Security Policy Framework

Terminology

Security Policy is defined as the rules and regulations set by an organization. Security policies have to be laid down by management in compliance with applicable law, industry regulations, and the decisions of enterprise leaders. Policies are mandatory for any enterprise; they are stated in unambiguous language and require compliance. Failure to conform to policy can result in disciplinary action, termination of employment, and even legal action.

Security policies are the basis for security awareness, training and education; they govern how an organization’s information is to be protected against breaches of security.

Security policies are focused on the desired results, not on the means of achieving those results. The methods of achieving policies are defined by controls, standards, and procedures.

Controls

When developing a framework for implementing security policies, controls are measures used to protect systems against specific threats.

Standards

A standard can be an accepted specification for hardware, software, or human actions. Standards can be de facto when they are so widely used that new applications respect their conventions.

In a corporate environment, a standard refers to specific technical choices for implementing particular policies. Typically, the standards are of concern to those who must implement policies; not all standards need to be made known to all personnel. Standards must change in response to a changing technical environment; typically, standards change more rapidly than the security policy.

Procedures

Procedures prescribe how people are to behave in implementing security policies.

Policy Framework

Creating security policies without guidance from experienced policy writers is a time-consuming effort. The result could be that a policy leaves everyone in an enterprise so puzzled that the policies turn into shelf ware – they are stored, but never used.

Guidance for policy writers helps them structure their work, avoid pitfalls, and save enormous amounts of time. Any security policy framework should at least be based on one of the following resources:

  • ISO 17799
  • RFC2196
  • IT Baseline Protection Manual

ISO 17799

With the increasing interest in security, ISO 17799 certification has been established as a goal for many organizations throughout the world. Security consultants are trained for compliance with ISO 17799, which offers a convenient framework in accordance with an international standard.

ISO 17799 is organized into ten major sections, each covering a different topic or area:

  1. Business continuity planning
  2. System access control
  3. System development and maintenance
  4. Physical and environmental security
  5. Compliance
  6. Personnel security
  7. Security organization
  8. Computer and network management
  9. Asset classification and control
  10. Security policy

RFC2196 (Site Security Handbook)

The Internet Engineering Task Force (IETF) has an extensive list of informational documents called requests for comments (RFCs) governing all aspects of the Internet. One document of particular value to any organization thinking about improving its security practices is the Site Security Handbook, RFC2196.

The Site Security Handbook has the following structure:

  • Introduction
  • Security Policies
  • Architecture
  • Security Services and Procedures
  • Security Incident Handling
  • Ongoing Activities
  • Tools and Locations
  • Mailing Lists and Other Resources
  • References

IT Baseline Protection Manual

The German government’s computer security arm, the Bundesamt für Sicherheit in der Informationstechnik, has published a useful set of security guidelines.

The IT Baseline Protection Manual has five main sections:

  • Stand-alone systems
  • Networked systems
  • Communications
  • Infrastructure
  • Methodologies

In general, each module presents concepts, threats and vulnerabilities, and the necessary countermeasures. The work provides a sound basis for effective information security protection.

Collaborating in Building Security Policies

Security has always been described as being everyone’s business and, in fact, it is. Security issues, security awareness, and security provisions penetrate each action and interaction between user and machine. Security policies challenge users to change the way they think about their own responsibility for protecting the corporate information. Security has to be presented to everyone in the organization in a way that causes them to recognize that they, personally and professionally, have a stake in information protection. Security managers or officers, in order to be successful, must involve employees from throughout the enterprise in developing security policies. Users must justifiably feel that they own their security procedures. These users have to become partners rather than opponents of effective security.

Phase I: Preliminary Evaluation

Studies of the extent to which information security policies are in place consistently show that relatively few of the respondents have adequate policies in place.

In the absence of existing or adequate security policies, a preliminary inventory is the first step in providing upper management with the baseline information that will justify developing a corporate information security policy. The preliminary evaluation should be quick and inexpensive. At this point no detailed work is required, since approval, support, and budget from upper management are necessary first.

The main goal of preliminary evaluation is to ask people who work with information resources what they believe are their most important security needs. In practice, employees and managers have valuable insights that transcend theory and generalizations.

To gather the baseline data it is recommended to run a preliminary study based on the ISO 17799 major sections and to identify the critical and sensitive systems.

Phase II: Management Sensitization

Support from upper management is essential for further progress. The goal here is to get approval for an organization-wide audit and policy project. The best way to launch such a project is to start with a meeting, where a short statement from a senior executive about the crucial role of information protection in the organization is given. The next tasks are: set priorities, determine an action plan, define a timetable and milestones, and formulate policies and procedures to protect corporate information resources.

Phase III: Needs Analysis

Representatives from every sector of the enterprise should meet or be interviewed in order to investigate security requirements; the participants’ wide experience and perspective will be crucial in deciding which areas to protect most strongly.

An evaluation of the degree to which the systems and networks are vulnerable to breaches of security has to be performed. As in a typical audit, facilities, personnel policies, existing security, application systems, and legal responsibilities could be covered. The focus should be on the Internet, campus communications, wide area enterprise networks, and electronic data interchange with clients and suppliers.

Phase IV: Policies and Procedures

Once the information gathering process and its analysis and evaluation are done, policies and procedures that meet the needs of the enterprise have to be constructed.

Genuine participation by all the representatives from every sector of the enterprise is a critical element of success. The policies have to be owned by these representatives.

Phase V: Implementation

This is the hardest part because the new policy has to be explained to fellow employees and they need to be convinced to change their habits. Awareness and training sessions for all levels of the enterprise have to be organized.

Phase VI: Maintenance

Once the enterprise has begun to integrate a concern for security into every aspect of its work, the issue must be kept fresh and interesting. Every employee should regularly confirm and sign the annual security agreement. This practice ensures that no one can argue that the organization’s commitment to security is a superficial charade.