It’s rough out there—hackers, threats, cyber warfare, and more! Everything is happening at the same time, and it feels like cybersecurity awareness is in everybody’s crosshairs. We all know we should improve our security, but figuring out how to prioritize it is a challenge for all of us.
You can be concerned about your infrastructure, and you should—those servers and databases cost you all that hard-earned money, and we’re not even mentioning the endless hours your developers spent planning your architecture. I wish I could tell you that’s all you need to worry about, but I’d be lying.
Your users are also concerned about their data. Names, email addresses, social security numbers, payment information, and more. You have it, and the bad guys want it. It’s important to think ahead and have answers to some common questions: What are you doing to protect your customer’s data? What steps will you take if your application is compromised?
Luckily, the friendly folks at Sqreen have a solution that might help. Enter the Open Source Security Page. We’re here to discuss why you need a public security policy and how you can get started. Let’s jump right into it!
Cool pitch, but do I need it?
Yes. Unless you’ve been living under a rock, the world of user information protection has been under siege. The changes started with the 2018 GDPR. Although applicable only to EU citizens, GDPR also rocked our world this side of the pond. Big companies already experienced the consequences of a weak security policy. Facebook was among the first to update its strategy, with Google following closely behind.
Being forthright with your users about how you’re using and protecting their data is no longer optional. That’s why you need to have an internal information strategy in place. And if you’re a CTO or a CISO, protecting that data should, by all means, be at the core of your information strategy. Explaining how and what information you collect, how you use it, and what you’re doing to protect it is critical. Moreover, it’s essential to specify how to react in the event that you’re compromised. A robust policy also provides a set of practices to minimize an attack.
That’s right. Protection doesn’t end at the architecture level, and the responsibility doesn’t stop there. That secured network, those secret keys, etc., they’re OK, but they may not be enough. You need to think about all levels of security risk, from infrastructure to network to application. Having a policy will address security concerns your architecture can’t and will also become a team effort. When there’s an attack, it’s a domino effect that usually goes all the way up to the upper management. Acting as a company to define scopes of action and security objectives will engage everyone. Your information security head will thank you.
What is a security policy?
A security policy includes items on data integrity, consistency, and more. The organization needs to follow this material across the board. Typically, this information is available online. Your users should find it readily available.
At its essence, a policy is a set of actions to take. That is, what the strategy to address security problems is. Usually, it consists of a document (or multiple documents) outlining the company’s strategy.
Your company must determine what steps to take and what objectives it can set to protect the customer’s information. Failing to do so may render all other efforts useless.
What you can include depends on your company’s needs, but typically a reliable document needs to cover:
- Integrity: Guarantees that the information will be kept in its original state. An integral document is meant to answer one question: What’s the company doing to prevent changes, accidental or not, to the data?
- Confidentiality: Should provide a guarantee that only authorized users can have access to the protected.
- Availability: Ensures that the users can access their private information when needed. From the organization’s perspective, having documentation available reassures that operations can continue operating at all times.
Now that we’ve discussed the basics, it’s time to answer the main question here.
Why do I need a public security policy?
Having a security policy demonstrates your organization’s commitment to security and compliance. A robust document helps establish confidence with providers and users. The policy lives and breathes and adapts itself to your organization’s needs. Therefore, it’s unique.
Your friends here at Sqreen suggest that having a readily available security policy can even help us save time. Selling or providing services to corporate customers will be seamless if you have an excellent public policy, helping you navigate the dreaded security questionnaires. It also helps your customers and users understand how you will respond to security issues.
As with everything in life, you may be concerned trying to figure out what exactly to write in your public security policy. Should you have one document per service offered? A blanket policy that will cover all products, services, and users? Who is the policy intended for?
That last question is particularly important, and I don’t mean to add more depth to this idea, but companies usually orient their security policies around their customers and often forget to address their engineers and upper management in the plans.
A quick example of a management-oriented security policy might include:
- Proper procedure for buying and adding third-party software or libraries.
- Security breaches and how to notify your crisis resolution teams and/or management.
- Privacy on work devices.
Moreover, here are a few ideas based on content policies out there:
- What data do you collect?
- How does your company use that data?
- How does your company share the information collected?
And ultimately, this question has sparked a lot of controversies:
- How can your users download or delete the information you’ve collected?
Getting started
Obviously, the most straightforward way to get started is to start with a blank page and begin adding content. However, this isn’t recommended. Another option is to go online and use a generator. They ask you a bunch of questions and come up with a blanket document. While a bit more oriented to your needs, also not recommended.
It’s tempting to reuse a boilerplate or a template. However, you’ll find they won’t represent your company’s culture and practices. Internally, your security policy guides your employees on how they respond to an attack. A public document also helps with auditing procedures for the company’s internal systems.
Remember our conversation above. A good security policy should be unique, and this includes both the content and its organization. Remember, crafting a public security policy needs to be a company-wide effort. Sqreen provides a great tool to get started: the Open Source Security Page.
Your company can be up and running with The Open Source Security Page in 15 minutes, which is always a plus. It’s as simple as cloning the repo on your local environment, navigating to the right directory and file, /docs/markdown-content.md, and effectively going by its markdown and adding the proper content.
You don’t need to worry about the design or UX, as the application already includes it. However, if you’re feeling creative enough, you can navigate to the index.html file and tweak the directives. That’s it.
Since it’s an open-source initiative, PRs are welcomed, if you feel so inclined.
Now what?
Get started! Start having these conversations at work, and get everybody involved with the company’s strategies and ideas. As your company’s security owner, you should spearhead the security initiative while making sure those initiatives are compatible with the rest of the company’s rules.
Finally, you need to implement a functional and organized tool to help you get up and running quickly. Your legal department will be happy, and your engineers will appreciate the structure and guidance. If you’re still looking for ideas, try Sqreen’s Security Grader. It’ll ask you some questions about your current setup and will double-check your security.
Remember that this isn’t a one time deal. There will be changes to your policy as your products and your company grow. Every time there’s an update, your security policy should keep up. It’s the only way to make sure your security is up to date.
—-
This post was written by Guillermo Salazar. Guillermo is a solutions architect with over 10 years of experience across a number of different industries. While his experience is based mostly in the web environment, he’s recently started to expand his horizons to data science and cybersecurity.
