IT Security Nov 4, 2020

Information Security Policy – Set up policies and boost information security.

The number of security breaches reported every day has been giving IT admins a headache ever since we entered the age of digital transformation. Over the last few years there have been plenty of stories of data being stolen and businesses being blackmailed, and it is not easy to shake the feeling of uneasiness and helplessness. But why? And what can we do about it? These are the questions I'll be tackling in this blog today.


Hans-Jürgen Martini
Team Leader Network & Security Engineers – CC-BISS

The causes.

Why do IT managers feel unhappy and uneasy? What is it that makes them anxious? Feelings like these are often a sign that our subconscious is telling us that something isn't quite right. They can also be the niggling voice at the back of your mind saying that making no decision will be worse than any decision, so that sometimes you simply have to choose the lesser of two evils. You may feel uneasy whatever you decide to do, but emotions are how our subconscious helps us work out what to do.

IT managers often don't have an IT security strategy that is aligned with that of the business, so insomnia and nervousness are the order of the day. Most companies simply lack an Information Security Policy that lays down their own requirements in this area. The result is uncertainty: having to get to grips with IT security anew every single day while fighting a never-ending war against cybercrime.

Information security in a nutshell.

Information security describes the technical and non-technical properties of systems that process and store information, which should guarantee confidentiality, integrity and availability. Its purpose is to protect against risks and threats and to avoid economic damage.

The focus is on:

  • Confidentiality – Ensuring that information is only accessible to those who are authorised to access it.
  • Integrity – Ensuring that information is protected from unauthorised modification or deletion.
  • Availability – Ensuring that information is available to the people who need it, when they need it.

What needs to be protected?

Corporate information and relevant assets need to be protected from both internal and external threats. Security requirements need to be defined to ensure the information is adequately protected.

This can be done on the basis of:

  • Risk analysis.
  • Legal, regulatory, statutory and contractual requirements.
  • Principles and objectives resulting from the business requirements for information processing.

No clear policies.

Most companies, however, are not aware of the importance of an Information Security Policy. Starting down the road of developing one is difficult and requires staff with the skills to do so. This, together with the cost of drawing up such a Policy, puts many businesses off.

The benefits of an Information Security Policy.

Information Security Policies tend to be based on risk analyses that identify critical points and introduce security processes. Each policy relates to a specific risk and defines the measures that need to be taken to minimise it. Ensuring information security is essential if businesses are to protect their profitability, competitive edge and reputation, and to make sure they comply with legal provisions. The Policy therefore defines information security management and aligns it with business requirements and the relevant laws and regulations.

A company-wide Information Security Policy is structured as a set of individual policies issued by the company. They ensure that all IT users within the company's domain or network, or otherwise within its area of responsibility, comply with the company's rules and guidelines.

Information Security Policy objectives and content.

  • To reduce information security risks to the level accepted by the business owners.
  • To support the business strategy through efficient, secure and responsible use of information.
  • To provide a framework for compliance with recognised information security standards as well as legal and regulatory requirements.

An excerpt of the individual policies that typically make up an Information Security Policy:

  • Acceptable Use Policy
  • Asset Management and Disposal Policy
  • Business Continuity Policy
  • Change Management Policy
  • Cryptography Policy
  • External Party Management Policy
  • Information Security Incident Management Policy
  • Information Classification and Handling Policy
  • Information Retention, Backup and Restore Policy
  • Logging and Monitoring Policy
  • Mobile Computing Policy
  • Network Security Policy
  • Physical Security Policy
  • Platform and Application Management Policy
  • User Access Management Policy
  • Vulnerability Management Policy

All of these policies are supported by standards that include details on how to implement each individual policy.

Summary.

Rules are based on experience and knowledge derived from recurring patterns, and they are defined for a specific area in agreement between the IT organisation and company management. Bundling these individual rules together makes up an Information Security Policy. Rules enable IT security and raise awareness of proactive, entrepreneurial action. What's more, they ultimately lead to a strong IT organisation that adds value to the business and, as a business enabler, can secure economic success and give the company a decisive competitive edge.

Get in touch with our security experts at the BISS (Bechtle Internet Security und Services) Competence Centre who will help you tackle security vulnerabilities and strengthen information security.