When implementing a security solution for an organization, operational policy guides the usage of, and access to, specific resources by organization members. From a security standpoint, policies also take into account external compliance requirements and organizational security frameworks to ensure adherence to each body of guidance. The key to a successful policy is that it is clearly communicated, leaves nothing open to interpretation, and provides clear steps for getting clarification through the correct channels. As with other topics covered in this course, policies should be reviewed regularly, especially when significant changes occur in the business, in compliance or regulatory requirements, or in the systems themselves.
There are many areas of focus in creating policy for an organization. Laws, regulations, implementation challenges, and other key outside factors all need to be considered. For this review, the subsections below will focus on defining security policy, what considerations to take around privacy, and implementation challenges organizations may face around policies.
A security policy is a collection of documents that provides guidance around controls, access, actions, and processes for securing an organization. Many policies start at a high level providing general security guidance and get specific as they focus on the security of certain assets. Security policy can also dictate the educational requirements of data users in the environment, setting forth access controls based on qualifications or "need to know" conditions. Security policies also consider the controls in place around security events. This may guide the requirements of incident response or business continuity plans.
Johnson and Easttom call out six types of documents as part of a policy framework:
Principles - These documents set the tone and establish high-level authority to enforce policies.
Policy - These documents set guidance around business functions and transactions to drive the desired outcome.
Standard - These documents set a norm or baseline to be implemented organization-wide.
Procedure - Guidance on the steps to implement a process or policy.
Guideline - Optional parameters to help with the implementation of policies.
Definitions - Defining key terms used in the policy to ensure consistency of understanding.
(Johnson & Easttom, 2020)
Data privacy is becoming a standard across all private and public organizations, with many regulations by Federal, State, and Local Governments. As citizens and consumers, we expect that any personal data we give to an organization will be stored securely, shared only with authorized partners, and disposed of in an appropriate way when our data is no longer needed. Privacy policies set the expectations from the consumer side and guidance, standards, and requirements from the organization's side in handling private data.
There are standardized definitions of data types we'd want to secure with privacy policies. A couple of examples of these are called out below, along with regulations that may influence their use.
Personally identifiable information (PII) - PII is information that can distinguish one individual from another. This information includes names, birthdays, Social Security numbers, biometrics, addresses, etc. Examples of privacy regulations around PII include the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).
Payment card industry (PCI) data - PCI data is the information used by organizations to accept, process, store, or transmit credit card information. The PCI Security Standards Council sets the standards an organization must meet to ensure standardized handling of personal credit card information.
When implementing security policies, it's essential to consider the implementation method while the policies are still being developed. If a policy goes against the business's needs, successful implementation may be impossible. It's also important to consider the knowledge of end users and of those responsible for implementing the security policies. For example, if an end user is not familiar with the threats associated with email phishing, they may blindly click links in emails from senders they don't know. While a policy can call out the technical security controls to put in place against phishing, one of the best controls is an educated user base.
Other challenges are the growth of an organization and its use of technology. Before the pandemic, policies were likely written to ensure the data security and privacy of an on-premises workforce. Many organizations have since shifted to a hybrid or fully remote workforce. Applying pre-pandemic policies to this new norm is difficult and has forced many organizations to revamp their policies to enable the remote workforce.
In my professional career, policies are one of the things that very few of my peers and I would want to write. However, we understand the criticality of policies as we build out successful information systems and security solutions for our organizations. Without these policies, the use of information systems can be a free-for-all, and misuse is sure to follow. In my time at a K12 school district, Acceptable Use Policies for students and staff alike allow for expectations to be set on what resources would be provided, how to use them, and what consequences may follow if misused. As the needs of our organizations changed, and especially as Bring Your Own Device (BYOD) became more popular, it was apparent that policies (and architectures) would need to be revamped to allow for the effective use of these devices. On top of the enablement of the organization, many regulatory and compliance considerations drive the need for strong policies in an organization.
When looking at the artifacts I expanded upon above, it's important to understand what a policy is, how it applies to situations such as data privacy, and what types of challenges you may run into as you implement the policies. Any security professional in a leadership role will need to be able to effectively disseminate the information in existing policies and ensure any new or updated policies address current and future business challenges and regulatory requirements. I chose these artifacts as they represent key starting points for organizations creating policy around cybersecurity and their operations.
From an ethical standpoint, policies are the "laws" that we need to follow to run a business that adheres to the standards and requirements set by its oversight committees. In K12, this was the guidance provided by the State and Federal Departments of Education and information security requirements set forth by the California Data Privacy Act. Having a weak policy in place would leave room for interpretation, which may be unwanted when securing an information system. Worse yet, a lack of discipline called out in a security policy may allow an internal user with bad intentions to get away with malicious activity.
Overall, security policies are the glue that helps hold together a strong security posture in an organization. They guide building a solid architecture, using threat intelligence, what needs to be done around incident response, and so much more. After running through this course, I have a new appreciation for the importance of effective policies in an organization.
California Department of Justice. (n.d.). California Consumer Privacy Act (CCPA) | State of California - Department of Justice - Office of the Attorney General. California Department of Justice. Retrieved February 20, 2022, from https://oag.ca.gov/privacy/ccpa
General Data Protection Regulation. (n.d.). General Data Protection Regulation (GDPR) – Official Legal Text. Retrieved February 20, 2022, from https://gdpr-info.eu/
Johnson, R., & Easttom, C. (2020). Security Policies and Implementation Issues. Jones & Bartlett Learning, LLC.
Kerner, J., & Bell, H. (n.d.). Top-Five Practices for Changing Security Policies. ScottMadden. Retrieved February 20, 2022, from https://www.scottmadden.com/insight/top-five-practices-changing-security-policies/
NIST. (2021, September 23). Security and Privacy Controls for Federal Information Systems and Organizations. NIST. Retrieved February 20, 2022, from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
PCI Security Standards Council. (n.d.). Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards. Retrieved February 20, 2022, from https://www.pcisecuritystandards.org/