No matter what business or industry you’re in, odds are that you’ll be a target for hackers and cybercriminals at some point in time. According to recent statistics from Accenture, there are over 130 large, enterprise-scale targeted cybersecurity breaches per year. And that number is growing at a rapid rate of 27 percent per year.
That’s not to mention the cost of cyber incidents and attacks that enterprises incur year after year. The average cost of a malware attack to companies is $2.4 million, and it takes companies an average of 50 days to effectively address one. Avoiding cyber attacks, and the damage and costs associated with them, is why companies are wise to focus a significant portion of their IT budgets and resources on developing (and implementing) an Enterprise Information Security Policy (EISP).
With the threats to enterprise cybersecurity growing at such a rapid pace, companies are now designing an enterprise information security program policy that serves to both minimize risk and help achieve key business goals and objectives.
What is an EISP? And what are the specific elements of an enterprise security policy that’s in alignment with an organization’s overall vision and goals, but also provides concrete strategies and tactics to prevent (and respond to, if necessary) cyber incidents and attacks? Whether you’re deciding to implement an enterprise policy in cybersecurity for the first time, or update one that you already have, read on to find out how to improve your cybersecurity practices with our helpful guide to the elements you need to address.
1. Network Security
First and foremost, your enterprise security policy should cover all the critical elements necessary for assuring the protection of your IT networks and systems. The network security element to your policy should be focused on defining, analyzing, and monitoring the security of your network. It should serve to provide a strong cybersecurity posture, as well as seek to address potential gaps that would-be hackers might seek to exploit.
Your network security architecture and policy should cover all of these main areas:
- Vulnerability Scanning
- Patch Management
- Updated Security Applications (firewalls, proxies, antivirus software, etc.)
- Network Architecture Design (and review)
- Endpoint Controls & Analysis
Your policy should reflect that network security is a shared responsibility, from executive leadership and your IT team, all the way down to rank and file employees. Leave it to your security and IT team to define the technical policies and procedures that should be followed with regards to network security, and make sure to work with managerial and executive personnel to ensure the right business practices are outlined to minimize the risk of your network security being breached.
2. Application Security
The next element, application security, is generally designed to thwart risks that arise out of application-based vulnerabilities. This could be anything from a third-party cloud-based application to internally developed and operated ones. Your policy needs to define strategies to address risks associated with any application that could potentially be exploited, with every application in your enterprise categorized based on how critical it is (and how sensitive the data it contains is).
These classifications help your cyber security and IT teams make informed decisions about what types of controls and protections are required for each application; those decisions are then written into the policy. The application security element should include some (if not all) of the following:
- Application Structure Review
- System Development Lifecycle
- Penetration Testing
- Source Code Review
- Patch Management
Typically, your information security team will be the main people focusing on the application security portion of your policy. Make sure to involve all relevant technical cybersecurity staff from the beginning of any application design, development, or implementation lifecycle. This helps them understand the potential weak points in any application that could be a target, and write the proper best practices into your policy to plug any gaps.
3. Risk Management
This third element comprises a set of activities aimed at lowering the level of cyber-attack risk to what your enterprise deems to be an “acceptable level.” What that is will depend on the nature of your business, systems, and data, and it’s best to work with a trusted cybersecurity partner to understand the basics of cyber risk management and determine what “acceptable risk” means in your unique circumstance.
The risk management portion of your EISP will affect many other areas of the policy, and is typically conducted in the following four steps (usually in conjunction with your cybersecurity partner):
- Risk Assessment: All risks within the scope of your EISP are identified, taking into account your organization’s culture and technical systems. This is where a partner will normally help you perform a Gap Analysis.
- Risk Analysis: Next, risks in your policy are prioritized based on impact, likelihood, and potential cost. This can be done on a qualitative, quantitative, or hybrid basis with the goal of performing a cost-benefit analysis for potential security measures.
- Risk Treatment: Based on the results of the previous two steps, you’ll outline the concrete steps of how to treat (and minimize) those risks. Your policy should state how each risk will be mitigated, transferred, or accepted based on your analysis.
- Risk Monitoring: In this final phase, controls are continually monitored for changes in risk levels or new deficiencies or weaknesses that may rise to the surface over time. Have metrics reporting in place, in addition to periodic auditing, so that your risk level is constantly adjusted to the appropriate level.
4. Compliance Management
Every enterprise has a set of compliance requirements to meet based on the industry they operate in. This could be frameworks like HIPAA for healthcare, PCI-DSS for the financial industry, or GDPR for those operating in Europe. These requirements typically include legal, regulatory, and certification requirements that need to be addressed in your EISP. Legal requirements also include contractual requirements. Your policy needs to identify all legal requirements and outline a program that meets all of those needs. Compliance, in fact, should be treated as another form of risk in your policy. Compliance management is usually done by your legal team, who will need to reach out to (and work with) IT and security teams to make sure all compliance-related policies are in alignment with what’s legally required.
Failure to properly address compliance in your EISP could have severe consequences, including litigation and/or investigation from regulators. Shortcomings might also result in stiff fines, litigation fees, not to mention the damage to your reputation as an organization that seeks to take shortcuts as it relates to regulatory compliance.
5. Disaster Recovery
Disaster recovery, also sometimes referred to as Business Continuity Planning (BCP), deals with how you’ll handle a successful breach or attack. You’ll need to work with your cybersecurity partner to outline how a Business Impact Assessment (BIA) should take place after a security incident, measuring things like downtime and data loss during (and after) a disaster scenario.
Your policy should spell out concrete metrics and objectives for how long it should take to recover the system, as well as identify what that single point of failure was that allowed the attack to take place. Once those are pinpointed, your policy will outline recovery strategies and tactics that will meet those goals. You should include things like recovery procedures, call trees, action triggering criteria, and scope of action for each employee role to ensure your systems and/or data are recovered as quickly as possible post-breach.
These BCM activities are often done by a team that reports to the chief technology officer (CTO), chief risk officer (CRO) or directly to the CEO of the organization. Your information security team, however, will also support BCM activities within the organization since they’re a critical stakeholder in any EISP.
6. Physical Security
The physical & environmental security element of an EISP is crucial to protect the assets of the organization from physical threats. This includes things like computers, facilities, media, people, and paper/physical data. Controls typically outlined in this respect are:
- Fire extinguishers
- Water sprinklers
- Smoke detectors
- Building management systems (BMS)
- Physical locks
- Security guards
- Adequate lighting
- Access control cards issued to employees
All physical spaces within your organization must be classified based on the information they hold, and controls should be deployed based on the criticality and sensitivity of each area. For example, your policy might state that visitors only be allowed in designated spaces, or that admin staff doesn’t have keys to file cabinets with highly sensitive, cybersecurity-related information.
Areas holding the most critical data should require multiple forms of authentication per your EISP. This could be anything from a designated personal PIN to biometrics. No matter what physical security measures you and your security partner deem to be appropriate, make sure these controls are regularly measured and tested to verify employee compliance and readiness.
7. Identity & Access Management
Another important element of your policy should be the ways you’ll identify employees that have access to certain critical systems and data within your organization (i.e., identity and access management). This could be the combination of any number of things, including name, age, employee ID number, biometric data or any other forms of personally identifiable information (PII) that you deem appropriate when drafting your policy along with your cybersecurity partner. This can be in addition to the usernames and passwords that personnel typically require in order to access systems and data.
Moreover, you need to figure out which employee roles will have access to which types of information. This can be based on key principles such as least privilege, need-to-know, and critical business function. Each role should have its access clearly outlined in your policy, with the best possible levels of security implemented so that the wrong people don’t accidentally (or purposefully) go into systems that they shouldn’t.
You and your partner should spell out in your EISP processes for annual reviews, as well as procedures in the event that the wrong people gain access to systems or data they shouldn’t. Generally, events of unauthorized access should be reported immediately to key stakeholders in your information security team, with the policy spelling out consequences for users that intentionally do so.
8. Incident Management
Of course, no EISP is complete without documentation of how you’ll immediately respond to a cyber breach or incident. You’ll want to designate which key employees will be part of your incident management team (IMT), which will assess the technical and business impact of a breach, as well as take action for containment, elimination, and remediation.
An extension of risk management, your incident management policy focuses on limiting the damage of a breach, as well as reducing the risk of similar ones in the future. For most organizations, the EISP incident management and response policy will encompass the following six steps:
- Incident Detection & Identification
- Triage & Incident Analysis
- Threat Containment
- Incident Resolution
- Root Cause Analysis
- Incident Reporting
Your incident response policy should serve to develop security controls, people, processes, and technologies that facilitate this six-step process as quickly and effectively as possible. In addition to internal staff, your incident response plan may include third-party partners, cyber forensic experts, virtual teams, and any others you deem appropriate. Your budget, for example, may dictate that it’s more cost effective to outsource certain steps to vendors or service providers. In this respect, a well-developed incident management policy will not only help address a threat quickly but do so in a cost-effective manner.
9. Training & Awareness
Finally, ongoing training and awareness is perhaps the most critical element of your EISP. Oftentimes it’s not your systems or technology that prove to be the weakest link, but people themselves. That’s why your policy should carefully outline an ongoing training and security awareness program and its structure, tailored to each role and employee profile within your organization. This is where it’s important to work with your cybersecurity partner to develop the modes of training that best suit your personnel.
Your training policy might consist of classroom sessions, quizzes, online training, workshops, simulated “fire drills,” and many other tactics that can be leveraged. Moreover, how you onboard new employees, gauging their initial awareness and filling in any gaps, needs to be in your EISP. Also, make sure that training and awareness are part of your employee evaluation policies and standards, so there’s an incentive for people to follow through with what they’ve been trained on. Security team members should have goals related to training completion and/or certification, with metrics of comprehensive security awareness being continually evaluated.
Your enterprise information security policy is the most important internal document that your company will have from a cybersecurity standpoint. Any good one will contain, and continually address, all nine elements outlined above. From network and application security to incident management and ongoing training, don’t forget that your EISP is a “living document” that should be constantly reviewed, revisited, and revised in conjunction with a trusted cybersecurity partner.