
How to build a better IT security policy

A good defense — from firewalls and passwords to anti-rootkit tools, malware detection, penetration testing and sniffing tools — resides side by side with your security policy.


Once upon a time, critical business information was associated with financial records that were kept protected on paper ledgers in a fireproof safe.

Today, the world looks a lot different when we consider 24/7 business operations, e-commerce, growing volumes of data, increasing customer demands and the need for privacy of information. Couple this with a reliance on automation and technology, and it brings into focus the importance of information security.

It becomes even more important when we’re faced with ensuring business continuity in any kind of business disruption or disaster — from cyber crime to acts of terrorism, natural disasters, pandemics, severe weather and climate change.

In June, for example, the Canadian government became the target of a cyber-attack by activist group Anonymous in response to Bill C-51, the controversial anti-terrorism legislation. The result was a surgical denial of service attack, which caused several federal websites to be impaired for hours. While no loss of sensitive data occurred, the inability for users to access the sites was disruptive — and with that the primary directive of Anonymous was achieved.

So what have we learned from incidents like these?

Information systems are critical to almost all businesses today. C-level executives now, more than ever, are embracing the idea that information security is a fundamental business process required to maintain the integrity of the business and uphold customer confidence.

That’s where a security policy comes in.

A security policy should focus on the IT framework of applications and business systems, including the supporting connectivity layer (the networks). Structured policies are easier to implement, however, if they include associated standards and guidelines.

A standard, used and associated with the specifics of the policy, defines details such as how it is used and under which circumstances. A guideline, on the other hand, is much more flexible and based on industry best practices.

To do this properly, establish the criticality and risk exposure of your IT environments by documenting responses to the following questions:

  • What constitutes a complete inventory of the IT technologies, processes and practices that exist to support or operate the business networks, computers, programs and data?
  • What information security requirements must be in place to ensure the integrity of information in your IT environments?
  • If you measure “what we must have” against “what we already have,” what is the plan to address the gaps?
  • What is the financial and operational impact to the business if a cyber-security incident occurred, such as data being lost or corrupted, or your website or IT system being compromised?

A good defense — from firewalls and passwords to anti-virus programs, anti-rootkit tools, malware detection, penetration testing and sniffing tools — resides side by side with your security policy. Both are your “security tools.”

