Five Core Security Policies and What They Mean
At the job before the one I have now, it was my responsibility to construct and write whole enterprise information security policies, so I have a relatively solid background in this type of work. I also have experience as a former incident responder, which has given me insight into the myriad ways that threats can be introduced to corporate networks – especially by insider threats. Most of these policies are tied to the NIST CSF (800-53) requirements/recommendations via a Policy Template Guide from the Center for Internet Security, in addition to policy samples you can find on SANS, both of which I’ll link to below and highly recommend checking out!
An acceptable use policy generally dictates and specifies what expectations an organization has for its employees when they utilize network resources, visit websites, access email, etc. It gives an employee a baseline for acceptable behavior and details the potential consequences for deviating from it. It’s also the place where a company informs employees of the level of logging they should expect, and the level of privacy they can and can’t expect, when using corporate resources. This type of policy directly addresses the potential insider threat posed by employees and their use of corporate network resources.
A remote access policy dictates the expectations an employee is required to follow, and the access requirements they must meet, when they use a remote access technology or solution like a VPN to reach company resources away from the office. This type of policy is critical when you have employees working from home, traveling, etc. Defining expectations of behavior, what should and should not be accessed, and where it’s acceptable to access the corporate network from (avoiding things like hotel/public WiFi) will reduce the likelihood of an incident occurring.
A password policy dictates the requirements for choosing a secure, complex password, where it should and should not be stored (e.g., not writing passwords on sticky notes, which is also related to a “clean desk policy”), and how often it is to be changed. A policy of this type can help reduce insider threat by making it less likely that a malicious insider will be able to do things like guess a coworker’s password or find it on a sticky note on someone’s desk.
A removable media policy may not apply in specific highly secure environments where removable media is blocked at a hardware/software level. However, this policy can significantly reduce insider threat potential in organizations where removable media is still allowed, or allowed for a group of authorized people. One aspect of this is reducing the likelihood of “data exfiltration” – something that the LabSim discusses briefly and which means “to steal data.” An insider threat placing confidential data on a flash drive and taking it home can cause issues of confidentiality as well as integrity. We saw this happen with the case of Edward Snowden and his theft of classified documents from the NSA several years ago. Another aspect of a removable media policy is the accidental or intentional introduction of malware via removable media. Sometimes employees aren’t even aware that malware resides on their personal flash drive, which, if plugged into a corporate machine, can infect the corporate network. A real-world example of this is the Stuxnet malware, introduced to an air-gapped system via removable media (a flash drive).
This one is by no means the least important in this list, and some may argue it is the most important policy. Most organizational breaches occur via phishing attacks, which the LabSim talks about and which I have also experienced in my time in IR. Having a solid, comprehensive Security Awareness Training Policy should help elevate awareness across your employee base so that employees recognize potential threats – both external and internal. Because phishing is the most likely way a company will experience a breach, this type of policy can help reduce the likelihood that you experience a failure of network security.
Center for Internet Security & National Institute of Standards and Technology. (2020, July). NIST Cybersecurity Framework - Policy Template Guide. Center for Internet Security. https://www.cisecurity.org/wp-content/uploads/2020/07/NIST-CSF-Policy-Template-Guide-2020-0720-1.pdf
SANS Institute. (n.d.). Information Security Policy Templates | SANS Institute. Retrieved August 28, 2021, from https://www.sans.org/information-security-policy/
TestOut Corp. (n.d.). LabSim for Security Pro (section 13.1). Retrieved August 28, 2021, from http://www.testout.com
Zetter, K. (2013, June 13). Snowden Smuggled Documents From NSA on a Thumb Drive. Wired. https://www.wired.com/2013/06/snowden-thumb-drive/
Zetter, K. (2014, November 3). An Unprecedented Look at Stuxnet, the World’s First Digital Weapon. Wired. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/