Information Security Policy
As per the ISO/IEC 27001 Annex A
Information Security Policy
This policy defines an Information Security Program (also known as an ISMS, Information Security Management System). It includes authorization from senior management to establish, implement, maintain and continually improve an ISMS according to the requirements of the ISO/IEC 27001 standard. This policy also includes a list of objectives for the ISMS. A list of subsidiary policies that the security program should produce is included.
Human Resources Security
It is one of the important policies that strengthen an organization's security posture. Since people are the weakest link in security, ensuring that the right people are hired is critical. Everyone should be aware of their information security responsibilities. The security responsibilities of employees continue throughout their employment with the organization and sometimes even after it ends.
Cryptographic controls (algorithms and key lengths) are regularly made obsolete by the industry. For example, AES in CBC mode, DES and 3DES are considered weaker. TLSv1.1 is no longer considered strong (along with SSLv3 and TLSv1.0). A significant part of the TLSv1.2 cipher suite set is no longer considered strong by SSL Labs. This policy formulates the encryption standards that are considered safe for use.
Physical security is the first and foremost security control in practice today, a practice that is thousands of years old. Even in the age of cloud and AI, these controls are still relevant. The TemplatesIT physical security policy defines secure areas, equipment protection policies and which physical security events should qualify as incidents.
Systems (software or infrastructure) may be built in-house, procured from outside, or have their development outsourced. This document includes policies on the information security requirements for a system that is developed or procured, and then subsequently implemented and commissioned into operations.
Suppliers and partners are one of the most significant contributors of security risk to an organization's risk posture, yet this area is very often ignored. This policy requires an organization to include security requirements in its supplier evaluation and governance processes.
Business continuity often requires a considerable number of security measures so that the information assets of an organization are protected while a business continuity, disaster recovery or crisis management incident is in progress.
Every organization should have a policy that lets its employees know the ways in which they are allowed to use the IT and other facilities provisioned to them in order to perform their duties.
This policy includes information security organization topics (such as security team organization, contact with authorities or special interest groups, and information security aspects in project management) as well as mobile device and teleworking policies.
It is considered one of the first disciplines required to achieve the right level of security, and yet it is the most problematic domain in most organizations. Understanding what is to be protected is indeed the first step. This policy covers the identification, inventory, classification and handling of information and other assets.
Every employee should have the right level of access permissions to the systems required for the performance of their job. Not a bit more. This document contains policies regarding access permissions and restrictions, access controls, privileged access management, management of authentication secrets, secure logon procedures, access control for source code management, and more.
The primary rule of operations is that all activities are performed following well-established procedures, or if not all of them, then most. The operational security policy includes malware protection, backups, event logging and monitoring, control of operational software, vulnerability management and information system audit considerations.
A variety of communication and data exchange goes on within a business and also across businesses. This information needs to be protected because of its sensitivity. This document includes policies on information protection within your own networks and across the other networks that interact with your business.
It is not a matter of 'IF', but 'WHEN'. When all controls fail, it is important to have an effective and efficient security incident management practice. It should ensure that the impact of the incident is minimal. The root cause must be identified and the lessons learnt must be used to improve the existing organizational process assets.
The organization should identify the legal, regulatory and contractual obligations that must be satisfied during its business operations. One critical piece of legislation that has affected most organizations is GDPR (in EU countries and elsewhere); it must be identified as one of the legal requirements, together with its requirements for the protection of personal information.
In recent years, IoT has been a major point of discussion among information security professionals. When left unprotected, these devices have become a source of many attack vectors. An effective policy is required to deal with such threats.