SPGUNIT4

Uploaded by DINESH GAWANDE

Information Security Policy

• Policy: In business, a statement of managerial intent designed to guide and regulate employee behavior in the organization; in IT, a computer configuration specification used to standardize system and user behavior.
• Policy is the essential foundation of an effective
information security program.
• The policy maker sets the tone and emphasis on the importance of information security.
• Objectives
Reduced risk, Compliance with laws and
regulations, Assurance of operational continuity,
information integrity, and confidentiality.
Why Policy?
• Policies are the least expensive means of
control.
• Policy is the essential foundation of an effective
information security program.
• A quality information security program begins
and ends with policy.
• Basic rules for shaping a policy
– Policy should never conflict with law.
– Policy must be able to stand up in court if
challenged.
– Policy must be properly supported and
managed.
• Information security policies are designed to
provide structure in the workplace and explain
the will of the organization's management in
controlling the behavior of its employees with
regard to the appropriate and secure use of its
information and information resources. Policy
is designed to create a productive and effective
work environment, free from unnecessary
distractions and inappropriate actions.
• Policy is simply a manager's or other governing
body's statement of intent; as such, a policy
(document) actually contains multiple policies
(statements).
• The following guidelines can help in the formulation of IT policy as well as InfoSec policy:
• All policies must contribute to the success of
the organization.
• Management must ensure the adequate sharing
of responsibility for proper use of information
systems.
• End users of information systems should be
involved in the steps of policy formulation.
Spheres of security
• The right side of the model represents the levels and layers of protection the organization can place between information and those with access to it. To access information from outside the organization, people must navigate the Internet and pass through the organization's perimeter defense (gateway, firewalls, and routers), across the organization's network, into the organization's computer systems, and finally onto the drives physically storing that information. The model also shows that people within the organization, its employees, unfortunately have much less restricted access to many forms of information, especially when it is in physical form. An insider who already holds an account, or who can simply pick up a printed report, bypasses every one of those technical layers, which is why policy (backed by physical controls and awareness training) is the principal control on that side of the model.
Bull's-eye model
• Four layers of the bull's-eye model, are
• 1. Policies- This is the outer layer in the bull's-eye
diagram, reflecting that it is the initial viewpoint
that most users have for interacting with InfoSec.
It is available from the published documents that
express the will of management and seeks to
guide user behavior.
• 2. Networks- This is the environment where
threats from public networks meet the
organization's networking infrastructure. In the
past, most InfoSec efforts focused on networks.
InfoSec was often thought to be synonymous with
network security.
• 3. Systems- These are the collections of
hardware and software being used as servers or
desktop computers as well as those systems
used for process control and manufacturing
systems.
• 4. Applications- These are the application
systems, ranging from packaged applications,
such as office automation and e-mail programs,
to high-end enterprise resource planning (ERP)
packages to custom application software or
process control applications developed by the
organization.
Policies are important reference documents
– For internal audits
– For the resolution of legal disputes about
management's due diligence (proper actions
that a situation calls for, especially those
that help to avoid harm or risk)
– Policy documents can act as a clear statement of management's intent
Types of information security policy
– Enterprise Information Security Policy
– Issue-specific Information Security Policies
– Systems-specific Policies
Policy, Standards, and Practices
• Policy : A plan or course of action that influences
decisions
– must be properly distributed, read, understood,
agreed-to, and uniformly enforced
– require constant modification and maintenance
• Standards
– A more detailed statement of what must be done to comply with policy
• Practices
– Procedures and guidelines explain how
employees will comply with policy
• The three types of InfoSec policy are
as follows:
• Enterprise Information Security
Policy (EISP)
• Issue-Specific Security Policies
(ISSP)
• System-specific Security Policies
(SysSP)
Enterprise information security policy
• EISP is a set of rules that people with access to the organization's data, assets, networks, and other IT resources must follow to minimize cyber risk exposure.
• EISP: The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts. An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy.
• Assigns responsibilities for the various areas of
InfoSec, including maintenance of InfoSec policies
and the practices and responsibilities of end users.
• EISP guides the development, implementation,
and management requirements of the InfoSec
program, which must be met by InfoSec
management and other specific security
functions.
• The EISP must directly support the
organization's vision and mission statements.
It is an executive-level document, usually
drafted by the CISO in consultation with the
CIO and other executives.
• EISP does not typically require frequent or
routine modification unless the strategic
direction of the organization changes.
EISP Elements
• An overview of the corporate philosophy on
security.
• Information on the structure of the InfoSec
organization and individuals who fulfil the
InfoSec role.
• Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors).
•Fully articulated responsibilities for security that
are unique to each role within the organization.
Issue-Specific Security Policy
• An organizational policy that provides detailed,
targeted guidance to instruct all members of the
organization in the use of a resource, such as
one of its processes or technologies.
• ISSP is designed to regulate the use of some
technology or other resource issue within the
organization. In some organizations, ISSPs are
referred to as fair and responsible use policies,
describing the intent of the policy to regulate
appropriate use.
• Provides detailed, targeted guidance
– Instructions for the secure use of technology systems
– Begins with an introduction to the organization's fundamental technological philosophy
• Protects organization from inefficiency and
ambiguity
– Documents how the technology-based system
is controlled
– Identifies the processes and authorities that
provide this control
• Protects the organization against liability for an
employee’s inappropriate or illegal system use.
• Every organization's ISSP has three
characteristics:
• It addresses specific technology-
based resources.
• It requires frequent updates.
• It contains a statement explaining the
organization's position on a particular
issue.
Typical subjects of ISSPs in most organizations:
• Use of e-mail, instant messaging (IM), and other
electronic communications applications
• Use of the Internet, the Web, and company
networks by company equipment
• Malware protection requirements (such as anti-
malware software implementation)
• Installation and use of non-organizationally issued software or hardware on organization assets, such as personal computing devices.
• Processing and/or storage of organizational information on non-organizationally owned computers, such as those of cloud computing providers.
• Prohibitions against hacking or testing the
organization's security controls or attempting
to modify access control privileges
• Personal and/or home use of company-owned
computer equipment
• Removal of organizational equipment from
organizational property
• Use of personal equipment on company
networks, such as "BYOD" (bring your own
device)
• Use of personal technology during work hours
(mobile phones, tablets, etc.)
• Use of organizational telecommunications
technologies and networks (fax, phone, mobile
phone, intercom).
• Use of photocopying and scanning equipment
• Requirements for storage and access to company
information while outside company facilities (e.g.,
encryption).
• Specifications for the methods, scheduling,
conduct, and testing of data backups.
• Requirements for the collection, use, and
destruction of information assets.
• Requirements and permissions for storage of
access control credentials by users.
Elements of the ISSP
• 1. Statement of Purpose
• The ISSP should begin with a clear statement of
purpose that outlines the scope and applicability
of the policy.
• It should address the following questions:
• What purpose does this policy serve?
• Who is responsible and accountable for policy
implementation?
• What technologies and issues does the policy
document address?
• 2. Authorized Uses
• The policy statement explains who can use the
technology governed by the policy and for
what purposes.
• The policy statement defines "fair and
responsible use" of equipment and other
organizational assets, and it addresses key legal
issues, such as protection of personal
information and privacy. Any use for any
purpose that is not explicitly identified is
considered a misuse of equipment according to
the policy.
• 3. Prohibited Uses
• The following actions might be prohibited: personal use; misuse; criminal use; use of offensive or harassing materials; and violation of copyrighted, licensed, or other intellectual property. In some organizations, that which is not permitted is prohibited; in others, that which is not prohibited is permitted.
• 4. Systems Management
• A company may want to issue specific rules
regarding the use of e-mail and electronic
documents, and storage of those documents, as
well as guidelines about authorized employer
monitoring & physical and electronic security
of e-mail and other electronic documents. If an
organization has established policies on data
management, including data backup and
retention policies, they should be summarized
and/or referenced here. The Systems Management section should also specify users' and systems administrators' responsibilities.
• 5. Violations of Policy
• The penalties and repercussions of violating the usage and systems management policies. Penalties should be laid out for each violation. This section should also provide instructions on how to report observed or suspected violations, either openly or anonymously, because some employees may fear that powerful individuals in the organization could retaliate against someone who reports violations.
• 6. Policy Review and Modification
• Every policy should contain procedures and a
timetable for periodic review. This section
should outline a specific methodology for the
review and modification of the ISSP, including
who is responsible for reviewing and modifying
the policy as well as specifying the process by
which the policy may be modified and
specifying the schedule for such review.
• 7. Limitations of Liability
• The final section offers a general statement of
liability or a set of disclaimers. If an individual
employee is caught conducting illegal activities
with organizational equipment or assets,
management does not want the organization to
be held liable. In other words, if employees
violate a company policy or any law using
company technologies, the company will not
protect them and the company is not liable for
their actions, assuming that the violation is not
known or sanctioned by management.
System-Specific Security Policy
• Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups: managerial guidance and technical specifications.
• For example, a SysSP for a network firewall might consist of guidance to network engineers on selecting, configuring, and operating the firewall, together with an access control list that defines the level of access granted to each authorized user.
• Managerial Guidance SysSPs A managerial
guidance SysSP is created by management to
guide the implementation and configuration of
technology, as well as to address the behavior of
people in the organization in ways that support the
security of information. These SysSPs are targeted
at the technologists responsible for
implementation and/or configuration, in order to
ensure continuity of intent between management
and IT. For example, while the specific
configuration of a firewall belongs in the technical
specifications SysSP, the process of constructing
and implementing the firewall must follow
guidelines established by management.
• Technical Specification SysSPs
• Systems administrator can implement a technical
control within a specific application to enforce
the policy. So, while the manager is primarily
responsible for the creation of the managerial
specifications version of the SysSP, sys admins
may be the primary authors or architects of the
technical specifications version.
• Access control lists (ACLs): Specifications of authorization that govern the rights and privileges of users to a particular information asset. ACLs include user access lists, matrices, and capability tables.
• ACLs regulate the following aspects of access:
• Who can use the system?
• What authorized users can access?
• When authorized users can access the system?
• Where authorized users can access the system
from?
• How authorized users can access the system?
• Administrators assign user privileges (also known as permissions), such as:
– Read, Write, Execute, Delete
• Configuration Rules
• Configuration rules are instructional codes that
guide the execution of the system when
information is passing through it. Rule-based
policies are more specific to the operation of a
system than ACLs are, and they may or may not
deal with users directly. Many security systems
require specific configuration scripts that dictate
which actions to perform on each set of
information they process. Examples include
firewalls, intrusion detection and prevention
systems (IDPSs), and proxy servers.
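The ACL and configuration-rule SysSPs described above are easiest to reason about when the rules are written down as an ordered, first-match rule base with an explicit default, which is how a firewall, an IDPS, or a proxy actually processes them. The Python below is an added example and not code from the page or its source text: it encodes a small access matrix over the five questions an ACL answers (who, what, when, where from, how) and the four privileges named above, decides each request by first match, and can emit a subject's row of the capability table. The policy object takes the organization's default as a parameter, so the same rules can be evaluated under "that which is not permitted is prohibited" (default deny) and "that which is not prohibited is permitted" (default allow). Every subject, role, asset name, address, and rule in it is constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

PRIVILEGES = ("read", "write", "execute", "delete")  # the privileges named in the text
ANY = "*"


@dataclass(frozen=True)
class Request:
    """One access attempt: who, what, which privilege, when, where from, how."""
    subject: str
    asset: str
    privilege: str
    when: datetime
    source_ip: str
    method: str  # e.g. "lan", "vpn", "console"


@dataclass(frozen=True)
class Rule:
    """One configuration rule; an empty field matches anything."""
    subjects: frozenset  # user names or role names; ANY matches everyone
    assets: frozenset
    privileges: frozenset
    action: str  # "allow" or "deny"
    hours: tuple = ()  # (start, end) hour of day, start inclusive, end exclusive
    networks: tuple = ()  # CIDR strings the request must originate from
    methods: frozenset = frozenset()

    def matches(self, req: Request, roles: set) -> bool:
        if ANY not in self.subjects and not (self.subjects & ({req.subject} | roles)):
            return False
        if (ANY not in self.assets and req.asset not in self.assets) or req.privilege not in self.privileges:
            return False
        if self.hours and not (self.hours[0] <= req.when.hour < self.hours[1]):
            return False
        if self.networks and not any(ip_address(req.source_ip) in ip_network(n) for n in self.networks):
            return False
        return not self.methods or req.method in self.methods


class AccessPolicy:
    """Ordered, first-match rule base with an explicit default, as a firewall processes one."""

    def __init__(self, rules, role_map, default="deny"):
        self.rules, self.role_map, self.default = list(rules), role_map, default

    def decide(self, req: Request):
        """Return (decision, reason): the first matching rule wins, otherwise the default applies."""
        roles = self.role_map.get(req.subject, set())
        for i, rule in enumerate(self.rules):
            if rule.matches(req, roles):
                return rule.action, f"rule {i}"
        return self.default, "default"

    def capability_table(self, subject, when, source_ip, method, assets):
        """One row of the access matrix: asset -> privileges this subject holds in this context."""
        return {a: {p for p in PRIVILEGES
                    if self.decide(Request(subject, a, p, when, source_ip, method))[0] == "allow"}
                for a in assets}


def build_example_policy(default="deny"):
    """Constructed sample rule base; every name, role and address here is hypothetical."""
    roles = {"alice": {"dba"}, "bob": {"analyst"}, "mallory": set()}
    rules = [
        # 0: DBAs get every privilege on payroll, but only from the corporate network, in hours, via LAN/VPN
        Rule(frozenset({"dba"}), frozenset({"payroll-db"}), frozenset(PRIVILEGES), "allow",
             hours=(8, 18), networks=("10.0.0.0/8",), methods=frozenset({"lan", "vpn"})),
        # 1: analysts may only read it, and only from inside
        Rule(frozenset({"analyst"}), frozenset({"payroll-db"}), frozenset({"read"}), "allow",
             networks=("10.0.0.0/8",)),
        # 2 and 3: anyone may read the wiki; nobody may delete from it
        Rule(frozenset({ANY}), frozenset({"wiki"}), frozenset({"read"}), "allow"),
        Rule(frozenset({ANY}), frozenset({"wiki"}), frozenset({"delete"}), "deny"),
    ]
    return AccessPolicy(rules, roles, default)


def example_decisions(default="deny"):
    """Decide a handful of constructed requests under the given default philosophy."""
    pol = build_example_policy(default)
    ten_am, ten_pm = datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 22, 0)
    reqs = {
        "alice delete payroll in hours": Request("alice", "payroll-db", "delete", ten_am, "10.1.2.3", "vpn"),
        "alice delete payroll after hours": Request("alice", "payroll-db", "delete", ten_pm, "10.1.2.3", "vpn"),
        "bob read payroll from inside": Request("bob", "payroll-db", "read", ten_am, "10.5.5.5", "lan"),
        "bob read payroll from internet": Request("bob", "payroll-db", "read", ten_am, "203.0.113.9", "vpn"),
        "mallory write wiki": Request("mallory", "wiki", "write", ten_am, "10.9.9.9", "lan"),
        "mallory delete wiki": Request("mallory", "wiki", "delete", ten_am, "10.9.9.9", "lan"),
    }
    return {name: pol.decide(r) for name, r in reqs.items()}


def example_capabilities(default="deny"):
    """Bob's row of the access matrix at 10:00 from the corporate LAN."""
    when = datetime(2024, 3, 4, 10, 0)
    return build_example_policy(default).capability_table("bob", when, "10.5.5.5", "lan", ["payroll-db", "wiki"])
```

Compare `example_decisions("deny")` with `example_decisions("allow")`: under default deny an unlisted subject writing to the wiki is refused and the analyst's capability row holds only read; under default allow the very same request succeeds, the DBA's after-hours delete goes through, and the analyst silently gains write, execute, and (wherever no deny rule was written) delete. That gap is the maintenance burden of the "not prohibited is permitted" philosophy in concrete form: every privilege nobody thought to prohibit is granted.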
• Combination SysSPs
• Many organizations create a single document
that combines elements of the management
guidance SysSP and the technical specifications
SysSP. While this document can be somewhat
confusing to the users of the policies, it is very
practical to have the guidance from both sides in
a single place. Such a document should carefully
articulate the required actions for each procedure
described.
Guidelines for Effective Policy
Development and Implementation
• Policy is only enforceable and legally
defensible if it is properly designed,
developed, and implemented using a
process that assures repeatable results.
One effective approach has six stages:
development (writing and approving),
dissemination (distribution), review
(reading), comprehension (understanding),
compliance (agreement), and uniform
enforcement.
Developing Information Security Policy
• Policy development as a three-part project.
• In the first part of the project, policy is designed
and written (or, in the case of an outdated policy,
redesigned and rewritten).
• In the second part, a senior manager or
executive at the appropriate level and the
organization's legal counsel review and formally
approve the document.
• In the third part of the development project,
management processes are established to
continue the policy within the organization.
• Policy Distribution: Getting the policy document into the hands of employees can require a significant investment by the organization if it is to be effective. The most common alternatives are hard-copy and electronic distribution. Hard copies are either handed directly to each employee or posted in a publicly available location. Electronic distribution uses e-mail, newsletters, the intranet, or a document management system. Whichever channel is used, the organization should be able to show who received the policy and when: in civil or criminal law, ignorance of a policy that was incompetently distributed is considered an acceptable excuse.
• Policy Reading
• Barriers to employees reading policies can arise from literacy or language issues; a large percentage of the workforce is considered functionally illiterate.
• Of the 11 million adults identified as illiterate in the U.S. National Assessment of Adult Literacy (NAAL) survey, 7 million could not answer simple test questions because of reading deficiencies, and 4 million could not take the test because of language barriers.
• Policy Comprehension (Understanding)
• Simply making certain that a copy of the
policy gets to employees in a form they can
review may not ensure that they truly
understand what the policy requires of them.
• To understand the policy, the document must
be written at a reasonable reading level, with
minimal technical jargon and management
terminology. The readability statistics supplied
by most productivity suite applications can
help determine the current reading level of a
policy.
• Policy Compliance
• Policy compliance means the employee must agree to the policy. Policies must be agreed to by act or by affirmation. Agreement by act occurs when the employee performs an action that requires acknowledging the policy before a resource can be used, such as clicking through a logon banner or a license agreement. Agreement by affirmation is an explicit acknowledgement, such as a signed form. Either way, the acknowledgement record should be retained, because it is the evidence that the policy was agreed to if a violation is later disputed.
• Policy Enforcement
• Policy enforcement must be able to withstand external scrutiny, because that scrutiny may come during legal proceedings. Enforcement must therefore be uniform: a penalty applied to one employee for conduct that was tolerated in others is difficult to defend.
Policy Development and
Implementation Using the SDLC
• Policy development or redevelopment
project should be well planned, properly
funded, and aggressively managed to
ensure that it is completed on time and
within budget. One way to accomplish
this goal is to use a Systems Development
Life Cycle (SDLC).
• Its phases are
• Investigation Phase
• During the investigation phase, the policy development team or committee should obtain:
• Support from senior management, because any project without it has a reduced chance of success
• Support and active involvement of IT management, specifically the CIO
• Clear articulation of goals
• Participation of the correct individuals from the
communities of interest affected by the recommended
policies.
• A detailed outline of the scope of the policy
development project and sound estimates for the cost
and scheduling of the project.
• Analysis Phase
• The analysis phase should produce :
• A new or recent risk assessment or IT audit
documenting the current InfoSec needs of the
organization.
• The gathering of key reference materials, including
any existing policies.
• Copies of all other relevant and current
organizational policy documents should be
collected. Relevant policies include application
systems development, computer operations,
computer equipment acquisition, human resources,
information systems quality control and physical
• The policy development committee must determine the organization's fundamental philosophy on policy. This philosophy typically falls into one of two groups:
• "That which is not permitted is prohibited." Also known as the "whitelist" (allow-list) approach: specific authorization is provided for various actions and behaviors, and everything else is prohibited by default.
• "That which is not prohibited is permitted." Also known as the "blacklist" (deny-list) approach: the policy specifies what actions, behaviors, and uses are prohibited, and allows all others by default.
• From a security standpoint the first philosophy fails safe, because anything the policy did not anticipate is blocked rather than allowed; the price is more maintenance, since every legitimate new use must be explicitly authorized.
• Design Phase
• The first task in the design phase is drafting the actual policy document. While this task can be done by a committee, the resulting document should incorporate all of the specifications and restrictions identified during the investigation and analysis phases.
• A number of resources at your disposal including
• The Web
• Government sites
• Professional literature
• Peer networks
• Professional consultants
• Implementation Phase
• In the implementation phase, the team must create a plan to distribute the policies and to verify that distribution. Members of the organization must explicitly acknowledge that they have received and read the policy.
• During this phase the policy development team ensures that the policy is properly distributed, read, understood, and agreed to by those to whom it applies, and that their understanding and acceptance is documented. A click-through acknowledgement of the kind used for an End-User License Agreement (EULA) is one common way of capturing that agreement.
• Maintenance Phase
• During the maintenance phase, the policy
development team monitors, maintains, and
modifies the policy as needed to ensure that it
remains effective as a tool to meet changing threats.
The policy should have a built-in mechanism
through which users can report problems, preferably
anonymously through a Web form monitored either
by the organization's legal team or a committee
assigned to collect and review such content.
• Organization should make sure that everyone is
required to follow the policy equally, and that
policies are not implemented differently in different
areas.
Software Support for Policy

Administration
The need for effective policy management has led to
the appearance of a class of software tools that
supports policy development, implementation, and
maintenance.
• One such tool, which couples policy publishing and
tracking with training videos and compliance quizzes,
is Compliance Shield by Information Shield. The
policies can be approved by management and then
published for users to review. The organization can
then add links to its training material and create and
administer compliance quizzes. All material is
electronic, meaning there is no need for hard-copy
documents.
Other Approaches to Information
Security Policy Development
• The Information Security Policies Made Easy Approach
• To keep policies current and viable, an individual must be responsible for scheduling reviews, defining review practices and procedures, and ensuring that policy and revision dates are present.
• Policy Administrator
• Information systems and InfoSec projects must have a
champion and a manager. The individual assigned to
manage the organization's InfoSec policies is referred to
as the policy administrator and is typically a mid-level
staff member responsible for the creation, revision,
distribution, and storage of the policy.
• Review Schedule
• In a changing environment, policies can retain
their effectiveness only if they are periodically
reviewed for currency and accuracy, and
modified to keep them updated.
• Any policy document should contain a
properly organized schedule of reviews.
Generally, a policy should be reviewed at least annually. The policy administrator should solicit input from representatives of all affected parties, management, and staff, and then use this input to modify the document accordingly.
• Review Procedures and Practices
• To facilitate policy reviews, the policy
administrator should implement a mechanism by
which individuals can easily make
recommendations for revisions to the policies and
other related documentation. Recommendation
methods could include e-mail, office mail, or an
anonymous Web form. Once the policy has come
up for review, all comments should be examined
and management-approved changes should be
implemented.
• In reality, most policies are drafted by a single
responsible individual and are then reviewed and
approved.
• Policy and Revision Date
• In some organizations, policies are drafted and
published without a date, leaving users of the
policy unaware of its age or status. This practice
can create problems, including legal ones, if
employees are complying with an out-of-date
policy. Such problems are particularly common
in an environment where there is high turnover.
• The policy document should include its date of
origin, along with the dates of revisions, if any.
A Final Note on Policy
• Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy.
– Policies exist, first and foremost, to inform
employees of what is and is not acceptable
behavior in the organization.
– Policy seeks to improve employee
productivity, and prevent potentially
embarrassing situations.
Management of Information Security, 3rd ed.
• There are three general causes of unethical and
illegal behavior, such as an employee failing to
follow policy:
• Ignorance- Ignorance of the law is no excuse;
however, ignorance of policy and procedures is.
The first method of deterrence is education,
which is accomplished by designing, publishing,
and distributing an organization's policies and
relevant laws, and obtaining agreement to
comply with these policies and laws from all
members of the organization. Reminders,
training, and awareness programs keep policy
information in front of employees to support
retention and compliance.
• Accident- People who have authorization and
privileges to manage information within the
organization are most likely to cause harm or
damage by accident. Careful planning and control
help prevent accidental modification to systems
and data.
• Intent: Criminal or unethical intent goes to the state of mind of the person or organization performing the act; it is often necessary to establish criminal intent to successfully prosecute offenders. Protecting a system against those who intend to cause harm or damage is best accomplished by means of technical controls.
• Many security professionals understand the
technology aspect of protection but
underestimate the value of policy. However,
laws, policies, and their associated penalties
only provide deterrence if three conditions are
present
• Fear of the penalty: Potential offenders must fear the penalty. Threats of informal or verbal warnings do not have the same impact as the threat of termination, incarceration, or loss of pay.
• Probability of being apprehended: Potential offenders must believe there is a strong possibility of being caught by management or reported by a coworker.
• Probability of the penalty being applied: Potential offenders must believe that if they are caught, the penalty will be administered, and that they will not simply be "let off with a warning."
END OF UNIT