Developing Information Security Policy

Why is Developing Good Security Policy Difficult?

• Effective Security/IA Policy is more than locking doors and changing passwords

• Must reflect the entire enterprise/organization and its business goals and mission areas

• Needs to address a multitude of issues

– Human resources

– IT

– Physical Security

– Costs

– Governance

Why is Developing Good Security Policy Difficult?

• Must be comprehensive

• To be effective the policy must be unambiguous

• Must be a human document – not technical

Getting Started

• “The first step toward enhancing an organization’s security is the development and implementation of a precise, yet enforceable security policy, informing staff of the various aspects of their responsibilities, general use of organizational resources, and explaining how sensitive information must be handled. The policy will also describe in detail the meaning of the term acceptable use, as well as listing prohibited activities.”

• Building and Implementing a Successful Information Security Policy, by Dancho Danchev, WindowSecurity.com, 2003

Know the Organization

• When developing a Security/IA Policy it is critical to first know the organization

– Business model

– Goals/Mission

– Organizational Personality

– Structure

Risk Analysis

• Policy developer(s) need to know the risks facing an organization

• Either conduct a Risk Analysis or access existing risk data

• Understand how the organization does or intends to manage risk

• Must include a Vulnerability assessment

Risk Assessment

• Risk management approaches are better for connecting to business drivers and for protecting the right assets.

• However, even risk-based approaches are limiting if there is no enterprise context or view:

– Organizations are often not likely to act on findings even when they direct or perform the assessment

– Operational unit strategies for protecting assets frequently collide with enterprise barriers, such as a lack of security policy or training

– Operational units cannot devise and deploy an effective protection strategy for the enterprise

• Therefore – the need for effective policy!!

Vulnerability Assessment

• Technology-based approaches such as vulnerability management aren’t enough

– Reactive

– Tool driven

– Focused in the technical domain

– Performed by technicians (IT) primarily

– Lack of connection to business drivers, mission

– Security relegated to the responsibility of IT

– IT-based security decisions based on their drivers

– Focused on information or network security, but not administration, operations, or infrastructure (physical)

Standards

• Know and understand the organizational standards that will be used for guidance within the policy.

• Can be broader based standards adopted by the organization

• Used as a basis for developing comprehensive and enforceable policy

• Shall, Will, Must!!!

Issue Statements

• These statements define each of the issues addressed within the policy document

• Access control

• Unauthorized software

• Unauthorized use

• Data protection

• Personnel requirements

• Etc.

Applicability

• Identifies Where, How, When, To Whom and To What the security/IA policy applies

• Making this clear is critical to governance/enforcement

• Critical to eliminating ambiguities

Establish Responsibilities

• Clarifies who is responsible for what or whom

• Can be an effective way to bring the organization together

• Sharing responsibility for organizational security can expand the number of people who believe they are stakeholders in the success of the organization

• Important for compliance

Compliance

• Compliance requirements must be precise

• Should be applied equally within the organization

• Needs to define consequences of compliance failures

• Consequences do not have to be punitive

• Punitive measures should be able to be applied at all levels of an organization

• Compliance issues should be described as a means of ensuring success – not just identifying failure

Points of Contact

• It is essential that people within an organization know who to contact with security issues

• Questions on security/IA policy should be able to be resolved rapidly and clearly

• Security policy management should be seen as an asset to the workings of the organization

Visibility

• To be effective a security/IA policy must be visible

• Readily available to all personnel

• Should be provided at hire

• Security training must be part of indoctrination (onboarding)

• Continued training and security awareness should be part of the organizational culture

Policy Challenges

• Potential barriers to success for developing a security/IA policy that is effective across the enterprise:

– fail to realize security management is a business issue as well as a technological challenge

– security goals are aligned with the CIO, not the organization

– good policy needs more than IT to work together to achieve information security goals

– effective policy will convince organizational units other than IT that they should care about information security

Policy Challenges

• Security/IA Policy has to be part of the strategic plan for an organization

• Security strategies must also enable the organization, but must be balanced against potentially limiting the achievement of other strategic objectives