Security Policy: Chapter Overview
Chapter Objectives
When you complete this chapter, you will be able to:
- Define information security policy and understand its central role in a successful information security program
- Recognize the three major types of information security policy and know what goes into each type
- Develop, implement, and maintain various types of information security policies
Introduction
This chapter focuses on information security policy: what it is, how to write it, how to implement it, and how to maintain it. Policy is the essential foundation of an effective information security program. "The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency. Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality."
Why Policy?
A quality information security program begins and ends with policy. Properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace. Although information security policies are the least expensive means of control to execute, they are often the most difficult to implement. Some basic rules must be followed when shaping a policy:
- Policy should never conflict with law
- Policy must be able to stand up in court, if challenged
- Policy must be properly supported and administered
"All policies must contribute to the success of the organization. Management must ensure the adequate sharing of responsibility for proper use of information systems. End users of information systems should be involved in the steps of policy formulation."
The Bull's-eye Model
Bull's-eye model layers:
- Policies: the outer layer in the bull's-eye diagram
- Networks: where threats from public networks meet the organization's networking infrastructure
- Systems: includes computers used as servers, desktop computers, and systems used for process control and manufacturing systems
- Applications: includes all application systems
"...policies are important reference documents for internal audits and for the resolution of legal disputes about management's due diligence [and] policy documents can act as a clear statement of management's intent..."
Policy, Standards, and Practices
Policy is "a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters".
Management of Information Security
A standard is a more detailed statement of what must be done to comply with policy. Practices, procedures and guidelines explain how employees will comply with policy.
For policies to be effective they must be:
- properly disseminated
- read
- understood
- agreed-to
Policies require constant modification and maintenance. In order to produce a complete information security policy, management must define three types of information security policy:
- Enterprise information security program policy
- Issue-specific information security policies
- Systems-specific information security policies
Enterprise Information Security Policy (EISP)
The EISP:
- ... assigns responsibilities for the various areas of information security.
- ... guides the development, implementation, and management requirements of the information security program.
EISP Elements
Most EISP documents should provide:
- An overview of the corporate philosophy on security
- Information on the structure of the information security organization and individuals that fulfill the information security role
- Fully articulated responsibilities for security that are shared by all members of the organization
- Fully articulated responsibilities for security that are unique to each role within the organization
Components of the EISP
- Statement of Purpose - Answers the question "What is this policy for?" Provides a framework that helps the reader to understand the intent of the document.
- Information Technology Security Elements - Defines information security.
- Need for Information Technology Security - Provides information on the importance of information security in the organization and the obligation (legal and ethical) to protect critical information whether regarding customers, employees, or markets.
- Information Technology Security Responsibilities and Roles - Defines the organizational structure designed to support information security within the organization.
- Reference to Other Information Technology Standards and Guidelines - Outlines lists of other standards that influence and are influenced by this policy document.
Example EISP - CCW
- Protection of Information: Information must be protected in a manner commensurate with its sensitivity, value, and criticality.
- Use of Information: Company X information must be used only for the business purposes expressly authorized by management.
- Information Handling, Access, and Usage: Information is a vital asset and all accesses to, uses of, and processing of, Company X information must be consistent with policies and standards.
- Data and Program Damage Disclaimers: Company X disclaims any responsibility for loss or damage to data or software that results from its efforts to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems.
- Legal Conflicts: Company X information security policies were drafted to meet or exceed the protections found in existing laws and regulations, and any Company X information security policy believed to be in conflict with existing laws or regulations must be promptly reported to Information Security management.
- Exceptions to Policies: Exceptions to information security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a standard risk acceptance form has been prepared by the data Owner or management, and where this form has been approved by both Information Security management and Internal Audit management.
- Policy Non-Enforcement: Management's non-enforcement of any policy requirement does not constitute its consent.
- Violation of Law: Company X management must seriously consider prosecution for all known violations of the law.
- Revocation of Access Privileges: Company X reserves the right to revoke a user's information technology privileges at any time.
- Industry-Specific Information Security Standards: Company X information systems must employ industry-specific information security standards.
- Use of Information Security Policies and Procedures: All Company X information security documentation including, but not limited to, policies, standards, and procedures, must be classified as "Internal Use Only," unless expressly created for external business processes or partners.
- Security Controls Enforceability: All information systems security controls must be enforceable prior to being adopted as a part of standard operating procedure.
Issue-Specific Security Policy (ISSP)
ISSPs:
- Address specific technology-based systems
- Require frequent updates
- Contain an issue statement on the organization's position on an issue
ISSP topics could include:
- Electronic mail
- Use of the Internet and the World Wide Web
- Specific minimum configurations of computers to defend against worms and viruses
- Prohibitions against hacking or testing organization security controls
- Home use of company-owned computer equipment
- Use of personal equipment on company networks
- Use of telecommunications technologies
- Use of photocopy equipment
Components of the ISSP
- Statement of Purpose
  o Scope and Applicability
  o Definition of Technology Addressed
  o Responsibilities
- Authorized Access and Usage of Equipment
  o User Access
  o Fair and Responsible Use
  o Protection of Privacy
- Prohibited Usage of Equipment
  o Disruptive Use or Misuse
  o Criminal Use
  o Offensive or Harassing Materials
  o Copyrighted, Licensed or other Intellectual Property
  o Other Restrictions
- Systems Management
  o Management of Stored Materials
  o Employer Monitoring
  o Virus Protection
  o Physical Security
  o Encryption
- Violations of Policy
  o Procedures for Reporting Violations
  o Penalties for Violations
- Policy Review and Modification
  o Scheduled Review of Policy
  o Procedures for Modification
- Limitations of Liability
  o Statements of Liability
  o Other Disclaimers
Implementing ISS(
Common approaches for creating and managing ISSPs include:
- Create a number of independent ISSP documents, each tailored to a specific issue
- Create a single comprehensive ISSP document that aims to cover all issues
- Create a modular ISSP document that unifies policy creation and administration, while maintaining each specific issue's requirements
The recommended approach is the modular policy, which provides a balance between issue orientation and policy management.
System-Specific (olicy
Systems-Specific Policies (SysSPs) frequently do not look like other types of policy. They may often be created to function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups, management guidance and technical specifications, or they may be written like the example noted above to combine these two types of SysSP content into a single policy document.
Management Guidance SysSPs
Created by management to guide the implementation and configuration of technology as well as address the behavior of people in the organization in ways that support the security of information. Any technology that affects the confidentiality, integrity or availability of information must be assessed to evaluate the tradeoff between improved security and restrictions. Before management can craft a policy informing users what they can do with the technology and how they may do it, it might be necessary for system administrators to configure and operate the system.
Technical Specifications SysSPs
While a manager may work with a systems administrator to create managerial policy as specified above, the system administrator may need to create a different type of policy to implement the managerial policy. Each type of equipment has its own type of policies, which are used to translate the management intent for the technical control into an enforceable technical approach. There are two general methods of implementing such technical controls: access control lists and configuration rules.
Access Control Lists
Access control lists (ACLs) include the user access lists, matrices, and capability tables that govern the rights and privileges of users. ACLs can control access to file storage systems, object brokers or other network communications devices. A capability table is a similar method that specifies which subjects and objects users or groups can access. It clearly identifies which privileges are to be granted to each user or group of users.
These specifications are frequently complex matrices, rather than simple lists or tables. The level of detail and specificity (often called granularity) may vary from system to system, but in general ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file. In general ACLs regulate:
- Who can use the system
- What authorized users can access
- When authorized users can access the system
- Where authorized users can access the system from
- How authorized users can access the system
Restricting what users can access covers, for example, printers, files, communications, and applications. Administrators set user privileges, such as:
- Read
- Write
- Create
- Modify
- Delete
- Compare
- Copy
In some systems, capability tables are called user profiles or user policies.
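The who/what/when/where/how questions and the privilege vocabulary above are exactly the columns of a capability table. What follows is an added example written for this page, not code from the textbook or its authors: a small Python evaluator in which each table entry names a subject (user or group), an object, the granted privileges, an inclusive time-of-day window and the source networks a request may arrive from. Any request not explicitly covered by an entry is denied, which is the property a reviewer of a technical-specification SysSP should insist on. The sample table, group memberships, object names and addresses are constructed for illustration.

```python
"""Capability-table (ACL) evaluator. Constructed example for this chapter."""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

# The privilege vocabulary listed in the chapter; anything else is rejected at
# grant time so a typo cannot silently create an entry nobody can enforce.
PRIVILEGES = frozenset({"read", "write", "create", "modify", "delete", "compare", "copy"})

ALL_DAY = (time(0, 0), time(23, 59, 59))   # default "when": no restriction
ANYWHERE = ("0.0.0.0/0",)                  # default "where": no restriction


@dataclass(frozen=True)
class Entry:
    """One row of the capability table."""
    subject: str                 # who: a user or group name
    obj: str                     # what: file, printer, application, ...
    privileges: frozenset        # how: subset of PRIVILEGES
    hours: tuple = ALL_DAY       # when: inclusive (start, end) time window
    from_nets: tuple = ANYWHERE  # where: CIDR blocks the request may come from


@dataclass
class CapabilityTable:
    entries: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)   # user -> set of group names

    def grant(self, subject, obj, privileges, hours=ALL_DAY, from_nets=ANYWHERE):
        unknown = set(privileges) - PRIVILEGES
        if unknown:
            raise ValueError(f"unknown privilege(s): {sorted(unknown)}")
        self.entries.append(Entry(subject, obj, frozenset(privileges),
                                  tuple(hours), tuple(from_nets)))

    def check(self, user, obj, privilege, at, src_ip):
        """Return (allowed, reason). Default deny: the request is allowed only if
        some entry for the user or one of their groups grants the privilege on
        the object AND that entry's when/where constraints both hold."""
        subjects = {user} | set(self.groups.get(user, ()))
        ip = ip_address(src_ip)
        reasons = []
        for e in self.entries:
            if e.subject not in subjects or e.obj != obj or privilege not in e.privileges:
                continue
            start, end = e.hours
            if not start <= at <= end:
                reasons.append(f"{e.subject}: outside permitted hours {start}-{end}")
                continue
            if not any(ip in ip_network(n) for n in e.from_nets):
                reasons.append(f"{e.subject}: {src_ip} not in permitted networks")
                continue
            return True, f"granted by entry for {e.subject} on {obj}"
        return False, "; ".join(reasons) or "no matching entry (default deny)"


def build_example_table():
    """Constructed sample: the finance group may read/copy the ledger during
    business hours from the internal network only; alice additionally holds an
    unrestricted modify grant; bob may write to one printer."""
    t = CapabilityTable(groups={"alice": {"finance"}, "bob": {"finance"}})
    t.grant("finance", "/data/ledger", {"read", "copy"},
            hours=(time(8, 0), time(18, 0)), from_nets=["10.0.0.0/8"])
    t.grant("alice", "/data/ledger", {"modify"})
    t.grant("bob", "printer-1", {"write"})
    return t


if __name__ == "__main__":
    t = build_example_table()
    for who, what, how, when, where in [
        ("alice", "/data/ledger", "read", time(10, 0), "10.1.2.3"),      # allowed
        ("alice", "/data/ledger", "read", time(22, 0), "10.1.2.3"),      # wrong time
        ("bob", "/data/ledger", "copy", time(10, 0), "192.168.1.5"),     # wrong place
        ("alice", "/data/ledger", "modify", time(22, 0), "192.168.1.5"), # direct grant
        ("bob", "/data/ledger", "delete", time(10, 0), "10.1.2.3"),      # no entry
    ]:
        print(who, how, what, *t.check(who, what, how, when, where))
```

The two design choices worth copying into a real SysSP are the closed privilege vocabulary (an entry can only grant operations the policy has defined) and the fact that `check` never returns True on a partial match: a grant that is right for the subject and object but wrong for the time or source network is treated as no grant at all, and the reason is reported so the denial can be audited.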
Configuration Rules
Configuration rules are the specific configuration codes entered into security systems to guide the execution of the system when information is passing through it. Rule policies are more specific to the operation of a system than ACLs, and may or may not deal with users directly. Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process.
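An added example, not from the textbook: a packet-filter rule set of the kind a firewall's configuration rules are written as, in a hypothetical simplified syntax (ACTION PROTO SRC DST DPORT, with an optional comment). It shows what the paragraph means by rules that act on information passing through the system rather than on users, and the consequence of that: rules are processed in order, first match wins, and an implicit final rule denies everything, so a specific deny placed after a broader allow never fires. The `shadowed` helper finds such rules before they are deployed. The two rule sets and the sample packets are constructed.

```python
"""First-match packet-filter rule evaluation. Constructed example for this chapter."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # CIDR block or "any"
    dst: str         # CIDR block or "any"
    dport: tuple     # inclusive (lo, hi) destination-port range
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def parse_rules(text):
    """Parse one rule per line: ACTION PROTO SRC DST DPORT [# comment].
    DPORT is a single port, a lo-hi range, or 'any'. Hypothetical syntax."""
    rules = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        parts = body.split()
        if not parts:
            continue
        if len(parts) != 5:
            raise ValueError(f"malformed rule: {raw!r}")
        action, proto, src, dst, dport = parts
        if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
            raise ValueError(f"bad action/proto: {raw!r}")
        for net in (src, dst):
            if net != "any":
                ip_network(net)          # raises on a malformed CIDR
        if dport == "any":
            ports = ANY_PORTS
        else:
            lo, _, hi = dport.partition("-")
            ports = (int(lo), int(hi or lo))
        rules.append(Rule(action, proto, src, dst, ports, comment.strip()))
    return rules


def _net_match(pattern, ip):
    return pattern == "any" or ip_address(ip) in ip_network(pattern)


def matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and rule.dport[0] <= pkt.dport <= rule.dport[1])


def evaluate(rules, pkt):
    """First match wins. Returns (action, rule_index); index -1 means no rule
    matched and the implicit final deny fired."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", -1


def _covers(a, b):
    """True if every packet that rule b matches is also matched by rule a."""
    def net_covers(pa, pb):
        if pa == "any":
            return True
        if pb == "any":
            return False
        return ip_network(pb).subnet_of(ip_network(pa))
    return ((a.proto == "any" or a.proto == b.proto)
            and net_covers(a.src, b.src) and net_covers(a.dst, b.dst)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them.
    A shadowed rule with the opposite action is a policy error, not just waste."""
    return [j for j in range(len(rules))
            if any(_covers(rules[i], rules[j]) for i in range(j))]


# Constructed rule sets: the same three rules in two orders.
MISORDERED = """
allow tcp any            10.0.5.10   22    # ssh to the bastion from anywhere
deny  tcp 203.0.113.0/24 10.0.5.10   22    # block a known-hostile range (never reached)
allow tcp 10.0.0.0/8     10.0.5.0/24 443   # internal users to the web tier
"""
CORRECTED = """
deny  tcp 203.0.113.0/24 10.0.5.10   22    # specific deny first
allow tcp any            10.0.5.10   22
allow tcp 10.0.0.0/8     10.0.5.0/24 443
"""

if __name__ == "__main__":
    hostile = Packet("tcp", "203.0.113.7", "10.0.5.10", 22)
    for name, text in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        rules = parse_rules(text)
        print(name, evaluate(rules, hostile), "shadowed:", shadowed(rules))
```

Most packet filters (Cisco IOS access lists and iptables chains, for instance) use these same first-match, implicit-deny semantics, which is why rule order is part of the policy rather than a cosmetic detail, and why a shadowing check belongs in the review step before a rule set is pushed to the device.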
Combination SysSPs
It is not uncommon for an organization to create a single document that combines elements of both the Management Guidance and the Technical Specifications SysSPs. While this can be somewhat confusing to those who will use the policies, it is very practical to have the guidance from both perspectives in a single place. Care should be taken to articulate the required actions carefully as the procedures are presented.
Like any IT project, a policy development or re-development project should be well planned, properly funded, and aggressively managed to ensure that it is completed on time and within budget. When a policy development project is undertaken, the project can be guided by the SecSDLC process.
Investigation Phase
During the Investigation phase the policy development team should complete the following activities:
- Obtain support from senior management
- Support and active involvement of IT management, specifically the CIO
- The clear articulation of goals
- The participation of the correct individuals from the communities of interest affected by the recommended policies. The team must include representatives from Legal, Human Resources and end users of the various IT systems covered by the policies.
- The team will need a project champion with sufficient stature and prestige to accomplish the goals of the project.
- The team will also need a capable project manager to see the project through to completion.
- A detailed outline of the scope of the policy development project, and sound estimates for the cost and scheduling of the project.
Analysis Phase
The Analysis phase should include the following activities:
- A new or recent risk assessment or IT audit documenting the current information security needs of the organization.
- The gathering of many key reference materials, including any existing policies, in addition to the items noted above.
Design Phase
The Design phase should include the following activities:
- A design and plan for how the policies will be distributed and how verification of the distribution to members of the organization will be accomplished.
- Specifications for any automated tool used for the creation and management of policy documents.
- Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified.
Implementation Phase
In the Implementation phase the policy development team will see to the writing of the policies. Resources available include:
- The Web
- Government sites
- Professional literature
- Several authors
- Peer networks
- Professional consultants
Make certain the policies are enforceable. Policy distribution is not always as straightforward as you might think.
Effective policy is written at a reasonable reading level, and attempts to minimize technical jargon and management terminology.
Maintenance Phase
During the maintenance phase, the policy development team monitors, maintains, and modifies the policy as needed to ensure that it remains effective as a tool to meet changing threats. The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously.
The Information Security Policy Made Easy Approach (ISPME)
- Gathering Key Reference Materials
- Defining A Framework For Policies
- Preparing A Coverage Matrix
- Structuring Review, Approval, And Enforcement Processes
ISPME Checklist
- Perform a risk assessment or information technology audit to determine your organization's unique information security needs.
- Clarify what the word "policy" means within your organization so that you are not preparing a "standard," "procedure," or some other related material.
- Ensure that roles and responsibilities related to information security are clarified, including responsibility for issuing and maintaining policies.
- Convince management that it is advisable to have documented information security policies.
- Identify the top management staff who will be approving the final information security document and all influential reviewers.
- Collect and read all existing internal information security awareness material and make a list of the included bottom-line messages.
- Conduct a brief internal survey to gather ideas that stakeholders believe should be included in a new or updated information security policy.
- Examine other policies issued by your organization, such as those from Human Resources management, to identify prevailing format, style, tone, length, and cross-references.
- Identify the audience to receive information security policy materials and determine whether they will each get a separate document or a separate page on an intranet site.
- Determine the extent to which the audience is literate, computer knowledgeable, and receptive to security messages.
- Decide whether some other awareness efforts must take place before information security policies are issued.
- Using ideas from the risk assessment, prepare a list of absolutely essential policy messages that must be communicated.
- If there is more than one audience, match the audiences with the bottom-line messages to be communicated through a coverage matrix. [...]
- Determine how the policy material will be disseminated, noting the constraints and implications of each medium of communication.
- Review the compliance checking process, disciplinary process, and enforcement process to ensure that they all can work smoothly with the new policy document.
- Determine whether the number of messages is too large to be handled all at one time, and if so, identify different categories of material that will be issued at different times.
- Have an outline of topics to be included in the first document reviewed by several stakeholders.
- Based on comments from the stakeholders, revise the initial outline and prepare a first draft. [...]
- Have the first draft document reviewed by the stakeholders for initial reactions, presentation suggestions, and implementation ideas.
- Revise the draft in response to comments from stakeholders.
- Request top management approval on the policy.
- Prepare extracts of the policy document for selected purposes.
- Develop an awareness plan that uses the policy document as a source of ideas and requirements.
- Create a working papers memo indicating the disposition of all comments received from reviewers, even if no changes were made.
- Write a memo about the project, what you learned, and what needs to be fixed so that the next version of the policy document can be prepared more efficiently, better received by the readers, and more responsive to the unique circumstances facing your organization.
- Prepare a list of next steps that will be required to implement the requirements specified in the policy document.
ISPME Next Steps
- Post Policies To Intranet Or Equivalent
- Develop A Self-Assessment Questionnaire
- Develop Revised User ID Issuance Form
- Develop Agreement To Comply With Information Security Policies Form
- Develop Tests To Determine If Workers Understand Policies
- Assign Information Security Coordinators
- Train Information Security Coordinators
- Prepare And Deliver A Basic Information Security Training Course
- Develop Application Specific Information Security Policies
- Develop A Conceptual Hierarchy Of Information Security Requirements
- Assign Information Ownership And Custodianship
- Establish An Information Security Management Committee
- Develop An Information Security Architecture Document
SP 800-18: Guide for Developing Security Plans
The NIST Special Publication 800-18 offers another approach to policy management. Because policies are living documents that constantly change and grow, these documents must be properly disseminated (distributed, read, understood and agreed to) and managed. Good management practices for policy development and maintenance make for a more resilient organization. In order to remain current and viable, policies must have:
- an individual responsible for reviews,
- a schedule of reviews,
- a method for making recommendations for reviews, and
- an indication of policy and revision date.
A Final Note on Policy
Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy. Policies exist first, and foremost, to inform employees of what is and is not acceptable behavior in the organization. This is an effort to improve employee productivity, and prevent potentially embarrassing situations. If the organization could not verify that the employee was in fact properly educated on the policy, as described earlier in the chapter, the employee could sue the organization for wrongful termination. Lawsuits cost money, and the organization could be so financially devastated that it had to go out of business. Other employees lose their livelihood, and no one wins.
Discussion Topics
1. Have students perform research on the Internet about Charles Cresson Wood. How many books are available from him and what are their titles? Are they current (when were they published) and do other experts agree that he is an authority on information security policy?
2. Find the EISP for the state government in which you reside. How is it the same or different from the EISP recommended by this textbook?
Key Terms
- Bull's-eye model
- Practice
- Procedure
- Guideline
- Standard
- Policy
- Enterprise information security policy (EISP)
- Issue-specific security policy (ISSP)
- System-specific policy (SysSP)
- Due diligence