ITS 305 - Security Policies and Auditing

Chapter 4, Information Security Policy

Objectives:

This lesson discusses information security policies. Objectives important to this lesson:

  1. What are information security policies
  2. Types of security policies
  3. Developing security policies
Concepts:

This chapter covers information security policies, which the text tells us are the heart of an effective security program. The text says that policies are inexpensive (they are just rules) but hard to implement, because they have no effect if people do not comply with them. So what makes a good policy?

  • A policy should not be in conflict with applicable law. (Should not? Maybe the author meant must not.)
  • A policy must stand up in court when challenged. This sounds like the first rule, but it is more about proving the legality of the policy itself, not its being in accord with existing laws.
  • A policy must be properly supported and administered: supported by authority in the enterprise, and implemented and enforced correctly and fairly.

The text lists some benefits that policies have for management:

  • reference for internal audits - this proves we have a policy
  • reference for legal disputes - shows that management made the policy accessible to those who should have acted under it
  • statements of management's intent - serves as a guideline for staff who may need to act when management is not available for consultation
  • not listed: justification of actions - staff can refer to a policy when they need to explain themselves to management

That list of justifications looks more like a list of alibis. It's not our fault, your honor, we told everyone not to do what they did. Do they serve any constructive purposes? Well, they should. Let's consider some (the text finally got around to them) definitions:

  • policy - a plan that influences decisions;
    a guideline for decisions and actions;
    needs to be understood by those meant to follow it because it is a set of rules about what actions are acceptable and what actions are unacceptable
  • standard - a statement of what must be done to comply with a policy;
    example: a standard might require that workstations bought for use in a particular area (e.g. systems development) must be either of two specific approved workstation models in order to comply with a policy that we only purchase workstations from a short list from a contracted vendor; a standard is typically more specific and narrow than a policy, and tells you how do what you need to do so you don't break the rules
  • practice - if a policy and its standards are still a bit vague, a practice is document that spells out more specifically what we must do to be in compliance;
    if standards are specific enough, a statement of practice may not be necessary;
    if different work areas, for example, must follow the rules in different ways, they may each have a statement of practice to tell staff how to comply in their jobs

The text has a long list of requirements for a policy to be effective:

  • must be properly written - understandable, relevant, clear
  • must be distributed - although the historical legend about ignnorance of the law not being an excuse, it is not sensible to expect staff to comply with a policy they are not told about
  • must be read - if we email a policy statement to all employees, does that guarantee that they all will read it?
  • must be understood and agreed to - it is frequently amazing that people will agree completely with a policy as long as it applies to someone else, not them
  • must be uniformly applied - the rules should be the same rules for eeveryone, or the policy will cause those who must follow it to resent those who do not and those who make and enforce the rules

The points above are sensible but arguable. Have you ever worked someplace where all the rules apply equally to all employees? If so, it must not have been a very large organization.

The text continues with a list of topics that should be addressed by issue-specific security policies:

  • email
  • Internet use
  • system configurations (of workstations and other equipment, such as Point of Sale devices)
  • rules about hacking, including rules about installing unapproved software
  • approved use of company equipment at home
  • allowed use of personal equipment on company networks
  • allowed use of networks/telephones for company or personal business
  • allowed use of photocopiers
  • prohibited uses of company resources

The text makes a large distinction between policies created at three levels:

  • Enterprise Information Security Policies - high level, enterprise-wide rules
  • Issue-Specific Security Policies - concerned with usage and operational rules for specific systems
  • System-Specific Security Policies - may be standards for setting up or maintaining systems
Notice that the third item is not simply a tighter focus of the second, it is a different focus. Why do we need security rules for the installation of equipment? A system can be most vulnerable while it is being installed, or while it is down for maintenance. We should not ignore these windows of vulnerability. How do you remember that? Recall how Nick Cage stole the Declaration of Independence. He got them to move it from the public, bulletproof display to the "safety" of the restoration room. (National Treasure, Walt Disney Pictures, 2004)

The text reminds us that in the creation phase of a policy, it should be approved by your management, human relations authorities, and appropriate legal staff before you consider distributing it an putting it in force. All staff should understand that a policy is a work rule and that it must be followed,

A large part of the chapter concerns complicated methods for constructing policies that are not often used. It is suggested that policies be examined for the reading level and grade level of the words and phrases used in them, but this is also frequently unavailable to writers unless they use software that supports it. Modern versions of Microsoft Word, for example, do include the statistics shown in figure 4-9. Note the recommendations for the two pertinent scales in the text:

  • A higher score on the Flesch Reading Ease scale means "easier to read". The text recommends a score of 60 to 70 for most corporate documents.
  • The Flesch-Kincaid Grade Level score corresponds to the number of American grade school years needed to comprehend the item scored. The text recommends 7th or 8th grade levels for most corporate documents. Would lower be better? Can you say "not necessarily", neighbor? I thought you could!