4/9/23, 9:12 PM Chapter 6 Creating Effective Information Security Policies | Information Security Governance Simplified
https://learning.oreilly.com/library/view/information-security-governance/9781439811658/017-9781466551282-006.xhtml 1/30
6
Creating Effective Information Security Policies
We haven’t the time to take our time.
Eugene Ionesco, 1912–1994
When organizations first recognize that they need to ensure that the information
assets of the organization are adequately protected, this usually results in asking
the question, “What applicable policies are in place?” There may be some human
resource policies that might apply, or corporate policies noted in the ethics and
compliance code of conduct; however, these are normally insufficient to address
the breadth of the information security needs. The next step is for the organiza-
tion to embark upon the time-consuming task of developing information security
policies.
Why Information Security Policies Are Important
To the seasoned information security practitioner, asking why information secu-
rity policies are important may seem like a question with an obvious answer. The
question is not so obvious to the end users of the organization, as many of them
may feel that if everyone applies common sense, there is no need for them to read
and sign off on voluminous sets of policies. The reality is that each person has a
different interpretation of what is common sense. For example, leaving a scruffy
old backpack containing books in a car may seem like a reasonable act to one
employee who wonders why anyone would want to steal a bag full of books. Another
employee might think that because of the condition of the backpack, no one
would want to steal it. Another might think that their car is parked in broad day-
light in a heavily traveled area, which would make the risk of stealing it quite low.
Another employee may think that the car alarm would be a sufficient deterrent
from anyone wanting to go through the trouble of stealing the backpack.
Then along comes the information security officer, whose job it is to evaluate
the course of action that will provide reasonable security. The security officer
knows the stories of break-ins all too well, and knows that criminals do not know
for sure what is in the backpack. The criminal might assume that there is a laptop,
money, or credit cards that could be sold for a nominal amount to buy drugs,
alcohol, or support rudimentary living expenses. Thus, the opportunity and
motivation present an unacceptable risk that must be mitigated. The organization
cannot afford to leave these individual decisions up to the common sense internal
barometer of thousands of employees. The organization must set forth advice or a
baseline of what behavior is expected for each employee, and not leave this up to
individual discretion. This advice, and expected behavior, is manifested through a
set of information security policies. The policies form the cornerstone of the infor-
mation security program and are representations of management’s intention that
are needed to control the information security assets.
Avoiding Shelfware
Although information security policies are very important, they can easily be-
come shelfware if their development, management, and distribution are not han-
dled appropriately. Countless security departments have filled binders full of poli-
cies over the years that remain unread and require frequent dusting. As the
Intranet-based environments started to take hold in the mid-’90s, these environ-
ments moved from paper-based shelfware to electronic-based shelfware. The se-
curity department may have had a large project to develop the information secu-
rity policies, place them on the Intranet, and then they were “done.” Lengthy,
technical documents with all the technical jargon may have sounded impressive
to the security department, but fail when end users are required to read them be-
cause they are not understandable. Who would read these lengthy documents?
The same individuals that would read the complete car owner’s manual after
purchasing a new car before they put the key into the ignition—in other words, a
very small segment of the population. The security policies should be written in
the language of the user and be brief enough to get the point across without
overwhelming the end user. More detailed descriptions can be placed in standards
documents that the users can read if they need additional information. An
organization’s security policy running beyond 30 to 60 pages is normally much more than would
be required by any medium- to large-sized organization. Beyond that level, the
policies are likely to go unread.
Electronic Policy Distribution
To avoid shelfware in electronic policies, they need to be kept (1) brief, (2) up-
dated, and (3) relevant. Web-based policies should each be no more than two on-
line pages to get the point across as to what is expected (Fitzgerald, 2004).
Resumes are kept to two pages for a reason—people stop reading them if they
have not received what is needed within the first two pages. Daily online articles
on sites such as Yahoo and USA Today are no more than two pages, as the reader
may lose interest after that.
The policies need to be updated at least annually to ensure that the management
direction is still desired. As employees come across a policy that was last
updated 4 years ago, they may conclude on their own that the policy
no longer applies. The organization may have gone through a merger, and
conflicting policies may exist for the two organizations; or, worse yet, if the policies
have never been integrated, the employees of the acquired company may make
the erroneous assumption that they should still follow their old company policies
and may not be aware of the acquiring company’s policies.
Policies need to maintain their relevancy to remain effective. For example, if an
organization has not addressed the use of social media in their policies, the man-
agement and end users will have to rely on the existing policies to determine
whether social media is acceptable. Or, suppose an employee just purchased an
iPad tablet computer, but the policy indicates that no personal desktop or laptop
computers may be used within the company. Should the iPad be allowed?
Technically, according to the policy, the iPad “tablet” computer has not been ad-
dressed, and the associate may leave it to an interpretation more favorable to the
employee as to whether to use the device.
Policies posted online should always ensure that the revision history is pro-
vided as well, so that users can see what changes were made to the documents
and also determine if they are looking at the correct version. Even with many
companies moving toward green, environmentally friendly initiatives to reduce
wasteful printing and disposal costs, many end users still prefer to have a paper
document that can be referenced when needed. The revision update date and his-
tory help ensure that the correct document is being utilized.
Several security vendors have products that will provide an electronic distribu-
tion of security policies and also provide a mechanism for end users to confirm
that they have read, accepted, and understood the policy contents. The results are
then recorded in a database that can be queried as needed. This information
becomes very useful during incident investigations, terminations, and lawsuits
where the company wants to demonstrate that the employee had clear knowledge
of the policy and chose to violate it.
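As an added example (not from the book or from any vendor’s product), the following Python builds a small attestation record store of the kind described above and answers the investigation question: did this user acknowledge the version of the policy that was in effect on a given date? The schema, policy name, users, and dates are all constructed sample data.

```python
"""Policy attestation records: which revision of a policy was in effect on a
date, and did a given user acknowledge that revision?

Added example for this chapter; it is not the book's code or any vendor's
product. The schema and every row below are constructed sample data."""
import sqlite3
from typing import List, Optional

SCHEMA = """
CREATE TABLE policy_version (
    policy    TEXT NOT NULL,
    version   INTEGER NOT NULL,
    published TEXT NOT NULL,      -- ISO date; compares correctly as text
    summary   TEXT NOT NULL,      -- the revision history shown to users
    PRIMARY KEY (policy, version)
);
CREATE TABLE attestation (
    user        TEXT NOT NULL,
    policy      TEXT NOT NULL,
    version     INTEGER NOT NULL,
    attested_on TEXT NOT NULL,    -- ISO date
    FOREIGN KEY (policy, version) REFERENCES policy_version (policy, version)
);
"""

# Constructed sample data: two revisions of an acceptable use policy and
# three users with different acknowledgement histories.
POLICY_VERSIONS = [
    ("acceptable-use", 1, "2022-01-10", "Initial issue"),
    ("acceptable-use", 2, "2023-03-01", "Added tablet/personal device and social media clauses"),
]
ATTESTATIONS = [
    ("alice", "acceptable-use", 1, "2022-01-15"),
    ("alice", "acceptable-use", 2, "2023-03-05"),   # re-attested after the revision
    ("bob",   "acceptable-use", 1, "2022-02-01"),   # never re-attested to version 2
    # carol has never attested to any version
]
USERS = ["alice", "bob", "carol"]


def open_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO policy_version VALUES (?, ?, ?, ?)", POLICY_VERSIONS)
    conn.executemany("INSERT INTO attestation VALUES (?, ?, ?, ?)", ATTESTATIONS)
    return conn


def version_in_effect(conn: sqlite3.Connection, policy: str, as_of: str) -> Optional[int]:
    """Latest version published on or before as_of, or None if none was."""
    row = conn.execute(
        "SELECT version FROM policy_version WHERE policy = ? AND published <= ? "
        "ORDER BY published DESC LIMIT 1", (policy, as_of)).fetchone()
    return row[0] if row else None


def attestation_status(conn: sqlite3.Connection, user: str, policy: str, as_of: str) -> str:
    """'current' if the user acknowledged the version in effect on as_of,
    'superseded' if only an earlier version, 'none' otherwise."""
    current = version_in_effect(conn, policy, as_of)
    if current is None:
        return "none"
    rows = conn.execute(
        "SELECT version FROM attestation WHERE user = ? AND policy = ? AND attested_on <= ?",
        (user, policy, as_of)).fetchall()
    versions = {r[0] for r in rows}
    if current in versions:
        return "current"
    if versions:
        return "superseded"   # the user saw an old revision, not the one in force
    return "none"


def users_needing_reattestation(conn: sqlite3.Connection, policy: str, as_of: str) -> List[str]:
    """Everyone who has not acknowledged the version in effect on as_of."""
    return [u for u in USERS if attestation_status(conn, u, policy, as_of) != "current"]


if __name__ == "__main__":
    db = open_db()
    for u in USERS:
        print(u, attestation_status(db, u, "acceptable-use", "2023-06-01"))
    print("need re-attestation:", users_needing_reattestation(db, "acceptable-use", "2023-06-01"))
```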
Canned Security Policies
Consulting organizations have sets of policy templates that are used to jumpstart
a client’s need for information security policies. These are then tailored to the
needs of the organization. This process may be more effective than writing the in-
formation security policies from scratch, as long as the policies meet the compli-
ance, laws, regulations, and desires of the organization. It is not unusual to see
where an organization has implemented a copied policy verbatim, sometimes
even forgetting to change the company name on the template. During the 2010 BP
oil spill, it was revealed that the business continuity/disaster recovery documents
from several major oil companies appeared to have used the same templates for
their disaster recovery plans (Gupta, 2010). Although developing the complete
information security policy is beyond the scope of this book, there are several
information security books available with sample policies that can be used to jumpstart
the development. Two very good sources are Information Security Policies and
Procedures—A Practitioner’s Reference (Peltier, 2007) and Information Security
Policies Made Easy by Information Shield (Wood, 2009). Both of these sources con-
tain valuable information at a fraction of the cost of a security consultant for one
day.
Policies, Standards, Guidelines Definitions
Organizations typically do not have a consistent understanding as to what a “pol-
icy” is. This seems like such a simple concept, so why the difficulty? The reason is
not the lack of understanding that a policy is meant to govern the behavior within
the organization. The reason for the confusion has more to do with the fact that in
the interest of saving time, organizations will combine policies, procedures,
guidelines, and standards into one document and call it the policy. This is not
really a time saver, because the combined document becomes inflexible: every
time any part of it needs to change, the whole policy must change. This is similar to
denormalizing a database structure to make performance more efficient, when in
fact it becomes harder to add new data elements to a particular table without
redesigning the table. The policies and procedures end up fused together, so that
when a procedure changes, the policy document changes by default, even though
the policy itself does not need to change. Or, the employees begin to think that
the procedure is the only way the policy can be implemented, when there may be
multiple procedures across the organization that are implemented to comply with
the policy. For example, an organization might have a policy that all systems need
a full backup weekly and they need to be maintained off site. The data center may
have a procedure that ensures that tape backups are taken weekly and the tapes
are picked up by a vendor and transported to the secure off-site storage. The
midrange server infrastructure team may have a procedure to ensure that full
backups are taken weekly through the online data vaulting process, in addition to
the daily incremental backups at the remote site. The desktop support department
may have a procedure that ensures that company critical information is stored on
network drives, also subject to the weekly online backup process. In this case,
each area has designated local procedures that ensure that they are in compliance
with the higher-level corporate policy.
Policies Are Written at a High Level
Policies should be written at the highest level possible to still be able to communi-
cate the intentions of the company. The higher the level of the policy, the more
likely the policy is able to stand the test of time. Companies do not want to be reis-
suing policies on a frequent basis unless they have to. This involves resources for
development and, more important, the time and expense of each person to reread
the complete policy. Whereas changes in technology, company structure, laws and
regulations, emerging trends, and so forth warrant changes to the security policy,
frequent changes due to minor technology changes are not desired. The reaction
of most users will be, “Didn’t we just do this?” For example, if password standards
are written into the password policy for a primarily Windows-based environ-
ment, what happens when a Unix server for the SQL server data warehouse
project is introduced? Will the password policy need to be redistributed and at-
tested to by thousands of users, when the change impacted only a small number
of users?
Security officers and their teams are charged with the responsibility of creating
the security policies. The policies must be written and communicated at a level
that is understood by the end users of the organization if there is to be any chance
of compliance. If the policies are poorly written or written at too high an
education level (common industry practice is to focus the content for general users at
the sixth- to eighth-grade reading level), the policies will not be understood.
Whereas security officers may be charged with the development of the policies,
the effort is normally a collaborative effort to ensure that the business issues are
addressed. Utilization of a security council, executive oversight committee, or a
subgroup of that committee, depending upon the policy being drafted, is an ap-
proach that considers the business impacts of a security policy decision.
Developing the policies solely within the information technology department and
then distributing the policies without business input is likely to miss important
business considerations. As always, deciding on the appropriate security controls
is a decision of risk by the organization, which ultimately should be decided by
the business leaders. The organization is also more likely to accept security poli-
cies that have been approved and endorsed by the business leaders versus the se-
curity officer or the information technology department.
Once these different documents have been created, the basis for ensuring
organizational compliance with the security policies is established. The most
current versions of the documents
need to be readily accessible by those that are expected to follow them. Many or-
ganizations have placed these documents electronically on their intranets or
shared file folders to facilitate communication of the most current documents.
Placement of these documents plus checklists, forms, and sample documents can
save time for the individual and be an added value provided by the security
department.
Policies
Policies define, at a high level, what the organization needs to accomplish and
serve as management’s intentions to control the operation of the organization to
meet business objectives. The why should be stated in the form of a policy sum-
mary statement or purpose. If end users understand the why, they are more apt to
follow the policy. As children, we were told what to do by our parents and we just
did it. As we grew older, we challenged those beliefs (as 4- and 5-year-olds and
again as teenagers) and needed to understand the reasoning. The rules had to
make sense to us. Today’s organizations are no different; people need to under-
stand the why before they can really commit.
Security Policy Best Practices
Someone once said, “Writing security policies is like making sausage. You don’t
want to know what goes into it, but what comes out is pretty good!” Writing
policies does not have to be a mystery, and there are several guidelines for creat-
ing good security policies practiced in the industry.
Clearly define policy creation practice—A clearly defined process for initiating,
creating, reviewing, recommending, approving, and distributing the policies
communicates the responsibilities of all parties necessary and the time expecta-
tions of their participation. This can be accomplished by process flows, swim
lanes, flowcharts, or written documentation.
Write policies to survive 2 to 3 years—Policies are high-level statements of the
objectives of the organization. The underlying methods and technologies to im-
plement the controls to support the policies may change. By including these in
the other related documents (procedures, standards, guidelines, and baselines),
the policy statements will need less frequent change. This avoids frequent
updates and subsequent distribution to the organization.
Use directive wording—Policies represent expectations to be complied with. As
such, statements such as must, will, and shall communicate this requirement
versus using weaker directives such as should, may, or can. This latter type of
language is better reserved for guidelines or areas where there are options.
Avoid technical implementation details—Policies should be written to be tech-
nology independent, as the implemented technology may change over time.
Keep length to a minimum—Policies published online should be limited in
length to two to three pages maximum per policy. The intent for the policies is
for the end user to understand and not to create long documents for the sake of
documentation.
Provide navigation from the policy to the supporting documents—If the imple-
mentation of the policy is placed online, then hyperlinking the procedures,
standards, guidelines, and baselines can be an effective method to ensure that
the appropriate procedures are being followed. Some of the internal security
procedures would not be appropriate for general knowledge, such as the proce-
dure for monitoring intrusions or reviewing log files, and these need to be ac-
cessible by the security department and properly secured from general
distribution.
Thoroughly review before publishing—Proofreading policies by multiple individ-
uals can catch errors that may not be readily seen by the author.
Conduct management review and sign off—Senior management must endorse
the policies if they are to be effectively accepted by all management levels and
subsequently the end users of the organization.
Avoid techno speak—Policies are oriented to communicate to nontechnical
users. Technical jargon is acceptable in technical documentation but not in
high-level security policies.
Review incidents and adjust policies—Review of the security incidents that have
occurred may indicate the need for a new policy, a revision to an existing pol-
icy, or the need to redistribute the current policy to reinforce compliance.
Periodically review policies—A formalized review process provides a mecha-
nism to ensure that the security policies are still in alignment with the business
objectives.
Develop sanctions for noncompliance—Effective policies have consistent sanc-
tion policies to enable action when the policies are not followed. These sanc-
tions may include “disciplinary action up to and including termination.”
Stronger language can also be added for prosecution for serious offenses.
Policies provide the foundation for a comprehensive and effective security
program. They protect the company from surprises and give the necessary authority
to the security activities of the organization. By communicating the company
policies as directives, accountability and personal responsibility for adhering to the
security practices is established. The policies are utilized in determining or inter-
preting any conflicts that may arise. The policies also define the elements, scope,
and functions of the security management.
Types of Security Policies
Security policies may consist of different types, depending upon the specific need
for the policy (NIST, 2003). The different security policies work together to meet
the objectives of the comprehensive security program. Different policy types
include:
Organizational or program policy—This policy is issued by a senior manage-
ment individual who creates the authority and scope for the security program.
The purpose of the program is described and the assigned responsibility is
defined for carrying out the information security mission. The goals of
confidentiality, integrity, and availability would be addressed in the policy. Specific
areas of security focus may be stressed, such as the protection of confidential
information for a credit card company or health insurance company, or the
availability focus for a company maintaining mission-critical, high-availability
systems. The policy should be clear as to the facilities, hardware, software,
information, and personnel that are in scope for the security program. In most
cases, the scope will be the entire organization; however, in larger organizations
the security program may be limited in scope to a division or geographic
location. The organization policy sets out the high-level authority to define the
appropriate sanctions for failure to comply with the policy.
Functional, issue-specific policies—Although the organizational security policies
are broad in scope, the functional or issue-specific policies address areas of
particular security concern requiring clarification. The issue-specific policies
may be focused on the different domains of security and address areas such as
access control, contingency planning, segregation of duties principles, and so
forth. They may also address specific technical areas of existing and emerging
technologies, such as use of the Internet, e-mail and corporate communication
systems, wireless access, or remote system access. For example, an acceptable
use policy may define the responsibilities of the end user for using the
corporate computer systems for business purposes only, or may allow the person
some incidental personal use, provided that such usage is kept free of viruses and
spyware and does not involve downloading inappropriate pictures or software or
sending chain letters through e-mail. These policies will depend upon the
business needs and the tolerance for risk. The policies contain the statement of the
issue, the statement of the organization’s position on the issue, the applicability
of the issue, compliance requirements, and sanctions for not following the
policy.
System-specific policies—Areas where it is desired to have clearer direction or
greater control for a specific technical or operational area may have more de-
tailed policies. These policies may be targeted for a specific application or plat-
form. For example, a system-specific policy may address which departments
are permitted to input or modify information in the check writing application
for the disbursement of accounts payable payments.
The more detailed and issue-specific the policy, the higher the likelihood that the
policy will require more frequent changes. Typically, high-level organizational se-
curity policies will survive for several years, whereas those focused on the use of
technology will change much more frequently as technology matures and new
technology is added to the environment. Even if an organization is not currently
utilizing a technology, policies can explicitly strengthen the message that the tech-
nology is not to be used and is prohibited. For example, a policy regarding remov-
able media such as USB drives, or one regarding the use of wireless devices or
camera phones in the workplace, would reinforce the management intentions
around the acceptance or nonacceptance of these devices.
Standards
Whereas policies define what an organization needs, the standards take this a
step further and define the how. Standards provide the agreements that provide
interoperability within the organization through the use of common protocols.
Standards are the hardware and software security mechanisms selected as the
organization’s method of controlling security risks. Standards are prevalent in
many facets of our daily lives, such as the size of the tires on automobiles; specifi-
cations of the height, color, and format of the stop sign; and the wiring details of
the RJ11 plug on the end of the phone jack cable. Standards provide consistency in
the implementation as well as permit interoperability with reduced confusion.
There are many security standards that could be chosen to implement a particu-
lar solution. For example, when selecting a control for remote access identifica-
tion and authentication, an organization could decide to utilize login IDs and
passwords, strong authentication through a security token over dialup, or a vir-
tual private network (VPN) solution over the Internet.
Standards simplify the operation of the security controls within the company
and increase efficiency. It is more costly to support multiple software
packages that do essentially the same thing. Imagine if each user were told to go to
the local computer store and purchase the antivirus product that they liked the
best. Some users would ask the sales person’s opinion, some would buy the least
expensive to meet their budget needs, and others might get the most expensive as-
suming this would provide the greatest protection. Without a consistent product
standard for antivirus products, the organization would be unsure as to the level
of protection provided. Additionally, each of these different products would have
different installation, update, and licensing considerations contributing to
complex management. It makes much sense to have consistent products chosen for
the organization versus leaving the product choice to every individual.
Determination of which standards meet the organization’s needs must be
driven by the security policies agreed by management. The standards provide the
specification of the technology to effectively enable the organization to become
successful in meeting the requirements of the policy. If, in the remote access
example, the organization restricted the transmission of information over the
Internet or had many users in rural areas with limited Internet access, then the VPN
standard over the Internet may not be a plausible solution. Conversely, for end users
transmitting large amounts of information, the dial-up solution may be impractical.
The policy defines the boundaries within which the standards must operate in
support of it.
Standards may also refer to those guidelines established by a standards organi-
zation and accepted by management. Standards creators include organizations
such as the National Institute of Standards and Technology (NIST), International
Organization for Standardization (ISO), Institute of Electrical and Electronics
Engineers (IEEE), American National Standards Institute (ANSI), and National
Security Agency (NSA).
Procedures
Procedures are step-by-step instructions in support of the policies, standards,
guidelines, and baselines. The procedure indicates how the policy will be imple-
mented and who does what to accomplish the tasks. The procedure provides clar-
ity and a common understanding to the operation required to effectively support
the policy on a consistent basis. Procedures are best developed when the input of
each of the interfacing areas is included in the development of the procedure.
This reduces the risk that important steps, communication, or required deliver-
ables are left out of the procedure.
Companies must be able to provide assurance that they have exercised due dili-
gence in the support and enforcement of company policies. This means that the
company has made an effort to be in compliance with the policies and has com-
municated the expectations to the workforce. Having documented procedures
communicated to the users, business partners, and anyone utilizing the systems
as appropriate, minimizes the legal liability of the corporation.
Creating documented procedures is more than a documentation exercise for
the sake of documentation. The process itself creates a common understanding
among the developers of the procedure about the methods used to accomplish the
task. Individuals from different organizational units may be very familiar with
their own work area but not as familiar with the impact of a procedure on another
department. This is the “beach ball effect,” where organizations sometimes appear as a
large beach ball, and the individuals working in different departments can only
see their side of the beach ball and may not understand the other parts of the or-
ganization. The exercise of writing down a single, consistent procedure has the
added effect of establishing agreement between the parties. Many times at the be-
ginning of the process, individuals will think they all understand the process, only
to come to understand that people were really executing different, individual pro-
cesses to accomplish the task.
Consistent documentation of procedures also makes them easier to improve.
Once everyone understands the initial procedure, enhancements can
be applied and communicated to everyone. This provides a method to incorporate
the best thinking into the single procedure, rather than having multiple procedures for
the same operation with a mixture of good and bad practices.
Baselines
Baselines describe how to implement security packages so that implementations
are consistent throughout the organization. Different software packages,
hardware platforms, and networks have different methods of ensuring security,
with many options and settings that must be determined to provide the desired
protection. An analysis of the available configuration settings, and of the values
chosen for them, forms the basis for future, consistent implementation of the
standard. For example, the hardening baseline document for network servers may
specify that the telnet service be turned off. Where the baseline cannot be
followed for a particular device, an exception procedure must be followed and the
business justification documented. Baselines are the specific rules necessary to
implement the security controls in support of the policies and standards that
have been developed.
Periodic testing of the implemented security controls provides assurance that
systems are configured according to the documented baselines. The baselines
themselves should be reviewed periodically to ensure that they remain sufficient
to address emerging threats and vulnerabilities. In large environments with
multiple individuals performing systems administration and responding to urgent
requests, there is an increased risk that a baseline configuration will not be
implemented properly. Internal testing identifies these deviations and provides
a mechanism to review why the control was or was not properly implemented.
Failures in training, adherence to baselines and associated procedures,
change control, documentation, or the skills of the individual performing the
changes may all be identified through the testing.
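As an added example (not from the book), the following Python sketch shows how a hardening baseline of the kind described above can be expressed as machine-checkable rules and tested periodically against what each host actually reports, while honouring documented, time-limited exceptions. The baseline items, host names, collector output format and exception register are all constructed for illustration; note the failure modes the text calls out: a setting that was never reported, and an exception that has quietly expired.

```python
"""Baseline compliance check against a documented hardening baseline.
Added example: the baseline items, hosts, collector format and exception
register below are constructed for illustration, not taken from the book."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BaselineItem:
    item_id: str
    description: str
    key: str        # configuration key as reported by the (hypothetical) collector
    expected: str   # value the baseline requires


@dataclass(frozen=True)
class ApprovedException:
    host: str
    item_id: str
    justification: str   # the business justification the exception procedure requires
    approved_by: str
    expires: date        # exceptions are time-boxed so they get re-reviewed


# Hypothetical hardening baseline for network servers.
NETWORK_SERVER_BASELINE = (
    BaselineItem("NS-01", "telnet service disabled", "service.telnet", "disabled"),
    BaselineItem("NS-02", "SSH root login disabled", "sshd.PermitRootLogin", "no"),
    BaselineItem("NS-03", "SSH password authentication disabled", "sshd.PasswordAuthentication", "no"),
    BaselineItem("NS-04", "SSH idle sessions closed", "sshd.ClientAliveCountMax", "0"),
)


def parse_observed(text: str) -> dict[str, str]:
    """Parse 'key = value' lines reported for one host. Comments and blank lines are
    skipped; keys and values are lower-cased so comparison is case-insensitive."""
    observed: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        observed[key.lower()] = value.lower()
    return observed


def check_host(host, observed, baseline, exceptions, today):
    """Evaluate one host. Returns [(item_id, status)] with status 'pass', 'fail',
    'missing' (not reported at all) or 'excepted' (covered by an unexpired exception)."""
    active = {e.item_id for e in exceptions if e.host == host and e.expires >= today}
    findings = []
    for item in baseline:
        actual = observed.get(item.key.lower())
        if actual == item.expected.lower():
            status = "pass"
        elif item.item_id in active:
            status = "excepted"
        elif actual is None:
            status = "missing"
        else:
            status = "fail"
        findings.append((item.item_id, status))
    return findings


# Constructed collector output for two hosts.
SAMPLE_HOSTS = {
    "nsrv-01": """
        service.telnet = enabled          # vendor console, covered by an exception
        sshd.PermitRootLogin = no
        sshd.PasswordAuthentication = no
        sshd.ClientAliveCountMax = 0
    """,
    "nsrv-02": """
        service.telnet = enabled          # exception has expired: this is real drift
        sshd.PermitRootLogin = yes
        sshd.PasswordAuthentication = no
        # ClientAliveCountMax was never reported
    """,
}

SAMPLE_EXCEPTIONS = (
    ApprovedException("nsrv-01", "NS-01", "vendor console reachable only via telnet until refresh", "CISO", date(2025, 12, 31)),
    ApprovedException("nsrv-02", "NS-01", "same vendor console", "CISO", date(2023, 6, 30)),
)


def run_review(today: date = date(2024, 1, 15)) -> dict[str, list[tuple[str, str]]]:
    """The periodic test: every host against the current baseline and exception register."""
    return {host: check_host(host, parse_observed(cfg), NETWORK_SERVER_BASELINE, SAMPLE_EXCEPTIONS, today)
            for host, cfg in SAMPLE_HOSTS.items()}


def needs_attention(results) -> list[tuple[str, str, str]]:
    """Whatever neither passed nor is covered by a live exception goes back for
    root-cause review (training, change control, documentation, skills)."""
    return sorted((host, item_id, status)
                  for host, findings in results.items()
                  for item_id, status in findings
                  if status not in ("pass", "excepted"))


if __name__ == "__main__":
    results = run_review()
    print(results)
    print("needs attention:", needs_attention(results))
```

Two design points worth noting: an expired exception is treated exactly like no exception, so the deviation resurfaces as a finding instead of being silently grandfathered; and a setting the collector never reported is a distinct status from a wrong value, because the two usually have different root causes (a broken collector versus an administrator's change).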
Guidelines
Guidelines are discretionary or optional controls used to enable individuals to
make judgments with respect to security actions. A good exercise is to replace the
word guideline with the word optional. If, by doing so, the statements in the
“optional” category are what is desired to happen at the user’s discretion, then
it is an appropriate guideline. If, on the other hand, the statements are
required to adequately protect the security of the organization, then they
should be defined as part of a policy, standard, or baseline.
Guidelines are also those recommendations, best practices, and templates provided
by other organizations, such as the Control Objectives for Information and
Related Technology (COBIT), the Capability Maturity Model (CMM), ISO 17799
(since renumbered ISO/IEC 27002), British Standard 7799, security configuration
recommendations such as those from NIST or the NSA, organizational guidelines,
or other governmental guidelines.
Combination of Policies, Standards, Baselines, Procedures, and Guidelines
Policies, standards, baselines, procedures, and guidelines are closely related to
each other and may be developed as the result of new regulations, external industry
standards, new threats and vulnerabilities, emerging technologies, upgraded
hardware and software platforms, or risk assessment changes. Sometimes these
different areas are combined into single documents for ease of management.
Keeping policies separate from the implementation components (standards,
baselines, and procedures) increases flexibility and reduces the cost of
maintenance, as the policies typically change less frequently than the supporting
processes needed to achieve compliance with the policy. The relationships between
the policies, standards, baselines, procedures, and guidelines and the laws and
regulations providing the requirement to implement these governing activities
are shown in Figure 6.1.
Figure 6.1 Relationships between policies, standards, procedures, baselines, and guidelines.
Policy Analogy
A useful analogy to remember the differences between policies, standards,
guidelines, and procedures is to think of a company that builds cabinets, which
has a hammer policy. The different components may be as follows:
Policy—“All boards must be nailed together using company-issued hammers to
ensure end product consistency and worker safety.” Notice the flexibility provided
to permit the company to define the hammer type as technology or safety issues
change. The purpose is also communicated to the employees.
Standard—“Eleven-inch fiberglass hammers will be used; only hardened-steel
nails will be used with the hammers; automatic hammers are to be used for
repetitive jobs >1 hour.” Technical specifics are provided to clarify the expectations
that make sense for the current environment and represent management’s decision.
Guideline—“To avoid splitting the wood, a pilot hole should be drilled first.” The
guideline is a suggestion and may not apply in all cases or all types of wood.
This does not represent a requirement, but rather a suggested practice.
Procedure—“(1) Position nail in upright position on board. (2) Strike nail with
full swing of hammer. (3) Repeat until nail is flush with board. (4) If thumb is
caught between nail and board, see Nail First-Aid Procedure.” The procedure
indicates the process of using the hammer and the nail to clarify what is expected
to be successful. Following this procedure, with the appropriate standard
hammers, and practicing guidelines where appropriate, will fulfill the policy.
Analogies such as this can be effective when leading the team to develop secu-
rity policies to ensure that they are on the same wavelength and not mixing poli-
cies, procedures, standards, and guidelines. These can also be useful in security
awareness training to indicate when a particular user should refer to a policy,
standard, procedure, or guideline.
An Approach for Developing Information Security Policies
Let us assume for a moment that the guidance in the preceding sections was followed,
and the organization now has a set of information security policies that
are easy to read, kept current, and generally available in a nice format on the
Web. However, if no one seems to be reading them or following them, what could
be the problem? Many times the root cause is a lack of management support. How
could this be? After all, if the information security officer has been designated
with the role of developing and distributing information security policies, why
would there be a low acceptance rate? The answer usually lies in the fact that
while the information security officer may have done an excellent job research-
ing and developing security policies, the same diligence was not applied in ensur-
ing that the rest of management was on board with the policies prior to rollout.
The security officer may decide to push out the policies once his department has
developed them. As such, the policies become those “owned” by the security offi-
cer and not the rest of the management. These are then treated as departmental
policies that have no greater enforcement requirements than the policies and pro-
cedures that are created by their organizational area. Then, when there is a con-
flict between the departmental desires and the security policy, the departmental
desires win. For example, if an organization has to get information to a
customer quickly, it may fax or e-mail the information as part of its normal procedure.
However, the information security policy may require that all transmissions over
an open network, as in the case of e-mail, or at least all transmissions of
confidential information, be encrypted using cryptography that meets a stringent
government standard such as Federal Information Processing Standard (FIPS) 140-2.
(Note that FIPS 140-2 specifies requirements for validated cryptographic modules
rather than naming a particular cipher, and it has since been superseded by
FIPS 140-3; a policy that refers to “validated cryptographic modules” and leaves
the revision to the encryption standard will age better.) The department sending
the information may disagree with the security department about whether the
information is “confidential” under the information security policy, or may feel
that the requirement is over the top and not agree with the policy at all, because
it would hamper the speed of doing business and damage relationships with
customers. Who is right? In this case, neither: the security officer failed to
obtain agreement on the policy before the procedures were executed, and the
executive from the other department is incorrect in not adhering to the policy.
Unfortunately, this situation is all too common. The good news is that it can be
avoided by following a different approach to developing and distributing the
security policies.
Utilizing the Security Council for Policies
Management support is essential in the development of information security poli-
cies. So, how is that attained? One method that is very effective is to form a secu-
rity committee, also known as an information security council as introduced in
Chapter 4. The security council can review the policies proposed by the information
security department. The benefits of this approach are (1) consensus on the
policies is first built at the front-line supervisor/middle management/technical
staff level, (2) senior management has greater comfort that the policies will be
accepted by the organization because the management team has reviewed them before
approval, and (3) it builds grassroots ownership of the information security
policies. Although the information security council can also serve as oversight for
other security initiatives, serve as a sounding board, and prioritize information
security efforts, it can be especially effective in vetting and discussing the
information security policies that are needed by the organization.
The Policy Review Process
Now that the organization has identified an individual responsible for the
development and implementation of security policies, the security council has been
created, and an understanding of what makes a good policy has been communicated,
there needs to be a process for reviewing the policies. This process may be developed
during the creation of the security council. What is important is that the policy
development process is thought out ahead of time to determine who will (1)
create, (2) review and recommend, (3) approve the final version, (4) publish, and
(5) read and accept the policies. The time spent in this process, up front, will
provide many dividends down the road. Many organizations jump right in and have
someone in the security or information technology department draft the policy and
e-mail it out without taking these steps. Proceeding along that path ends
up with a policy that is not accepted by the organization’s management and thus
will not be accepted by the organization’s end users. Why? Because the necessary
discussion, debate, and acceptance of the policies by the leaders of the organization
never took place. In the end, the question of management commitment again
surfaces, when there was never a process in place to obtain the commitment.
The process could be depicted in a swim-lane-type chart showing the parties re-
sponsible, activities, records created through each activity, and decision boxes; or
a flowchart format. Senior management will want this presented at a high level,
typically no more than one to two pages of a process diagram. The process will
vary by organizational structure, geographic location, size, and culture of decision
making. However, a successful process for review should contain the following
steps, as depicted in Figure 6.2.
Figure 6.2 Security council policy development, approval, and distribution process.
1. Policy needs to be determined—Anyone can request the need for a policy to the
information security department. Business units may have new situations that
are not covered by an existing security policy. If no security policies exist in the
organization, the information security department needs to take the lead and
establish a prioritization of policies that are necessary.
2. Create, modify existing policy—The information security department creates an
initial draft for a new policy that can be reacted to. Caution must be taken not
to copy policies from books or Internet sources and distribute them as is, as
they may not be completely appropriate, enforceable, or supported by procedures
within the organization.
3. Internal review by security department—People within the security department
will have varying levels of technical expertise, business acumen, and under-
standing of the organizational culture. By reviewing within the team first,
many obvious errors or misunderstandings of the policy can be avoided before
engaging management’s limited review time. This also increases the credibility
of the information systems security department by bringing a quality product
for review. It also saves time on minor grammatical reviews and focuses the
management review on substantive policy issues.
4. Security council reviews and recommends policy—This is arguably the most critical
step in the process. This is where the policy begins the acceptance step
within the organization. The policies are read, line by line, during these meetings
and discussed to ensure that everyone understands the intent and rationale
for the policy. Management’s commitment begins here. Why? Because the
managers feel like part of the process and have a chance to provide input,
as well as to think about how the policy would impact their individual departments.
Contrast this method with just sending out the policy and saying “this is
it” and the difference becomes readily apparent. These are the same management
people that are being counted on to continue to support the policy once it
is distributed to the rest of the workforce. Failing in this step will guarantee
failure in having a real policy.
If we buy into the notion that a security council is a good practice, logical, prac-
tical, and appears to get the job done, what is the downside? Some may argue
that it is a slow process, especially when senior management may be pushing to
“get something out there to address security” to reduce the risks. It is a slow
process while the policies are being debated. However, the benefits of (1) having
a real policy that the organization can support, (2) buy-in from the management
on a continuing basis, (3) reduced need to rework the policies later, and
(4) increased understanding by management of the policies’ meanings and why
they are important outweigh the speed of blasting out an e-mail containing
policies that were copied from another source, with the name of the company
changed, and distributed without prior collaboration. Policies created in the
latter way rarely become “real” and followed within the organization, as
they were not developed with a thorough analysis of how they would be supported
by the business.
5. Information technology steering committee approves policy—A committee made
up of the senior leadership of the organization is typically formed to oversee
the strategic investments in information technology. Many times these commit-
tees struggle with balancing decisions on tactical firefighting on short term is-
sues versus dealing with strategic issues, and this perspective needs to be un-
derstood when addressing this type of committee. The important element in the
membership of this committee is that it involves the decision leaders of the or-
ganization. These are the individuals that the employees will be watching to see
if they support the policies that were initially generated from the security de-
partment. Their review and endorsement of the policies is critical to obtain
support in implementing the policies. Also, they may be aware of strategic
plans or further operational issues not identified by middle management
(through the security council) that may make a policy untenable.
Since time availability of the senior leadership is typically limited, these com-
mittees meet at most on a monthly basis, but more typically on a quarterly ba-
sis. Therefore, sufficient time for planning policy approval is necessary. This
may seem to run counter to the speed at which electronic policies are distrib-
uted. However, as in the case with the security council review, the time delay is
essential in obtaining long-term commitment.
6. Publish policy—Organizations that go directly from step 2 to this step end up
with shelfware, or if e-mailed, “electronic dust.” By the time the policy gets to
this step, the security department should feel very confident that the policy will
be understood by the users and supported by management. Users may agree or
disagree with the policy, but will understand the need to follow it because it
will be clear how the policy was created and reviewed. Care must be taken
when publishing policies electronically, as it is not desirable to publish the
same policy over and over with minor changes to grammar and terminology.
Quality reviews need to be performed early in the development process so that
the security council and information technology steering committee can devote
their time to substantive issues of the policy versus pointing out the typos and
correcting spelling. End users should be given the same respect and should ex-
pect to be reviewing a document free from error. The medium may be elec-
tronic but that does not change the way people want to manage their work
lives. With the amount of e-mail already in our lives, we should try to limit the
amount of “extra work” that is placed upon the readers of the policies.
Web-based policy management tools make it possible to publish policies very
quickly. Since tracking who has read each policy is a key feature of these
products, a policy typically cannot be changed once it is published; any change
requires creating a new policy version and republishing it. This has major
implications for distribution. Imagine thousands of users in the organization who
now have to reread the policy because of a minor change. This situation should be
avoided by the review process in the preceding steps. The electronic compliance
tracking software is usually built this way (and rightly so), so that it is clear
which policy version the user actually signed off on.
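The version-binding behaviour described above can be illustrated with a small Python model, added here as an example rather than taken from any product or from the book: each published version is identified by a hash of its normalised text, and an acknowledgement is recorded against that version, so a substantive edit invalidates every prior sign-off while a whitespace-only republish does not. The policy text, user names and register structure are constructed.

```python
"""Policy acknowledgement register bound to the exact published version.
Added example; policy text and users are constructed, not taken from any product."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field


def version_id(text: str) -> str:
    """Version identifier derived from the policy text itself. Trailing whitespace
    and surrounding blank lines carry no meaning and are normalised away; any
    change to the words yields a new identifier."""
    normalised = "\n".join(line.rstrip() for line in text.strip().splitlines())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()[:16]


@dataclass
class PolicyRegister:
    current: dict[str, str] = field(default_factory=dict)          # policy name -> version id
    texts: dict[str, str] = field(default_factory=dict)            # version id -> exact text
    acks: set[tuple[str, str, str]] = field(default_factory=set)   # (user, policy, version id)

    def publish(self, name: str, text: str) -> str:
        """Publish (or republish) a policy; returns the version id users will sign."""
        vid = version_id(text)
        self.texts.setdefault(vid, text)   # stored text is never edited in place
        self.current[name] = vid
        return vid

    def acknowledge(self, user: str, name: str) -> None:
        """Record that user read and accepted the version that is current right now."""
        self.acks.add((user, name, self.current[name]))

    def outstanding(self, users) -> list[tuple[str, str]]:
        """Users who have not acknowledged the currently published version of each policy."""
        return sorted((user, name)
                      for name, vid in self.current.items()
                      for user in users
                      if (user, name, vid) not in self.acks)


USERS = ("alice", "bob", "carol")   # constructed
POLICY_V1 = """Encryption Policy
Confidential information transmitted over an open network must be encrypted
using cryptography approved in the Encryption Standard.
"""   # constructed text, not the book's


def demo() -> tuple[bool, list, list, list]:
    reg = PolicyRegister()
    name = "Encryption Policy"
    v1 = reg.publish(name, POLICY_V1)
    reg.acknowledge("alice", name)
    reg.acknowledge("bob", name)
    after_v1 = reg.outstanding(USERS)            # only carol is outstanding

    # Whitespace-only republish: same version id, nobody has to sign again.
    v1_again = reg.publish(name, POLICY_V1 + "\n\n")
    after_whitespace = reg.outstanding(USERS)

    # A wording change is a new version and every acknowledgement is now stale,
    # which is why minor edits should be caught in review before publication.
    reg.publish(name, POLICY_V1.replace("must be encrypted", "must be encrypted in transit"))
    after_v2 = reg.outstanding(USERS)
    return v1 == v1_again, after_v1, after_whitespace, after_v2


if __name__ == "__main__":
    print(demo())
```

The acknowledgement is a triple of user, policy and version id rather than user and policy alone; that is the property the text calls "rightly so", since it lets an auditor show exactly which words each person accepted.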
It should be clear by now that even though some of the policy development
tools support a workflow process within the tool to facilitate approvals of the
policies through the various stages (such as draft, interim reviews, and final
publishing), there is no substitute for oral collaboration on the policies.
Electronic communications are very flat and do not convey the meaning behind
the words. Through the discussions within the various committees, the documented
text becomes clearer to readers beyond just those with technical skills, and the
purpose is more apt to be appropriately represented in the final policies through
the collaborative process.
Information Security Policy Process
Security policy development is a repetitive process, where existing policies are
updated and new ones are created as needed. The majority of the work is in creat-
ing the initial security policies, and hopefully, if these policies were written to the
appropriate level, modification of the policies should be minimal. The majority of
the work in policy development is evaluating the policies against the introduction
of new technologies, law and regulation changes, and changes to the business.
Most often, the existing policies will suffice and not require major change. This
slow rate of change can cause organizations not to pay the appropriate attention
to policy review and update.
As a final note, it should be clear through the activities presented in this chapter
that the information security officer is the facilitator of the information security
policy development, but should not own them. The security policies should be
owned by the organization, which in most cases, is represented by the CEO and
the executive management. There will be much less challenging of the security
policy if it is owned and issued at this level, than if it is owned by the security offi-
cer, who may reside at a lower level within the organization (except for large or-
ganizations where the CISO may be part of the executive team).
All other security procedures, standards, guidelines, and implementations are
dependent upon the construction of a consistent, easy-to-understand, coherent,
and comprehensive information security policy. The time investment in this step
is very valuable and the impact to the organization should not be underestimated.
Following the steps in this chapter will lead to more efficient and effective infor-
mation security policy development and subsequent acceptance.
Suggested Reading
1. Peltier, T. R. 2007. Information security policies and procedures: A practitioner’s reference, 2nd ed. Boca Raton, FL: Auerbach.
2. Wood, C. C. 2009. Information security policies made easy, version 11. Houston, TX: Information Shield.
3. Fitzgerald, T. 2004. Ten steps to effective Web-based security policy development and distribution. EDPACS 31(9): 1–22.
4. Fitzgerald, T., Goins, B., and Herold, R. 2007. Information security and risk management. In Official (ISC)² Guide to the CISSP CBK, H. A. Tipton and K. Henry, eds., 9–17. Boca Raton, FL: Auerbach.
5. National Institute of Standards and Technology (NIST). March 2009. Special Publication 800-16 Rev. 1 (draft): Information security training requirements: A role- and performance-based model. http://csrc.nist.gov/publications/drafts/800-16-rev1/Draft-SP800-16-Rev1.pdf
6. National Institute of Standards and Technology (NIST). October 2003. Special Publication 800-50: Building an information technology security awareness and training program. http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
7. Gupta, U. 2010. Blog: Lessons learned from BP oil spill. Healthcare Info Security (June 21). http://blogs.healthcareinfosecurity.com/posts.php?postID=592