JOnline: Creating and Enforcing an Effective Information Security Policy 

Download Article

Two years ago, several Internet worms impacted business in a way that had never been seen before. Slammer, SoBig, Blaster and other fast-spreading worms leveled networks at private and public organizations and disrupted services on a global scale. Yet these threats pale in comparison to the potential dangers of future Internet attacks.

Compared to the time of Slammer and Blaster in 2003, exploit writers have increased their speed and sophistication. In January 2003, the Slammer worm appeared six months after the vulnerability it exploited was disclosed and patched. In August of the same year, the wide-ranging Blaster worm leveled networks less than four weeks after its vulnerability was publicly disclosed. By the end of 2004, the average time between the disclosure of a vulnerability and the publication of an exploit for it had fallen to 6.4 days, and the exploit writers are only getting faster.

In the future, Warhol threats are likely to emerge with the ability to spread across the Internet, infecting vulnerable systems in 15 minutes or less. Flash threats, which are predicted to take less than 30 seconds to spread across the Internet, present an even greater danger to organizations interested in keeping networks secure, up and running. Reactive measures to these threats will merely be a case of too little, too late.

Aside from security concerns, corporations also need to comply with a variety of government regulations. The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires US healthcare and insurance providers to protect patient privacy by regulating the handling and electronic transmission of protected health information. Companies with US operations are also subject to the Sarbanes-Oxley Act of 2002, which calls for publicly traded companies to attest to their financial statements and to show that the data and procedures used to compile those statements are resistant to fraud. The Gramm-Leach-Bliley Act (GLBA) affects the financial services industry in the US by mandating that institutions design, implement and maintain safeguards to protect customer information.

In addition to federal legislation, other regulations and standards are targeted at specific states and industries. The California (USA) data privacy law (California SB 1386) requires companies doing business in California to notify residents whose unencrypted personal information has been exposed by a security breach. The North American Electric Reliability Council (NERC) standards for reliability, with implications for Canada, the US and parts of Mexico, help regulate the utilities industry.

To prevent dangerous security threats and to comply with a variety of industry and federally mandated standards, corporations need to implement a proactive information security strategy. The first step in executing this strategy should be to create a solid, enforceable security policy.

The Purpose of a Policy

The main goal of a corporate security policy is to protect data by defining the procedures, guidelines and practices for configuring and managing security in the corporate environment. It is imperative that the policy define the organization's philosophy and requirements for securing information assets. It is also important that the policy state to whom and to what it applies: corporate employees, processes and environments. Consequences for noncompliance must also be addressed.

A successful information security policy provides several benefits to corporations. Enforceable policies ensure that vulnerabilities are identified and addressed, protecting business continuity and fortifying the IT infrastructure. When employees throughout an organization follow a security policy, information is shared safely within the organization as well as with customers, partners and vendors, which mitigates corporate risk. Also, the heightened security awareness that comes with a published policy increases the likelihood of individual compliance.

Forming an Information Security Policy

The first step to creating an effective information security policy is evaluating information assets and identifying threats to those assets. Some assets within an organization will be more valuable than others, but monetary value should not be the only factor. Determining both the monetary value and the intrinsic value of an asset is essential in accurately gauging its worth. To calculate an asset’s monetary value, an organization should consider the impact if that asset’s data, networks or systems are compromised in any way. To calculate intrinsic value, an organization must consider a security incident’s impact on credibility, reputation and relationships with key stakeholders.

When assessing potential threats, both external and internal threats must be considered. External threats include viruses, worms, Trojan horses, hacking attempts and anything else that tries to break an organization's security infrastructure from the outside. Internal threats include abuse of critical systems and data, surfing objectionable Internet content, and inappropriate Internet use. The most costly internal threats come from inside perpetrators who already have extensive access to the network, so no perimeter control stands between them and the assets.

Following the identification of assets and threats, the next step in creating a policy is for organizations to perform a risk assessment. By weighing security against exposure, this assessment allows an organization to decide whether information is underprotected, overprotected or adequately protected. The goal for this risk assessment should be to minimize expenses without exposing an organization to unnecessary risk. This assessment will help in determining the proper allocation of resources once the security policy is effectively in place.

Since an information security policy will have an effect on people throughout the organization, a team should take the responsibility for drafting the policy together. This team should include executives, IT administrators, information security experts, human resource managers, public relations managers, legal counsel and IT auditors. Approval for the policy should come from the highest possible level in the corporate environment.

The Three Components of an Effective Security Policy

While an information security policy is commonly referred to in the singular, an actual policy includes a suite of living documents: the security policy document, a standards document set and a procedures document set. While the policy itself gets the most attention, it often is the shortest document, sometimes taking up only two full pages.

An information security policy makes up for its brevity with the importance of its content. There are usually four key elements to a successful security policy document: to whom and what the policy applies, the need for adherence, a general description, and consequences of nonadherence. These four tenets of the policy provide the foundation for the remaining documents. Once this document is finished, it must be approved by the most senior manager in the organization and then made available to all employees.

The standards document set defines what needs to be done to implement security, including descriptions of required security controls and how those controls apply to the corporate environment. The document set should address a variety of security issues, including, but not limited to, the following: roles and responsibilities of security personnel, protection against malicious code, information and software exchange, user responsibilities, mobile computing, and access control. In addition to the common security concerns, the standards document set outlines compliance issues, government regulations and industry standards.

Much like the security policy document, the information security standards document set changes infrequently. It needs to be revised when new systems, applications or regulations are introduced, or when a control it describes is retired, and it should be reviewed on a fixed schedule so that such changes are not missed.

The procedures document set makes up the final component of the corporate information security policy suite. This document set should be the largest of the three components, and it will also be the most flexible. It specifically outlines how security controls will be implemented and managed. Each procedure should map back to the standard it satisfies; a single standard often requires many procedures to be carried out before it is fully met, so the mapping should be explicit and complete. This document set provides many of the details that can make or break an effective information security policy.

Making the Policy Count—Enforcement

Once the hard work of creating an information security policy and getting it approved is finally done, the enforcement of the policy begins. All the effort put into creating the policy is of little worth unless the policy is followed by the corporation and sufficiently enforced. A compliance program or a policy assessment can be instrumental in assisting an organization’s attempts to enforce an information security policy.

A policy compliance review reveals whether a designed security control is deployed and used correctly. Policy compliance reviews differ from traditional vulnerability assessments in several ways. First, IT and security auditors should conduct policy compliance reviews, while security operations personnel should conduct vulnerability assessments. Second, policy compliance reviews determine whether systems and applications comply with the new policy, while vulnerability assessments pinpoint specific vulnerabilities in those systems and applications. Finally, policy compliance reviews use standards and regulations such as ISO 17799 (since renumbered ISO/IEC 27002) and HIPAA as baselines for measurement, while vulnerability assessments traditionally draw on security incident and vulnerability databases.

Together, policy compliance reviews and vulnerability assessments are critical first-line tactics to proactively defend against escalating security threats. Policy compliance reviews ensure that policy objectives are being met, and vulnerability assessments contribute to overall resiliency by identifying vulnerabilities.

Security compliance tools are available to help bring corporate systems into compliance with information security policies and regulatory standards. These tools also aid in discovering, containing and fixing unpatched vulnerabilities. They can store a policy as a set of machine-checkable rules in a database and automatically measure compliance with those rules across the network. In some cases, policy compliance data can be correlated with security event data from a wide range of other sources, including antivirus software, firewalls, intrusion detection systems and vulnerability assessment products.
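The following is an added example, not code from the article or from any product mentioned in it. It shows the three-layer structure described above in working form: the standards layer names what must be true, each standard maps to the procedures (checks) that verify it, and a compliance review runs those checks across a set of hosts and reports per-host and per-standard compliance ratios, the way a compliance tool would against a policy stored as rules. The three host snapshots, the standard identifiers (AC-1, AC-2) and the thresholds are constructed for illustration; a directive that is absent is treated as non-compliant, because an unset control cannot be shown to meet the standard.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample configuration snapshots for three hypothetical hosts
# (not real systems): an sshd_config excerpt and a login.defs excerpt each.
SAMPLE_HOSTS: Dict[str, Dict[str, str]] = {
    "web01": {
        "sshd_config": "PermitRootLogin no\nPasswordAuthentication no\nProtocol 2\n",
        "login.defs": "PASS_MAX_DAYS 90\nPASS_MIN_LEN 12\n",
    },
    "db01": {
        "sshd_config": "PermitRootLogin yes\nPasswordAuthentication yes\n",
        "login.defs": "PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\n",
    },
    "app01": {
        # SSH directives missing entirely: an unset control cannot be shown compliant.
        "sshd_config": "Protocol 2\n",
        "login.defs": "PASS_MAX_DAYS 60\nPASS_MIN_LEN 14\n",
    },
}


def config_value(text: str, key: str) -> Optional[str]:
    """Return the value of a 'KEY value' directive, ignoring comments; None if absent."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip()
    return None


def int_value(text: str, key: str) -> Optional[int]:
    """Integer form of a directive, or None if absent or not numeric."""
    value = config_value(text, key)
    try:
        return int(value) if value is not None else None
    except ValueError:
        return None


# A check (the procedure) takes one host's snapshot and returns (passed, evidence).
Check = Callable[[Dict[str, str]], Tuple[bool, str]]


def expect_equal(file: str, key: str, wanted: str) -> Check:
    """Check that a directive is present and equals `wanted` (case-insensitive)."""
    def check(host: Dict[str, str]) -> Tuple[bool, str]:
        actual = config_value(host[file], key)
        ok = actual is not None and actual.lower() == wanted.lower()
        return ok, f"{key}={actual!r} (required {wanted!r})"
    return check


def expect_range(file: str, key: str, low: Optional[int], high: Optional[int]) -> Check:
    """Check that a numeric directive is present and within [low, high]."""
    def check(host: Dict[str, str]) -> Tuple[bool, str]:
        actual = int_value(host[file], key)
        ok = (actual is not None
              and (low is None or actual >= low)
              and (high is None or actual <= high))
        return ok, f"{key}={actual!r} (required {low}..{high})"
    return check


# The standards layer: each named standard lists the checks that verify it.
# The identifiers AC-1 and AC-2 are hypothetical, not taken from any framework.
STANDARDS: Dict[str, Dict[str, Check]] = {
    "AC-1 remote administrative access": {
        "root login over SSH disabled": expect_equal("sshd_config", "PermitRootLogin", "no"),
        "SSH password authentication disabled": expect_equal("sshd_config", "PasswordAuthentication", "no"),
    },
    "AC-2 password lifecycle": {
        "maximum password age at most 90 days": expect_range("login.defs", "PASS_MAX_DAYS", 1, 90),
        "minimum password length at least 12": expect_range("login.defs", "PASS_MIN_LEN", 12, None),
    },
}


@dataclass
class Finding:
    host: str
    standard: str
    check: str
    passed: bool
    evidence: str


def review_host(name: str, snapshot: Dict[str, str]) -> List[Finding]:
    """Run every check of every standard against one host's snapshot."""
    return [Finding(name, standard, check_name, *check(snapshot))
            for standard, checks in STANDARDS.items()
            for check_name, check in checks.items()]


def compliance_report(hosts: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """Aggregate findings into per-host, per-standard and overall compliance ratios."""
    findings = [f for name, snap in hosts.items() for f in review_host(name, snap)]
    ratio = lambda subset: sum(f.passed for f in subset) / len(subset)
    return {
        "findings": findings,
        "by_host": {h: ratio([f for f in findings if f.host == h]) for h in hosts},
        "by_standard": {s: ratio([f for f in findings if f.standard == s]) for s in STANDARDS},
        "overall": ratio(findings),
    }


if __name__ == "__main__":
    report = compliance_report(SAMPLE_HOSTS)
    for f in report["findings"]:
        if not f.passed:
            print(f"FAIL {f.host}: {f.standard} / {f.check}: {f.evidence}")
    print("overall compliance: {:.0%}".format(report["overall"]))
```

Each failing finding carries the evidence the auditor needs (the directive value actually observed against the value required), which is what distinguishes a compliance review from a vulnerability scan: the question is whether the control the standard prescribes is in place, not whether a known weakness is present. Extending the review means adding a check under an existing standard or a new standard with its own checks; the report logic does not change.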

The Policy Serves as the Foundation

With security threats inundating IT administrators and government regulations forcing corporate compliance, organizations can streamline their security efforts by creating and enforcing strong information security policies. As Internet threats increase and as government regulations become more stringent, the importance of solid security policies will also increase.

Mark Ungerman
is director of product management at Symantec. He has more than 12 years of experience in the IT industry. Since joining Symantec, Ungerman has leveraged his unique information security expertise to guide product development and innovation of the company’s intrusion protection products, most recently the Symantec Security Management System. Prior to joining Symantec, Ungerman served as product manager at Novell and developed several applications for the financial services industry.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA® and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA® Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.