
A BlueCentral Whitepaper

Information Security Policies, Standards and Procedures


Guidelines for effective information security management.
By Simon Oliver, General Manager Clients and Strategy, BlueCentral with Kevin Fitzgerald, Principal at Fitzgerald InfoSec

A BlueCentral Whitepaper | 1

Contents
p3 Introduction
p4 Developing information security policies, standards and procedures
p5 Meeting international standards
p6 Information security health check and report
p6 Conclusion
p7 About BlueCentral
p7 Contact us


Introduction
The information security landscape is changing rapidly. The most recent influences have been:
- the proliferation of storage-rich mobile technology in the form of smartphones and tablet devices
- the new gen-Y "digital native" workforce changing the nature and definition of work
- the freedom of expression available to users of social media
- the convenience of working outside the office, at hours that suit the individual's role and lifestyle.

As a result of these adjustments in the way business is conducted, ownership of information no longer carries the clear accountability it once did. Physical and behavioural boundaries used to exist around information management, but these can be missing in the modern workplace. Clearly thought-out information security policies, standards and procedures that address internationally supported standards will go a long way towards reducing the risk exposure these changes have created.

An organisation operating without information security policies, standards and procedures is akin to a ship without a rudder. A business operating with considered policies, standards and procedures can demonstrate to management, stakeholders and employees the critical importance of information security to the long-term success of the organisation.

It is also vital that these policies and procedures are backed by the executive layer. Without C-level buy-in, it will be difficult to create a culture of respect for security in the organisation's daily operations. Additionally, security guidance should be factored into longer-term business strategies on issues including flexible working, BYOD and acceptable-use policies for social networking.

BlueCentral has teamed with Kevin Fitzgerald, a 30-year veteran of information security, to co-author a three-part series on risk management.

As a hosting provider, it is critical for us to ensure that the hosting systems and solutions of both BlueCentral and our customers meet the wide range of criteria required by Australian Standards. These include compliance with data privacy standards, high information security levels, and the reassurance for customers that the systems on which their data is hosted are reliable, scalable and robust enough to withstand the threats they face. In this third paper, Policies, Standards and Procedures, we discuss guidelines for effective information security management. The previous papers in this series are Risk Management and Business Continuity Management.


Developing information security policies, standards and procedures


The introduction of information security policies, standards and procedures is a good idea at any time. In the current technology and business environment, these documents provide a powerful way of creating a security-positive corporate culture. They also enable businesses to maximise the advantages of the Information Transformation Age while establishing clear behavioural boundaries around information protection.

A comprehensive project to develop policies, standards and procedures should cover the following phases:
- Project initiation
- Information Security Health-check
- Creation of appropriate policies, standards and procedures
- Application of the policies, standards and procedures to the day-to-day operations of the organisation
- Security awareness training.


Meeting international standards


Just as creating and implementing information security procedures, standards and policies customised to your business is a crucial undertaking, so too is ensuring these procedures, standards and policies adhere to global best practice. The international standard for information security management systems, ISO/IEC 27001:2005 (Information technology - Security techniques - Information security management systems - Requirements, adopted in Australia as AS/NZS ISO/IEC 27001:2006), provides a model for establishing, implementing and operating an Information Security Management System (ISMS) scaled to the needs of any organisation.

A key element of the ISMS is the definition of a risk assessment methodology suited to the organisation. (For more on managing risk, see the first paper in this series.) The risk assessment methodology is designed to help the organisation understand its risk profile. This profile is then used as the basis for selecting the pre-defined Control Objectives and Controls that will enable the business to safeguard its information.

The ISO 27001 standard is designed to set a detailed scope of security policies which can be applied to your organisation. Its Annex A covers the following Control Objective Topics:
- Security Policy
- Organisation of information security
- Asset management
- Human resource security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance

Note that the 2013 revision of the standard reorganised Annex A into 14 control domains, so confirm which edition your auditor or certification body expects before mapping policies to it.

Once established, these Control Objective Topics should be:
- evaluated as part of an Information Security Health-check report;
- tailored to the organisation and implemented as formal information security policies, standards and procedures;
- implemented as actual information security controls and applied within the organisation's operations as appropriate;
- promoted in training and awareness seminars and webinars as required.

Note that the ISO 27001 standard provides an important foundation for organisational security, but there will also be other influences depending on your business, location and compliance requirements. These include the Privacy Act, PCI DSS, SOX and HIPAA, to name a few. It is important to establish all of the regulations and requirements applicable to your industry in advance, to ensure your policies and procedures suit the business environment in which you operate.


Information security health check and report


The purpose of reviewing an organisation's information security profile is to give management an overall view of the strengths and weaknesses of the business's security, measured against the ISO 27001 standard. With this knowledge, management can judge whether further work is needed and, if so, in which areas. The steps below outline the process for reviewing an organisation's information security profile:

1. Much of the review is completed by a consultant undertaking face-to-face interviews with management and stakeholders. These interviews are structured around the 11 ISO 27001 Control Objective topics listed in the previous section. (Alternatively, participants can be asked to rate the organisation against each Control Objective on a percentage scale or chart.)

2. After the interview or survey stage, the consultant consolidates the responses and presents them as averages. These averages show the organisation's information security status against the eleven Control Objectives: the rating for each survey question is turned into an estimated rating for the Control Objective it belongs to. (This may require a collaborative workshop to gain agreement on each objective.)

3. Once agreed, the security effectiveness profile provides the basis for management to recommend actions to improve the organisation's security posture.
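The consolidation in step 2 is easy to get wrong: a plain average across all answers lets one respondent who answered many questions outweigh the others, and it hides the disagreements that the workshop is meant to resolve. The following Python script is an added example, not part of the whitepaper or of BlueCentral's or Fitzgerald InfoSec's own method. It assumes survey responses are captured as (respondent, control objective, question id, percentage rating) tuples; the sample responses, the question ids and the 20-point disagreement threshold are constructed for illustration. It averages each respondent's answers per objective first, then averages respondents, and flags any objective where respondents differ widely as needing the agreement workshop.

```python
"""Consolidate health-check survey ratings into a per-Control-Objective profile.

Added example for the health-check step; not code from the whitepaper.
"""
from collections import defaultdict
from statistics import mean, pstdev

# The 11 Annex A control domains of ISO/IEC 27001:2005 listed in the paper.
CONTROL_OBJECTIVES = [
    "Security Policy",
    "Organisation of information security",
    "Asset management",
    "Human resource security",
    "Physical and environmental security",
    "Communications and operations management",
    "Access control",
    "Information systems acquisition, development and maintenance",
    "Information security incident management",
    "Business continuity management",
    "Compliance",
]

# Constructed sample survey data (not real client data):
# (respondent, control objective, question id, rating as a percentage 0-100).
# The question ids (AC-1 etc.) are invented for this example.
SAMPLE_RESPONSES = [
    ("CIO", "Access control", "AC-1", 90),
    ("CIO", "Access control", "AC-2", 80),
    ("Ops lead", "Access control", "AC-1", 30),
    ("Ops lead", "Access control", "AC-2", 40),
    ("CIO", "Security Policy", "SP-1", 60),
    ("Ops lead", "Security Policy", "SP-1", 70),
    ("CIO", "Asset management", "AM-1", 50),
    ("CIO", "Compliance", "CO-1", 90),
    ("Ops lead", "Compliance", "CO-1", 90),
]


def consolidate(responses, disagreement_threshold=20.0):
    """Turn per-question ratings into an estimated rating per Control Objective.

    Each respondent's question ratings for an objective are averaged first, so
    every interviewee carries equal weight regardless of how many questions
    they answered. The spread (population standard deviation) between
    respondents flags where the agreement workshop is needed.
    """
    per_person = defaultdict(lambda: defaultdict(list))  # objective -> respondent -> ratings
    for respondent, objective, question, rating in responses:
        if objective not in CONTROL_OBJECTIVES:
            raise ValueError(f"{question}: unknown control objective {objective!r}")
        if not 0 <= rating <= 100:
            raise ValueError(f"{question}: rating {rating} outside 0-100")
        per_person[objective][respondent].append(rating)

    profile = {}
    for objective in CONTROL_OBJECTIVES:
        respondent_scores = [mean(r) for r in per_person[objective].values()]
        if not respondent_scores:
            # A gap in the survey: never silently treat 'no answer' as a score.
            profile[objective] = {"rating": None, "spread": None,
                                  "respondents": 0, "needs_workshop": False}
            continue
        spread = pstdev(respondent_scores)
        profile[objective] = {
            "rating": round(float(mean(respondent_scores)), 1),
            "spread": round(float(spread), 1),
            "respondents": len(respondent_scores),
            "needs_workshop": spread > disagreement_threshold,
        }
    return profile


def weakest(profile, n=3):
    """Lowest-rated objectives first; unrated ones are excluded, not ranked as zero."""
    rated = [(obj, v["rating"]) for obj, v in profile.items() if v["rating"] is not None]
    return sorted(rated, key=lambda item: item[1])[:n]


if __name__ == "__main__":
    result = consolidate(SAMPLE_RESPONSES)
    for objective, row in result.items():
        flag = "  <- workshop needed" if row["needs_workshop"] else ""
        print(f"{objective:<62} {str(row['rating']):>5}{flag}")
    print("Weakest:", weakest(result))
```

On the sample data, Access control averages to 60 but the two respondents disagree by 50 points, so it is flagged for the workshop even though its average is not the lowest; objectives nobody was asked about stay unrated rather than dragging the profile down. Those two behaviours, not the averaging itself, are what the consultant's consolidation should preserve.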

Conclusion
In summary, information security policies and standards are not to be taken lightly. An organisation that does not align its policies, standards and procedures with ISO 27001 is more exposed to security breaches and data leakage, which could result in the loss of clients and contracts and damage its business reputation. Those who do understand the importance of information security standards and procedures create and implement a security-conscious culture that has the capacity to improve every aspect of their business activities.


This whitepaper is a consolidated brief drawing from an extensive project workbook on information security policies, standards and procedures. If you would like to receive the full workbook, please visit www.fitzgeraldinfosecmentoring.com or email Kevin Fitzgerald at kevin@fitzgeraldinfosec.com.au.

About BlueCentral
BlueCentral is an Australian hosting company offering managed infrastructure and business-grade hosting services to the private and public sectors. It guarantees high availability of clients' services through active management of critical online infrastructure, including networking, server, data storage and security technologies. The company has been delivering IT managed hosting services for 15 years and has over 150 clients across Australia and New Zealand. BlueCentral is an IPMG business, an integrated group of marketing services businesses with over 20 companies across print, digital and communications. For more information, visit BlueCentral's website at www.bluecentral.com.

Contact us
Phone: 1300 258 323 Email: sales@bluecentral.com www.bluecentral.com

managed hosting | virtual hosting | data storage | disaster recovery
