
Risks and Benefits of Security Policy Templates

May 24, 2017 by Daniel Dimov

1. Introduction

Many small and large organizations prefer to download ready-made security policy templates instead of hiring experienced professionals for drafting their security policies from scratch. While the use of templates can certainly save human and financial resources, it may also cause financial and reputational harm to the organizations relying solely on templates.

Security policies govern the practices used by organizations with regard to protecting their physical and information technology assets. Security policies are usually continuously updated to reflect practical and regulatory requirements. Normally, such documents include provisions regarding organizations' acceptable use policies, training programs aiming to raise information security awareness, incident response practices, and specific requirements aiming to protect IT infrastructure. Security policy documents may prevent security breaches and mitigate their consequences. Well-drafted security policies also play an important role in investigating cyber-attacks because they may reveal the information security vulnerabilities used for conducting them.

Security policy templates can be found on the Internet either for a charge or as free downloadable documents. Prebuilt security policy templates seem to be a quick and convenient way to meet regulatory requirements and expand an organization's set of security policies. However, when not properly vetted, such templates may expose organizations to a number of dangers. In this article, we will investigate two corporate risks related to the use of security policy templates, namely, the risk of violating laws prohibiting misleading commercial practices (see Section 2) and the risk of violating laws prohibiting negligent representations (see Section 3). We will also investigate the ways in which organizations can benefit from security policy templates without financial and reputational risks (see Section 4). At the end of the article, a conclusion is drawn (see Section 5).

2. Violating laws prohibiting misleading commercial practices

To be effective, a security policy has to be accurate, up to date, professionally diligent, and reflect realistic security practices, strategies, and goals. Failure to meet these requirements may be considered a misleading commercial practice. Misleading commercial practices are acts performed by a company that deceive an average consumer regarding the nature, characteristics, and pricing of the product or service offered, as well as the extent of the company's commitments to its customers.

The laws of most countries prohibit misleading commercial practices. If an organization simply copies a security policy template without adjusting it to its needs, the organization may be deemed to mislead consumers. This is especially relevant for privacy policy statements, which at present are obligatory for websites and web-based applications under the laws of many jurisdictions. For example, if the security policy of a company offering cloud services states that the company will use passwords containing at least 15 characters, but the company actually uses passwords containing only seven characters, the policy will mislead the company's customers into believing that strong passwords protect their data.

The sanctions for misleading commercial practices vary depending on the country. Many regulatory authorities, including the U.S. Federal Trade Commission (the "FTC"), may challenge misleading commercial practices through administrative and judicial channels. For instance, in the case of GeoCities, the FTC commenced administrative proceedings against a company that published a privacy policy stating that the personal information collected through a "New Member Application form" was used only for the purpose of sending specific advertising offers and other products or services. The FTC argued that the company used the collected data not only for the purposes specified in the privacy statement, but "also sold, rented, or otherwise marketed or disclosed this information, including information collected from children to third parties who have used this information for purposes other than those for which members have given permission."

3. Violating laws prohibiting negligent representations

The contract laws of England and other Commonwealth countries use the concept of negligent misrepresentation. It occurs when a natural or legal person carelessly makes a representation without having a reasonable basis to believe it is true. The person to whom a negligent representation is made is usually entitled to damages. By way of illustration, if a company induces its clients to sign contracts with it by falsely stating that it protects personal data by using encryption, the clients may be entitled to invalidate the contract and claim damages.

In the context of security policies, such violations can be intentional or unintentional. While intentional negligent representations are made without the organization genuinely believing that they are true, unintentional negligent representations may occur if the security policy is blindly copied from a purchased or freely downloaded template, without modifying it to meet the particular characteristics and needs of the organization.

Therefore, to avoid violating laws prohibiting negligent representations, it is not enough to assume that the organization using the template adheres to and complies with all the clauses stated in the security policy template. Each clause and statement contained in the template should be reviewed, adapted to that particular organization, and checked against its real security practices.

4. Benefiting from security policy templates without financial and reputational risks

To benefit from security policy templates without risks, an organization needs to follow three simple steps, namely, choosing the correct template (see Section 4.1), adjusting the selected template in accordance with the needs of the organization (see Section 4.2), and checking whether the organization complies with all clauses of the modified template (see Section 4.3). These three steps are examined in more detail below.

4.1 Choosing the correct template

On the Internet, there is a great variety of general security policy templates. However, to have a solid security strategy and ensure compliance with all applicable standards, organizations should give preference to comprehensive templates rather than simple templates that may lack important information. A comprehensive security policy document should cover at least the following information security aspects: acceptable use, backup, network access, incident response, confidential data, outsourcing, email, virtual private network, password, encryption, data classification, physical security, and retention policies.

It is important to note that the chosen general or detailed template should be adjusted and implemented by a professional who is capable of checking the legal compliance of the policy and ensuring that the document meets applicable standards and organizational specifics. Moreover, it should be pointed out that different jurisdictions apply different requirements and compliance standards to security policies. For example, organizations operating in the US will be subject to regulatory compliance standards that differ significantly from the EU legal framework. Thus, it is of utmost importance to identify the applicable law and ensure that the chosen security policy template complies with it. This work should also be entrusted to a security professional who has access to the relevant legal information.


4.2 Adjusting the selected template in accordance with the needs of the organization

A security policy template should be adjusted to comply with the requirements of the relevant jurisdiction, reflect the specifics of the organization, and meet its needs. The adjustments to the template should be made either by an information security officer within the organization who has sufficient knowledge of the applicable laws and standards, or outsourced to external professionals.

Another issue regarding organizations' security policies is the complexity of their language and the contract-drafting style often applied to them. Due to the complex legal terminology often used in such documents, employees of an organization, especially those without a legal education, may find it difficult to understand the details contained in the document and to follow the policies and procedures set out in it. This issue may be crucial when undergoing security assessment audits or mitigating information security incidents. To ensure the accurate application of a security policy, it is important to assess whether the document is drafted in a clear, concise, and easily understandable way, so that the organization's employees are able to follow and interpret it. The document should also be up to date, practical, and reflect real-world experience, instead of being a set of theoretical statements.

4.3 Checking whether the organization complies with all clauses of the modified template

A large number of small and medium-sized businesses prefer to download and use security policy templates for the purposes of remediating compliance listings and performing compliance audits. However, if the chosen security policy template is blindly adopted as the organization's final security policy, or is reviewed without much care, the organization may fail to comply with the clauses of the modified template. To avoid the issues related to negligent representations and misleading commercial practices, all the clauses included in the security policy should be verifiable. Therefore, the statements governing the major aspects of the organization's information security program, such as acceptable use policies, encryption practices, password construction and protection, email use, data breach recovery plans, and security response guidelines, should reflect the real practices of the organization.

5. Conclusion

Security policy templates that are freely accessible on the Internet often assist small and medium-sized businesses in preparing their security policies. However, the improper use of such templates may result in legal issues and financial losses. Therefore, organizations that decide to use security policy templates should be aware of the two legal risks discussed in this article, namely, the risk of violating laws prohibiting misleading commercial practices and the risk of violating laws prohibiting negligent representations.

The main steps that an organization should take into consideration when drafting a security policy on the basis of a template are: (1) choosing a template that meets the applicable standards and legal requirements; (2) allowing a professional to perform any adjustments to the template; (3) ensuring that the final document is customised and drafted in accordance with the needs of the organization; (4) making the document accessible and understandable to the employees of the organization; and (5) checking whether all clauses of the modified template are addressed and complied with by the organization. Moreover, the document should be up to date, practical, and reflect real-world experience, instead of merely being a set of unverified statements. Professional assistance in reviewing the document by a competent person can be of major importance in increasing the quality of the organization's information security program and ensuring a positive outcome of compliance audits.

Co-Author

Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master's degree in IP & ICT Law.

Author: Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.