For a security policy to succeed, the following minimum guidelines should be followed:
■ Management must support the policy.
■ The policy must be consistent.
■ The policy must be technically feasible.
■ The policy should not be written as a technical document.
■ The policy must be implemented globally throughout the organization.
■ The policy must clearly define roles and responsibilities.
■ The policy must be flexible enough to respond to changing technologies and organizational goals.
■ The policy must be understandable.
■ The policy must be widely distributed.
■ The policy must specify sanctions for violations.
■ The policy must include a response plan for security breaches.
■ Security is an ongoing process.
The next sections explore each of guidelines.
Management Must Support the Policy
As in most business endeavors, unless management actively supports a policy, it will not be effective. A policy that restricts a business function or is considered to lack flexibility but addresses a critical need requires the full support of management; otherwise, it will not be followed.
Remember that any security policy is going to restrict someone from performing a task that he thinks is necessary. The security policy is designed to weigh the good of the organization before the needs of the individual.
The Policy Must Be Consistent
An effective policy must be consistent. Few things frustrate and confuse users more than inconsis-tent policies. Consistency of the policy refers to the application of the policy, not equal access for all employees within the organization. Access for each user should be determined by job function and need for such access.
However, policies need to be consistent in scope and goal. For example, you should not have one group of employees that do not use passwords just because the manager of that group does not see the need. Likewise, managers should be required to maintain the same security precautions as the
average user. When one group of users needs additional resources, these resources should be allocated with the same care as any other access.
Inconsistent policies are very difficult to implement and, by their nature, demonstrate a lack of consistency within the organization. Inconsistent or vague policies are also open to interpretation and may cause a debate as to which policy applies to a particular situation.
The Policy Must Be Technically Feasible
This should be common sense. It is important to understand that the creation of a security policy is a management function. The security administrator should review the policy with management and ensure that they are advised as to its technical feasibility. The security administrator should recom-mend solutions that meet the business need without compromising the security of the organization.
The policy must also be feasible for the users. This is to say that the policy should not be so com-plicated that the user disregards it.
The Policy Should Not Be Written as a Technical Document
Writing the security policy in a nontechnical manner has a number of advantages. First, it is usually easier to understand than a technical document for the average employee. Second, because this document will be widely distributed, it is important that those receiving this document be able to understand it.
Making the policy a nontechnical document allows for the security concepts to be distributed without revealing the specific technologies used to accomplish the goals. For example, an administrator should be reluctant to distribute any document that specifies the make and model of firewall to be used or that specifies exactly how systems will be monitored. Making public such specific information can increase the vulnerability of an organization because a good cracker will use this information to form his or her attack strategy. Of course some portions (or documents) will be more technical than others. Whereas acceptable-use policies will be very nontechnical, the server and workstation configuration document will be more technical due to the nature of the topic.
The implementation plan is a section of the security policy where specific hardware and application information is defined. Access to the implementation plan must be restricted to authorized personnel only. Normally this includes the security team members and anyone involved in the implementation of the security plan.
The Policy Must Be Implemented Globally Throughout the Organization
Because most organizations with more than one office location interconnect via private Frame Relay networks, virtual private networks (VPNs), or other similar means, it is critical that all sites have the same emphasis on security. Although a good security design will limit and authenticate access between sites, a security hole at a single site poses a threat to the entire organization.
Security Policies 15
The Policy Must Clearly Define Roles and Responsibilities
Users need to be aware of what is allowed and prohibited. One can hardly blame a user for downloading music, for instance, if no policies prohibit such action.
Administrators must know their security goals and responsibilities if they are to be effective in accomplishing these goals. Management must also be aware of the role they are to play within the security efforts if these efforts are to be accomplished.
The Policy Must Be Flexible Enough to Respond to Changing Technologies and Organizational Goals
The security policy should be specific enough to define all requirements but not so inflexible that it does not account for changes in technology, growth within the organization, or infrastructure changes. The information technology field is ever evolving and system and infrastructure upgrades and improvements occur constantly. The security policy is a living document and should constantly be reviewed and modified as necessary to ensure its relevance for the organization.
The Policy Must Be Understandable
Often nontechnical employees have difficulty understanding technical terms and concepts. There-fore, it is imperative that the policy be clear and concise so that employees understand what is expected of them. Avoiding the use of terms that are unnecessarily ambiguous or technology specific ensures that the nontechnical reader understands his or her responsibilities. Many organizations present the policy to new employees during an orientation seminar and require them to acknowledge the training prior to receiving their network logon.
For example, a policy may address the issue of installing software in the following manner:
Software Installation: The Information Systems department is responsible for ensuring that all computers operate efficiently and effectively. To this end the Information Systems department will configure all systems within the organization with approved software. Downloading any software onto any computer is prohibited for all users except when specifically approved by the Information Systems department. Failure to abide by this policy is subject to disciplinary action as described in Section X.
The preceding statement starts by explaining the reasoning behind the policy. Following this is a statement defining who is responsible for installing applications. The reader is also directed to another part of the policy that lists the disciplinary actions that may be taken if this policy is disregarded.
Notice that the policy does not specifically state what applications are allowed or not allowed. This allows the Information Systems department to determine the appropriateness of applications without the need to rewrite the policy.
The Policy Must Be Widely Distributed
Many organizations publish their security policies on the Internet. This can be a valuable resource when starting to write your company’s policies. Most of the large colleges and universities are a good source of sample policies.
Because the policy should not reveal any of your technical specifics, there is no reason for this policy not to be released to all employees. Distributing the policy to everyone within the organization and having each employee acknowledge receipt makes it easier to enforce the policy.
The Policy Must Specify Sanctions for Violations
Employees should be made aware of the policy and understand that violations of the policy have consequences. However, these sanctions should also be constructed in a way that does not limit the company to a specific action.
Because the rights of employees vary by city, state, and country, it is very important to ensure that security team members from human resources and legal are involved when creating any policies that deal with disciplinary measures. The following policy is meant as an example only:
Sanctions for Violating the Corporate Security Policy: Management may impose any disciplinary action it sees fit for any violations of the corporate security policies. These actions, while not limited to the following, may include verbal counseling, written letter of counseling, written letter of reprimand, or termination.
The Policy Must Include an Incident Response Plan for Security Breaches
Any network has the potential of being compromised. Complex networks are more difficult to pro-tect and can be more difficult to monitor. It is important to identify when your network is under attack and when the attack has resulted in a system or network breach. It is also very important to develop an incident response plan so that the security personnel know how to react to the compro-mise. Although the ultimate goal is to discover all breaches, some may go unnoticed. The policy must state what actions to take if a breach is discovered. Most policies differentiate between breaches occurring from within the organization and those originating from the Internet. The differ-ence is because it is normally less difficult to identify the offender as long as the attack originated from within the network and not from an internal resource that was exploited by an external source.
A sample policy section follows:
Response to Internal Denial-of-Service (DoS) Attacks: Upon discovery of a DoS attack originating within the local-area network (LAN), the administrator will record and document the discovery for future forensics use. A secure machine should be utilized to track all packets originating from the source computer.
The administrator will attempt to isolate the offending machine from the LAN. Next, the network segment where the attack is originating will be isolated.