
From the document Information Security (pages 169-174)

The information-security strategy

6.6 Guidelines and working papers

Guidelines and working papers either summarize aspects of the control framework or provide further information on specific issues where this is necessary. Guidelines can usefully summarize standards, for example as simplified graphic representations or checklists. Similarly, a white paper suggesting an approach for securing a new technology would be considered a working paper.

The purpose of guidelines and working papers is to increase understanding without introducing any changes into the control framework. That these documents add nothing new to the framework is what distinguishes them from standards.

6.7 Summary

Successful management of the information-security process requires adequate control over a variety of documentation. Efficiently managing this documentation is not easy and usually requires an organized approach.

Organizations are therefore encouraged to design and implement a structured documentation set at an early stage. Distinguishing between documentation that is owned and produced by the department and other documentation is necessary in order to apply correct change-management procedures to the former. This distinction also simplifies the process of publishing documents.

The control framework consists of all of the procedural and automated controls put in place to secure day-to-day operations. Together with a well-defined security architecture, policy statements and standards form the backbone of the control framework. This framework can be thought of as the slow-moving side of the information-security process. Risk-management techniques, on the other hand, provide the ability to rapidly assess the level of risk associated with a particular situation and can be used to verify the framework within a particular context.

Policy statements define in high-level terms how an organization has chosen to deal with a particular issue. As such, they form the foundations of the control framework. Just as the overall documentation structure needs to be well thought out, so does the way in which policy statements are organized. In general, opting for a series of policy statements will result in short, focused policies, but managing dependencies between these policies may become difficult. At the other extreme, a single policy statement is likely to be unwieldy and difficult to comprehend by the different target audiences.

Standards reduce complexity, facilitate interoperability, and document a preference for a particular way of doing things. By adopting external standards, an organization can align itself with tendencies in the outside world, which can have benefits when trying to resolve problems. Internal standards, on the other hand, are likely to be highly specific to the organization and are used principally to interpret policy requirements. Internal standards are further divided into specification standards and procedural standards to reflect that the description of static entities is best achieved using a different vocabulary and different techniques from those used for describing activities.

Finally, guidelines and working papers provide a mechanism for clarifying standards or for discussing new issues without introducing any changes into the control framework.
