The framework for an organization’s information security program is composed of policies and their respective standards and procedures. This article will examine the relationship between policies, standards, and procedures and the roles they play in an organization’s information security program. In addition, the roles of individuals inside and outside of the organization with respect to the creation of policy and standards will be discussed. Finally, the article discusses how an organization can meet its information security needs at each level of security and how this relates to the content of the information security policy (ISP).
Information Security Policy (ISP)
Policies form the foundation of everything an organization is and does. Likewise, an ISP is the beginning of a company’s information security program. A policy is a high-level plan for how an organization intends to respond to certain issues. An ISP sets the tone of the organization’s information security program and establishes the will and intent of the company in all information security matters. The ISP also defines how the company will regulate its employees. Policies must support an organization’s objectives and promote the organization’s success. Policies must never be illegal and must be defensible in a court of law. Policies must be supported and administered fairly and consistently throughout the organization (Whitman & Mattford, 2010). The following paragraphs list some tips for developing and implementing an ISP.
A Clear Purpose
It is essential that an ISP have a clearly defined purpose. Specific objectives should guide the creation of the ISP, and the purpose should articulate exactly what the policy is to accomplish (McConnell, 2002). McConnell (2002) further notes that, “If you cannot explain why the policy exists, you cannot expect your employees to understand it or follow it” (p. 2).
In developing policies, it is a good idea to gain the input of the employees to whom the policy will apply. Ideally, there should be at least one representative from each department. Allowing various employees to give input on the policy will help to ensure that nothing is overlooked and that the policy is easily understood (McConnell, 2002).
Security Awareness and Training Program
In addition to gaining the employees’ acknowledgement of the ISP at their orientation, the ISP should be part of the security awareness and training program. Ongoing awareness training can focus on various security policies (McConnell, 2002). It is important to keep information security matters fresh in the minds of employees to avoid complacent behaviors that may lead to serious violations.
Enforcement is critical to the success of any policy; policies that are not enforced are soon ignored. McConnell (2002) notes, “A policy that you are unable or unwilling to enforce is useless” (p. 2). If a policy is unenforceable, it should be removed or revised to the point where it is enforceable. Not only must a policy be enforceable, it must be enforced from the top down. When managers set the example, the rest of the staff are more likely to follow (McConnell, 2002).
While policy sets the overall plan or intent of the organization in regard to information security, standards define the specific elements required to comply with policy. For example, an acceptable use policy may prohibit employees from visiting inappropriate websites; the standard defines which websites are considered inappropriate (Whitman & Mattford, 2010). Standards may be developed in house, but the more common and preferred approach is to adopt already established industry standards that can then be tailored to the organization’s specific needs.
Procedures are the step-by-step actions necessary to comply with the policy. Procedures are driven by standards that are governed by policy (Whitman & Mattford, 2010). Most policy violations may be traced back to either a willful or negligent failure to follow procedures.
Senior management initiates the need for policy creation; it is their intent and purpose that the policy is created to communicate. Senior management is the final authority and gives the final approval for the policy.
Information Security Officer (ISO)
The ISO is essentially the policy’s champion, overseeing all aspects of the ISP and acting as the agent who reports to senior management. The ISO creates a governance committee that works together to develop and update policy. The ISO oversees organizational compliance with security policies (California Office of Information Security and Privacy Protection, 2008).
The information technology (IT) staff is responsible for installing and maintaining the technical controls to ensure users are compliant with the security policies. For example, the IT staff may install software that blocks access to prohibited websites. The IT staff also conducts monitoring of employee activity on the company network.
Managers, as already stated, must lead by example. When managers do not follow and enforce policies, it communicates to employees that policies are not important and that following them is optional. A body will always follow its head; likewise, a department will always follow the example of its managers.
The average end user is perhaps both the greatest security asset and the greatest security threat; clear security policies and proper security awareness training are the deciding factors. People should be made aware of common security threats such as social engineering attacks and of the importance of safeguarding their password information. They should be trained to understand exactly what the organization expects from them in regard to information security (Whitman & Mattford, 2010).
There may be times when outside people, such as vendors, consultants, and temporary employees, need access to an organization’s network. Such people should be required to sign an acknowledgement form agreeing to abide by all security policies, standards, and procedures.
The Bulls-eye Model
The bulls-eye model is a way of tailoring the ISP to the needs of the organization at various security levels. The four levels of the bulls-eye are: policies, networks, systems, and applications (Whitman & Mattford, 2010). Whitman and Mattford (2010) state, “In this model, issues are addressed by moving from the general to the specific, always starting with policy” (p. 120).
An information security policy, as already discussed, sets the foundation for an organization’s information security program (Ungerman, 2005). While all policies are high-level, there are different levels that a policy may address. The enterprise information security policy (EISP) is the overall policy that encompasses all other information security policies within the organization. Issue-specific security policies (ISSPs) target specific issues and contain more low-level elements than the EISP. An example of an ISSP is an acceptable use policy (AUP). Finally, there are system-specific security policies (SysSPs). A SysSP is so low-level that it may appear more like a procedure than a policy. A SysSP, through either managerial guidance or technical specifications, defines the system-specific controls needed to conform to an ISSP. An example of a SysSP would be the implementation of website filtering software to enforce the company’s AUP (Whitman & Mattford, 2010).
Network-level security is about securing the network and as such is heavily focused on controlling access through user authentication. The EISP may define who may access the network, in addition to how and why. An ISSP may then specify what types of authentication and access control models may be used. SysSPs can then prescribe technical specifications, such as software requiring a periodic password change, to facilitate compliance with the ISSP (Whitman & Mattford, 2010).
System-level security is concerned with securing the actual system components of the network such as the computers, printers, and servers. Examples of ISSPs at the system level are AUP, password policies, and policies prohibiting the installation of unapproved hardware and software by end users (Whitman & Mattford, 2010).
Application-level security deals with any type of application, from out-of-the-box software like MS Office to enterprise resource planning (ERP) systems like SAP. Policy considerations here include controlling user access and application update policy. Policy controls who has access to which applications and to which features (Whitman & Mattford, 2010).
California Office of Information Security and Privacy Protection. (2008, April). Guide for the Role and Responsibilities of an Information Security Officer Within State Government. Retrieved from http://www.cio.ca.gov/ois/government/documents/pdf/iso_roles_respon_guide.pdf
McConnell, K. D. (2002). How to Develop Good Security Policies and Tips on Assessment and Enforcement. Retrieved from http://www.giac.org/paper/gsec/1811/develop-good-security-policies-tips-assessment-enforcement/102142
Ungerman, M. (2005). Creating and Enforcing an Effective Information Security Policy. Retrieved from http://www.isaca.org/Journal/Past-Issues/2005/Volume-6/Documents/jopdf-0506-creating-enforcing.pdf
Whitman, M., & Mattford, H. (2010). Management of Information Security (3rd ed.). Mason, OH: Cengage Learning. Retrieved from The University of Phoenix eBook Collection database.