The success of any information security program rests on policy development, and the failure of a particular program can often be traced to this unmet need to build a foundation. In 1989, the National Institute of Standards and Technology addressed the point in Special Publication SP 500-169, Executive Guide to the Protection of Information Resources:
The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency. Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality (p.1).
Policy is the essential foundation of an effective information security program. As Charles Cresson Wood states in his widely referenced text Information Security Policies Made Easy (2003),
The centrality of information security policies to virtually everything that happens in the information security field is increasingly evident. These policies will stipulate the type of services that should be permitted, how to authenticate the identities of users, and how to log security-relevant events. An effective information security training and awareness effort cannot be initiated without writing information security policies because policies provide the essential content that can be utilized in training and awareness material (p.1).
Policy is essential because it is the primary mechanism an organization possesses to inform employees of expected behavior and to enforce it. Policy has the effect of law within the confines of the institution. However, while ignorantia legis neminem excusat (ignorance of the law is no excuse) holds in the public domain, ignorance of policy is a legally defensible position: an organization that cannot show an employee was informed of a policy and agreed to it has a weak case for enforcing it.
Although information security policies are among the least expensive information security controls to create, they are often the most difficult to implement. Policy-based controls typically cost only the time and effort the management team spends to create, approve, and communicate them, and the time and effort employees spend integrating the policies into their daily activities. Even when the management team hires an outside consultant to assist in the development of policy, the costs are minimal compared to other forms of control, especially technical controls (Whitman & Mattord, 2004).
Policy is “a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters” (Merriam-Webster, 2002). In other words, policies are a set of rules that dictate acceptable and unacceptable behavior within an organization. Policies must also specify the penalties for unacceptable behavior and define an appeal process. An example of a policy is an organization’s prohibition on viewing pornographic Web sites in the workplace.
To execute this policy, the organization must implement a set of standards. A standard is a more detailed statement of what must be done to comply with policy. To implement the anti-pornography policy, for example, the organization may set a standard that the network block access to pornographic Web sites. Practices (procedures and guidelines) then explain how employees will comply with policy.
For policies to be effective they must be properly disseminated, whether via personnel manuals, organizational intranets, periodic supplements, staff meetings, or training, to name a few channels. All members of the organization must read, understand, and agree to abide by the organization’s policies; failure to ensure any one of these requirements can negate the regulatory effect of policy. Policies also require ongoing modification and maintenance: as the needs of the organization evolve, so must its policies.
Some basic rules must be followed when shaping any policy, including information security policy:
• Policy should never conflict with law.
• Policy must be able to stand up in court, if challenged.
• Policy must be properly supported and administered.
Because policy is often difficult to implement, Bergeron and Berube (1990) proposed guidelines for the formulation of computer policy, which apply directly to information security policy as well:
1. “All policies must contribute to the success of the organization.
2. Management must ensure the adequate sharing of responsibility for proper use of information systems.
3. End users of information systems should be involved in the steps of policy formulation” (p. 16).
Bergeron and Berube further note that while it is an admirable goal for policies to be complete and comprehensive, too many policies or policies that are too complex can lower end-user satisfaction.
As Figure 1 illustrates, securing information requires protection mechanisms at multiple points. This is comparatively straightforward in the electronic arena, where most threats travel from the Internet, to the internal network, to the systems that house information, and finally to the information itself, and a control can be placed at each boundary. Inside the organization, however, there are only a few opportunities to protect information from the people who use it. These opportunities are security education, training and awareness (SETA) programs and policy.
Figure 1. Spheres of use and protection of information (Whitman & Mattord, 2003)
The use of multiple layers of protection is a concept called defense-in-depth: security components at multiple layers back each other up in the event that one layer’s controls fail. Until sound and usable IT and information security policy is developed, communicated, and enforced, no additional resources should be spent on controls other than policy.
EFFECTIVE INFORMATION SECURITY POLICIES
To produce complete information security policy in the organization, management must use three types of information security policy. These three types are based on National Institute of Standards and Technology Special Publication 800-14 (1996), which outlines the requirements for writing policy for senior managers. That document is recommended for professionals involved in creating policy and can be found at http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf. The three types of policy are:
• Enterprise information security program policy (EISP)
• Issue-specific information security policies (ISSP)
• Systems-specific information security policies (SysSP)
Enterprise Information Security Policy
An enterprise information security policy (EISP)—also known as a security program policy, general security policy, IT security policy, high-level information security policy or information security policy—sets the strategic direction, scope, and tone for all of an organization’s security efforts. The EISP assigns responsibilities for the various areas of information security, including maintenance of information security policies, and the practices and responsibilities of end users. In particular, the EISP guides the development, implementation, and management requirements of the information security program, which must be met by information security management, IT development, IT operations and other specific security functions.
The EISP is an executive-level document, drafted by the Chief Information Security Officer (CISO) in consultation with the Chief Information Officer (CIO), and shapes the security philosophy in the IT environment. The EISP usually does not require repeated or routine modification, unless there is a change in the strategic direction of the organization.
The EISP plays a number of vital roles, not the least of which is to state the importance of information security in support of the organization’s mission and objectives. Information security strategic planning derives from the IT strategic policy (if the Information Security department is placed under the control of the CIO), which is derived from the organization’s strategic planning. Unless the EISP directly reflects this association, the policy will likely become confusing and counter-productive.
Though specifics of EISPs vary from organization to organization, most EISP documents should provide the following:
• An overview of the corporate philosophy on security
• Information on the structure of the information security organization and individuals that fulfill the information security role
• Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners and visitors)
• Fully articulated responsibilities for security that are unique to each role within the organization
The formulation of program policy in the EISP establishes the overall information security environment. As noted earlier, many specific issues require policy guidance beyond what the EISP can offer; the next level of policy document, the issue-specific policy, delivers that specificity. The components of a good EISP are as follows:
1. Statement of Purpose - Answers the question “What is this policy for?” and provides a framework that helps the reader understand the intent of the document, for example: “This document will:
• Identify the elements of a good security policy
• Explain the need for information security
• Specify the various categories of information security
• Identify the information security responsibilities and roles
• Identify appropriate levels of security through standards and guidelines” (WUSTL, 2002).
2. Information Security Elements - Defines information security. It can also lay out security definitions or philosophies in order to clarify the policy. For example: “Protecting the confidentiality, integrity and availability of information while in processing, transmission and storage, through the use of policy, education & training, and technology…” (WUSTL, 2002).
3. Need for Information Security - Provides information on the importance of information security in the organization and the obligation (legal and ethical) to protect critical information whether regarding customers, employees, or markets.
4. Responsibilities and Roles - Defines the organizational structure designed to support information security within the organization. Includes identification of categories of individuals with responsibility for information security (IT dept, management, users) and their information security responsibilities, including maintenance of this document.
5. Reference to Other Standards and Guidelines - Lists other standards that influence and are influenced by this policy document. These could include relevant federal and state laws as well as other policies in place in the organization. (Note: this outline was derived from a number of sources, the most notable of which is WUSTL, 2002.)
Issue-Specific Security Policy (ISSP)
A sound issue-specific security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems. The ISSP should begin with an introduction of the fundamental technological philosophy of the organization. It should assure the members of the organization that the purpose of the policy is not to provide a legal foundation for persecution or prosecution, but to provide a common understanding of the purposes for which an employee can and cannot use the technology. Once this understanding is established, employees are free to use the technology without seeking approval for each type of use. This serves to protect both the employee and the organization from inefficiency and ambiguity. According to Whitman et al. (1999), an effective ISSP:
• Articulates the organization’s expectations about how the technology-based system in question should be used
• Documents how the technology-based system is controlled and identifies the processes and authorities that provide this control
• Serves to indemnify the organization against liability for an employee’s inappropriate or illegal system use
An effective ISSP is a binding agreement between parties (the organization and its members) and shows that the organization has made a good faith effort to ensure that its technology is not used in an inappropriate manner. An ISSP may be drafted to cover many topics, including e-mail, use of the Internet and World Wide Web, office computing equipment, and a host of other fair and responsible use areas. The specific situation of any particular organization dictates the exact wording of the security procedures as well as issues not covered within these general guidelines. There are seven major sections of a good ISSP (Whitman, 2003). These are described here in detail.
1. Statement of Purpose - a clear statement of purpose that outlines the scope and applicability of the policy, addressing the purpose of this policy, who is responsible and accountable for policy implementation and what technologies and issues the policy document addresses.
2. Authorized Access and Usage of Equipment - who can use the technology governed by the policy, and for what purposes. This section defines “fair and responsible use” of equipment and other organizational assets, as well as addressing key legal issues, such as protection of personal information and privacy.
3. Prohibited Usage of Equipment - what the issue or technology cannot be used for, that is, personal use, disruptive use or misuse, criminal use, offensive or harassing materials, and infringement of copyrighted, licensed, or other intellectual property. Unless a particular use is clearly prohibited, the organization cannot penalize employees for such usage.
4. Systems Management - the users’ relationships to systems management, including systems maintenance and storage authorization and restriction. The Systems Management section should specify users’ and systems administrators’ responsibilities.
5. Violations of Policy - the penalties and repercussions of violating the usage and systems management policies, as well as instructions on how to report observed or suspected violations, either openly or anonymously.
6. Policy Review and Modification - procedures and a timetable for periodic review. This section should contain a specific methodology for the review and modification of the ISSP, to ensure that users always have guidelines that reflect the organization’s current technologies and needs.
7. Limitations of Liability - a general statement of liability or set of disclaimers. If an individual employee is caught conducting illegal activities with organizational equipment or assets, management does not want the organization held liable. Therefore, if employees violate a company policy or any law using company technologies, the company will not protect them, and is not liable for their actions, assuming that the violation is not known or sanctioned by management.
Systems-Specific Policy (SysSP)
While issue-specific policies are formalized as written documents, distributed to users, and agreed to in writing, systems-specific policies (SysSPs) are frequently codified as standards and procedures used when configuring or maintaining systems. One example of a SysSP is a document describing the configuration and operation of a network firewall. This document could include a statement of managerial intent, guidance to network engineers on selecting, configuring, and operating firewalls, and an access control list that defines levels of access for each authorized user. Systems-specific policies can be organized into two general groups, management guidance and technical specifications.
Management Guidance SysSPs
A management guidance SysSP is created by management to guide the implementation and configuration of technology intended to support the security of information. While the specific configuration of a firewall belongs in the technical specifications SysSP, the general construction and implementation of the firewall must follow guidelines established by management. For example, an organization may decide that its employees should not have access to the Internet via the organization’s network; the firewall would then have to be implemented according to this rule.
Systems-specific policies can be developed at the same time as ISSPs, or they can be prepared in advance of their related ISSPs. Before management can craft a policy informing users what they can do with the technology and how they may do it, it might be necessary for system administrators to configure and operate the system. Some organizations may prefer to develop ISSPs and SysSPs in tandem, so that operational procedures and user outcomes are developed at the same time.
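The following is an added example, not code from the page or from any firewall product, of how the management guidance in the previous paragraphs (employees may not reach the Internet through the organization’s network) becomes a technical rule set. The address range, rule format and sample packets are constructed for illustration. It goes slightly beyond the text by adding the two checks an administrator would run before deploying such rules: that the set ends in an explicit default deny, and that no rule is shadowed by an earlier, broader one.

```python
"""Added example (not from the page or any vendor): turning the management
guidance 'employees may not reach the Internet through the organization's
network' into firewall configuration rules. Addresses, rule format and
packets are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Optional

INTERNAL = IPv4Network("10.0.0.0/8")   # assumed internal address range
ANY = IPv4Network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]    # None matches any destination port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))

def decide(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """First-match evaluation: rule order is part of the policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-default"   # only reached if no catch-all rule exists

# The management rule, expressed as an ordered rule set with an explicit default.
RULES = [
    Rule("internal-to-internal", "allow", INTERNAL, INTERNAL, None),
    Rule("no-internet-egress", "deny", INTERNAL, ANY, None),
    Rule("default-deny", "deny", ANY, ANY, None),
]

def audit(rules: list[Rule]) -> list[str]:
    """Pre-deployment checks: an explicit default deny at the end, and no rule
    shadowed by an earlier, broader rule (a shadowed rule never fires, so the
    policy it was meant to express is silently lost)."""
    findings = []
    last = rules[-1]
    if not (last.action == "deny" and last.src == ANY and last.dst == ANY
            and last.dport is None):
        findings.append("rule set does not end in an explicit default deny")
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                findings.append(f"{later.name} is shadowed by {earlier.name}")
                break
    return findings

if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", "10.5.0.1", 443),
                Packet("10.1.2.3", "93.184.216.34", 443)):
        print(pkt, "->", decide(RULES, pkt))
    print("audit:", audit(RULES) or "clean")
```

The point of the example is that the management sentence fixes the outcome, but the technical SysSP must also fix rule order and the default action; swapping the first two rules or dropping the last one changes what the firewall actually enforces, which is what the audit function catches.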
Technical Specifications SysSPs
While a manager may work with a systems administrator to create managerial policy as specified previously, the system administrator may need to create a different type of policy to implement the managerial policy. Each type of equipment has its own type of policies, which translate the management intent for the technical control into an enforceable technical approach. For example, an ISSP may require that user passwords be changed quarterly; a systems administrator can implement a technical control within a specific application to enforce this policy. There are two general methods of implementing such technical controls:
• access control lists, which include the user access lists, matrices, and capability tables that govern the rights and privileges of users, and
• configuration rules, the specific configuration codes entered into security systems to guide the execution of the system when information passes through it.
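As an added example, not from the page, the following shows both methods just listed on constructed data. A single access control matrix is the source of truth; reading it per object gives the ACL view and reading it per subject gives the capability table view, which is why the two are listed together. A configuration rule then turns the ISSP’s “passwords change quarterly” into an enforceable check (90 days is assumed as the quarter). Subjects, objects, rights and dates are constructed for illustration.

```python
"""Added example (not from the page): the two technical-specification forms
named above. One access control matrix is the source of truth; reading it
per object gives the ACL view, per subject the capability-table view. A
configuration rule then enforces the ISSP requirement that passwords change
quarterly. Subjects, objects, rights and dates are constructed."""
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

Matrix = Dict[Tuple[str, str], Set[str]]   # (subject, object) -> rights

MATRIX: Matrix = {                          # constructed sample
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "printer-3"): {"use"},
    ("svc-backup", "payroll.db"): {"read"},
}

def acl(matrix: Matrix, obj: str) -> Dict[str, List[str]]:
    """ACL view: for one object, which subjects hold which rights. This is the
    form a file system or firewall stores alongside the object."""
    return {s: sorted(r) for (s, o), r in matrix.items() if o == obj}

def capability_table(matrix: Matrix, subject: str) -> Dict[str, List[str]]:
    """Capability view: for one subject, which objects it may touch and how."""
    return {o: sorted(r) for (s, o), r in matrix.items() if s == subject}

def authorized(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Default deny: a missing entry is a denial, not an error."""
    return right in matrix.get((subject, obj), set())

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed reading of "changed quarterly"

def password_change_overdue(accounts: Dict[str, Optional[date]], today: date) -> List[str]:
    """Accounts whose password is older than the rule allows. A None last-change
    date (never changed since provisioning) counts as overdue, so service
    accounts are caught too; exempting them must be an explicit decision."""
    return sorted(name for name, last in accounts.items()
                  if last is None or today - last > MAX_PASSWORD_AGE)

def enforce_password_rule(matrix: Matrix, accounts: Dict[str, Optional[date]],
                          today: date) -> Tuple[Matrix, List[str]]:
    """Technical control for the rule: overdue subjects keep their matrix rows
    but lose every right until the password is changed. Returns the new matrix
    and the locked subjects; the input matrix is left unchanged."""
    overdue = set(password_change_overdue(accounts, today))
    locked = {k: (set() if k[0] in overdue else set(v)) for k, v in matrix.items()}
    return locked, sorted(overdue)

ACCOUNTS: Dict[str, Optional[date]] = {      # constructed sample: last password change
    "alice": date(2004, 3, 1),
    "bob": date(2004, 1, 10),
    "svc-backup": None,
}
TODAY = date(2004, 4, 15)

if __name__ == "__main__":
    print("ACL for payroll.db:", acl(MATRIX, "payroll.db"))
    print("capabilities of bob:", capability_table(MATRIX, "bob"))
    after, locked = enforce_password_rule(MATRIX, ACCOUNTS, TODAY)
    print("locked:", locked, "| bob may print:", authorized(after, "bob", "printer-3", "use"))
```

Keeping the matrix as the single source and deriving both views from it avoids the usual failure of ACLs and capability tables drifting apart; the lock step shows how a configuration rule and the access control data interact rather than living in separate documents.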
To deal with the complexities of developing and implementing policies, organizations are increasingly turning to alternate solutions. These range from templates based on the work of established experts in the field (e.g., Charles Cresson Wood) to automated policy approval and distribution systems such as Security Policy Management from NetIQ (Security Policy Management, 2004). Such systems simplify the onerous tasks of drafting policy, obtaining management approval, distributing it to end users, and documenting compliance by providing a structure into which the draft policy is placed. Control and approval pass from author to reviewer, and the policy is eventually published to end users. Once users have read the policy, the system records that they have done so and can administer quizzes on policy content. Use of systems like these greatly improves the organization’s ability to issue and manage policy as an effective tool in supporting ongoing operations.
The early years of the 21st century have seen the emergence of information security both as a practical area of specialization in information technology and as an academic discipline in post-secondary education. As many new members join the information security community, it is important that the primary role of policy, as the mechanism whereby an organization defines what is to be secured, is clearly understood. Without sound policy as a foundation, constructed with the same care and attention to detail required of every other part of the information security mission, an organization is less likely to succeed in its mission to protect information assets.
Access Control List (ACL): A list of people or other entities permitted to access a computer resource.
Capability Table: Synonymous with capabilities table. A list that specifies data items or physical devices (for example printers) that users are authorized to access.
Defense in Depth: The multiple levels of security controls and safeguards that an intruder faces.
Enterprise Information Security Policy (EISP): A policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts.
Issue-Specific Security Policy (ISSP): A policy that provides detailed, targeted guidance to instruct all members of the organization in the use of technology-based systems.
Policy: A body of expectations that describe acceptable and unacceptable behaviors of employees in the workplace.
Standards: Detailed statements of actions that comply with policy.
Systems-Specific Security Policy: Policies codified as standards and procedures used when configuring or maintaining systems.