Corporate Information Assets Protection Program (CIAPP)


The ISSO knew that to successfully protect IWC's information-related assets there must be formal guidelines and directions provided to the IWC employees. There must also be some formal processes that are used to ensure that the IWC information assets are protected effectively and efficiently—in other words, "cheap and good." It was obvious to IWC's management and the ISSO that to do otherwise would cause employees to protect these information-related assets as they saw fit, or not protect them at all. Such was almost the case now, and the ISSO knew that there was an urgent need to quickly establish a CIAPP. [2]

The CIAPP would be developed taking into consideration or incorporating the following:

  • Reasons for the CIAPP;

  • IWC vision, mission, and quality statements;

  • Information and systems legal, ethical, and best business practices;

  • IWC's strategic, tactical, and annual business plans;

  • Information and systems protection strategic, tactical, and annual business plans;

  • IWC's overall information assets protection plans, policies, and procedures as directed by the IWC Corporate Security Office;

  • InfoSec vision, mission, and quality statements;

  • Current CIAPP-related and InfoSec policies;

  • Current CIAPP-related and InfoSec procedures; and

  • Other topics as deemed appropriate once the ISSO and the ISSO project team have established the baseline.

The CIAPP cannot be developed in a vacuum if it is to work. The input of others is a necessity: The CIAPP, if not done correctly, may have an adverse impact on the business of IWC. Remember that the ISSO's InfoSec functional organization must be a service- and support-driven organization. As part of that endeavor, the CIAPP must support the IWC business plans. It then follows that the plans call for certain actions to protect IWC's vital information and information systems assets.

Remember what is being discussed here are the plans, processes, policies, and procedures (P4) that are established, implemented, and maintained as applying to all IWC departments (P4 because as each of the "P's" is added to the others, protection baseline increases exponentially). This should not be confused with the ISSO's InfoSec organization's plans, policies, and procedures, such as work instructions and processes that apply strictly within that InfoSec organization.

As the ISSO, one of your first tasks is to obtain a copy of the IWC CIAPP that was to be established by the prior ISSO. You may find that:

  1. There is no such document;

  2. The current one is not really current at all and needs updating; or

  3. To your shock and amazement, the IWC CIAPP is current and an excellent document.

Of the three options, which would you prefer and why? Actually, there are benefits to all of the options but they are listed in our preferred order. Does it seem strange that one would not opt for option 3? The one you choose will probably be based on where you are coming from and where you are going (your education and experience). OK, no more riddles.

Option 1 has some benefits. If there is no such document as the IWC CIAPP by any name, one can "do it right the first time" and develop one that meets the needs of IWC using your own tried and true methods. However, the less experience you have, the more difficult it will be to do it right the first time. If you are new to the IWC ISSO position, it may be doubly difficult and a real problem. No, not a problem, because you are now in a high management position. These are not called problems. They are called challenges.

Having an IWC CIAPP that has been approved by those who must approve it (executive management) has some benefits, of course. "Approve it?" you say. "Why does anyone have to approve it? I am the ISSO, the security professional, the expert in the business. I know what I am doing. I don't need any non-security people out there playing amateur information systems security expert." Great! That may have worked in the past, maybe in the times of the hunter-gatherers—but not now.

Here's the issue: As the ISSO, you are going to establish a CIAPP that will affect everyone and everything in IWC in one form or another, since information systems permeate all levels of IWC and IWC cannot function without them. You are new to IWC and really don't have a good handle on how information assets protection policies and procedures affect the IWC business of making widgets. You may have a great way to protect a certain, sensitive IWC information-related asset, but find that if it were implemented it would slow down production. That is not a good idea in the competitive, fast-paced, global marketplace in which IWC competes for business. That may get you a warning first, but then you'll be fired (as was the case of the last ISSO?); or it may increase costs in other ways (slowing down production is a cost matter also).

Option 2 also has some very good advantages, especially for the ISSO who has less experience in the profession and/or less experience at IWC. The advantage is that you have a framework on which to build, essentially changing it to how you envision the final baseline. However, as with option 1, some caution is advised. Option 2 allows you, as the new ISSO, the opportunity to see what executive management has authorized to date. In other words, you know how much "protection" the executive management of IWC will allow at what expense to productivity, costs, etc.

This is important also because if you increase security, you must provide sound, convincing business reasons why that should happen. In this case, you have an edge because of the previous loss of IWC information assets, which caused the firing of the former ISSO. In addition, the CEO is supportive in that the Strategic Business Plan (SBP) and Tactical Business Plan (TBP) both have CIAPP goals, and those plans had to be approved by the CEO prior to implementation. Thus, the CIAPP already has high visibility and at least some executive management support. However, that honeymoon may not last long if you require protection mechanisms that aren't backed by sound business sense.

Option 3 is great if you are new to the ISSO position and/or lack confidence or experience in CIAPP development. However, caution is also needed here, because information assets were lost and the former ISSO fired. You must get answers for the following questions:

  • Did the information assets protection processes as set forth in the CIAPP leave a vulnerability that allowed the threat agent to take advantage of it?

  • Was the CIAPP not the issue—did someone or some group fail to follow proper procedures?

  • Was the ISSO just not the right person for the job at IWC? (If this is the case, find out why so you don't make the same mistake, assuming you want to work for IWC for more than a year or two.)

As the new ISSO, you should find the answers to these questions, then determine how the CIAPP can be enhanced to mitigate future attacks. The benefit of a current CIAPP is that it has received the concurrence of executive management—but remember, it may be a bad plan. After all, what does executive management know of CIAPP matters except what the ISSO tells them, aside from the "common sense" knowledge?

Let us assume that no IWC CIAPP is in existence. So, the ISSO must start from the beginning. Actually, that is not entirely true. As an experienced ISSO, the IWC ISSO has brought knowledge and experience to the IWC ISSO position. In addition, there are always some sort of information and information systems protection policies and guidelines available. It may be just a matter of gathering them all together for analysis as part of establishing the CIAPP baseline.

In addition, the ISSO has swapped and collected CIAPP plans from other InfoSec professionals over the years that may prove useful. Several words of caution:

  • Never take another's CIAPP (or any documents) without approval of his or her appropriate corporate authority. Such plans may be considered and marked as corporate-confidential, corporate-private, corporate-proprietary, or the like. There is an ethics issue here.

  • Furthermore, the other CIAPPs may be outdated or may not meet the needs of IWC, perhaps because of technology changes, different corporate cultures, or environments.

Using formal project management techniques, the ISSO decides to establish an information and systems protection program project team (CIAPP PT) and selects a project lead, leads the team, or has the group select their own project lead. If the ISSO's InfoSec organization has one or more specialists in information assets protection policies and procedures, then one of those specialists would be the natural one to head up the project team. Other team members should include those within the InfoSec organization who are responsible for each of the InfoSec functions of the InfoSec organization.

These team members would not be used full-time on the project, but would represent the InfoSec functions and provide input as deemed appropriate by the CIAPP project team leader. The ISSO decided to use only specialists from the InfoSec organization at this time to speed up the draft of the baseline CIAPP's primary document—that which contains the requirements, and P4. To do otherwise—to add auditors, IT staff, human relations specialists, legal staff, etc.—would invariably cause too much time discussing such matters as policies as too restrictive or not restrictive enough, leading to a slowdown or committee paralysis. The ISSO determined that coordination would be done upon establishment of the initial draft document.

Let's now assume there is a plan in place with outdated portions. The ISSO, who has already read the document and does not agree with some of the requirements in it, and who sees other requirements that are obviously lacking, should first meet with the specialist currently responsible for the CIAPP and that person's manager (the assumption is that there are some InfoSec staff already employed and that someone in the current InfoSec organization has responsibility for the CIAPP—or equivalent plan or program). The main purpose of the meeting would be to determine why it is not current and discuss the rationale for all the requirements stated in the document. It may be that some portions were deleted because of executive management objections. These must be identified, because it is of little use to update the CIAPP if it is to meet resistance and rejection when it is briefed to and coordinated with executive management.

If the ISSO determines that there was resistance and disapproval of some aspects of the CIAPP, then the ISSO should look at that issue first. The approach the ISSO will use is to establish another InfoSec project team, which will conduct a limited risk assessment related to the identified issues: management's rejection of some much-needed information assets protection requirements. The risk assessment is limited to a specific objective: determining the risks to a specific asset, the costs of mitigating that risk, or the rationale for the requirement. It is also limited in time. For each of these issues where different information assets and departments have been involved, such as manufacturing and marketing, a separate, limited risk assessment will be conducted.

The results of the limited risk assessments will then be provided as part of a formal briefing to the Vice President of that particular department, and a copy of the report will be given to the IWC Corporate Information Officer (CIO). The copy to the CIO (the ISSO's boss) will be given just to ensure that the CIO is in the communications loop, and because a copy will be available for use when briefing the CEO and the executive management team on the new CIAPP and its changes. The limited assessment will be part of the backup documentation for the briefing. The ISSO reasons that a copy to the CEO would not be a good idea at this time, because then the ISSO would have to explain what it is and why the CEO has it.

The CEO does not currently understand how the new ISSO operates, and now is no time to take away from the priority CIAPP project management to provide a "for your information" report to the CEO. Some ISSOs may think that such things help the ISSO gain visibility and show the "great" things that the ISSO and InfoSec staff are accomplishing. However, it may have the opposite effect, as the CEO would ask questions:

  • Why do I have this?

  • What is it?

  • What am I to do with it?

  • Do I have to make a decision now based on it?

What is your reply as the ISSO? "Oh, I just thought you would enjoy reading it because I know you are not that busy; you don't have better things to do; my stuff is so much more important than what you do to run IWC; and no, you don't have any action items that come from this. I just want to show you what a great job I'm doing." That will work in getting you recognized—but for all the wrong reasons and in the wrong way.

The limited risk assessment will state the risks, the mitigation factors, and the estimated costs of the increased protection of that particular asset or set of information assets. If the Vice President of that department, who is also the person immediately responsible for the protection of that information asset or assets, does not concur with the increased protection, then the Vice President must formally accept the risks in writing on the last page of the report and send it back to the ISSO.

The acceptance of risk statement reads as follows: I have reviewed the findings of the limited risk assessment conducted by members of the IWC InfoSec staff. I understand the potential loss of, or damage to, IWC information assets under my care that may occur if additional protective processes are not put in place. I accept that risk.

You will probably find that most people will be unwilling to sign such a document, or will try to delay signing and hope the issue is forgotten. The ISSO can never let that happen. To resolve that issue, a reply of concurrence or nonconcurrence will be set forth in the document with a suspense date. If none is forthcoming by that date, the report states that additional safeguards will be put into effect no later than a specific date because of the failure of the action person to sign the document. A non-reply is taken as a concurrence.

Often the executive will try to find a way out of the dilemma and "negotiations" will take place where various options will be examined, other than those already stated in the report. The ISSO cannot say no to such a request: To do so would allow the executive to say that the ISSO was not being cooperative, was not a team player, had a "take it or leave it" attitude. At the same time, this negotiation cannot go on indefinitely. If a roadblock is reached, then the executive and the ISSO should agree that the matter be discussed at a meeting with the CIO and/or CEO.

The IWC CIO would probably be wondering if there was some other way out of it. The CIO thinks: Here this ISSO hasn't even been in the job a month, and already I'm getting involved in conflicts. The CIO does not like becoming involved in conflicts.

As a side note, no matter what final decision is made, the ISSO's performance review and probably merit raise may be affected because the ISSO was not able to resolve the issue (even though the fault was that of others). The ISSO could have resolved the issue by just allowing the other vice presidents or managers to have it their way. However, the ISSO knows that also contributed to the previous ISSO being fired. It is a no-win situation, but that's life as an ISSO. For the ISSO to do otherwise is unprofessional and an ethics issue.

IWC CIAPP—Requirements

In developing a CIAPP, one must first look at requirements that drive the formation of policies, which lead to procedures, which turn into processes to be followed by all those having authorized access to the IWC information and information systems assets.

Requirements, also known as InfoSec drivers, are those laws, regulations, common business practices, ethics, and the like on which the policies are based (Figure 7.1). The policies are needed to comply with the requirements; the procedures are required to implement the policies; and the processes are the steps that are followed to support the procedures.

Figure 7.1: The flow of some of the requirements as drivers through to the CIAPP processes.

IWC CIAPP—Information Assets Protection Policies

When discussing information assets protection policy, we define it as a codified set of principles that are directive in nature and that provide the baseline for the protection of corporate information assets.

It is always the best policy to speak the truth, unless, of course, you are an exceptionally good liar.—Jerome K. Jerome

The corporate information assets protection policies are a series of policies that deal with the protection of various information assets categories within IWC. These policies make up a major portion of the CIAPP, as they are the protection "rules." They are the first building blocks of the IWC information assets protection environment. Information assets protection policies are the foundation for a CIAPP. It is crucial that they:

  • Cover all information assets that must be protected;

  • Cover all aspects of information assets protection;

  • Do not have any loopholes that could contribute to vulnerabilities;

  • Be clearly written;

  • Be concise;

  • Take into account the costs of protection;

  • Take into account the benefits of protection;

  • Take into account the associated risks to the information assets;

  • Be coordinated with executive management and others as applicable;

  • Be concurred in by executive management and others as applicable;

  • Be actively supported by executive management and all employees; and

  • Include a process to ensure that they are kept current at all times.

One cannot state these requirements too strongly. They are the key to a successful CIAPP. If it is not stated in writing, it does not exist. After the information assets protection policies are established and approved in accordance with IWC requirements (executive management approval for all policies that affect the entire corporation), the information contained in the policies must be given to all corporate employees. This will be done through the IWC CIAPP Education and Awareness Training Program (CIAPP-EATP).

A key process that the ISSO must establish is one that will maintain all information assets protection policies in a current state. Because this is a crucial function, the ISSO has assigned one staff member full-time to ensure that the policies are current at all times and ensure that when changes are considered, they are properly coordinated, and the information dispensed to all employees as soon as possible. After all, the changes may just be procedural, or they may mitigate a risk to some valuable IWC information assets.

The ISSO's focal point for information assets protection policies is the central InfoSec person to collect information that adversely affects the protection of information and information systems. That adverse information is analyzed by the focal point, with help from others as needed, to determine if policies must be added or modified to help mitigate the adverse effects—vulnerabilities—identified. If so, such changes are done based on a cost-benefits approach to mitigating the identified vulnerabilities.

For the position of an information assets protection policy specialist, the ISSO has chosen a person already employed by Human Resources. This was done after interviews and looking at the experiences of the InfoSec staff. None of the InfoSec staff were qualified or interested in such a position: The InfoSec staff saw it as being a "non-techie paper shuffler" job. The ISSO purposely looked for a qualified employee within IWC, since that person would already be familiar with IWC culture and processes—basically, how things were done at IWC.

The ISSO was able to get this new position approved by the Human Resources Department (HR) and rated at a sufficiently high position level to attract the best candidates. The ISSO's rationale was to rate all new positions at as high a level as possible, so the ISSO could attract the best candidates in IWC or outside IWC. Such a position would be seen as a promotion by many in IWC. This was not an easy task, but the ISSO had experience in working with HR specialists. The task was not as difficult as it might have been—and once had been for the ISSO.

The person hired had worked in an HR office whose duties included writing HR policy and procedures documents, coordinating document approvals, and maintaining the IWC documentation library. The individual responded to an IWC "vacant position" announcement that was available to all employees through the online HR network.

The job description for the Information Assets Protection Policy Specialist was developed by the ISSO based on past experiences. The person was not actively recruited within HR, as this violated IWC policy—people cannot actively try to "steal" employees from one another. As well as violating corporate policy, it is unethical.

One person who responded to the vacancy announcement had 2 years of experience at IWC and had a bachelor's degree in journalism, but no InfoSec or information assets protection experience. The ISSO wanted someone who could write and coordinate policies and procedures as the first priority and could secondarily learn about InfoSec-related matters. The incentive was that the position was a promotion from the person's previously held position, and the person would be the lead in this function, rather than "just another employee" in the HR organization [3].

At IWC, the ISSO developed an administrative document architecture where there is an overall information assets protection policy document followed by the other assets protection policy documents. The IWC overall policy document (IWC Information Assets Protection Policy Document 500-1, also known as IAPPD 500-1) begins with a letter from the IWC CEO to show employees that this program was supported by the CEO:

To: All IWC Employees

Subject: Protecting IWC's Information Assets to Maintain Our Competitive Edge

We are a leading international corporation in the manufacturing and sales of widgets. Today, we compete around the world in the global marketplace of fierce competition. In order to maintain a leadership position and grow, we depend first and foremost on all of you and provide you the resources to help you do your jobs to the best of your ability. You are vital to our success.

It is the policy of IWC to protect all our vital assets that are the key to our success, and among those are our information-related assets. These include information, automated manufacturing tools, technology, information and systems driven processes, hardware, software, and firmware that we all rely upon to be successful. You and these other vital IWC information assets must be able to work in a safe environment, and our resources must be protected from loss, compromise, or other adverse effects that affect our ability to compete in the marketplace.

It is also IWC policy to depend on all of you to do your part to protect these valuable information-related assets in these volatile times.

The protection of our information assets can only be accomplished through an effective and efficient information assets protection program. We have begun an aggressive effort to build such a program.

This directive is the roadmap to our corporate information assets protection program (CIAPP) and the continued success of IWC. In order for the CIAPP to be successful, you must give it your full support. Your support is vital to ensure that IWC continues to grow and maintain its leadership role in the widget industry.

(Signed by the IWC President and CEO)

It is crucial that the CEO lead the way in the support of the protection of IWC information assets. To get the preceding statement published, the ISSO relied on the policy InfoSec staff member to draft a statement for the CEO to sign. The ISSO reasoned that it is always better to write a draft for someone to ensure that what is published meets the needs of the CIAPP and IWC. The statement was drafted after reviewing numerous other documents and speeches made by the CEO to ensure that the words and format used were consistent with what the CEO normally signed.

The draft was edited by the ISSO and then coordinated by the ISSO with the Director of Corporate Security, since this had to do with IWC assets. The Director of Security had no issues with the policy and in fact was happy that the ISSO was aggressively moving forward on this matter. In addition, the Director of Security believed that the ISSO pushing forward would eventually benefit the Security Department. Furthermore, if the ISSO ran into trouble with executive management, the Director could see how far the ISSO was able to go in meeting the information assets protection objectives. He likened the ISSO to a lead scout going through IWC's executive management minefield. It would help the Director to politically choose his ground. After all, the Director was "old school." He didn't care much for computers, and he had no problem letting the ISSO take on the InfoSec matters while the Director concentrated on more "mundane" security matters while awaiting his time for retirement in another 4 or 5 years.

Because the draft was going to the CEO, it was also reviewed and edited by the ISSO's boss, the CIO. It was then sent to the CEO's public relations staff and legal staff for editing and subsequently presented to the CEO by the ISSO accompanied by the CIO, who was always concerned when the ISSO was involved in anything that brought CEO visibility to any aspects of the CIO's department.

The ISSO accomplished another objective toward building a CIAPP for IWC. The letter signed by the CEO was just one part of it. The ISSO also got support from the CEO to aggressively attack the vulnerabilities problems, because the CEO did not object to the assessment approach briefed by the ISSO as part of the CIAPP philosophy. That "hidden agenda" was used to initiate a more proactive effort that the Director of Audits and the ISSO had agreed to prior to the ISSO's meeting with the CEO. This tacit approval allowed the ISSO to establish a more proactive and aggressive CIAPP. All this may seem a little devious but not unethical—or is it? Do the results outweigh the tactics used to gain those results? You be the judge.

The information assets protection policy document had a coordination note attached that showed all those who had seen the document (CEOs rarely sign anything relating to corporate business without input from the staff). If the ISSO had just made an appointment with the CEO and asked for concurrence on the document, the ISSO would undoubtedly be asked if the CIO had seen it, had it been coordinated with his (CSO's) staff, etc. The ISSO would have said no, wasting the CEO's time and the ISSO's time. The CEO would never sign off on the document without CEO staff input. The whole incident would make the ISSO look foolish and unprofessional, and perhaps a little insecure, as though the CEO did not trust the ISSO.

One key factor is missing here. Do you know what it is? Would the CEO have signed the document without seeing the draft policy directive, IAPPD 500-1? The answer is probably yes. This is because the ISSO ensured that the letter was written without alluding to or identifying any "attached policy document," or any other document for that matter. Why is this important? It is important because this document is timeless and can be used as a standalone document. The ISSO thought that it could also be attached to any information assets protection policy directive, and would help enforce the policy directive because anyone would assume that the CEO's signed document is supporting the policy directive to which it is attached.

The fact is, it is probably true that the CEO would support the policy directive: That directive could not have been published and implemented without following the IWC directive publishing process. This process as stated in IWC directive, HRD 5–17, includes directions as to proper coordination with applicable departments that would be affected by the directive.

The next day, the ISSO happened to be in discussion with the InfoSec policy specialist around the coffeepot. They discussed the CEO's approval of the document, and the ISSO thanked the specialist for a great job. [4] The specialist said "Thanks" and also said, "You know, of course, that it is IWC policy that letters, regardless of who signs them, have no more than a 90-day lifespan? That policy was put in place because many executives and other managers were writing policy 'letters' to circumvent the coordination process for directives. So, these policy letters proliferated at IWC. No one knew what was current and what wasn't, and many failed to follow the letters because 'they didn't work for that person' (the person who signed the letters). So, the letters were ignored. The last thing that IWC needed was a bunch of letter policies flowing around and being ignored. That left the entire IWC atmosphere full of conflicts, some chaos, and an attitude of flouting any rules that one didn't like. In fact, that contributed to our loss of information assets, the firing of managers, including your predecessor. So, you don't want to end up starting that mess all over again. Do you?"

The ISSO didn't know that and was glad that the right person had been hired for the information assets protection policy specialist position. It's funny how things sometimes work out better than expected. An "InfoSec techie" in that position would probably not have known that valuable piece of information.

The ISSO thought about what the information assets protection policy specialist had said. The ISSO wanted to keep to a minimum any objections to the information assets policy directives.

So, the ISSO directed that a copy of the CEO's signed document be attached to any information assets protection policy document the ISSO was trying to get through the coordination process, published, and implemented. The ISSO also included a note on the coordination sheet that states: The attached document is an implementation document to meet the IWC information assets protection program requirements as stated in the CEO's document. The ISSO was very satisfied with this approach, and also directed that the CEO's letter be changed to a formal directive and so instructed the InfoSec policy specialist. That directive, the ISSO reasoned, should not require any coordination because the CEO had already signed it. This was the case, and the CEO's letter became IWC's IAPPD 500-1. Therefore, all other policy directives flowed from that overall directive—the CEO's memo-directive.

The ISSO directed that a project, with the InfoSec policy specialist as the project lead, be established and implemented. The objective was to bring all information assets protection policy directives up to date. This would require all IWC policy directives related to information assets protection to be reviewed, updated, coordinated, republished, and placed online, and all briefings, training, and other processes be updated accordingly. The ISSO also directed that the project lead should prioritize the directives based on a review with the following prioritized schedule:

  • Directives that did not currently exist but must be developed to address the protection of various information assets; and

  • Directives that were the most outdated (continuing to those that were the least outdated).

The ISSO reasoned that outdated directives were better than no information asset policy directives, because where some were needed and did not exist, the information assets were more vulnerable. Although the missing directives would take the longest to get implemented, they were the most important. The ISSO also directed the information assets protection policy project team, with the policy specialist as the project lead, to do as much as possible in parallel. Those requiring the least amount of work could be done faster, and every updated directive was another victory in the war to protect corporate information assets.

War? The choice of words was used in all seriousness. The ISSO and the staff must get on a "war footing" and not treat their professional duties as some 9-to-5 job. Corporate information assets are being attacked from inside and outside corporations, from within the home nation-state, and from competitors and nation-states from around the world on a 24/7 basis. IWC was no exception, and in fact because of its leadership role in the widget industry, it was probably more at risk than some other corporations.

The ISSO directed that all policy directives be limited to specific issues. The ISSO reasoned that to develop one large policy directive that covers all aspects of IWC's information assets protection needs was not a good idea. Do you agree? Before answering, think about it from an employee's perspective. The employee has a job to do as a specialist in a chosen profession. Employees are not, nor do they want to be, InfoSec specialists. To assist them in at least complying with the CIAPP, the "KISS principle" (Keep It Simple, Stupid) should always be applied.

Consider an employee who wants to do the right thing and comply with all the IWC directives and information assets protection directives. Let's say the employee works in a marketing group. If there were just one large policy document, the employee would look at this monster and might be intimidated by its size. The employee does not need to know about many of the information assets' protection requirements—for example, those that pertain to the manufacturing environment. Yes, one could do keyword searches if the documents are online, but in all probability, pertinent information would be scattered throughout the document. With the capability of putting documents online and maintaining them online, it is easy in today's word processing environment to just cut and paste applicable portions of other information assets protection documents that apply to multiple information environments.

Many employees have lost patience trying to read through such large—and boring—documents. Let's face it, even InfoSec professionals get bored reading InfoSec documents. Ironically, some InfoSec personnel never read the entire series of InfoSec-related documents unless they have to, or unless someone embarrasses them by pointing out that they (InfoSec personnel) are violating their own InfoSec rules!

Topic-oriented information assets protection policy documents can be developed, coordinated, and implemented faster. In addition, employees can easily determine which directive to search for guidance without reading volumes. Also, one large directive would be almost constantly in a state of change because of various aspects requiring changes at different times.

The ISSO directed that as a minimum, individual information assets policy directives were to be established providing guidance for the protection of the following corporate information assets [5]:

  • Overall information assets protection (CEO's signed letter);

  • Information valuation, marking, storing, distribution, and destruction;

  • Information processed, displayed, stored, and transmitted by information systems on the IWC's intranet;

  • IWC's private branch exchange (PBX) and voice mail;

  • Cellular phones, PDAs, and pagers;

  • Fax machines;

  • Teleconferencing;

  • Printers and scanners;

  • Automated manufacturing;

  • E-mail;

  • Vital, automated records; and

  • Violations of information assets protection policies, procedures, and processes.

IWC CIAPP Requirements and Policy Directive

The IWC CIAPP directives followed the standard format for IWC policies and included the following:

  1. Introduction Section, which includes some history of the need for InfoSec at IWC;

  2. Purpose Section, which describes why the document exists;

  3. Scope Section, which defines the breadth of the Directive;

  4. Responsibilities, which defines and identifies the responsibilities at all levels to include executive management, organizational managers, systems custodians, IT personnel, and users. The Directive will also include the requirements for customers', subcontractors', and vendors' access to IWC systems and information.

  5. Requirements Section, which includes the requirements for:

    1. Identifying the value of the information;

    2. Access to the IWC systems;

    3. Access to specific applications and files;

    4. Audit trails and their review;

    5. Reporting responsibilities and action to be taken in the event of an indication of a possible violation;

    6. Minimum protection requirements for the hardware, firmware, and software. [6]

    7. Requirements for InfoSec procedures at an IWC department and lower level.

Physical Security and CIAPP Policy

The physical security functions for the most part fall under the Security Department. It was agreed by the Director of Security and the ISSO that the physical security program, as it related to InfoSec, was to remain under the purview of the Security Department; however, those aspects related to the InfoSec would be coordinated with the ISSO or the ISSO's designated representative.

The Technical Countermeasures Program relating to emanations of systems' signals or covert signals which may be placed in IWC's sensitive processing areas had been initially placed under the purview of the ISSO; however, the Director of Security apparently became concerned because the systems permeate throughout IWC, which appeared to give the ISSO a great deal of authority.

The ISSO's authority, which the Director equated to power, for physical security related to systems facilities was relinquished by the ISSO. The ISSO's rationale was:

  • It showed the executive management and the Director of Security that the ISSO was interested in getting the job done right and not who had the authority to do it;

  • This move, coupled with the InfoSec procedures responsibility placed on IWC management, gave clear indications to everyone that the ISSO was interested in getting the job done in a cooperative effort where InfoSec responsibilities belonged to everyone in a true teaming effort; and

  • It took a heavy responsibility off the shoulders of the ISSO. The ISSO was no longer responsible for the physical security aspects; thus, the ISSO's attention could be directed to more technical aspects of the InfoSec program—those more enjoyable to the ISSO.

The agreement reached by the ISSO and Director of Security was for the Security Department to be responsible for:

  • Physical access controls to information systems throughout IWC;

  • Physical access control badge readers to areas containing sensitive information processing activities;

  • Physical disconnects of all systems processing information so sensitive that the information could not be processed outside specified areas;

  • Review, analysis, and action related to physical access controls' audit trails; and

  • Physical access control of all visitors, vendors, subcontractors, customers, and maintenance personnel, and the escorting of such personnel into sensitive, information processing areas.

IWC CIAPP—Information Assets Protection Procedures

Over the years, the ISSO has had experience in several corporations. The ISSO learned that the best way to provide an updated CIAPP is to begin at the highest level and work down. This form of information assets protection evaluation, analysis, and improvements is based on the fact that information assets protection is driven and must be supported from the top down. Therefore, the ISSO began with the overall IWC assets protection requirements (drivers), followed by the information assets protection policies. Once they were in place, those related procedures that were already in place were analyzed, and projects established to update them and develop new ones where needed.

Each information assets protection policy requires compliance by those identified in the policy directives. Each of these directives requires one or more procedures to be established so that there is a standard method used to support and implement the policies, including their spirit and intent. The information assets protection directives previously discussed require procedures to be established in order to comply with those directives. For example, what procedures should be used to determine the classification to be given a piece of information: IWC trade secret, IWC sensitive, IWC proprietary? Some procedures may be written for everyone in IWC to follow, while various departments may write others based on their unique information environments.

There are various opinions as to how best to go about developing procedures. One continues to get to a more detailed level as one goes from requirements (drivers) to policies to procedures. The main issue is this: If the ISSO establishes a specific procedure to comply with a specific policy which in turn assists in meeting the IWC goals as stated in the SBP, TBP, and ABP, the procedures may not be practical in one or two of the IWC departments. The department head may so state, and may ask for a waiver saying that they can still comply if they have a different procedure that takes into account their unique working information environment. There may be more than one department with similar complaints. So, how does the ISSO ensure that people are following proper information assets protection procedures to comply with the information assets protection policies?

The ISSO has found that the best way to do this at IWC is to require that the individual departments establish, implement, and maintain their own set of information assets protection procedures that comply with the policies. This has several benefits:

  • Having each department write its own procedures helps enforce the philosophy that information assets protection is everyone's responsibility.

  • There will be fewer complaints and requests for waivers because one or more of the IWC departments cannot comply with the procedures as written by the ISSO's InfoSec staff. This benefits the ISSO, as tracking waivers may turn into a nightmare—who has what waivers, why, and for how long.

  • The departments can develop procedures that meet their unique conditions and because of that, the procedures should be more cost-effective.

  • The ISSO and InfoSec staff will save time and effort in writing and maintaining information assets protection procedures. To be blunt—it's the departments' problem. However, the ISSO has offered to make InfoSec staff available to answer questions and to provide advice as to what should be in the procedures' documents. This was done in the spirit of providing service and support to the IWC employees. The liaison contact for the ISSO would of course be the InfoSec policy specialist.

The question then arose as to how the ISSO could be sure that the procedures written by each department meet the spirit and intent of the policies. Two methods were identified:

  • The InfoSec staff as part of their risk management processes would conduct limited risk assessment surveys, and as part of those surveys, the procedures would be reviewed. The limited risk assessments would indicate how well the procedures in place help protect IWC information assets under the control of each department or sub-organization.

  • IWC's audit staff would compare the procedures with the policies during their routine audits. The Director of Audits agreed to conduct such reviews, since that department is responsible for auditing for compliance with federal, state, and local laws and regulations and IWC policies and procedures anyway. It also helped that since the ISSO's arrival, the ISSO and Director met and agreed to monthly meetings to share information of mutual concern. The ISSO learned long ago that InfoSec personnel have very few true supporters in helping them to get the job done, but auditors were one of them.

Procedures, along with their related processes, are the heart of a CIAPP because they provide the step-by-step approach for employees as to how to do their work and also ensure the protection of corporate information assets. And if the departments write their own procedures, they become actively involved as valuable team members in the process of protecting IWC's valuable information assets.

[2]Some of the information from this section was modified from Dr. Kovacich's coauthored book with Edward P. Halibozek, The Manager's Handbook for Corporate Security: Establishing and Managing a Successful Information Assets Protection Program, published by Butterworth-Heinemann, 2003.

[3]You may wonder why we go into such detail as to who is hired to do what or how it is done at IWC. The reason is to provide, as nearly as possible, real-world experiences to the reader. Such information helps the reader by providing information that can be applied in real corporations; it also develops an overall knowledge of establishing and managing a corporate information assets protection program. In this case, an ISSO may look for someone to write policies by first looking for someone who knows security, when in fact it is more important to hire someone who can write policy. What to write will come from many sources. The policy specialist will not operate in a vacuum. How to write in clear and concise terms without ambiguities is the key.

[4]It is easy to take for granted the work of the staff. As an ISSO you should be sensitive to that and never forget to say thanks once in a while. It doesn't take a lot of effort, and it pays great dividends. Just like you, employees like to know they are appreciated.

[5]Of course this list is just a sample, as the topics would be based on the corporation, the corporate culture, and the methods used for publishing and implementing directives with each corporation.

[6]The physical security aspects of the requirements would have been coordinated with the applicable Security Department managers, since they have the responsibility for the physical security of IWC assets. The ISSO's rationale was that physical security should be addressed in this document, because it is a basic protection process. The Director of Security agreed and approved that process.

The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204