Showing posts with label Policy. Show all posts

Friday, August 3, 2007

Information Security Policy 101 – Policy Approval



OK, the time has come for us to wrap this up!  July is over and so is “Information Security Policy Month”. This is the 19th and final installment in the Information Security Policy 101 Series.

If you have been following along over the last month you will notice that we have covered 16 of the most common information security policies, but we haven’t tied them together or sought formal approval yet.

NOTE: The “approval” we are seeking now is the approval of the written policies. This should not be confused with the initial approval you should have received prior to even beginning an information security policy project.

The advice that I will give in this article is based on what has worked for me in the past. I have had the honor of leading multiple information security projects in the past for both private and public companies from assessment through to final approval and adoption.

The Company XYZ Corporate Information Security Policy
The Company XYZ Corporate Information Security Policy is the one document that everyone in the organization is expected to read and understand. Some portions of the policy may apply more directly than others, but everything is meant to be understood by the audience.

Take the 16 policies (or however many your organization has deemed necessary) and place the “Company XYZ Corporate Information Security Policy” wrapper around them adding some important information that may include:

Header explaining the document
Versioning information
Table of contents
Introduction
Purpose (of the Corporate Information Security Policy)
Scope (of the Corporate Information Security Policy)
Definitions
Responsibilities
Waivers
Disciplinary Actions
Supporting Information
References


Whoa! That seems like a lot of information, doesn’t it? Admittedly, it does. Take a look at the sample and it should be clearer.

SAMPLE CORPORATE INFORMATION SECURITY POLICY

Once the document is complete, it’s ready for approval!

NOTE: Be prepared for multiple "back and forth" go-arounds with management before the policy is "golden"!

Approval
The detailed process for approval of the newly written Corporate Information Security Policy will differ greatly from organization to organization. Some organizations have a more “approachable” executive team than others, so use judgment and care in your approach. When in doubt, follow the chain of command by seeking the advice of your direct up-line manager.

Approval must come from the leaders of your organization. If you have any hope of adopting, implementing and enforcing your policy then executive approval is a must. Too many times have I seen information security personnel attempt to implement policy without seeking the right approvals and every single time their efforts have failed miserably. Who has overall authority in your organization? This is the person that needs to approve.

Ideally, you have included your organization's leaders all along during the information security policy project. This makes communication and approval much easier. All is not lost however if you have not.

What does management need to know?
1. The Corporate Information Security Policy is based on sound security “best practices”.

Ensure management that the policy is a best of breed policy that was written after careful analysis and research.

2. Approval of the policy will not disrupt business.

The bottom line is that a company is in business to make money. You will not receive the approval of management if they perceive that information security will in any way hinder the ability of the company to make money. An art of information security is that it must NOT EVER stand in the way of business, or be perceived as doing so.

Inform management that “approval” of the policy does not mean that the policy has been “adopted” or “implemented”. Approval gives the organization (and information security personnel) the ability to begin adoption and start the “secure” process. Create an adoption/implementation timeline that highlights when information security believes the organization could be compliant with most of the policy, and inform management that the organization will never be fully compliant. Remember, security is evolutionary, not stationary!

3. The expected costs involved through the approval of the information security policy will be more than offset by reduced risk and exposure.

You can probably think of other items of note to use in your approval process, but the ones above have consistently worked for me.

Next Steps
The real work begins!
Now that you have your new approved policy in hand, decide how you will train the organization’s personnel. There are a variety of training options available including CBT, web-based, instructor-led, in-sourced, out-sourced, etc. Once a training timeline has been tentatively agreed upon, formally announce the new policy to the organization.

It is also time to decide how you will adopt and implement. Read through the policy and detail what you have in place now and what you will need in order to be compliant. Create projects and/or timelines for the implementation of the various standards, procedures, administrative and technical controls.

Closing
Thank you to all that have read and provided feedback to this series! You know who you are. I will be posting a summary post that includes all of the "Information Security Policy Month" articles in a nice concise format.

Feel free to contact me if you have any feedback or need any assistance with your own policies.

Previous: "Information Security Policy 101 – Virus Protection Policy"

Monday, July 30, 2007

Information Security Policy 101 – Virus Protection Policy



Part 18 in the Information Security Policy 101 Series

For many organizations the threats posed by viruses are manageable given appropriate controls. A Virus Protection Policy is the first step towards ensuring that appropriate controls are in place on workstations, laptops, email gateways, servers, etc.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Virus Protection Policy is to describe the
requirements for dealing with computer virus, worm and Trojan horse infection,
prevention, detection and cleanup.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Virus Protection Policy applies to all persons with any type of access to an %ORGANIZATION% information resource.

SAMPLE:
Audience
The %ORGANIZATION% Virus Protection Policy applies equally to all individuals
that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Virus Protection Policy
The Virus Protection Policy is a simple policy that may overlap somewhat with other information security policies. One additional benefit of having a separate Virus Protection Policy is the ease of reference for users and support personnel. Be careful to write statements that do not contradict those in another policy, however rare such contradictions may be.

SAMPLE VIRUS PROTECTION POLICY STATEMENTS:

- All %ORGANIZATION% owned and/or managed workstations, including laptops whether connected to the %ORGANIZATION% network, or standalone, must use the %ORGANIZATION% IT management approved virus protection software and configuration.
- All non-%ORGANIZATION% owned and/or managed workstations, including laptops must use %ORGANIZATION% IT management approved virus protection software and configuration, prior to any connection to an %ORGANIZATION% Information Resource.

Conclusion
The draft, approval, implementation, and enforcement of a Virus Protection Policy can decrease the amount of risk to an organization’s information resources as a result of malware (virus and/or spyware).

Download the SAMPLE VIRUS PROTECTION POLICY.

Next in the series: “Information Security Policy 101 – Policy Approval”

Previous: “Information Security Policy 101 – Vendor/Third-Party Access Policy”

Information Security Policy 101 – Vendor/Third-Party Access Policy



Part 17 in the Information Security Policy 101 Series

Some organizations call on the support of a third-party and/or vendor rarely. Other organizations have third-party support personnel in and out of various areas all day, every day. Most organizations fall somewhere in the middle. I cannot think of a single organization that has not allowed a third-party and/or vendor at least physical access to restricted areas to conduct seemingly innocent tasks.

Question: What governs a vendor and/or other third party's access?

Answer: Vendor/Third-Party Access Policy.

NOTE: Some organizations have already negotiated detailed contracts with vendors and other third-party entities. In some instances an existing contract may need to be appended, a new contract drawn up, or a waiver request approved.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Vendor Access Policy is to establish the
rules for vendor access to %ORGANIZATION% Information Resources and support
services (A/C, UPS, PDU, fire suppression, etc.), vendor responsibilities, and
protection of %ORGANIZATION% information. Vendor access to
%ORGANIZATION% Information Resources is granted solely for the work
contracted and for no other purposes.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Third-Party/Vendor Access Policy typically applies to those persons involved in contracting third-party/vendor support and representatives of the third-party/vendor itself.

SAMPLE:
Audience
The %ORGANIZATION% Vendor Access Policy applies to all individuals that are
responsible for the installation of new %ORGANIZATION% Information Resource
assets, and the operations and maintenance of existing %ORGANIZATION%
Information Resources, and who do or may allow vendor access for support,
maintenance, monitoring and/or troubleshooting purposes.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Vendor/Third-Party Access Policy
The Vendor/Third-Party Access Policy is longer and more in-depth than some of the policies we have covered most recently. Use the information gleaned from your business assessment to determine to what extent your policy should be detailed towards the information resources you are trying to protect.

TIP: Have your legal department (or whoever is in charge of negotiating contracts) review the policy in detail. You may also choose to have your legal department assist you in the drafting of this policy.

SAMPLE THIRD-PARTY/VENDOR ACCESS POLICY STATEMENTS:

- Vendors must comply with all applicable %ORGANIZATION% policies, practice standards and agreements, including, but not limited to:
  - Safety Policies
  - Privacy Policies
  - Security Policies
  - Auditing Policies
  - Software Licensing Policies
  - Acceptable Use Policies
- Vendor agreements and contracts must specify:
  - The %ORGANIZATION% information the vendor should have access to
  - How %ORGANIZATION% information is to be protected by the vendor
  - Acceptable methods for the return, destruction or disposal of %ORGANIZATION% information in the vendor’s possession at the end of the contract
  - The Vendor must only use %ORGANIZATION% information and Information Resources for the purpose of the business agreement
  - Any other %ORGANIZATION% information acquired by the vendor in the course of the contract cannot be used for the vendor’s own purposes or divulged to others

Conclusion
The draft, approval, and implementation of a Vendor/Third-Party Access Policy will assist in ensuring that information security is forethought in contract negotiations and no longer an afterthought. Seasoned information security personnel understand the benefit of information security applied early on vs. retrofitting an existing solution with security after the fact.

Download the SAMPLE VENDOR/THIRD-PARTY ACCESS POLICY.

Next in the series: “Information Security Policy 101 – Virus Protection Policy”

Previous: “Information Security Policy 101 – Software Licensing Policy”

Information Security Policy 101 – Software Licensing Policy



Part 16 in the Information Security Policy 101 Series

“The Business Software Alliance (BSA) is gearing up for a final push to convince companies to fill in their voluntary audit forms.” – VNUNet.com UK

“Thirty-five percent of the world's software is pirated. Software piracy is not only a crime, but it can destroy computers and data.” – Business Software Alliance

There is little doubt that the use of unlicensed and/or pirated software can pose significant risk to an organization’s information resources and assets. Risks can range from malware installation to significant fines. You may notice that there is some slight overlap between the Software Licensing Policy and our Acceptable Use Policy. If you remember, there was mention of using “unauthorized” software in our Acceptable Use Policy.

NOTE: A well-written software licensing policy can limit the amount of time required to satisfy BSA requests for information because it demonstrates proactive action on the part of the organization.

TIP: Many Windows-based organizations grant their users local administrator rights to their workstations. Disallowing this practice can significantly reduce the risk of users installing unauthorized and/or unlicensed software.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Software Licensing Policy is to establish
the rules for licensed software use on %ORGANIZATION% Information Resources.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Software Licensing Policy applies to all of an organization’s information resource users.

SAMPLE:
Audience
The %ORGANIZATION% Software Licensing Policy applies equally to all
individuals that use any %ORGANIZATION% Information Resources.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Software Licensing Policy
Like many of the policies already covered in this series, the Software Licensing Policy is short and simple. The policy makes management’s views regarding software licensing “official”.

SAMPLE SOFTWARE LICENSING POLICY STATEMENTS:

- %ORGANIZATION% provides a sufficient number of licensed copies of software such that workers can get their work done in an expedient and effective manner. Management must make appropriate arrangements with the involved vendor(s) for additional licensed copies if and when additional copies are needed for business activities.
- Users must refrain from knowingly violating license agreements and/or requirements.
- Third party copyrighted information or software, that %ORGANIZATION% does not have specific approval to store and/or use, must not be stored on %ORGANIZATION% systems or networks. Systems administrators reserve the right to remove such information and software unless the involved users can provide proof of authorization from the rightful owner(s).
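The statements above describe conditions that can be checked against a software inventory rather than left as words on paper. As an added example (not code from the original post), the Python below audits a constructed inventory for the two conditions the statements name, titles %ORGANIZATION% has no approval to use and approved titles installed on more workstations than there are licensed copies, and, following the TIP earlier in this post, also lists workstations whose local Administrators group contains accounts outside the IT team. The approved-title list, seat counts, account names and workstation records are all constructed assumptions.

```python
"""Software licensing compliance audit (added example, not from the original post).

Checks a constructed inventory of installed software per workstation against
a constructed list of IT-approved titles with purchased seat counts, and
reports:
  * unauthorized software  - titles not on the approved list
  * over-deployed software - approved titles installed on more workstations
                             than there are licensed copies
  * unexpected local admins - workstations whose local Administrators group
                             contains accounts outside the IT team (the TIP)
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample data; title names, seat counts and account names are illustrative only.
APPROVED_LICENSES: Dict[str, int] = {   # title -> number of purchased seats
    "Office Suite": 3,
    "PDF Writer": 1,
    "Approved Antivirus": 50,
}
IT_ADMIN_ACCOUNTS: Set[str] = {"it-admin", "helpdesk"}   # accounts allowed local admin rights


@dataclass
class Workstation:
    name: str
    installed: List[str]      # titles found on the machine
    local_admins: List[str]   # members of the local Administrators group


INVENTORY = [   # constructed workstation records
    Workstation("WS-001", ["Office Suite", "Approved Antivirus"], ["it-admin"]),
    Workstation("WS-002", ["Office Suite", "PDF Writer", "Approved Antivirus"], ["it-admin", "jsmith"]),
    Workstation("WS-003", ["Office Suite", "PDF Writer", "Torrent Client"], ["it-admin"]),
    Workstation("WS-004", ["Office Suite", "Approved Antivirus"], ["helpdesk"]),
]


def unauthorized_software(inventory, approved) -> Dict[str, List[str]]:
    """Return {workstation: [titles]} for titles that are not approved."""
    findings = {}
    for ws in inventory:
        bad = sorted(t for t in ws.installed if t not in approved)
        if bad:
            findings[ws.name] = bad
    return findings


def over_deployed(inventory, approved) -> Dict[str, Tuple[int, int]]:
    """Return {title: (installed_count, licensed_seats)} where installs exceed seats."""
    counts = Counter(t for ws in inventory for t in ws.installed if t in approved)
    return {t: (n, approved[t]) for t, n in counts.items() if n > approved[t]}


def unexpected_local_admins(inventory, it_accounts) -> Dict[str, List[str]]:
    """Return {workstation: [accounts]} for local admins that are not IT accounts."""
    findings = {}
    for ws in inventory:
        extra = sorted(a for a in ws.local_admins if a not in it_accounts)
        if extra:
            findings[ws.name] = extra
    return findings


def audit(inventory=INVENTORY, approved=APPROVED_LICENSES, it_accounts=IT_ADMIN_ACCOUNTS):
    """Run all three checks and return one report keyed by check name."""
    return {
        "unauthorized": unauthorized_software(inventory, approved),
        "over_deployed": over_deployed(inventory, approved),
        "local_admins": unexpected_local_admins(inventory, it_accounts),
    }


if __name__ == "__main__":
    for section, findings in audit().items():
        print(f"{section}: {findings}")
```

In a real deployment the inventory records would come from whatever asset-management or endpoint-management tool the organization already runs; the checks themselves do not change, which is the point of writing the policy statements in terms that can be measured.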

Conclusion
A well-written Software Licensing Policy can save an organization a considerable amount of time and effort, especially given how easy it is to write and get approved. A subject of much debate is the BSA’s million-dollar reward for turning in software pirates:

BSA Rewards Page:
https://reporting.bsa.org/usa/rewardsconditions.aspx

A twist:

Would You Rat Out Your Boss for $1 Million?: http://blogs.pcworld.com/staffblog/archives/004849.html

Wouldn’t it be nice to take out the drama by using a simple policy and enforcement?

Download the SAMPLE SOFTWARE LICENSING POLICY.

Next in the series: “Information Security Policy 101 – Vendor/Third-Party Access Policy”

Previous: “Information Security Policy 101 – Security Training and Awareness Policy”

Information Security Policy 101 – Security Training and Awareness Policy



OK, we're back!

Part 15 in the Information Security Policy 101 Series

“there is a substantial increase in the respondents’ perception of the importance of security awareness training. On average, respondents from most sectors do not believe their organization invests enough in this area.” - 2006 CSI/FBI Computer Crime and Security Survey. If I were going to overspend on any one area of my information security program, it would be for information security training and awareness.

Information security personnel can write whatever they want in their policies, but if nobody is aware of the policies or trained on how they can comply with them then what good are they?

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Information Security Training and Awareness
Policy is to describe the requirements that must be met in order to ensure that each user of
%ORGANIZATION% Information Resources receives adequate training on information
security issues.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Security Training and Awareness Policy applies to all of an organization’s information resource users.

SAMPLE:
Audience
The %ORGANIZATION% Information Security Training and Awareness Policy applies
equally to all individuals that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Security Training and Awareness Policy
The Security Training and Awareness Policy is a simple policy that states what management expects and gives authority to information security personnel. The policy should state general rules that the audience must comply with and lay the groundwork for the training program.

SAMPLE SECURITY TRAINING AND AWARENESS POLICY STATEMENTS:

- All new users must complete an approved Security Awareness training class prior to, or at least within 30 days of, being granted access to any %ORGANIZATION% Information Resources.
- All users must acknowledge that they have read and understand the %ORGANIZATION% Corporate Information Security Policy.
- All users (employees, consultants, contractors, temporaries, etc.) must be provided with this policy to allow them to properly protect %ORGANIZATION% Information Resources.

Conclusion
Do not underestimate the importance of a formal information security training and awareness program. Recognize that many people do not understand their critical role in keeping organization assets secure.

TIP: Find things that you can use to prove a ROI in your training and awareness program. I have used help desk staff in the past for this. We took a one-month time frame before information security training, where we tracked the number of laptops that came in for service from field staff with passwords on Post-it notes before training. We tracked the same afterwards, then calculated a percentage and extrapolated the number over a one-year period. The change was dramatic.

Download the SAMPLE SECURITY TRAINING AND AWARENESS POLICY.

Next in the series: “Information Security Policy 101 – Software Licensing Policy”

Previous: “Information Security Policy 101 – Privacy Policy”

Tuesday, July 24, 2007

Information Security Policy 101 – Privacy Policy



Part 14 in the Information Security Policy 101 Series

Writing an organization's privacy policy is not as clear-cut as it may seem. An entire book could easily be written around privacy in the workplace. What an organization states, what it actually does, and what an employee reasonably expects are all critical to privacy/employment matters. To make things worse, privacy rights are not entirely clear under the law.

Two rules of privacy rights (although you could probably come up with more):


One: write a policy that is focused. Do NOT write “you have no expectation of privacy” as a blanket statement. Privacy is not “all or nothing”.

Two: do what you say you are going to do, consistently. Do NOT follow your policy only when there is an enforcement action. As the US Supreme Court has noted, "[W]hile police, and even administrative enforcement personnel, conduct searches for the primary purpose of obtaining evidence for use in criminal or other enforcement proceedings, employers most frequently need to enter the offices and desks of their employees for legitimate work-related reasons wholly unrelated to illegal conduct."

TIP: The Privacy Policy should be reviewed by legal counsel who is familiar with privacy rights and law. Many corporate counselors are not experts in this area.


General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Privacy Policy is to clearly communicate
the %ORGANIZATION% privacy expectations to Information Resource users.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Privacy Policy should apply to all personnel, and in some cases (depending on your organization) contractors, vendors, and other third-parties.

SAMPLE:
Audience
The %ORGANIZATION% Privacy Policy applies equally to all individuals who use
any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Privacy Policy
The Privacy Policy is a critical policy in most organizations and needs to clearly communicate how much privacy a user should expect when using the organization’s information assets.

NOTE: Mark Rasch has written a very good article on this subject: Employee Privacy, Employer Policy.

SAMPLE PRIVACY POLICY STATEMENTS:

- Electronic files created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of %ORGANIZATION% are not private and may be accessed by %ORGANIZATION% Information Security employees at any time, under the direction of %ORGANIZATION% executive management and/or Human Resources, without knowledge of the Information Resource user or owner.
- To manage systems and enforce security, %ORGANIZATION% may log, review, and otherwise utilize any information stored on or passing through its Information Resource systems in accordance with the provisions and safeguards provided in %ORGANIZATION% Information Resource standards. For these same purposes, %ORGANIZATION% may also capture user activity such as telephone numbers dialed and web sites visited.

Conclusion
Be careful in using a sample Privacy Policy. Be sure that it fits your organization and internal processes. A poorly written or implemented Privacy Policy can leave your organization open to a legal quagmire. Most of the investigation and forensic work I have done in the past has been governed by what the organization’s Privacy Policy stated.

Download the SAMPLE PRIVACY POLICY.

Next in the series: “Information Security Policy 101 – Security Training and Awareness Policy”

Previous: “Information Security Policy 101 – Mobile Computing Policy”

Monday, July 23, 2007

Information Security Policy 101 – Mobile Computing Policy



Part 13 in the Information Security Policy 101 Series

Few things in my profession give me more shivers than the amount and sensitivity of data that is carried outside the corporate boundary every day on mobile devices such as PDAs, laptops, and Smartphones. Without effective controls, mobile devices are easily lost or stolen, data transmissions are easily intercepted, and shoulder-surfing is commonplace. Nearly every week a company is forced to publicly disclose a lost or stolen laptop that contained personally identifiable information (PII).

See: http://attrition.org/dataloss/, http://breachalerts.trustedid.com/, http://doj.nh.gov/consumer/breaches.html, http://www.privacyrights.org/ar/ChronDataBreaches.htm


Information security is a discipline that constantly attempts to balance the risk of using a technology against the business benefits gained from its use. How can an information security professional effectively balance the risks inherent in using mobile devices while still allowing the business to benefit from their use?

In order to provide protection to the data that may be contained on a mobile device, organizations must extend protections and controls to such devices. Protection starts with policy.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Mobile Computing Security Policy is to
establish the rules for the use of mobile computing devices and their connection to the
network. These rules are necessary to preserve the Integrity, Availability, and
Confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Mobile Security Policy applies to all individuals in the organization that use, possess, manage, secure, and/or approve the use of mobile devices.

SAMPLE:
Audience
The %ORGANIZATION% Mobile Computing Security Policy applies equally to all
individuals that utilize mobile computing devices and access %ORGANIZATION%
Information Resources.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Mobile Computing Policy
If an organization does not use or allow the use of mobile devices, then a simple statement in an Acceptable Use Policy may be all that is needed. If the organization does allow the use of mobile computing devices, general rules around this usage need to be communicated to all relevant personnel. As with all policies, the Mobile Computing Policy should state general rules, leaving room for supporting documentation (procedures, standards, and guidelines) to define the specifics.

NOTE: At least 35 states have laws regarding security breach notification and most have safe harbor provisions around data that has been encrypted.

SAMPLE MOBILE COMPUTING POLICY STATEMENTS:

- Only %ORGANIZATION% approved portable computing devices may be used to access %ORGANIZATION% Information Resources.
- Portable computing devices must, at a minimum be password protected in accordance with the %ORGANIZATION% Password Policy.
- %ORGANIZATION% Confidential data should not be stored on portable computing devices. However, in the event that there is no alternative to local storage, all Confidential %ORGANIZATION% data must be encrypted using approved encryption techniques, wherever possible.
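Each of the three statements above can be turned into a check that runs over a device inventory. As an added example (not code from the original post), the Python below checks constructed device records against those statements: approved device, password protection in line with the Password Policy, and approved encryption wherever Confidential data is stored locally. Because the third statement says Confidential data "should not" be stored but allows it when there is no alternative, the check reports local Confidential storage as a warning and only unencrypted or non-approved encryption as a violation. The approved models, approved encryption techniques, the `password_meets_policy` flag (standing in for a check against the organization's Password Policy) and the device records are all constructed assumptions.

```python
"""Mobile Computing Policy compliance audit (added example, not from the original post).

Each constructed device record is checked against the three sample policy
statements. Approved models, approved encryption techniques and the device
records are constructed assumptions; `password_meets_policy` stands in for a
check done against the organization's Password Policy, which is out of scope here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

APPROVED_MODELS = {"Laptop Model A", "Smartphone Model B"}             # constructed
APPROVED_ENCRYPTION = {"full-disk-encryption", "encrypted-container"}  # constructed

Finding = Tuple[str, str]   # (policy statement the finding relates to, detail)


@dataclass
class MobileDevice:
    asset_tag: str
    model: str
    password_protected: bool
    password_meets_policy: bool       # assumed result of a Password Policy check
    holds_confidential_data: bool
    storage_encrypted: bool
    encryption_method: Optional[str] = None


def check_device(device: MobileDevice,
                 approved_models=APPROVED_MODELS,
                 approved_encryption=APPROVED_ENCRYPTION) -> Tuple[List[Finding], List[Finding]]:
    """Return (violations, warnings) for one device.

    violations: statements the device breaks.
    warnings:   the "should not" advice the device departs from while still
                inside the exception the policy allows.
    """
    violations: List[Finding] = []
    warnings: List[Finding] = []

    # Statement 1: only approved portable devices may access Information Resources.
    if device.model not in approved_models:
        violations.append(("approved-device", f"{device.model} is not an approved model"))

    # Statement 2: password protected in accordance with the Password Policy.
    if not device.password_protected:
        violations.append(("password", "device has no password protection"))
    elif not device.password_meets_policy:
        violations.append(("password", "password does not meet the Password Policy"))

    # Statement 3: Confidential data should not be stored locally; where it is,
    # it must be encrypted using an approved technique.
    if device.holds_confidential_data:
        warnings.append(("confidential-storage", "Confidential data stored on device"))
        if not device.storage_encrypted:
            violations.append(("encryption", "Confidential data stored unencrypted"))
        elif device.encryption_method not in approved_encryption:
            violations.append(("encryption",
                               f"{device.encryption_method} is not an approved technique"))
    return violations, warnings


def audit(devices: List[MobileDevice]) -> Dict[str, Tuple[List[Finding], List[Finding]]]:
    """Return {asset_tag: (violations, warnings)} for every device with a finding."""
    report = {}
    for device in devices:
        violations, warnings = check_device(device)
        if violations or warnings:
            report[device.asset_tag] = (violations, warnings)
    return report


INVENTORY = [   # constructed device records
    MobileDevice("LT-100", "Laptop Model A", True, True, True, True, "full-disk-encryption"),
    MobileDevice("LT-101", "Laptop Model A", False, False, False, False),
    MobileDevice("PDA-7", "PDA Model X", True, True, True, False),
    MobileDevice("LT-102", "Laptop Model A", True, True, False, False),
]

if __name__ == "__main__":
    for tag, (violations, warnings) in audit(INVENTORY).items():
        print(f"{tag}: violations={violations} warnings={warnings}")
```

Keeping the "should not" advice separate from the "must" requirements matters when the report feeds a disciplinary or waiver process: a laptop carrying encrypted Confidential data is within policy and only worth a conversation about alternatives, while an unencrypted one is a breach of the policy statement itself.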

Conclusion
Due to the increased risks that mobile computing devices pose to many organizations and the increased reliance on these devices to complete “business critical” tasks, it is recommended that a stand-alone Mobile Computing Policy be developed.

Download the SAMPLE MOBILE COMPUTING POLICY.

Next in the series: “Information Security Policy 101 – Privacy Policy”

Previous: “Information Security Policy 101 – Physical Security Policy”

Information Security Policy 101 – Physical Security Policy



Part 12 in the Information Security Policy 101 Series

In some organizations “physical” security and “information” security are separated into different groups or teams. Whether this is a good idea or not has been the subject of some debate over the years. One issue that should not be debated is the tight interdependence between the two.

Information security is a balance of physical, logical, and administrative controls. Every control must have its roots somewhere in written policy.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Physical Security Policy is to establish the
rules for the granting, control, monitoring, and removal of physical access to
Information Resource facilities.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Physical Security Policy applies to any person or entity that has the potential to physically interact with information resources, or with facilities that house information resources, under the control of an organization. The policy is specifically written to provide direction to those individuals who are charged with maintaining physical security.

SAMPLE:
Audience
The %ORGANIZATION% Physical Security Policy applies to all
%ORGANIZATION% individuals that install and support Information Resources, are
charged with Information Resource security and data owners.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Physical Security Policy
The form that a Physical Security Policy takes is dependent on many factors. This article is written with small to medium sized organizations in mind. These organizations do not typically have the staff to support a separate physical security group and/or opt to integrate physical security into a single information security program. In order to determine where a physical security policy fits best in an organization, the earlier business assessment should be used.

NOTE: Physical security policy is a must in almost all organizations. If physical security is not adequately defined and applied, all other controls could be easily defeated.

SAMPLE PHYSICAL SECURITY POLICY STATEMENTS:

- Physical security systems must comply with all applicable regulations including but not limited to building codes and fire prevention codes.
- Physical access to all %ORGANIZATION% restricted facilities must be documented and managed.
- All Information Resource facilities must be physically protected in proportion to the criticality or importance of their function at %ORGANIZATION%.

Conclusion
The science involved with physical security is often specialized, and there seems to be a limitless supply of available technologies and controls that can be applied. The Physical Security Policy should be written in broad enough terms so as not to restrict the use of any one specific control. The policy does not usually require an in-depth knowledge of all the available controls, whereas the application and implementation typically do. In most cases, I write the policy then call upon physical security consultants to design effective controls.

NOTE: If you have a keen interest in the physical nature of information security and would like to demonstrate your mastery, check out the Physical Security Professional (PSP) certification from ASIS International.

Download the SAMPLE PHYSICAL SECURITY POLICY.

Next in the series: “Information Security Policy 101 – Mobile Computing Policy”

Previous: “Information Security Policy 101 – Password Policy”

Thursday, July 19, 2007

Information Security Policy 101 – Password Policy



Part 11 in the Information Security Policy 101 Series

Passwords get a bad rap. Nobody likes them: users, administrators, and information security personnel alike. Users don’t like passwords because we “information security police” make them so complex and hard to remember, administrators don’t like them because they have so many to remember, and information security personnel don’t like them because they are arguably the most insecure means of authentication.

All the more reason and justification for a Password Policy.

A Password Policy should be required in all organizations that rely on passwords as a source of authentication.

Let’s get to it.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Password Policy is to establish the rules for the creation, distribution, safeguarding, termination, and reclamation of %ORGANIZATION% user authentication mechanisms.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Password Policy aptly applies to any person or entity that uses a password.

SAMPLE:
Audience
The %ORGANIZATION% Password Policy applies equally to all individuals who use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Password Policy
The Password Policy should communicate the general rules for password creation, use, storage, transmission and destruction (the “lifecycle”). Most likely the policy will state many general security “best practices” of password management, along with some home-grown statements based on the business assessment.

NOTE: People will inevitably break some rules in the password policy. It has been shown that the number and severity of incidents can be reduced by training and awareness. Give users a better way to do things rather than only telling them what they cannot do.

SAMPLE PASSWORD POLICY STATEMENTS:

- Password history must be kept to prevent the reuse of passwords
- Stored passwords are classified as Confidential Data and must be encrypted

Conclusion
A Password Policy is not just an efficient method of communicating good password management practices, but it is also an implement for enforcement. A well-written and implemented Password Policy can significantly reduce the amount of risk to the organization’s information.

Download the SAMPLE PASSWORD POLICY.

Next in the series: “Information Security Policy 101 – Physical Security Policy”

Previous: “Information Security Policy 101 – Network Access Policy”

Wednesday, July 18, 2007

Information Security Policy 101 – Network Access Policy



Part 10 in the Information Security Policy 101 Series

This is now the 10th entry into the “Information Security Policy 101” series. Are these policies starting to blur at all? Are they all starting to look the same? Believe it or not, the policies look similar on purpose and there are statements in one that may be found in another (also on purpose). The repetition can make things a little boring for the information security personnel, but it really does help “normal” people retain the information.

The Network Access Policy is found in many organizations, or at least the language of its policy statements is. Often I will find Network Access Policy statements included in an Acceptable Use Policy instead. Tomayto, tomahto.

As always…

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Network Access Policy is to establish the rules for the access and use of the %ORGANIZATION% network infrastructure. These rules are necessary to preserve the integrity, availability and confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Network Access Policy aptly applies to any person or entity that accesses the organization’s network, either locally or through a WAN, VPN, modem, wireless, etc.

SAMPLE:
Audience
The %ORGANIZATION% Network Access Policy applies equally to all individuals with access to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Network Access Policy
The Network Access Policy is a simple policy that should outline some basic ground rules that people need to follow when using the organization’s network.

NOTE: Although the statements in a policy may seem basic and common sense to the author, don’t assume that they are for everyone.

STORY: I once had a user complain to me that a policy I wrote for a client company was too simple and common sense.

SAMPLE NETWORK ACCESS POLICY STATEMENTS:

- Remote users may connect to the %ORGANIZATION% corporate networks only after formal approval;
- Remote users may connect to %ORGANIZATION% Information Resources using only the protocols approved by %ORGANIZATION% IT;

Conclusion
The Network Access Policy is simple, and you may be able to get away with ditching it in favor of adding the required statements to your Acceptable Use Policy. This decision is up to you; the business assessment exercise could help you make it. I almost always keep the policy statements separate for ease of reference, simplified reviews and changes, and reinforcement through repetition.

Download the SAMPLE NETWORK ACCESS POLICY.

Next in the series: “Information Security Policy 101 – Password Policy”

Previous: “Information Security Policy 101 – Network Configuration Policy”

Tuesday, July 17, 2007

Information Security Policy 101 – Network Configuration Policy



Part 9 in the Information Security Policy 101 Series

Most network configuration policies are fairly straightforward.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Network Configuration Policy is to establish the rules for the maintenance, expansion and use of the network infrastructure. These rules are necessary to preserve the Integrity, Availability, and Confidentiality of %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically a Network Configuration Policy applies to all individuals in an organization.

SAMPLE:
Audience
The %ORGANIZATION% Network Configuration Policy applies equally to all individuals with access to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Network Configuration Policy
Although many organizations do not have a separate Network Configuration Policy, many of its statements are important enough to communicate in one form or another. Some organizations will include these statements in other information security policies. I prefer to keep them separate.

SAMPLE NETWORK CONFIGURATION POLICY STATEMENTS:

- %ORGANIZATION% IT owns and is responsible for the %ORGANIZATION% network infrastructure and will continue to manage further developments and enhancements to this infrastructure
- To provide a consistent %ORGANIZATION% network infrastructure capable of leveraging new networking developments, all cabling must be installed by %ORGANIZATION% IT or an approved contractor.

Conclusion
Read through the sample policy, and together with the business assessment, determine if a Network Configuration Policy makes sense in your organization.

Download the SAMPLE NETWORK CONFIGURATION POLICY.

Next in the series: “Information Security Policy 101 – Network Access Policy”

Previous: “Information Security Policy 101 – Incident Management Policy”

Monday, July 16, 2007

Information Security Policy 101 – Incident Management Policy



Part 8 in the Information Security Policy 101 Series

Let’s start off with a scenario. Bill Johnson works as the Information Security Officer of a medium-sized regional bank, and it’s Monday morning. Bill receives a phone call from the bank service desk reporting that a laptop was lost or stolen over the weekend. Uh oh, Bill doesn’t have an incident response policy or procedures.

Try to put yourself in Bill’s shoes for a moment. What risk does this incident pose? Does the laptop contain regulated data, i.e. social security numbers, credit card numbers, other personally identifiable information (PII), etc.? Does the laptop contain usernames and passwords? Will this incident make the evening news? Who should Bill notify? Should Bill contact the authorities, i.e. local police, Secret Service, FBI, etc.? Panic might begin to set in for Bill. Maybe Bill should just drop everything, run, and find a new profession.

Bill shouldn’t have to worry about how to respond to such an incident.

All companies, large and small, should have an incident management program. What the program looks like and how it is run will differ from company to company, as expected, but they all start with policy.

NOTE: The first actions taken following an incident are often critical and could dictate the entire course of an investigation. If an incident is handled incorrectly, cause identification and eventual prosecution could be impossible.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Incident Management Policy is to describe the requirements for dealing with computer security incidents. Security incidents include but are not limited to: virus, worm, and Trojan horse detection, unauthorized use of computer accounts and computer systems, as well as complaints of improper use of Information Resources as outlined in the Acceptable Use Policy.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically Incident Management Policy applies to all individuals in an organization. The policy is meant to be referred to by personnel charged with incident response.

SAMPLE:
Audience
The %ORGANIZATION% Incident Management Policy applies equally to all individuals that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Incident Management Policy
The Incident Management Policy is intended to communicate what is expected of personnel when confronted with an incident pertaining to information resource confidentiality, integrity, and/or availability. The policy provides the vital framework necessary to develop detailed incident response procedures.

NOTE: Incident response procedures will detail (preferably step-by-step) how personnel are expected to respond to an incident. Incident response procedures should be tested on a regular basis (quarterly, semi-annually, or yearly).

SAMPLE INCIDENT MANAGEMENT POLICY STATEMENTS:

- %ORGANIZATION% management will establish and provide overall direction to an %ORGANIZATION% Incident Response Team (IRT)
- %ORGANIZATION% IRT members have pre-defined roles and responsibilities which can take priority over normal duties

Conclusion
Do yourself a favor and create an incident management program. The incident management program does not need to be complicated and account for every possible scenario that could occur. Supporting procedures can be written in such a manner to be flexible enough to apply to most conceivable incidents. Incidents WILL occur, so be prepared!

Download the SAMPLE INCIDENT MANAGEMENT POLICY.

Next in the series: “Information Security Policy 101 – Network Configuration Policy”

Previous: “Information Security Policy 101 – Data Classification Policy”

Thursday, July 12, 2007

Information Security Policy 101 – Data Classification Policy



I will forewarn you, data classification can be a real doozy. The policy is simple enough to write and the concepts are simple enough to sell, but adoption and implementation are usually a whole different story. If done well, the benefits can far outweigh the costs.

The purpose for most data classification projects (yours may differ) is to identify the data that is sensitive to an organization, classify (or label) this data, and apply appropriate controls based on the sensitivity-label pair.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Data Classification Policy is to provide a system for protecting information that is critical to the organization, and its customers. In order to provide more appropriate levels of protection to the information assets entrusted to %ORGANIZATION%, data must be classified according to the risks associated with its storage, processing, and transmission. Consistent use of this data classification policy will facilitate more efficient business activities and lower the costs of ensuring adequate information security.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Data Classification Policy applies to all entities that interact with data in any tangible manner.

SAMPLE:
Audience
The %ORGANIZATION% Data Classification Policy applies equally to any individual or process that interacts with %ORGANIZATION% Information Resources in any tangible manner. All personnel who may come in contact with Confidential information are expected to familiarize themselves with this Data Classification Policy and consistently use it.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Data Classification Policy
The Data Classification Policy differs from most other information security policies due to the additional information required. The Data Classification Policy will introduce new concepts, roles, and responsibilities.

Roles and Responsibilities:
The following are typical roles and responsibilities defined in the Data Classification policy:

Data Owner
The Data Owner is normally the person responsible for, or dependent upon, the business process associated with an information asset. The Data Owner is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed.

- The Data Owner determines the appropriate value and classification of information generated by the owner or department;
- The Data Owner must communicate the information classification when the information is released outside of the department and/or the organization;
- The Data Owner controls access to his/her information and must be consulted when access is extended or modified; and
- The Data Owner must communicate the information classification to the Data Custodian so that the Data Custodian may provide the appropriate levels of protection.

Data Custodian
- The Data Custodian maintains the protection of data according to the information classification associated with it by the Data Owner.
- The Data Custodian role is delegated by the Data Owner and is usually filled by Information Technology personnel.

Data User
The Data User is a person, organization or entity that interacts with data for the purpose of performing an authorized task. A Data User is responsible for using data in a manner that is consistent with the purpose intended and in compliance with policy.

Data Classifications
Confidential
Confidential Data is information protected by statutes, regulations, organizational policies or contractual language. Managers may also designate data as Confidential.

Confidential Data is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only.

Disclosure to parties outside of the organization must be authorized by executive management, approved by a Vice President and General Counsel, or covered by a binding confidentiality agreement.

Examples of Confidential Data include:

- Medical records
- Clinical trial data
- Credit card numbers
- Social Security Numbers
- Personnel and/or payroll records
- Any data identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction
- Any data belonging to an %ORGANIZATION% customer that may contain personally identifiable information
- Patent information
- Regulatory filings

Internal
Internal Data is information that must be guarded due to proprietary, ethical, or privacy considerations and must be protected from unauthorized access, modification, transmission, storage or other use. This classification applies even though there may not be a civil statute requiring this protection. Internal Data is information that is restricted to personnel designated by %ORGANIZATION%, who have a legitimate business purpose for accessing such data.

Examples of Internal Data include:
- Employment data
- Business partner information where no more restrictive confidentiality agreement exists
- Internal directories and organization charts
- Planning documents
- Contracts

Public
Public data is information that may or must be open to the general public. It is defined as information with no existing local, national, or international legal restrictions on access or usage. Public data, while subject to organizational disclosure rules, is available to all %ORGANIZATION% employees and all individuals or entities external to the corporation.

Examples of Public Data include:
- Publicly posted press releases
- Publicly available marketing materials
- Publicly posted job announcements

Disclosure of public data must not violate any pre-existing, signed non-disclosure agreements.

NOTE: The policy MUST NOT define HOW data will be classified (or tagged); use standards, guidelines and/or procedures to communicate how the different types of data should be appropriately labeled.

SOME SAMPLE Classification Protections
Confidential
- When stored in an electronic format must be protected with a minimum level of authentication to include strong passwords, wherever possible.
- When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by %ORGANIZATION% IT Management must be employed.

Internal
- Must be protected to prevent loss, theft, unauthorized access and/or unauthorized disclosure
- Must be protected by a confidentiality agreement before access is allowed

Conclusion
In my experience, the Data Classification Policy has been the most difficult policy to create and receive approval on. The most common and valid question I receive is “How will we ever comply?” Compliance with a Data Classification Policy has proven to be extremely difficult in most organizations due to a number of primary factors:

- People do not want to assume the responsibilities that come with their role, primarily the data owner
- Labeling standards are sometimes extensive and time consuming to write
- Data is strewn throughout the organization without centralized management
- Classifications assigned will vary from data owner to data owner, and management of them is not “cut and dry”

Understand that information security is a science of evolution and it will take time to get data classification properly implemented. This is expected and accepted. All things in information security should start in policy and data classification is no exception. Approval of a policy does not mean formal adoption and compliance (we will cover post-approval of policy in “Information Security Policy 101 – Policy Approval” due on 7/30).

Download the SAMPLE DATA CLASSIFICATION POLICY.

TIP: Write your Data Classification Policy without worrying about the details of implementation, but at the same time make sure you will be able to implement each statement through the use of additional supporting documentation.

Next in the series: “Information Security Policy 101 – "Incident Management Policy”

Previous: “Information Security Policy 101 – Backup Policy”


Wednesday, July 11, 2007

Information Security Policy 101 – Backup Policy



On the surface it may seem that data backups are mundane and simple tasks to carry out. Backups are often repetitive and change infrequently. Don’t believe it! Although there are SOME tasks a backup administrator does that are simple and mundane, anyone who has spent any amount of time with or as a backup administrator knows how complex the job can be. There are a vast number of options and methods available to conduct and manage backups. Of these options and methods, some are more secure than others.

The Backup Policy is meant to address some of this grey area and provide direction for the development of more detailed procedural and standards documentation.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Backup Policy is to establish the rules for the backup and storage of electronic %ORGANIZATION% information.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically a Backup Policy applies to IT administrative personnel and those persons specifically responsible for data backups.

SAMPLE:
Audience
The %ORGANIZATION% Backup Policy applies to all individuals within the enterprise who are responsible for the installation and support of %ORGANIZATION% Information Resources, individuals charged with %ORGANIZATION% Information Resource backups and security, and data owners.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Backup Policy
A Backup Policy is written to provide rules and expectations around the treatment and management of data backups. It is a simple policy that rarely exceeds a page in length, but it should be viewed as important in many organizations.

NOTE: A Backup Policy should not state backup setting requirements except in a general sense. The Backup Policy should not be confused with a Disaster Recovery Plan (DRP), which is much more extensive and outside the scope of this article.

SAMPLE BACKUP POLICY STATEMENTS:

- The frequency and extent of backups must be in accordance with the importance of the information and the acceptable risk as determined by the data owner.
- The %ORGANIZATION% Information Resource backup and recovery process for each system must be documented and periodically reviewed.

Conclusion
Do not assume that backups are simple tasks with limited options and flexibility. Backups are a critical process for many organizations, so it only makes sense to develop some policy around them.

Download the SAMPLE BACKUP POLICY.

Next in the series: “Information Security Policy 101 – Data Classification Policy”

Previous: Information Security Policy 101 – "Administrative and Special Access Policy"


Tuesday, July 10, 2007

Information Security Policy 101 – Administrator and Special Access Policy



And now I present to you the Administrative and Special Access Policy! OK, I admit it isn’t all that exciting, but it is a policy that provides value in many organizations. In many instances, users of administrative accounts have the ability to do just about anything in a corporate server and/or network environment. Administrators can often create accounts, change passwords, change access rights, delete audit logs, etc. Without proper control, the risk of inadvertent errors and malicious abuse of rights is unacceptable.

All information security controls must have their roots in policy, and those meant to limit the risk inherent in the use of administrative access accounts are no different.

NOTE: This has been stated before, but I state it again to drive the point home. Supporting standards, guidelines, and/or procedures will need to be created in support of the policy after the policy has been formally approved and adopted by management.

General Policy Format

All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %ORGANIZATION% Administrative and Special Access Policy is to establish the rules for the creation, use, monitoring, control and removal of accounts with special access privilege.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically Administrative and Special Access Policy applies to IT administrative personnel or persons authorized and responsible for information resource management.

SAMPLE:
Audience
The %ORGANIZATION% Administrative and Special Access Policy applies equally to all individuals that have, or may require, special access privilege to any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Administrative and Special Access Policy
The Administrative and Special Access Policy is written to communicate the general rules and guidance to those persons in an organization with authorized access to administrative accounts. The policy also applies to users of accounts that have access rights that exceed those of "general" user accounts.

As with all information security policies, the Administrative and Special Access Policy should be general in nature and not detail specific settings requirements. The Administrative and Special Access Policy should adequately address all areas of administrative access that reflect expected and acceptable use.

SAMPLE POLICY STATEMENTS:

- All users of Administrative and Special access accounts must have account management instructions, documentation, and authorization

- Each individual that uses Administrative and Special access accounts must refrain from abuse of privilege and must only perform the tasks required to complete his/her job function

Conclusion
Remember that a policy is a series of statements that accurately reflect management’s expectations with respect to information security in the organization. It is easy to forget about those users in an organization that have “special” rights and privileges. This is a mistake. Users with these rights and privileges, if not properly informed and trained, can pose one of the most significant threats to the confidentiality, integrity and/or availability of organizational information.

Download the SAMPLE ADMINISTRATIVE AND SPECIAL ACCESS POLICY.

TIP: The use of administrative and special access accounts needs to be strictly monitored and reviewed. Include regular monitoring and auditing in supporting procedures.

Next in the series: “Information Security Policy 101 – Backup Policy”

Previous: “Information Security Policy 101 – Account Management Policy”


Sunday, July 8, 2007

Information Security Policy 101 – Account Management Policy



The Account Management Policy is next in the alphabetical list of information security policies that I will be covering as part of the Information Security Policy 101 series. Typically an Account Management Policy is most useful in organizations with a group of individuals who are authorized to create, monitor, control, and/or remove user accounts.

The business assessment process that we covered in “Information Security Policy 101 – Assess the Business” should give information security personnel the information needed to determine if an Account Management Policy will provide value to the organization.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
The purpose of the %Organization% Account Management Policy is to establish the rules for the creation, monitoring, control, and removal of user accounts.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically an Account Management Policy applies to persons authorized and responsible for account management.

SAMPLE:
Audience
The %Organization% Account Management Policy applies equally to all individuals whose authorized business duties include account management pertaining to any %Organization% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Account Management Policy
The Account Management Policy is written to communicate the general rules and guidance to those persons in an organization with account management responsibilities. As with all information security policies, the Account Management Policy should be general in nature and not detail specific settings requirements. The Account Management Policy should adequately address account creation, monitoring, control, expiration, disablement, and deletion.

SAMPLE POLICY STATEMENTS:

  • All accounts created must have an associated and documented request and approval
  • All accounts must be uniquely identifiable using the user name assigned by MGI IT

Conclusion
In the companies that I have had the opportunity to assess, many did not include an Account Management Policy in their greater global information security policy, although most of these companies could benefit from having one. The Account Management Policy is a very simple policy to write due to its limited scope, and in most cases its creation, approval, and adoption are well worth the investment.

Download the SAMPLE ACCOUNT MANAGEMENT POLICY.

TIP: Be sure that each account in your organization corresponds to a single entity (person, service, application, etc.) whenever possible.

Next in the series: “Information Security Policy 101 – Administrator/Special Access Policy”

Previous: “Information Security Policy 101 – Acceptable Use Policy”


Friday, July 6, 2007

Information Security Policy 101 – Acceptable Use Policy


Finally, our first policy! If we have done this right, we have already done much of the legwork. So far we have defined what a policy is and obtained management’s endorsement. We have also identified what information our organization uses, how our organization uses the information it possesses, and the laws that pertain to the security of that information. We should be in a good position to write policy according to what our organization needs.

As stated in the first Information Security Policy 101 post, I will cover some of the more common policies found in organizations. I will cover them in alphabetical order, NOT in order of importance. The first policy is Acceptable Use.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

SAMPLE:
Purpose
This policy is established to achieve the following:

  • To ensure compliance with applicable statutes, regulations, and mandates regarding the management of Information Resources.
  • To establish prudent and acceptable practices regarding the use of %Organization% Information Resources.
  • To educate individuals who may use %Organization% Information Resources with respect to their responsibilities associated with such use.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. Typically an Acceptable Use Policy applies to all persons.

SAMPLE:
Audience
The %Organization% Acceptable Use Policy applies equally to all individuals granted access privileges to any %Organization% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Acceptable Use Policy
An Acceptable Use Policy is written to communicate which practices management considers prudent and acceptable with regard to the use of the organization’s information resources. An Acceptable Use Policy should address:

General Information Resource Use

SAMPLE “General Information Resource Use” POLICY STATEMENTS:

  • Users must not attempt to access any data or programs contained on %Organization% systems for which they do not have authorization or explicit consent
  • Users must not intentionally access, create, store or transmit material which %Organization% may deem to be offensive, indecent or obscene

Email Access and Use

SAMPLE “Email Access and Use” POLICY STATEMENTS:

  • Auto-forwarding electronic messages to e-mail addresses other than those within the %Organization% internal e-mail system is prohibited
  • An employee’s personal e-mail account may not be used to send or receive %Organization% Confidential Information

Internet Access and Use

SAMPLE “Internet Access and Use” POLICY STATEMENTS:

  • Use of the Internet with %Organization% networking or computing resources for recreational games, or for obtaining or distributing pornographic or sexually oriented materials, is prohibited
  • Using %Organization% networking and computing resources to make or attempt unauthorized entry to any network or computer accessible via the Internet is prohibited

Voicemail Access and Use

SAMPLE “Voicemail Access and Use” POLICY STATEMENTS

  • Use of the %Organization% voice mail system to defame, harass, intimidate or threaten any other person(s), or to send unnecessarily repetitive messages (i.e. chain mail) is prohibited
  • Users must refrain from disclosing any Confidential data in voice mail greetings

Incidental Use

SAMPLE “Incidental Use” POLICY STATEMENTS

  • Incidental personal use of electronic mail, Internet access, fax machines, printers, copiers, and so on, is restricted to %Organization% approved users; it does not extend to family members or other acquaintances
  • Incidental use must not interfere with the normal performance of an employee’s work duties

Many times there are statements in an Acceptable Use Policy that overlap with statements in other policies.

Conclusion
An Acceptable Use Policy is a necessary policy in many organizations. It is important to keep the communication as clear as possible and to encourage users to refer back to it regularly.

Download the SAMPLE ACCEPTABLE USE POLICY.

TIP: When all policies are written, combine them together as a global %Organization% Information Security Policy.

Next in the series – “Information Security Policy 101 – Account Management Policy”

Previous: “Information Security Policy 101 – Assess the Business”



Thursday, July 5, 2007

Information Security Policy 101 – Assess the Business


Let’s assume a couple of things; you have identified the need for information security policy and you have executive management endorsement. Now you are ready to start writing policy, but before we open Word and start typing away, we need more information. The policies we write need to be relevant to the business and provide value. Enter business assessment.

A good business assessment for our purposes will attempt to answer the following questions:

What types of information does the business use?

How does the business use information?

What is the law?

The order in which these questions are answered is not important. What is most important is how accurately we answer them. The answers to these questions will provide direction in identifying which policies we need and what they should say.

What types of information does the business use?
It is important to identify the types of information used by the business in order to design controls (policy is a control) that apply the right amount of protection to the right information.

Information security personnel rarely know the information types that every business unit within an organization uses so it is important at this stage to reach out to the business units. Information Security can reach out to the business units in a variety of ways; in-person interviews, questionnaires, creation of an Information Security Steering Committee staffed by personnel across the organization, etc. No single approach works best for all organizations.

IMPORTANT: Information security must reach out to the various business units.

The goal of the “What types of information does the business use?” answers is to identify what information is most sensitive to the organization. Information that is typically more sensitive in nature:

  • Personally Identifiable Information (PII) – Credit card numbers, social security numbers, authentication data, etc.
  • Protected Health Information (PHI) – typically the information addressed by the HIPAA Privacy Rule
  • Financial information – financial information that has not been released by the organization for public consumption
  • Intellectual Property (IP) – inventions, formulas, trade secrets, etc.
  • Other information that if disclosed, altered, or destroyed has the potential to cause significant harm to the organization.

Gathering the types of information used by the organization will give guidance as to what should be protected the most.

How does the business use information?
The determination of how the business uses (creates, accesses, stores, transmits, discards, etc.) information will provide information security personnel guidance as to how to write policy that does not interfere with business.

Information security personnel should constantly remind themselves that a business is in business to make money. If information security controls are designed that hinder the ability of a business to make money efficiently and expeditiously, without reducing risk accordingly, then the control has been designed poorly. Policy is no exception.

The goal in determining how the business uses information is to determine where information creation, access, storage, transmission, and destruction should be authorized and where it should be prohibited. Again, communication with business units is critical.

What is the law?
There is an abundance of laws and regulations that pertain to information security. It is very important to understand how they affect the information security program and policy.

Public companies have the Sarbanes-Oxley Act of 2002 (SOX), companies involved in health care have the Health Insurance Portability and Accountability Act (HIPAA), companies that store, process, or transmit payment card data are bound by the Payment Card Industry Data Security Standard (PCI DSS), which is a contractual industry standard rather than a statute but carries real penalties, pharmaceutical companies may have FDA 21 CFR Part 11, and the list goes on and on.

Information security personnel should consult the legal department to determine what laws and regulations apply to ensure that written policy will be in compliance.

Conclusion
There is plenty of groundwork that needs to be laid before writing an effective policy. Armed with the information obtained thus far, we should be in a good position to begin writing policies. Next we will take a look at the various policies that are common in many organizations to help you choose which are right for you.

Next in the series – “Information Security Policy 101 – Acceptable Use Policy”

Previous: "Information Security Policy 101 - Introduction to Information Security Policy"


Tuesday, July 3, 2007

Information Security Policy 101 – Introduction to Information Security Policy


Information security policy is arguably the single most important component of an information security program. Most information security personnel understand and agree that information security is a discipline based on a lifecycle. The goal of the lifecycle is the continuous improvement of an organization’s information security posture in terms of reduced risk.

“Information security is NOT a destination, but a continuous cycle”

As you can see in the conceptual diagram, information security policy is at the core. All other components of the lifecycle are dependent upon policy.

Information Security Policy Defined
Great, I understand where policy fits within a greater information security program, but what is “information security policy”? Great question! We should probably answer this before we embark on the creation of our own! Information security policy is:

A series of statements that accurately represent the views and expectations of management with respect to the protection of information assets employed by the organization.

Sound good? Yeah maybe, but let’s elaborate a little:

“A series of statements” – The statements are meant to be short, easily understood, broad and not relevant to minute details. Details are typically mentioned in supporting documentation such as guidelines, standards and procedures.

“that accurately represent the views and expectations of management” – This means that we must involve management. Typically management does not know what an information security policy should say so a dialog will need to be opened between information security personnel and management. We will dig deeper into this later.

“with respect to the protection of information assets” – Protection of the confidentiality, integrity and availability of information.

“employed by the organization.” – The keyword is “employed”, not to be confused with “owned”. Information the organization processes on behalf of customers, partners, or regulators is in scope even though the organization does not own it.

Every company needs security policy
The things that seem obvious to information security personnel may not be so obvious to “normal” people.

“Why do we need a policy?” Well written information security policy provides the foundation to an information security program and helps to ensure consistency, enforceability, organization, and cost-effectiveness of the information security program.

Management involvement
After writing nearly 100 policies over the years I can boldly say that writing policy is the easy part. Most good policies can be written in less than a month. Getting management endorsement and final approval averages 4-6 months.

Note: “Management” refers to C-level executives in many companies, i.e. CEO, CIO, CSO, COO, CFO, etc.

Some tips:
  • Management involvement and endorsement is critical. Without management endorsement, the information security policy is worthless.
  • Get management involved as early and regularly in the process as possible.
  • Understand that management is typically more “revenue focused” and security does not generate revenue. This requires some selling on the part of information security personnel.
  • Management probably understands that there is a need to protect information but does not understand how to go about it.
  • Do NOT be intimidated. Management wants to do the right thing.

Next in the series – “Information Security Policy 101 – Assess the Business”

Previous: Information Security Policy 101