Basic Policies and Standards
March 25, 2011

How do you pursue an agenda for the service offering while growing a security team and building a security infrastructure for a rapidly growing company, all at the same time? The answer is to start with the basics.
When a company is very small, it has the luxury of hiring people with highly specialized skills and similar mindsets. However, once a startup has progressed beyond its initial growth period, it has to hire employees with a broad range of skills and experiences. When thinking about security, the glue that brings these varying groups and skill sets together is basic security policies and practices.
Devise a Security policy that breaks down into 10 key areas:
1. Corporate Policy Statement
2. Allocation of Security Responsibilities
3. Security Awareness: Education and Training
4. Control of Security Incidents: Reporting and Tracking
5. Virus Controls
6. Business Continuity Planning (BCP)
7. Control of Proprietary Software
8. Protection of Corporate Data
9. Overall Information and Data Protection
10. Compliance to the Security Policy
Corporate Policy Statement
A Corporate Policy Statement (CPS) is an essential document for initiating any security program. It protects an organization from basic high-level risks, documents the organization’s commitment to security and provides management and staff with information on security concepts. The statement should define the scope of coverage and the responsibilities of all employees in protecting corporate information and resources.
The Plan
The next step was devising a plan of action that reflected our business objectives, provided adequate protection for the current activities of the various operational units and kept business units engaged in the security process.
To be effective, the plan would have to look something like this:
1. Separate the attention given to the immediate security needs from the long-term security goals. In simple terms: Give the operations and business departments the security they need today while working in parallel to construct an overarching security structure.
2. Pay individual attention to each of the company’s divisions while coordinating their operations and projects with corporate-wide security efforts.
3. Concentrate the limited security resources on the immediate- and high-priority issues first, and take on remaining goals as security resources grow.
Divide and Conquer
To lessen the impact of interruptions caused by attacks and make progress on the plan, structuring the security group became the next critical task. The structure devised divided the security team into three groups:
1. “Corporate” security, which focuses on the security foundations with policies, awareness and assessment activities.
2. Security engineering, which has individuals assigned to the various business and engineering departments, working with them on the development of new products and initiatives and ensuring security is incorporated throughout the organization’s activities.
3. Security services, a unit charged with performing the routine security tasks, such as running the firewalls, collecting logs and conducting physical security checks.
Implementing the Plan
In the middle of the night, functional and security issues impact the operations staff more than any other group. So, it made complete sense to pursue the security agenda in “reverse.” That is, start security activities with the operations organization and its processes, focus on their interface with engineering / development, and then move on to the engineering / development groups and processes.
The security services team would have to support the tactical activities, such as managing the firewalls and operating security assessment tools. The security engineers would have to pursue the majority of the work toward business goals:
1. Be part of the system and application design;
2. Be involved in the development and operational service processes;
3. Reinforce the security culture;
4. Find creative solutions for overcoming the lack of physical control over remote sites; and
5. Pursue best practices as the base for all of our efforts.
Get involved. The fact that my security team rolled up their sleeves and climbed into the trenches with the engineering and operations departments gave the security initiative credibility and earned it respect. Never before had the other functional business groups had security people working side-by-side with them to find applicable solutions to technical risk issues. The cooperative effort led to the more expeditious resolution of many security issues.
Stay on target. Cooperation is one thing, but working with other departments shouldn’t derail you from long-term objectives. There are certain business issues that require individual attention, as well as problems that demand the immediate reallocation of resources. But nothing should distract a Security team from working toward its goal of building a comprehensive security infrastructure. Security awareness, a positive security culture and core Security policies will win in the long run.
www.bestitdocuments.com