
How Do Security Controls Help Implement a Corporate Security Policy?

Nov 10, 2020

A corporate security policy is the cornerstone document of a company’s risk management. Does your business have the appropriate security controls in place to implement the policy, or is the policy a forgotten document in a dusty drawer?

Although most companies have established security policies at the strategic level, these are not always enforced, because they lack foundational support at the tactical level. The key to solving this is knowledgeable and skilled security practitioners who can take the lead and implement security controls aligned with the policy’s goals.

Many security incidents could have been avoided if the proper security controls had been in place. Without them, affected businesses run the operational risk of heavy penalties for non-compliance with security and privacy regulations, while also risking damage to their reputation.

Having a corporate security policy is not a panacea. Implementing and enforcing this policy, with foundational security controls put in place by skilled security practitioners, is the only way to have a robust security posture and prevent your company’s name from hitting the headlines for all the wrong reasons. This article will show you why a security policy is so vital. But first, let’s start with the basics.

What is a Corporate Security Policy?

A corporate information security policy is a statement designed to guide employees’ behavior regarding the security of the company’s data, assets, and IT systems. The security policy defines the who, what, and how regarding the desired behavior, and plays an important role in an organization’s overall security posture.

Security policies reflect the acceptable risk of the executive management and therefore serve to establish a security mindset within the organization. The goal of a security policy is to provide meaningful direction and value to the individuals within an organization.

Security policies are not “static” documents but “living” ones. Given the rapidly changing threat environment, a corporate security policy should be updated frequently to address current risks and regulatory compliance requirements, such as GDPR, CCPA or HIPAA.

To address the acceptable security risk, security policies need to cover access control, change management, training, risk management, incident response and recovery, data encryption and machine identities, and communications security.

Security Policy Must Be an Integral Part of Organizational Culture

For a security policy to be effective and holistic, it has to address people, processes and technology.

  • People represent the user needs, such as convenience, a seamless experience and a lack of friction.
  • Processes support data-driven decisions that serve user needs and satisfy the policy goals and objectives.
  • Technology must be aligned with people and processes for the policy to be proportionate and applicable.

By addressing the people, processes and technology triangle, we ensure that the security policy is an integral part of the overall organizational culture. This is crucial, because it proves that the policy has leadership buy-in and is aligned with the overall corporate policy. Accepted security risk becomes part of the overall business risk. Reports by the World Economic Forum and IBM have identified that cyber-related risks rank among the top ten business risks, second only to environmental ones.

Is Having A Security Policy Enough?

Simple answer: no. Having a security policy forgotten in a dusty drawer is like not having a policy at all. A security policy needs to be enforceable and applicable.

If the policy is not going to be enforced, then why waste the time and resources writing it? It is important that everyone from the CEO down to the newest employee complies with these policies. The executive management must lead by example, comply with the security policies and face the same consequences for non-compliance. Otherwise, mistrust and apathy toward compliance can plague your organization.

On the other hand, can the policy be applied fairly to everyone? Security policies are supposed to be directive in nature and are intended to guide and govern every employee’s behavior. If the policy is not enforced, then employee behavior is not directed into productive and secure computing practices, which results in greater risk to your organization. Users need to be exposed to security policies several times before the message becomes part of the organizational DNA and the risk of non-compliance with the policy is understood by everyone.

Security Controls Implement the Security Policy

While the security policy is at the strategic level and serves as the management’s letter of intention, the security controls, at the tactical level, materialize the goals of the policy.

NIST defines the security control as a “safeguard or countermeasure… designed to protect the confidentiality, integrity, and availability” of an information asset or system and “meet a set of defined security requirements.” Security controls cover management, operational, and technical actions that are designed to deter, delay, detect, deny, or mitigate malicious attacks and other threats to information systems.

The primary objective of the security controls is to reduce security risks associated with data loss, by enforcing your policies and security best practices. Controls can help you achieve goals like:

  • Promoting consistency in how employees handle data across the enterprise
  • Keeping data safe, yet accessible
  • Helping identify and manage security threats and risks promptly
  • Ensuring compliance with regulations, such as the GDPR and CCPA

5 Foundational Security Controls for an Effective Security Policy

These foundational security controls can help any organization implement an effective security policy.

Access Controls: Access controls determine which activities legitimate users are allowed to perform on system resources. By exercising access controls one can specify what users can do, which resources they can access and what operations they can perform on a system. User authentication and access management are authorization controls that are not monolithic but granular and adaptive, based on contextual information and predefined conditions. Access control systems offer different levels of confidentiality, integrity, and availability to the user, the system and the corporate assets.
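The paragraph above describes access control as granular and adaptive, combining what a role is allowed to do with contextual conditions. The following is an added illustration, not code from the original post or from (ISC)2: a small default-deny authorization check in Python in which a coarse role-permission table is refined by contextual conditions (MFA status, network location). The roles, resource prefixes and conditions are constructed sample values chosen for the example.

```python
from dataclasses import dataclass

# Constructed sample permission table (hypothetical roles and resources).
# Each role maps to the (resource prefix, action) pairs it may perform.
ROLE_PERMISSIONS = {
    "analyst": {("reports/", "read")},
    "admin":   {("reports/", "read"), ("reports/", "write")},
    "hr":      {("hr/", "read"), ("hr/", "write")},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    resource: str
    action: str
    mfa_verified: bool  # did this session pass multi-factor authentication?
    network: str        # "corporate" or "external" (constructed context attribute)


def role_permits(req):
    """Coarse check: does any of the user's roles allow this action on this resource?"""
    for role in req.roles:
        for prefix, action in ROLE_PERMISSIONS.get(role, ()):
            if req.resource.startswith(prefix) and req.action == action:
                return True
    return False


# Contextual conditions (predefined policy conditions from the text).
# Each returns a denial reason, or None when the condition is satisfied.
def condition_write_needs_mfa(req):
    if req.action == "write" and not req.mfa_verified:
        return "write requires an MFA-verified session"
    return None


def condition_hr_needs_corporate_network(req):
    if req.resource.startswith("hr/") and req.network != "corporate":
        return "HR data is only reachable from the corporate network"
    return None


CONDITIONS = [condition_write_needs_mfa, condition_hr_needs_corporate_network]


def authorize(req):
    """Default-deny decision. Returns (allowed, reason) so every decision can be logged."""
    if not role_permits(req):
        return False, "no role grants %s on %s" % (req.action, req.resource)
    for condition in CONDITIONS:
        reason = condition(req)
        if reason is not None:
            return False, reason
    return True, "role and context checks passed"


if __name__ == "__main__":
    # Constructed sample requests exercising the role check and both conditions.
    samples = [
        AccessRequest("alice", frozenset({"analyst"}), "reports/q3", "read", False, "external"),
        AccessRequest("alice", frozenset({"analyst"}), "reports/q3", "write", True, "corporate"),
        AccessRequest("bob", frozenset({"admin"}), "reports/q3", "write", False, "corporate"),
        AccessRequest("bob", frozenset({"admin"}), "reports/q3", "write", True, "corporate"),
        AccessRequest("carol", frozenset({"hr"}), "hr/salaries", "read", True, "external"),
        AccessRequest("carol", frozenset({"hr"}), "hr/salaries", "read", True, "corporate"),
    ]
    for req in samples:
        allowed, reason = authorize(req)
        print("%-6s %-5s %-12s -> %s (%s)" % (req.user, req.action, req.resource,
                                             "ALLOW" if allowed else "DENY", reason))
```

Returning the reason alongside the decision is deliberate: logging denied requests with their reason gives the security operations team the visibility the next section asks for, and keeps the policy conditions auditable rather than buried in scattered `if` statements.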

Security Operations: Security operations, such as asset management, change management, assessments, and awareness training, identify an organization’s information assets and document the processes required to implement the policies, standards, and frameworks that ensure the confidentiality, integrity, and availability of these assets. Having visibility into your corporate assets lets security teams know exactly what they are expected to protect.

Risk Identification, Monitoring, and Analysis: Organizations face a wide range of security challenges today, including expanding risks to organizational assets and customer data. Understanding and managing these risks are integral components of a successful corporate security program. Identifying risks to information systems and developing and implementing controls to mitigate the identified risks are the cornerstones of an enterprise-wide risk management process.

Incident Response and Recovery: Planning for unexpected events is an act of prudence. Organizations must plan and be prepared to act during an incident or a breach. Incident response and business continuity planning can assist an organization to navigate safely through the troubled waters of a security incident back to normal operations. As such, incident response and business continuity are complementary to each other. Proper contingency planning and incident response are vital for an organization’s survival.

Cryptography: Cryptography is a “must-have” for every organization as it underpins the overall framework of confidentiality, integrity, and availability. Encryption is the foundation of keeping data confidential, and it is no wonder that it is the one measure mentioned in every regulation and jurisdiction. Encryption also helps ensure the authenticity of two communicating parties, whether humans, devices or machines. Hashes and digital certificates are used to verify the integrity of streamed data. Finally, cryptography affects the availability of data by introducing an extra risk: the loss or compromise of cryptographic keys.
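The paragraph above says hashes are used to verify the integrity of streamed data and that key loss turns into an availability risk. The following is an added example, not code from the original post or from (ISC)2: it hashes a payload chunk by chunk as it streams, first with a plain SHA-256 digest (integrity only) and then with an HMAC keyed by a shared secret (integrity plus authenticity of the sender), and shows that a modified chunk is detected on the receiving side. The payload, chunk size and key are constructed sample values; the helper names are hypothetical.

```python
import hashlib
import hmac

CHUNK_SIZE = 4  # deliberately tiny so the sample payload spans several chunks


def stream_chunks(data, size=CHUNK_SIZE):
    """Yield the payload in fixed-size chunks, as a receiver would see it arrive."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def digest_stream(chunks):
    """Unkeyed SHA-256 over a stream: detects accidental or unauthorized modification,
    but anyone who can alter the data can also recompute this value."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.digest()


def mac_stream(key, chunks):
    """HMAC-SHA256 over a stream: only a party holding the key can produce a valid tag,
    so a matching tag also vouches for the sender's authenticity."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for chunk in chunks:
        m.update(chunk)
    return m.digest()


def verify_stream(key, chunks, expected_tag):
    """Receiver-side check; compare_digest avoids timing side channels on the comparison."""
    return hmac.compare_digest(mac_stream(key, chunks), expected_tag)


def transfer(key, payload, tamper_with=None):
    """Simulate sender -> receiver. The sender computes the tag over the original stream;
    the receiver recomputes it over what actually arrived. Returns (received, verified)."""
    tag = mac_stream(key, stream_chunks(payload))
    chunks = list(stream_chunks(payload))
    if tamper_with is not None:
        index, replacement = tamper_with  # simulate corruption of one chunk in transit
        chunks[index] = replacement
    received = b"".join(chunks)
    return received, verify_stream(key, chunks, tag)


if __name__ == "__main__":
    key = b"constructed-sample-key-for-demo!"  # constructed; in practice a randomly generated secret
    payload = b"policy v1 approved"

    received, ok = transfer(key, payload)
    print("intact transfer verified:", ok)

    received, ok = transfer(key, payload, tamper_with=(0, b"polx"))
    print("tampered transfer verified:", ok, "| received:", received)

    # Availability angle from the text: with the wrong (or a lost) key the tag can no longer
    # be verified, so data that is still present becomes unusable under the policy.
    tag = mac_stream(key, stream_chunks(payload))
    print("verification with a different key:",
          verify_stream(b"a-different-key", stream_chunks(payload), tag))
    print("plain digest:", digest_stream(stream_chunks(payload)).hex()[:16], "...")
```

Two design points are worth noting for practitioners: the incremental `update()` calls mean the receiver never needs to buffer the whole stream before checking it, and the keyed variant is what actually ties the data to a party, which is the same job a digital certificate does for a public key in transport protocols.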

How SSCP Certification Helps

Implementation of the above security controls falls into the hands of security practitioners. And there is no better way to develop your technical skills and security knowledge than achieving the SSCP certification. Whether you are an experienced technology professional or just starting out in the world of cybersecurity, the (ISC)2 SSCP certification is ideal for enhancing your ability to implement, monitor and administer security procedures and controls that ensure your organization’s confidentiality, integrity, and availability.

For more information about implementing security controls and the benefits of SSCP certification, read our white paper, How You Can Become a Cybersecurity Hero.