Editor's note: This article, originally published on May 26, 2016, has been updated to more accurately reflect recent trends.
To say the world has changed a lot over the past year would be a bit of an understatement. From a cybersecurity standpoint, the changes have been significant—in large part because many people continue to work from remote locations or alternate between home offices and corporate facilities. Organisations are also using more cloud services and are engaged in more e-commerce activities.
All this change means it’s time for enterprises to update their IT policies, to help ensure security. Here are some of the more important IT policies to have in place, according to cybersecurity experts.
An acceptable use policy outlines what an organisation determines as acceptable use of its assets and data, and even behavior as it relates to, affects, and reflects the organisation. “The acceptable use policy is the cornerstone of all IT policies,” says Mark Liggett, CEO of Liggett Consulting and a longtime IT and cybersecurity expert. “This policy explains for everyone what is expected while using company computing assets.”
Such a policy provides a baseline that all users must follow as part of their employment, Liggett says. “If you have no other computer-related policy in your organisation, have this one,” he says.
By providing end users with guidance for what to do and limitations on how to do things, an organisation reduces risk by way of the user’s actions, says Zaira Pirzada, a principal at research firm Gartner.
A data classification policy is one of the most critical components of an information security program, yet it is often overlooked, says Pirzada. “Without good, consistent classification of data, organisations are unable to answer important questions like what their data is worth, how they mitigate risks to their data, and how they effectively monitor and manage its governance,” he says.
Business decision makers, who are now distributed across organisations and beyond the traditional network perimeter, need guidance from IT on how to make informed risk decisions when transacting, sharing, and using sensitive data. To provide that, security and risk management leaders would benefit from the creation of a data classification policy and accompanying standards or guidelines. “Together, they provide both the compass and the path towards the secure use, storage, treatment, and transaction of data,” Pirzada says.
Having a clear and effective remote access policy has become exceedingly important. As many organisations shift to a hybrid work environment or continue supporting work-from-home arrangements, this will not change. “A remote access policy defines an organisation’s information security principles and requirements for connecting to its network from any endpoint,” including mobile phones, laptops, desktops and tablets, Pirzada says.
The purpose of such a policy is to minimise risks that might result from unauthorised use of company assets from outside its bounds. “Those risks include the damage, loss, or misuse of sensitive data and/or systems, of which the repercussions are significant,” Pirzada says.
How should an organisation respond to an incident such as a data breach, hack, malware attack, or other activity that presents risk? The answer could mean the difference between experiencing a minor event or suffering a catastrophic blow to the business.
“Accidents, breaches, policy violations; these are common occurrences today,” Pirzada says. “An incident response policy is necessary to ensure that an organisation is prepared to respond to cyber security incidents so as to protect the organisation’s systems and data, and prevent disruption.”
A policy ensures that an incident is handled systematically by providing guidance on how to minimise loss and destruction, resolve weaknesses, restore services, and put preventive measures in place to address future incidents, Pirzada says. “This policy should detail the required controls for incident handling, reporting, monitoring, training, testing and assistance in addressing incident response,” he says.
The incident response plan is a live document that needs review and adjustments on an annual basis, if not more often, Liggett says. It should detail the roles and responsibilities in case of an incident and define levels of an event and actions that follow, including the formal declaration of an incident, he says.
The plan brings together company stakeholders including human resources, legal counsel, public relations, management, and insurance, Liggett says. “This understanding of steps and actions needed in an incident reduces errors that occur when managing an incident.” The plan also feeds directly into a disaster recovery plan and business continuity, he says.
Disaster recovery/business continuity
The disaster recovery and business continuity plan (DR/BC) is one of the most important plans an organisation needs to have, Liggett says. As with incident response, these plans are live documents that need review and adjustments “on an annual basis if not more often,” he says. “These plans should include the routine practice of restoration and recovery.”
The plans also are crucial as they outline orchestration of multiple events, responsibilities, and accountability in a time of crisis, Liggett says. “One of the main reasons companies go out of business after a disaster is a failure of the recovery and continuity plans.”
A third-party security policy contains the requirements for how organisations conduct their third-party information security due diligence. “Third-party risk policy and procedures continue to grow in importance, with higher levels of collaboration outside of the organisation and the increased risk it may bring to systems,” says Pete Lindstrom, vice president of security strategies at International Data Corp. (IDC).
The purpose of this policy is “to gain assurance that an organisation’s information, systems, services, and stakeholders are protected within their risk appetite,” Pirzada says. “The importance of this policy stems from the now common use of third-party suppliers and services.”
These include cloud services and managed service providers that support business-critical projects. “These relationships carry inherent and residual security risks,” Pirzada says. “A third party may have access to critical systems or information, which necessitates controls and mitigation processes to minimise those risks.”
Companies are more than ever connected by sharing data and workstreams with their suppliers and vendors, Liggett says. “The need for this policy should be easily understood and assures how data is treated and protected while at rest and in transit,” he says. The policy should feature statements regarding encryption for data at rest and using secure communication protocols for data in transmission.
It might not be something people would think about including on an IT policy list, especially during a pandemic, but knowing how to properly and securely use technology while traveling abroad is important. “The state of Colorado is creating an international travel policy that will outline what requirements must be met, for those state employees who are traveling internationally and plan to work during some part of their trip,” says Deborah Blyth, CISO for the state.
“This policy will include things such as getting the travel pre-approved by the individual's leadership, information on which international locations they plan to visit, and a determination and direction on whether specialised hardware may need to be issued to accommodate that travel,” Blyth says.
For instance, “for some countries where the device being copied or malware being installed is a high-risk threat, the state will likely issue a loaner device, which will have no state data to begin with, and will be wiped immediately upon return,” Blyth says.