Common Errors in Defining Security PoliciesRight Ways of Defining Information Assurance Policies and Controls
Among the biggest challenge facing enterprises today is lack of an ideal information assurance policy and standards for deploying new technological architectures and controls to combat threats. Enterprises of critical sectors make common mistakes in defining the organization's information assurance policy, which leaves a huge flaw in the security systems. It's time CISOs took control, evolved a governance structure through consensus with the business and established information assurance standards that are practical to enforce. Qatar guides the enterprises and CISOs through its information assurance policy in securing their assets against threats of confidentiality, integrity and availability.
I strongly believe security policy is one area to which most enterprises pay the least attention. Mostly, policies are developed by consultants or IT staff not well-versed in the business and organizational culture.
Ideally, CISOs must base the information security program on the principle that not all information assets beg a high level of assurance
I've observed some common mistakes enterprises make while prescribing security policies, overlooking vital aspects:
- Lack of a clear enforcement model;
- Lack of governance structure and ownership of policy;
- Enterprises focusing only on technology, not policy management;
- Shortcomings in choosing right controls/technology because they do not understand organizational risks;
- Unclear access control policy for all new devices and legacy applications;
- Ambiguous DLP policy not catering to the domain need;
- Lack of visibility into security policy needs of the business;
- Team's lack of understanding what must be secured;
- A lack of processes necessary to establish security and risk frameworks;
- Enterprises unable to classify information assets to implement Infosec programs;
- Infosec risks yet to become board room discussions.
Awareness among CISOs for building effective information security is imperative given that the government of Qatar worked on certain compliance standards to combat threats.
Ideal Governance Structure and Policy Parameters
What should be the ideal security governance structure within enterprises? What parameters are critical while defining the policy? Why do policies fail? How must compliance and information assurance tools be used to develop a risk-free environment?
As a first step, I'd recommend that CISOs adopt Qatar's National Information Assurance Policy targeting critical sector organizations, mapped using international standards like ISO 27001:2013 and PCI DSS v3.1.
Ideally, CISOs must base the program on the principle that not all information assets beg a high level of assurance.
They must follow the Pareto rule - 80 percent of assets need minimal controls, and 20 percent require adequate security with additional controls. Also, logic says that baseline or mandatory controls are applied across all assets. However, entities must conduct a Business Impact Analysis to identify critical processes. Then, identify information assets within these processes and classify them based on the Confidentiality, Integrity and Availability triad.
Further, I believe classification of information assets is important. No organization spends a fortune securing an asset with little or no value.
What should the ideal governance structure be to develop a framework? This does not necessarily lie within the format or syntax of the document. The most important thing is having the right governance in place, assigning an owner for the infosec program at the right executive level and with the right management support.
Some parameters for a security document include these:
- Ensure the policy document is clear and concise;
- Clearly identify the objective, audience, policy statements, enforcement, roles and responsibilities;
- Ensure the policy aligns with regulations and frameworks;
- Define key metrics to measure its performance and assess if it's delivered the objectives;
- Choose security controls that are practical, enforceable and provide the required security without compromising the business itself;
- Once formulated, adequately communicating it to the audience; security policies should become part of the employee on-boarding process and regular security awareness sessions;
- Security policies must be able to manage risks proactively and face audit observations;
- Policies must be designed to be effective in managing outsourcing or third party risks.
While compliance is a means, the real objective is building and integrating an infosec culture within the organization's DNA. Policy management is not only about writing policies, but also executing them through effective implementation and compliance enforcement. Also, CISOs must ensure that security's discussed at the highest management level alongside other enterprise risks as part of the usual business.
I recommend appointing a head for the infosec program reporting to the organization's highest authority. The policy must be developed through consensus with the business, not in isolation.
Also, infosec operations should be delineated from the IS manager's role and responsibilities. Ideally IMO, IS operations should be part of IT, whereas the overall IS Governance must be provided by the IS manager reporting directly to the highest level - potentially the CEO or the Board.
Samir K. Pawaskar is the head of Cyber Security Policy & Standards, Ministry of Information & Communications Technology, Qatar. He has developed National Information Assurance Policy (Qatar's Information Security Policy) and the complete program around it to drive its adoption and compliance within the stakeholders. An experienced information security professional with more than nineteen years of experience having worked in diverse verticals.