
Developing Information Security Policy
Why is Developing Good Security Policy Difficult?

Effective Security/IA Policy is more than locking doors and changing passwords
Must reflect the entire enterprise/organization and its business goals and mission areas
Needs to address a multitude of issues, including:
Human resources
IT
Physical Security
Costs
Governance
Why is Developing Good Security Policy Difficult?

Must be comprehensive
To be effective the policy must be unambiguous
Must be a human document, not a technical one
Getting Started
The first step toward enhancing an organization's security is the development and implementation of a precise, yet enforceable security policy, informing staff of the various aspects of their responsibilities, general use of organizational resources, and explaining how sensitive information must be handled. The policy will also describe in detail the meaning of the term acceptable use, as well as listing prohibited activities.

Building and Implementing a Successful Information Security Policy, by Dancho Danchev, WindowSecurity.com, 2003
Know the Organization
When developing a Security/IA Policy it is critical to first know the organization:
Business model
Goals/Mission
Organizational Personality
Structure
Risk Analysis
Policy developer(s) need to know the risks facing an organization
Either conduct a Risk Analysis or access existing risk data
Understand how the organization does or intends to manage risk
Must include a Vulnerability Assessment
Risk Assessment
Risk management approaches are better for connecting to
business drivers and for protecting the right assets.
However, even risk-based approaches are limiting if there is no
enterprise context or view:
Organizations are often not likely to act on findings even when
they direct or perform the assessment
Operational unit strategies for protecting assets frequently collide
with enterprise barriers, such as a lack of security policy or
training
Operational units cannot devise and deploy an effective protection
strategy for the enterprise

Therefore the need for effective policy!!


Vulnerability Assessment
Technology-based approaches such as vulnerability management aren't enough on their own:
Reactive
Tool driven
Focused in the technical domain
Performed primarily by technicians (IT)
Lack of connection to business drivers and mission
Security relegated to the responsibility of IT
IT-based security decisions driven by IT's own priorities rather than the mission
Focused on information or network security, but not on administration, operations, or physical infrastructure
Standards
Know and understand the organizational standards that will be used for guidance within the policy.
Can be broader-based standards adopted by the organization
Used as a basis for developing comprehensive and enforceable policy
Use normative language: Shall, Will, Must!!!


Issue Statements
These statements define each of the issues addressed within the policy document:

Access control
Unauthorized software
Unauthorized use
Data protection
Personnel requirements
Etc.
Applicability
Identifies Where, How, When, To Whom and To What the security/IA policy applies
Making this clear is critical to governance/enforcement
Critical to eliminating ambiguities


Establish Responsibilities
Clarifies who is responsible for what or whom
Can be an effective way to bring the organization together
Sharing responsibility for organizational security can expand the number of people who believe they are stakeholders in the success of the organization
Important for compliance


Compliance
Compliance requirements must be precise
Should be applied equally within the organization
Needs to define consequences of compliance failures
Consequences do not have to be punitive
Punitive measures must be applicable at all levels of an organization
Compliance issues should be described as a means of ensuring success, not just identifying failure
Points of Contact
It is essential that people within an organization know who to contact with security issues
Questions on security/IA policy should be resolvable rapidly and clearly
Security policy management should be seen as an asset to the workings of the organization
Visibility
To be effective a security/IA policy must be visible
Readily available to all personnel
Should be provided at hire
Security training must be part of indoctrination (onboarding)
Continued training and security awareness should be part of the organizational culture
Policy Challenges
Potential barriers to success for developing a security/IA policy that is effective across the enterprise:
Failing to realize that security management is a business issue as well as a technological challenge
Security goals aligned with the CIO rather than with the organization as a whole
Good policy needs more than IT working together to achieve information security goals
Effective policy will convince organizational units other than IT that they should care about information security
Policy Challenges
Security/IA Policy has to be part of the strategic plan for an organization
Security strategies must also enable the organization, but must be balanced against potentially limiting the achievement of other strategic objectives
