Security Policies are a vital part of any Business's approach to security. Whereas some Small Businesses put off having one until they feel they are big enough to need one, others believe they won't get big without one. Here we provide some guidance on getting started in creating a Security Policy for your Small Business.
This is an edited transcript of a video blog recording by Sarb Sembhi, CTO and CISO of Virtually Informed, and his co-host Nick Ioannou, Head of IT at Ratcliffe Groves. The initials in square brackets indicate the speaker.
Introduction to Small Business Security Policies
[SS] Today, we're going to be looking at security policies for Small Businesses: how to set one up, their importance, and the place and role that they play within small businesses. I'm going to start off this time. We will be providing a basic template at some point, so please watch this space.
Types of Policies and Documents Supporting Policies
Let's start with how and where security policies fit into a Small Business. Basically, security policies are at the highest level of any set of controls your Business has. This means that, of all the controls that you might have for your network, systems, applications, etc., the security policy is at the very highest level, with all the other controls supporting it.
Another way of looking at policies is in terms of documentation: policies sit at the highest level, with standards, practices and guidelines each forming the next layer or level down. For many Small Businesses, some of these may not be required in the early stages, but as the business grows, the chances are that all of them become necessary. The role each one plays is slightly different. A policy sets out why the organisation is going to do what it is going to do, laying out the overarching principles for security. The standards in particular will define what the organisation will or will not use, why it would use it, and in what circumstances it will use particular technologies or approaches. Standards are the mandatory actions or rules that will be followed to support and direct the policy.
So, for example, your Business may have a firewall policy to protect traffic into and out of your communication network. However, you may also have a standard for firewalls which defines what types you will use, what the minimum specification will be, some minimum rules that all of them must have, the usual rules that all of them will have, what type of encryption you will use, and all those sorts of things related to the use of firewalls that will be the same standard across all of them. Standards define for you what it is you're going to use and why you're going to use it; they are the next level of mandatory detail that a Business may want to use to ensure that it gets its security policy implemented effectively.
Moving further down the documentation stack, practices, procedures or processes define the mandatory steps of how you're going to achieve the policy goals using the standards. Guidelines are the best practices that can be followed but are not mandatory. We've often mentioned the need to document things in previous episodes; if they are mandatory for your Business they would be classed as practices, procedures or processes, but if they were optional, they would be classed as guidelines.
In many cases Small Businesses may start off only having a policy, with the standards and procedures within the policy, and as the Business grows, it may separate the other components out over time.
Include Policies into Staff Handbooks after Board Approval
[NI]: I've noticed that a lot of the time in small businesses, the security policy is part of another document, like the Staff Handbook, which means that there's no actual defined security policy, just a set of dos and don'ts related to security for employees. It's good practice to expand upon what you have and turn it into a more formal document.
In those early days the security policy will cover a wide range of the network, systems and applications, as you've mentioned. However, it's a good idea that as the Business expands, you separate it out into multiple policies rather than have everything to do with security in a single document, or, in the worst case, buried in three paragraphs of a much larger staff handbook. Separating it out also encourages reviewing and updating the separate policies instead of a much larger document that may involve HR and legal. It's better to have a separate security policy that you can update as you need, as technology changes, as advice changes, and just refer to it.
Additional security and risk information and resources for SMBs