Before you start assigning policies, you need to know where your business is at risk. Enacting policies that are good in name only is a waste of time. It could even get your organization into hot water by misrepresenting what you are actually doing. Based on the outcome of your information risk assessment, covering both technical and operational issues, you will likely need the following desktop-centric policies:
- Change Management
- Mobile Device Synchronization and Handling
- Patch Management
- Remote Access
- Removal of Computer Equipment
- Security Testing
- Security Awareness and Training
- System Logging and Monitoring
- User Authorization
- Wireless Networks
The next step is to determine what needs to be documented. Take some time to think through the security issues related to managing your desktops, and start putting together your minimum security standards and necessary policies. This isn't something, however, that you should take on by yourself. If you work for a relatively small
Once you are ready to write out what you expect, I highly recommend bringing some formal structure to your security policy documents. The following security policy template has been shown to work well:
- Introduction: An overview of what you're covering, such as patch management, malware protection, system maintenance and monitoring, vulnerability testing and so on.
- Purpose: The high-level goal(s) and strategy of the policy.
- Scope: The systems (e.g., desktops, all Windows systems, office applications), users and departments that are covered.
- Exceptions: Specific systems (e.g., Windows XP and older systems), users and departments that are not covered by the policy.
- Roles and responsibilities: The people involved and what's expected of them in support of the policy.
- Policy statement: A place to state your actual policy. Be sure to make it clear that "this is how we do things here".
- Procedures: Detailed steps that outline how you're actually carrying out the policy and how it's being enforced. You might want to consider documenting your procedures in a separate document if they are more than a few sentences in length.
- Compliance metrics: The procedures and means used to measure compliance with the policy.
- Review and evaluation: When the policy will be reviewed and evaluated for accuracy, applicability, etc.
- Sanctions: Specific consequences for policy violations, such as, "X will happen on the first offense, Y for the second offense, and Z for the third offense". (This is where the value of having a security committee, or at least management buy-in and support, becomes obvious.)
- References: Laws, regulations, and frameworks, such as state breach notification laws, HIPAA, PCI DSS, ISO/IEC 27002 and so on.
- Related documents: Other policies, guidelines, standards (such as the ones I've mentioned previously) and documents that pertain to the policy.
- Revisions: The ongoing changes to the policy document (i.e., who, what, when, why).
- Notes: Notes, findings, lessons learned, etc., that can help with future policy management.
The bottom line with security policies is to make them simple yet concise, outline what's expected and keep everyone informed. Also, don't forget to make sure they're actually enforced. The most important thing of all, however, is to just get rolling. If you're diligent and disciplined, you can build out your desktop security-related documentation in no time. You'll have the essentials in place, and you'll be ready to take on any new desktop software that comes your way.
ABOUT THE AUTHOR: Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, he specializes in performing independent security assessments and helping IT professionals enhance their careers. Kevin has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and Security on Wheels blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com.
This was first published in June 2009