Sometimes, as an author, you find yourself writing on a topic that is both important and enduring. Information security policy is just such a topic. This chapter was originally written for the Microsoft SharePoint Products and Technologies Resource Kit (Microsoft Press, 2004). Since I was the principal author for that book as well as this book, and this topic is so important and the information has not changed much, I decided to use that chapter as the basis for this chapter and amend it where it seems appropriate. - Bill English
Information security policies are an essential part of any plan to help secure a network. Such policies are really business rules: rules that define acceptable, and sometimes required, behavior regarding your company's information. Information security policies continue to become more complex because the technologies that host an organization's mission-critical information are also becoming more complex every year, if not every month. From cell phones to laptops, from PDAs to servers, the access vectors and potential security holes increase as the technology complexity increases. Information security policies are one method of plugging many of these holes by prescribing acceptable behavior as information is developed and stored.
The more an organization follows information security policies, the more dependent it becomes on these rules in a host of situations, such as guiding a manager on acceptable behavior about how information is accessed, informing a legal team as to whether a manager has performed due diligence, or using the policies as a guide to ensure a chain of evidence is retained during or after an attack on the network.
Information security policies (hereafter referred to simply as policies), in and of themselves, are just words on a page. They are essentially meaningless unless upper management both sees the need for such policies and possesses the will to enforce them. Ultimately, the enforcement of information security policies is a management responsibility.
Some say that the problem with information security policies is that the rules are only as effective as the people who obey them. But the presence of information security policies in an organization is fast becoming a legal assumption: companies that operate without information security policies might be subject to the charge that reasonable care for an organization's information was not executed. Regardless of an organization's size, purpose, or location, effective information security is vital.
After the information security policies are set, it's time to set up governance guidelines. A SharePoint Governance Plan acts as a guidebook outlining the administration, maintenance, and support of your SharePoint environment. It identifies lines of ownership for both business and technical teams, defining who is responsible for each area of the system. Furthermore, it establishes practical rules for appropriate usage of the SharePoint environments that are based on the information security policies.
An effective governance plan ensures that the system is managed and used in accordance with its designed intent, preventing it from becoming an unmanageable system. The management of an enterprise-wide system involves both a strategic, business-minded board to craft rules and procedures for the use of the system and a tactical, technically competent team to manage the routine operational tasks that keep the system running. Users of the system are supported by a support and developer community sponsored by the business leaders.
This chapter outlines the types of policies that should be considered when implementing either Microsoft Windows SharePoint Services 3.0 or Microsoft Office SharePoint Server 2007. The purpose is not to write the policies for you or even to give you a sample set of policies from which to work, but rather to highlight the types of policies that will be affected when implementing Office SharePoint Server 2007.
Why is an information security policy so important? There are two main reasons such a policy is important and should be adopted:
To provide a framework for best operational practice, so that the institution is able to minimize risk and respond effectively to any security incidents that might occur.
Security breaches, often involving prominent commercial organizations, are reported periodically in the press and often generate substantial publicity. Such incidents tend to fuel the popular conception that the major threat to information security comes from hostile attacks perpetrated via the Internet. Although there is some truth in this, the picture that it paints is highly oversimplified. Electronic information is at risk for a wide variety of reasons: natural disasters, failure of man-made equipment and services, and accidental as well as malicious acts by human beings.
Because neither the systems themselves nor those who operate them can ever be totally reliable, the institution must be able to react promptly and appropriately to any security incident and restore its information systems to their normal operational state in an acceptable period of time.
Investing in suitable security measures has a significant cost. Security concerns inevitably will consume considerable staff time, especially that of skilled IT staff, and in most cases there is likely to be security-related expenditure on hardware, software, and services as well.
This investment can only be correctly judged if a policy exists: without a proper assessment of the value of the information assets to the institution, and the consequences (financial and otherwise) of any data loss or interruption to services, it is all too easy to fund this area inadequately or inappropriately with potentially serious effects should a security breach occur. Conversely, there is little point in spending money unnecessarily to protect data of little value or which can easily be re-created.
Policies should define what behavior is and is not allowed, who is or is not allowed to do it, and in what circumstances these behaviors and permissions apply. A successful security policy will generate a high degree of consensus among all those involved and should foster a positive attitude toward security in terms of its benefits to the institution and the wider community of which it forms a part.
A useful concept in this context is that of a balance between privileges and responsibilities: making information and resources more freely available to members of an institution arguably places more responsibility on those members to behave responsibly. Some evidence is beginning to emerge that users of information systems would be willing to adhere to better security practices if they were more knowledgeable (that is, better trained) about what good practice actually involved.
Overall, the policy must define the role that information security plays in supporting the mission and goals of the institution. In a college or university, the security policy should be linked to (and should depend on) the information strategy, and it may well be drawn up by a subgroup of the body responsible for the information strategy. Even though much of the work on information security will be devolved to middle managers and technical staff, senior management should be committed to placing a high level of importance on information security and winning acceptance for the policy.
To ensure that the institution complies with relevant legislation in this area.
With the advent of the Sarbanes-Oxley Act of 2002 and other legal requirements, organizations must adopt a framework that provides suitable standards of security for all personal data held by the institution throughout its life cycle. All recognized benchmarks of good security practice specify a top-level security policy as the key requirement in such a framework.
All organizations are strongly encouraged to adopt a recognized methodology for developing their security policies and plans: to do otherwise might leave them exposed in the event of a legal challenge. The choice of methodology is less critical; the issue of key importance is that sound policies are drawn up and then embodied in effective operational security measures.
Adapted from "Developing an Information Security Policy," located at http://www.jisc.ac.uk/index.cfm?name=pub_smbp_infosec.