Part 1 of 8 - Introducing Security Policies
Part 2 of 8 - Critical Success Factors
Part 3 of 8 - Policy Development
Part 4 of 8 - Risk Assessment for Security Policies
PART 5 - SAMPLE SECURITY POLICIES AND TEMPLATES
Overview
This installment of "What you need to know about Security Policies" provides an overview of some essential considerations when obtaining source material for the development of your own security policies. I provide a couple of suggestions for policy resource material, and discuss the use of policy templates.
Security policies should be based on several sources, which can include:
1. International Information Security Standards
a.) ISO/IEC 17799:2005
b.) NIST standards
c.) The I.T. Baseline Protection Manual
This standard is particularly useful as reference for the development of security procedures and guidelines.
2. RFCs
a.) The Site Security Handbook - RFC2196.
3. Information Security Principles
a.) OECD - Organisation for Economic Co-operation and Development - http://www.oecd.org/
b.) GAISP - The Generally Accepted Information Security Principles (http://www.issa.org/)
4. Security Policy Books
Security Policy Books such as:
a.) Information Security Policies Made Easy by Charles Cresson Wood (“ISPME”), and others - as discussed below.
5. Sample Security Policies
Sample security policies available on the Internet, such as “The SANS Security Policy Project” - a reference which should be used with due care.
INFORMATION SECURITY PRINCIPLES
Security principles are used to define a foundation upon which security policies can be further defined. Organizations should evaluate and review these security principles before and after the development and elaboration of security policies. This will help define and satisfy management's expectations for security, and fundamental business requirements, during the development and management of the security policies.
Sources: Organization for Economic Cooperation and Development (OECD); Generally Accepted Information Security Principles (GAISP ver 3.0 - ISSA)
PERVASIVE PRINCIPLES
1 - Accountability Principle
2 - Awareness Principle
3 - Ethics Principle
4 - Multidisciplinary Principle
5 - Proportionality Principle
6 - Integration Principle
7 - Timeliness Principle
8 - Assessment Principle
9 - Equity Principle
BROAD FUNCTIONAL PRINCIPLES
1 - Information Security Policy
2 - Education and Awareness
3 - Accountability
4 - Information Management
5 - Environmental Management
6 - Personnel Qualifications
7 - System Integrity
8 - Information Systems Life Cycle
9 - Access Control
10 - Operational Continuity and Contingency Planning
11 - Information Risk Management
12 - Network and Infrastructure Security
13 - Legal, Regulatory, and Contractual Requirements of Information Security
14 - Ethical Practices
INFORMATION SECURITY POLICY BOOKS
The following is a list of the most popular books written on information security policies, currently available:
Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management by Thomas R. Peltier
Paperback: 297 pages
Publisher: AUERBACH; 1st edition (December 20, 2001)
ISBN-13: 978-0849311376
Writing Information Security Policies by Scott Barman
Paperback: 214 pages
Publisher: Sams; 1st edition (November 9, 2001)
ISBN-13: 978-1578702640
Information Security Policies and Procedures: A Practitioner's Reference, Second Edition by Thomas R. Peltier
Hardcover: 448 pages
Publisher: AUERBACH; 2nd edition (May 20, 2004)
ISBN-13: 978-0849319587
Information Security Policies Made Easy, Version 10 by Charles Cresson Wood
Hardcover: 739 pages
Publisher: Information Shield (May 2005)
ISBN-13: 978-1881585138
Description:
This book can be used as a framework for the creation of a comprehensive set of information security policies. Version 10 of ISPME contains more than 1350 pre-written security policies. The book includes a CD-ROM containing every policy in HTML, Word, and PDF formats. The policies are divided into 10 separate domains that are mapped to the ISO 17799 standard.
Note: While it may be tempting to immediately start cutting and pasting policies together, it is crucial to understand both
SAMPLE SECURITY POLICIES
Common sources for obtaining sample information security policies include:
SANS
Policies from the SANS Institute, Security Policy Project
A website dedicated to "SysAdmin, Audit, Network, Security"
Internet: http://www.sans.org/resources/policies/
RU Secure
The Security Policies & Standards Group, Deepdale, Preston, UK.
Internet: http://www.information-security-policies-and-standards.com/.
THE USE OF TEMPLATE POLICIES
Disadvantages of using Policy Samples and Templates
Given the time constraints we all tend to work under these days, it is very tempting to adopt template policies rather than research and write your own. A quickly delivered policy may achieve short-term gain for your organization but, in the long term, may well not be broad and deep enough to properly protect your organization's information assets from the wide range of potential threats.
Advantages of developing your own policies
The benefit of researching and writing your own policy is that the very act of doing so increases your knowledge of what your organization is about, how things work, who does what, what the I.T. infrastructure is, and how it may evolve. You may well find that many assumptions you thought to be correct are in fact not so.
POLICY COMPLIANCE TO SECURITY STANDARDS
Policy Focus
Policies should be focused on addressing information security risks. Ideally, your information security policy should deal solely with information security. This may sound "rather obvious"; however, some organizations require their security policies to encompass what may loosely be described as behavioral or moral policy. For example, while issues such as sexual and ethnic harassment may be important in their own right, they are not directly relevant to information security.
ISO/IEC17799:2005 Code of Practice for Information Security on Security Policies:
Clause 5 - Security policy
5.1 Information security policy
Objective:
To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.
5.1.1 Information security policy document
Control
An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
Implementation guidance
The information security policy document should state management commitment and set out the organization’s approach to managing information security. The policy document should contain statements concerning:
a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction);
b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management;
d) a brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including:
1) compliance with legislative, regulatory, and contractual requirements;
2) security education, training, and awareness requirements;
3) business continuity management;
4) consequences of information security policy violations;
e) a definition of general and specific responsibilities for information security management, including reporting information security incidents;
f) references to documentation which may support the policy, e.g. more detailed security policies and procedures for specific information systems or security rules users should comply with. This information security policy should be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader. (Weise, 2001)
References:
Weise, Joel (2001) Developing a Security Policy - SUN
Wood, C.C. (2004) InfoSecurity Infrastructure Inc. RSA
Next in this series:
Part 6 of 8 - Policy Structure and Approach