Information Security Policies

If your organization is very small, security hygiene measures – which I've written about in detail -- may be all you need for information security.  But as your organization gets larger, the scope of your information security needs necessarily widens and there are more and more controls to put in place (and monitor).

One of the best ways to start down the path to an information security program is to create a suite of information security policies.  Policies, in any domain, essentially state "this is the way we do things here".  If you create an information security policies suite that covers the breadth of controls you need in information security (and privacy) – and if you then implement those policies, as you obviously should – they will drive your entire security (and privacy) program.

It sounds simple but it's best handled with an explicit understanding of your organization's needs in priority order:
  1. generate a list of all the policies required by the organization
  2. prioritize the list
  3. starting from the highest-priority policy and moving down the list, for each policy:
    1. write the policy, review it, and iterate until it's of good enough quality
    2. prioritize the list of controls described in the policy
    3. implement the high-priority controls in the policy
  4. get the entire suite of policies approved
  5. set up a system to track compliance with the policies
  6. go through all the policies to implement the medium-priority controls in each policy
  7. go through all the policies to implement the remaining (lower-priority) controls in each policy
  8. revisit the suite of policies annually or when business conditions change
I've tried to show above that the steps are not linear; rather, they are circular.  So you can start implementing the important policies before you've written all the policies, and you can start implementing a lower-priority policy before you've fully implemented a higher-priority policy.  Your goal is to implement the controls in the order that achieves the best risk reduction for the organization.

There are several frameworks you could start from in creating your suite of policies, but the most commonly used is the specification ISO/IEC 27002:2013, "Information technology — Security techniques — Code of practice for information security controls", or simply ISO 27002.  This is a spec that you'll have to pay for in order to access in full text.

At a basic level you would create one policy artifact for each of the 14 "meat" (non-introductory) chapters -- effectively policy areas -- of the specification:

5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance

Most chapters cover more than one policy area, and the areas in scope for each chapter are not always obvious from the chapter titles, so it's very useful to look at the subheadings and sub-subheadings under each chapter, which you can find here.

I recommend you read through this list carefully in order to understand, at a high level, the wide breadth of information security policy areas, and to start your thinking on which areas you need to cover.

There are a few policy areas that need to be added on top of what ISO 27002 provides, the most important being:
  1. Risk Management Policy
  2. Acceptable Use Policy (AUP)
  3. Disaster Recovery Policy
  4. Privacy Policy for external consumption
Each policy area will become one artifact in your suite of policies.  There are different ways to map policy areas to policy documents, such as one-to-one or many-to-one.  It's often best if each artifact is a separate document because this allows you to reissue each one separately, with change control, but some smaller organizations may prefer to have the entire suite in one document for simplicity.

All -- except for two -- of the policy artifacts are written for the purpose of guiding the teams in the organization that are responsible for aspects of security, so their audience is those teams.  These target teams are mainly:
  1. information security
  2. privacy (if present, for the internal privacy policy) 
  3. human resources (for human resources policies, and the AUP)
  4. legal (for privacy policies, human resources policies, and the AUP)
  5. corporate security (if present, for many aspects of physical security)
The two exceptions are:
  1. Acceptable Use Policy (AUP) – the target is employees
  2. Privacy Policy for external consumption – the target is customers
Creating policies can be a fair amount of work and is therefore often put off longer than it should be.  The best way to reduce the effort is to start from a template that covers all policy areas in depth and then customize it to suit the organization.  Templates can be found on the web or from an information security consultant.

Having information security policies is very important for any organization, but you don't need to try to create them all right away.  Proper prioritization, based on a rough gap and risk assessment, is key to knowing which ones are needed ASAP and which can wait.  It's so much better to have in place the handful -- or even a couple -- of policies that will make a real difference to your organization's security than to postpone indefinitely the creation of any policies because the project seems overwhelming.

This has been only the briefest of overviews of the important area of information security policies.  There is so much more that could be written but this blog post has to stop somewhere.  If you do a web search you'll find no shortage of information.


Security considerations for buying a new smartphone or tablet

If you're in the market for a new smartphone or tablet, one of your most important criteria should be a long support life of security updates.  When your device stops getting security updates, the longer you continue to use it, the larger the target painted on your back becomes, due to the security vulnerabilities that start accumulating. 

Android versus iOS (iPhone or iPad) is often a personal, quasi-religious choice, but, functionality aside, it's fair to say that iOS is more secure but generally more expensive than Android.

For Android:

This is a great article to help you understand security updates by brand for Android:

8 Best Android Phones (Unlocked, Cheap): Our 2021 Picks | WIRED

Look especially at the number of years of security updates provided, since when the security updates end, your phone or tablet becomes only a good paperweight.  Brands that license Android from Google usually have a shorter support life than Google has for its own devices (Nexus brand).

N.B. The number of years of security updates is from when the device is released to the market, not from when you buy it!  So you have to find the release date for a device you're looking at.  You could do a web search for the brand and model of the device combined with "release date".

For iOS: 

Apple does a better job of providing security updates, so an iOS device will almost always get 4 or 5 years of security updates.  And this year, some 5-year-old iOS devices are getting an extra year of support, for a total of 6 years, but that's unusual.


My next talk, kind of: July 21 (AMA)

I've done lots of talks, both in-person and online, on various cybersecurity / information security subjects such as passwords and password managers, two-factor authentication (2FA)/MFA, backup and storage, device and network hardening, secure internet use, privacy, and user security/privacy awareness.

But this session is different: the entire purpose is to answer your questions. You'll be able to ask me your questions in the multi-way videoconference.

For SMBs in the Okanagan, this is your chance to ask any questions you have about cybersecurity as well as information security generally.

Details and registration here: 


Almost free cloud backup

If you're sold on having a full cloud backup of all your data -- and you should be -- but you find the cloud backup services I suggested a bit pricey, there might be an "almost free" option you could use.  It depends, though, on your having access to a lot of space on a cloud storage service like Google Drive, OneDrive, Dropbox, iCloud Drive, etc.  You might have this already, say, if you subscribe to Microsoft 365.

This solution will give you as much retention as you want of old file versions and deleted files, and will let you do point-in-time restores.

Here are the pieces of the solution:

  1. A Sync.com Free plan account, which gives you 5 GB for free (and more if you refer other people to the service).
  2. A cloud storage service (as noted above) with enough space for your entire backup. (You'll actually need somewhat more space given the versioning.)
  3. The SyncBackSE backup software, about CAD $62 one-time

Here is what you do:

  1. Divide your files logically -- in your head -- into two piles: Sensitive and Non-Sensitive.
    • Sensitive files are ones that you think need end-to-end encryption (E2EE).
    • Non-Sensitive files are ones that don't need E2EE.
  2. Then separate your files physically -- on your drive -- so that each high-level folder (say, the top level folders under your Documents folder or your Photos folder) contains either Sensitive files or Non-Sensitive files but not both.
    • Sensitive files are limited to the 5 GB or 6 GB or whatever in your Sync.com plan.
    • Non-Sensitive files are limited to whatever you have in your cloud storage plan.
  3. Buy SyncBackSE software (see above).
  4. Configure SyncBackSE to automatically and daily do this:
    • Back up all Sensitive folders to the Sync.com folder, using Versioning
    • Back up all Non-Sensitive folders to the OneDrive folder, using Versioning
If you want to get a bit fancier, you could use SyncBackSE's AES encryption abilities to encrypt files before writing them to the Non-Sensitive cloud storage. Then you don't really need Sync.com.

If you use this referral link to sign up for Sync.com, you'll get an extra 1 GB of storage.  (I will too, but I have no need for any more space.)


World Backup Day, and suggestions

Today is World Backup Day.  A CBC story.

Data backup is really important so here are a few suggestions:

  1. Ensure that all your important data is backed up to at least one and ideally to two different "places", at least one of which is in the cloud.
  2. For files that live on your computer or an external drive, your first backup should be to a cloud provider.  Your second backup can be cloud or local.
  3. If you have files that live in the cloud, you need at least one backup too, which could be on your computer or an external drive.
  4. Manual backup can work if you're diligent, but automated regular backup is much better.
  5. Cloud sync (often free, e.g., Google Drive) is not the same as cloud backup (usually paid, e.g., Backblaze).  True backup will keep deleted files and old versions of your files for at least, say, a year, supports point-in-time restore, and lets you choose which folders to back up.  Cloud sync providers usually keep these for no more than 30 days, don't support PIT restore, and only back up files you place in the single fixed folder.
  6. For sensitive data consider using a cloud provider with end-to-end encryption (E2EE), also called Zero Knowledge.
  7. For local backups (e.g., to external drives) you probably want to ensure that the data is encrypted.  (But then also ensure that your computer's drive is encrypted.  Windows 10 Home doesn't do that and Windows 10 Pro doesn't do it by default; if someone steals your computer they'll get all your data.)
  8. For mobile devices you can reduce data backup concerns by ensuring that all important data on your device actually comes from (is synced from) the cloud, or, say in the case of new photos, is automatically backed up to the cloud.
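To make concrete what "versioning" means in the "Almost free cloud backup" steps above, and why suggestion 5 here insists that true backup keeps deleted files and old versions and supports point-in-time restore, the following is an added example in plain Python.  It is not SyncBackSE, Sync.com, or any other product mentioned in these posts; it is my own sketch of the mechanism.  It snapshots a source tree into a destination folder (which could be a cloud-synced folder), copies only changed files, keeps every prior version plus a tombstone for each deletion, restores any file as of a chosen time, and prunes by retention.  The folder names, timestamps and sample files are constructed for the demo, and the sensitive/non-sensitive routing only returns a label; it does no encryption.

```python
"""Versioned backup with point-in-time restore (added example, not a product's code).
A manifest per run maps each path to the snapshot holding its content, or to
None once it has been deleted, so old versions and deleted files stay restorable."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional


def classify(relpath: str, sensitive_roots: set) -> str:
    """Route a file by its top-level folder (step 2 of the post): 'sensitive'
    belongs in the E2EE destination, 'plain' in ordinary cloud storage."""
    parts = Path(relpath).parts
    return "sensitive" if parts and parts[0] in sensitive_roots else "plain"


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifests(dest: Path):
    """One manifest per backup run, named <run_ts>.json, oldest first."""
    mdir = dest / "manifests"
    mdir.mkdir(parents=True, exist_ok=True)
    return sorted(mdir.glob("*.json"), key=lambda p: int(p.stem))


def run_backup(source: Path, dest: Path, run_ts: int) -> Dict[str, Optional[dict]]:
    """One run at unix time run_ts. Changed files are copied into snapshots/<run_ts>/;
    unchanged files keep pointing at the snapshot that already holds them; files
    missing since the last run get a tombstone (None) while their old content stays."""
    runs = _manifests(dest)
    prev: Dict[str, Optional[dict]] = json.loads(runs[-1].read_text()) if runs else {}
    manifest: Dict[str, Optional[dict]] = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        digest = _sha256(path)
        old = prev.get(rel)
        if old and old["sha256"] == digest:
            manifest[rel] = old
        else:
            target = dest / "snapshots" / str(run_ts) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            manifest[rel] = {"snapshot": run_ts, "sha256": digest}
    for rel in prev:
        manifest.setdefault(rel, None)  # tombstone for anything no longer present
    (dest / "manifests" / f"{run_ts}.json").write_text(json.dumps(manifest))
    return manifest


def restore_at(dest: Path, rel: str, at_ts: int) -> Optional[bytes]:
    """Point-in-time restore: content of rel as of the last run at or before at_ts,
    or None if the file did not exist (or had been deleted) at that time."""
    chosen = [m for m in _manifests(dest) if int(m.stem) <= at_ts]
    if not chosen:
        return None
    entry = json.loads(chosen[-1].read_text()).get(rel)
    if not entry:
        return None
    return (dest / "snapshots" / str(entry["snapshot"]) / rel).read_bytes()


def prune(dest: Path, oldest_ts_to_keep: int) -> int:
    """Retention: drop manifests older than oldest_ts_to_keep, then delete snapshots
    no surviving manifest references. Returns the number of snapshots removed."""
    for m in _manifests(dest):
        if int(m.stem) < oldest_ts_to_keep:
            m.unlink()
    referenced = {str(e["snapshot"]) for m in _manifests(dest)
                  for e in json.loads(m.read_text()).values() if e}
    snaps = dest / "snapshots"
    removed = 0
    for d in (snaps.iterdir() if snaps.exists() else []):
        if d.name not in referenced:
            shutil.rmtree(d)
            removed += 1
    return removed


def demo() -> dict:
    """Constructed walk-through: create, edit and delete files across two runs."""
    work = Path(tempfile.mkdtemp())
    src, dest = work / "Documents", work / "CloudDrive" / "Backup"
    (src / "Taxes").mkdir(parents=True)
    (src / "Recipes").mkdir()
    (src / "Taxes" / "2020.txt").write_text("v1")
    (src / "Recipes" / "soup.txt").write_text("onion")
    run_backup(src, dest, 1000)
    (src / "Taxes" / "2020.txt").write_text("v2")  # edited after the first run
    (src / "Recipes" / "soup.txt").unlink()         # deleted after the first run
    run_backup(src, dest, 2000)
    out = {
        "routing": classify("Taxes/2020.txt", {"Taxes"}),
        "old_version": restore_at(dest, "Taxes/2020.txt", 1500),
        "new_version": restore_at(dest, "Taxes/2020.txt", 2500),
        "deleted_recovered": restore_at(dest, "Recipes/soup.txt", 1999),
        "deleted_now": restore_at(dest, "Recipes/soup.txt", 2000),
        "before_first": restore_at(dest, "Taxes/2020.txt", 999),
    }
    out["pruned"] = prune(dest, 2000)  # keep nothing older than run 2000
    out["old_after_prune"] = restore_at(dest, "Taxes/2020.txt", 1500)
    out["new_after_prune"] = restore_at(dest, "Taxes/2020.txt", 2500)
    shutil.rmtree(work)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The demo is where the sync-versus-backup difference shows: after the second run a sync folder would hold only "v2" and no soup.txt at all, whereas the manifests let you pull back "v1" or the deleted recipe as they stood at any earlier time.  The prune step shows the cost of a short retention window: once runs older than the cutoff are gone, point-in-time restores before that cutoff return nothing, which is the situation the post warns about with cloud sync's 30-day limits.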