7 Security Policy
An organization’s information security policy is one of the most important business documents within the organization. That’s right—business document and not a technology document. The security policy should always be an extension of the organization’s business environment, culture, and mission as well as account for any applicable laws and regulations. By having a formal information security policy, the organization will benefit in a number of ways.
The information security policy should be customized to reflect the business objectives of each organization. This is one of the primary reasons why standard template-based policies are not effective for many managers. It is clear that many organizations share similar business objectives and that many policies can overlap. The element that makes the information security policy effective, strangely enough, is not the policy document; it is the people. For information security to be taken seriously within any organization, there absolutely must be visible support from management at all levels. This can range from funding information security initiatives to managers and executives attending user training sessions with everyone else in the company, as well as holding all users accountable for their actions.
Effective information security is about people and their actions. An organization can publish well-written documents that have all the right words on the page. If the users and employees do not internalize and accept these requirements, however, the results will likely be less than desirable for management. In a previous book, Information Security Awareness: The Psychology Behind the Technology (ISBN: 1-4208-5632-4), I research and describe the relationship between psychology and behavior involving users internalizing information security messages, and why this process is so critical to the overall success of every information security program.
The first control area within the ISO/IEC 17799:2005 (27002) Code of Practice for Information Security Management is about the information security policy document and management's support and direction for the information security program. There are only two controls within this area. The small number of controls in this area does not indicate a lack of importance. In fact, the first control is a key risk indicator control, as previously described.
The overall objective for this control area could be characterized by stating that management must provide direction for the overall information security initiative and outwardly support the program. The two controls for this control area are focused on the information security policy document and the review and evaluation of the policy. The security clause and two associated controls for the information security policy control area are listed and described in the following sections.
AU7087_C007.fm Page 117 Tuesday, May 23, 2006 8:37 AM
Layton, Timothy P.. Information Security : Design, Implementation, Measurement, and Compliance, Auerbach Publishers, Incorporated, 2006. ProQuest Ebook Central, http://ebookcentral.proquest.com/lib/apus/detail.action?docID=267956. Created from apus on 2025-04-25 00:13:44.
Copyright © 2006 Auerbach Publishers, Incorporated. All rights reserved.
INFORMATION SECURITY POLICY
The high-level purpose and intent of the “Information Security Policy” main security clause is to ensure that there is a management-sponsored information security policy and that all relevant users (internal, external, etc.) are aware of their responsibilities. Senior management and organizational stakeholders must provide visible support and direction for the information security initiative as a whole. All applicable laws and regulations must be accounted for in the policy documents as well as the business objectives and requirements of the organization.
The two controls within this main security clause are detailed below for your review and evaluation. Keep in mind that these controls, as well as the other 131 of them, were written as a framework for organizations to adopt and implement within their own individual organizations based on their own unique business requirements.
Through the use of a customized risk analysis and organizational evaluation, the management team must decide how to implement each of the controls within their own environments. The basic framework and guidelines are presented within the body of each control. These controls should be evaluated against the business strategy and plans of each organization before being implemented. This is exactly why the information security management team and staff must be knowledgeable and fluent with the organization’s mission, business goals, and objectives.
It should be clear to everyone within the organization that the management team supports the information security mission and that the mission is linked to the overall business strategy. The reality for most organizations is that each department and manager is very busy with their own objectives and challenges. Information security at times can be viewed as another hurdle or obstacle keeping them from achieving their goals or project deadlines. The responsibility falls onto the information security team to keep this mission moving forward and in front of key organizational stakeholders to ensure that the requirements and objectives of the organization are being met. The concept of information security is gaining a wider acceptance within many organizations because of the legal and regulatory requirements.
I have met a wide array of managers in organizations that operate in various industries. Many managers do not fully understand the intended purpose of the ISO/IEC 17799 Code of Practice. Many confuse the standard with laws such as the Sarbanes–Oxley (SOX) or Gramm–Leach–Bliley (GLB) acts. The standard can be thought of as a “code of practice” that an organization can follow to implement information security best practices, independent of industry. After a close inspection of the controls within the standard, you will notice that if an organization implements the controls within the appropriate context of its environment, many, if not most, of the information security requirements by current laws and regulations will be directly or indirectly met. This holds true whether you are discussing the Data Protection Directive in Europe or SOX, GLB, or HIPAA (Health Insurance Portability and Accountability Act) in the United States.
5.1.1 INFORMATION SECURITY POLICY DOCUMENT
As previously discussed, example threat and vulnerability statements are presented in this control in an effort to help the readers of this text develop and implement their own threats and vulnerabilities into their risk assessment process. The exercise of mapping threat statements to each of the 133 controls is complex and extremely time-consuming, but very necessary. These mappings should be created with consensus and not in a silo. It is important to get as many qualified resources involved in or reviewing the threat and vulnerability mappings as possible. It is unlikely that any single person possesses the depth of knowledge and skills within all 11 security clauses to effectively develop or review the threat and vulnerability maps. Try to focus on finding subject matter experts within each security clause and leverage their knowledge and skill. Also, continue looking for help and resources via the Internet in this area, as more people will try to do very similar projects the longer this version of the standard has been published. Check my Web site at www.timlayton.com for new or additional information on threat and vulnerability statements as they develop over time.
Scope: Management should provide support in the form of funding, business process, establishment of a cultural norm, and a clear policy direction across the organization in the form of a written business document for information security. Management must communicate information security policies to all employees and relevant parties, including consultants, contractors, vendors, business partners, etc.
Key Risk Indicator: Yes
Control Class: (M) Management, (O) Operations
Key Questions:
• Is there a formal information security document published by management representing the business, legal, contractual, and regulatory requirements of the organization?
• Is the information security policy document made available to all employees and users of the organization's information systems, including external third parties?
• How is the policy communicated to all affected parties and what is the frequency of communication?
• How does the information security policy document support the business objectives of the organization?
• Does the information security policy document account for all applicable laws, regulations, and contractual requirements?
• Is there a documented structure for risk assessment and risk management within the body of the information security policy?
• Are all applicable 11 control areas within the standard represented in the policy?
• Does the information security policy reference other policies, standards, or control procedures as appropriate?
• Can management provide a business case as to why any of the controls or control areas does not apply to their organization?
As described in the second chapter, the GISAM provides a source of threats that are broken down into four major categories: Human Malicious, Human Non-malicious, Accidental, and Other (natural or other unplanned disruptions or disasters). The threats that I list within each of these four threat categories are sourced from professional experience, NIST, BITS, and other publicly available industry and trade information. Refer to Listings A, B, C, and D in Chapter 2 for a listing of threats separated by category.
The vulnerabilities listed in this control begin with a category and are followed by a specific vulnerability. This is a systematic approach to developing a list of associated vulnerabilities for each control. Refer to the following example as a means to develop your own threat and vulnerabilities.
Threat: Users (employees, consultants, partners, etc.) do not comply with information security policies.
Vulnerability: Human Non-malicious—Poor Management Philosophy: Management does not support security policy development, through lack of funding. Control Class: (M) Management
Vulnerability: Human Non-malicious—Poor Management Philosophy: Management does not support security awareness and education training for all users and relevant parties. Control Class: (M) Management
Vulnerability: Human Non-malicious—Poor Management Practices: Management does not enforce compliance with published information security policies. Control Class: (M) Management
Vulnerability: Human Non-malicious—Poor Management Practices: Users are not aware of information security policy requirements. Control Class: (M) Management
Vulnerability: Human Malicious—Employee or Management Malicious Actions: Users purposely do not comply with information security policies. Control Class: (O) Operations
External References:
NIST SP 800-30, ISO/IEC 13335-1:2004, SOX IT Controls, GLB
Additional Information:
There are a total of 11 control areas within the ISO/IEC 17799 standard. As a quick reminder, those areas are: security policy; organizing information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development, and maintenance; information security incident management; business continuity management; and compliance. The challenge for each organization is to identify which of the 11 main security clauses, and which of the respective control objectives and controls within these areas, apply to their organization and therefore should be communicated within the information security policy document. A standard format and process should be developed and utilized to communicate the information security policies. Many organizations that embrace ISO/IEC 17799:2005 (27002) structure their information security policies after the standard's table of contents. This approach can be very helpful for organizations that do not have an existing approved or published format.
One of the key points about the information security policy control is that management interaction is required at many different levels. From both strategic and pragmatic perspectives, as well as from the overall intent of this control, it is clear that management support is mandatory for this control to be truly effective.
Many organizations when writing and implementing their information security policy fail to realize the importance of senior management support. Most everyone understands the funding part of the support, but the visible and cultural support dimensions often get overlooked or downplayed. These dimensions are critical for helping build cultural norms within the organization and gaining the acceptance of individual users and groups.
An information security policy document is a strategic business document that, to be effective, must have a clear strategy and series of goals defined, just like any other business initiative. I have personally witnessed many organizations placing the development and deployment of their information security policy on their information technology department. In many cases this is a sure sign of impending failure. The information security policy is much broader than information technology. Compliance and legal requirements may drive the inclusion of some policies and the exclusion of others. Depending on the industry, the policy may by its very nature include or exclude certain aspects of ISO/IEC 17799:2005.
Other variables such as organizational culture, geography, diversity, and business objectives and requirements factor into what the information security policy will ultimately need to communicate. By conducting a business-oriented risk analysis, an organization can determine what needs to be included within its information security policy. This is not a one-time effort. There must be a continual process designed and implemented to review and update the various security policies as appropriate. For publicly traded or regulated organizations, the process of ensuring compliance with laws and standards is a continual process that must be supported at all levels within the organization.
It is important to establish the meaning of policy. An information security policy is developed to communicate what users “must” do, and not how to accomplish the policy objective. A series of supporting procedures, guidelines, and standards should be developed to support the mission of the information security policy document. Refer to the standard for specific elements to include within the set of information security policies. In addition, the ISO/IEC 27001 should be reviewed and consulted for additional guidance in this area.
5.1.2 REVIEW OF THE INFORMATION SECURITY POLICY
Scope: To continually monitor and update the information security policy document as required by a host of qualifying events, to ensure its applicability and effectiveness.
Key Risk Indicator: No
Control Class: (M) Management
Key Questions:
• How often is the information security policy reviewed?
• Does management engage qualified external subject matter experts to review the information security policy?
• Does the policy owner operate from a defined and documented review process to revise and update the policy?
• How are qualifying events reviewed to determine if a policy revision or update is required?
• Is a formal management-approved process required for policy changes and updates?
Additional Information:
A key point to consider about this control objective is the assignment of ownership. The information security policy document and process should have an owner or owners responsible for its continual review, updating, and deployment. As with any other organizational policy, the information security policy needs to be monitored and reviewed for its effectiveness and applicability.
One of the best ways to ensure the effectiveness of the information security policy is to measure it at the control level. A formal information security review and evaluation process should be developed or outsourced that measures and reports on the level of effectiveness for each of the 133 controls within the 11 main control areas. A scale and review methodology should be developed or adopted to accomplish the review and monitoring activities discussed above. A business impact analysis should be conducted to identify those controls and control areas that, if not implemented to a high degree of effectiveness, would introduce an unacceptable amount of risk into the environment, organization, and business model.
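The control-level measurement described above, expressed as a small review script. This is an added example, not code from the book or from the ISO/IEC standard. It assumes a 0 to 5 effectiveness scale, three BIA criticality levels with a tolerated minimum score for each, and constructed sample scores; the control numbers other than 5.1.1 and 5.1.2 and all clause labels are assumptions for illustration. It also applies the point from the key questions for 5.1.1 that a control may be left out of scope only with a documented business case; the further rule that a key risk indicator control can never be excluded is an assumption of this example, not a requirement stated in the text.

```python
"""Control-level effectiveness review for an ISO/IEC 17799:2005 (27002) based
information security program.

Added example, not from the book: each control carries an effectiveness score
on an assumed 0-5 scale, a criticality rating from the business impact analysis
(BIA), and optionally a documented business case for excluding it. The review
rolls scores up per main security clause and flags controls whose effectiveness
is below what their criticality tolerates.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SCALE_MAX = 5  # assumed scale: 0 = not implemented, 5 = fully effective and monitored

# Assumed BIA criticality levels and the lowest effectiveness each one tolerates.
MIN_EFFECTIVENESS = {"high": 4, "medium": 3, "low": 2}


@dataclass(frozen=True)
class ControlResult:
    control_id: str                 # e.g. "5.1.1"
    clause: str                     # main security clause the control belongs to
    criticality: str                # BIA rating: "high", "medium" or "low"
    key_risk_indicator: bool        # flagged as a key risk indicator control
    effectiveness: Optional[int]    # 0..SCALE_MAX, or None when excluded from scope
    exclusion_reason: str = ""      # documented business case when excluded


def validate(result: ControlResult) -> None:
    """Raise ValueError for a record the review methodology does not accept."""
    if result.criticality not in MIN_EFFECTIVENESS:
        raise ValueError(f"{result.control_id}: unknown criticality {result.criticality!r}")
    if result.effectiveness is None:
        # A control may be left out only with a documented business case,
        # and (assumption of this example) never when it is a key risk indicator.
        if not result.exclusion_reason.strip():
            raise ValueError(f"{result.control_id}: excluded without a documented business case")
        if result.key_risk_indicator:
            raise ValueError(f"{result.control_id}: key risk indicator controls cannot be excluded")
    elif not 0 <= result.effectiveness <= SCALE_MAX:
        raise ValueError(f"{result.control_id}: effectiveness must be 0..{SCALE_MAX}")


def is_valid(result: ControlResult) -> bool:
    """True when validate() accepts the record."""
    try:
        validate(result)
    except ValueError:
        return False
    return True


def clause_scores(results: list[ControlResult]) -> dict[str, float]:
    """Mean effectiveness per main security clause; excluded controls do not count."""
    scores: dict[str, list[int]] = defaultdict(list)
    for r in results:
        validate(r)
        if r.effectiveness is not None:
            scores[r.clause].append(r.effectiveness)
    return {clause: round(sum(v) / len(v), 2) for clause, v in scores.items()}


def unacceptable_risk(results: list[ControlResult]) -> list[str]:
    """IDs of implemented controls scoring below the minimum their BIA criticality tolerates."""
    gaps = []
    for r in results:
        validate(r)
        if r.effectiveness is not None and r.effectiveness < MIN_EFFECTIVENESS[r.criticality]:
            gaps.append(r.control_id)
    return gaps


# Constructed sample review. 5.1.1 and 5.1.2 are the two controls discussed in
# this chapter; the other control numbers, the clause labels and all scores are assumptions.
SAMPLE_REVIEW = [
    ControlResult("5.1.1", "5 Security policy", "high", True, 3),
    ControlResult("5.1.2", "5 Security policy", "medium", False, 2),
    ControlResult("6.2.1", "6 Organization of information security", "medium", False, None,
                  "No external parties engaged; onboarding process covers this if that changes"),
    ControlResult("11.2.1", "11 Access control", "high", True, 5),
    ControlResult("11.3.1", "11 Access control", "low", False, 1),
]

if __name__ == "__main__":
    for clause, score in clause_scores(SAMPLE_REVIEW).items():
        print(f"{clause}: {score}/{SCALE_MAX}")
    print("unacceptable risk:", ", ".join(unacceptable_risk(SAMPLE_REVIEW)))
```

The roll-up per clause gives management the summary view; the gap list is what the review process acts on, because a clause average can look acceptable while a single high-criticality control inside it is weak.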
Qualifying events, as discussed earlier, include events or activities such as changes in the information systems, the information technology environment, operational processes, or business objectives; newly published vulnerabilities known to potentially affect your systems and operations; etc. The environment, vulnerabilities, and business landscape are in a constant state of change, and this is fundamentally why it is critical to continually monitor and adjust, as well as add new controls to your information security program as applicable. If you want to review the actual security program, refer to ISO/IEC 27001 for guidance, as well as my Web site at www.timlayton.com.
SUMMARY
I am routinely asked by many different people and organizations around the world, "What exactly should our information security policy contain, and how long should it be?" My response is the same every time, no matter where the organization is based or what its industry is: "It depends." It honestly depends on several factors. For example, federal, government, legal, and regulatory factors absolutely must be factored into the information security policy and strategy, as appropriate. The business objectives and requirements of the organization are equally important and must be included to ensure the continuance and integrity of the organization's information systems and processes. These factors alone will shape the table of contents for the information security policy.
For example, a small privately held organization that does not engage third-party vendors simply would not include those controls that apply to this type of business activity, and there is no need for them to be addressed at this time in the information security policy. However, the organization should have a defined process to address this type of activity if and when it presents itself. Conversely, a publicly traded organization in the financial industry, by default, has a host of legal, federal, and regulatory requirements that must be addressed at the control level as well as within the information security policy document. For such an organization a well-documented and routinely monitored information security program is not optional; it is a federal requirement. The financial organization referenced in the example above must comply with legal requirements for information security under Sarbanes–Oxley and Gramm–Leach–Bliley, as well as federal and regulatory requirements from the OCC (Office of the Comptroller of the Currency), etc.
My earlier response of "It depends" is the short way of saying that each organization must assess its individual requirements. It is in the best interest of the information security management team to include as many departments and business units within the information security planning process as possible and appropriate. This is a practical way of keeping organizational stakeholders actively involved in information security matters.
REFERENCES
ISO/IEC 17799:2005 Information Technology — Security Techniques — Code of Practice for Information Security Management, International Organization for Standardization, 2005.