The development and deployment of an enterprise Security Policy that defines the what and how of enterprise security is now mandated by numerous regulatory and industry standards, such as HIPAA and PCI-DSS. The development of a Security Policy, however, generally takes specialized skills that most organizations do not have. As a result, the process either takes a significant amount of time, or a significant amount of money. Info-Tech’s Security Policy Solution Set will help you: •Understand what goes into a Security Policy and why. •Determine which specific policies are required by your organization. •Streamline the creation of a policy set via customizable standards-based templates. •Implement policies in an order that makes sense. •Understand policy enforcement. Use this material to build the Policies you need to be protected and compliant without spending a penny.

1. Develop & Deploy a Security Policy Info-Tech Research Group

4. Info-Tech Research Group Policy Implementation and Enforcement Establish a Baseline The value of Policy What goes in a Policy? Build the Policies

7. More complete Policy sets provide better guidance in how to be secure, leading to better enterprise security 0 Info-Tech Research Group Full Policy reduces the likelihood of a security breach By themselves “thou shalt/shalt not” objectives don’t do enough to protect the enterprise; they may indicate “what” needs to be done, but don’t provide enough context to discern the “why” and “how”. Without these factors enterprises find it difficult to enact security. Only a full Policy set (objectives, standards, baselines/guidelines and procedures) provides sufficient information to implement appropriate protection, which is key to avoiding breaches. Survey data shows that having objectives leads to a reduction in breach occurrence of anywhere from 19 to 46% (depending on breach type). However, having full Policies results in a total reduction of 57 to 93%. Clearly, knowing what to do and how to do it improves security more than just knowing what to do. n=114 “ Policy is ineffective without procedures to guide users on how to adhere. Procedures are required so that everyone interprets and acts on the Policy in a consistent manner .” - IT Director of a small Not For Profit

8. Info-Tech Research Group Policy Implementation and Enforcement Establish a Baseline of Understanding Build the Policies Follow a framework during document creation Negotiate stringency with the Business

12. Info-Tech Research Group Negotiate, not mandate, restrictiveness of Policy to ensure higher levels of acceptance and adoption Determine Required Controls Establish Initial Stringency Review Interactively with Business Publish Drafts, Solicit Feedback IT sets initial stringency such that its rationale can be provided in business terms. This is a start point only; use it as the opening position but be prepared that it will change once business needs are understood. IT and business units use workshop sessions to tailor the degree of constraint the policy represents. Know going in which issues you can give on, and where you need to hold firm then practice give-and-take. IT drafts policies based on agreed-to stringency, circulates for review, and incorporates feedback. Maintaining business unit involvement eliminate the risk of error and disagreement at publication. Info-Tech Insight: Policy is a living document – IT can work towards stronger policy over time. Remember; a weaker than ideal policy is better than no policy at all. IT determines the areas where documented controls are needed by the enterprise. Use the results of security audits to identify weak points in existing security controls. Standards such as PCI-DSS can guide as well.

13. Info-Tech Research Group Implement & Enforce Implement with structure Enforcement leads to success Establish a Baseline of Understanding Build the Policies

14. The first phases of policy implementation: obtaining acceptance and assessing impacts Info-Tech Research Group Obtain Acceptance from Management Management buy-in is key to policy acceptance; it indicates that policies are accurate, are to be upheld, that funds will be made available, and that all employees will be equally accountable. Buy-in not just approval and funding, but also the championing of adoption - this says not just “we approve” but also “we will adhere”. Implementation must be seen to be top-down, not bottom-up. Assess Impacts of Policy Deployment Policy changes the way users and systems work; the magnitude of that change must be taken into account. Balance the impact of policies on users as well as on security to determine which policies should be implemented first. Focus on high security/low user impact Policies first to effect maximum change with minimal pain. Adopt low security/high user impact Policies last, when users knowledge is higher. Policy impact matrix “ Policy is our most important security tool, but clean implementation was vital.” - CIO of a regional telecom provider

15. Info-Tech’s Security Policy Implementation Tool will help establish an ordered ranking of Policy implementation Info-Tech Research Group Info-Tech’s Security Policy Implementation Tool assesses the optimal order for Policy deployment. Rank the factors that impact implementation, specify the policies to be implemented, and assign them to framework layers. The tool indicates which Policies should be implemented first, and which can wait until later. It provides ranking scores as well so that enterprises can see the net impact difference between Policies to tweak the order, if required. Policy Implementation Guide Output Page

16. Minimize user impact to ensure that Policy implementation is more successful Info-Tech Research Group Make changes that improve security with no user impact Get things moving and make quick security improvements with policies that don’t affect employees. Train employees and record their acceptance of policies Ensure users are ready for the capabilities to be introduced by educating before making changes that affect them. Make final changes to existing systems and processes Implement/adopt according to security & user impact; balance high security impact against low user impact where possible. Implement net-new capabilities Remaining changes likely to have big impacts, but users will be familiar with and more accepting of processes by now. “ Getting the users trained on the policies early was the key to our successful rollout – the users knew what was coming and, most importantly, why.” - CSO at a large retailer

17. Without enforcement, Policy just another piece of shelf-ware; tools are key to that process 0 Info-Tech Research Group Less than 4 in 10 recognize tools needed for Policy enforcement Process lays the enforcement foundation. Categorizing violations according to severity allows the enterprise to leverage more severe sanctions against more severe problems. Clearly state sanctions that will be levied in the event of violation so there can be no doubt in the minds of employees. Assign responsibility for verifying policy compliance to ensure consistent enforcement. Tools essential for measurement of policy compliance. Activity monitoring and logging the most basic tool required. Syslogs and other native tools provide this minimal capability but often not enough. Dedicated user and system monitoring and management solutions may be required. These tools have configurable rules and automated reporting. Examples include IAM, SIM and GRC software. n=114

18. Policy enforcement must be ubiquitously applied or it will be undermined over time 0 Info-Tech Research Group It is essential that, unless exemptions are specifically written into the Policy, enforcement be applied equally to all users and all groups. If differential enforcement of the Policy is allowed to exist, a “caste” system is created that becomes obvious . In time this undermines Policy acceptance and effectiveness. Survey data shows that Policy enforcement is not leveraged against 60% of managers and 50% of IT staff. In comparison, only 30% of users escape sanctions when violating the Policy. Users cannot be Policy scapegoats “ We are having a devil of a time getting Senior Management to actually follow the security rules that they were part of creating. As a result, our users are starting to grumble. If we can’t get this under control I’m concerned I’ll have a revolution on my hands.” - Security Manager at a Mid-Size Manufacturer