Compiling the Needed Documentation
With knowledge of the organization's critical systems, you can now turn your attention to directing the team to draw up lists of required documents for review. Several standards clearly define and delineate required security policies. These include ISO 17799, NIST 800-26, and the NSA IAM. Our favorite of the three is the NSA IAM. The NSA revised this list in 2003 to closely match NIST documentation. Unlike the NIST standards, which separate policies into 17 classes of information, the NSA has expanded this to 18. These are divided into the same three categories as used by NIST: management, technical, and operational. All 18 categories are shown in Table 5.1.
Table 5.1 The 18 NSA IAM policy categories

| Management | Technical | Operational |
|---|---|---|
| INFOSEC documentation | Identification and authentication | Media controls |
| INFOSEC roles and responsibilities | Account management | Labeling |
| Contingency planning | Session controls | Physical environment |
| Configuration management | Auditing | Personnel security |
| | Malicious code protection | Education training and awareness |
| | Maintenance | |
| | System assurance | |
| | Networking connectivity | |
| | Communications security | |
This doesn't mean that every policy you will want to review fits into one of these 18 categories, but don't be surprised at how well these 18 work in most cases. Although we will spend a considerable amount of time discussing these categories of policies in Chapter 7, "Performing the Assessment," a few things are worth mentioning here. Policy documents can be broadly divided into the following three types:
- Advisory The job of an advisory policy is to assure that employees know the consequences of certain behavior and actions. A sample advisory policy follows:
Illegal copying: Employees should never download or install any commercial software, shareware, or freeware onto any network drives or disks unless they have written permission from the Network Administrator. BE PREPARED to be held accountable for your actions, including the loss of network privileges, written reprimand, probation, or employment termination if the Rules of Appropriate Use are violated.
- Informative This type of policy isn't designed with enforcement in mind; it is developed for education. Its goal is to inform and enlighten employees. A sample informative policy follows:
In partnership with the Product Management Team, Instructor Resources' job is to serve as an advocate for all Security Evolution instructors, providing superior service in recruitment and career development, scheduling services, and fulfillment of administrative needs for our instructors.
- Regulatory These policies are used to make certain the organization complies with local, state, provincial, and federal laws. A sample regulatory policy might state the following:
Because of recent changes to Virginia state law, the company will now retain records of employee inventions and patents for 10 years; all email messages and any backup of such email associated with patents and inventions will be stored for one year.
Because of potential regulatory requirements, you will also want to review any applicable state, provincial, and federal laws affecting your organization. You will want to make sure that the organization's policies meet these requirements; if not, this will need to be noted.
You will also want to gather all infrastructure documentation. If diagrams don't exist, you have two options: You can ask that they be created or you can provide assistance to get it done. Keep in mind that there are two types of system diagrams needed:
- Logical diagrams Drawn from the owners' and users' perspective, these depict the system(s) in terms of information use and data flow.
- Physical diagrams Depict the system(s) from the physical component perspective of connectivity and interfaces.
Now you may be wondering how you are going to keep track of all these incoming documents. The best way is to develop a system to track the following:
- Date requested
- Date reviewed
- Date returned/disposed
It is best to appoint one person to collect and distribute all policies and documents requested. A simple form as shown in Table 5.2 can make your life much easier.
Table 5.2 Sample document tracking form

| Title | Date Requested | Date Received | Custodian | Date Destroyed, Archived, or Returned |
|---|---|---|---|---|
| Password Policy | 10/20/2005 | 10/31/2005 | David Kim | Returned 11/2/2005 |
| Acceptable Use Policy | 10/22/2005 | 10/25/2005 | Guy Bruneau | In use |
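The tracking form in Table 5.2 and the 18 categories in Table 5.1 are easy to combine into a small register that does the bookkeeping for the person collecting documents: it flags requests that have gone unanswered too long, lists what is still in someone's custody, and shows which of the 18 NSA IAM categories no collected policy covers yet. The following Python script is an added example, not code from the book; the third register entry, the category assigned to each policy, the seven-day overdue threshold, and the 11/5/2005 reporting date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The 18 NSA IAM categories from Table 5.1, grouped the way the text groups them.
NSA_IAM_CATEGORIES = {
    "Management": [
        "INFOSEC documentation",
        "INFOSEC roles and responsibilities",
        "Contingency planning",
        "Configuration management",
    ],
    "Technical": [
        "Identification and authentication",
        "Account management",
        "Session controls",
        "Auditing",
        "Malicious code protection",
        "Maintenance",
        "System assurance",
        "Networking connectivity",
        "Communications security",
    ],
    "Operational": [
        "Media controls",
        "Labeling",
        "Physical environment",
        "Personnel security",
        "Education training and awareness",
    ],
}


def all_categories():
    """Flatten the three groups into the list of 18 category names."""
    return [c for group in NSA_IAM_CATEGORIES.values() for c in group]


@dataclass
class DocumentRequest:
    """One row of the tracking form in Table 5.2, plus the category it covers."""
    title: str
    category: str                       # one of the 18 NSA IAM categories
    requested: date                     # Date Requested
    received: Optional[date] = None     # Date Received (None = still outstanding)
    custodian: Optional[str] = None     # who currently holds the document
    disposition: Optional[str] = None   # "Returned", "Archived", "Destroyed"
    disposition_date: Optional[date] = None

    def __post_init__(self):
        # Reject categories that are not one of the 18, so the coverage
        # report cannot be fooled by a typo in the form.
        if self.category not in all_categories():
            raise ValueError(f"unknown NSA IAM category: {self.category!r}")


# Constructed register: the two rows of Table 5.2 (category assignments are
# assumptions) plus one assumed request that has not come back yet.
SAMPLE_REGISTER = [
    DocumentRequest("Password Policy", "Identification and authentication",
                    requested=date(2005, 10, 20), received=date(2005, 10, 31),
                    custodian="David Kim", disposition="Returned",
                    disposition_date=date(2005, 11, 2)),
    DocumentRequest("Acceptable Use Policy", "Education training and awareness",
                    requested=date(2005, 10, 22), received=date(2005, 10, 25),
                    custodian="Guy Bruneau"),
    DocumentRequest("Disaster Recovery Plan", "Contingency planning",
                    requested=date(2005, 10, 25)),
]


def overdue_requests(register, as_of, max_days=7):
    """Requested documents not yet received after more than max_days."""
    return [r for r in register
            if r.received is None and (as_of - r.requested).days > max_days]


def in_custody(register):
    """Documents received but not yet returned, archived, or destroyed."""
    return [r for r in register
            if r.received is not None and r.disposition is None]


def coverage_gaps(register):
    """Categories from Table 5.1 for which no document has been received."""
    covered = {r.category for r in register if r.received is not None}
    return [c for c in all_categories() if c not in covered]


def report(register, as_of):
    """Print the three lists the document custodian needs each week."""
    print(f"Status as of {as_of}:")
    for r in overdue_requests(register, as_of):
        print(f"  OVERDUE  {r.title} (requested {r.requested})")
    for r in in_custody(register):
        print(f"  HELD BY  {r.custodian}: {r.title}")
    for c in coverage_gaps(register):
        print(f"  NO POLICY COLLECTED FOR  {c}")


if __name__ == "__main__":
    report(SAMPLE_REGISTER, date(2005, 11, 5))
```

Because `__post_init__` checks every category against the 18 names, the coverage list is only as good as the category column on the form; assigning one category per document keeps the report simple, and a policy that spans several categories can be entered once per category it covers.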