Security policies serve as formal documentation of your organization’s overall security strategy and are fundamental to your security program. They are the rules you have decided will govern various aspects of your security, and they are vital guides to securing your organizational assets.
Why Security Policies are Important
Security policies are important because they help to protect your organization’s tangible and digital assets. Physical security policies are designed to safeguard buildings, personnel, and hardware such as computers and other IT equipment from theft, loss, or damage. Data security policies protect electronic or digital assets such as software, databases, intellectual property, and other sensitive information from hacking, ransomware, or other breaches.
If security policies reflect your strategy, security procedures and security processes are the tactical implementations of that strategy. Examples of topics addressed by security policies include acceptable use, access control, change management, data backup and retention, disaster recovery, and incident response, to name a few.
Security policies are required by many regulations and security frameworks, including the widely-adopted Cybersecurity Framework promulgated by the National Institute of Standards and Technology (NIST), and the sweeping HIPAA Security Rule in healthcare as two examples.
NIST Framework Requires Security Policies
Because they are part of the foundation of any security program, security policies are specified in the first of the five core functions of the NIST Cybersecurity Framework (version 1.1, which this article follows). The five core functions are Identify, Protect, Detect, Respond, and Recover. Note that version 2.0 of the Framework, released in February 2024, moves governance, including policy, into a sixth core function, Govern; the underlying requirement that policy be established and communicated is unchanged.
Core Function #1: Identify. This primary core function calls for developing an “organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.”
According to the NIST Cybersecurity Framework, “Activities in the Identify function are fundamental to the effective use of the framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts consistent with its risk management strategy and business needs.”
Core Function: Identify > Category: Governance. Security policies reside in the Governance category (ID.GV) of the Identify function. In version 1.1 of the Framework, the Identify function has six categories: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management.
The Governance category requires that the “policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.”
Core Function: Identify > Category: Governance > Subcategory: Security Policy. Subcategory ID.GV-1 under Governance is specific to security policies. It requires that “Organizational cybersecurity policy is established and communicated.” While this reads as a simple statement, it represents a good deal of work: to satisfy it, security policies must be (1) established, (2) implemented, (3) communicated, (4) maintained, and (5) updated as needed to keep them viable. A policy that has been written but never distributed to, or acknowledged by, the people it governs does not meet the subcategory.
Other Requirements for Security Policies
In addition to the NIST Cybersecurity Framework, several regulations and industry standards require documented security policies. These include the Gramm-Leach-Bliley Act (GLBA) governing the financial industry, the HIPAA Security Rule in the healthcare industry, and, for any organization that stores, processes, or transmits cardholder data, the PCI Data Security Standard (PCI DSS), which is a contractual industry standard maintained by the PCI Security Standards Council rather than a federal regulation. There are others as well.
In the healthcare sector, for instance, the Administrative Safeguards section of the HIPAA Security Rule sets requirements for authorizing access to patient data, for training and sanctioning the workforce, and for periodically evaluating the resulting controls. The three specifications below are just a few of many examples of the security policies required in the healthcare industry:
- Implement policies and procedures for authorizing access to electronic protected health information (ePHI) when such access is appropriate.
- Train all workforce members regarding security policies and procedures and apply appropriate sanctions against workforce members who violate them.
- Perform a periodic assessment of how well the security policies and procedures meet the requirements of the Security Rule.
In other words, healthcare organizations must control access to patient data, enforce the controls, and review the policy and procedures periodically. Other Safeguards have requirements for specific policies as well.
When to Review Your Policies
Security policies that are written and published once, without review and updating, will become outdated and unenforceable over time. They must be treated as living documents.
For that reason, security policies should be reviewed at least every three years to ensure they reflect your organization’s current operating environment as well as current federal, state, and industry regulations.
In addition, there are several specific events that should trigger a security policy review immediately. These trigger events include:
- Implementation of new information services or systems, or significant changes to existing information services or systems.
- Introduction of new, or significant changes to, existing infrastructure or technology.
- Engagement of new third parties who may have access to company buildings, hardware, data, or systems. These include cloud service providers, data processors, contractors, and similar outsourced services.
- New regulations that have physical or data security implications, or changes to existing regulatory requirements.
If these or similar events occur, conduct a security policy review promptly in order to (1) determine the effects of the event on your existing security policies, (2) update the affected policies immediately, and (3) publish and otherwise communicate the updated security policies.
How to Review Security Policies
An effective review of your security policies entails three primary steps, as follows.
- Inventory. Gather your current inventory of security policies, including official policy documents as well as memos and other announcements of ad hoc changes to policies. Often, ad hoc changes fail to make it into the official policy documentation, and the policy review is an opportunity to add them.
- Analyze. Review and assess your current security policies in the context of regulatory requirements that apply to your industry and organization. Identify where required security policies are absent from the written documentation. Also, identify which policies only partially meet regulatory requirements.
- Remediate. Where policies are missing, develop policies to address the gaps, making sure they meet regulatory requirements and organizational needs. Where policies are not fully compliant, or are out of date for other reasons, amend them accordingly.
When conducting your security policy review, it’s helpful to also gather the security procedures that flow out of each policy. Reviewing policies and procedures together is more thorough and reveals where procedures are missing, where a procedure no longer matches the policy it implements, and other out-of-sync conditions.
If resource constraints make it unrealistic for you to review your security policies every three years, consider engaging a professional security consultant or a Virtual Chief Information Security Officer (VCISO) to conduct this project for you. Outsourcing this review to an expert is a smart and popular option.
Security policies document your organization’s overall security strategy and drive the formulation of tactical procedures and processes. Many regulations require those security policies, and procedures, to be implemented and maintained. The HIPAA Security Rule specifies a variety of security policies, for example, and the NIST Cybersecurity Framework calls for the creation of security policies in its primary core function.
Security policies can become outdated and incomplete as your organization grows and evolves, and as specific events trigger new policies. In addition, security policies can be outdated by the enactment of new regulations and changes to regulatory requirements. A security policy review, conducted every three years at a minimum, will ensure that your policies remain current and compliant.