Information security policy is an important topic that is often not discussed at all, for a number of reasons. Organizations often find that after they create and implement their Enterprise Information Security Policy (EISP), they put it on the back burner until it is time to update it for compliance purposes. This shouldn't be the case.
Ponemon detailed in a 2018 report that a single ransomware attack costs companies an average of roughly $5 million, with $1.25 million attributed to system downtime and another $1.5 million to IT and end-user productivity loss. Ransomware can arrive in many ways, but an organization that is collectively on the same page about security is better placed to protect the critical information on its network while continuing to grow. Let's discuss how to write a comprehensive, yet easy to understand, EISP that can be regularly updated as your company continues to scale.
Organizational Need for IT security
According to the 2018 IDG Security Priorities Study, 69% of companies see compliance mandates driving security spending. Compliance may be the trigger, but the benefit comes from an integrated security framework woven into every aspect of the evolving network: unified policy creation, centralized orchestration, and consistent enforcement, which bring about positive changes in the organization as a whole.
Enterprise Information Security Policy (EISP)
In short, an Enterprise Information Security Policy (EISP) details what a company’s philosophy is on security and helps to set the direction, scope, and tone for all of an organization’s security efforts. This type of management-level document is usually written by the company’s Chief Executive Officer (CEO) or Chief Information Officer (CIO) or someone serving in that capacity. When completed, the EISP will be used as a roadmap for the development of future security programs, setting the tone for how the company handles specific security matters.
The EISP explains how the organization believes its security program should be structured: which roles and responsibilities exist in the company's security function, and how they work together to keep key information safe from intrusion. The document should also identify the foundational principles of an effective security policy and set the required security levels through supporting standards and guidelines. Finally, the EISP must assign the appropriate responsibilities to the applicable organizational components so that the security program is actually carried out.
Unlike the lower-level security policies, standards and procedures that change frequently, the key elements of an EISP will usually not change much once it has been completed. An EISP is typically revised only when the strategic direction of the organization changes, although it should still be reviewed on a fixed schedule so that it does not drift away from how the organization actually operates.
Statement of Purpose
Stating the security goals of the organization explicitly within the EISP lets the company tie its mission statement and objectives into its functional structure in a way that furthers the organization's purpose. The language of the statement of purpose should be crafted so that executives and employees alike can read it and agree with it.
The statement of purpose needs to be stated generically, but still pointedly enough that the people accountable for a task know that a specific approval process applies to it. The purpose should also convey that the organization maintains a culture driven by self-discipline, attention to detail, self-inspection, and motivation. This security stance shapes the security philosophy of the organization's IT environment, which in turn directly supports its mission and value statements.
The intended use of an EISP will vary from one company to another based on the purpose of the organization itself. A hospital that handles a large amount of Protected Health Information (PHI) in electronic form may specify in its EISP that its goals are focused on safeguarding PHI against unauthorized access or accidental disclosure. Stating these goals in the EISP protects the reputation of the company with respect to its ethical and legal responsibilities.
For example, the security policy of a company that deals exclusively with the public will have a different approach to legal compliance via their EISP than that of a government organization that handles sensitive and/or classified information. The EISP must address the appropriate use of penalties and disciplinary actions based on the legal compliance requirements that its organization must adhere to. These legal compliance policies help to guide the development of procedures and guidelines that can resolve the question of what should be done in a specific scenario and who would then take responsibility for it.
Organizations should strive to compose well-defined security and strategy objectives within their EISP that the entire organization is willing to implement. Keeping these objectives simple and easy to understand helps resolve the differences individuals may have about them and makes it far easier to reach consensus among security management staff, so that the organization is in a good position to implement the plan successfully.
EISP objectives should never use ambiguous expressions that cause confusion and detract from the goals the executive team has set. They should use direct language and avoid redundant wording; redundancy makes the objectives long-winded and out of step with the company's main security framework.
Formulating the EISP objectives requires the executive team to look inward at the goals of the organization from a high level to ensure continued Confidentiality, Integrity, and Availability:
- Confidentiality – this objective calls for the organization to protect information from unauthorized access and disclosure. Access controls and encryption are the first line; safeguards that increase the chance of catching an intruder through ongoing monitoring, testing, and training are also key.
- Integrity – this objective calls for the protection of policies, processes, systems, and data from intentional or accidental unauthorized modification. Both system vulnerabilities and human error threaten integrity, which is why safeguards that protect against loss of integrity (change control, logging, and verification of data and software) are so important.
- Availability – this objective calls for timely and reliable access to, and use of, information, no matter what is currently affecting the world around the organization. This includes threats such as natural disasters, hardware failures, programming errors, human errors, distributed denial of service (DDoS) attacks, and malicious code. Organizations must implement safeguards that address availability, including incident response preparedness and disaster recovery planning, so that they are ready when the time comes.
Authority & Access Control Policy
EISPs typically adhere to a hierarchical, tiered structure that ensures lower-tier employees are given access only to the information that pertains to their role unless otherwise specified. An EISP must specify which executives or technology groups responsible for data handling are permitted to move or copy data between systems and media of any kind. This ensures that only those people hold the authority to decide what data can be shared and with whom.
This hierarchy-based delegation of control means that the highest member of the access hierarchy (usually the CIO or CEO) holds authority over the project files of the groups they are appointed to, whereas the systems administrator has authority solely over the system files; authority over the platform does not imply authority over the business data stored on it. The hierarchy should also be structured to grant access on a "need-to-know" basis for particularly sensitive information, rather than purely by rank.
Physical and digital access to an organization's network and servers should be configured through unique logins that require authentication by password, biometrics, ID card, or token, and preferably more than one of these for privileged accounts and access to the most sensitive data. Executives must find the right balance in the access control policies of the EISP so that those who need the data to do their jobs are not denied access when the time comes. Data owners and custodians must add further safeguards, in particular monitoring of both successful and failed login attempts for accounts with elevated access, so that enterprise data remains protected at all times.
Classification of Data
Data classification helps companies to categorize their data in a way that conveys the confidentiality, integrity, and availability of the information. An EISP data classification policy may arrange the entire set of information as follows:
| Classification | Definition |
| --- | --- |
| Restricted Data | Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the organization or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected by confidentiality agreements. The highest level of security controls should be applied to Restricted data. |
| Private Data | Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the organization or its affiliates. By default, all institutional data that is not explicitly classified as Restricted or Public should be treated as Private data. A reasonable level of security controls should be applied to Private data. |
| Public Data | Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the organization and its affiliates. Examples of Public data include press releases, course information and research publications. While little or no control is required to protect the confidentiality of Public data, some level of control is still required to prevent unauthorized modification or destruction of it. |
Data classification policies help companies understand which data may be used by whom, in which scenarios, and where the authorized sources of that data are located. Implementing a data classification policy lets the organization categorize and protect its critical, sensitive, and classified data efficiently; the classification is only useful if it is paired with handling rules (labeling, storage, transmission, and disposal) for each level. Without these controls, sensitive data may end up in the wrong hands, causing financial loss and damaging the organization's reputation with customers and vendors.
Developing a data classification policy will inherently serve as the foundation of your organization’s effective security measures. Having an ironclad data classification policy in your organization’s EISP can aid you in meeting regulatory compliance obligations as well as industry best practices and customer expectations which can help sustain InfoSec operations well into the future.
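As an added example (not code from the original article), the following Python models the two enforcement points the previous sections describe: the hierarchical, need-to-know access check with the "unclassified data defaults to Private" rule, and a detector for bursts of failed logins of the kind the access control section says data custodians should monitor. The asset names, roles, users, thresholds and authentication events are constructed assumptions for illustration.

```python
# Added example, not part of the original article: a small model of the
# hierarchical, need-to-know access check and default-to-Private classification
# rule described above, plus a detector for bursts of failed logins. All asset
# names, roles, users, thresholds and log events are constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 0
    PRIVATE = 1
    RESTRICTED = 2


# Assumed data catalogue. Anything not listed defaults to PRIVATE, mirroring the
# "treat unclassified institutional data as Private" rule in the table.
ASSET_CLASSIFICATION = {
    "press_release_2024.pdf": Classification.PUBLIC,
    "quarterly_forecast.xlsx": Classification.PRIVATE,
    "patient_records.db": Classification.RESTRICTED,
}

# Assumed role ceilings: the highest classification a role may ever touch.
# The sysadmin deliberately stops at PRIVATE: authority over system files does
# not imply authority over Restricted business data.
ROLE_CLEARANCE = {
    "cio": Classification.RESTRICTED,
    "sysadmin": Classification.PRIVATE,
    "analyst": Classification.PRIVATE,
    "intern": Classification.PUBLIC,
}

# Need-to-know: Restricted assets also require an explicit per-user grant.
NEED_TO_KNOW = {
    "patient_records.db": {"cio_alice", "dr_lee"},
}


def classify(asset: str) -> Classification:
    """Look up an asset's classification, defaulting to PRIVATE."""
    return ASSET_CLASSIFICATION.get(asset, Classification.PRIVATE)


def is_authorized(user: str, role: str, asset: str, write: bool = False) -> bool:
    """Hierarchical clearance check, then need-to-know, then write control."""
    level = classify(asset)
    # Unknown roles get the least privilege rather than a permissive default.
    clearance = ROLE_CLEARANCE.get(role, Classification.PUBLIC)
    if level > clearance:
        return False
    if level == Classification.RESTRICTED and user not in NEED_TO_KNOW.get(asset, set()):
        return False
    # Public data is readable by anyone, but the table still calls for a control
    # against unauthorized modification: writes need at least PRIVATE clearance.
    if write and clearance < Classification.PRIVATE:
        return False
    return True


# Constructed authentication events (timestamp, user, source IP, outcome);
# these are sample data, not real logs.
AUTH_EVENTS = [
    ("2024-05-01T08:00:00", "dave", "10.0.0.9", "FAIL"),
    ("2024-05-01T08:30:00", "dave", "10.0.0.9", "FAIL"),
    ("2024-05-01T09:00:00", "dave", "10.0.0.9", "FAIL"),
    ("2024-05-01T09:00:01", "bob", "10.0.0.5", "FAIL"),
    ("2024-05-01T09:00:30", "bob", "10.0.0.5", "FAIL"),
    ("2024-05-01T09:01:10", "bob", "10.0.0.5", "FAIL"),
    ("2024-05-01T09:02:00", "bob", "10.0.0.5", "FAIL"),
    ("2024-05-01T09:03:45", "bob", "10.0.0.5", "FAIL"),
    ("2024-05-01T09:04:00", "bob", "10.0.0.5", "OK"),
    ("2024-05-01T09:10:00", "carol", "10.0.0.7", "FAIL"),
    ("2024-05-01T09:11:00", "carol", "10.0.0.7", "FAIL"),
    ("2024-05-01T09:12:00", "carol", "10.0.0.7", "OK"),
    ("2024-05-01T09:30:00", "dave", "10.0.0.9", "FAIL"),
    ("2024-05-01T10:00:00", "dave", "10.0.0.9", "FAIL"),
]


def failed_login_bursts(events, threshold=5, window_minutes=10):
    """Return {user: peak failures} for users with at least `threshold` failed
    logins inside any sliding window of `window_minutes`. Slow, spread-out
    failures (dave) stay below the threshold; a tight burst (bob) is flagged."""
    failures = defaultdict(list)
    for ts, user, _src, outcome in events:
        if outcome == "FAIL":
            failures[user].append(datetime.fromisoformat(ts))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print(is_authorized("analyst_sam", "analyst", "patient_records.db"))  # False
    print(is_authorized("cio_alice", "cio", "patient_records.db"))        # True
    print(failed_login_bursts(AUTH_EVENTS))                               # {'bob': 5}
```

The two checks are deliberately separate: clearance answers "may this role ever see this level of data", need-to-know answers "does this particular person need this particular asset", and a CIO without a grant on the patient database is refused just like an analyst. The sliding window in the login detector is what keeps a slow, spread-out set of failures from being reported as an attack while still catching a burst from one account.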
Training & Awareness
Regular cybersecurity awareness training sessions should be outlined within the EISP to build up employees' InfoSec knowledge. These sessions should give employees a high-level (yet digestible) overview of the procedures and mechanisms in place to protect the data. Employees should also know the reporting hierarchy, so that when an InfoSec scenario occurs that requires attention from the highest level of executives, they know whom to turn to.
These sessions should also cover vital topics such as data and records handling, to preserve the confidentiality and privacy of sensitive information. If your organization is customer facing, or allows employees to use their own devices (BYOD) for work communication, the sessions should also cover the correct use of company resources away from the office. After each session, make sure every employee reads and signs an acknowledgement that they understand any new policies and procedures, rather than passively completing the course because their job requires it.
Developing a focused EISP for your organization will allow employees and executives of all levels to share and correlate information fluidly between them and participate in a coordinated threat response when the time comes. Organizations seeking to coordinate this level of collaboration for InfoSec tasks maintain a high level of clarity for their objectives, understand their data classification structure, and define the applicable IT best practices needed to develop an EISP. Following the formulation of the EISP, the company must maintain InfoSec policies via focused training and a security awareness program to continue to optimize their organizational efficiencies and safely sustain their level of productivity in the future.