Thursday, December 13, 2012

Defense in Depth Layer 1: Policies/Procedures/Awareness/Education

“People often represent the weakest link in the security chain and 
are chronically responsible for the failure of security systems.”
— Bruce Schneier


The outermost layer of the Defense in Depth (DID) strategy is formed by the policies and procedures that govern a company’s information security practices, together with the awareness and education efforts that make those practices known to everyone in the organization.

Don’t cue the collective eye roll just yet!  While most people don’t appreciate the documentation of do’s and don’ts, policies and procedures serve an important purpose.  Security is everyone’s responsibility; making that fact known upfront can prevent many problems. 

Side Note:  Information security potentially begins at the hiring process.  It is important to hire people who are proactive, have good attitudes, and are willing to comply with company policies.  Once those people are hired, they should be properly trained and treated well.



1. The Purpose of Security Policies and Procedures
There are various reasons to create and implement security policies and procedures. 
- To establish the necessary requirements to prevent or minimize accidental or intentional unauthorized access to, and/or damage to, company technology
- To provide consistent guidelines for best security practices
- To communicate the importance of security to all employees
- To establish minimum safeguards
- To satisfy regulations or laws

2. The Elements of a Solid Security Policy
The security policy should include the following components:
- Purpose
- Scope
- Definitions and acronyms
- Policy topics
- Enforcement
- Compliance
- Revision history
- Related policies and procedures
- Contact information

3. Security Policy Topics
The tenets of Confidentiality, Integrity, and Availability should be upheld in all security efforts. In order to implement and maintain a successful security effort, certain topics should be addressed in the security policy to support these principles, including:
- Roles and responsibilities of all staff members
- Handling confidential, sensitive, and proprietary information
- Appropriate email and Internet usage
- Instant messaging
- Downloading and opening attachments
- Responding to potential security threats and attacks
- Proper use and maintenance of user names and passwords
- Saving and backing up data
- Hardware and software installation
- System access and updates
- Malware avoidance and protection
- Mobile device usage, BYOD, etc.
- Removable media usage, e.g. USB storage devices
- Remote access and telecommuting
- Power irregularities
- Data storage and disposal
- Technology standards
- Other best security practices as applicable

The Policies/Procedures/Awareness/Education efforts should be reevaluated on a regular basis in order to keep up with new threats and vulnerabilities and to prevent complacency.  In order for security efforts to be successful, they must be enforced; even better, they should be modeled by upper management and IT staff.

As the saying goes, the best defense is a good offense.  In the pursuit of information security, it makes sense to start by educating the users of the information to be secured.  With all the external threats out there, it would be tragic if the threat came from within in the form of an unaware or misinformed employee.

Next time, we’ll discuss how physical security measures can provide tangible protective barriers to secure information. 

Thanks for reading!

Jen

2 comments:

  1. Very useful and to the point information, thanks

  2. You’re the best, wonderful blog… really enjoy it and put into my social bookmarks. Keep up the good work IT Support Northampton
