Every organization has something that someone else wants. Someone might want that something for himself, or he might want the satisfaction of denying something to its rightful owner. Your assets are what need the protection of a security policy.
Determine what your assets are by asking (and answering) the following questions:
- What do you have that others want?
- What processes, data, or information systems are critical to you, your company, or your organization?
- What would stop your company or organization from doing business or fulfilling its mission?
The answers identify assets in a wide range, including critical databases, vital applications, vital company customer and employee information, classified commercial information, shared drives, email servers, and web servers.
A security policy comprises a set of objectives for the company, rules of behavior for users and administrators, and requirements for system and management that collectively ensure the security of network and computer systems in an organization. A security policy is a “living document,” meaning that the document is never finished and is continuously updated as technology and employee requirements change.
The security policy translates, clarifies, and communicates the management position on security as defined in high-level security principles. The security policy acts as a bridge between these management objectives and specific security requirements. It informs users, staff, and managers of their obligatory requirements for protecting technology and information assets. It should specify the mechanisms that you need to meet these requirements. It also provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the security policy. Therefore, an attempt to use a set of security tools in the absence of at least an implied security policy is meaningless.
The three reasons for having a security policy are as follows:
- To inform users, staff, and managers
- To specify mechanisms for security
- To provide a baseline
One of the most common security policy components is an acceptable use policy (AUP). This component defines what users are allowed and not allowed to do on the various components of the system, including the type of traffic that is allowed on the networks. The AUP should be as explicit as possible to avoid ambiguity or misunderstanding. For example, an AUP might list the prohibited website categories.
A properly defined security policy does the following:
- Protects people and information
- Sets the rules for expected behavior
- Authorizes staff to monitor, probe, and investigate
- Defines the consequences of violations
The audience for the security policy is anyone who might have access to your network, including employees, contractors, suppliers, and customers. However, the security policy should treat each of these groups differently.
The audience determines the content of the policy. For example, you probably do not need to include a description of why something is necessary in a policy that is intended for the technical staff. You can assume that the technical staff already knows why a particular requirement is included. Managers are also not likely to be interested in the technical aspects of why a particular requirement is needed. However, they might want the high-level overview or the principles supporting the requirement. When end users know why a particular security control has been included, they are more likely to comply with the policy.
In the policy, users can be organized into two audiences:
- Internal audience
- Managers and executives
- Departments and business units
- Technical staff
- End users
- External audience
- Consultants and contractors
One document will not likely meet the needs of the entire audience of a large organization. The goal is to ensure that the information security policy documents are coherent with its audience needs.
Security Policy Components
Figure 1-14 shows the hierarchy of a corporate policy structure that is aimed at effectively meeting the needs of all audiences.
Figure 1-14. Components of a Comprehensive Security Policy
Most corporations should use a suite of policy documents to meet their wide and varied needs:
- Governing policy: This policy is a high-level treatment of security concepts that are important to the company. Managers and technical custodians are the intended audience. The governing policy controls all security-related interaction among business units and supporting departments in the company. In terms of detail, the governing policy answers the “what” security policy questions.
- End-user policies: This document covers all security topics important to end users. In terms of detail level, end-user policies answer the “what,” “who,” “when,” and “where” security policy questions at an appropriate level of detail for an end user.
- Technical policies: Security staff members use technical policies as they carry out their security responsibilities for the system. These policies are more detailed than the governing policy and are system or issue specific (for example, access control or physical security issues). In terms of detail, technical policies answer the “what,” “who,” “when,” and “where” security policy questions. The “why” is left to the owner of the information.
The governing policy outlines the security concepts that are important to the company for managers and technical custodians:
- It controls all security-related interactions among business units and supporting departments in the company.
- It aligns closely with not only existing company policies, especially human resource policies, but also any other policy that mentions security-related issues, such as issues concerning email, computer use, or related IT subjects.
- It is placed at the same level as all companywide policies.
- It supports the technical and end-user policies.
- It includes the following key components:
- A statement of the issue that the policy addresses
- A statement about your position as IT manager on the policy
- How the policy applies in the environment
- The roles and responsibilities of those affected by the policy
- What level of compliance to the policy is necessary
- Which actions, activities, and processes are allowed and which are not
- What the consequences of noncompliance are
End-user policies are compiled into a single policy document that covers all the topics pertaining to information security that end users should know about, comply with, and implement. This policy may overlap with the technical policies and is at the same level as a technical policy. Grouping all the end-user policies together means that users have to go to only one place and read one document to learn everything that they need to do to ensure compliance with the company security policy.
Security staff members use the technical policies in the conduct of their daily security responsibilities. These policies are more detailed than the governing policy and are system or issue specific (for example, router security issues or physical security issues). These policies are essentially security handbooks that describe what the security staff does, but not how the security staff performs its functions.
The following are typical policy categories for technical policies:
- General policies
- Acceptable use policy (AUP): Defines the acceptable use of equipment and computing services, and the appropriate security measures that employees should take to protect the corporate resources and proprietary information.
- Account access request policy: Formalizes the account and access request process within the organization. Users and system administrators who bypass the standard processes for account and access requests may cause legal action against the organization.
- Acquisition assessment policy: Defines the responsibilities regarding corporate acquisitions and defines the minimum requirements that the information security group must complete for an acquisition assessment.
- Audit policy: Use to conduct audits and risk assessments to ensure integrity of information and resources, investigate incidents, ensure conformance to security policies, or monitor user and system activity where appropriate.
- Information sensitivity policy: Defines the requirements for classifying and securing information in a manner appropriate to its sensitivity level.
- Password policy: Defines the standards for creating, protecting, and changing strong passwords.
- Risk-assessment policy: Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the information infrastructure that is associated with conducting business.
- Global web server policy: Defines the standards that are required by all web hosts.
- Email policies
- Automatically forwarded email policy: Documents the policy restricting automatic email forwarding to an external destination without prior approval from the appropriate manager or director.
- Email policy: Defines the standards to prevent tarnishing the public image of the organization.
- Spam policy: The AUP covers spam.
- Remote-access policies
- Dial-in access policy: Defines the appropriate dial-in access and its use by authorized personnel.
- Remote-access policy: Defines the standards for connecting to the organization network from any host or network external to the organization.
- VPN security policy: Defines the requirements for remote-access IP Security (IPsec) or Layer 2 Tunneling Protocol (L2TP) VPN connections to the organization network.
- Personal device and phone policies
- Analog and ISDN line policy: Defines the standards to use analog and ISDN lines for sending and receiving faxes and for connection to computers.
- Personal communication device policy: Defines the information security’s requirements for personal communication devices, such as voicemail, smartphones, tablets, and so on.
- Application policies
- Acceptable encryption policy: Defines the requirements for encryption algorithms that are used within the organization.
- Application service provider (ASP) policy: Defines the minimum security criteria that an ASP must execute before the organization uses the ASP’s services on a project.
- Database credentials coding policy: Defines the requirements for securely storing and retrieving database usernames and passwords.
- Interprocess communications policy: Defines the security requirements that any two or more processes must meet when they communicate with each other using a network socket or operating system socket.
- Project security policy: Defines requirements for project managers to review all projects for possible security requirements.
- Source code protection policy: Establishes minimum information security requirements for managing product source code.
- Network policies
- Extranet policy: Defines the requirement that third-party organizations that need access to the organization networks must sign a third-party connection agreement.
- Minimum requirements for network access policy: Defines the standards and requirements for any device that requires connectivity to the internal network.
- Network access standards: Defines the standards for secure physical port access for all wired and wireless network data ports.
- Router and switch security policy: Defines the minimal security configuration standards for routers and switches inside a company production network or used in a production capacity.
- Server security policy: Defines the minimal security configuration standards for servers inside a company production network or used in a production capacity.
- Wireless communication policy: Defines standards for wireless systems that are used to connect to the organization networks.
- Document retention policy: Defines the minimal systematic review, retention, and destruction of documents received or created during the course of business. The categories of retention policy are, among others:
- Electronic communication retention policy: Defines standards for the retention of email and instant messaging.
- Financial retention policy: Defines standards for the retention of bank statements, annual reports, pay records, accounts payable and receivable, and so on.
- Employee records retention policy: Defines standards for the retention of employee personal records.
- Operation records retention policy: Defines standards for the retention of past inventories information, training manuals, suppliers lists, and so forth.
Standards, Guidelines, and Procedures
Security policies establish a framework within which to work, but they are too general to be of much use to individuals responsible for implementing these policies. Because of this, other, more-detailed documents exist. Among the more important of these detailed documents are the standards, guidelines, and procedures documents.
Whereas policy documents are very much high-level overview documents, the standards, guidelines, and procedures documents are documents that the security staff will use regularly to implement the security policies.
Standards enable an IT staff to be consistent. They specify the use of specific technologies so that IT staff members can narrow the focus of their expertise to those technologies instead of trying to know everything about all sorts of technologies. Standards also try to provide consistency in the network, because supporting multiple versions of hardware and software is unreasonable unless it is necessary. The most successful IT organizations have standards to improve efficiency and to keep things as simple as possible.
Standardization also applies to security. One of the most important security principles is consistency. If you support 100 routers, it is important that you configure all 100 routers as similarly as possible. If you do not do this, it is difficult to maintain security. When you do not strive for the simplest of solutions, you usually fail in being secure.
Guidelines help provide a list of suggestions on how you can do things better. Guidelines are similar to standards, but are more flexible and are not usually mandatory. You will find some of the best guidelines available in repositories known as “best practices.” The following is a list of widely available guidelines:
- National Institute of Standards and Technology (NIST) Computer Security Resource Center; http://csrc.nist.gov/
- National Security Agency (NSA) Security Configuration Guides; http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/index.shtml
- The Common Criteria for Information Technology Security Evaluation; http://www.commoncriteriaportal.org/
- Defense Information Systems Agency (DISA) Field Security Operations Office – Security Technical Information Guides (STIG); http://iase.disa.mil/stigs/
Procedure documents are longer and more detailed than the standards and guidelines documents. Procedure documents include the details of implementation, usually with step-by-step instructions and graphics. Procedure documents are extremely important for large organizations to enable them to have the consistency of deployment that is necessary to have a secure environment. Inconsistency is the enemy of security.
Table 1-6 provides a comparative chart for standards, guidelines, and procedures, which accompany security policies.
Table 1-6. Comparison Between Standards, Guidelines, Procedures
Specify the use of specific technologies in a uniform way
Are usually mandatory
Accomplish consistency and uniformity
Are similar to standards, but more flexible and not usually mandatory
Can be used to define how standards should be developed or to guarantee adherence to general security policies
Include NIST Computer Security Resource Center, NSA Security Configuration Guides, Common Criteria, and others
Are usually required
Are the lowest level of the policy chain
Provide detailed steps used to perform specific tasks
Provide the steps required to implement the policies, standards, and guidelines
Are also known as practices
Security Policy Roles and Responsibilities
In any organization, it is senior management, such as the CEO, that is always ultimately responsible for everything. Typically, senior management only oversees the development of a security policy. The creation and maintenance of a security policy is usually delegated to the people in charge of IT or security operations.
Sometimes the senior security or IT management personnel, such as the chief security officer (CSO), the chief information officer (CIO), or the chief information security officer (CISO), will have the expertise to create the policy, sometimes they will delegate it, and sometimes it will be a bit of both strategies. But the senior security person is always intimately involved in the development and maintenance of security policy. Guidelines can provide a framework for policy decision making.
Senior security staff is often consulted for input on a proposed policy project. They might even be responsible for the development and maintenance of portions of the policy. It is more likely that senior staff will be responsible for the development of standards and procedures.
Everyone else who is involved in the security policy has the duty to abide by it. Many policy statements will include language that refers to a potential loss of employment for violation of the policy. IT staff and end users alike are responsible to know the policy and follow it.
Technical, administrative, and physical controls can all be defeated without the participation of the end-user community. To get accountants, administrative assistants, and other end users to think about information security, you must regularly remind them about security. The technical staff also needs regular reminders because their jobs tend to emphasize performance, such as introducing new technologies, increasing throughput, and the like, rather than secure performance, such as how many attacks they repelled. Therefore, leadership must develop a nonintrusive program that keeps everyone aware of security and how to work together to maintain the security of their data. The three key components used to implement this type of program are awareness, training, and education.
An effective computer security-awareness and training program requires proper planning, implementation, maintenance, and periodic evaluation. In general, a computer security-awareness and training program should encompass the following seven steps:
Step 1. Identify program scope, goals, and objectives.
The scope of the program should provide training to all types of people who interact with IT systems. Because users need training that relates directly to their use of particular systems, you need to supplement a large, organization-wide program with more system-specific programs.
Step 2. Identify training staff.
It is important that trainers have sufficient knowledge of computer security issues, principles, and techniques. It is also vital that they know how to communicate information and ideas effectively.
Step 3. Identify target audiences.
Not everyone needs the same degree or type of computer security information to do his or her job. A computer security-awareness and training program that distinguishes between groups of people, presents only the information that is needed by the particular audience, and omits irrelevant information will have the best results.
Step 4. Motivate management and employees.
To successfully implement an awareness and training program, it is important to gain the support of management and employees. Consider using motivational techniques to show management and employees how their participation in a computer security and awareness program will benefit the organization.
Step 5. Administer the program.
Several important considerations for administering the program include visibility, selection of appropriate training methods, topics, and materials, and presentation techniques.
Step 6. Maintain the program.
You should make an effort to keep abreast of changes in computer technology and security requirements. A training program that meets the needs of an organization today may become ineffective when the organization starts to use a new application or changes its environment, such as by connecting to the Internet.
Step 7. Evaluate the program.
An evaluation should attempt to ascertain how much information is retained, to what extent computer security procedures are being followed, and the general attitudes toward computer security.
A successful IT security program consists of the following:
- Developing IT security policy that reflects business needs tempered by known risks.
- Informing users of their IT security responsibilities, as documented in agency security policy and procedures.
- Establishing processes for monitoring and reviewing the program.
You should focus security awareness and training on the entire user population of the organization. Management should set the example for proper IT security behavior within an organization. An awareness program should begin with an effort that you can deploy and implement in various ways and be aimed at all levels of the organization, including senior and executive managers. The effectiveness of this effort usually determines the effectiveness of the awareness and training program and how successful the IT security program will be.