The importance of setting a Policy for your Security Policies

In our role as cybersecurity specialists managing multiple cloud ecosystems and hosting complex websites, we’ve learnt that security policies and the policy of managing policies are not always as rigorous as they should be regardless of the size or maturity of the organisation.

Most businesses have security policies in place, and whilst the ambition is there to implement them across the business, too easily they are forgotten or worse ignored by busy employees. Then there is always the scenario that arises when there has been a change in employees and security policies haven’t been properly briefed in the handover. And often enough there is no policy in place to ensure company security policies are reviewed and updated regularly. However, it remains a critical part of the cyber security armoury for businesses, no matter the size or industry sector, or deployment of new technologies and how they layer into your existing network and policies.

As part of our ongoing cyber security commitment to educating and informing businesses, we prepared this blog to share the basics about the different types of security policies and how you can (and should) be implementing them in your business.

If at the end of this blog post, you’ve learnt something new about the importance of policies and the policy of policies, then we will have succeeded in keeping your business one step further ahead in its quest to be more secure.

It starts with Permission Sets 

User access is managed through creating and setting policies. Policies are connected to digital identities, users, groups and roles. A policy is an object associated with a digital identity or resource and defines its permissions. Policies are evaluated when a user or role makes a request. Permissions are set so any request is evaluated and allowed or denied. For example, there are identity-based policies, resource-based policies, permission boundaries, session policies, SCPs and ACLs.

Policies are set to define permissions for any action regardless of how you choose to perform an operation.

 Typically, faster to use standard policies / generic templates 

Acceptable Use Policy

Acceptable Use Policy (AUP) is an object document that defines a set of rules and regulations for employees or customers, when it comes to the usage of specific IT resources. An AUP clearly outlines what users can and can not do with the IT resources at hand. This policy is somewhat similar to End User Licence Agreements (EULA) that users must agree upon before using a software application, except that AUP covers usage of a much larger IT resource than a single software application.

Access Control Policy (ACP)

The name Access Control Policy speaks about this policy and what it does within an organisation. ACP manages information systems and data, as well as how employees access those systems. This policy covers access control standards as well as implementation rules. This policy is also covering regulations regarding password complexity in an organisation, network access, user access and operating system procedures. This policy also covers employee identity management.

Change Management Policy (CMP)

Change Management Policy refers to a formal procedure that an organisation goes through when a change in IT infrastructure is initiated. Change requests may come from any level within the organisation. Change management policy raises awareness of changes that are occurring in the IT environment and prevents incidents associated with the change.

Information Security Policy (ISP)

These are high-level policies that cover a lot of protocols connected with security procedures in an organisation. This policy is issued in order to ensure that the employees of an organisation comply with the standards and procedures of technology assets of a company. Users of this policy are to sign an acknowledgement that they will comply with certain rules and guidelines in order to prevent information breaches.

Incident Response (IR) Policy

Incident Response Policy regulates an approach to resolving incidents related to IT infrastructure. This policy lays down a process in case of an emergency, so that business operations can successfully power through an IT-related crisis. This policy is usually closely connected to the Disaster Recovery Policy (DRP) and Business Continuity Plan (BCP).

Communication Policy

This policy formalises how to communicate within an organisation using all available channels provided in a company. This policy covers mediums like emails, blogs, social media and chats.


Policy classification

Identity-based policies – Identity based policies allow permissions to an identity, users, groups to which users belong and roles they carry out.

Resource-based policies – Resource-based policies allow permissions to principal entities that are defined in a policy. Principles can share the same account as the resource or it may be in other accounts.

Permissions boundaries – Use managed policies as permissions boundaries for users or roles. Those policies set the maximum permissions that identity-based policies can allow for a user or role. Permissions boundaries don’t define the maximum permissions per resource-based policy.

Organisations SCP – Service control policies define the maximum permissions per member account of an organisation. SCPs set limitations on permissions that are granted by identity-based or resource-based policies. They aren’t used to grant permissions.

Access control lists (ACLs) – ACLs are used to control which principles in other accounts can access a certain resource. Access Control Lists are somewhat similar to resource-based policies, even though they don’t use JSON document structure. ACLs are cross-account permission policies that allow access to the specified user or role. ACLs are not used to allow access to users and roles in the same account.

Session policies – Session policies add limitations to permissions that identity-based policies allow per a specific session. Session policies do not grant permissions.

Principle of user privilege / what they need to know to get the job done 

The assignment of permissions that a user has in order to access a system is a security best practice applied in cybersecurity. Operating systems are developed with different roles and privileges. Privileges are designated to user profiles, in accordance with their activities and responsibilities.

The principle of least privilege is based on allowing necessary permissions to any users that are carrying out activities associated with their role within an organisation, in accordance with their job description. For that purpose, they are granted minimum rights in order to complete their duties for the assigned task.

This practice is usually implemented with the aim to ensure the privacy and security of information.

Assigning more than necessary permissions to a user may result in them carrying out unauthorised activities, in the system, which can eventually lead to security breaches. Accessing, downloading and modifying information, to name a few. User privileges must also be taken into account when designing a secure system, one that allows your users to carry out their tasks, yet keep the system safe.

How to set up company policy/implement company policy / secure company buy-in 

  1. Create a tiered access policy, one that aligns with your company’s organisational units and their areas of work.
  2. Set user definitions, make sure you define users with permanent access and those with temporary access to information and facilities. This is not as simple as differentiating between employees and non-employees.
  3. Make user training mandatory – Designing an organisational policy is a great step forward in your organisational structure, but not sticking to it is just a waste of resources.
  4. Visitor Management is necessary, yet it is not as simple as logging all your visitors in a book.

Finally, think about how all these policies fit into your organisational structure and how you would implement them across the business. If you want a helping hand, then Digital Craftsmen can guide you through setting up the right set of policies, and tailoring the options available especially for your organisation, so you’re not overcomplicating your policies by having too many.

Contact our Solutions Architects teamISO 27001 and Cyber Essentials Plus verified experts to help ensure your policies are fit for purpose and future proof them by establishing your own Policy on Policies.

If you have any questions, concerns or issues about your online security and how to keep your business and employees protected – then give us a call on +44 (0)20 3745 7706 or email us on [email protected] where there will be a craftsman happy to help.

Latest Insights

Read the latest news, research and expert views from our master Craftsmen on cyber security and hosting issues, cyber risk, threat intelligence, network security, incident response and cyber strategy.