3/27/23, 10:04 PM Chapter 6 Creating Effective Information Security Policies | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/017-9781466551282-006.xhtml 1/38
6
Creating Effective Information Security Policies
We haven’t the time to take our time.
Eugene Ionesco, 1912–1994
When organizations first recognize that they need to ensure that the information assets of the organization are adequately protected, this usually results in asking the question, “What applicable policies are in place?” There may be some human resource policies that might apply or corporate policies noted in the ethics and compliance code of conduct; however, these are normally insufficient to address the breadth of the information security needs. The next step is for the organization to embark upon the time-consuming task of developing information security policies.
Why Information Security Policies Are Important
To the seasoned information security practitioner, asking why information security policies are important may seem like a question with an obvious answer. The question is not so obvious to the end users of the organization, as many of them may feel that if everyone applies common sense, there is no need for them to read and sign off on voluminous sets of policies. The reality is that each person has a different interpretation of what is common sense. For example, leaving a scruffy old backpack containing books in a car may seem like a reasonable act to one employee, who wonders why anyone would want to steal a bag full of books. Another employee might think that because of the condition of the backpack, no one would want to steal it. Another might think that their car is parked in broad daylight in a heavily traveled area, which would make the risk of stealing it quite low. Another employee may think that the car alarm would be a sufficient deterrent from anyone wanting to go through the trouble of stealing the backpack.

Then along comes the information security officer, whose job it is to evaluate the course of action that will provide reasonable security. The security officer knows the stories of break-ins all too well, and knows that criminals do not know for sure what is in the backpack. The criminal might assume that there is a laptop, money, or credit cards that could be sold for a nominal amount to buy drugs, alcohol, or support rudimentary living expenses. Thus, the opportunity and motivation present an unacceptable risk that must be mitigated. The organization cannot afford to leave these individual decisions up to the common sense internal barometer of thousands of employees. The organization must set forth advice or a baseline of what behavior is expected for each employee, and not leave this up to individual discretion. This advice, and expected behavior, is manifested through a set of information security policies. The policies form the cornerstone of the information security program and are representations of management’s intention that are needed to control the information security assets.
Avoiding Shelfware
Although information security policies are very important, they can easily become shelfware if their development, management, and distribution are not handled appropriately. Countless security departments have filled binders full of policies over the years that remain unread and require frequent dusting. As Intranet-based environments started to take hold in the mid-’90s, these environments moved from paper-based shelfware to electronic-based shelfware. The security department may have had a large project to develop the information security policies, place them on the Intranet, and then they were “done.” Lengthy, technical documents with all the technical jargon may have sounded impressive to the security department, but fail when end users are required to read them because they are not understandable. Who would read these lengthy documents? The same individuals that would read the complete car owner’s manual after purchasing a new car before they put the key into the ignition—in other words, a very small segment of the population. The security policies should be written in the language of the user and be brief enough to get the point across without overwhelming the end user. More detailed descriptions can be placed in standards documents that the users can read if they need additional information. An organization security policy beyond 30 to 60 pages is normally much more than would be required by any medium- to large-sized organization. Beyond that level, the policies are likely to go unread.
Electronic Policy Distribution
To avoid shelfware in electronic policies, they need to be kept (1) brief, (2) updated, and (3) relevant. Web-based policies should each be no more than two online pages to get the point across as to what is expected (Fitzgerald, 2004). Resumes are kept to two pages for a reason—people stop reading them if they have not received what is needed within the first two pages. Daily online articles on sites such as Yahoo and USA Today are no more than two pages, as the reader may lose interest after that.
The policies need to be updated at least annually to ensure that the management direction is still desired. As employees come across a policy that was last updated 4 years ago, they may conclude on their own that the policy no longer applies. The organization may have gone through a merger, and conflicting policies may exist for the two organizations; or worse yet, if the policies have never been integrated, the employees of the acquired company may make the erroneous assumption that they should still follow their old company policies and may not be aware of the new acquiring company policies.
Policies need to maintain their relevancy to remain effective. For example, if an organization has not addressed the use of social media in their policies, the management and end users will have to rely on the existing policies to determine whether social media is acceptable. Or, suppose an employee just purchased an iPad tablet computer, but the policy indicates that no personal desktop or laptop computers may be used within the company. Should the iPad be allowed? Technically, according to the policy, the iPad “tablet” computer has not been addressed, and the associate may leave it to an interpretation more favorable to the employee as to whether to use the device.
Policies posted online should always ensure that the revision history is provided as well, so that users can see what changes were made to the documents and also determine if they are looking at the correct version. Even with many companies moving toward green, environment-friendly initiatives to reduce wasteful printing and disposal costs, many end users still prefer to have a paper document that can be referenced when needed. The revision update date and history help ensure that the correct document is being utilized.
Several security vendors have products that will provide an electronic distribution of security policies and also provide a mechanism for end users to confirm that they have read, accepted, and understood the policy contents. The results are then recorded in a database that can be queried as needed. This information becomes very useful during incident investigations, terminations, and lawsuits where the company wants to demonstrate that the employee had clear knowledge of the policy and chose to violate it.
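The annual-update rule, the revision history, and the attestation database described above can be combined into one small record-keeping model. The following is an added example, not code from the book or from any vendor product; the policy IDs, user names, dates, and the 365-day review threshold are constructed assumptions.

```python
# Added illustration (not the book's code): tracking policy revisions and
# user attestations so that stale policies and stale acknowledgements can
# be queried, as the chapter describes for policy-distribution products.
# All policy IDs, users, dates and thresholds below are constructed samples.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Revision:
    number: int        # sequential revision number shown in the history
    effective: date    # date this revision was published
    summary: str       # what changed, so readers can see the difference


@dataclass
class Policy:
    policy_id: str
    title: str
    revisions: list = field(default_factory=list)

    @property
    def current(self) -> Revision:
        # The highest-numbered revision is the one users must attest to.
        return max(self.revisions, key=lambda r: r.number)


@dataclass(frozen=True)
class Attestation:
    user: str
    policy_id: str
    revision: int      # revision the user confirmed reading and accepting
    attested_on: date


def policies_due_for_review(policies, today, max_age_days=365):
    """IDs of policies whose current revision is older than the review interval
    (the chapter's rule of thumb is an annual update, hence 365 days)."""
    return sorted(p.policy_id for p in policies
                  if (today - p.current.effective).days > max_age_days)


def users_needing_reattestation(policies, attestations, users):
    """Map policy ID -> users who have not acknowledged its current revision.
    An attestation to an older revision does not count once the policy changes."""
    latest = {}  # (user, policy_id) -> highest revision number attested
    for a in attestations:
        key = (a.user, a.policy_id)
        latest[key] = max(latest.get(key, 0), a.revision)
    pending = {}
    for p in policies:
        missing = sorted(u for u in users
                         if latest.get((u, p.policy_id), 0) < p.current.number)
        if missing:
            pending[p.policy_id] = missing
    return pending


def attestation_evidence(attestations, user, policy):
    """Record proving `user` accepted the policy's current revision, or None.
    The record must name the current revision and be dated on or after its
    effective date; this is what an investigation would pull from the database."""
    cur = policy.current
    for a in attestations:
        if (a.user == user and a.policy_id == policy.policy_id
                and a.revision == cur.number and a.attested_on >= cur.effective):
            return a
    return None


def render_revision_history(policy):
    """Plain-text revision history to publish alongside the online policy."""
    lines = [f"{policy.title} ({policy.policy_id})"]
    for r in sorted(policy.revisions, key=lambda r: r.number):
        lines.append(f"  rev {r.number}  {r.effective.isoformat()}  {r.summary}")
    return "\n".join(lines)


# Constructed sample data
SAMPLE_POLICIES = [
    Policy("ACC-01", "Acceptable Use", [
        Revision(1, date(2020, 1, 15), "initial release"),
        Revision(2, date(2022, 9, 1), "added social media and tablet devices"),
    ]),
    Policy("PWD-01", "Password Policy", [Revision(1, date(2018, 6, 1), "initial release")]),
    Policy("BKP-01", "Backup Policy", [Revision(1, date(2022, 11, 10), "initial release")]),
]
SAMPLE_USERS = ["alice", "bob", "carol"]
SAMPLE_ATTESTATIONS = [
    Attestation("alice", "ACC-01", 2, date(2022, 9, 5)),
    Attestation("bob", "ACC-01", 1, date(2020, 2, 1)),   # stale: rev 2 is current
    Attestation("alice", "PWD-01", 1, date(2018, 7, 1)),
    Attestation("bob", "PWD-01", 1, date(2018, 7, 2)),
    Attestation("carol", "PWD-01", 1, date(2018, 7, 3)),
    Attestation("alice", "BKP-01", 1, date(2022, 11, 12)),
    Attestation("bob", "BKP-01", 1, date(2022, 11, 13)),
]
TODAY = date(2023, 3, 27)  # constructed "as of" date
```

With the sample data, the password policy is flagged as overdue for its annual review, and bob's old acknowledgement of the acceptable use policy no longer counts once revision 2 is published.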
Canned Security Policies
Consulting organizations have sets of policy templates that are used to jumpstart a client’s need for information security policies. These are then tailored to the needs of the organization. This process may be more effective than writing the information security policies from scratch, as long as the policies meet the compliance, laws, regulations, and desires of the organization. It is not unusual to see an organization that has implemented a copied policy verbatim, sometimes even forgetting to change the company name on the template. During the 2010 BP oil spill, it was revealed that the business continuity/disaster recovery documents from several major oil companies appeared to have used the same templates for their disaster recovery plans (Gupta, 2010). Although developing the complete information security policy is beyond the scope of this book, there are several information security books available with sample policies that can be used to jumpstart the development. Two very good sources are Information Security Policies and Procedures—A Practitioner’s Reference (Peltier, 2007) and Information Security Policies Made Easy by Information Shield (Wood, 2009). Both of these sources contain valuable information at a fraction of the cost of a security consultant for one day.
Policies, Standards, Guidelines Definitions
Organizations typically do not have a consistent understanding as to what a “policy” is. This seems like such a simple concept, so why the difficulty? The reason is not the lack of understanding that a policy is meant to govern the behavior within the organization. The reason for the confusion has more to do with the fact that in the interest of saving time, organizations will combine policies, procedures, guidelines, and standards into one document and call it the policy. This is not really a time saver because it makes it more difficult by introducing inflexibility into the policy each time the policy needs to change. This is similar to denormalizing a database structure to make the performance more efficient, when in fact it becomes harder to add new data elements to a particular table without redesigning the table. The policies and procedures end up getting fused together, and so when the procedure changes, the policy document by default is changing as well when the policy does not need to change. Or, the employees begin to think that the procedure is the only way the policy can be implemented, when there may be multiple procedures across the organization that are implemented to comply with the policy. For example, an organization might have a policy that all systems need a full backup weekly and they need to be maintained off site. The data center may have a procedure that ensures that tape backups are taken weekly and the tapes are picked up by a vendor and transported to the secure off-site storage. The midrange server infrastructure team may have a procedure to ensure that full backups are taken weekly through the online data vaulting process, in addition to the daily incremental backups at the remote site. The desktop support department may have a procedure that ensures that company critical information is stored on network drives, also subject to the weekly online backup process. In this case, each area has designated local procedures that ensure that they are in compliance with the higher-level corporate policy.
Policies Are Written at a High Level
Policies should be written at the highest level possible to still be able to communicate the intentions of the company. The higher the level of the policy, the more likely the policy is able to stand the test of time. Companies do not want to be reissuing policies on a frequent basis unless they have to. This involves resources for development and, more important, the time and expense of each person to reread the complete policy. Whereas changes in technology, company structure, laws and regulations, emerging trends, and so forth warrant changes to the security policy, frequent changes due to minor technology changes are not desired. The reaction of most users will be, didn’t we just do this? For example, if password standards are written into the password policy for a primarily Windows-based environment, what happens when a Unix server for the SQL server data warehouse project is introduced? Will the password policy need to be redistributed and attested to by thousands of users, when the change impacted only a small number of users?
Security officers and their teams are charged with the responsibility of creating the security policies. The policies must be written and communicated at a level that is understood by the end users of the organization if there is to be any chance of compliance. If the policies are poorly written or written at too high an education level (common industry practice is to focus the content for general users at the sixth- to eighth-grade reading level), the policies will not be understood.
Whereas security officers may be charged with the development of the policies, the effort is normally a collaborative effort to ensure that the business issues are addressed. Utilization of a security council, executive oversight committee, or a subgroup of that committee, depending upon the policy being drafted, is an approach that considers the business impacts of a security policy decision. Developing the policies solely within the information technology department and then distributing the policies without business input is likely to miss important business considerations. As always, deciding on the appropriate security controls is a decision of risk by the organization, which ultimately should be decided by the business leaders. The organization is also more likely to accept security policies that have been approved and endorsed by the business leaders versus the security officer or the information technology department.
Once these different documents have been created, the basis for ensuring compliance is established. These deliverables form the basis for organizational compliance with the security policies. The most current versions of the documents need to be readily accessible by those that are expected to follow them. Many organizations have placed these documents electronically on their intranets or shared file folders to facilitate communication of the most current documents. Placement of these documents plus checklists, forms, and sample documents can save time for the individual and be an added value provided by the security department.
Policies
Policies define, at a high level, what the organization needs to accomplish and serve as management’s intentions to control the operation of the organization to meet business objectives. The why should be stated in the form of a policy summary statement or purpose. If end users understand the why, they are more apt to follow the policy. As children, we were told what to do by our parents and we just did it. As we grew older, we challenged those beliefs (as 4- and 5-year-olds and again as teenagers) and needed to understand the reasoning. The rules had to make sense to us. Today’s organizations are no different; people need to understand the why before they can really commit.
Security Policy Best Practices
Someone once said, “Writing security policies is like making sausage. You don’t want to know what goes into it, but what comes out is pretty good!” Writing policies does not have to be a mystery, and there are several guidelines for creating good security policies practiced in the industry.
Clearly define policy creation practice—A clearly defined process for initiating, creating, reviewing, recommending, approving, and distributing the policies communicates the responsibilities of all parties necessary and the time expectations of their participation. This can be accomplished by process flows, swim lanes, flowcharts, or written documentation.

Write policies to survive 2 to 3 years—Policies are high-level statements of the objectives of the organization. The underlying methods and technologies to implement the controls to support the policies may change. By including these in the other related documents (procedures, standards, guidelines, and baselines), the policy statements will need less frequent change. This avoids frequent updates and subsequent distribution to the organization.

Use directive wording—Policies represent expectations to be complied with. As such, statements such as must, will, and shall communicate this requirement versus using weaker directives such as should, may, or can. This latter type of language is better reserved for guidelines or areas where there are options.

Avoid technical implementation details—Policies should be written to be technology independent, as the implemented technology may change over time.

Keep length to a minimum—Policies published online should be limited in length to two to three pages maximum per policy. The intent for the policies is for the end user to understand and not to create long documents for the sake of documentation.

Provide navigation from the policy to the supporting documents—If the implementation of the policy is placed online, then hyperlinking the procedures, standards, guidelines, and baselines can be an effective method to ensure that the appropriate procedures are being followed. Some of the internal security procedures would not be appropriate for general knowledge, such as the procedure for monitoring intrusions or reviewing log files, and these need to be accessible by the security department and properly secured from general distribution.

Thoroughly review before publishing—Proofreading policies by multiple individuals can catch errors that may not be readily seen by the author.

Conduct management review and sign off—Senior management must endorse the policies if they are to be effectively accepted by all management levels and subsequently the end users of the organization.

Avoid techno speak—Policies are oriented to communicate to nontechnical users. Technical jargon is acceptable in technical documentation but not in high-level security policies.

Review incidents and adjust policies—Review of the security incidents that have occurred may indicate the need for a new policy, a revision to an existing policy, or the need to redistribute the current policy to reinforce compliance.

Periodically review policies—A formalized review process provides a mechanism to ensure that the security policies are still in alignment with the business objectives.

Develop sanctions for noncompliance—Effective policies have consistent sanction policies to enable action when the policies are not followed. These sanctions may include “disciplinary action up to and including termination.” Stronger language can also be added for prosecution for serious offenses.
Policies provide the foundation for a comprehensive and effective security program. They protect the company from surprises and give the necessary authority to the security activities of the organization. By communicating the company policies as directives, accountability and personal responsibility for adhering to the security practices are established. The policies are utilized in determining or interpreting any conflicts that may arise. The policies also define the elements, scope, and functions of the security management.
Types of Security Policies
Security policies may consist of different types, depending upon the specific need for the policy (NIST, 2003). The different security policies work together to meet the objectives of the comprehensive security program. Different policy types include:
Organizational or program policy—This policy is issued by a senior management individual who creates the authority and scope for the security program. The purpose of the program is described and the assigned responsibility is defined for carrying out the information security mission. The goals of confidentiality, integrity, and availability would be addressed in the policy. Specific areas of security focus may be stressed, such as the protection of confidential information for a credit card company or health insurance company, or the availability focus for a company maintaining mission-critical, high-availability systems. The policy should be clear as to the facilities, hardware, software, information, and personnel that are in scope for the security program. In most cases, the scope will be the entire organization; however, in larger organizations the security program may be limited in scope to a division or geographic location. The organization policy sets out the high-level authority to define the appropriate sanctions for failure to comply with the policy.
Functional, issue-specific policies—Although the organizational security policies are broad in scope, the functional or issue-specific policies address areas of particular security concern requiring clarification. The issue-specific policies may be focused on the different domains of security and address areas such as access control, contingency planning, segregation of duties principles, and so forth. They may also address specific technical areas of existing and emerging technologies, such as use of the Internet, e-mail and corporate communication systems, wireless access, or remote system access. For example, an acceptable use policy may define the responsibilities of the end user for using the corporate computer systems for business purposes only, or may allow the person some incidental personal use provided the restrictions of ensuring usage is free from viruses, spyware, downloading inappropriate pictures or software, or sending chain letters through e-mail. These policies will depend upon the business needs and the tolerance for risk. The policies contain the statement of the issue, the statement of the organization’s position on the issue, the applicability of the issue, compliance requirements, and sanctions for not following the policy.
System-specific policies—Areas where it is desired to have clearer direction or greater control for a specific technical or operational area may have more detailed policies. These policies may be targeted for a specific application or platform. For example, a system-specific policy may address which departments are permitted to input or modify information in the check writing application for the disbursement of accounts payable payments.
The more detailed and issue specific the policy, the higher the likelihood that the policy will require more frequent changes. Typically, high-level organizational security policies will survive for several years, whereas those focused on the use of technology will change much more frequently as technology matures and new technology is added to the environment. Even if an organization is not currently utilizing a technology, policies can explicitly strengthen the message that the technology is not to be used and is prohibited. For example, a policy regarding removable media such as USB drives, or one regarding the use of wireless devices or camera phones in the workplace, would reinforce the management intentions around the acceptance or nonacceptance of these devices.
Standards
Whereas policies define what an organization needs, the standards take this a step further and define the how. Standards provide the agreements that provide interoperability within the organization through the use of common protocols. Standards are the hardware and software security mechanisms selected as the organization’s method of controlling security risks. Standards are prevalent in many facets of our daily lives, such as the size of the tires on automobiles; specifications of the height, color, and format of the stop sign; and the wiring details of the RJ11 plug on the end of the phone jack cable. Standards provide consistency in the implementation as well as permit interoperability with reduced confusion. There are many security standards that could be chosen to implement a particular solution. For example, when selecting a control for remote access identification and authentication, an organization could decide to utilize login IDs and passwords, strong authentication through a security token over dialup, or a virtual private network (VPN) solution over the Internet.
Standards simplify the operation of the security controls within the company and increase the efficiency. It is more costly to support multiple software packages which do essentially the same activity. Imagine if each user was told to go to the local computer store and purchase the antivirus product that they liked the best. Some users would ask the sales person’s opinion, some would buy the least expensive to meet their budget needs, and others might get the most expensive assuming this would provide the greatest protection. Without a consistent product standard for antivirus products, the organization would be unsure as to the level of protection provided. Additionally, each of these different products would have different installation, update, and licensing considerations contributing to complex management. It makes much more sense to have consistent products chosen for the organization versus leaving the product choice to every individual.
Determination of which standards meet the organization’s needs must be driven by the security policies agreed by management. The standards provide the specification of the technology to effectively enable the organization to become successful in meeting the requirements of the policy. If in the example of the remote access the organization was restricting information over the Internet or had many users in rural areas with limited Internet access, then the VPN standard over the Internet may not be a plausible solution. Conversely, for end users transmitting large amounts of information, the dial-up solution may be impractical. The policy defines the boundaries within which the standards must be supportive.
Standards may also refer to those guidelines established by a standards organization and accepted by management. Standards creators include organizations such as the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), Institute of Electrical and Electronics Engineers (IEEE), American National Standards Institute (ANSI), and National Security Agency (NSA).
Procedures
Procedures are step-by-step instructions in support of the policies, standards, guidelines, and baselines. The procedure indicates how the policy will be implemented and who does what to accomplish the tasks. The procedure provides clarity and a common understanding of the operation required to effectively support the policy on a consistent basis. Procedures are best developed when the input of each of the interfacing areas is included in the development of the procedure. This reduces the risk that important steps, communication, or required deliverables are left out of the procedure.
Companies must be able to provide assurance that they have exercised due diligence in the support and enforcement of company policies. This means that the company has made an effort to be in compliance with the policies and has communicated the expectations to the workforce. Having documented procedures communicated to the users, business partners, and anyone utilizing the systems as appropriate, minimizes the legal liability of the corporation.
Creating documented procedures is more than a documentation exercise for the sake of documentation. The process itself creates a common understanding between the developers of the procedure of the methods used to accomplish the task. Individuals from different organizational units may be very familiar with their work area but not as familiar with the impact of a procedure on a department. This is the “beach ball effect,” where organizations sometimes appear as a large beach ball, and the individuals working in different departments can only see their side of the beach ball and may not understand the other parts of the organization. The exercise of writing down a single, consistent procedure has the added effect of establishing agreement between the parties. Many times at the beginning of the process, individuals will think they all understand the process, only to come to understand that people were really executing different, individual processes to accomplish the task.
Consistent documentation of the procedures permits the
ability to improve the procedures. Once everyone under-
stands the initial procedure, enhancements can be applied
and communicated to everyone. This provides a method to in-
corporate the best thinking on the single procedure versus
having multiple procedures for the same operation with a
mixture of good and bad practices.
Baselines
Baselines describe how to implement and configure security packages so that implementations are consistent throughout the organization. Different software packages, hardware platforms, and networks have different methods of ensuring security, and many options and settings must be determined to provide the desired protection. An analysis of the available configuration settings, and the values chosen for them, forms the basis for future, consistent implementation of the standard. For example, the hardening baseline for the network servers may specify that the telnet service be turned off, since telnet carries credentials and session data in cleartext. A procedure for exceptions to the baseline would need to be followed, along with the business justification, in the event that the baseline could not be followed for a particular device. The baselines are the specific rules necessary to implement the security controls in support of the policy and standards that have been developed.
Testing the implemented security controls on a periodic basis confirms that systems are configured according to the documented baselines. The baselines themselves should be reviewed periodically to ensure that they are sufficient to address emerging threats and vulnerabilities. In large environments with multiple individuals performing systems administration and responding to urgent requests, there is an increased risk that one of the baseline configurations may not be implemented properly. Internal testing identifies these deviations and provides a mechanism to review why the control was or was not properly implemented. Failures in training, adherence to baselines and associated procedures, change control, documentation, or skills of the individual performing the changes may be identified through the testing.
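The periodic test described above can be automated. The following is an added example, not code from the book, of a small baseline compliance check in Python: it parses service-state output in the style of `systemctl list-unit-files`, compares each baseline item against the observed state, and distinguishes plain noncompliance from a deviation covered by an approved, unexpired exception with a recorded business justification. The baseline entries, host names, sample output, and exceptions register are all constructed for illustration and are not from any real host.

```python
"""Check a host's observed service states against a documented hardening baseline."""
from dataclasses import dataclass
from datetime import date

# Hypothetical hardening baseline for "network servers": unit -> required state.
BASELINE = {
    "telnet.socket": "disabled",
    "rsh.socket": "disabled",
    "rlogin.socket": "disabled",
    "sshd.service": "enabled",
    "ntpd.service": "enabled",
}

# Constructed sample in the style of `systemctl list-unit-files` output (not real host data).
SAMPLE_UNIT_FILES = """\
UNIT FILE       STATE
telnet.socket   enabled
sshd.service    enabled
rsh.socket      disabled
ntpd.service    masked
cups.service    enabled
"""

# Hypothetical exceptions register: approved deviations, each with justification and expiry.
EXCEPTIONS = [
    {
        "host": "legacy-app-01",
        "setting": "telnet.socket",
        "justification": "vendor console supports only telnet; compensating network ACL in place",
        "expires": date(2024, 12, 31),
    },
]

AUDIT_DATE = date(2024, 1, 15)  # assumed date of this test run


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: str
    observed: str
    status: str  # compliant | noncompliant | excepted | exception_expired


def parse_unit_files(text: str) -> dict:
    """Parse `systemctl list-unit-files`-style text into {unit: state}, skipping the header."""
    observed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "UNIT":
            continue
        observed[parts[0]] = parts[1]
    return observed


def normalize(state: str) -> str:
    """Masked, static, or absent units cannot be started, so they satisfy a 'disabled' baseline."""
    return "disabled" if state in ("masked", "static", "absent") else state


def find_exception(host: str, setting: str, exceptions: list):
    for exc in exceptions:
        if exc["host"] == host and exc["setting"] == setting:
            return exc
    return None


def evaluate(host: str, observed: dict, baseline: dict, exceptions: list, today: date) -> list:
    """Compare every baseline item with the observed state and classify the result."""
    findings = []
    for setting, expected in sorted(baseline.items()):
        raw = observed.get(setting, "absent")
        if normalize(raw) == expected:
            status = "compliant"
        else:
            exc = find_exception(host, setting, exceptions)
            if exc is None:
                status = "noncompliant"
            elif exc["expires"] < today:
                status = "exception_expired"  # justification lapsed; must be renewed or fixed
            else:
                status = "excepted"
        findings.append(Finding(host, setting, expected, raw, status))
    return findings


def noncompliant(findings: list) -> list:
    """Findings that need action: unexplained deviations and lapsed exceptions."""
    return [f for f in findings if f.status in ("noncompliant", "exception_expired")]


def report(findings: list) -> str:
    return "\n".join(
        f"{f.host:14} {f.setting:14} expected={f.expected:9} observed={f.observed:9} {f.status}"
        for f in findings
    )


if __name__ == "__main__":
    obs = parse_unit_files(SAMPLE_UNIT_FILES)
    for host in ("web-01", "legacy-app-01"):
        print(report(evaluate(host, obs, BASELINE, EXCEPTIONS, AUDIT_DATE)))
```

Running the check against the constructed sample flags telnet and the masked ntpd on a host with no exceptions, while on the legacy host the telnet deviation is reported as an approved exception until its expiry date passes, after which it reappears as an item to be remediated or re-justified. In practice the observed state would be collected from each host and the exceptions register kept under change control alongside the baseline document.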
Guidelines
Guidelines are discretionary or optional controls used to enable individuals to make judgments with respect to security actions. A good exercise is to replace the word guideline with the word optional. If, by doing so, the statements in the "optional" category are what is desired to happen at the user's discretion, then it is an appropriate guideline. If, on the other hand, the statements are considered required to adequately protect the security of the organization, then they should be defined as part of a policy, standard, or baseline.
Guidelines are also those recommendations, best practices, and templates provided by other organizations, such as the Control Objectives for Information and Related Technology (COBIT), the Capability Maturity Model (CMM), ISO 17799 (since renumbered ISO/IEC 27002), British Standard 7799, security configuration recommendations such as those from NIST or the NSA, organizational guidelines, or other governmental guidelines.
Combination of Policies, Standards, Baselines, Procedures, and Guidelines
Policies, standards, baselines, procedures, and guidelines are
closely related to each other and may be developed as the re-
sult of new regulations, external industry standards, new
threats and vulnerabilities, emerging technologies, upgraded
hardware and software platforms, or risk assessment
changes. Sometimes these different areas are combined into
single documents for ease of management of all the docu-
ments. Keeping policies separate from the implementation
components (standards, baselines, and procedures) increases
the flexibility and reduces the cost of maintenance as the poli-
cies typically change less frequently than the supporting pro-
cesses to achieve compliance with the policy. The relation-
ships between the policies, standards, baselines, procedures,
and guidelines and the laws and regulations providing the re-
quirement to implement these governing activities is shown
in Figure 6.1.
Figure 6.1 Relationships between policies, standards, procedures, baselines, and guidelines.
Policy Analogy A useful analogy to remember the differences between policies, standards, guidelines, and procedures is to think of a company that builds cabinets, which has a hammer policy. The different components may be as follows:
Policy—"All boards must be nailed together using company-issued hammers to ensure end product consistency and worker safety." Notice the flexibility provided to permit the company to define the hammer type with changes in technology or safety issues. The purpose is also communicated to the employees.
Standard—"Eleven-inch fiberglass hammers will be used; only hardened-steel nails will be used with the hammers; automatic hammers are to be used for repetitive jobs >1 hour." Technical specifics are provided to clarify the expectations that make sense for the current environment and represent management's decision.
Guideline—"To avoid splitting the wood, a pilot hole should be drilled first." The guideline is a suggestion and may not apply in all cases or all types of wood. This does not represent a requirement, but rather a suggested practice.
Procedure—"(1) Position nail in upright position on board. (2) Strike nail with full swing of hammer. (3) Repeat until nail is flush with board. (4) If thumb is caught between nail and board, see Nail First-Aid Procedure." The procedure indicates the process of using the hammer and the nail to clarify what is expected to be successful. Following this procedure, with the appropriate standard hammers, and practicing guidelines where appropriate, will fulfill the policy.
Analogies such as this can be effective when leading the
team to develop security policies to ensure that they are on
the same wavelength and not mixing policies, procedures,
standards, and guidelines. These can also be useful in security
awareness training to indicate when a particular user should
refer to a policy, standard, procedure, or guideline.
An Approach for Developing Information Security Policies
Let us assume for a moment that the guidance in the preced-
ing sections were followed, and the organization now has a
set of information security policies that are easy to read, kept
current, and generally available in a nice format on the Web.
However, if no one seems to be reading them or following
them, what could be the problem? Many times the root cause
is a lack of management support. How could this be? After all,
if the information security officer has been designated with
the role of developing and distributing information security
policies, why would there be a low acceptance rate? The an-
swer usually lies in the fact that while the information secu-
rity officer may have done an excellent job researching and
developing security policies, the same diligence was not ap-
plied in ensuring that the rest of management was on board
with the policies prior to rollout. The security officer may decide to push out the policies once his department has developed them. As such, the policies become those "owned" by the security officer and not by the rest of management. They are then treated as departmental policies that carry no greater enforcement weight than the policies and procedures created by any other organizational area. Then, when there is a conflict between the departmental desires and the security policy, the departmental desires win. For example, if an organization has to get information quickly to a customer, it may fax or e-mail the information as part of its normal procedure. However, the information security policy may require that all confidential information transmitted over an open network, as is the case with e-mail, be encrypted using cryptographic modules validated against a stringent government standard such as Federal Information Processing Standard (FIPS) 140-2. The department sending the information may disagree with the security department on whether the information is "confidential" under the policy's classification scheme, or may feel that the requirement is over the top and not agree with the policy at all, as it would hamper the speed of doing business and strain relationships with customers. Who is right? In this case, neither; the security officer failed to obtain agreement on the policy before the procedures were executed, and the executive from the other department is incorrect in not adhering to the policy. Unfortunately, this situation is all too common. The good news is that it can be avoided by following a different approach to developing and distributing the security policies.
Utilizing the Security Council for Policies
Management support is essential in the development of infor-
mation security policies. So, how is that attained? One method
that is very effective is to form a security committee, also
known as an information security council as introduced in
Chapter 4. The security council can review the policies pro-
posed by the information security department. The benefits of
this approach are (1) consensus of the policies are first built at
the front-line supervisor/middle management/technical staff
level, (2) senior management has greater comfort that the
policies will be accepted by the organization as the manage-
ment team has reviewed them before approval, and (3) it
builds grassroots ownership of the information security poli-
cies. Although the information security council can also serve
as oversight for other security initiatives, serve as a sounding
board, and prioritize information security efforts, it can be es-
pecially effective in vetting and discussing the information
policies that are needed by the organization.
The Policy Review Process
Now that the organization has identified an individual responsible for the development and implementation of security policies, the security council has been created, and an understanding of what makes a good policy has been communicated, there needs to be a process for reviewing the policies. This process may be developed during the creation of the security council. What is important is that the policy development process is thought out ahead of time to determine who will (1) create, (2) review and recommend, (3) approve the final version, (4) publish, and (5) read and accept the policies. The time spent in this process, up front, will pay many dividends down the road. Many organizations jump right in and have someone in the security department or information technology department draft and then e-mail the policy without taking these steps. Proceeding along that path ends up with a policy that is not accepted by the organization's management and thus will not be accepted by the organization's end users. Why? Because the necessary discussion, debate, and acceptance of the policies by the leaders of the organization never took place. In the end, the question of management commitment surfaces again, when there was never a process in place to obtain that commitment.
The process could be depicted in a swim-lane-type chart
showing the parties responsible, activities, records created
through each activity, and decision boxes; or a flowchart for-
mat. Senior management will want this presented at a high
level, typically no more than one to two pages of a process dia-
gram. The process will vary by organizational structure, geo-
graphic location, size, and culture of decision making.
However, a successful process for review should contain the
following steps, as depicted in Figure 6.2.
Figure 6.2 Security council policy development, approval, and distribution process.
1. Policy needs to be determined—Anyone can request the need
for a policy to the information security department.
Business units may have new situations that are not cov-
ered by an existing security policy. If no security policies ex-
ist in the organization, the information security department
needs to take the lead and establish a prioritization of poli-
cies that are necessary.
2. Create, modify existing policy—The information security department creates an initial draft of a new policy that others can react to. Caution must be taken not to copy and distribute as-is policies taken from books or Internet sources, as they may not be completely appropriate, enforceable, or supported by procedures within the organization.
3. Internal review by security department—People within the
security department will have varying levels of technical
expertise, business acumen, and understanding of the orga-
nizational culture. By reviewing within the team first, many
obvious errors or misunderstandings of the policy can be
avoided before engaging management’s limited review
time. This also increases the credibility of the information
systems security department by bringing a quality product
for review. It also saves time on minor grammatical reviews
and focuses the management review on substantive policy
issues.
4. Security council reviews and recommends policy—This is arguably the most critical step in the process. This is where the policy begins the acceptance step within the organization. The policies are read, line by line, during these meetings and discussed to ensure that everyone understands the intent and rationale for the policy. Management's commitment begins here. Why? Because management feels like part of the process and has a chance to provide input, as well as to think about how the policy would impact their individual departments. Contrast this method with just sending out the policy and saying "this is it" and the difference becomes readily apparent. These are the same managers that are being counted on to continue to support the policy once it is distributed to the rest of the workforce. Failing in this step will guarantee failure in having a real policy.
If we buy into the notion that a security council is a good
practice, logical, practical, and appears to get the job done,
what is the downside? Some may argue that it is a slow
process, especially when senior management may be push-
ing to “get something out there to address security” to re-
duce the risks. It is a slow process while the policies are be-
ing debated. However, the benefits of (1) having a real pol-
icy that the organization can support, (2) buy-in from the
management on a continuing basis, (3) reduced need to re-
work the policies later, and (4) increased understanding by
management of the policies’ meanings and why they are
important outweigh the benefits of blasting out an e-mail
containing policies that were copied from another source,
the name of the company changed, and distributed without
prior collaboration. Policies created in the latter way rarely become "real" and followed within the organization, as they were not developed with thorough analysis of how they would be supported by the business.
5. Information technology steering committee approves policy
—A committee made up of the senior leadership of the or-
ganization is typically formed to oversee the strategic in-
vestments in information technology. Many times these
committees struggle with balancing decisions on tactical
firefighting on short term issues versus dealing with strate-
gic issues, and this perspective needs to be understood
when addressing this type of committee. The important ele-
ment in the membership of this committee is that it in-
volves the decision leaders of the organization. These are
the individuals that the employees will be watching to see if
they support the policies that were initially generated from
the security department. Their review and endorsement of
the policies is critical to obtain support in implementing the
policies. Also, they may be aware of strategic plans or fur-
ther operational issues not identified by middle manage-
ment (through the security council) that may make a policy
untenable.
Since time availability of the senior leadership is typically
limited, these committees meet at most on a monthly basis,
but more typically on a quarterly basis. Therefore, suffi-
cient time for planning policy approval is necessary. This
may seem to run counter to the speed at which electronic
policies are distributed. However, as in the case with the se-
curity council review, the time delay is essential in obtain-
ing long-term commitment.
6. Publish policy—Organizations that go directly from step 2 to
this step end up with shelfware, or if e-mailed, “electronic
dust.” By the time the policy gets to this step, the security
department should feel very confident that the policy will
be understood by the users and supported by management.
Users may agree or disagree with the policy, but will under-
stand the need to follow it because it will be clear how the
policy was created and reviewed. Care must be taken when
publishing policies electronically, as it is not desirable to
publish the same policy over and over with minor changes
to grammar and terminology. Quality reviews need to be
performed early in the development process so that the se-
curity council and information technology steering commit-
tee can devote their time to substantive issues of the policy
versus pointing out the typos and correcting spelling. End
users should be given the same respect and should expect
to be reviewing a document free from error. The medium
may be electronic but that does not change the way people
want to manage their work lives. With the amount of e-mail
already in our lives, we should try to limit the amount of
“extra work” that is placed upon the readers of the policies.
Web-based policy management tools provide the facilities to publish policies very quickly. Since tracking who has read each policy is a key feature of these products, once a policy is published it typically cannot be changed; any change requires publishing a new version. This has major implications for the distribution of the policy: any change made will require republishing it. Imagine thousands of users in the organization who now have to reread the policy due to a minor change. This situation should be avoided by the review process in the preceding steps. The electronic compliance tracking software is usually built this way (and rightly so), so that it is clear which policy version each user actually signed off on.
It should be clear by now that even though some of the pol-
icy development tools support a workflow process within the
tool to facilitate approvals of the policies through the various
stages (such as draft, interim reviews, and final publishing),
there is no substitute for the oral collaboration on the policies.
Electronic communications are very flat and do not provide
expression of the meaning behind the words. Through the dis-
cussions within the various committees, the documented text
becomes clearer beyond just those with technical skills. The
purpose is more apt to be appropriately represented in the fi-
nal policies through the collaborative process.
Information Security Policy Process
Security policy development is a repetitive process, where existing policies are updated and new ones are created as needed. The majority of the work is in creating the initial security policies, and hopefully, if these policies were written at the appropriate level, modification of the policies should be minimal. The ongoing work in policy development is evaluating the policies against the introduction of new technologies, law and regulation changes, and changes to the business. Most often, the existing policies will suffice and not require major change. This slow rate of change can cause organizations not to pay the appropriate attention to policy review and update.
As a final note, it should be clear through the activities pre-
sented in this chapter that the information security officer is
the facilitator of the information security policy development,
but should not own them. The security policies should be
owned by the organization, which in most cases, is repre-
sented by the CEO and the executive management. There will
be much less challenging of the security policy if it is owned
and issued at this level, than if it is owned by the security offi-
cer, who may reside at a lower level within the organization
(except for large organizations where the CISO may be part of
the executive team).
All other security procedures, standards, guidelines, and im-
plementations are dependent upon the construction of a con-
sistent, easy-to-understand, coherent, and comprehensive in-
formation security policy. The time investment in this step is
very valuable and the impact to the organization should not
be underestimated. Following the steps in this chapter will
lead to more efficient and effective information security pol-
icy development and subsequent acceptance.
Suggested Reading
Peltier, T. R. 2007. Information security policies and procedures: A practitioner's reference, 2nd ed. Boca Raton, FL: Auerbach.
Wood, C. C. 2009. Information security policies made easy, version 11. Houston, TX: Information Shield.
Fitzgerald, T. 2004. Ten steps to effective Web-based security policy development and distribution. EDPACS 31(9): 1–22.
Fitzgerald, T., Goins, B., and Herold, R. 2007. Information security and risk management. In Official (ISC)² Guide to the CISSP CBK, H. A. Tipton and K. Henry, eds., 9–17. Boca Raton, FL: Auerbach.
National Institute of Standards and Technology (NIST). March 2009. Special Publication 800-16 Rev1 (draft): Information security training requirements: A role- and performance-based model (draft). http://csrc.nist.gov/publications/drafts/800-16-rev1/Draft-SP800-16-Rev1.pdf
National Institute of Standards and Technology (NIST). October 2003. Special Publication 800-50: Building an information technology security awareness and training program. http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
Gupta, U. 2010. Blog: Lessons learned from BP oil spill. Healthcare Info Security (June 21). http://blogs.healthcareinfosecurity.com/posts.php?postID=592