Creating a Security Policy

A comprehensive security policy is fundamental to an effective information security program, providing a firm basis for all activities related to the protection of information assets. In creating their policies, organizations take one of two basic approaches: that which is not expressly prohibited is allowed, or that which is not explicitly allowed is prohibited. The chosen approach is usually reflective of the organization's overall culture.

Educating Network Users on Security Issues

The best security policies in the world will be ineffective if the network users are unaware of them or if the policies are so restrictive and place so many inconveniences on users that they go out of their way to attempt to circumvent them.

The security plan itself should contain a program for educating network users—not only regarding what the policies are but why they are important and how users benefit from them. Users should also be instructed in the best ways to comply with the policies and what to do if they are unable to comply or if they observe a deliberate violation of the policies on the part of other users.

If you involve users in the planning and policy-making stages, you will find it must easier to educate them and gain their support for the policies at the implementation and enforcement stages

Educating your users is one of the most important factors in eliminating or reducing internal incidents. This does not necessarily mean upgrading the users' technical skills (although it can). Turning all your users into power users might not be cost effective or otherwise desirable. What is essential is to train all your network users in the proper procedures and rules of use for the network.

Every person who accesses your company network should be aware of your user policies and should agree to adhere to them. This includes notifying technical support personnel immediately of any hardware or software problems, refraining from installing any unauthorized software on their machines or downloading files from the Internet without authorization, and never dialing their personal ISPs or other networks or services from company machines without permission.

Figure 1.3 shows a hierarchical security model. Each layer builds on the ones beneath it, with security policies serving as the foundation. An organization that implements security tools without defining good policies and architecture is likely to encounter difficulties.

Figure 1.3: Security Hierarchy

Creation of the security policy is guided by management's level of trust in the organization's people, de facto processes, and technology. Many organizations resist formalizing their policies and enforcing them, since they do not want to risk damaging their familial and trusting culture. When a security incident occurs, however, these organizations discover that they might have little or no guidance on how to handle it or that they do not have a legal foundation to prosecute or even terminate an employee who breaches security. Others follow a command-and-control model and find that defining policies fits right into their culture. These organizations, however, could wind up spending a great deal of money to enforce controls that provide little incremental reduction in risk and create an oppressive atmosphere that is not conducive to productivity. For most organizations, a middle approach is best, following the dictum "Trust, but verify."

The policy creation process might not be easy. People have very different ideas about what the policies represent and why they are needed. The process should strive to achieve a compromise among the various stakeholders:

• Executive managers

• Internal auditors

• Human resources

• IT staff

• Security staff

• Legal staff

• Employee groups

As you can see, some level of buy-in from each of these stakeholder groups is necessary to create a successful policy. Particularly important is full support from executive management. Without it, a security policy will become just another manual gathering dust on the shelf. Employees need to see that management is behind the policy, leading by example.

Once a representative policy development team has been put together, its members should begin a risk-assessment process. The result of this effort is a document that defines how the organization approaches risk, how risk is mitigated, and the assets that are to be protected and their worth. The policy should also broadly define the potential threats that the organization faces. This information will be a guideline to the amount of effort and money that will be expended to address the threats and the level of risk that the organization will accept.

The next step is to perform a business needs analysis that defines information flows within the organization as well as information flowing into and out of it. These flows should each have a business need defined; this need is then matched with the level of risk to determine whether it will be allowed, allowed with additional controls, or restricted.

A good policy has these characteristics:

• States its purpose and what or who it covers

• Is realistic and easy to implement

• Has a long-term focus—in other words, does not contain specifics that will change often

• Is clear and concise

• Is up to date, with provisions for regular review

• Is communicated effectively to all affected parties, including regular awareness training

• Is balanced between security of assets and ease of use

Probably the most important component of a security policy is the definition of acceptable use. It covers how systems are to be used, user password practices, what users can and cannot do, user responsibility in maintaining security, and disciplinary action if users engage in improper activity. It is essential that all users sign this policy, acknowledging that they have read and understood it. Ideally, users should review the acceptable use policy on an annual basis. This practice helps reinforce the message that security is important.

Finally, an organization's security policy guides the creation of a perimeter security policy (including firewalls), which we cover in a later section.