Principle
The organisation defines, implements, communicates and enforces appropriate policies and processes that direct its overall approach to securing systems and data that support delivery of essential services.
Description
The organisation’s approach to securing network and information systems that support essential services should be defined in a set of comprehensive security policies with associated processes. It is essential that these policies and processes are more than just a paper exercise and steps must be taken to ensure that the policies and processes are well described, communicated and effectively implemented.
Policies and processes should be written with the intended recipient community in mind. For example, the message or direction communicated to IT staff will be different from that communicated to senior managers. There should be mechanisms in place to validate the implementation and effectiveness of policies and processes where these are relied upon for the security of the essential service. Such mechanisms should also support an organisational ability to enforce compliance with policies and processes when necessary.
To be effective, service protection policies and processes need to be realistic, i.e. based on a clear understanding of the way people act and make decisions in the workplace, particularly in relation to security. If they are developed without this understanding there is a significant risk that service protection policies and processes will be routinely circumvented as people use work-arounds and short cuts to achieve their work objectives.
Guidance
Developing policies and processes
The policies and processes needed by an organisation depend upon its function and should integrate with the organisation’s approach to governance and risk management. Operators of essential services should have a range of policies and processes, including:
- An organisational security or service protection policy: endorsed by senior management, this high-level policy should include the organisation’s overarching approach to governing security and managing risks, the organisation’s aims and intents for security and what is of key concern.
- Supporting policies and processes: contextual lower-level definitions controlling, directing and communicating organisational security practice.
- Compliance policies and processes for sector regulations, standards, etc.: specific policies and processes appropriate to the compliance regime; these may be defined by the regulation, standard, etc., For example, to comply with ISO/IEC 27001, organisations should have in place certain security policies and procedures relevant to what the organisation does, how it does it, and what their ISO/IEC 27001 information security management system covers (see ISO/IEC 27002:2013 section 5 for detail).
People-focussed practical approach
There is a growing body of evidence that people have a limit to the effort available to comply with security and there are recognisable costs to security behaviours. Exceeding human limits of compliance is likely to result in non-compliance, such as workarounds or circumventing controls.
Organisations should understand how people work with the systems and data they use to support the delivery of essential services to ensure security and people work together. Discover how people and security really need to work together to achieve the organisation’s objectives and desired productivity . Engage in and continue security conversations with staff, partners, contractors, any other system users, security and technical experts, plus organisational representatives such as HR, change and communications experts. These conversations can be enabled through, for example:
- personal interviews,
- staff security attitude surveys,
- promoting security reporting culture without fear of blame or recrimination,
- engaging people in the design of processes and policies
Use your understanding of how people work to develop practical security policies and processes and, wherever possible, reduce the human effort required to comply.
There are many resources available intended to help organisations decide what their service protection policies should look like; for example, SANS provide various information security policy templates.
Personnel security
You should ensure that individuals authorised to access networks and information systems supporting the delivery of essential services are trustworthy. To be fully effective, link personnel security with identity and access control. Further information can be found in CPNI’s Personnel and People Security and ISO 27002:2013 section 7.
Implementing and communicating service protection policies and processes
Implementation of a new or improved service protection policy or process requires communication to those under its scope and evaluation of its effectiveness.
Effectively communicate the policies and information on how service protection processes work to everyone who can affect the security of the system, so that they can readily understand the contribution they make and their responsibilities to essential service security.
Communication can be achieved through continued security conversations and staff awareness and training programmes. However, it should be noted that having a staff awareness and training programme alone, without an understanding of how people work with security, is unlikely to result in improved compliance with service protection policies and processes. Refer to B6. Staff Awareness & Training for further information on effective staff awareness and training programmes.
Suitable data and metrics should be defined prior to implementation to evaluate the previous condition and assess the impact of the new or updated policy or process. Information may be drawn from security incidents, technical measurements, surveys, customer feedback, etc.
Improving policies and processes
Service protection policies and processes should be designed to be adaptable, to fit the needs of the changing environment. Organisations should regularly review their service protection policies and processes in light of any recorded security breaches so that these documents and the organisation’s security can be continually improved.
References
HP & University College London whitepaper The Compliance Budget
SANS blog on security costs to people
SANS information security policy templates
BS ISO/IEC 27002:2013 sections 5 & 7
IEC/TS 62443-1-1 section 5.8 & BS IEC 62443-2-1:2011 section 4.3.2.6
CPNI’s Personnel and People Security
< Back to Principle A4 Forward to Principle B2 >
Source: NCSC