Companies need formalised IT Security policies for a variety of reasons:
- To satisfy larger international companies' due diligence processes.
- To demonstrate compliance, for example with PCI DSS (in particular Requirement 12).
- To obtain a licence to trade, for example an FCA licence.
- As a proactive rebuttal against a GDPR non-compliance claim.
- To demonstrate that your organisation is a forward-thinking, modern and progressive company that understands modern IT Security issues.
- To improve your internal IT function and lower the number of support calls by having considered and documented processes and procedures in place.
- As a means to justifiably invoke an HR disciplinary process due to non-compliance with written and acknowledged policies.
IT Security Policies can help protect you against GDPR issues. The EU does not punish companies for being hacked. The EU punishes companies that get hacked and then cannot demonstrate the work they have done to secure their systems and data through the creation of a secure IT infrastructure and internal processes for staff guidance.
Policies are derived from the best practices and advice in the following:
- ISO 27001
- SANS Institute
- ISO 27002
- UK Cyber Security Essentials
- NIST 800-30
- UK Government Orange Book
- ISO 27005
- The Open Web Application Security Project (OWASP) top 10
- The Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) v4.0.
- Information Systems Security Assessment Framework (ISSAF)
- ISECOM OSSTMM
- National Institute of Standards and Technology (NIST) 800-61r2
- AWS (Amazon Web Services) best practices
- Microsoft Azure best practices
The full listing of created policies includes:
- Acceptable Use Policy
- Backup Policy
- Business Continuity Policy
- Change Management Policy
- Clean Desk Policy
- Configuration Management Policy
- Email Acceptable Use Policy
- Encryption Policy
- Environmental Threats Policy
- Ethics Policy
- Incident Response Policy
- Information Security Classification Policy
- Insider Threat Policy
- Malicious Software Policy
- Monitoring and Logging Policy
- Password Construction and Use Policy
- Patching and Updating Policy
- Physical Security Policy
- Printing Policy
- Remote Access Policy
- Secure Development policy
- Secure Hardware Disposal Policy
- Social Engineering Awareness Policy
- Social Media Policy
- Staff Leaver and Joiners Policy
- Third Party Risk Management Policy
- Wireless Security Policy
- Appendices A through K
We also provide a separate PDF and intranet-ready web page that gives end users a first-place resource to consult if they have an IT Security question or concern. You can discover more about this FAQ document here.
A “high level summary” produced for a client
(Insert your company name here!) Ltd uses a multi-layered approach to IT Security involving technical solutions, industry and government frameworks and advice, proven best practices, user guidance and training, all used to provide Company X with strong and diverse protection that is better than any single technique or technology.
With regard to ensuring the completeness and overall coverage of its IT Security considerations, Company X has drawn on ISO 27001, the SANS Institute, ISO 27002, PCI DSS and the UK Cyber Security Essentials.
For its secure development framework and best practices, Company X draws on the Open Web Application Security Project (OWASP) Top 10, the Information Systems Security Assessment Framework (ISSAF) and the ISECOM OSSTMM.
In the event of a cyber attack, Company X bases its Incident Response procedures on the National Institute of Standards and Technology (NIST) 800-61r2.
Finally, Company X has implemented the recommendations put forward in the AWS (Amazon Web Services) best practices publication to secure and monitor the use of its cloud resources.
Using all these proven and industry-respected best practices and frameworks, Company X has created a comprehensive IT Security Policy framework to guide staff in the sensible and secure usage of IT systems. Some of these policies stipulate acceptable technical usage and guidance, such as minimum encryption key strength, implementing multi-factor authentication on accounts, or commands to execute on a computer to look for suspicious events and activity. Other policies relate directly to staff and their daily behaviour, such as providing advice on detecting a social engineering attacker attempting to garner information, not leaving sensitive documents on a printer, or not leaving passwords written on post-it notes stuck to monitors.
An example final policy created for a client
Social Engineering Awareness Policy
Social Engineering is the act of a malicious actor persuading another person to commit some action that will result in the lessening of IT Security. It is one of the most popular techniques that hackers employ when attempting to breach company security and comes in many guises: via telephone (Vishing), via email (Phishing and Spear Phishing), via SMS/text (Smishing) and via websites (Watering hole attacks). There are many attack vectors available to persons with malicious intent.
It is no surprise that, as companies harden IT Security through technical solutions such as Firewalls, Honeypots, DMZs, Intrusion Detection Systems (IDS) etc., hackers target the weak link in the security chain. That weak link is unfortunately the staff and employees of the company they are targeting (Receptionists, IT Helpdesk and Salespeople are the most likely targets of social engineers). Put simply, all the technical security products in place are useless against one social engineer who can persuade a user to download and run a file.
Phishing is also covered in the Acceptable Use Policy.
This policy has two purposes:
- To make employees aware that
  - fraudulent social engineering attacks occur, and
  - there are procedures that employees can use to detect and defend against attacks.
- To create specific procedures for employees to follow to help them make the best choice when
  - someone is contacting the employee – via phone, in person, email, fax or online – and exclusively trying to collect XXXX sensitive information;
  - the employee is being “socially pressured”, “socially encouraged” or “tricked” into sharing sensitive data.
This policy covers all employees of XXXX, including temporary contractors and part-time employees.
Sensitive information about XXXX will not be shared with an unauthorised individual if they use words and/or techniques such as the following:
- It is recommended that a user does not request a password reset on behalf of any other user in the company.
- It is a best practice that emails and faxes are not an acceptable means of requesting a password reset.
- It is a best practice, if the user is a remote user, to have a predefined secret question that they can be asked to help verify their identity.
- It is a best practice to check that a user is calling from their own extension number if they are calling internally.
- If the user is requesting in person and they are unknown, it is a best practice to request to see some form of identification.
- If there is any doubt in establishing a caller’s identity, a known phone number should be taken (an office number, a home number or a mobile number that can be confirmed with another party or HR) and the requesting user is then contacted via that number.
- A “computer virus emergency”.
- Any form of intimidation from “higher level management”.
- Any “name dropping” by the individual which gives the appearance that it is coming from legitimate authorised personnel.
- The requester requires the release of information that will reveal passwords, or the model, serial number, brand or quantity of XXXX resources.
- Furthermore it is a best practice not to reveal any information regarding Operating System versions, AntiVirus products, Adobe Acrobat versions, Java versions, Internet Browser versions, Microsoft Office versions or VoIP systems.
- The techniques are used by an unknown (not promptly verifiable) individual via phone, email, online, fax, or in person.
- The techniques are used by a person that declares themselves to be “affiliated” with XXXX such as a subcontractor.
- The techniques are used by an individual who says he/she is a reporter for a well-known press editor, TV or radio company.
- The requester is using methods that play on ego and vanity, for example rewarding the front desk employee with compliments about his/her intelligence or capabilities, or making inappropriate greetings (coming from a stranger).
- The most common email subjects most likely to elicit a response from a phishing victim:
  - “Urgent Matter”
  - “Forgotten Password”
  - From the article 7 Most Prevalent Phishing Subject Lines:
    - “Assist Urgently”
    - “Bank of X”
    - “New Notification”
    - “Verify your account”
    - “Unauthorized login attempt”
    - “Document Copy”
    - “action required: pay your seller account balance”
- General Data Protection Regulation (GDPR) disclosure requests
  - Requests from unknown sources for the disclosure of information that an organisation holds about them are a viable attack vector for social engineers and could disclose personal and private data to unauthorised parties.
  - Any request made under GDPR legislation for information disclosure must not be completed unless due diligence on the requesting source is completed.
  - One of the following criteria must be satisfied:
    - A request from a source should come from the email address that is held on file.
    - A request should be accompanied by “strong” ID proof, e.g. a passport scan.
  - It is possible to outsource this process to a third party who undertakes suitable due diligence.
- All persons described in the “scope” section of this policy must attend security awareness training within 30 days from the date of employment and every 6 months thereafter.
- If there is any suspicion or doubt about the validity or legitimacy of a request made by a person, the identity of the requester must be verified before carrying out any actions.
- If the identity of the requester cannot be confirmed, then the XXXX employee will seek guidance from their line manager.
- Paper documentation must be disposed of in a secure manner, either via a third party company or shredded on site. See the Clean Desk Policy for more information.
- XXXX management will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback.
- Any exceptions to this policy must be approved by XXXX management in advance.
- Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
OIC Solutions understands that policy documentation is not the most exciting aspect of growing your business, but if you want to secure more clients with less “bureaucratic hoop jumping” then comprehensive IT Security Policies based on respected authorities open doors, and this is the service that you need. You can get the process started today by contacting us at email@example.com or here.