flatirontech.

org 2014 Top 25 List of

Information Security Policies and
Procedures Every Business Needs

By Flat Iron Technologies, LLC

flatirontech.org 2014 Top 25 List of Information Security Policies and Procedures Every Business Needs 1
Copyright Protected
 flatirontech.org 2014 Top 25 List of Information
Security Policies and Procedures Every Business Needs
Authors: Flat Iron Technologies, LLC Information Security Professionals

Information security is without question one of the most important and hottest topics facing society
today, due in large part to its increasing use for ensuring the safety and security of critical systems, but
also because of the ever-growing data and cyber security breaches, threats, and attacks. Society has
changed tremendously in recent years, with information security being a large part of this transformation
itself. From increased regulatory compliance mandates, to attacks on the nations critical grid
infrastructure systems, the topic of information security is alive and well, for better or worse. Yet with all
the fear of cyber-attacks and other malicious exploits, companies seem almost paralyzed at times when
putting in place basic, core best practices for ensuring the confidentiality, integrity, and availability (CIA)
of critical systems resources.
And one of the most basic tenants of sound I.T. practices is that of information security policies and
procedures, a topic many companies simply loath, and understandably so. After all, the process of
developing, authoring, refining and completing such documentation is incredibly arduous, mundane, and
highly taxing at times. Still, the material is an essential must have for information security, as
employees and other related parties need clear guidance on the use and application of ones I.T. systems.
Additionally, lets not forget about one of the biggest driving forces behind information security policies,
and thats the ever-growing list of regulatory compliance laws, legislation, and industry specific
mandates. From Sarbanes Oxley to the AICPA reporting framework (SOC 1 SSAE 16, SOC 2 AT
101), HIPAA, FISMA, PCI DSS and thats just the tip of the iceberg security policies and procedures
are a must have for compliance. From essential network security policy documentation to change control
and numerous other mandates, the calling for well-documented, comprehensive information security
policies has never been greater, and its only going to continue to grow in scope and complexity. Its why
organizations need to finally once and for get serious by obtaining, developing, and putting in place
comprehensive information security policies and procedures now.
And while there are a number of organizations and standards advocating such initiatives, such as the
Twenty Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit
Guidelines or CAG, all entities would greatly benefit from more detailed guidance, as least from a policy
and procedure perspective. Lets not forget about the never ending list of information security
benchmarks, standards, frameworks, and best practices while appreciative of their work it often
confuses organizations on which I.T. policies and procedures should be in place.
The solution is finding a cohesive set of high-quality information security policies, those that cover the
approximated twenty-five (25) must-have documents for effective I.T. security and management, and that
also come complete with provisions and supporting procedures from the worlds leading frameworks and
best practices. The top twenty-five (25) information security policies and supporting procedures are now
available for immediate download from Flat Iron Technologies, LLC as an all-inclusive package
containing hundreds of documents.
As for what constitutes the Top 25 information security policies and supporting procedures, consider the
following:
1. Asset Inventory: While not a direct policy document, assent inventory is essentially a process
and procedure for ensuring all system resources are inventoried in a comprehensive manner,

flatirontech.org 2014 Top 25 List of Information Security Policies and Procedures Every Business Needs 2
Copyright Protected
 using a broad range of identifiers and other elements for ensuring detailed information regarding
the who, what, when, where, and why of any particular system resource. As such,
organizations need to have in place formalized processes for recording such information, which
can range from a detailed spreadsheet (which is quite common and very effective) to customized
asset inventory software. Information security is about knowing what all your systems are and
where theyre located, thus asset inventory is extremely critical. Remember, you cant protect
what you dont know you have!

2. Data and Information Classification: Organizations today are faced with copious amounts of
data; much of it considered extremely confidential, while other aspects of it are deemed public
knowledge, available for all to see. Its critically important that all organizations have in place a
clearly defined data and information classification & security categorization policy and
supporting procedures, one that includes the following classification levels:

Unclassified | Public Information

Proprietary
Confidential
Company Confidential
Client Confidential
Sensitive
Trade Secret
Top Secret

3. Security and Patch Management: Time and time again, data breaches and security
compromises occur because of a complete failure in securing and patching system resources
throughout an enterprise. From updating laptops with anti-virus to patching critical databases,
patch management is absolutely essential for ensuring the safety and security of all computing
systems, hence the need for an in-depth and well-documented patch management policies and
procedures.

4. Change Management | Change Control: From internally developed applications, to changes

regarding enterprise-wide system resources, along with changes to customer facing environments,
the need for comprehensive, highly formalized change control measures has never been greater.
Organizations often make changes with little or no documentation at all, leaving virtually nothing
in place regarding accountability and tracking, hence the reason for a well-written change
management | change control policy document.

5. Software Development Life Cycle: The exponential growth in on-demand, web-based services
has also resulted in an explosion in software development activities for many I.T. based
companies. This in turn requires highly formalized and documented SDLC policies and
procedures, whether one utilizes a traditional waterfall model, or perhaps todays growing agile
methodologies. Understanding ones roles and responsibilities along with critical
documentation steps is vital for SDLC initiatives, hence the reason for comprehensive policies
and procedures.

6. Configuration Management: Technically speaking, configuration management is best defined

as Implementing, establishing, maintaining, recording, and effectively monitoring secure

flatirontech.org 2014 Top 25 List of Information Security Policies and Procedures Every Business Needs 3
Copyright Protected
 configurations to an organizations overall information systems landscape, including, but not
limited to the following system resources: network devices, operating systems, applications,
internally developed software and systems, and other relevant hardware and software platforms.

Simply stated, its about applying baseline security standards for ensuring the confidentiality,
integrity, and availability (CIA) of critical system resources, and continuously monitoring and
updating these systems as necessary. Comprehensive configuration initiatives demand well
documented policies and procedures, making this yet another must-have information security
policy document.

7. Vulnerability Management: Identifying, detecting, classifying and prioritizing, along with

remediating, validating, and continuously monitoring vulnerabilities relating to critical
information systems within an organization is an absolute must. This in turn requires well-
document vulnerability management policies and procedures, those that include the following
core subject matter for comprehensive vulnerability management:

IDENTIFICATION | Defining Security Posture and Policies

DETECTION | Assessing Non-Compliance and Vulnerabilities
CLASSIFICATION and PRIORITIZATION | Determining Risk and Urgency
REMEDIATION and VALIDATION | Removing Vulnerabilities and Confirming
Security Updates
CONTINOUS MONITORING | Proactively Assessing Vulnerabilities

8. Incident Response: Knowing how and when to respond to security threats is essential in todays
world of ever-growing cyber security attacks and data breaches. Comprehensive incident
response measures require participation and involvement from everyone within an organization -
senior management all the way down to end-users of systems - along with being aware of the
following core components of incident response:

Preparation
Detection
Initial Response and Containment
Security Analysis | Recovery and Repair
Communication
Post Incident Activities and Awareness
Training and Testing

9. Access Control: Its critically important to have well-defined policies and procedures regarding
user access to all company-wide system resources, along with essential de-provisioning initiatives
also. Too often access control is undertaken with little or no documentation, such as not using
provisioning and deprovisioning forms and checklists, inadequate approval procedures, and
much more. Formalized access control policies and procedures provide much needed guidance
and direction to whats arguably the most important element within any organization who
accesses what systems and why.

10. Personally Identifiable Information: Personally Identifiable Information (PII) has become a
notable topic in information security as organizations are spending vast resources for ensuring the

flatirontech.org 2014 Top 25 List of Information Security Policies and Procedures Every Business Needs 4
Copyright Protected
 safety and security of such information, much of it revolving around personal consumer financial
and health data. With growing cyber security threats and the ever-increasing numbers of data
breaches and security compromises, protecting PII is now more important than ever. What's
needed for ensuring the confidentiality, integrity, and availability (CIA) of PII are well-
documented policies and procedures establishing highly-formalized practices for the use and
disclosure of such information.

11. Server Specific Policies: Windows, UNIX, Linux and any other specific operating systems
residing on servers require comprehensive policies and procedures for ensuring their proper use
and overall safety. Moreover, such documentation should cover basic principles, such as
provisioning and hardening, change control functions, patching, and numerous other best
practices.

12. Server Specific Hardening Documents: Along with such specific policies and procedures for
Windows, UNIX and Linux systems, organizations also need essential provisioning and
hardening documents for ensuring the safety and security of ones information systems. After all,
what good are policies and procedures if comprehensive hardening measures have not been
undertaken for removing insecure services, assigning proper access rights, etc.? Vendors offer a
tremendous amount of information pertaining to system security hardening guidelines, and you
can also purchase the all-inclusive set of information security documents from
securitypolicyportal.com as it contains dozens of essential hardening checklists.

13. Fraud Policy: There are myriads of fraudulent schemes and activities being perpetrated in
todays world. From identity theft to complex financial statement fraud, no person or business
entity is immune to the damaging consequences of fraud. Deterring fraud requires the daily
commitment by all employees, clients, vendors and other related third parties. Fraud, which by its
very nature encompasses a wide range of deceptive and illegal activities, can occur in any
department or division within an organization, resulting in significant threats, losses, and/or
damages. As such, businesses, now more than ever, need a comprehensive fraud program in
place, one complete with an in-depth fraud policy document and other supporting material.

14. Wireless Security: While wireless does indeed provide numerous benefits, insecure platforms
pose significant risks, potentially leading to security breaches that can be extremely damaging,
financially and operationally. Stories abound of poorly provisioned wireless platforms being
compromised by malicious individuals, hackers, and other harmful individuals, ultimately
compromising the confidentiality, integrity, and availability (CIA) of an organization's overall
information systems landscape. A well-written wireless policy covers essential points regarding
wireless access points, access rights, continuous monitoring of the wireless environments, and
much more.

15. Workstation Security: Protecting your workstation area is an important duty all employees
should take very seriously. Employees spend long hours at their workstations, so it's critical to
implement the following best practices:

It's your workstation and that means only you should be using it, and primarily for
business purposes only.

flatirontech.org 2014 Top 25 List of Information Security Policies and Procedures Every Business Needs 5
Copyright Protected
 While most passwords will be enforced by group policy settings from I.T. personnel, its
still important to make them unique, never using information pertaining to your favorites
sports team, home address, middle name, etc.
Make sure your workstation computer has all the required security updates for the
operating system and all other applications running.
Your workstation should be configured for maximum security along with performance,
so do not attempt to disable or modify configuration settings to the operating system or
any other applications.
Do not download or install into any of the drives or ports additional software that has not
been approved as it may contain malicious files, could consume additional resources, or
is simply not professionally suitable for the work environment.
Be careful when opening emails from unknown parties, especially attachments. If it looks
suspicious, do not open the email under any circumstances.
The very best way to implement the aforementioned best practice starts by putting in place a
comprehensive workstation security policy and procedures document for your organization.
16. Vendor Management: With many organizations outsourcing services to other third-party
entities, the issue of vendor management has become a noted topic in todays business world.
Vendor management principles have been around for many years as common due diligence
practices constituted a normal part of business for any entity relying on another for services.
Proper vendor management means conducting extensive due diligence in vendor selection,
assessing current vendors with regards to minimum requirements, reviewing all necessary
contractual documentation, along with numerous continuous monitoring activities and
management oversight.

Whats resulted in an increased focus on vendor management is the growth in information

technology and the need for properly monitoring an organizations growing list of third-party
providers. Using the baseline parameters developed by the banking industry, while also including
provisions relating to information technology results in a comprehensive vendor management
policy and procedures, for which every business needs

17. Social Media. More of an operational policy than that of an information security policy
document, the purpose of a social media policy is to set forth the general guidelines,
responsibilities, and acceptable use of social media forums. Accordingly, this policy also should
adequately discuss and identify unacceptable uses of social media. Simply stated, the use of social
media forums must be conducted with due care and professional judgment at all times for
ensuring the safety and security of organizational information. Too many times weve seen trade
secrets, product specifications, or other highly privileged or sensitive company information being
sent out via the many social media channels. Just as important is it to have policies and
procedures in place for protecting ones network, is the need for policies highlighting essential
social media best practices.

18. Encryption & Key Management: Data breaches, cyber security threats, and untold numbers of
other malicious threats are forcing organization to secure sensitive and confidential data, at rest,
and while in transit. The challenge for most organizations with encryption is not so much the
effectiveness of it - it works very well - but the adoption and continued commitment for ensuring
its use, whenever necessary. From online banking transactions, to I.T. engineers establishing
secure connections, encryption is a must for organizations, and an excellent place to start is a

flatirontech.org 2014 Top 25 List of Information Security Policies and Procedures Every Business Needs 6
Copyright Protected
 professionally developed, comprehensive, and well-defined encryption and key management
policy and procedure document.

19. Anti-Virus and Anti-Malware: Malware is viewed as a hostile and often intrusive software or
program code that can seriously impact the confidentiality, integrity, and availability (CIA) of
ones overall information technology architecture. Its a serious threat that continues to grow
more and more, requiring significant resources from all parties (i.e., vendors who sell anti-
malware products and services, along with organizations that must constantly protect their
systems) regarding effective malware initiatives and solutions. Its therefor critically important to
develop a comprehensive malware policy for the entire organization, one that puts in place
formalized practices for helping thwart viruses and other forms of malicious software.

20. Data Backup and Recovery: One of the most critical functions any I.T. organization can
undertake is ensuring structured and highly formalized data backup policy and procedures are in
place. After all, an organization without its data or the inability to retrieve and restore such data
in a complete, accurate, and timely manner faces serious issues as a viable entity. Backups are
a must, especially considering todays growing regulatory compliance mandates and the ever-
increasing cyber security threats for which business face on a daily basis. Yet even without
compliance mandates, a well-though out, efficient, and reliable backup and recovery plan is a
must for ensuring the confidentiality, integrity, and availability of (CIA) critical data.

21. Firewall Policy: Firewalls are without question one of the most important components within
any organization's network topology as they provide critical services for effectively allowing and
denying specific types of network traffic. Properly provisioned, these devices are highly effective
in blocking unwanted traffic, while also allowing only approved protocols and ports to send and
receive data. However, when provisioned incorrectly and deployed without security in mind,
firewalls can result in critical breaches of security for an organization, ranging from data security
theft to the placement of malicious software (malware) onto one's network. A well-written
firewall policy and supporting procedures is without question one of the most important
security documents any organization can have.

22. Database Policy: Security breaches continue to make front page headlines as thieves relentlessly
pursue sensitive information, such as credit card data, Personally Identifiable Information (PII),
along with financial, banking and other valuable data. By taking proactive measures in securing
and hardening database platforms, organizations are providing the necessary layers of security
needed to mitigate and hopefully eliminate data breaches. Whats needed are database policies
specific to the utility in use (i.e., MySQL, MS SQL Server, DB2, Oracle, etc.).

23. Web Server Security Policy: Web servers (both the residing hardware and software) work in
unison for sending and receiving content to end-users (i.e., clients) by executing any number of
processes. From e-commerce systems to Software as a Service (SaaS) platforms, web servers are
a vital component for a large and growing number of organizations. However, SQL Injection,
Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and numerous other damaging
tactics can paralyze and bring down web servers, often resulting in data breaches to sensitive
information. As such, it's vitally important to secure web servers from today's growing list of
attacks.

flatirontech.org 2014 Top 25 List of Information Security Policies and Procedures Every Business Needs 7
Copyright Protected
 Additionally, Denial of Service (DoS) attacks and other malicious activities against an
organization's network often result in disruption of services from these ever-important web
servers. Securing web servers begins with comprehensive policy and procedure documentation,
such as the material provided from securitypolicyportal.com.

24. Virtualization Policy: Though virtualization has without question brought about greater speed,
efficiencies, and long-term cost savings, great benefits also come with great risks. One of the
biggest challenges of virtualization is that of all computing resources being condensed onto one
physical computing resource, which can be catastrophic if hardware issues are encountered, from
failing disks to physical damage, etc. Additionally, sharing of resources, information, and other
data on virtualized environments also means that malware and other malicious threats can spread
just as easily, conceivably infecting an entire virtualized platform. Comprehensive security
measures for virtualized platforms begin by implementing in-depth, well-written policies and
procedures covering all essential topics, from provisioning and hardening, change management,
patching, just to name a select few initiatives.

25. Remote Access Policy: Advances in technology within recent years have allowed individuals to
enable remote access protocols for accessing data and information within an organizations
private, internal network. As for defining what remote access is - definitions are plentiful - some
vague, while others quite technical in nature. With that said, its best to view remote access as
the following:
The process for which a user must initiate and utilize a known communication protocol (i.e.,
Internet, but more specifically, the use of DSL, cable modem, dial-up, etc.) and other supporting
devices (i.e., modem, etc.). Additionally, remote access is often but not always initiated from
a network not owned, operated, or maintained by the organization granting such access to said
user.
In short, a well-defined remote access policy is needed for ensuring only approved protocols are
used and that only authorized personnel have remote access rights.

Honorable Mention
26. Risk Management: Risk Management has quickly become one of the most notable topics in
todays growing world of regulatory compliance, and for good reason. After all, organizations all
throughout the globe are being challenged like never before with ever-mounting risks, ultimately
forcing senior management to undertake measures for ensuring the safety, security, and financial
solvency of ones enterprise. Organization always have and will continue to face a large
number of growing risks, especially with the complexity of the world we all live. Information
technology has completely transferred so many aspects of the world, yet with great benefits also
come great risks and challenges. Furthermore, the continued adoption and movement towards a
more globally focused economy creates enormous exposure for many organizations, adding yet
another layer of risk that just a few years ago was completely absent.

So whys it not on the Top 25 list, because its not really about having a policy in place its about
putting forth a comprehensive process for assessing risk on an annual basis, which is much more
important than any policy document. If this were an annual list of Top 10
must-have security and organizational practices, then it would without question be included,
possibly even #1.

flatirontech.org 2014 Top 25 List of Information Security Policies and Procedures Every Business Needs 8
Copyright Protected
Theres arguably numerous other information security and operational policies and procedures that could
be included on our annual Top 25 list, yet for purposes of critical must-have documentation, this is the
list weve compiled. Look for our list next year to see what changes, modifications, and enhancements
will be made. With that said, its important to recognize the need for high-quality, well-documented
security policies, especially in todays world of growing regulatory compliance mandates and cyber
security threats.

About Flat Iron Technologies

Flat Iron Technologies, LLC (FIT) is comprised of highly talented
and experienced professionals with a true passion for helping
businesses succeed in todays growing world of regulatory
compliance mandates. Compliance can be incredibly difficult,
challenging and taxing, and its why businesses around the world
turn to FIT for helping with a myriad of regulatory issues, ranging
from comprehensive information security policies and procedures writing to security awareness training,
and so much more. Dont trust your critical compliance needs to just anybody, work with the global
experts whove gained a reputation as hard-working, intelligent, and extremely knowledgeable
professionals that are truly second to none.
Our team consists of a diverse, highly experienced group of individuals possessing a broad understanding
of todays cyber security, information security, and regulatory compliance challenges, which means were
ready to roll up sleeves and assist in any way possible. Companies throughout the world are spending
incredibly large sums of money on any number of security, compliance, and governance mandates, yet the
benefit is often marginal, at best. You need a firm who lives, breathes, and eats this stuff, a firm such as
Flat Iron Technologies, LLC who can get you into shape, iron out the compliance wrinkles, and keep you
on a sustained path for years to come. Give us a call today to discuss your needs and how we can help.
flatirontech.org

flatirontech.org 2014 Top 25 List of Information Security Policies and Procedures Every Business Needs 9
Copyright Protected