
I currently work in the Information Security team at my company. I have been requested by company management to assist in reviewing and revising our current IT security policies. I am a trusted, respected member of the IT Security team, and previously management has requested my assistance in reviewing the content of annual security training.

Our current suite of policies is very comprehensive, covering topics from personnel security, cloud security, physical security, logical access security, etc. However, only the IT security team and the IT function in general are affected by a good portion of these policies. Examples:

  • Portions that talk about access administration are probably not relevant to a customer service representative working in a call center.

  • If you are not in IT, requirements for degaussing backup media are probably not of use / concern.

My concern with everyone, regardless of their job role, having to acknowledge all policies is that they may pay less attention to the policies that actually pertain to them, e.g. storage of sensitive data for HR or social engineering safeguards for a CSR in the call center. Simply put, the amount of reading may turn people off, or they may just click through the policies simply to complete the tedious task, and not recognize the importance of what they are reading to the IT security mission of the company. We are an insurance company and work with sensitive customer credit card and private health information. We must also comply with PCI DSS, SOX 404, and state DOI regulations.

Based on feedback in my linked question, I am thinking of discussing with my management to leave common education requirements such as incident reporting and acceptable use untouched in the changes going forward. In this way, all users get a common foundation of the security requirements. Certain processes such as incident response can only work effectively with end user cooperation via timely reporting, so this seems like a no-brainer.

Question

  • Is customizing corporate security policy acknowledgments based on what is actually relevant to a particular employee's job role a good idea?

  • If yes, what can be used to measure the applicability of security policies as they pertain to any given job role?

Anthony

2 Answers


Yes, the security policy should be based on what is actually relevant to a particular employee's job role. I did write GDPR and security policies, including for some very large companies, and this was always a case to debate. Nowadays most serious companies want data access on a need-to-know basis, so customizing security policy is important. In many cases I find that 3 levels/cases of policy are sufficient: one for general users, one for IT staff and one for IT Security staff. In today's context it becomes more and more important that IT staff respect various policies (especially regarding accounts and passwords), so making a special policy for them is mandatory. Also, the security level of IT must have additional rules because they are the ones with the most privileges.

A lot of things can be used to measure the applicability of security policies, but everything starts and ends with the users. There must be a system in place to be able to measure their compliance with the policies. If there is not, you must at least be able to make random polls/tests of their compliance. Without such things everything will eventually become very chaotic and uncontrollable, and the overall IT infrastructure will be very exposed.

Overmind

Security policies can be Role Based, Discretionary (e.g. delegation), Mandatory (e.g. special privileges given on breach), etc.

Role Based is effective but becomes complicated, growing exponentially in large and heterogeneous environments.

In my experience, users do not recognize the importance of policies mainly for 2 reasons:

  • policies are too tight and not user-friendly

  • users don't care

This has the negative impact that users will seek alternative ways to "bypass" them (e.g. sending/receiving sensitive data via an uncheckable personal email account).

As Overmind says, "customizing security policy is important", and my further suggestion is to "kiss" the rules (kiss = keep it simple and stupid).

Frameworks, standards and golden rules help a lot, but only a good knowledge of your company (jobs, data and processes) can give you the right answer on how to tailor policies.

An IT company and a healthcare company will have some common security policies (e.g. check https://www.sans.org/security-resources/policies), but will also have a lot of different ones.

WaltZie