Implementing & Maintaining a Secure Framework
Following the results obtained from your security risk assessment, the security management cycle enters a phase of implementation and maintenance, where appropriate security protection measures and safeguards are implemented in a way that builds a secure protection framework. This includes developing security policies and guidelines, assigning security responsibilities and implementing technical and administrative security measures. All these steps are crucial in contributing to the safeguards of your business assets.
A good security policy sets out the basic rules for information security within your organisation. These rules are mandatory and must be observed throughout the organisation. Since security requirements vary from one organisation to another, so should the security policy. Therefore, it is of the utmost importance that the security policy be in accordance with requirements and the organisation's business goals and policies such that it is supported by all employees, and is enforceable.
In fact, a security policy can be very high-level and technology-neutral or detailed and technology-specific. A security policy can be categorised into three basic types:
The System-specific policy focuses on policy issues which management has decided for a specific system. It addresses only one system. The program-level policy and issue-specific policy both address policy from a broad level, usually encompassing the entire organisation.
The choice to develop a particular type of policy depends on your organisation's requirements. However, the most important thing is that policy sets the direction, and that it can be used as the basis for making other lower level decisions.
A Bird-eye View of the Development Cycle of a Security Policy
An I.T. security policy should cover the company's expectations of the proper use of its computer and network resources as well as the procedures to prevent and respond to security incidents. During the drafting of the policy, the company's own requirements on security should be considered. The drafting of the policy should consider the following aspects:
You may refer to IT Security Standards and Best Practices for some internationally recognised information security standards, guidelines and effective security practices.
Depending on the direction and parameters set out in the Security Policy, management and administration processes will need to be set up to support policy implementation.
These are the major management and administrative activities:
Assign Roles and Responsibilities
Development of an IT security policy requires active support and ongoing participation of individuals from multiple ranks and functional units. Thus, clear definitions and proper assignment of accountability and responsibility for securing the company's information and system assets is necessary and may involve the following roles depending on the business needs and environment:
Guidelines and Standards
Guidelines and standards are tools used to implement the security policy. Because a policy may be written at a broad level, it is essential to develop standards, guidelines and procedures to offer users, administrators, computer personnel and top management a clearer approach with regards to implementing the security policy and meeting their departmental goals.
Security Awareness and Training
Security Awareness is crucial to ensuring that all related parties understand the risks, and accept and adopt the good security practices. Training and education can provide users, developers, system administrators, security administrators and other related parties with the necessary skills and knowledge for implementation of security measures.
No policy is considered to have been implemented unless users or related parties have commitment and communication. This means users and related parties:
This refers to the task of enforcement of rights arising from implementation of the policy and redress for violations of those rights. The company should set up procedures to provide prompt assistance in investigative matters relating to breaches of security. Establishing a company incident management team and setting up a security incident handling procedure can improve the effectiveness of any enforcement policy.
On-going Involvement of All Parties
An effective security policy also relies on continuous exchange of information, consultation, co-ordination and co-operation among users and companies. Injection of knowledge on standards, methods, codes of practice and other expertise on IT security from all parties involved will also help to keep the security policy up-to-date and relevant.
Besides management and administrative processes, the implementation of a Security Policy might involve technological measures through selection and implementation of appropriate technologies and products. These technological measures should undergo proper testing before entering operation.