A partner wants a copy of our written IT security policy and I'm not sure what to do [closed]

My company is working with another company and as part of the contract they are requesting a copy of my company's written IT Security Policy. I don't have a written IT security policy, and I'm not exactly sure what I want to give to them. We're a Microsoft shop. We have update schedules, limited-access accounts to manage servers, firewalls, SSL certificates, and we run the Microsoft Baseline Security Analyzer from time to time.

We configure services and user accounts as we feel is mostly safe and secure (it's tough when you don't have full control over what software you run), but I can't go into every detail; each service and server is different. I'm getting more information about what they want, but I feel as if they're on a fishing expedition.

My questions are: is this a standard practice, to ask for this information? (I'm not against it honestly, but it's never happened before.) And if this is standard, is there a standard format and expected level of detail I should present?


Solution 1:

They don't need a copy of your entire internal IT policy, but I think they may be after something similar to this. Someone definitely needs to get you enough information about the contract to determine how much detail you need to provide, and about what. Though I agree with Joseph: if they need the information for legal/compliance reasons, there needs to be legal input.

Background Information

1) Are any of your employees located outside of the US?

2) Does your company have formalized and documented information security policies in place?

3) Is the handling and classification of information and data covered by your information security policies?

4) Are there any outstanding regulatory issues that you are currently addressing in the state(s) you operate in? If yes, please explain.

General Security

1) Do you have an information security awareness training program for employees and contractors?

2) Which of the following methods for authenticating and authorizing access to your systems and applications do you currently use:

  • Performed by operating system
  • Performed by commercial product
  • Single sign-on
  • Client-side digital certificates
  • Other two-factor authentication
  • Home grown
  • No authentication mechanism in place

3) Who authorizes access for employees, contractors, temps, vendors, and business partners?

4) Do you allow your employees (including contractors, temps, vendors, etc.) to have remote access to your networks?

5) Do you have an information security incident response plan? If no, how are information security incidents handled?

6) Do you have a policy that addresses the handling of internal or confidential information in e-mail messages to outside your company?

7) Do you review your information security policies and standards at least annually?

8) What methods and physical controls are in place to prevent unauthorized access to your company's secure areas?

  • Network servers in locked rooms
  • Physical access to servers limited by security identification (access cards, biometrics, etc.)
  • Video monitoring
  • Sign-in logs and procedures
  • Security badges or ID cards visible at all times in secure areas
  • Security guards
  • None
  • Other, Please provide additional details

9) Please describe your password policy for all environments (i.e., length, strength and aging).

10) Do you have a disaster recovery (DR) plan? If yes, how often do you test it?

11) Do you have a Business Continuity (BC) plan? If yes, how often do you test it?

12) Will you provide us a copy of your tests results (BC and DR) if requested?

Architecture and system review

1) Will [The Company]’s data and/or applications be stored and/or processed on a dedicated or shared server?

2) If on a shared server, how will [The Company]’s data be segmented from other companies’ data?

3) What type(s) of company-to-company connectivity will be provided?

  • Internet
  • Private/Leased line (e.g., T1)
  • Dial-up
  • VPN (Virtual Private Network)
  • Terminal Service
  • None
  • Other, Please provide additional details

4) Will this network connectivity be encrypted? If yes, what method(s) of encryption will be used?

5) Is there any client-side code (including ActiveX or Java code) required in order to utilize the solution? If yes, please describe.

6) Do you have a firewall(s) to control external network access to your web server(s)? If no, where is this server(s) located?

7) Does your network include a DMZ for Internet access to applications? If no, where are these applications located?

8) Does your organization take steps to ensure against Denial-of-Service outages? Please describe these steps.

9) Do you perform any of the following information security reviews/tests?

  • Internal system/network scans
  • Internally managed self assessments and/or due diligence reviews
  • Internal code reviews/peer reviews
  • External 3rd party penetration tests/studies
  • Other, Please provide details

How frequently are these tests performed?

10) Which of the following information security practices are being actively used within your organization?

  • Access control lists
  • Digital certificates - Server Side
  • Digital certificates - Client Side
  • Digital signatures
  • Network based intrusion detection/prevention
  • Host Based intrusion detection/prevention
  • Scheduled updates to intrusion detection/prevention signature files
  • Intrusion monitoring 24x7
  • Continuous virus scanning
  • Scheduled updates to virus signature files
  • Penetration studies and/or tests
  • None

11) Do you have standards for hardening or securing your operating systems?

12) Do you have a schedule for applying updates and hot fixes to your operating systems? If no, please tell us how you determine what and when to apply patches and critical updates.

13) To provide protection from a power or network failure, do you maintain fully redundant systems for your key transactional systems?

Web Server (if applicable)

1) What is the URL that will be used to access the application/data?

2) What operating system(s) do the web server(s) run? (Please provide OS name, version and service pack or patch level.)

3) What is the web server software?

Application Server (if applicable)

1) What operating system(s) do the application server(s) run? (Please provide OS name, version and service pack or patch level.)

2) What is the application server software?

3) Are you using role based access control? If yes, how are the access levels assigned to roles?

4) How do you ensure that appropriate authorization and segregation of duties are in place?

5) Does your application employ multi-level user access / security? If yes, please provide details.

6) Are activities in your application monitored by a third party system or service? If yes, please provide us with the company and service name and what information is being monitored.

Database Server (if applicable)

1) What operating system(s) do the database server(s) run? (Please provide OS name, version and service pack or patch level.)

2) Which database server software is being utilized?

3) Is the DB replicated?

4) Is the DB server part of a cluster?

5) What is done (if anything) to isolate [The Company]’s data from other companies?

6) Will [The Company]’s data, when stored on disk, be encrypted? If yes, please describe the encryption method.

7) How is source data captured?

8) How are data integrity errors handled?

Auditing and Logging

1) Do you log customer access on:

  • The web server?
  • The application server?
  • The database server?

2) Are the logs reviewed? If yes, please explain the process and how often they are reviewed.

3) Do you provide systems and resources to maintain and monitor audit logs and transaction logs? If yes, what logs do you retain and how long do you store them?

4) Will you allow [The Company] to review your system logs as they pertain to our company?

Privacy

1) What are the processes and procedures used to declassify/delete/discard [The Company]’s data when no longer needed?

2) Have you at any time erroneously or accidentally disclosed customer information? If yes, what corrective measures have you implemented since?

3) Do contractors (non-employees) have access to sensitive or confidential information? If yes, have they signed a non-disclosure agreement?

4) Do you have vendors that are authorized to access and maintain your networks, systems, or applications? If yes, are these vendors under written contracts providing for confidentiality, background checks, and insurance/indemnification against loss?

5) How is your data classified and secured?

Operations

1) What is the frequency and level of your back-ups?

2) What is the onsite retention period of back-ups?

3) What format are your backups stored in?

4) Do you store backups at an off-site location? If yes, what is the retention period?

5) Do you encrypt your data backups?

6) How do you ensure that only valid production programs are executed?

Solution 2:

I've only ever been asked for this information when working with regulated industries (banking) or government.

I'm not aware of a "standard format", per se, but then I've always been given some template that my Customer was given by an auditor as a "starting place" when I've had to make these.

I'd probably start with some Google searches and see what I could find in the way of sample policy documents. SANS (http://www.sans.org) is also another good place to start looking.

As far as the level of detail goes, I'd say that it probably needs to be tailored to the audience and the purpose. I'd keep the detail high-level unless I was specifically asked to provide low-level details.

Solution 3:

There are several different reasons a company may want to see your security policy. One example is that the Payment Card Industry (Visa, MasterCard, AmEx, etc.) requires that companies that process credit cards adhere to the Payment Card Industry Data Security Standard (PCI-DSS). A section of the PCI-DSS requires that the partners of the company must also adhere to PCI-DSS (which of course requires written policies).

Frankly if I am granting you access to your network via a VPN or direct connection, then I want to know that you have a certain level of security, otherwise I am opening myself to all sorts of potential issues.

That's why being PCI or ISO 27001 certified can be a boon in this regard, because you can let the external organization know that you have things handled up to a certain level. If your policies are very general, which policies should be, then it might not be an issue to provide a copy to your partner. However, if they want to see specific procedures or security information, then I wouldn't let that leave my site.

Kara has some excellent guidance on what you want to cover in your policies. Here's an example of a policy.

IT-001 System Backup/Recovery Policy

I. Introduction
This section talks about how backups are important, how you plan to test and keep copies offsite.

II. Purpose
  A. This policy will cover frequency, storage, and recovery
  B. This policy covers data, operating systems, and app software
  C. All backup/recovery procedures must be documented and kept in a safe place

III. Scope
This section notes that the policy covers all of the servers and data assets in your company (and any other specific areas like satellite offices).

IV. Roles and Responsibilities
  A. Manager - decides what gets backed up, determines frequency, medium, and procedures, also checks that backups happen
  B. System Admin - runs the backups, checks the backups, tests the backups, transports backups, tests restoration, maintains the backup rotation (grandfather/father/son)
  C. Users - have input on what gets backed up, must place data in the location designated to be backed up

V. Policy Description
  Backup - all the stuff you want to say about backups in a general sense
  Recovery - all the stuff you want to say about recovery in a general sense

Specific step-by-step instructions should be in a separate procedures/work instruction document. However, if you have a very small organization, you might not separate policies from procedures.

I hope this helps and gives you some useful information.

Solution 4:

I had to write one of these recently and it didn't end up being too difficult. Granted, Even's point about tailoring is important, as some details are going to take more work to describe than others. NIST also has a large library of free, online publications describing security measures for various purposes; you can use these for ideas where you're not sure what type/extent of security is called for.

Here are some general categories to cover in high-level terms:

  • Data Retention Policy
  • Backup Procedures/Access to backups
  • In-house access restrictions (physical and virtual)
    • Network (wireless, wired)
    • Hardware (servers, workstations, office premises, off-site/telework)
    • Hosting/Data Center (important if you're storing the partner's data)
    • Operating System
  • Personnel Screening

This list can be expanded or reduced based on how much information is necessary. Also, no need to fret if you don't yet quite have all of this in place. My advice is to stick to describing your 'intended' policies, but be prepared to immediately expand them for anything lacking. Also be prepared to be called on what you're claiming, no matter how unlikely this is (the lawyers won't care later on).