Information Security management: Security Policy Implementation
Security Policy Implementation
Security policies are the foundation of a sound security implementation. Often, organizations will implement technical security solutions without first creating this foundation of policies, standards, guidelines, and procedures, thus unintentionally creating unfocused and ineffective security controls.
We discuss the following questions in this section:
- What are policies, standards, guidelines, and procedures?
- Why do we use policies, standards, guidelines, and procedures?
- What are the common policy types?
Policies, Standards, Guidelines, and Procedures
Policy is one of those terms that can mean several things. For example, there are security policies on firewalls, which refer to the access control and routing list information. Standards, procedures, and guidelines are also referred to as policies in the larger sense of a global information security policy.
A good, well-written policy is more than an exercise created on white paper - it is an essential and fundamental element of sound security practice. A policy, for example, can literally be a lifesaver during a disaster, or it might be a requirement of a governmental or regulatory function. A policy can also provide protection from liability due to an employee’s actions, or it can control access to trade secrets.
NIST categorizes computer system security policies into three basic types:
- Program policy - used to create an organization’s computer security program
- Issue-specific policies - used to address specific issues of concern to the organization
- System-specific policies - technical directives taken by management to protect a particular system
Program policies and issue-specific policies both address policy from a broad level, usually encompassing the entire organization. Program policy is traditionally more general and strategic; for example, the organization’s overall computer security program may be defined in a program policy. An issue-specific policy is a nontechnical policy addressing a single or specific issue of concern to the organization, such as the procedural guidelines for checking disks brought to work or e-mail privacy concerns. Issue-specific policies are similar to program policies in that they are not technically focused.
However, program policy and issue-specific policies do not provide sufficient information or direction on, for example, how to establish an access control list or how to train users on which actions are permitted. System-specific policies fill this need. A system-specific policy is technically focused and addresses only one computer system or device type.
| Policy type | Description | Example |
| --- | --- | --- |
| Program policy | High-level program policy | Senior-level management statement |
| Issue-specific policy | Addresses single issue | E-mail privacy policy |
| System-specific policy | Single-system directives | Router access control lists |

Source: NIST Special Publication 800-12, “An Introduction to Computer Security: The NIST Handbook.”
Policy Types
In the corporate world, when we refer to specific policies rather than a group policy, we generally refer to those policies that are distinct from the standards, procedures, and guidelines. Policies are considered the first and highest level of documentation, from which the lower-level elements of standards, procedures, and guidelines flow. This order, however, does not mean that policies are more important than the lower elements. These higher-level policies, which are the more general policies and statements, should be created first in the process for strategic reasons; the more tactical elements can then follow.
- An acknowledgment of the importance of the computing resources to the business model
- A statement of support for information security throughout the enterprise
- A commitment to authorize and manage the definition of the lower-level standards, procedures, and guidelines
- Regulatory policies. Regulatory policies are security policies that an organization must implement because of compliance, regulatory, or other legal requirements. Such organizations might be financial institutions, public utilities, or other organizations that operate in the public interest. These policies are usually very detailed and are specific to the industry in which the organization operates.

  Regulatory policies commonly have two main purposes:
  - To ensure that an organization is following the standard procedures or base practices of operation in its specific industry
  - To give an organization the confidence that it is following the standard and accepted industry policy

- Advisory policies. Advisory policies are security policies that are not mandated but are strongly suggested, perhaps with serious consequences defined for failure to follow them (such as termination, a job action warning, and so forth). A company with such policies wants most employees to consider these policies mandatory. Most policies fall under this broad category.

  Advisory policies can have many exclusions or application levels. Thus, these policies can control some employees more than others, according to their roles and responsibilities within the organization. For example, a policy that requires a certain procedure for transaction processing might allow an alternative procedure under certain specified conditions.

- Informative policies. Informative policies exist simply to inform the reader. There are no implied or specified requirements, and the audience for this information could be certain internal (within the organization) or external parties. This does not mean that the policies are authorized for public consumption, but rather that they are general enough to be distributed to external parties (vendors accessing an extranet, for example) without a loss of confidentiality.
The formal issuance of a security policy should be given especially high visibility, because nearly all employees at all levels will be affected in some way, major organizational resources will be addressed, and many new terms, procedures, and activities will be introduced.
Including security as a regular topic at staff meetings at all levels of the organization can be helpful. Also, providing visibility through such avenues as management presentations, panel discussions, guest speakers, question/answer forums, and newsletters can be beneficial.
Standards, Guidelines, and Procedures
The next level down from policies consists of the three elements of policy implementation: standards, guidelines, and procedures. These three elements contain the actual details of the policy, such as how it should be implemented and what standards and procedures should be used. They are published throughout the organization via manuals, the intranet, handbooks, or awareness classes.
It is important to know that standards, guidelines, and procedures are separate yet linked documents, distinct from the general policies (especially the senior-level statement). Unfortunately, companies will often create one document that tries to satisfy the needs of all of these elements. This is poor practice. Here are a few good reasons why the standards, guidelines, and procedures should be kept separate from the general policies:
- Each of these elements serves a different function and focuses on a different audience. Also, physical distribution of the policies is easier.
- Security controls for confidentiality are different for each policy type. For example, a high-level security statement might need to be available to investors, but the procedures for changing passwords should not be available to anyone who is not authorized to perform the task.
- Updating and maintaining the policy is much more difficult when all the policies are combined into one voluminous document. Mergers, routine maintenance, and infrastructure changes all require that the policies be routinely updated. A modular approach to a policy document will keep the revision time and costs down.

The three elements are defined as follows:

- Standards. Standards specify the use of specific technologies in a uniform way. This standardization of operating procedures can be a benefit to an organization by specifying the uniform methodologies to be used for the security controls. Standards are usually compulsory and are implemented throughout an organization for uniformity.
- Guidelines. Guidelines are similar to standards; they refer to the methodologies of securing systems, but they are only recommended actions and are not compulsory. Guidelines are more flexible than standards and take into consideration the varying nature of the information systems. Guidelines can be used to specify the way standards should be developed, for example, or to guarantee adherence to general security principles.
- Procedures. Procedures embody the detailed steps that are followed to perform a specific task. Procedures are the detailed actions that personnel must follow. They are considered the lowest level in the policy chain. Their purpose is to provide detailed steps for implementing the policies, standards, and guidelines previously created. Practices is also a term that is frequently used in reference to procedures.
Baselines
Once a consistent set of baselines has been created, it is possible to design the security architecture of an organization and develop standards. Baselines take into consideration the differences between various operating systems, for example, to ensure that security is being uniformly implemented throughout the enterprise.