A common challenge for information security management professionals is the development, execution and maintenance of corporate information security policies. I have developed and deployed many security policies over the past decade, and accumulated several "information security policy gems", which I will share with you in the following couple of posts.
Note: The text in this series contains the outline of a training workshop I provided on the subject of "Information Security Policy Development". The purpose is to improve this framework and allow it to evolve into a more complete documented version of the presentation.
INTRODUCTION TO SECURITY POLICIES
For many security professionals and security officers who are inexperienced in the development of security policies, it can be a challenge to know how to go about structuring a security policy project and how to define the scope of the policy. In this series, I will cover many aspects of corporate information security policy development projects.
Section 1 – Introduction to Policy Projects
- Developing a Project Plan
- Objectives, Scope, Participants & Resources
Section 2 – Understanding Information Security Policies
- Fundamental Concepts: Policies, Standards & Procedures
Section 3 – Principles of Security Policy Development
- Development Approach
- Risk Analysis Methods for Policy Development
- Policy Sources and Templates
- The Art of Policy Writing
Section 4 – Security Policy Implementation
- Policy Dissemination & Communication
- Security Awareness
Section 5 – Policies Management
- Policy Maintenance
- Change Management
- Scheduled Policy Reviews
In the policy development literature, the few books that have been written specifically on information security policy development do not offer significant insight or guidance on the development of a comprehensive policy development project plan, nor much on best-practice development techniques. I will elaborate my views on this, as well as on other interesting topics such as the "policy communication project plan", and my thoughts on policy management (maintenance and change control).
Structuring a Corporate Security Policy Project
Perhaps the most important success factors of security policy projects are knowing how to structure the project, knowing how to define the scope, and following a well-designed development and execution plan. These steps lay the foundation for the communication and future management of the policies. I will explain these concepts.
Security policy projects are complicated. The development and implementation of information security policies is usually more complicated than expected. It requires a high-level as well as a detailed understanding of the business.
You will not succeed if you restrict your analysis to the I.T. business environment. It is essential that you also obtain a thorough understanding of all the business activities, particularly any activities and business practices that contribute to risk. Often, you are required to spearhead changing perceptions about risks and information security throughout the organization.

Organization-wide involvement is vital
- Policies should never be developed alone, in seclusion.
- Development demands the correct mixture of experience, skill and knowledge.
SECTION 2 - UNDERSTANDING INFORMATION SECURITY POLICIES
SECTION OVERVIEW:
In this section, I will cover the following:
2.1 Understanding Security Policies
• Defining “Security Policy”
• Key criteria (legal, etc.)
• Difference between policies, standards & procedures
2.2 Policy Types
• Enterprise
• Issue-Specific
• System-Specific
2.1 Understanding Security Policies
2.1.1 Defining “Security Policy”
2.1.2 Difference between policies, standards & procedures
2.1.3 Purpose of Security Policies
2.1.4 Benefits of Security Policies
2.1.5 Common Policy Misconceptions
2.1.6 Critical Success factors of Security Policies
2.1.7 Why some policies fail
2.1.8 Key criteria (legal, etc.)
Defining “Security Policy”
In its simplest definition, a security policy can be described as a combination of several things, such as management instructions, plans, rules, etc.
- Management instructions
It is the formal documentation of management decisions about information security, and the primary way in which management's expectations for security are translated into specific, measurable, and testable goals and objectives.
- A Plan
A policy is a plan, or course of action, intended to influence and determine decisions, actions, and other matters.
- Rules
Policies are a set of rules that dictate acceptable and unacceptable behaviour within an organization.
- Policies are mandatory
As opposed to standards and guidelines, which are not necessarily mandatory.
- General statements - not specific
Policies are more general than standards and procedures.
- Independent
Policies are product and vendor independent.
- Include Penalties
Policies must also specify the penalties for unacceptable behaviour, and define an appeal process.
What a policy is NOT:
- The security policy defines what business and security goals and objectives management desires, but not how these solutions are engineered and implemented.
- Policies are not detailed statements explaining how controls should be implemented or managed.
For example: Information security policies are not system settings for firewalls and other system components.
- Policies do not include detailed, step-by-step technical standards and procedures.
Difference between policies, standards & procedures
Security Policies:
- Security policies embody management’s overall security expectations, goals and objectives.
- To be practical and implementable, policies must be further defined by standards, guidelines, and procedures.
- While the policies should not often change, the various standards and procedures do often change.
A policy can be, for example, an organization's prohibition of the viewing of inappropriate Web sites at the workplace. To execute this policy, the organization must implement a set of standards that clarify and define exactly what is inappropriate in the workplace and to what degree the organization will act to stop the inappropriate use.
Security Standards:
- Security Standards are directives derived from generic or specific policy, designed to structure and guide the implementation of the policy.
- Standards are more detailed statements of what must be done to comply with policy, and provide specific interpretation of policies.
- Standards provide more measurable ("auditable") guidance in each policy area.
For example:
Security Procedures:
- Security procedures also provide specific interpretation of policies and the standards.
- They instruct users, customers, technicians, management, and others on how to implement the policies.
- Procedure documents are environment-specific and are needed for each technology used by the business.
- They specify in detail how the security standards are to be implemented by that technology.
Security Guidelines:
- Guidelines are documented best practices and recommendations for addressing the security needs of domains or resources not covered by formal policy.
- Often, these are “standards in waiting” in the process of being developed and ratified.
- They are not requirements to be met, but are strongly recommended.
This concludes part one of this eight part series on Understanding Information Security Policies.
In the next installment, part 2, I will discuss the various policy types and what you should know about the actual development of security policies.
Regards,
Ciske
CISKE@INFOSECRISKS.COM
Next issues in this series "What you need to know about Security Policies"
Part 2 of 8 - Critical Success Factors
Part 3 of 8 - Policy Development
Part 4 of 8 - Risk Assessment for Security Policies
Part 5 of 8 - Sample Security Policies and Templates
Part 6 of 8 - Policy Structure and Approach