Quick and dirty guide to security policy creation

Read part 1 of this series: Unsecured and unaware: Why your business needs cyber security policies now! and the introduction to this article: Security policy 101: How to develop security policies for your business.

Consider the following discussion points when developing your security policy. This list is by no means complete, but it will provide you with a good start, which can help you to develop a plan to protect your business from cyber-security threats.

Browse the bullet points for things to consider. Bookmark the page for future reference and go through the guide in more detail when you’re ready to develop your own security policies. Remember, the goal of this guide is to raise the bar; it’s not going to solve all your security problems (or make you industry compliant). But it will help you start moving in the right direction.

Know your business

  • Create a list of all of your systems: email, accounting, purchasing, online supplier portals, and file servers.
  • Create a list of your users: what types of staff do you have? Reception? Sales? Accounts payable? Accounts receivable? Management?
  • What devices do you have? File servers? Wireless access points? Routers? Laptops? Tablets?
  • What types of data do you store? Credit card numbers? Business plans? Client usernames and passwords? Personal information? Secret documents?
  • Our Systems.doc
  • Our Users.doc
  • Our Devices.doc

Play some “what if” games

  • Ask, “What if this device fails?”
  • Ask, “What if a staff member quits or is fired?”
  • Ask, “What if a device goes missing?”
  • Ask, “What if someone steals the device?”
  • Ask, “What if the data is leaked?”
  • Ask, “What if someone has access to our Wi-Fi?”
  • Ask, “What if someone guesses our server password?”
  • Ask, “What if Bruce Willis teams up with Mr Robot to compromise one of your staff who is involved in international money laundering?”

Reality Check

  • How often does your staff turn over?
  • How often have your computers failed?
  • How likely is it that your Wi-Fi password is easy to guess?
  • Have you changed your banking passwords recently?
  • Do any of your staff know Bruce Willis or Mr Robot?

Reality check is probably the most technical process. The difficulty lies in understanding how likely a certain type of failure is, and also how likely it is that malicious attackers would exploit that scenario. Hackers tend to work on the fringe of unlikely scenarios; they will focus on areas that most people haven’t considered for protection. It’s unlikely that a hacker is going to bring down the city’s electricity grid to unlock your vault (unless it’s Hans Gruber), but maybe you hadn’t considered putting a padlock on your electrical switch [fuse] box?

Think contingency

  • Think about what will happen if your staff quit.
  • What process should happen if staff leave suddenly? What if they’re fired? Who is responsible for revoking their access?
  • How do we continue to operate if the dispatch or HR system is offline? Do you have hard-copy or paper-based forms to fall back on? Should you have a fallback solution?
  • What will you do if your system is infected by malware or ransomware? Do you need a spare computer? Can you afford the downtime while you re-install software and restore from backups?
  • What happens if your Internet link or a specific server goes down? How can you continue to work?
  • What will you do if your supplier’s system is breached? What passwords should you change? What information did they know about your business or your clients? How could this information be used to manipulate you?
  • When you see Bruce Willis in your car park, how should you react?

Contingency planning often involves getting creative. Realistically, most businesses won’t fall over immediately if something goes wrong. Use your what-if scenarios and your lists of servers, staff and devices to create separate, 1-page contingency documents: “Restoring from a ransomware attack”; “Key staff member resigns”; “Internet access lost”. Sometimes technical products can help with your recovery or risk mitigation. But the general themes can often be addressed if you have a solid understanding of your organisational requirements.

Manage access

For each of the systems, devices and websites that you have identified, consider who needs access and why. Poor access control is a common point of failure in business security. Long-forgotten staff still know your banking details, and everyone still shares the same password. You need to know who has access to your data and systems.

  • Document clearly which staff should be able to access which systems. E.g.: Does reception need access to your “Client Documents File-Share”?
  • Do they need access to your supplier portal?
  • Get your limited IT team to enact and test these access policies.
  • Erase or disable any user or administrative accounts that are no longer required.
  • Audit your computers and servers to see if suspicious accounts have been created. Check to make sure that the users you’ve documented are the only users with access.
  • Don’t give Bruce Willis a swipe card if he’s only doing temporary work for you.

Your work to identify systems, staff, scenarios, and contingencies will give you an idea of who needs access to what. By limiting or ‘compartmentalising’ access, you limit the exposure to other people’s errors. The types of contingencies you’ve identified will also decide what types of access management you need to undertake.
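To make the “audit your computers and servers” bullet concrete, here is an added example (it is not from the original article) that compares the users you have written down for a system against the accounts that actually exist on it. The `DOCUMENTED` list stands in for the article’s “Our Users.doc”, and the `/etc/passwd` lines are a constructed sample of what you would copy off a Linux file server; both are assumptions, and on a Windows server you would feed in the equivalent account listing instead.

```python
"""Reconcile the users documented for a system against the accounts that
actually exist on it.

Added example, not from the original article. DOCUMENTED and PASSWD_SAMPLE
are constructed stand-ins for your own "Our Users.doc" and a real server's
/etc/passwd file.
"""
from dataclasses import dataclass, field

UID_MIN_LOCAL = 1000  # Debian/RHEL convention: UIDs below this are system accounts

# Constructed: staff documented as needing access to the file server.
DOCUMENTED = {
    "file-server": {"alice", "bob", "carol"},
}

# Constructed sample of /etc/passwd copied from the file server.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
dave:x:1002:1002:Dave (resigned 2016):/home/dave:/bin/bash
backup-svc:x:1003:1003:Backup agent:/var/backups:/usr/sbin/nologin
"""


@dataclass
class Reconciliation:
    undocumented: set = field(default_factory=set)  # account exists, nobody approved it
    missing: set = field(default_factory=set)       # approved user has no account


def local_accounts(passwd_text: str, uid_min: int = UID_MIN_LOCAL) -> set:
    """Return the usernames of every account with UID >= uid_min.

    Service accounts added later (like backup-svc) are included on purpose:
    the check is "are the documented users the ONLY users", so a service
    account still has to appear in your documentation.
    """
    accounts = set()
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue  # blank or comment line
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; not a passwd entry
        name, uid = fields[0], fields[2]
        if uid.isdigit() and int(uid) >= uid_min:
            accounts.add(name)
    return accounts


def reconcile(documented: set, actual: set) -> Reconciliation:
    """Set difference in both directions: extra accounts, and approved users without one."""
    return Reconciliation(undocumented=actual - documented, missing=documented - actual)


def audit(system: str, passwd_text: str) -> Reconciliation:
    return reconcile(DOCUMENTED[system], local_accounts(passwd_text))


if __name__ == "__main__":
    result = audit("file-server", PASSWD_SAMPLE)
    for name in sorted(result.undocumented):
        print(f"REVIEW: account '{name}' exists but is not on the approved list")
    for name in sorted(result.missing):
        print(f"NOTE: '{name}' is approved but has no account (or logs in under another name)")
```

Run against the sample it flags `dave` (a resigned staff member whose account was never disabled) and `backup-svc` (a service account nobody documented) for review, and notes that `carol` has no account at all. Every item in the first list is either a mistake or an account someone needs to add to “Our Users.doc”; either way the documentation and the server end up agreeing.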

Manage all changes

Because no business environment is static, your policy documents should recognise that staff will come and go, account numbers will change, and new software will become available. You should be clear about who can make these changes, and what they need to consider before they do.

  • Who can change your accounting or finance details?
  • What is the process for updating your mailing list or client details?
  • What should happen if a client calls you to change their billing information? How do you verify that client without inadvertently disclosing their information? How do you confirm the changes?
  • What should happen if one of your staff needs new software? What is the business case for the software? Is it coming from a reputable manufacturer? Is it well supported? Are there any known vulnerabilities or hacks (have you checked the software with Google searches)?
  • If Bruce Willis says ‘jump’ should your staff respond?

Managing both security and policy changes is integral to policy success. It’s unlikely that you’ve thought of every scenario, or documented everything perfectly. The rules you define here can be in the form of statements and checklists; your documents will be titled things like: “New staff induction process”; “Changes to administration systems”; “Staff resignation process”; “Policy for installing software on work computers”; “Checklist of requirements before connecting personal tablets to the office Wi-Fi network”.

You should have rules that define the types of changes you can expect, as well as catchall rules and checklists for consideration if something falls through the cracks.

Password rules: what, who, how and when?

Who has access to your bank account? You might be surprised! What about password security — do you need complex passwords or do you permit easy to remember passwords? Password rules are critical to business security because passwords are usually the keys that permit access to your whole organisation. Many people think that password policy merely defines how annoying passwords should be to remember.

While defining password complexity is certainly part of the process, you should also consider more significant threats such as shared passwords for your banking and supplier portals. Also consider general password advice regarding re-use of passwords on multiple sites, and whether it’s ok to write down a password (sometimes this might not be a bad idea if you can put it behind lock-and-key).

  • If you have shared banking or supplier portal passwords change them all. Document what sites you have access to and when the password was last changed. Changing all of your ‘shared’ passwords will reset access, and exclude all those who have inadvertently been given the password throughout history.
  • Change passwords to your devices, routers, and Wi-Fi access points. Changing settings on these devices can open the door to full access to all of your systems.
  • Avoid sharing new passwords with everyone. Refer to your list of user groups and decide who needs access to what services.
  • Use different passwords for every single activity. Define password rules that separate access to banking, server administration, website administration.
  • Wherever possible don’t use a shared password, create specific user accounts and assign privileges to the account. It’s much easier to cancel a single user account than it is to communicate a new password to 5 users.
  • Decide when to update shared passwords. Perhaps after a certain elapsed time, or immediately after someone has left. Remember that you might need to change shared passwords on many devices, websites, and servers.
  • Don’t forget to update the passwords on your routers, and Wi-Fi access points. Add these to a checklist so they don’t get forgotten.
  • Consider individual password policies. Suggest that users have a unique password for their work activities.
  • Does Bruce Willis need to know your banking password? How about your Wi-Fi password?

The biggest wins in most small organisations come from managing the use of shared passwords and accounts. Policies and checklists that decide who, when and how these passwords are used (and changed) will help your security immensely.
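The bullets above ask you to document each shared login, who holds it and when it was last changed, and to rotate it after a set time or as soon as a holder leaves. The following added example (not from the original article) turns that inventory into a check you can run every month. The inventory, the departed-staff list, the 180-day limit and the audit date are all constructed assumptions; replace them with your own.

```python
"""Flag shared passwords that are overdue for a change.

Added example, not from the original article. SHARED_LOGINS, DEPARTED_STAFF,
MAX_AGE_DAYS and AUDIT_DATE are constructed values standing in for your own
inventory and policy.
"""
from datetime import date

MAX_AGE_DAYS = 180            # constructed policy: rotate shared passwords twice a year
AUDIT_DATE = date(2017, 4, 1)  # constructed: the day this check is being run

# Constructed inventory: where each shared password is used, who was given it,
# and when it was last changed.
SHARED_LOGINS = [
    {"system": "bank portal", "holders": {"alice", "bob"}, "last_changed": date(2017, 1, 10)},
    {"system": "supplier portal", "holders": {"bob", "dave"}, "last_changed": date(2017, 3, 1)},
    {"system": "office wi-fi", "holders": {"alice", "bob", "carol", "dave"}, "last_changed": date(2015, 6, 1)},
    {"system": "router admin", "holders": {"alice"}, "last_changed": date(2017, 3, 20)},
]

# Constructed: staff who have left since the inventory was written.
DEPARTED_STAFF = {"dave"}


def rotation_due(inventory, departed, today, max_age_days=MAX_AGE_DAYS):
    """Return [(system, [reason, ...]), ...] for every shared password that must change now.

    A password is due if it is older than the policy allows, or if anyone who
    was given it has since left (the article's "immediately after someone has left").
    """
    due = []
    for entry in inventory:
        reasons = []
        age_days = (today - entry["last_changed"]).days
        if age_days > max_age_days:
            reasons.append(f"last changed {age_days} days ago (limit {max_age_days})")
        leavers = entry["holders"] & departed
        if leavers:
            reasons.append("known to departed staff: " + ", ".join(sorted(leavers)))
        if reasons:
            due.append((entry["system"], reasons))
    return due


def systems_due(inventory=SHARED_LOGINS, departed=DEPARTED_STAFF, today=AUDIT_DATE):
    """Just the names of the systems that need a password change today."""
    return [system for system, _ in rotation_due(inventory, departed, today)]


if __name__ == "__main__":
    for system, reasons in rotation_due(SHARED_LOGINS, DEPARTED_STAFF, AUDIT_DATE):
        print(f"CHANGE NOW: {system}")
        for reason in reasons:
            print(f"    - {reason}")
```

On the sample data the supplier portal is due only because Dave has left, while the office Wi-Fi is due on both counts (nearly two years old and known to a leaver); the bank portal and router are within policy. The “holders” set is also the list of people you need to tell the new password to, which is a good reminder of why the article prefers individual accounts over shared ones wherever the service allows it.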

Be careful not to go overboard with password complexity rules. There’s plenty of research to suggest that draconian password change policies may actually decrease the security of systems. Ridiculous policies are harder to enforce; people simply can’t remember crazy passwords.

“Your password must contain a capital letter, a number, the name of a famous cat, the initials of a Greek philosopher and an underscore. Your password must be changed weekly, and you can’t use any of the last four passwords (also, don’t write it down)!”

You don’t want weak passwords, but more importantly you don’t want to open the door to frequent password changes, or to an easy-to-guess password convention, because your policies are too complex. You might also consider whether password managers are appropriate for your users or organisation.

Protect your computers and data

Most businesses need good data. You have tonnes of data from business documents, through to accounting data and client contact lists. Your data is your business, without it you’d be lost. Consider your “What-if?” scenarios and protect your computers and data.

  • Try to use real-time backup solutions like Time Machine or Windows backup. Also, take a daily backup, and a weekly offsite backup. Make sure the backups are encrypted (Google search “creating an encrypted backup on windows”, find trusted sources, don’t arbitrarily install backup software)
  • Decide how often someone should spot-check your backups to see if they can access your most important files. You need to verify that the files work and are correct. Daily? Weekly?
  • Consider once or twice a year scheduling a “test restore” of an entire computer or server from your backups. It’s tedious, but unless you test it out, you don’t know for certain it’s working.
  • Update your operating systems, and application software. The latest security and software patches protect against newly discovered vulnerabilities.
  • Disable applications and extensions you don’t need for your business activities. Do you really need Flash Player? Do you need more than one web browser?
  • Install and update virus-scanning software. It’s only as good as the latest update, so make sure this is up to date.
  • Disable any unnecessary devices or computers. If that server is no longer used, it’s no longer maintained!
  • When Bruce Willis shoots up your server room, where will you go to restore your data?

Consider these points from two angles: think first about how to protect your data from malicious access or theft; then work out how you’ll protect your data against disasters. Controlling unnecessary software installations and limiting access to data will help protect your business from malicious attacks. Some of these controls can be identified in other sections such as change management and access control.

A good disaster recovery plan will protect you from a host of unforeseen events, from a fire in your building to a ransomware attack. This is the most important ‘last line’ of defence any business can have.
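The backup bullets above ask someone to spot-check, on a schedule, that the most important files are present in the backup and are correct. The following added example (not from the original article) does the mechanical part of that check: it hashes each listed file at the source and in the backup copy and reports anything missing or different. It builds a throwaway “source” and “backup” folder so it runs offline; the folder layout, the file list and the file contents are constructed assumptions, and in practice you would point it at your real data folder and the mounted backup.

```python
"""Spot-check a backup: are the important files present, and byte-for-byte
identical to the originals?

Added example, not from the original article. build_sample() constructs a
throwaway source and backup folder so the check runs offline; IMPORTANT_FILES
is a constructed stand-in for your own list of files that matter most.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed: the files the business could not afford to lose.
IMPORTANT_FILES = ["accounts/ledger.csv", "clients.csv", "business-plan.docx"]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups don't have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def spot_check(source: Path, backup: Path, important: list) -> dict:
    """Classify each important file as ok, missing from the backup, different in
    the backup, or absent at the source (which usually means the list is stale)."""
    result = {"ok": [], "missing": [], "mismatch": [], "source_missing": []}
    for rel in important:
        src, dst = source / rel, backup / rel
        if not src.is_file():
            result["source_missing"].append(rel)
        elif not dst.is_file():
            result["missing"].append(rel)
        elif sha256_of(src) != sha256_of(dst):
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def build_sample() -> tuple:
    """Constructed sample: one good copy, one stale copy, one file never backed up."""
    root = Path(tempfile.mkdtemp(prefix="backup-check-"))
    source, backup = root / "source", root / "backup"
    (source / "accounts").mkdir(parents=True)
    (backup / "accounts").mkdir(parents=True)
    ledger = "2017-03-01,invoice 1001,450.00\n"
    (source / "accounts" / "ledger.csv").write_text(ledger)
    (backup / "accounts" / "ledger.csv").write_text(ledger)          # good copy
    (source / "clients.csv").write_text("Acme Pty Ltd,acme@example.com\n")
    (backup / "clients.csv").write_text("Acme Pty Ltd,old@example.com\n")  # stale copy
    (source / "business-plan.docx").write_bytes(b"PK\x03\x04 constructed placeholder")
    # business-plan.docx is deliberately absent from the backup
    return source, backup


def run_check() -> dict:
    source, backup = build_sample()
    return spot_check(source, backup, IMPORTANT_FILES)


if __name__ == "__main__":
    report = run_check()
    for status, files in report.items():
        for rel in files:
            print(f"{status.upper():15} {rel}")
```

Matching hashes prove the backup holds exactly what the source holds today, which is the “are the files correct” question. They do not prove the backup can be restored onto a new machine, so this check complements rather than replaces the once-or-twice-a-year full test restore the article recommends.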

Protect your staff, users and clients

You have a duty of care to those you deal with. Avoid liability and PR disasters by protecting them from data breaches. Consider what data you actually need to carry out your business objectives.
