What is the single document you need to organize all your IT security activities and practices? It’s the IT security policy. This document sets out the roles and responsibilities of everybody in the organization. You can also use the IT security policy to provide guidance on when to use certain types of security technology, such as multi-factor authentication.
What Is the Goal of Your IT Security Policy?
Before you start tinkering with the organization’s policies, let’s clarify what these policies are meant to achieve. Fundamentally, they serve as guidance to employees to aid in decision making. Instead of executives having to intervene in every question, they can refer employees to the company’s policy. Further, referencing a company policy in decision-making improves consistency and execution.
In the case of an IT security policy, the goal is to make it easier to protect the organization from the risk of loss. As a document meant to serve the entire enterprise, the IT security policy needs to be written with the business user in mind. That means you need to minimize the use of technical security terminology and define those terms when you use them. Finally, we recommend reviewing and updating the policy annually to ensure it keeps up with the evolving threat environment. If the IT security policy isn’t updated regularly, employees will start to ignore it, and your consistent security practices will gradually fall apart.
How to Revise Your IT Security Policy with MFA
You’ve implemented multi-factor authentication (MFA); that’s great news. If you’ve used FIDO2 as part of your MFA implementation, your employees will be able to complete MFA with the computers and smartphones they already carry. Making multi-factor authentication convenient is an excellent first step to making it part of their everyday routine.
Now, how do you update your IT security policy to reflect the fact that MFA is available? Use this six-step process to update your policy and promote it across the organization in the next 30 days.
1. Review the IT Security Policy as a Whole
If your IT security policy hasn’t been reviewed in more than a year, an in-depth assessment is necessary. Sit down with three stakeholders: an IT security manager, a business manager, and a business end user. Ask them the following questions to detect gaps in the policy that MFA may help close.
- What security incidents has the company experienced in the past year?
- How often is the IT security policy used by employees? How could it be easier to use?
- What support is provided to employees and managers to understand what they need to do to implement the policy?
2. Choose 2-3 Security Goals MFA Can Solve
Suppose you find out that there are two chronic security problems at your organization. First, your executives are facing an increasing number of hacking attacks, including phishing. Second, your account executives and other sales professionals find it challenging to access company resources when they travel for business. MFA can help with both of these problems. Add two new sections to the IT security policy designed to address these goals.
3. Outline Roles and Responsibilities for Multi-Factor Authentication
Your IT security policy probably already addresses roles and responsibilities. You simply need to revise these sections to include MFA responsibilities. Here are some suggestions for what may go into the policy.
- Executives: Require executives to use MFA (remember: FIDO2 makes MFA convenient) for high-risk activities such as approving invoices over $10,000 or $100,000.
- Managers: Support their staff in using MFA in their daily work and model how to use this technology to keep the company safe.
- Employees: Set minimum expectations for when employees should use MFA (e.g., working from home or in public places such as hotels).
- IT Security Department: The IT security department is responsible for overall oversight of the MFA program. You may also ask IT to provide quarterly reports to management on MFA usage and to report problems.
4. Provide References to Resources in the IT Security Policy
Generally speaking, your IT security policy isn’t meant to provide detailed technical steps. Instead, include an appendix section where you provide links to other materials on your company’s intranet. For example, you might offer a tips document on how to use Slack and Skype to reduce security risk.
5. Present the Updated IT Security Policy for Approval
Once you have a completed draft of the IT security policy, you’ll need to get it approved by company leadership. In larger companies, there may be an established executive committee to approve policy updates. In smaller companies, reach out to the most senior IT leader, such as the chief information officer (CIO) or chief technology officer (CTO).
Tip: After you obtain approval, schedule a calendar reminder for 11 months from now to start the process of reviewing the IT security policy again. Without a reminder, you’re unlikely to remember to do it.
6. Implement a Change Management Plan to Inform and Train Employees
You have an updated IT security policy that includes MFA. Your work isn’t quite done yet. While you’ve been working away on revising the policy, everybody else in the company has been focused on other matters. In short, you need to communicate the new responsibilities to employees and train them on what is expected. We recommend you send out a broadcast email and schedule an in-person workshop to review the policy.
What to Do After You Update Your IT Security Policy with MFA
Improving your security policy is just one of the ways you can improve IT security. To continue strengthening your defenses, start by offering password training to new hires. Next, improve the security and productivity of your IT development team by implementing a container technology such as Docker. Keep up the work of continuously improving your security, and the odds of a serious security incident will keep falling.