Before you can really evaluate your security posture, you’ve got to see if you have an adequate security policy. If you don’t have a security policy in place, now is the time to start writing one. The complexity of your organization’s security policy will likely depend on the type of business you do. If you process credit cards, you’ll be held accountable to some pretty strict standards set by the PCI Security Standards Council. On the other hand, if you’re a manufacturer of scratch and sniff stickers, your security standards may not need to be as stringent (maybe they will be – what do I know about scratch and sniff?). In any case, if you’ve got a computer network – no matter if it’s a handful of workstations or thousands of machines – you should still have a security policy in place.
You can find some great policy examples on the SANS (SysAdmin, Audit, Network, Security) Institute website.
Below is a brief list of “basic” security requirements most any business should have. This should help you get started in writing your overarching policy.
Getting Started - What to Include in a Security Policy
- 8+ characters in length
- Mix of upper/lower case letters, numbers and symbols
- No dictionary words or names
- Forced password changes on set schedule (6 months or less)
- Passwords for core infrastructure will be unique for each device/system
- Passwords are not shared amongst users
- Restrict access to company resources based on least privilege need – if someone only needs read access, don’t give them write access to a resource
- All assets and resources are properly password protected
- User accounts are not shared amongst users
- Only corporate assets are allowed on the network
- Guest access will be limited to a DMZ with no access to corporate resources
- Unused data ports will be disabled
- Locations with critical data or assets such as servers, financial or other confidential or proprietary information shall be physically secured by key or card access
- Only authorized personnel will have access to secure physical locations
- Web surfing will be limited to business purposes only
- Email will be limited to business purposes only
- Wireless access points are not to be set up unless authorized by corporate IT
- Strong encryption methods (WPA2, WPA2 Enterprise) will be used at all times on corporate access points
- Strong WPA keys will be used
- Security software will be installed and maintained by corporate IT including antivirus and anti-malware software
- Security software must remain installed and running at all times
- Computers will be patched on a regular basis in order to obtain security fixes
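As an added example (not code from the original post), here is a small Python check that enforces the password rules from the list above: minimum length, character mix, no dictionary words or names, and a maximum password age. The banned-word list and the 180-day limit are constructed assumptions standing in for a real dictionary file and whatever schedule your policy sets.

```python
import string
from datetime import date

# Constructed sample word list standing in for a real dictionary/name file
# (assumption: a production check would load a full word list from disk).
BANNED_WORDS = {"password", "welcome", "summer", "company", "admin", "alice", "bob"}

MIN_LENGTH = 8
MAX_AGE_DAYS = 180  # "6 months or less" from the policy above (assumed value)

# Common letter-for-symbol substitutions to undo before the dictionary check,
# so "P@ssw0rd" is still recognised as containing "password".
LEET_MAP = str.maketrans("@01$3!", "aolsei")


def check_password(candidate, banned_words=BANNED_WORDS):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    # Dictionary/name rule: reject any banned word embedded in the password,
    # ignoring case and simple substitutions. Very short words are skipped
    # because they would match almost anything.
    normalized = candidate.lower().translate(LEET_MAP)
    for word in sorted(banned_words):
        if len(word) >= 4 and word in normalized:
            problems.append(f"contains dictionary word or name '{word}'")
            break
    return problems


def password_expired(last_changed, today):
    """True when the password is older than the policy's maximum age."""
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "short", "Tr7&xqLm!v2"):
        print(pw, "->", check_password(pw) or "OK")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 7, 15)))
```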
Other things to include in your policy
- Responsibility – who is responsible for what? Does IT enforce policy or create and enforce policy? Do you have a separate security group that will handle security incidents? How is HR involved?
- Security incidents – how will incidents be handled? Will the same process be used for handling a virus outbreak versus an intrusion?
There are so many things you could include in a policy - it’s not possible to list them all here. There are some good books on this subject and as I pointed out before, the SANS Institute is a great starting place to get templates and ideas for writing your security policy.