The Role of Information Security Policy Essay
The framework for an organization’s information security program is composed of policies and their respective standards and procedures. This article will examine the relationship between policies, standards, and procedures and the roles they play in an organization’s information security program. In addition, the roles of individuals inside and outside of the organization with respect to the creation of policy and standards will be discussed. Finally, the article examines how an organization can meet its information security needs at each level of security and how this relates to the content of the information security policy (ISP).
Information Security Policy (ISP)
Policies form the foundation of everything an organization is and does. Likewise, an ISP is the beginning of a company’s information security program. A policy is a high-level plan on how an organization intends to respond to certain issues. An ISP sets the tone of the organization’s information security program and establishes the will and intent of the company in all information security matters. The ISP also defines how the company will regulate its employees. Policies must support an organization’s objectives and promote the organization’s success. Policies must never be illegal and must be defensible in a court of law. Policies must be supported and administered fairly and consistently throughout the organization (Whitman & Mattford, 2010). The following paragraphs list some tips for developing and implementing an ISP.
A Clear Purpose
It is essential that an ISP have a clearly defined purpose. Specific objectives should guide the creation of the ISP, and the purpose should articulate exactly what the policy is to accomplish (McConnell, 2002). McConnell (2002) further notes that, “If you cannot explain why the policy exists, you cannot expect your employees to understand it or follow it” (p. 2).
In developing policies, it is a good idea to gain the input of the employees to which the policy will apply. Ideally, there should be at least one representative from each department. Allowing various employees to give input on the policy will help to ensure that nothing is overlooked and that the policy is easily understood (McConnell, 2002).
Security Awareness and Training Program
In addition to gaining the employees’ acknowledgement of the ISP at their orientation, the ISP should be part of the security awareness and training program. Ongoing awareness training can focus on various security policies (McConnell, 2002). It is important to keep the awareness of information security matters fresh in the minds of the employees to avoid complacent behaviors that may lead to serious violations.
Enforcement is critical to the success of any policy; policies that are not enforced are soon ignored. McConnell (2002) notes, “A policy that you are unable or unwilling to enforce is useless” (p. 2). If a policy is unenforceable, it should be removed or revised to the point where it is enforceable. Not only must a policy be enforceable, it must be enforced from the top down. When managers set the example, the rest of the staff are more likely to follow (McConnell, 2002).
While policy sets the overall plan or intent of the organization with regard to information security, standards define the specific elements required to comply with policy. For example, an acceptable usage policy may prohibit employees from visiting inappropriate websites; the standard defines what websites are considered inappropriate (Whitman & Mattford, 2010). Standards may be developed in-house, but the common preferred way is to utilize already established industry standards that can then be tailored to the organization’s specific needs.
Procedures are the step-by-step actions necessary to comply with the policy. Procedures are driven by standards that are governed by policy (Whitman & Mattford, 2010). Most policy violations may be traced back to either a willful or negligent failure to follow procedures.
Senior management initiates the need for policy creation; it is their intent and purpose that the policy is created to communicate. Senior management is the final authority and gives the final approval for the policy.
Information Security Officer (ISO)
The ISO is essentially the policy’s champion, overseeing all aspects of the ISP and acting as the agent reporting to senior management. The ISO creates a governance committee that works together to develop and update policy. The ISO oversees organizational compliance with security policies (California Office of Information Security and Privacy Protection, 2008).
The information technology (IT) staff is responsible for installing and maintaining the technical controls to ensure users are compliant with the security policies. For example, the IT staff may install software that blocks access to prohibited websites. The IT staff also conducts monitoring of employee activity on the company network.
Managers, as already stated, must lead by example. When managers do not follow and enforce policies, it communicates to the employees that policies are not important and that following them is optional. A body will always follow its head; likewise a department will always follow the example of its managers.
The average end user is perhaps the greatest security asset and the greatest security threat; clear security policies and proper security awareness training are the deciding factors. People should be made aware of common security threats such as social engineering attacks and the importance of safeguarding their password information. They should be trained to understand exactly what the organization expects from them with regard to information security (Whitman & Mattford, 2010).
There may be times when outside people need to have access to an organization’s network, such as vendors, consultants, and temporary employees. Such people should be required to sign an acknowledgement form agreeing to abide by all security policies, standards, and procedures.
The Bulls-eye Model
The bulls-eye model is a way of tailoring the ISP to the needs of the organization at various security levels. The four levels of the bulls-eye are: policies, networks, systems, and applications (Whitman & Mattford, 2010). Whitman and Mattford (2010) state, “In this model, issues are addressed by moving from the general to the specific, always starting with policy” (p. 120).
An information security policy, as already discussed, sets the foundation for an organization’s information security program (Ungerman, 2005). While all policies are high-level, there are different levels that a policy may address. The enterprise information security policy (EISP) is the overall policy that encompasses all other information security policies within the organization. Issue-specific security policies (ISSP) target specific issues and contain more low-level elements than the EISP. An example of an ISSP is an acceptable use policy (AUP). Finally, there are system-specific security policies (SysSP). A SysSP is so low-level that it may appear more like a procedure than a policy. A SysSP, through either managerial guidance or technical specifications, defines system-specific controls needed to conform to an ISSP. An example of a SysSP would be the implementation of website filtering software to enforce the company’s AUP (Whitman & Mattford, 2010).
Network-level security is about securing the network and as such is heavily focused on controlling access through user authentication. The EISP may define who may access the network in addition to how and why. An ISSP may then specify what type of authentication and access control models may be used. SysSPs can then prescribe technical specifications, such as software requiring a periodic password change, to facilitate compliance with the ISSP (Whitman & Mattford, 2010).
System-level security is concerned with securing the actual system components of the network such as the computers, printers, and servers. Examples of ISSPs at the system level are AUP, password policies, and policies prohibiting the installation of unapproved hardware and software by end users (Whitman & Mattford, 2010).
Application-level security deals with any type of application, from out-of-the-box software like MS Office to enterprise resource planners (ERP) like SAP. Policy considerations here would be controlling user access and application update policy. Policy controls who has access to which applications and to which features (Whitman & Mattford, 2010).
California Office of Information Security and Privacy Protection. (2008, April). Guide for the Role and Responsibilities of an Information Security Officer Within State Government. Retrieved from http://www.cio.ca.gov/ois/government/documents/pdf/iso_roles_respon_guide.pdf
McConnell, K. D. (2002). How to Develop Good Security Policies and Tips on Assessment and Enforcement. Retrieved from http://www.giac.org/paper/gsec/1811/develop-good-security-policies-tips-assessment-enforcement/102142
Ungerman, M. (2005). Creating and Enforcing an Effective Information Security Policy. Retrieved from http://www.isaca.org/Journal/Past-Issues/2005/Volume-6/Documents/jopdf-0506-creating-enforcing.pdf
Whitman, M., & Mattford, H. (2010). Management of Information Security (3rd ed.). Mason, OH: Cengage Learning. Retrieved from The University of Phoenix eBook Collection database.
The Role of Information Security Policy Essay
The failure of organizations to implement a comprehensive and robust information security program can mean an untimely demise for some and costly setbacks for others. At the heart of information security is security policy. Without security policy there can be no security program. Without people, security policies would not exist: they would not be written, implemented, or enforced. Security policies and the adoption of standards provide many benefits, as shall be discussed in this paper. The paper then discusses how information in systems often falls under different classifications reflecting its degree of sensitivity, and how this relates to an organization’s security policy.
1.0 Security Policy and Standards
1.1 Defining Information Security Policy
Conklin et al. (2012, “Information Security Policy”) state, “policy is the essential foundation of an effective security program,” and “the centrality of information security policies to virtually everything that happens in the information security field is increasingly evident.” Webopedia.com defines security policy as “a document that outlines the rules, laws, and practices for computer network access” (2013, “Security Policy”). The document regulates how an organization will manage, protect, and distribute its sensitive information. Information security policy addresses many issues such as the following: disclosure, integrity, and availability concerns; who may access what information in what manner; maximized sharing versus least privilege; separation of duties; and who controls and who owns the information.
1.2 Defining Information Security Standards
Standards are recommended or imposed practices that should or must be followed. The businessdictionary.com website (2013, “Standards”) defines standards as “written definition, limit, or rule, approved and monitored for compliance by an authoritative agency or professional or recognized body as a minimum acceptable benchmark.” Government agencies and organizations publish standards as guidelines and best practices so that other organizations can follow suit and ensure they are implementing and maintaining an adequate level of security and controls. Some standards are mandatory. Federal regulations require compliance with these types of standards under penalty of law. Examples include: Payment Card Industry (PCI) standards, Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA.
1.3 The Importance of Information Security Policy and Standards
In essence, information security policies govern the protection of information. The benefits of information security policy include:
* Minimization of data leak or loss.
* Protecting the organization from malicious internal and external users.
* Setting of guidelines, best practices of use, and ensuring proper compliance.
* Announcing internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction.
* Promoting a proactive as opposed to a reactive stance for the organization.
Policies define allowed and disallowed behavior. More importantly, policies are explanatory when written so as to be understood by everyone in the organization and properly disseminated. To be effective, security policy needs to be visibly and uniformly practiced. Organizations should not need to be prodded to provide an adequate level of security to protect sensitive information.
Information is one of an organization’s most valuable assets. Unfortunately, many companies still do not understand the importance of allocating enough resources toward developing an information security blueprint. Time and time again these companies are punished for mishandling information. The importance of information security standards is to help organizations provide adequate security programs to protect their systems and sensitive information. It is important to protect information systems from threat and it is especially important to protect the private information of customers. In the eyes of customers, failure to protect their information is a violation of trust.
Responsible parties will have their reputations diminished and be held accountable for damages or loss. A kind of benchmarking is following the recommended practices of other organizations or industry standards (Conklin et al., 2012, “Security Management Models”). In this way organizations can adopt practices that are already proven to work. Federal regulations give the push some organizations need to implement and maintain adequate information security control levels. Mandatory audits help keep these organizations “honest” and in compliance.
2.0 The Role of Employees in Policy
Security policy comes down from the top. The enterprise information security policy (EISP) is a high-level document “drafted by the chief information security officer (CISO) in consultation with the chief information officer (CIO) and other executives” (Conklin et al, 2012, “Information Security Policy”). Security information policy, however, has an effect on everyone in the organization. Policies have to be uniformly applied to be effective. If management fails to support policy, the policy is typically ignored.
Employees often try to circumvent policy. People are generally resistant to rules and regulations that tell them what to do. The role of security education, training and awareness (SETA) is important in helping end users or employees understand security policy. When time is taken to educate employees and include them in business decisions and processes, they are often more willing to abide by rules and even be proactive in defending them.
Security breaches often occur because of employee accident or inattentiveness. SETA helps mitigate this type of risk through education and training. Employees become more actively aware of situations that result in security breaches, such as tailgating and other tactics like social engineering attacks.
3.0 Security Levels and Policy
“An information security classification system is one of the critical components of good information security” (Office of the Chief Information Officer Province of British Columbia, 2010). Security levels pertain to access restrictions. Information can have various degrees of sensitivity. In other words some information must be better protected than other types of information.
Different levels of security are assigned for different data sensitivity levels or information classifications. The Bell-LaPadula security model reflects a multilevel security system based on data classification and security clearances. Such levels may include data classifications such as top secret, secret, confidential, sensitive but unclassified, and unclassified. Security policies such as a data classification and handling policy establish a framework for classifying and handling data based on its level of sensitivity. The classification of data aids in determining baseline security controls for the protection of the data.
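The following is an added illustration (written for this page, not taken from Conklin et al. or any cited source) of the two Bell-LaPadula access rules applied to the five classification levels the paragraph lists; the subject names, file names and requests are constructed sample data, and compartments, which a full lattice model would include, are omitted.

```python
# Added example for this page (not from the cited texts): Bell-LaPadula
# read/write rules over the five classification levels the essay lists.
# Real deployments also use compartments (a lattice), which this omits.
from enum import IntEnum
from typing import List, Tuple

class Level(IntEnum):
    """Ordered sensitivity levels; a higher value dominates a lower one."""
    UNCLASSIFIED = 0
    SENSITIVE_BUT_UNCLASSIFIED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4

def can_read(clearance: Level, classification: Level) -> bool:
    """Simple security property ("no read up"): the subject's clearance
    must dominate the object's classification."""
    return clearance >= classification

def can_write(clearance: Level, classification: Level) -> bool:
    """*-property ("no write down"): the object's classification must
    dominate the subject's clearance, so data cannot leak to a lower level."""
    return classification >= clearance

# (subject, clearance, object, classification, action): constructed sample
Request = Tuple[str, Level, str, Level, str]
SAMPLE_REQUESTS: List[Request] = [
    ("alice", Level.SECRET, "ops-plan.doc", Level.CONFIDENTIAL, "read"),
    ("alice", Level.SECRET, "ops-plan.doc", Level.CONFIDENTIAL, "write"),
    ("bob", Level.CONFIDENTIAL, "budget.xls", Level.SECRET, "read"),
    ("bob", Level.CONFIDENTIAL, "budget.xls", Level.SECRET, "write"),
    ("carol", Level.UNCLASSIFIED, "press.txt", Level.UNCLASSIFIED, "read"),
]

def evaluate(requests: List[Request]) -> List[Tuple[str, str, str, bool]]:
    """Return (subject, object, action, allowed) for each request, the
    form an access-decision log for policy compliance review would take."""
    decisions = []
    for subject, clearance, obj, classification, action in requests:
        if action == "read":
            allowed = can_read(clearance, classification)
        elif action == "write":
            allowed = can_write(clearance, classification)
        else:
            allowed = False  # unknown actions are denied (fail closed)
        decisions.append((subject, obj, action, allowed))
    return decisions
```

Running `evaluate(SAMPLE_REQUESTS)` shows the asymmetry the model enforces: alice (SECRET) may read the CONFIDENTIAL file but not write to it, while bob (CONFIDENTIAL) may write to the SECRET file but not read it.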
Conklin, W. A., White, G., Williams, D., Davis, R., & Cothren, C. (2012). Principles of computer security: CompTIA Security+™ and beyond (3rd ed.). New York, NY: McGraw Hill.
Office of the Chief Information Officer Province of British Columbia. (2010). Information Security Classification Framework. Retrieved from http://www.cio.gov.bc.ca/local/cio/informationsecurity/policy/ISCFramework.pdf
Security Policy. (2013). Retrieved from http://www.webopedia.com/TERM/S/security_policy.html
Standards. (2013). Retrieved from