Policies, codes, contracts and regulations

In order to realise a secure cyber culture, it’s necessary to formulate appropriate and effective rules through compelling policies, codes, contracts and regulations.

Acceptable use policy

An acceptable use policy demonstrates the organisation’s commitment to information assurance and must be approved by the director responsible for information assurance.

It defines how the business expects individuals to use corporate resources, such as the internet and email, and answers questions like:

  • When can staff members access the internet for private matters?
  • Can individuals send personal email from their corporate account?

The areas included in acceptable use policies should be reviewed and agreed with team leaders, HR and senior managers before they’re enforced.

Codes of practice reinforce policies and procedures and are often incorporated into an acceptable use policy.

They can also provide guidelines on ethical issues like racism, sexual discrimination and harassment. Individuals should acknowledge that they’ve read and understood the acceptable use policy, which should preferably be written in plain English with examples.

Things to consider: social media, email, IPR, diversity, pornography, religion, software, and harassing or otherwise offensive statements.

An acceptable use policy states the rules individuals must follow, for example:

  • Which internet sites are prohibited
  • How corporate email should be used
  • The rules for mobile device usage
  • How to deal with the media


Codes of conduct

Codes of conduct relate to the behavioural responsibilities of staff members, contractors and sub-contractors.

They typically incorporate aspects of behaviour relating to maintaining the confidentiality, integrity, and availability of company systems or information.

This might be things like:

  • Not openly discussing customer contact information outside the workplace
  • Personal safety and integrity issues, including illegal drug use or excessive consumption of alcohol
  • Activities that might lead to an individual becoming a target for blackmail or coercion

Other areas typically included in a code of conduct might relate to corporate hospitality, gifts and improper customer relationships which could lead to allegations of bribery and corruption.

Elements that may be included in this policy are:

  • Ensuring that user passwords and PINs are protected
  • Ensuring that passwords are used appropriately, are not compromised, and are changed at appropriate intervals
  • Ensuring that users only access information, facilities, or equipment for which they have the designated business need and requisite authorisation
  • Logging-off from systems when leaving a workstation unattended
  • Locking away sensitive documentation and media when not in use (as part of a clear desk policy, for example)
  • Use of personal devices such as smartphones and tablets
  • Ensuring that all security incidents are reported (see it, say it)

Employment contracts

Another method of underpinning a security culture is through the individual’s contract of employment. This creates a legal and binding relationship between the employee and employer and ensures that each party is clear about the obligations they have to each other.

Typically, the contract of employment will include:

  • Behaviour and conduct expectations
  • Intellectual property clauses to ensure ideas or sensitive company information remain within the organisation
  • Aspects of acceptable use for systems and knowledge
  • The duty of care to other members of staff

The contract will be signed by both parties to confirm understanding and agreement to the terms.

[Diagram: the four typical contract elements: 1. Behaviour and conduct expectations; 2. Intellectual property clause; 3. Acceptable use; 4. Duty of care.]

Consequences of violation

As you will have noted, when it comes to security breaches it’s not a question of ‘if’ but ‘when’. So, in the event of a security breach or a user not following procedure, remedial action must be taken. The consequences of such breaches should be documented along with the processes and procedures to be followed by all relevant stakeholders in your business. This may include the information security manager, the human resources department, line management and even senior-level executives. In some cases, if the breach is serious enough and involves coercion or espionage (industrial or governmental), or results in the discovery of criminal activities, then there may be an obligation to report it to the police or intelligence services. Users should know the consequences of policy violation and understand that when they sign their acceptable use policies, they are bound by those terms.

When documenting the procedures for dealing with policy violation, you should always establish a stakeholder map, including the point at which each stakeholder needs to get involved. For example, only in the most serious incidents, such as fraud, would you escalate involvement up to the Chief Executive. You should always document the standard responses to each type of violation. A breach of the codes of practice in your acceptable use policy may warrant a ‘three strikes and you’re out’ approach, in which two warnings are issued before the HR interview occurs. Alternatively, the violation may result in an internet ban for three months. Responses must always be measured and appropriate. The most important thing to remember is that each policy violation occurs as an individual incident and should be treated on its own merits.

It’s important to fully assess any incident before administering a penalty. This assessment must look at all the evidence, as in some cases the incident may not be covered by the general policy, and there may well be a good reason it occurred. A good example is when one of your technical security people browses to a website on the corporate black-list as part of an ongoing investigation. This staff member would not be penalised for doing their job properly and thoroughly.

However, it’s a waste of time having a policy in place unless the organisation is prepared to enforce it. Senior management, and those who impose the rules, need to support the processes for dealing with any violations. If violations have not been dealt with appropriately, or have been ignored by line management, then this should itself be considered a violation of policy and treated accordingly. It’s important to monitor this area as part of developing a strong security culture.

Statutory, regulatory and advisory

[Traffic-light diagram with three panels: 1. Statutory: legal requirements such as GDPR/DPA; 2. Regulatory: imposed by trade bodies such as the FCA/ICO/HSE, which can impose fines or exclusion from trading; 3. Advisory: requirements that are not legally binding and are generally issued to encourage best practice or to deal with an issue.]

External factors can influence how an enterprise’s information assurance is managed, and these requirements need to be understood so that the appropriate assurance controls can be adopted to enable the business to fulfil its responsibilities.

Statutory requirements - Legal requirements that must be fulfilled. For example, law enforcement agencies must be contacted if certain laws are broken or are suspected of having been broken (the download of child abuse images would be such a case in many countries). Compliance with these requirements may influence how an enterprise’s incident reporting procedures are organised, e.g. how, when and by whom the authorities should be contacted. Privacy legislation such as the GDPR will influence how information is stored and managed within the enterprise and how resources are deployed to ensure that the enterprise complies with this legislation.

Regulatory requirements - Often imposed by trade bodies, these specify how an enterprise should operate to conform to certain standards. Although these are not legal obligations, regulatory bodies have extensive powers, and failure to comply with regulations could lead to fines or, in extreme cases, exclusion from trading in a particular environment. The finance sector is a good example of this, as it maintains strict controls to prevent financial malpractice such as fraud or money laundering. Official bodies, such as the Financial Conduct Authority (FCA) within the UK, have far-reaching powers. Another example of a UK regulatory authority with significant powers is the Health and Safety Executive (HSE), the government agency responsible for health and safety in the workplace.

Advisory requirements - These may arise from government agencies or utility companies and provide advice on what arrangements should be put in place to cope with events such as fires, natural disasters and acts of terrorism. These requirements are not legally binding and are generally issued to encourage best practice.

Service contracts and safeguarding

Aspects of service delivery are commonly outsourced to third-party organisations, either through a single contractor providing a specialist service or through a fully outsourced capability, for example to deliver penetration testing or auditing services. Services might also be provided by a consortium of partners who deliver a single service under a framework agreement. Many government contracts work this way.

In each situation, the supplier must comply with the standards and requirements of the contracting organisation. For example, if an organisation is ISO 27001 compliant, the contracting supplier might be required to adhere to the same guidelines.

Security requirements will be included in the supplier’s contract, clearly stating that taking on the work requires compliance with all security standards, including the need to be audited. Active management through regular audit checks, perhaps every one to two years, can help to reduce the risk to the organisation.

The contract should include a Security Aspects Letter, which lays out in plain English what security measures and protective markings apply to the information assets the third party will be handling. It should also detail penalty clauses and damages in the event of a security breach. Both parties should sign this contract, which will remain legally binding for at least the duration of service supply.

Passing contractual obligations on from a supplier to a third party is called flow down. A ‘flow down’ clause is a contract provision by which the parties incorporate the terms of the general contract between the owner and the general contractor into the lower-tier agreement.

Contractual safeguards

When developing contracts with third parties, it is important to ensure that controls are put in place to protect the information assets of the enterprise to an acceptable level. In effect, it is necessary to ensure that a third party would take the same level of care in protecting an organisation’s information as the organisation would internally. The types of safeguards required will vary depending on the type of service being provided and the sensitivity of the enterprise data.

Contract conditions should include clauses to ensure that proper assurance controls are in place. The clauses needed might include requirements to:

  • Carry out regular assurance reviews and health checks
  • Apply security patches in a timely manner
  • Protect information against malicious code

What’s next?

Building on this overview of the need for security and a positive security culture, it’s time to move on to look in detail at user access controls. You’ll read up on what’s available and the benefits of some of the processes available to you.

Procedural and people security is a key part of Information Assurance. Threats are not only external; they may also originate with or involve staff or ex-staff members. Therefore, it’s essential that all staff follow correct policies and procedures so that they foster an appropriate security culture.

About the Author

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.