Security is important. It underpins pretty much every activity you are engaged in – be it at work or at home. From a business perspective, security can be the difference between winning new contracts, keeping existing customers and simply making a profit. Despite this, a large number of organisations still skip the most fundamental step in their own security: having a security policy.
A security policy acts as the foundation for all your security measures. It gives “high level” direction for how you intend to treat security and sets the framework within which you, your staff and your suppliers should behave to ensure that your business remains secure.
What is a security policy?
For our purposes, a security policy is simply a set of guiding principles or rules stated with the intention of influencing business decisions and actions so that they reflect agreed practice about how your company operates.
Keep in mind that the policy is very much a high level statement of intent. It should be signed off – and supported – by senior management, and it should be flexible enough to allow your business to function.
As a governance document, the security policy should not mandate how things are done – that is for the procedure documents – nor should it set specific benchmarks, as those belong in the standards documents. It should not cover how security will be implemented either – that belongs in the security plan documents.
It should be short enough that people actually read it and succinct enough that it addresses the key security issues for your business. It must be read (and understood) by all your employees and should be included in any contractual terms with your suppliers.
What should my security policy cover?
This depends entirely on your business goals and strategy. The policy document has to align with your business, so be careful about selecting one off the shelf or from a pre-printed book; it is always better to design one specifically for your business.
At Halkyn Consulting, our experience in providing security to a wide range of clients across many market sectors has led us to realise that there are some common elements that should be in every security policy document:
- Introduction and Management Commitment. This is crucial but should be kept short and sweet. Have your Director / Chairman put a paragraph in explaining how important security is to the business and how it is every employee’s responsibility to support the overall security.
- Scope. Set out what areas are covered by this policy and what aren't – we would always recommend you cover physical security, information security (including IT security) and HR related security issues – such as background screening – but the choice is yours.
- Objectives. Keep it short and sweet – ideally following on from the management commitment. If you can't phrase an objective for the policy, are you sure you need one?
- Basic Principles. Here you can include some overarching principles that encompass the policy – for example “We will operate two-person rule in the office at all times to ensure that any accusation of corruption or theft can be easily disproven” or “We will verify the background of all employees to ensure that all our staff are who they say they are, have a legitimate right to work in the UK and have properly represented their past.” Try to avoid any phrasing which can cast doubt on the integrity of your staff even if you are implementing a control over this area. The security policy is here to protect your employees as well as your business.
- Responsibilities. Define key personnel and their responsibilities within your security plan. It is normal to begin with the Board / Senior Management and work down. Make sure you remind all employees that they have a part to play here. Individuals are always responsible for taking care of themselves and complying with the policies, standards and procedures put in place to protect them and your business. Remind them. Repeatedly.
- Policy Statements. Now you can list each of the high level policy statements and give a summary of what is expected. Don't go into process detail here and don't set standards. You can, however, link to both of those documents by saying things like “User accounts will be created in accordance with the User Account Creation Procedure Document and all passwords must comply with the Password Complexity Standard.” Remember to write for your audience, though. Work through your planned policy statements in a logical order and make sure you cover all the areas in your scope.
That is pretty much all you need in a Security Policy – the hard part is to make sure all your employees have read it, understand it and know how to implement & adhere to it.
If you are a small or medium enterprise, you probably only need one policy document, supported by relevant standards and procedures.
However, if your business is complex, you have multiple sites or a workforce that covers lots of different areas, then you might want to consider creating a full Security Management System with several policy documents linking to each area. In this instance, we would strongly recommend you create an overarching “Corporate Policy” which sets intent driven by the board / senior management and then break this down into different policy areas – such as HR, IT, Building Security, Travel etc.
As a very rough rule of thumb, if your policy statements are reaching four pages you need to consider breaking down your policy documents into different policy areas.
As a last point, remember – none of this is any use unless you educate your staff properly and enable them to comply. Right or wrong, most people will go down the path of least resistance. If your staff find it easier to circumvent the policy, or you don't explain it properly to them, then it will fall down.
One of the most cost effective security enhancements possible is staff training. Make the most of it.