"Information security policies underpin the security and well-being of information resources. They are the foundation, the bottom line, of information security within an organization." (Information Security Policy World)
People frequently use the terms "policy," "standard," and "guidelines" to refer to documents that establish the security stance of an organization. For the purposes of this handbook, the following definitions will apply:
"A Security Policy is a concise statement, by senior management, of the corporate commitment to take responsibility for protecting information. The policy is then implemented by taking specific actions, utilizing the specific security standards, procedures and mechanisms that are most effective." (SANS Institute, website)
A CORPORATE SECURITY POLICY is a document that outlines specific requirements or rules that must be met within the organization. In the information security realm, policies are usually goal-specific and usually cover more than one platform or area. An example of a policy statement is: "Users must be authorized to access the system by using at least a userid and password. Users who will have access to restricted applications must use an additional form of authentication such as a secure token or a biometric identifier."
A STANDARD is a collection of system-specific and procedure-specific requirements that must be met by everyone. For example, an HP NonStop server standard would cover the security rules and settings that harden the NonStop server. People must follow this standard exactly if they wish to add new servers or add applications to existing servers. An example of an HP NonStop server-specific standard is:
"Users must have a unique Guardian userid that is assigned only to this user. The password for this userid must be at least six characters long, contain both alphanumeric and special characters, and must be changed every 60 days."
This handbook uses the term BEST PRACTICES rather than GUIDELINES to mean a collection of system-specific and procedure-specific recommendations. They are not requirements that must be met, but they are strongly recommended in order to adequately secure the HP NonStop server.
Effective SECURITY POLICIES make frequent references to STANDARDS and BEST PRACTICES that exist within an organization.
Good security practices require the creation of both a corporate-wide SECURITY POLICY and platform-specific SECURITY STANDARDS. Without both, the group responsible for Information Security (Security) has no means to justify the enforcement of good security practices, and the group responsible for Internal Audit (Audit) has nothing against which to judge the corporate security environment.
Because securing an HP NonStop server consists primarily of implementing access controls, discussions in this book concentrate on the principles of access control and how they are put into effect on the HP NonStop server.
Good security practices also include monitoring the system for compliance with the Corporate Security Policy and Standards. The Corporate Security Policy and Standards should dictate what is monitored and the frequency of audit reports and reviews.
It is unlikely that any given organization will exactly match every Best Practice recommendation. Any recommendation that cannot be put into use at a company should be documented as an exception. The documentation should include:
The reason the objective cannot be met in the environment.
The steps taken to mitigate the risk caused by not meeting the objective.
The signature of a person of authority who accepts responsibility for the risk assumed by not meeting the objective.
This information should be made available to both Internal and External Audit, when requested or when the security staff responds to audit issues.