What are the top 3 most important information security policies a company can have?

This question was asked on LinkedIn and I found it very interesting to read the different opinions given. Based on the answers, I think it is possible to guess differences in people's approach to security policies. I found, for example, that by reading the answers you can figure out whether the person is technology minded or process minded.

My answer reflects my opinion regarding Information Security. I think that technology is obviously essential to protect information systems. However:

  • without a strong governance structure...
  • ...driving a security program...
  • ...supported by a consistent set of security policies...

... technology can be a waste of money. The cursor should be put somewhere between technology and governance. If it is positioned too close to technology, you will experience issues like these:

  • No authority to enforce a security requirement (e.g. you need to install a great security product on the servers of a new project, but the project manager doesn't want it installed, and he has the final word because the new application needs to go live as soon as possible).
  • No consistency in the application of security across the information assets (e.g. who cares about the security of the old mainframe? You would rather work on the security of your new virtual infrastructure!).
  • No strategy or alignment with the business's current and future objectives/initiatives (e.g. you keep working on preventing the blue screen of death with the new Microsoft security patches while your company plans to acquire a competitor, connects both networks directly, and nobody thought security should be consulted).
  • You have many firewalls, intrusion detection systems, proxies and anti-virus, but programmers don't have any secure programming standards and web application programmers have never heard of OWASP.
  • You have many firewalls, intrusion detection systems, proxies and anti-virus, but you are still unsure whether you will be aware of an attack, because you don't have time to review the logs and you are not too sure the alerts work.
  • ...
Well, actually I could make a very, very long list. It could be fun, though: I may try to contact MITRE to propose a new enumeration, the Technology Focused Security Drawback Enumeration (TFSDE) :-)

Well, as you have probably understood from reading these few lines, I am more than convinced that security policies are essential. Policies establish governance, and also demonstrate it. I am convinced of the essential need for security policies, but for the right reasons, not to tick a box and have my number of findings decreased when the auditor comes back. That is unfortunately still the main driver for policies, and for information security in general.

My Answer to the question:

What are the top 3 most important information security policies a company can have?

This is actually a very good question: any security professional has to review policies and needs to prioritize his work, so it makes sense to find out where to start.

I like the work done by Thomas R. Peltier in categorizing policies into three tiers:

  • Global policies (Tier 1)
  • Topic-specific policies (Tier 2)
  • Application-specific policies (Tier 3)

The CISSP also describes three classifications of policies that match more or less Mr Peltier's:
  • Organizational or Program policy
  • Functional, issue specific policies
  • System specific policies

As I have never seen two companies with the same set of policies (even if, in one way or another, they address the same things), I find it useful to first identify which category each policy belongs to.

If you see the set of policies as a pyramid, the policy at the top is the most important and the one that needs to be reviewed first. This is the Tier 1 policy (Peltier's classification) or the Organizational policy (CISSP classification).

Let's call it the "Organizational Information Security Policy" at the top of the pyramid. This policy normally lays out fundamental things like:
  • Governance structure for security
  • Senior management commitment
  • The strategic and tactical security program
  • Roles and responsibilities

I like this policy to be easy to read, as a reference document for all employees, and I like to keep it short (4-5 pages max). I would definitely review this document first.

The next one I would look at is the Asset Classification policy. It needs to be crystal clear to the company which assets need to be protected, to what extent, and who the owner is.

For the third one, if you are responsible for Business Continuity, I would say the Business Continuity Management policy. If this is out of your scope, my third one would be the Acceptable Use policy.

I definitely think that information security is more about strategy and senior management commitment than about addressing it from the technology requirements; that's why I would definitely start by reviewing and updating the Tier 1 policies and having them signed off again.