26. Common Security Policies
Security Policies and Regulatory Obligations
All policies must support the regulatory and contractual obligations of the organization.
Policies should cover required controls while remaining simple enough for users to understand. Senior management is responsible for the policies.
Common security-related policies include the following.
Data Handling Policy
Defines how data can be used within the organization.
- Data may be restricted to certain roles or made public outside the organization.
- Policies should state any restrictions or refer to legal definitions.
- Proper data classification helps the organization comply with laws and regulations.
Example: Classifying credit card data as confidential helps ensure compliance with PCI DSS (Payment Card Industry Data Security Standard), which requires encryption of credit card information.
Password Policy
Defines expectations for systems and users regarding password use.
- Describes leadership’s commitment to secure access to data.
- Outlines password standards used by the organization.
- Identifies who is responsible for enforcing and validating the policy.
Acceptable Use Policy (AUP)
Defines acceptable use of the organization’s network and computer systems and helps protect the organization from legal action.
Employees or anyone with access to organizational assets should sign the AUP and keep a copy.
Common areas covered include:
- Data access
- System access
- Data disclosure
- Passwords
- Data retention
- Internet usage
- Company device usage
Bring Your Own Device (BYOD) Policy
Allows employees to use personally owned devices for business purposes.
- Employees may acquire and use their own equipment.
- Organizations may also provide a list of approved devices.
This approach can improve employee morale but creates security challenges because organizations lose some control over standardization and privacy.
Employees must agree to follow the policy before accessing organizational systems or data. Organizations must set clear expectations and business rules for BYOD devices.
Privacy Policy
Addresses protection of personally identifiable information (PII) and electronic protected health information (ePHI).
The policy should specify:
- What information is considered PII or ePHI
- Proper procedures for handling that information
- Enforcement mechanisms and consequences for noncompliance
- References to applicable regulations and laws
Examples of related laws include GDPR, PIPEDA, HIPAA, and GLBA.
Organizations should also provide a public document explaining how private information is used internally and externally.
Change Management Policy
Change management governs how systems move from the current state to a future state. It includes:
- Deciding to make a change
- Implementing the change
- Confirming the change was correctly completed
Changes to systems, components, or operating environments may introduce vulnerabilities. A change management process ensures changes are implemented without negatively affecting business operations.