Every company should have a security policy in place, but what kind of information goes into an information security standards checklist? Read on to find out.
Before you can really evaluate your security posture, you’ve got to see if you have an adequate security policy. If you don’t have a security policy in place, now is the time to start writing one. The complexity of your organization’s security policy will likely depend on the type of business you do. If you process credit cards, you’ll be held accountable to the PCI Data Security Standard (PCI DSS), a fairly strict set of requirements maintained by the PCI Security Standards Council. On the other hand, if you’re a manufacturer of scratch and sniff stickers, your security standards may not need to be as stringent (maybe they will be – what do I know about scratch and sniff?). In any case, if you’ve got a computer network – no matter if it’s a handful of workstations or thousands of machines – you should still have a security policy in place.
You can find some great policy templates and examples on the SANS (SysAdmin, Audit, Network, Security) Institute website.
Below is a brief list of "basic" security requirements most any business should have. This should help you get started in writing your overarching policy.
Getting Started - What to Include in a Security Policy
Passwords are at least 8 characters in length (longer is better; length does more for resistance to guessing than complexity rules do)
Mix of upper-case and lower-case letters, numbers and symbols
No dictionary words or names, including obvious substitutions such as "P@ssw0rd"
Forced password changes on a set schedule (6 months or less), or, if you follow current NIST SP 800-63B guidance, a change whenever there is evidence of compromise rather than on a calendar
Passwords for core infrastructure will be unique for each device/system, so that one compromised switch or server does not hand an attacker the rest
Passwords are not shared amongst users
Restrict access to company resources based on least privilege need – if someone only needs read access, don’t give them write access to a resource
All assets and resources are properly password protected
User accounts are not shared amongst users
Only corporate assets are allowed on the network
Guest access will be limited to an isolated guest network segment (a DMZ or dedicated VLAN) with no access to corporate resources
Unused switch ports will be administratively disabled so that an unauthorized device plugged into a spare wall jack gets no link
Locations with critical data or assets such as servers, financial or other confidential or proprietary information shall be physically secured by key or card access
Only authorized personnel will have access to secure physical locations
Web surfing will be limited to business purposes only
Email will be limited to business purposes only
Wireless access points are not to be set up unless authorized by corporate IT
Strong wireless security will be used at all times on corporate access points: WPA2 with AES-CCMP encryption, or WPA2-Enterprise (802.1X) where per-user authentication is needed, and WPA3 where the hardware supports it; WEP and WPA with TKIP are not permitted
Where WPA2-Personal is used, the pre-shared key will be long and randomly generated rather than a word or phrase that can be guessed
Security software will be installed and maintained by corporate IT including antivirus and anti-malware software
Security software must remain installed and running at all times
Operating systems and applications will be patched on a defined schedule, and critical security fixes will be applied promptly rather than waiting for the next cycle
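Several of the password items above ("no dictionary words or names", "unique for each device/system", "not shared amongst users") are only meaningful if someone actually checks them. As an added example, not code from the original article or from SANS, here is a small Python checker that enforces the listed rules and flags passwords reused across a set of accounts or devices. The word list, name list and the substitution table are constructed stand-ins for a real dictionary file; the credentials in the usage section are made up.

```python
"""Password-policy checker for the checklist above (added example).

The dictionary, name list and leet-substitution table are small constructed
stand-ins; in practice load a real wordlist such as /usr/share/dict/words.
"""
import re

MIN_LENGTH = 8

# Constructed stand-in for a dictionary/name list (assumption: a real deployment
# would load a far larger list from disk).
DICTIONARY = {"password", "welcome", "summer", "dragon", "admin", "company"}
NAMES = {"alice", "bob", "smith"}

# Common letter-for-symbol substitutions that do not add real strength
# ("P@ssw0rd" is still "password"). Minimal set; an assumption for this example.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

# Required character classes from the checklist.
CHARACTER_CLASSES = [
    ("upper-case letter", r"[A-Z]"),
    ("lower-case letter", r"[a-z]"),
    ("digit", r"[0-9]"),
    ("symbol", r"[^A-Za-z0-9]"),
]


def _normalize(password):
    """Lower-case and undo leet substitutions so dictionary matching is not fooled."""
    return password.lower().translate(LEET)


def contains_dictionary_word(password, min_len=4):
    """Return the first dictionary word or name found inside the password, else None.

    Words shorter than min_len are ignored to avoid false positives on
    incidental letter pairs. Iteration is sorted so the result is deterministic.
    """
    base = _normalize(password)
    for word in sorted(DICTIONARY | NAMES):
        if len(word) >= min_len and word in base:
            return word
    return None


def check_password(password):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES:
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    word = contains_dictionary_word(password)
    if word:
        problems.append(f"contains dictionary word or name '{word}'")
    return problems


def find_reused(credentials):
    """Map each password used more than once to the sorted identifiers sharing it.

    `credentials` is {identifier: password}. The same check covers both
    "unique per device/system" (identifiers are device names) and
    "not shared amongst users" (identifiers are user names).
    """
    by_password = {}
    for ident, password in credentials.items():
        by_password.setdefault(password, []).append(ident)
    return {pw: sorted(ids) for pw, ids in by_password.items() if len(ids) > 1}


if __name__ == "__main__":
    # Constructed sample input; not real credentials.
    for candidate in ["P@ssw0rd1!", "short", "xQ7#vLp9!mZ2"]:
        print(candidate, "->", check_password(candidate) or "OK")
    sample_devices = {"core-sw-01": "Xy#1aaaa", "core-sw-02": "Xy#1aaaa", "fw-01": "Zz!9bbbb"}
    print("reused:", find_reused(sample_devices))
```

Running the block prints one line per candidate and then the reuse report; "P@ssw0rd1!" passes every character-class rule yet is rejected because the normalized form contains "password", which is the point of normalizing before the dictionary check. In a real audit you would feed `find_reused` the password hashes from your device inventory rather than plaintext.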
Other things to include in your policy
Responsibility – who is responsible for what? Does IT enforce policy or create and enforce policy? Do you have a separate security group that will handle security incidents? How is HR involved?
Security incidents – how will incidents be handled? Will the same process be used for handling a virus outbreak versus an intrusion?
There are so many things you could include in a policy - it's not possible to list them all here. There are some good books on this subject and as I pointed out before, the SANS Institute is a great starting place to get templates and ideas for writing your security policy.