An information security policy is a document created to guide behaviour with regard to the security of an organization’s data, assets, systems, etc. The security policy defines the rules of operation, standards, and guidelines for permitted functionality. This plays an extremely important role in an organization’s overall security posture. Information security policies should reflect the risk evaluation of management and therefore serve to establish an associated security mindset within an organization.
According to the 2018 Global Threat Report from the Thales Group, 74% of respondents in a survey of 1,200 organizations feel adherence to compliance requirements is either “very” effective or “extremely” effective. The SANS Institute, which is one of the top information security research and education organizations, refers to “policy”, “standard”, and “guideline” as the terms and documents that are typically incorporated into a security policy’s criteria; they are defined below.
- A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use” policy would cover the rules and regulations for appropriate use of the computing facilities.
- A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows 8.1 workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows 8.1 workstation on an external network segment. In addition, a standard can be a technology selection, e.g. Company Name uses Tenable SecurityCenter for continuous monitoring, and supporting policies and procedures define how it is used.
- A guideline is typically a collection of system-specific or procedural-specific “suggestions” for best practice. They are not required to be met, but are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization.
Have you had a practical test of your Security Policy?
Many studies have shown that employees’ and outsourced contractors’ lack of security awareness has posed an increased cyber-risk to their organizations. The variety of staff and roles necessary within an organization for the business to function effectively can make it difficult to implement security in the areas which require it the most. In most cases the business needs of an organization depend on an uninhibited flow of communication, while its security requirements call for a far more restrictive approach. An overly restrictive approach to security weighs the business down, but an overly relaxed one puts the company at risk.
The relationship between business, staff and security can become complex and difficult to manage in a way that leaves all parties involved content. As security professionals, we always believe there is an art to implementing a truly effective security policy. Often, creating a policy that staff find too difficult to follow will lead them to find ways to circumvent the rules, thus defeating the purpose of the policy in the first place. While many organizations rely on the ISO 27000 requirements for certification, these guidelines are simply a minimal standard that leaves room for improvement when optimizing your security policy.
What Can Organizations Do?
This is where Packetlabs can help. Our team of cybersecurity specialists is highly trained in auditing and testing methodologies that can evaluate your organization’s security policy in a practical, hands-on manner to find which areas are working and which ones may be leaving you vulnerable. An objective-based penetration test is an excellent way to see how well your organization’s security policy will actually hold up in an attack scenario. It is truly impossible to identify if a security policy is actually working effectively within an organization’s infrastructure without testing its capabilities.
We have finely tuned thousands of security policies based on our highly detailed testing engagement results and rating criteria. Our industry-leading reports are amongst the best in the cyber security community, providing both an easy-to-read layout with constructive suggestions on how to improve your organization’s security necessities, and detailed technical results evaluating infrastructure, web, and wireless components. Every one of our clients leaves our testing engagements with a greater insight into their network architecture so they can fix the problem areas before an attack or breach occurs. Contact us today. We can identify the weakness and together prevent the attack.