Select Page

During Build IT Together in May of 2015, Chris Czub gave a keynote on information security. In the second installment of a 3 part series, here’s a recap based on Chris’ presentation, calling out the importance of having a security policy in place.

“Lulzsec hacks embarrassed the security community by showing us we were outclassed as defenders. The NSA leaks show we were outclassed as attackers, too.”

–Haroon Meer

One of the best measures organizations can take is simple, and it’s free: being prepared, by constructing a policy and sticking to it.

Preparedness is your security blanket

Preparedness can really reduce the cost of data breaches. Many expensive breaches could have been prevented, and cheaply – or at least cost-effectively preventable.

There are a lot of commonalities on how certain breaches begin:

  • Poor passwords
  • Malware on end-user systems
  • Phishing
  • Application deterioration
  • Software
  • Lost or stolen devices

How can these problems be mitigated?

Creating an Information Security Policy

Above is the management statement from Duo Security’s information security policy, if you don’t already have a policy like this, then consider putting one together. Its step one for building up security and a data secure culture. And you’ll have something to refer to when asked “how do we do this?” If you’re drafting one for your organization, here are a few places to start:

Ownership policy

Define what systems your organization is working with, and who is responsible for maintaining and securing those.

Employee responsibility policy

A simple outline of the security duties employees are expected to do while they’re working at the company.

Devices (BYOD) policy

Does your organization allow users to bring their personal device to the workplace? Connect them to the network? What about work files—can they be downloaded to personal devices? This section should address these security issues for employees.. For example, Duo Security’s grants the ability to look at those personal devices used to access corporate data in the event of a breach.

Incident management policies

This section should answer the question “how do we deal with a breach?”—before you ever have a breach. Obviously, depending on the situation, you’ll have to think on your feet a little bit, but at least you’ll have a good starting point.

Risk-assessment policy

On an ongoing basis—Duo Security does it yearly—assess your organization’s risk. Look at all your systems, policies, and also evaluate the information security policy itself, to make sure you’re adhering to everything

We only called out 5 sections your policy coul dhave. The entirety of the Duo Security’s policy revolves around the “lucky 13” items listed below. These would change, of course, depending on your organization and your angle, but this should give you some ideas on where to start.

That’s it. Then promote it within your organization and live by it. Oh, and don’t forget to evaluate it at least once a year and audit your processes and system.
Does your organization enforce a security policy? You can find the rest of Chris’ slides from the event here. Check out the next recap to see one simple step your organization can take towards becoming more secure.