Implementing an Information Security Policy: Guidelines for Success


By Daniel I. Didier


Introduction

An information security policy enables an organization to establish a set of rules and regulations, defined by its management, that support compliance with applicable laws, industry regulations, and business drivers.[1]  Establishing an information security policy is one of the most important components of an effective information security program.  By doing so, an organization aligns business and technology initiatives and fosters the implementation of reasonable and cost-effective information security measures.

Unfortunately, many organizations fail to implement an information security policy that effectively enables business initiatives, lowers risk, and ensures the ongoing security of their data.  Often, the task of implementing an information security policy is undertaken in response to compliance requirements and is viewed as an added burden that hinders productivity.  As a result, minimal effort, funding, and support are assigned to the task of implementing an information security policy.


Information Security Policy Drivers

Some organizations take a proactive approach to information security, but most implementations are driven by business and compliance requirements such as the US Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act of 2002, and the Gramm-Leach-Bliley Act (GLBA).[2]

At the national level, every federal agency must develop, document, and implement an information security program as defined in the Federal Information Security Management Act (FISMA) of 2002.[3]  Regulations and standards to protect private intellectual property have also been developed that are specific to state and local government.  The first of its kind, the California (USA) Data Privacy Law (California SB 1386), enacted in July of 2003, requires private companies to disclose all security breaches that result in the disclosure of individuals’ private information.  As of May of 2008, 43 states, the District of Columbia, and Puerto Rico have enacted breach notification statutes similar to SB 1386.[4]  To comply with these mandates, an organization must define guidelines for compliance in an information security policy.

Entities associated with critical national infrastructure must comply with new federal mandates designed to protect our nation.  As an example, bulk power providers must comply with the requirements defined by the North American Electric Reliability Council (NERC) to establish an information security program.[5]

As the value and volume of electronically stored information continue to increase, and as the security of our nation, its people, and its critical infrastructure depends ever more on that information, the need for effective information security policies will become ever more important.  If your organization has been required to develop an information security policy as a compliance requirement, or its management has decided to do so as a proactive approach to information security management, you should take this as an opportunity to develop an information security policy that will meld business and information security initiatives, enable business functions, reduce risk, and help establish cost-effective solutions.

Developing an Information Security Policy

An effective information security policy is one that is designed to support the control objectives defined by management to meet the critical assurance requirements of achieving business objectives and preventing, detecting, and correcting undesired events.[6]  An information security policy should enable high-level business requirements by protecting data with defined policy, controls, standards, and procedures for configuring and managing security.[7]  In doing so, an organization clearly establishes the guidelines necessary to secure business functions as defined by the key business stakeholders.

Policy
This critical component of the information security policy can be thought of as the rules and regulations set by the organization that enable compliance with applicable law, industry regulation, and the decisions of key stakeholders.[8]  The policy should be brief and concise so that it clearly identifies the business requirements for the security of the information assets.  Typically, four key elements are defined: “to whom and what the policy applies, the need for adherence, a general description, and consequences of nonadherence.”[9]  The policy is then used to develop the remaining controls, standards, and procedural components of the information security policy.

Controls
Controls are measures used to protect systems against specific threats.[10]  As an example, a policy might require all firewall adds, moves, or changes to be approved; a specific control that could be defined in the policy might state that all changes to the firewall must be facilitated with an appropriate change request form and approved by the information security officer.

Standards
Standards define what must be done to implement security as defined in a particular policy.  This includes descriptions of security controls and how they apply to the corporate environment.  As an example, a policy might define the need for strong authentication when accessing sensitive data; the resulting standard might specify a particular brand and model of smart card that should be used to satisfy these requirements.  Standards are typically the concern of those who must implement policies and, as such, do not have to be made known to all employees.  Standards must be updated periodically as technical or regulatory changes occur.[11]

Procedures
The largest section of the information security policy, procedures, defines how individuals must behave when implementing policies.[12]  Procedures should match the accompanying standards, ensuring that standards require specific tasks to be completed to achieve full compliance.[13]  As an example, a policy might require the use of encryption when communicating over any external network; the corresponding standard might define the proprietary VPN hardware and software solution necessary to implement that policy; and the corresponding procedure would provide the detailed step-by-step instructions required for configuring that particular VPN solution.

Interpreting Risk

In order to compose effective policy and cost-effective actions, a clear understanding of the risks associated with business functions must be established.  To do this, an evaluation of the information assets and the impact of potential threats must be performed.  Typically, this is accomplished in the form of a risk analysis.  A risk analysis should define both the monetary value and the intrinsic value of the organization’s assets.  Monetary value is calculated by interpreting the cost of any type of impact to an asset’s data, networks, or systems.  Intrinsic value is calculated by interpreting the cost of a security incident that may affect credibility, reputation, and relationships with key stakeholders.[14]

Once the value of organizational assets has been established, a risk assessment must be performed.  The assessment enables an organization to calculate exposure and identify whether an asset is underprotected, overprotected, or adequately protected.  The goal of the assessment is to allocate adequate resources to achieve the desired level of security as defined by the information security policy.[15]

Policy Enforcement

A well-constructed policy takes considerable effort and can add substantial value to an organization’s business functions and information security program.  However, without proper enforcement mechanisms, a policy may be worth little more than the paper it was printed on.  Policy compliance reviews can be used to document the level of compliance with the information security policy and are typically performed by a group or individual that is not responsible for implementing the standards, controls, and procedures.  In addition, vulnerability assessments can be performed by operations personnel to pinpoint specific vulnerabilities in the systems and applications.[16]

Policy Resources

The creation of a policy, especially without a preexisting document, can be extremely difficult.  Luckily, many resources exist that provide direction, recommendations, and policy templates.  Drawing on the past experiences and efforts of experienced policy writers can greatly reduce the stress and frustration associated with policy development and also help to ensure a better end result.  Equally important to developing a successful policy is avoiding common policy-writing pitfalls, enabling a cooperative team environment, and making effective use of time.  Some of the resources available to assist in the policy-writing process are listed below:

· The SANS Security Policy Project
  http://www.sans.org/resources/policies/

· ISO/IEC 17799
  http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm

· CobiT
  http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981

· NIST – Special Publications
  http://csrc.nist.gov/publications/PubsSPs.html

· CERT – Governing for Enterprise Security
  http://www.cert.org/governance/

Conclusion

An organization can maximize its investment in developing an information security policy by understanding the breadth of organizational involvement necessary to develop, implement, and manage a successful program.  In addition, aligning business and technology initiatives through the use of an information security policy can result in reduced risk, increased efficiencies, and ongoing compliance.  Development of an information security policy can be greatly enhanced by leveraging preexisting materials to avoid common pitfalls and establish effective policies, standards, controls, and procedures.



[1] Kabay, M. E., “Security Policy Guidelines.” Computer Security Handbook, 4th edition, (2002): 28-1

[2] Ungerman, Mark, “Creating and Enforcing an Effective Information Security Policy.” Information Systems Control Journal, Vol. 6, (2005)

[3] “FISMA, Detailed Overview,” NIST Computer Security Division, http://csrc.nist.gov/groups/SMA/fisma/overview.html (accessed June 2008)

[4] Rabbin, Gille Ann and Thomas Smith. 2008. NYS Information Security Breach and Notification Act. In the 11th Annual New York State Cyber Security Conference, Albany, New York. Empire State Plaza.

[5] “Critical Infrastructure Protection,” North American Electric Reliability Corporation, http://www.nerc.com/cip.html (accessed June 2008)

[6] “Cobit 4.1 Excerpt, Executive Summary Framework,” IT Governance Institute, (2007): 5

[7] Kabay, M. E., “Security Policy Guidelines.” Computer Security Handbook, 4th edition, (2002): 28-2

[8] Ibid.

[9] Ungerman, Mark, “Creating and Enforcing an Effective Information Security Policy.” Information Systems Control Journal, Vol. 6, (2005)

[10] Kabay, M. E., “Security Policy Guidelines.” Computer Security Handbook, 4th edition, (2002): 28-2

[11] Kabay, M. E., “Security Policy Guidelines.” Computer Security Handbook, 4th edition, (2002): 28-2

[12] Kabay, M. E., “Security Policy Guidelines.” Computer Security Handbook, 4th edition, (2002): 28-3

[13] Ungerman, Mark, “Creating and Enforcing an Effective Information Security Policy.” Information Systems Control Journal, Vol. 6, (2005)

[14] Ibid.

[15] Ibid.

[16] Ungerman, Mark, “Creating and Enforcing an Effective Information Security Policy.” Information Systems Control Journal, Vol. 6, (2005)

Daniel I. Didier - Information Assurance / Information Security Consultant

Information Systems Security (INFOSEC) Professional
Cisco Certified Security Professional CCSP
Cisco Technology Solution Specialist TSS
Cisco Advanced Security Field Specialist ASFE
Cisco Certified Network Administrator CCNA



NetSecureIA
Secure Network Design and Information Assurance Consulting