Sunday, 8 July 2012

Tips on Developing an IT Security Policy

As of 22 June 2012, I’ve written 100 posts on my blog; mainly on digital forensics. It is not easy though. You need to do experiments. You need the facts.

And now I’m busy doing forensic analyses on mobile phones. I do not have much time left to update my blog and write up for publication. Hopefully, I will be successful on my “Mobile Phone Forensic Data Recovery” research. This should be the last few experiments that I need to do for this year.

Today, I want to share on an interesting article by Joe Schembri from University Alliance, my guest blogger. Joe has over 10 years of IT experience including 4 years of IT security. Today, he works with University Alliance and CISSP certification prep courses.

There are obviously many factors to consider when developing an effective IT security policy. Just as when considering home security, inherent vulnerabilities and specific unique factors must be weighed carefully. Identifying parameters like the most critical assets to protect, potential threats, and specific intruder profiles can assist in making security stronger and computer systems less penetrable.

1. Mission and Policy Cohesion
The mission of an organization is important to consider, especially if you are brought in as a consultant with limited knowledge of the corporate culture before the initial consultation. The terminology you use to introduce the project, the manner in which you approach team leaders, and the assets considered most valuable will vary from organization to organization. Effective communication and background knowledge will help build a team dynamic between departments collaborating on the policy.

2. Items to Protect
Part of the IT policy provider’s job is to educate the stakeholders in items they may not consider. Whether it is increasing building security, decreasing after-hours access, enhancing employee responsibility, or initiating the discussion for improved server security, the policy needs to be logical and comprehensive.
From a security perspective, your insider knowledge may be “common sense” to you since you are immersed in these situations with clients every day. For an executive with limited knowledge of more stealthy threats, time is needed to share that information so that informed decisions and more effective policies can be developed and proceed smoothly.

3. Use Data to Convince Stakeholders
When building your case for increased security or specific additions of items in the policy document, use industry examples and other pertinent data. Logically building your case gives managers information to take back to their teams, especially when you are introducing change into employee behavior or corporate culture. The same rule applies for working within a family or civic organization to improve security. People are much more likely to change a routine behavior if they have a tangible example to illustrate how the change will benefit the organization, family or company. Larger organizations will have more at stake, but no matter the size of the organization, using examples, case studies, and other pertinent data in an accessible team-oriented way can greatly contribute toward personal engagement.

Today’s threats to cyber security are constantly evolving in both scope and complexity. Mitigating the threats involves staying current on the issues, but also being able to effectively communicate about the threats in ways that are accessible to all members of a team. While policies can frame the best practice solutions to today’s ubiquitous IT security challenges, the policies are only as strong as the stake-holders’ actions regarding policy protocol. When every effort is made to keep the communication inclusive, informative, and collaborative, the resulting policy has shared ownership. In such an environment, the policy becomes dynamic and continually evolving, supported by many as a way to keep shared assets safe for the good of the entire group.