
Building a Realistic Security Policy for Your Business.

Jan 23, 2021

If you were asked what the most valuable asset of your business is today, what would you say? Likely, just like most executives, you thought of business intelligence—its strategies, processes, contracts, resources, and clients. All of these (and much more) can be summarized in one word: Data. The high demand for Information Security worldwide confirms what The Economist has already warned: "Data is more valuable than oil."

Securing an asset as valuable as your information is certainly not a simple task. Unxpose helps with the first steps by making the product secure for the end customer, but internal processes also need attention. According to an IBM study, 95% of security breaches and incidents are caused by what is referred to as "human error": carelessness by employees and a lack of awareness of the proper protocols. So, how can a company be secured starting from its internal processes?

Information Security Policy (ISP)
This is where the Information Security Policy (ISP) comes into play. Just as there is a staff manual or even a company code of ethics, the ISP is the important document that will guide employees and processes, setting forth the guidelines for the work environment, prioritizing assets and access, and containing best security practices for the day-to-day operations of the company. Accordingly, the ISP is vital for avoiding leaks and incidents, protecting the pillars of your business—its Integrity, Availability, and Confidentiality.

Aligning with Standards and Laws
In addition to the General Data Protection Law (LGPD), which requires companies to have internal security training and imposes penalties of up to 50 million reais for violations, there is also ISO 27001, a standard specifically focused on the Information Security Policy. According to this standard, Information Security exists to protect assets from attacks, leaks, incidents, espionage, sabotage, and even natural forces such as disasters, among others.

Integrating Tools, Employees, and the ISP
The first step, even before creating the ISP, is to inventory existing assets and processes within the company. After all, it is impossible to define protection guidelines without knowing what needs to be protected. Next, it is advisable to classify information according to its level of risk in case of exposure, from public to confidential data. Then, it's possible to start drafting the ISP based on who should have access to what information, as well as their methods of authentication, storage, communication, disposal, and so on. The intention is for the ISP to be the foundation of all the processes involving the company's information and its life cycle.

Alongside the tools and employees, the ISP is thus an essential element of the internal process pillar, and should be developed with input from all departments, or even a committee bringing together different areas of the company.

"The first tip for a good security policy is simplicity, as it must be actionable. Since all employees in the organization need to read and accept it, create it with the average employee in mind."

RODRIGO JORGE, CISO of Neoway, a company with ISO 27001 certification.

Realistically Considering Processes
One of the biggest challenges in building an ISP is avoiding an extensive, overly technical document that is of little practical use in the company's daily operations. Many make the mistake of taking the quicker route by copying an existing security policy, as if it were a one-size-fits-all solution for any environment. This is where the danger lies.

It is crucial to keep the company culture in mind at all times during the creation of an ISP. This will prevent absurd rules that don’t make sense for the environment or for the employees' processes. A complex policy with impossible and convoluted norms is of no use if, in the end, employees prefer the "easier path," ignoring the guidelines and exposing the entire process to incidents.

Opening Space for Innovation
An ISP should not exist to restrict processes. Making daily tasks overly difficult for employees will inevitably create friction between people and secure processes, leading to a preference for insecure shortcuts. Additionally, an ISP that does not align with the company culture will delay the implementation of new tools, processes, and technologies, weakening the chances for innovation within the business. "Security must support the business and never hinder it; thus, common sense is required, along with collaboration: security and business areas," reflects Rodrigo Jorge.

Considering the company's culture when creating the ISP also means leaving room for updates and for the inclusion of new technologies and processes, especially in startups and agile companies. The policy needs to be reviewed and updated periodically so that it covers new processes as they appear.

Training, Testing, and Rewarding Your Employees
If the ISP is not constantly reinforced to employees, it will not be practiced. Security is a complex topic, seldom taught in people's daily lives, and as such, it is poorly understood