Developing Effective Information Systems Security Policies
Not recorded
Abstract
This paper takes a top-down approach and provides a high-level overview for developing effective information systems policies. The opening section describes the importance of management commitment. A management oversight committee is introduced as the primary team representing an organization for the purposes of implementing an information systems security program based on policy. A general outline for designing an effective information systems security policy is then proposed. Finally, the conditions necessary for effective policies are described.

INTRODUCTION

Information systems security policies primarily address threats. In the absence of threats, policies would be unnecessary—one could do as one chooses with information. Unfortunately, threats do exist and information systems security policies are necessary to provide a framework for selecting and implementing countermeasures against them. An enforceable written policy helps ensure that everyone within the organization coherently behaves in an acceptable manner with respect to information security. A well-designed information security policy defines the objectives of the information system of an organization and outlines a strategy to achieve these stated objectives. Conversely, an information system without security policies is likely to be a disjoint collection of countermeasures that address a variety of threats [10]. Information systems security policies, then, can often be used to help integrate the many different aspects of an enterprise to achieve business objectives.

Policies, standards, guidelines, and training materials that are obsolete and not enforced are particularly dangerous to an organization because management is often deceived into believing that security policies do not exist and that the organization is operating more effectively than it actually is. All organizations need to periodically review, test, and discard unenforced and otherwise obsolete rules, controls, and procedures to avoid this false sense of security. An alternative to periodic reviews is to specify a time limit for applying policies and standards and assign a limited life span to mandatory controls, specifying when they should become effective and when they should be nullified or replaced—a technique generally referred to as sunsetting.

© SANS Institute 2001, As part of the Information Security Reading Room. Author retains full rights.

Computers are inherently vulnerable to a wide array of threats. It is generally worse to have no safeguards at all than to think that security is in place when it is not. This situation, known as negative value security, fosters complacency and diverts attention from the information assets, which are mistakenly presumed to be secure, making the information more attractive to hackers or more vulnerable to accidental loss. Information systems security policies are designed to address these threats.

MANAGEMENT COMMITMENT

Management commitment to security is essential to motivate information resource owners and users and to provide the visibility needed by the information systems security team to ensure the support of the business units. Because there are few natural motivations for security, other than actual loss experience, managerial commitment to information systems security is probably the most important factor in a successful security system. In a distributed computing environment, this commitment can be demonstrated to end-users and systems staff through the managers’ own practices and performance reviews.
Security training materials, guidelines, and computing practices should be signed off and approved by the authoritative local sources—typically managers who decide and issue rewards and penalties. In an interview with Bob Artner of TechRepublic, William Malik, Vice President and Research Area Director for the Gartner Group, states that senior management has to recognize that the integrity of the enterprise depends on their commitment to information security and set the example for the organization [1]. It is important to note that management commitment does not guarantee success, but its absence will certainly increase the likelihood of failure. Management support of security provides the information systems security team with high visibility and fosters good rapport with high-level managers, particularly the senior managers of information intensive business units. Without the support of those individuals for the information systems security effort, their employees are less likely to support the effort. The best time to obtain visibility for information security is when a loss occurs. If the loss occurs in the organization or business unit with the most resistance to information systems security or the greatest need for security, then the need for information systems security becomes more apparent. Emphasizing the negative effects of a loss experience on the whole organization can be one way of applying pressure to motivate all business units to improve security. Another way to obtain visibility is for the information systems security team to publish lists of business units ranked by the quality of their information security. This offers a positive reinforcement for the business units that take an active role in information systems security and applies pressure to those business units that do not. 
MANAGEMENT OVERSIGHT COMMITTEE

Many organizations have a management oversight committee for information systems security. Other organizations include information systems security issues in general oversight committees for technical or administrative concerns. In either case, the constituency of the oversight committee often reflects central IT services or corporate security, but does not specifically apply to information systems security for a distributed computing environment. In this case, the organization may need to reorganize or expand the existing committees to represent the new order of distributed computing needs. Members should include the senior managers of business units actively engaged in the distributed computing environment, as well as managers who rely on external data communications, such as field sales and services. This type of committee, which is crucial for ensuring ongoing managerial commitment, should be responsible for authorizing, reviewing, approving, and distributing corporate policies and standards. To increase the effectiveness of this committee, at least one member should have regular access to the senior managers of the organization.

POLICY DEVELOPMENT RESPONSIBILITIES

Either the information systems security team or the IT policies and standards group under the direction of the information systems security team should be responsible for drafting appropriate policies and policy updates. As an alternative, some organizations assign the responsibility to a task group under the auspices of a management oversight committee. This is a common arrangement when the policies are being written or updated in conjunction with a reorganization or more drastic re-engineering of the information systems security team. It is generally not a good idea to assign the policy-writing task to third-party consultants or use shelfware, since the style and form should be consistent with existing policies and should reflect the corporate culture [3,5].

It is important that the team drafting information systems security policies be sufficiently familiar with both current technologies and corporate culture to make intelligent decisions. Familiarity with current technologies requires an understanding of both the security capabilities and the limitations of technological solutions to protect the organization against threats. Understanding the corporate culture additionally allows the policy development team to design an information systems security policy that can best ensure compliance. Prior to drafting new policies, it is often helpful to review policies of similar organizations to use as models. Although Mike Cunningham and Raymond Iandolo independently offer examples of acceptable use policies for review in the SANS Reading Room, Charles Cresson Wood and the SANS Institute offer a more comprehensive collection of policies that an organization can tailor for its use [2,4,9,11].

TYPES OF POLICIES

Establishing policy is very much an issue of corporate culture. Management support, wording, and distribution depend upon history, loss experience, the business and industry, government regulations, the personal philosophies of senior management, previous policies, and other factors within the organization [2,6,7,8,11]. If the corporate culture supports specific written policies on various subjects such as IT, various internal services, and ethics, then it is likely that a written policy on information systems security will exist. However, some organizations have a policy of not having written policies. Attorneys often do not like policies because they can be used against the organization if it violates them, and policies are often violated as a means to achieve short-term objectives for resolving business problems or achieving business goals. If an organization distributes a written policy, it should be mandatory and reflect senior management’s requirements for organizational behavior.

When policies are written at a sufficiently high level of abstraction, they do not need to be changed as the IT department and organization change. Organizational changes such as mergers, acquisitions, reengineering, or the adoption of an industry standard can occur with little or no need to modify the policies. Information systems security policies should be flexible and should permit exceptions, when appropriate. At the highest level of abstraction, policies are only a few pages long, with an officer or senior manager of the organization usually signing off on the policy to give it the proper authority. Some organizations include operational or tactical requirements in the form of control objectives with their policy statements. Others combine brief, high-level policy statements with more detailed standards, resulting in a document that may create problems when the organization needs to disclose policies without revealing its standards. Therefore, it is generally a good practice to separate high-level policy from specific standards.
Operational or tactical policies are typically longer than high-level policy statements and may be either system-specific or issue-specific. Typically, middle managers, or higher, sign off on these documents.
Publication date: 2013