
If you don’t already have a cybersecurity policy, I recommend starting with a risk assessment. It would be difficult even to define a high-level strategy without having an overall picture of the assets and threats. Of course, such an initial risk assessment does not need to be very detailed and should probably be qualitative in nature; nor would it need to cover mitigating controls at this stage. Most importantly, it will not just provide a solid foundation for the upcoming security policy, but it will also raise awareness among the organisation’s members about the impact that information security can have.
That being said, each organisation is unique – if you’re wondering what is best for you and you would like to have a chat, get in touch and I would be more than happy to answer any questions you may have.