Brad Curtis | Blog

Solutionary Blog and Bloggers

 Solutionary is an information security company. What does that mean? Simply put, we help businesses protect their assets, remain fully secure and safe online, and maintain and adhere to compliance regulations and standards. Solutionary's blog will be a place to learn about and discuss a wide variety of security and compliance topics. More information about Solutionary can be found here. To read the Solutionary blog comment policy and disclaimer, click here.

Solutionary Bloggers: 

Brad Curtis, Compliance Manager              Jon Heimerl, Director of Strategic Security
Mike Hrabik, President and CTO 
Don Gray, Chief Security Strategist
Court Little, Director of Strategic Security Joseph Blankenship, Senior Director of Product Marketing and Strategy
Doug Picotte, Regional Technical Manager
Rob Kraus, Senior Security Consultant   Scott Simpson, Director, Security Consulting Services                            Brian Reed, Regional Technical Manager          

 

 

 

 


Subscribe to our blog

Your email:

Posts by category

Posts by popularity

Solutionary Minds - Your Information Security Blog Source

Current Articles | RSS Feed RSS Feed

Got Security Policy? Part 4: Raising the Bar

Posted by Brad Curtis on Wed, Aug 18, 2010 @ 01:58 PM
Share on Twitter Twitter | Share on Facebook Facebook | Submit to Digg digg it |  Add to delicious  delicious |  Submit to StumbleUpon StumbleUpon | Submit to Reddit reddit 

Training, Acknowledgements and Awareness

In my previous post, I provided some information to help you get your Security Policy (the policy) communicated to employees, ensure the policy works for your organization and enforce it.7 Security Policy Development resized 600

Today, I’m going to leap forward a bit and provide information to help you not only enforce the policy, but ensure employees are actually reading and understanding the policy.  Doing so, follows security best practices and can even help you become compliant with many industry standards.

First, you should create a list of the items in the policy, which are important to your organization, for example:

  • User name and password requirements (format, length, strength, etc.)
  • Physical security requirements (access to sensitive areas and information, tailgating, access cards, biometrics, etc.)
  • Logical access (how access is approved, assigned, tracked, and audited)
  • Software use (licensing requirements, copying, support, etc.)
  • Remote access (authorization, VPN applications and use, authentication, etc.)
  • Visitor policy (NDAs, visitor badges, access, use of non-company equipment, etc).
  • Monitoring and use of company assets (Internet, chat, e-mail, etc.)
  • Incident handling (identification, notification, follow-up, etc.)
  • Exception (notification, approval, tracking, etc.)
  • Information classifications (private, public, internal use, etc.)
  • Intellectual property (patents, trademarks, etc.)

The above is not intended to be a comprehensive list, but rather a high-level suggestive list of items an organization may want to focus on.

Next, develop a set of questions (e.g., multiple choice, true/false, or combination thereof, etc.), which highlight the topics you selected. You don’t want to make the questions too difficult, but at the same time, should be worded in a way, which requires the user to read the policy to be able to answer them. 20 to 40 questions should be sufficient to ensure your employees have read and understand the policy. Set the passing grade (e.g., 90% or whatever you choose) and those who do not pass, have them find those items in the policy and correct their answers. This will help them to understand those items they may not have read close enough the first time through.

You should also develop a short letter of understanding and acknowledgement, which states the employee has read, understands, and agrees to follow and enforce the policy on a daily basis. Have them sign the letter and file it in their human resources employee file (e.g., hardcopy or electronically).

You should have all your employees go through the review, test, and acknowledgement process on an annual basis. Even executive-level employees should be required to go through the process. Their participation not only enforces the importance of the policy, but also provides them with the knowledge to answer questions their reports may have about the policy.

Note: You can make the process described above part of your new hire procedures and before you assign equipment, physical and logical access, etc to a new employee, make them complete the review, test and acknowledgement. This helps you be proactive about security and sets the tone straight-away about the importance of protecting company and customer information.

Finally, you should take the list of topics you used in the test and develop a simple PowerPoint security awareness presentation, which you can make available to employees on the company Intranet, etc. This allows you to send quarterly (or whatever frequency you want) reminders to review the training; thereby checking another box for compliance.

If you create a program with the elements I’ve described herein, you are well on your way to having a solid Security Policy program.

0 Comments Click here to read/write comments

Got Security Policy? Part 3: Basic Policy

Posted by Brad Curtis on Fri, Jul 23, 2010 @ 01:10 PM
Share on Twitter Twitter | Share on Facebook Facebook | Submit to Digg digg it |  Add to delicious  delicious |  Submit to StumbleUpon StumbleUpon | Submit to Reddit reddit 

Implement, Communicate, Update, and Enforce Your Policy

describe the image

My last post described how to develop a Security Policy from scratch. Some organizations may have a very basic policy in-place but do not communicate, update, or enforce the policy. This post provides some high-level direction on how you can get started.

Note: Most industry standards and regulations (e.g., PCI, SAS-70, GLBA, HIPAA, SOX, etc.), require you have, at a minimum, a written Security Policy that is communicated to employees, contractors, etc.

You do not need a committee to get started on implementing your policy. However, I would suggest a few very important administrative assurances before rolling it out:

  • Technical Writer – have a tech writer develop, or at least, edit the policy
  • HR Review – have HR review the policy to ensure it doesn’t conflict with your corporate culture or invoke an unnecessary burden to the company
  • Legal Review – if an option, you should have a legal firm review the policy to ensure it is in line with local, state, and federal laws and regulations.

Implement

Once you have a Security Policy (albeit in many cases very basic), you can quickly take a step closer to compliance by implementing a few basic principals:

  1. Require all new employees to read your Security Policy (or all employees if you are starting from scratch with a policy for the first time)
  2. Notify employees of changes you make to the policy
  3. State the disciplinary actions, which may result from non-compliance

Update

You should review the policy at least on an annual basis to ensure it is still valid, accurate, and applicable. You will always find there’s information missing or it is outdated.

Communicate

When you do make changes to the policy, ensure you communicate those changes via e-mails or the company Intranet. This will reduce the cycles involved with HR when employee’s question why policy has changed and they were not informed.

Enforce

Train employees on the importance of following the policy and the ramifications for not following it. Require employees to report any instances of non-compliance or incidents to your security officer, HR representative, or executive.

If you implement these basic principals, you are well on your way to having a solid Security Policy and program. Up next, I’ll discuss how you can take implementing your Security Policy to the next level and get you one step closer to a solid security program.

0 Comments Click here to read/write comments

All Posts