Developing Information Security Policy

Why is Developing Good Security Policy Difficult?
• Effective Security/IA Policy is more than locking doors and changing passwords
• Must reflect the entire enterprise/organization and its business goals and mission areas
• Needs to address a multitude of issues
  – Human resources
  – IT
  – Physical Security
  – Costs
  – Governance

Why is Developing Good Security Policy Difficult?
• Must be comprehensive
• To be effective the policy must be unambiguous
• Must be a human document – not technical

Getting Started
• “The first step toward enhancing an organization’s security is the development and implementation of a precise, yet enforceable security policy, informing staff of the various aspects of their responsibilities, general use of organizational resources, and explaining how sensitive information must be handled. The policy will also describe in detail the meaning of the term acceptable use, as well as listing prohibited activities.”
• Building and Implementing a Successful Information Security Policy, by Dancho Danchev, WindowSecurity.com, 2003

Know the Organization
• When developing a Security/IA Policy it is critical to first know the organization
  – Business model
  – Goals/Mission
  – Organizational Personality
  – Structure

Risk Analysis
• Policy developer(s) need to know the risks facing an organization
• Either conduct a Risk Analysis or access existing risk data
• Understand how the organization does or intends to manage risk
• Must include a Vulnerability assessment

Risk Assessment
• Risk management approaches are better for connecting to business drivers and for protecting the right assets.
• However, even risk-based approaches are limiting if there is no enterprise context or view:
  – Organizations are often not likely to act on findings even when they direct or perform the assessment
  – Operational unit strategies for protecting assets frequently collide with enterprise barriers, such as a lack of security policy or training
  – Operational units cannot devise and deploy an effective protection strategy for the enterprise
• Therefore – the need for effective policy!!

Vulnerability Assessment
• Technology-based approaches such as vulnerability management approaches aren’t enough
  – Reactive
  – Tool driven
  – Focused in the technical domain
  – Performed by technicians (IT) primarily
  – Lack of connection to business drivers, mission
  – Security relegated to the responsibility of IT
  – IT-based security decisions based on their drivers
  – Focused on information or network security, but not administration, operations, or infrastructure (physical)

Standards
• Know and understand the organizational standards that will be used for guidance within the policy.
• Can be broader based standards adopted by the organization
• Used as a basis for developing comprehensive and enforceable policy
• Shall, Will, Must!!!

Issue Statements
• These statements define each of the issues addressed within the policy document
• Access control
• Unauthorized software
• Unauthorized use
• Data protection
• Personnel requirements
• Etc.

Applicability
• Identifies Where, How, When, To Whom and To What the security/IA policy applies
• Making this clear is critical to governance/enforcement
• Critical to eliminating ambiguities

Establish Responsibilities
• Clarifies who is responsible for what or whom
• Can be an effective way to bring the organization together
• Sharing responsibility for organizational security can expand the number of people who believe they are stakeholders in the success of the organization
• Important for compliance

Compliance
• Compliance requirements must be precise
• Should be applied equally within the organization
• Needs to define consequences of compliance failures
• Consequences do not have to be punitive
• Punitive measures should be able to be applied at all levels of an organization
• Compliance issues should be described as a means of ensuring success – not just identifying failure

Points of Contact
• It is essential that people within an organization know who to contact with security issues
• Questions on security/IA policy should be able to be resolved rapidly and clearly
• Security policy management should be seen as an asset to the workings of the organization

Visibility
• To be effective a security/IA policy must be visible
• Readily available to all personnel
• Should be provided at hire
• Security training must be part of new-hire indoctrination
• Continued training and security awareness should be part of the organizational culture

Policy Challenges
• Potential barriers to success for developing a security/IA policy that is effective across the enterprise:
  – failing to realize that security management is a business issue as well as a technological challenge
  – security goals that are aligned with the CIO, not the organization
  – good policy needs more than IT working together to achieve information security goals
  – effective policy will convince organizational units other than IT that they should care about information security

Policy Challenges
• Security/IA Policy has to be part of the strategic plan for an organization
• Security strategies must also enable the organization, but must be balanced against potentially limiting the achievement of other strategic objectives