ITS 305 - Security Policies and Auditing

Chapter 4, Information Security Policy

Objectives:

This lesson discusses information security policies. Objectives important to this lesson:

  1. What are information security policies
  2. Types of security policies
  3. Developing security policies

Concepts:

This chapter covers information security policies, which the text tells us are the heart of an effective security program. The text says that policies are inexpensive (they are just rules) but hard to implement, because they have no effect if people do not comply with them. So what makes a good policy?

  • A policy should not be in conflict with applicable law. (Should not? Maybe the author meant must not.)
  • A policy must stand up in court when challenged. This sounds like the first rule, but it is more about proving the legality of the policy itself, not its being in accord with existing laws.
  • A policy must be properly supported and administered: supported by authority in the enterprise, and implemented and enforced correctly and fairly.

The text lists some benefits that policies have for management:

  • reference for internal audits - this proves we have a policy
  • reference for legal disputes - shows that management made the policy accessible to those who should have acted under it
  • statements of management's intent - serves as a guideline for staff who may need to act when management is not available for consultation
  • not listed: justification of actions - staff can refer to a policy when they need to explain themselves to management

That list of justifications looks more like a list of alibis. It's not our fault, your honor, we told everyone not to do what they did. Do they serve any constructive purposes? Well, they should. Let's consider some (the text finally got around to them) definitions:

  • policy - a plan that influences decisions;
    a guideline for decisions and actions;
    needs to be understood by those meant to follow it because it is a set of rules about what actions are acceptable and what actions are unacceptable
  • standard - a statement of what must be done to comply with a policy;
    example: a standard might require that workstations bought for use in a particular area (e.g. systems development) must be either of two specific approved workstation models in order to comply with a policy that we only purchase workstations from a short list from a contracted vendor; a standard is typically more specific and narrow than a policy, and tells you how to do what you need to do so you don't break the rules
  • practice - if a policy and its standards are still a bit vague, a practice is a document that spells out more specifically what we must do to be in compliance;
    if standards are specific enough, a statement of practice may not be necessary;
    if different work areas, for example, must follow the rules in different ways, they may each have a statement of practice to tell staff how to comply in their jobs

The text has a long list of requirements for a policy to be effective:

  • must be properly written - understandable, relevant, clear
  • must be distributed - despite the old legal maxim that ignorance of the law is no excuse, it is not sensible to expect staff to comply with a policy they have not been told about
  • must be read - if we email a policy statement to all employees, does that guarantee that they all will read it?
  • must be understood and agreed to - it is frequently amazing that people will agree completely with a policy as long as it applies to someone else, not them
  • must be uniformly applied - the rules should be the same rules for everyone, or the policy will cause those who must follow it to resent those who do not and those who make and enforce the rules

The points above are sensible but arguable. Have you ever worked someplace where all the rules apply equally to all employees? If so, it must not have been a very large organization.

The text continues with a list of topics that should be addressed by issue-specific security policies:

  • email
  • Internet use
  • system configurations (of workstations and other equipment, such as Point of Sale devices)
  • rules about hacking, including rules about installing unapproved software
  • approved use of company equipment at home
  • allowed use of personal equipment on company networks
  • allowed use of networks/telephones for company or personal business
  • allowed use of photocopiers
  • prohibited uses of company resources

The text makes a large distinction between policies created at three levels:

  • Enterprise Information Security Policies - high level, enterprise-wide rules
  • Issue-Specific Security Policies - concerned with usage and operational rules for specific systems
  • System-Specific Security Policies - may be standards for setting up or maintaining systems

Notice that the third item is not simply a tighter focus of the second, it is a different focus. Why do we need security rules for the installation of equipment? A system can be most vulnerable while it is being installed, or while it is down for maintenance. We should not ignore these windows of vulnerability. How do you remember that? Recall how Nick Cage stole the Declaration of Independence. He got them to move it from the public, bulletproof display to the "safety" of the restoration room. (National Treasure, © Walt Disney Pictures, 2004)

The text reminds us that in the creation phase of a policy, it should be approved by your management, human relations authorities, and appropriate legal staff before you consider distributing it and putting it into force. All staff should understand that a policy is a work rule and that it must be followed.

A large part of the chapter concerns complicated methods for constructing policies that are not often used. It is suggested that policies be examined for the reading level and grade level of the words and phrases used in them, but this check is frequently unavailable to writers unless they use software that supports it. Modern versions of Microsoft Word, for example, do include the statistics shown in figure 4-9. Note the recommendations for the two pertinent scales in the text:

  • A higher score on the Flesch Reading Ease scale means "easier to read". The text recommends a score of 60 to 70 for most corporate documents.
  • The Flesch-Kincaid Grade Level score corresponds to the number of American grade school years needed to comprehend the item scored. The text recommends 7th or 8th grade levels for most corporate documents. Would lower be better? Can you say "not necessarily", neighbor? I thought you could!
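For readers who want to see how the two scales above are computed and checked against the recommended ranges without Word, here is an added example (not from the textbook or these notes) that scores two constructed policy drafts with the published Flesch formulas. The syllable counter is a simple vowel-group heuristic, so its scores will differ slightly from Word's; the recommended ranges are the ones quoted above.

```python
import re

# Recommended ranges quoted in the chapter notes for corporate documents.
READING_EASE_RANGE = (60.0, 70.0)   # Flesch Reading Ease: higher means easier
GRADE_LEVEL_RANGE = (7.0, 8.0)      # Flesch-Kincaid: US school grade level


def count_syllables(word: str) -> int:
    """Heuristic: count vowel groups, then drop one for a trailing silent 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    groups = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and groups > 1:
        groups -= 1
    return max(groups, 1) if w else 0


def score_policy(text: str) -> dict:
    """Compute both Flesch scores and flag which recommendation a draft misses."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    if not sentences or not words:
        raise ValueError("draft contains no sentences to score")
    syllables = sum(count_syllables(w) for w in words)
    wps = len(words) / len(sentences)      # average words per sentence
    spw = syllables / len(words)           # average syllables per word
    # Published Flesch Reading Ease and Flesch-Kincaid Grade Level formulas.
    ease = 206.835 - 1.015 * wps - 84.6 * spw
    grade = 0.39 * wps + 11.8 * spw - 15.59
    findings = []
    if ease < READING_EASE_RANGE[0] or grade > GRADE_LEVEL_RANGE[1]:
        findings.append("harder than recommended: simplify wording or split sentences")
    if ease > READING_EASE_RANGE[1] or grade < GRADE_LEVEL_RANGE[0]:
        findings.append("simpler than the target range: check nothing needed was left out")
    return {"words": len(words), "sentences": len(sentences), "syllables": syllables,
            "reading_ease": round(ease, 2), "grade_level": round(grade, 2),
            "findings": findings}


# Two constructed policy drafts (not from the text) to show the check in action.
PLAIN_DRAFT = ("All staff must lock their screens when they leave their desks. "
               "Report lost badges to security on the same day.")
DENSE_DRAFT = ("Personnel are prohibited from circumventing authentication "
               "mechanisms implemented on organizational infrastructure.")

if __name__ == "__main__":
    for name, draft in (("plain", PLAIN_DRAFT), ("dense", DENSE_DRAFT)):
        print(name, score_policy(draft))
```

The plain draft scores well below the 7th-grade target and the dense one far above it, which is the point of the note above: the goal is the recommended band, not the lowest possible score.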