When someone mentions the term “information security policy,” what comes to mind is often an archaic document held in a dust-covered vault, full of hollow words that no one actually knows. But is that what an information security policy is? The short answer is no.

Building a culture of security at your organization really does start with an information security policy. Here are six key ways to help your organization build a successful information security policy:

1. Scope to What You Do

As an auditor, one of the things I have run across in my time is gigantic information security policies that were pulled from a template without customization that do not meet the business’s needs.

An information security policy should be the bedrock of your information security program. It’s a central policy that supports, guides, and outlines your information security program. The policy needs to address security for people, processes, and technologies that are in place within the organization.

There is no such thing as a one-size-fits-all information security policy. A policy for an organization that prints documents is going to have different nuances from a policy for an organization that deals with micro-transactions. The key is that the policy needs to address the risk and security needs that are specific to your business.

The information security policy must be a usable document that allows information security at the organization to advance. An organization should not have a policy just to have a policy; its policies should guide the overall security of the company.

2. Make Your Policy a Living Document

Since the information security policy is the cornerstone of an organization’s information security program, it needs to grow and change alongside the organization’s perceived risk landscape and changing business needs. For some organizations, the information security policy is only reviewed once a year at best and changes to the actual policy are few and far between.

For an organization that truly embraces the idea of a security-based culture, updates to the information security policy should happen as frequently as the risk and business needs of the organization demand, which will most likely be more than once a year.

3. Communicate Your Information Security Policy’s Requirements

A policy isn’t useful if no one has read it.

Making sure the organization’s personnel read the information security policy and understand its requirements is a key component of ensuring the organization has a successful information security program.

Organizations should not only ensure that personnel periodically refresh their knowledge of the information security policy, but also ensure that any changes or updates are communicated to all personnel. This ensures that every member of the organization understands what is in the policy and what it requires.

4. Make Your Policy Understandable

The information security policy will be used regularly as part of the organization’s information security program; as such, it needs to be understandable by the personnel who are beholden to it and who implement it. This requires language that these individuals can easily consume. When a policy is easy to understand, personnel are more likely to follow its requirements.

5. Make Sure Your Policy Empowers the Organization’s Information Security Program

If the information security policy is the base of the information security program, it needs to empower the organization’s information security program.

The policy should specifically communicate the purpose, objectives, and authority of the organization’s information security program. The policy also needs to state the penalties for not following it, and identify the legal, regulatory, and industry security requirements the organization must uphold. The policy should lay out a detailed picture of how the organization has defined its information security requirements.

6. Reflect the Importance of the Information Security Program in Your Policy

Because of its importance to the organization’s information security program, a judicious amount of time and thought needs to go into creating the information security policy.

Desired outcomes, possible impacts, enforcement, and the ability to implement the policy are all important aspects to consider when crafting the document. The more forethought that goes into crafting the policy, the higher the potential success of the organization’s information security program.

In conclusion, an information security policy can be a challenging document to create, but with proper thought and an understanding of the organization’s goals for its information security program, an appropriate information security policy can be crafted.

Need Help with Your Organization’s Information Security Policy?

Writing and revising policies can feel overwhelming at times, but, with expert help, you’ll be able to craft information security policies that will help support your organization’s security culture and prepare you to face today’s threats confidently.

At KirkpatrickPrice, we are committed to helping you throughout your compliance journey. Part of that journey is making sure your policies are updated and effective.

Having one of our security experts review your policies will allow your organization to stay proactive in this ever-changing industry. Sign up for your free policy review today!

About the Author

Mike Wise has over 15 years of information security experience, specializing in data centers and distributed computing. He is passionate about helping clients grow their understanding of information security. As an Information Security Specialist at KirkpatrickPrice, Mike holds CISSP, QSA, and ITIL certifications.

Why is Data Center Physical Security Important?

As we see more and more headlines about breaches, attention to intruders accessing critical data has been heightened. What is the goal of those intruders? To access the critical data stored by organizations.

This brings data centers into focus, because the ultimate nexus of that critical data is the data center. One of the top areas of responsibility for data centers is physical security. Even with the shift to cloud-based infrastructure, data centers remain the physical bastion protecting critical data from physical theft.

Take video surveillance, for example. The video surveillance system is often seen as a “set it and forget it” system, but when something goes wrong, the first thing that pops into people’s minds is “check the cameras” so they can physically see what happened. Video surveillance is an integral part of data centers’ physical security posture, but it often gets neglected. Common issues are cloudy or obstructed cameras, clocks that are not accurate, systems running on end-of-life operating systems, and storage systems that are not retaining videos as long as expected.

There are so many aspects of physical security at data centers, but what are some best practices to embed physical security into the culture of your data center management?

4 Best Practices for Data Center Physical Security

The four best practices for physical security at data centers are controlling physical access, using multiple layers of security, training all personnel on the security procedures and why the procedures are important, and testing your physical security controls.

1. Monitor and track personnel through the data center.

Physical access management is a critical component of a data center’s overall physical security. Both controlling who is granted access and understanding movement through the data center are key. Using biometric readers, anti-tailgating systems, mantraps, and other physical access control systems to ensure that access to each space is authorized and monitored is critical.

2. Use multiple systems to provide layers of security.

Physical security is one of the classic examples of defense in depth. To provide comprehensive physical security, multiple systems and processes must work together, like perimeter security, access control, and process management.

3. Provide training on all physical security procedures.

Ensuring that all personnel adhere to physical security procedures and understand the importance of their responsibilities to a data center’s physical security program is a key concept. Intruders will always look for weak links, and it has been proven time and time again that weaknesses can often be on the human side of the equation.

4. Test your physical security controls.

Internal testing of physical security controls is an important part of physical security. Validating access grants, ensuring that video footage is actually being recorded, and verifying that anti-tailgating mechanisms are working as intended are three areas that I recommend you check. Making the testing of your physical controls a part of your normal operating procedures is one step that is often overlooked.

Auditor Insight on Physical Security Best Practices

As an auditor, one thing that I look for is how physical security is built into the culture of data center management.

Do operational personnel understand the reason why the policies and procedures are in place? Do they recognize the importance of physical security? If personnel fail at following and enforcing physical security policies, then there is a risk of a physical security breach.

A great example of this is the ubiquitous “no tailgating” sign. I have seen the “no tailgating” sign or policy in data centers blatantly ignored because employees think it’s not an issue or an important rule to follow. This cannot be farther from the truth; not following the no tailgating policy has a direct impact on the data center’s physical access control implementation.

The ability to track movements and ensure security is put at risk, which can lead to unauthorized access and possible breaches. It’s examples such as this that give me insight into the culture of data center management at an organization.

Does your data center take physical security seriously? Is your critical data protected from physical threats? Contact us today to start learning more about information security for data centers.
