
4/16/23, 1:26 PM Chapter 6 Creating Effective Information Security Policies | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/017-9781466551282-006.xhtml 1/44

6 Creating Effective Information Security Policies

We haven’t the time to take our time.

Eugene Ionesco, 1912–1994

When organizations first recognize that they need to ensure that the information assets of the organization are adequately protected, this usually results in asking the question, “What applicable policies are in place?” There may be some human resource policies that might apply or corporate policies noted in the ethics and compliance code of conduct; however, these are normally insufficient to address the breadth of the information security needs. The next step is for the organization to embark upon the time-consuming task of developing information security policies.

Why Information Security Policies Are Important

To the seasoned information security practitioner, asking why information security policies are important may seem like a question with an obvious answer. The question is not so obvious to the end users of the organization, as many of them may feel that if everyone applies common sense, there is no need for them to read and sign off on voluminous sets of policies. The reality is that each person has a different interpretation of what is common sense. For example, leaving a scruffy old backpack containing books in a car may seem like a reasonable act to one employee, who wonders why anyone would want to steal a bag full of books. Another employee might think that because of the condition of the backpack, no one would want to steal it. Another might think that their car is parked in broad daylight in a heavily traveled area, which would make the risk of stealing it quite low. Another employee may think that the car alarm would be a sufficient deterrent to anyone wanting to go through the trouble of stealing the backpack.

Then along comes the information security officer, whose job it is to evaluate the course of action that will provide reasonable security. The security officer knows the stories of break-ins all too well, and knows that criminals do not know for sure what is in the backpack. The criminal might assume that there is a laptop, money, or credit cards that could be sold for a nominal amount to buy drugs or alcohol, or to support rudimentary living expenses. Thus, the opportunity and motivation present an unacceptable risk that must be mitigated. The organization cannot afford to leave these individual decisions up to the common sense internal barometer of thousands of employees. The organization must set forth advice or a baseline of what behavior is expected for each employee, and not leave this up to individual discretion. This advice, and expected behavior, is manifested through a set of information security policies. The policies form the cornerstone of the information security program and are representations of management’s intention that are needed to control the information security assets.

Avoiding Shelfware

Although information security policies are very important, they can easily become shelfware if their development, management, and distribution are not handled appropriately. Countless security departments have filled binders full of policies over the years that remain unread and require frequent dusting. As Intranet-based environments started to take hold in the mid-’90s, these environments moved from paper-based shelfware to electronic-based shelfware. The security department may have had a large project to develop the information security policies, place them on the Intranet, and then they were “done.” Lengthy, technical documents with all the technical jargon may have sounded impressive to the security department, but fail when end users are required to read them because they are not understandable. Who would read these lengthy documents? The same individuals that would read the complete car owner’s manual after purchasing a new car before they put the key into the ignition—in other words, a very small segment of the population. The security policies should be written in the language of the user and be brief enough to get the point across without overwhelming the end user. More detailed descriptions can be placed in standards documents that the users can read if they need additional information. An organization security policy beyond 30 to 60 pages is normally much more than would be required by any medium- to large-sized organization. Beyond that level, the policies are likely to go unread.

4/16/23, 1:26 PM Chapter 6 Creating Effective Information Security Policies | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/017-9781466551282-006.xhtml 5/44

Electronic Policy Distribution

To avoid shelfware in electronic policies, they need to be kept (1) brief, (2) updated, and (3) relevant. Web-based policies should each be no more than two online pages to get the point across as to what is expected (Fitzgerald, 2004). Resumes are kept to two pages for a reason—people stop reading them if they have not received what is needed within the first two pages. Daily online articles on sites such as Yahoo and USA Today are no more than two pages, as the reader may lose interest after that.

The policies need to be updated at least annually to ensure that the management direction is still desired. As employees come across a policy that was last updated 4 years ago, they may conclude on their own that the policy no longer applies. The organization may have gone through a merger, and conflicting policies may exist for the two organizations; or, worse yet, if the policies have never been integrated, the employees of the acquired company may make the erroneous assumption that they should still follow their old company policies and may not be aware of the new acquiring company policies.

Policies need to maintain their relevancy to remain effective. For example, if an organization has not addressed the use of social media in their policies, the management and end users will have to rely on the existing policies to determine whether social media is acceptable. Or, suppose an employee just purchased an iPad tablet computer, but the policy indicates that no personal desktop or laptop computers may be used within the company. Should the iPad be allowed? Technically, according to the policy, the iPad “tablet” computer has not been addressed, and the associate may leave it to an interpretation more favorable to the employee as to whether to use the device.

Policies posted online should always ensure that the revision history is provided as well, so that users can see what changes were made to the documents and also determine if they are looking at the correct version. Even with many companies moving toward green, environmentally friendly initiatives to reduce wasteful printing and disposal costs, many end users still prefer to have a paper document that can be referenced when needed. The revision update date and history help ensure that the correct document is being utilized.

Several security vendors have products that will provide an electronic distribution of security policies and also provide a mechanism for end users to confirm that they have read, accepted, and understood the policy contents. The results are then recorded in a database that can be queried as needed. This information becomes very useful during incident investigations, terminations, and lawsuits where the company wants to demonstrate that the employee had clear knowledge of the corporate policy and chose to violate it.

Canned Security Policies

Consulting organizations have sets of policy templates that are used to jumpstart a client’s need for information security policies. These are then tailored to the needs of the organization. This process may be more effective than writing the information security policies from scratch, as long as the policies meet the compliance, laws, regulations, and desires of the organization. It is not unusual to see an organization that has implemented a copied policy verbatim, sometimes even forgetting to change the company name on the template. During the 2010 BP oil spill, it was revealed that the business continuity/disaster recovery documents from several major oil companies appeared to have used the same templates for their disaster recovery plans (Gupta, 2010). Although developing the complete information security policy is beyond the scope of this book, there are several information security books available with sample policies that can be used to jumpstart the development. Two very good sources are Information Security Policies and Procedures—A Practitioner’s Reference (Peltier, 2007) and Information Security Policies Made Easy by Information Shield (Wood, 2009). Both of these sources contain valuable information at a fraction of the cost of a security consultant for one day.

Policies, Standards, Guidelines Definitions

Organizations typically do not have a consistent understanding as to what a “policy” is. This seems like such a simple concept, so why the difficulty? The reason is not a lack of understanding that a policy is meant to govern the behavior within the organization. The reason for the confusion has more to do with the fact that, in the interest of saving time, organizations will combine policies, procedures, guidelines, and standards into one document and call it the policy. This is not really a time saver, because it makes things more difficult by introducing inflexibility into the policy each time the policy needs to change. This is similar to denormalizing a database structure to make the performance more efficient, when in fact it becomes harder to add new data elements to a particular table without redesigning the table. The policies and procedures end up getting fused together, and so when the procedure changes, the policy document by default is changing as well, even when the policy does not need to change. Or, the employees begin to think that the procedure is the only way the policy can be implemented, when there may be multiple procedures across the organization that are implemented to comply with the policy.

For example, an organization might have a policy that all systems need a full backup weekly and that the backups need to be maintained off site. The data center may have a procedure that ensures that tape backups are taken weekly and the tapes are picked up by a vendor and transported to the secure off-site storage. The midrange server infrastructure team may have a procedure to ensure that full backups are taken weekly through the online data vaulting process, in addition to the daily incremental backups at the remote site. The desktop support department may have a procedure that ensures that company critical information is stored on network drives, also subject to the weekly online backup process. In this case, each area has designated local procedures that ensure that they are in compliance with the higher-level corporate policy.

Policies Are Written at a High Level

Policies should be written at the highest level possible while still being able to communicate the intentions of the company. The higher the level of the policy, the more likely the policy is able to stand the test of time. Companies do not want to be reissuing policies on a frequent basis unless they have to. This involves resources for development and, more important, the time and expense of each person rereading the complete policy. Whereas changes in technology, company structure, laws and regulations, emerging trends, and so forth warrant changes to the security policy, frequent changes due to minor technology changes are not desired. The reaction of most users will be, “Didn’t we just do this?” For example, if password standards are written into the password policy for a primarily Windows-based environment, what happens when a Unix server for the SQL server data warehouse project is introduced? Will the password policy need to be redistributed and attested to by thousands of users, when the change impacted only a small number of users?

Security officers and their teams are charged with the responsibility of creating the security policies. The policies must be written and communicated at a level that is understood by the end users of the organization if there is to be any chance of compliance. If the policies are poorly written or written at too high an education level (common industry practice is to focus the content for general users at the sixth- to eighth-grade reading level), the policies will not be understood.

Whereas security officers may be charged with the development of the policies, the effort is normally a collaborative one to ensure that the business issues are addressed. Utilization of a security council, executive oversight committee, or a subgroup of that committee, depending upon the policy being drafted, is an approach that considers the business impacts of a security policy decision. Developing the policies solely within the information technology department and then distributing the policies without business input is likely to miss important business considerations. As always, deciding on the appropriate security controls is a decision of risk by the organization, which ultimately should be made by the business leaders. The organization is also more likely to accept security policies that have been approved and endorsed by the business leaders versus the security officer or the information technology department.

Once these different documents have been created, the basis for ensuring organizational compliance with the security policies is established. The most current versions of the documents need to be readily accessible by those that are expected to follow them. Many organizations have placed these documents electronically on their intranets or shared file folders to facilitate communication of the most current documents. Placement of these documents plus checklists, forms, and sample documents can save time for the individual and be an added value provided by the security department.

Policies

Policies define, at a high level, what the organization needs to accomplish and serve as management’s intentions to control the operation of the organization to meet business objectives. The why should be stated in the form of a policy summary statement or purpose. If end users understand the why, they are more apt to follow the policy. As children, we were told what to do by our parents and we just did it. As we grew older, we challenged those beliefs (as 4- and 5-year-olds and again as teenagers) and needed to understand the reasoning. The rules had to make sense to us. Today’s organizations are no different; people need to understand the why before they can really commit.

Security Policy Best Practices

Someone once said, “Writing security policies is like making sausage. You don’t want to know what goes into it, but what comes out is pretty good!” Writing policies does not have to be a mystery, and there are several guidelines for creating good security policies practiced in the industry.

Clearly define policy creation practice—A clearly defined process for initiating, creating, reviewing, recommending, approving, and distributing the policies communicates the responsibilities of all parties necessary and the time expectations of their participation. This can be accomplished by process flows, swim lanes, flowcharts, or written documentation.

Write policies to survive 2 to 3 years—Policies are high-level statements of the objectives of the organization. The underlying methods and technologies to implement the controls to support the policies may change. By including these in the other related documents (procedures, standards, guidelines, and baselines), the policy statements will need less frequent change. This avoids frequent updates and subsequent distribution to the organization.

Use directive wording—Policies represent expectations to be complied with. As such, statements such as must, will, and shall communicate this requirement versus using weaker directives such as should, may, or can. This latter type of language is better reserved for guidelines or areas where there are options.

Avoid technical implementation details—Policies should be written to be technology independent, as the implemented technology may change over time.

Keep length to a minimum—Policies published online should be limited in length to two to three pages maximum per policy. The intent for the policies is for the end user to understand and not to create long documents for the sake of documentation.

Provide navigation from the policy to the supporting documents—If the implementation of the policy is placed online, then hyperlinking the procedures, standards, guidelines, and baselines can be an effective method to ensure that the appropriate procedures are being followed. Some of the internal security procedures would not be appropriate for general knowledge, such as the procedure for monitoring intrusions or reviewing log files, and these need to be accessible by the security department and properly secured from general distribution.

Thoroughly review before publishing—Proofreading policies by multiple individuals can catch errors that may not be readily seen by the author.

Conduct management review and sign off—Senior management must endorse the policies if they are to be effectively accepted by all management levels and subsequently the end users of the organization.

Avoid techno speak—Policies are oriented to communicate to nontechnical users. Technical jargon is acceptable in technical documentation but not in high-level security policies.

Review incidents and adjust policies—Review of the security incidents that have occurred may indicate the need for a new policy, a revision to an existing policy, or the need to redistribute the current policy to reinforce compliance.

Periodically review policies—A formalized review process provides a mechanism to ensure that the security policies are still in alignment with the business objectives.

Develop sanctions for noncompliance—Effective policies have consistent sanction policies to enable action when the policies are not followed. These sanctions may include “disciplinary action up to and including termination.” Stronger language can also be added for prosecution for serious offenses.

Policies provide the foundation for a comprehensive and effective security program. They protect the company from surprises and give the necessary authority to the security activities of the organization. By communicating the company policies as directives, accountability and personal responsibility for adhering to the security practices are established. The policies are utilized in determining or interpreting any conflicts that may arise. The policies also define the elements, scope, and functions of the security management.

Types of Security Policies

Security policies may consist of different types, depending upon the specific need for the policy (NIST, 2003). The different security policies work together to meet the objectives of the comprehensive security program. Different policy types include:

Organizational or program policy—This policy is issued by a senior management individual who creates the authority and scope for the security program. The purpose of the program is described and the assigned responsibility is defined for carrying out the information security mission. The goals of confidentiality, integrity, and availability would be addressed in the policy. Specific areas of security focus may be stressed, such as the protection of confidential information for a credit card company or health insurance company, or the availability focus for a company maintaining mission-critical, high-availability systems. The policy should be clear as to the facilities, hardware, software, information, and personnel that are in scope for the security program. In most cases, the scope will be the entire organization; however, in larger organizations the security program may be limited in scope to a division or geographic location. The organization policy sets out the high-level authority to define the appropriate sanctions for failure to comply with the policy.

Functional, issue-specific policies—Although the organizational security policies are broad in scope, the functional or issue-specific policies address areas of particular security concern requiring clarification. The issue-specific policies may be focused on the different domains of security and address areas such as access control, contingency planning, segregation of duties principles, and so forth. They may also address specific technical areas of existing and emerging technologies, such as use of the Internet, e-mail and corporate communication systems, wireless access, or remote system access. For example, an acceptable use policy may define the responsibilities of the end user for using the corporate computer systems for business purposes only, or may allow the person some incidental personal use provided that restrictions are observed, such as ensuring usage is free from viruses and spyware, and not downloading inappropriate pictures or software or sending chain letters through e-mail. These policies will depend upon the business needs and the tolerance for risk. The policies contain the statement of the issue, the statement of the organization’s position on the issue, the applicability of the issue, compliance requirements, and sanctions for not following the policy.

System-specific policies—Areas where it is desired to have clearer direction or greater control for a specific technical or operational area may have more detailed policies. These policies may be targeted for a specific application or platform. For example, a system-specific policy may address which departments are permitted to input or modify information in the check writing application for the disbursement of accounts payable payments.

The more detailed and issue specific the policy, the higher the likelihood that the policy will require more frequent changes. Typically, high-level organizational security policies will survive for several years, whereas those focused on the use of technology will change much more frequently as technology matures and new technology is added to the environment. Even if an organization is not currently utilizing a technology, policies can explicitly strengthen the message that the technology is not to be used and is prohibited. For example, a policy regarding removable media such as USB drives, or one regarding the use of wireless devices or camera phones in the workplace, would reinforce the management intentions around the acceptance or nonacceptance of these devices.

Standards

Whereas policies define what an organization needs, the standards take this a step further and define the how. Standards provide the agreements that provide interoperability within the organization through the use of common protocols.

Standards are the hardware and software security mechanisms selected as the organization’s method of controlling security risks. Standards are prevalent in many facets of our daily lives, such as the size of the tires on automobiles; specifications of the height, color, and format of the stop sign; and the wiring details of the RJ11 plug on the end of the phone jack cable. Standards provide consistency in the implementation as well as permit interoperability with reduced confusion. There are many security standards that could be chosen to implement a particular solution. For example, when selecting a control for remote access identification and authentication, an organization could decide to utilize login IDs and passwords, strong authentication through a security token over dialup, or a virtual private network (VPN) solution over the Internet.

Standards simplify the operation of the security controls within the company and increase the efficiency. It is more costly to support multiple software packages that do essentially the same activity. Imagine if each user was told to go to the local computer store and purchase the antivirus product that they liked the best. Some users would ask the sales person’s opinion, some would buy the least expensive to meet their budget needs, and others might get the most expensive assuming this would provide the greatest protection. Without a consistent product standard for antivirus products, the organization would be unsure as to the level of protection provided. Additionally, each of these different products would have different installation, update, and licensing considerations contributing to complex management. It makes much more sense to have consistent products chosen for the organization versus leaving the product choice to every individual.

Determination of which standards meet the organization’s needs must be driven by the security policies agreed by management. The standards provide the specification of the technology to effectively enable the organization to become successful in meeting the requirements of the policy. If, in the remote access example, the organization was restricting information from traveling over the Internet or had many users in rural areas with limited Internet access, then the VPN standard over the Internet may not be a plausible solution. Conversely, for end users transmitting large amounts of information, the dial-up solution may be impractical. The policy defines the boundaries within which the standards must be supportive.

Standards may also refer to those guidelines established by a standards organization and accepted by management. Standards creators include organizations such as the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), Institute of Electrical and Electronics Engineers (IEEE), American National Standards Institute (ANSI), and National Security Agency (NSA).

Procedures

Procedures are step-by-step instructions in support of the policies, standards, guidelines, and baselines. The procedure indicates how the policy will be implemented and who does what to accomplish the tasks. The procedure provides clarity and a common understanding of the operation required to effectively support the policy on a consistent basis. Procedures are best developed when the input of each of the interfacing areas is included in the development of the procedure. This reduces the risk that important steps, communication, or required deliverables are left out of the procedure.

Companies must be able to provide assurance that they have exercised

due diligence in the support and enforcement of company policies. This

means that the company has made an effort to be in compliance with the

policies and has communicated the expectations to the workforce. Having

documented procedures communicated to the users, business partners,

and anyone utilizing the systems as appropriate, minimizes the legal lia-

bility of the corporation.

Creating documented procedures is more than a documentation exer-

cise for the sake of documentation. The process itself creates a common

understanding between the developers of the procedure of the methods

used to accomplish the task. Individuals from different organizational

units may be very familiar with their work area but not as familiar with

the impact of a procedure on a department. This is the “beach ball effect,”

where organizations sometimes appear as a large beach ball, and the in-

dividuals working in different departments can only see their side of the

beach ball and may not understand the other parts of the organization.

The exercise of writing down a single, consistent procedure has the added

effect of establishing agreement between the parties. Many times at the

beginning of the process, individuals will think they all understand the

4/16/23, 1:26 PM Chapter 6 Creating Effective Information Security Policies | Information Security Governance Simplified

https://learning.oreilly.com/library/view/information-security-governance/9781439811658/017-9781466551282-006.xhtml 24/44

process, only to come to understand that people were really executing dif-

ferent, individual processes to accomplish the task.

Consistent documentation of the procedures permits the ability to im-

prove the procedures. Once everyone understands the initial procedure,

enhancements can be applied and communicated to everyone. This pro-

vides a method to incorporate the best thinking on the single procedure

versus having multiple procedures for the same operation with a mixture

of good and bad practices.

Baselines

Baselines provide descriptions of how to implement security packages to ensure that implementations are consistent throughout the organization. Different software packages, hardware platforms, and networks have different methods of ensuring security. There are many different options and settings which must be determined to provide the desired protection. An analysis of the available configuration settings and the subsequent settings desired forms the basis for future, consistent implementation of the standard. For example, turning off the telnet service may be specified in the hardening baseline document for the network servers. A procedure for exceptions to the baseline would need to be followed in the event that the baseline could not be followed for a particular device, along with the business justification. The baselines are the specific rules necessary to implement the security controls in support of the policy and standards which have been developed.

Testing of the implemented security controls on a periodic basis assures that the baselines are implemented according to the documented baselines. The baselines themselves should be reviewed periodically to ensure that they are sufficient to address emerging threats and vulnerabilities. In large environments with multiple individuals performing systems administration and responding to urgent requests, there is an increased risk that one of the baseline configurations may not be implemented properly. Internal testing identifies these vulnerabilities and provides a mechanism to review why the control was or was not properly implemented. Failures in training, adherence to baselines and associated procedures, change control, documentation, or skills of the individual performing the changes may be identified through the testing.
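As an added example, not code from the book, the periodic baseline test described above written in Python: it compares each server’s observed settings against a constructed hardening baseline (telnet disabled, among other items), honours an exception register that records the business justification and an expiry date, and separates unexplained deviations and unassessed items out for the review of why a control was not implemented. All control identifiers, hosts, settings, justifications, and dates are constructed.

```python
"""Hardening-baseline compliance check with an exception register (all data constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BaselineItem:
    control_id: str     # identifier of the item within the baseline document
    setting: str        # configuration key read from the device
    required: str       # value the baseline requires for that key
    description: str


@dataclass(frozen=True)
class BaselineException:
    host: str
    control_id: str
    justification: str  # the business justification the chapter calls for
    approved_by: str
    expires: date       # exceptions are revisited, never open-ended


@dataclass(frozen=True)
class Finding:
    host: str
    control_id: str
    status: str         # compliant | excepted | expired_exception | deviation | not_assessed
    observed: Optional[str]
    detail: str


# Constructed hardening baseline for network servers; telnet off as in the text.
NETWORK_SERVER_BASELINE: List[BaselineItem] = [
    BaselineItem("NS-01", "service.telnet", "disabled", "telnet service turned off"),
    BaselineItem("NS-02", "ssh.permit_root_login", "no", "no direct root login over SSH"),
    BaselineItem("NS-03", "ntp.enabled", "yes", "clock synchronised so logs are usable"),
    BaselineItem("NS-04", "snmp.community.public", "absent", "default SNMP community removed"),
]

# Constructed observed configurations, as a collection job would report them.
OBSERVED: Dict[str, Dict[str, str]] = {
    "srv-b": {"service.telnet": "enabled", "ssh.permit_root_login": "yes",
              "ntp.enabled": "yes", "snmp.community.public": "absent"},
    "srv-c": {"service.telnet": "enabled", "ssh.permit_root_login": "no",
              "snmp.community.public": "present"},  # ntp.enabled was not reported
}

# Constructed exception register: approved deviations with their business justification.
EXCEPTIONS: List[BaselineException] = [
    BaselineException("srv-b", "NS-01", "legacy console concentrator only speaks telnet; isolated VLAN",
                      "network manager", date(2024, 12, 31)),
    BaselineException("srv-c", "NS-01", "vendor appliance; telnet removed in next firmware",
                      "network manager", date(2023, 6, 30)),
]

ASSESSMENT_DATE = date(2024, 3, 1)  # constructed date of this periodic test run


def assess(baseline: List[BaselineItem], observed: Dict[str, Dict[str, str]],
           exceptions: List[BaselineException], today: date) -> List[Finding]:
    """Return one Finding per (host, baseline item) pair."""
    exc_index = {(e.host, e.control_id): e for e in exceptions}
    findings = []
    for host, config in sorted(observed.items()):
        for item in baseline:
            value = config.get(item.setting)
            exc = exc_index.get((host, item.control_id))
            if value is None:  # no evidence either way is a gap in the test, not a pass
                status, detail = "not_assessed", f"{item.setting} not reported; check the collection job"
            elif value == item.required:
                status, detail = "compliant", item.description
            elif exc is not None and exc.expires >= today:
                status, detail = "excepted", f"approved by {exc.approved_by} until {exc.expires}: {exc.justification}"
            elif exc is not None:
                status, detail = "expired_exception", f"exception lapsed {exc.expires}; re-approve or remediate"
            else:  # unexplained deviation: review training, change control, documentation
                status, detail = "deviation", f"expected {item.required!r}, found {value!r}"
            findings.append(Finding(host, item.control_id, status, value, detail))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    for f in assess(NETWORK_SERVER_BASELINE, OBSERVED, EXCEPTIONS, ASSESSMENT_DATE):
        print(f"{f.host} {f.control_id} {f.status}: {f.detail}")
```

Anything other than compliant or excepted goes to the review meeting, and an excepted item becomes an expired exception once its approval date passes, so the register is revisited rather than forgotten.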

Guidelines

Guidelines are discretionary or optional controls used to enable individuals to make judgments with respect to security actions. A good exercise is to replace the word guideline with the word optional. If, by doing so, the statements contained in the “optional” category are what is desired to happen at the user’s discretion, then it is an appropriate guideline. If, on the other hand, the statements are considered as required to adequately protect the security of the organization, then this should be defined as part of a policy, standard, or baseline.

Guidelines are also those recommendations, best practices, and templates provided by other organizations such as the Control Objectives for Information and Related Technology (COBIT), the Capability Maturity Model (CMM), ISO 17799, British Standard 7799, security configuration recommendations such as those from NIST or the NSA, organizational guidelines, or other governmental guidelines.

Combination of Policies, Standards, Baselines, Procedures, and Guidelines

Policies, standards, baselines, procedures, and guidelines are closely related to each other and may be developed as the result of new regulations, external industry standards, new threats and vulnerabilities, emerging technologies, upgraded hardware and software platforms, or risk assessment changes. Sometimes these different areas are combined into single documents for ease of management of all the documents. Keeping policies separate from the implementation components (standards, baselines, and procedures) increases the flexibility and reduces the cost of maintenance, as the policies typically change less frequently than the supporting processes to achieve compliance with the policy. The relationships between the policies, standards, baselines, procedures, and guidelines and the laws and regulations providing the requirement to implement these governing activities are shown in Figure 6.1.

Figure 6.1 Relationships between policies, standards, procedures, baselines, and guidelines.

Policy Analogy   A useful analogy to remember the differences between policies, standards, guidelines, and procedures is to think of a company that builds cabinets, which has a hammer policy. The different components may be as follows:

Policy—“All boards must be nailed together using company-issued hammers to ensure end product consistency and worker safety.” Notice the flexibility provided to permit the company to define the hammer type with changes in technology or safety issues. The purpose is also communicated to the employees.

Standard—“Eleven-inch fiberglass hammers will be used; only hardened-steel nails will be used with the hammers; automatic hammers are to be used for repetitive jobs >1 hour.” Technical specifics are provided to clarify the expectations that make sense for the current environment and represent management’s decision.

Guideline—“To avoid splitting the wood, a pilot hole should be drilled first.” The guideline is a suggestion and may not apply in all cases or all types of wood. This does not represent a requirement, but rather a suggested practice.

Procedure—“(1) Position nail in upright position on board. (2) Strike nail with full swing of hammer. (3) Repeat until nail is flush with board. (4) If thumb is caught between nail and board, see Nail First-Aid Procedure.” The procedure indicates the process of using the hammer and the nail to clarify what is expected to be successful. Following this procedure, with the appropriate standard hammers, and practicing guidelines where appropriate, will fulfill the policy.

Analogies such as this can be effective when leading the team to develop security policies to ensure that they are on the same wavelength and not mixing policies, procedures, standards, and guidelines. These can also be useful in security awareness training to indicate when a particular user should refer to a policy, standard, procedure, or guideline.

An Approach for Developing Information Security Policies

Let us assume for a moment that the guidance in the preceding sections was followed, and the organization now has a set of information security policies that are easy to read, kept current, and generally available in a nice format on the Web. However, if no one seems to be reading them or following them, what could be the problem? Many times the root cause is a lack of management support. How could this be? After all, if the information security officer has been designated with the role of developing and distributing information security policies, why would there be a low acceptance rate? The answer usually lies in the fact that while the information security officer may have done an excellent job researching and developing security policies, the same diligence was not applied in ensuring that the rest of management was on board with the policies prior to rollout. The security officer may decide to push out the policies once his department has developed them. As such, the policies become those “owned” by the security officer and not the rest of the management. These are then treated as departmental policies that have no greater enforcement requirements than the policies and procedures that are created by their own organizational area. Then, when there is a conflict between the departmental desires and the security policy, the departmental desires win. For example, if an organization has to get information quickly to a customer, it can fax or e-mail the information as part of its normal procedure. However, the information security policy may require that all transmissions over an open network, as in the case of e-mail, or at least all transmissions of confidential information, be encrypted with the most stringent government standard encryption, such as the Federal Information Processing Standard (FIPS) 140-2 encryption requirements. The department sending the information may have a disagreement with the security department on the information classification of “confidential” in the information security policy, or may feel that the requirement is a bit over the top and not agree with the policy at all, as it would hamper the speed of doing business and damage relationships with customers. Who is right? In this case, neither; the security officer failed to obtain agreement with the policy before the procedures were executed, and the executive from the other department is incorrect in not adhering to the policy. Unfortunately, this situation is all too common. The good news is that this can be avoided by following a different approach to developing and distributing the security policies.

Utilizing the Security Council for Policies

Management support is essential in the development of information security policies. So, how is that attained? One method that is very effective is to form a security committee, also known as an information security council, as introduced in Chapter 4. The security council can review the policies proposed by the information security department. The benefits of this approach are (1) consensus on the policies is first built at the front-line supervisor/middle management/technical staff level, (2) senior management has greater comfort that the policies will be accepted by the organization as the management team has reviewed them before approval, and (3) it builds grassroots ownership of the information security policies. Although the information security council can also serve as oversight for other security initiatives, serve as a sounding board, and prioritize information security efforts, it can be especially effective in vetting and discussing the information policies that are needed by the organization.

The Policy Review Process

Now that the organization has identified an individual responsible for the development and implementation of security policies, the security council has been created, and an understanding of what makes a good policy has been communicated, there needs to be a process for reviewing the policies. This process may be developed during the creation of the security council. What is important is that the policy development process is thought out ahead of time to determine who will (1) create, (2) review and recommend, (3) approve the final version, (4) publish, and (5) read and accept the policies. The time spent in this process, up front, will provide many dividends down the road. Many organizations jump right in and have someone in the security department or information technology department draft and then e-mail the policy without taking these steps. Proceeding along that path ends up with a policy that is not accepted by the organization’s management and thus will not be accepted by the organization’s end users. Why? Because the necessary discussion, debate, and acceptance of the policies by the leaders of the organization never took place. In the end, the question of management commitment again surfaces, when there was never a process in place to obtain the commitment.

The process could be depicted in a swim-lane-type chart showing the parties responsible, activities, records created through each activity, and decision boxes; or in a flowchart format. Senior management will want this presented at a high level, typically no more than one to two pages of a process diagram. The process will vary by organizational structure, geographic location, size, and culture of decision making. However, a successful process for review should contain the following steps, as depicted in Figure 6.2.

Figure 6.2 Security council policy development, approval, and distribution process.

1. Policy needs to be determined—Anyone can request the need for a policy to the information security department. Business units may have new situations that are not covered by an existing security policy. If no security policies exist in the organization, the information security department needs to take the lead and establish a prioritization of policies that are necessary.

2. Create, modify existing policy—The information security department creates an initial draft for a new policy that can be reacted to. Caution must be taken not to copy and distribute these policies taken from books or Internet sources as is, as they may not be completely appropriate, enforceable, or supported by procedures within the organization.

3. Internal review by security department—People within the security department will have varying levels of technical expertise, business acumen, and understanding of the organizational culture. By reviewing within the team first, many obvious errors or misunderstandings of the policy can be avoided before engaging management’s limited review time. This also increases the credibility of the information systems security department by bringing a quality product for review. It also saves time on minor grammatical reviews and focuses the management review on substantive policy issues.

4. Security council reviews and recommends policy—This is arguably the most critical step in the process. This is where the policy begins the acceptance step within the organization. The policies are read, line by line, during these meetings and discussed to ensure that everyone understands the intent and rationale for the policy. Management’s commitment begins here. Why? Because the managers feel like part of the process and have a chance to provide input, as well as thinking about how the policy would impact their individual departments. Contrast this method with just sending out the policy and saying “this is it” and the difference becomes readily apparent. These are the same management people that are being counted on to continue to support the policy once it is distributed to the rest of the workforce. Failing in this step will guarantee failure in having a real policy.

If we buy into the notion that a security council is a good practice, logical, practical, and appears to get the job done, what is the downside? Some may argue that it is a slow process, especially when senior management may be pushing to “get something out there to address security” to reduce the risks. It is a slow process while the policies are being debated. However, the benefits of (1) having a real policy that the organization can support, (2) buy-in from the management on a continuing basis, (3) reduced need to rework the policies later, and (4) increased understanding by management of the policies’ meanings and why they are important outweigh the benefits of blasting out an e-mail containing policies that were copied from another source, the name of the company changed, and distributed without prior collaboration. Policies created in the latter context rarely become “real” and followed within the organization, as they were not developed with thorough analysis of how they would be supported by the business in their creation.

5. Information technology steering committee approves policy—A committee made up of the senior leadership of the organization is typically formed to oversee the strategic investments in information technology. Many times these committees struggle with balancing decisions on tactical firefighting on short-term issues versus dealing with strategic issues, and this perspective needs to be understood when addressing this type of committee. The important element in the membership of this committee is that it involves the decision leaders of the organization. These are the individuals that the employees will be watching to see if they support the policies that were initially generated from the security department. Their review and endorsement of the policies is critical to obtain support in implementing the policies. Also, they may be aware of strategic plans or further operational issues not identified by middle management (through the security council) that may make a policy untenable.

Since time availability of the senior leadership is typically limited, these committees meet at most on a monthly basis, but more typically on a quarterly basis. Therefore, sufficient time for planning policy approval is necessary. This may seem to run counter to the speed at which electronic policies are distributed. However, as in the case with the security council review, the time delay is essential in obtaining long-term commitment.

6. Publish policy—Organizations that go directly from step 2 to this step end up with shelfware, or if e-mailed, “electronic dust.” By the time the policy gets to this step, the security department should feel very confident that the policy will be understood by the users and supported by management. Users may agree or disagree with the policy, but will understand the need to follow it because it will be clear how the policy was created and reviewed. Care must be taken when publishing policies electronically, as it is not desirable to publish the same policy over and over with minor changes to grammar and terminology. Quality reviews need to be performed early in the development process so that the security council and information technology steering committee can devote their time to substantive issues of the policy versus pointing out the typos and correcting spelling. End users should be given the same respect and should expect to be reviewing a document free from error. The medium may be electronic but that does not change the way people want to manage their work lives. With the amount of e-mail already in our lives, we should try to limit the amount of “extra work” that is placed upon the readers of the policies.

The Web-based policy management tools provide the facilities to publish the policies very quickly. Since tracking of reading the policies is a key feature of these products, once the policy is published, it typically cannot be changed unless a new policy is created! This has major implications for the distribution of the policy. This means that any change made will require the republishing of the policy. Imagine thousands of users in the organization that now have to reread the policy due to a minor change. This situation should be avoided with the review process in place in the preceding steps. The electronic compliance tracking software is usually built this way (and rightly so), so that it is clear which policy version the user actually signed off on.

It should be clear by now that even though some of the policy development tools support a workflow process within the tool to facilitate approvals of the policies through the various stages (such as draft, interim reviews, and final publishing), there is no substitute for the oral collaboration on the policies. Electronic communications are very flat and do not provide expression of the meaning behind the words. Through the discussions within the various committees, the documented text becomes clearer beyond just those with technical skills. The purpose is more apt to be appropriately represented in the final policies through the collaborative process.

Information Security Policy Process

Security policy development is a repetitive process, where existing policies are updated and new ones are created as needed. The majority of the work is in creating the initial security policies, and hopefully, if these policies were written to the appropriate level, modification of the policies should be minimal. The majority of the ongoing work in policy development is evaluating the policies against the introduction of new technologies, law and regulation changes, and changes to the business. Most often, the existing policies will suffice and not require major change. This rate of small change can cause organizations to not pay the appropriate attention to the policy review and update.

As a final note, it should be clear through the activities presented in this chapter that the information security officer is the facilitator of the information security policy development, but should not own the policies. The security policies should be owned by the organization, which in most cases is represented by the CEO and the executive management. There will be much less challenging of the security policy if it is owned and issued at this level than if it is owned by the security officer, who may reside at a lower level within the organization (except for large organizations where the CISO may be part of the executive team).

All other security procedures, standards, guidelines, and implementations are dependent upon the construction of a consistent, easy-to-understand, coherent, and comprehensive information security policy. The time investment in this step is very valuable and the impact to the organization should not be underestimated. Following the steps in this chapter will lead to more efficient and effective information security policy development and subsequent acceptance.
