ITS 305 - Security Policies and Auditing
Chapter 4, Information Security Policy
Objectives:
This lesson discusses information security policies.
Objectives important to this lesson:
- What are information security policies
- Types of security policies
- Developing security policies
Concepts:
This chapter covers information security policies,
which the text tells us are the heart of an effective security program.
The text says that policies are inexpensive (they are just rules) but
hard to implement, because they have no effect if people do not comply
with them. So what makes a good policy?
- A policy should not be in conflict with applicable law. (Should not? Maybe the author meant must not.)
- A policy must stand up in court when challenged. This sounds like
the first rule, but it is more about defending your policy itself, not
its being in accord with existing laws.
- A policy must be properly supported and administered: supported
by authority in the enterprise, and implemented and enforced
correctly and fairly.
The text lists some benefits that policies have for management:
- reference for internal audits - this proves we have a policy
- reference for legal disputes - shows that management made the policy accessible to those who should have acted under it
- statements of management's intent - serves as a guideline for staff who may need to act when management is not available for consultation
- not listed: justification of actions - staff can refer to a policy when they need to explain themselves to management
That list of justifications looks more like a list of alibis. It's not
my clients' fault, your honor, they told everyone not to do what was done.
Do they serve any constructive purposes? Well, they should. Let's consider
some (the text finally got around to them) definitions:
- policy - a policy is a plan that influences decisions;
a policy is a guideline for decisions and actions;
a policy needs to be understood by those meant to follow it because
it is a set of rules about what actions are acceptable
and what actions are unacceptable
- standard - a statement of what must be done to comply with
a policy;
example: a standard might require that workstations bought for use in
a particular area (e.g. systems development) must be either of two specific
approved workstation models in order to comply with a policy that we
only purchase workstations from a short list from a contracted vendor;
a standard is typically more specific and narrow than
a policy, and tells you how to do what you need to do so you don't
break the rules
- practice - if a policy and its standards are still a bit vague, a practice is a document that spells out more specifically what we must do to be in compliance;
if standards are specific enough, a statement of practice may not be necessary;
if different work areas, for example, must follow the rules in
different ways, they may each have a statement of practice to tell
staff how to comply in their jobs
The text has a long list of requirements for a policy to be effective:
- must be properly written - understandable, relevant, clear
- must be distributed - despite the principle that ignorance
of the law is not an excuse, it is not sensible to expect staff
to comply with a policy they are not told about
- must be read - if we email a policy statement to all employees, does that guarantee that they all will read it?
- must be understood and agreed to - it is frequently amazing that people will agree completely with a policy as long as it applies to someone else, not them
- must be uniformly applied - the rules should be the
same rules for everyone, or the policy will cause those who must follow
it to resent those who do not and those who make and enforce the rules
The points above are sensible but arguable. Have you ever worked someplace
where all the rules apply equally to all employees? If so, it must not
have been a very large organization.
The text continues with a list of topics that should be addressed by issue-specific security policies:
- email
- Internet use
- system configurations (of workstations and other equipment, such as Point of Sale devices)
- rules about hacking, including rules about installing unapproved software
- approved use of company equipment at home
- allowed use of personal equipment on company networks
- allowed use of networks/telephones for company or personal business
- allowed use of photocopiers
- prohibited uses of company resources
The text makes a large distinction between policies created at three levels:
- Enterprise Information Security Policies - high level, enterprise-wide rules
- Issue-Specific Security Policies - concerned with usage and operational rules for specific systems
- System-Specific Security Policies - may be standards for setting up or maintaining systems
Notice that the third item is not simply
a tighter focus of the second, it is a different focus. Why do we need security
rules for the installation of equipment? A system can be most vulnerable
while it is being installed, or while it is down for maintenance. We should
not ignore these windows of vulnerability. How do you remember that? Recall
how Nick Cage stole the Declaration of Independence. He got them to move
it from the public, bulletproof display to the "safety" of the preservation
room. (National Treasure, © Walt Disney Pictures, 2004)
The text reminds us that in the creation phase of a policy, it
should be approved by your management, human relations authorities, and
appropriate legal staff before you consider distributing it and putting
it in force. All staff should understand that a policy is a work rule
and that it must be followed.
A large part of the chapter concerns complicated methods for constructing
policies that are not often used. It is suggested that policies be examined
for the reading level and grade level of the words and phrases used in
them, but this is also frequently unavailable to writers unless they use
software that supports it. On the positive side, modern versions of Microsoft
Word do include the statistics shown in figure 4-9. Note the recommendations
for the two pertinent scales in the text:
- A higher score on the Flesch Reading Ease scale means "easier to read". The text recommends a score of 60 to 70 for most corporate documents.
- The Flesch-Kincaid Grade Level score corresponds to the number of American
grade school years needed to comprehend the item scored. The text recommends
7th or 8th grade levels for most corporate documents. Would lower be
better? Can you say "not necessarily", neighbor? I thought you could.
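If your word processor does not show these statistics, the two scales are simple enough to compute yourself and to run over a draft policy before it goes to management for approval. The following is an added example, not from the textbook or the course: it scores two constructed sample sentences with the standard Flesch Reading Ease and Flesch-Kincaid Grade Level formulas and compares the result with the 60-70 and 7th-8th grade bands the text recommends. The syllable counter is a vowel-group heuristic (an assumption of this example, not the algorithm Microsoft Word uses), so expect scores to differ slightly from Word's figure 4-9 statistics.

```python
import re

# Recommended bands quoted from the chapter for most corporate documents.
EASE_BAND = (60.0, 70.0)   # Flesch Reading Ease: higher means easier to read
GRADE_BAND = (7.0, 8.0)    # Flesch-Kincaid Grade Level: US school grade


def count_syllables(word: str) -> int:
    """Approximate syllable count: vowel groups, minus one trailing silent 'e'.
    Heuristic only (assumption of this example); real dictionaries do better."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and n > 1:
        n -= 1          # 'shared' style endings; 'be' keeps its one syllable
    return max(n, 1)


def readability(text: str) -> dict:
    """Standard Flesch formulas over words, sentences and syllables."""
    words = re.findall(r"[A-Za-z]+(?:'[A-Za-z]+)?", text)
    if not words:
        raise ValueError("no words to score")
    sentences = len(re.findall(r"[.!?]+", text)) or 1   # unterminated text = 1 sentence
    syllables = sum(count_syllables(w) for w in words)
    wps = len(words) / sentences        # words per sentence
    spw = syllables / len(words)        # syllables per word
    ease = 206.835 - 1.015 * wps - 84.6 * spw
    grade = 0.39 * wps + 11.8 * spw - 15.59
    return {"words": len(words), "sentences": sentences, "syllables": syllables,
            "reading_ease": round(ease, 2), "grade_level": round(grade, 2)}


def _verdict(value: float, band: tuple, higher_is_easier: bool) -> str:
    low, high = band
    if low <= value <= high:
        return "within band"
    above = value > high
    return "easier" if above == higher_is_easier else "harder"


def check_against_guidance(text: str) -> dict:
    """Report where a draft sits relative to the chapter's recommended bands.
    'easier'/'harder' are relative to the band, not a judgement of quality:
    the text notes that a lower grade level is not necessarily better."""
    r = readability(text)
    return {
        "reading_ease": r["reading_ease"],
        "ease_verdict": _verdict(r["reading_ease"], EASE_BAND, higher_is_easier=True),
        "grade_level": r["grade_level"],
        "grade_verdict": _verdict(r["grade_level"], GRADE_BAND, higher_is_easier=False),
    }


# Constructed sample policy sentences (not from any real policy document).
PLAIN_DRAFT = ("All staff must lock their workstation when leaving their desk. "
               "Passwords must never be shared with anyone.")
DENSE_DRAFT = ("Personnel are prohibited from disseminating authentication "
               "credentials to unauthorized individuals.")

if __name__ == "__main__":
    for label, draft in (("plain", PLAIN_DRAFT), ("dense", DENSE_DRAFT)):
        print(label, readability(draft), check_against_guidance(draft))
```

Run it on a whole policy file rather than a sentence or two; the formulas are averages, and the bands in the text were meant for documents, not individual sentences. The dense sample scores as "harder" than the recommended band on both scales, which is the kind of draft that the text's "must be understood" requirement is warning about.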