Managing security - Getting serious about security

Managing security within an organisation is a challenging task. Without a security policy, supporting guidelines and procedures, the challenge is even greater.

In general, organisations operating without a security policy tend to implement security controls inconsistently, resulting in loopholes that can be exploited or procedures that fail. Furthermore, detecting and resolving these weaknesses is difficult and time consuming.

A security policy outlines the requirements with regard to information security within an environment. Combined with standards, guidelines and procedures this allows management to take control of information security. What this means in real terms is that employees know what is expected of them, what is acceptable and what is not. This applies to both users of IT as well as to those who manage it.

Without a security policy, staff members are unaware of their responsibilities and duties regarding IT security. Consequently, they may deliberately or accidentally compromise corporate information. Management may have no recourse against perpetrators. Staff have no official guideline for configuring and administering systems with regard to IT security. Without a policy, the value of data may not be obvious, and data may therefore be secured inappropriately. A security policy will help address these issues.

After the risks have been identified, a policy can be created to help manage those risks. This is usually easiest to achieve using a "top down" approach. Begin with a high-level management statement of objectives. From this, more detailed policies can be developed concerning mechanisms and standards, which in turn form the basis of specific guidelines and daily procedures.

The whole process does not need to be executed in one go; in fact, the best policies "evolve" into an environment in an interactive manner, over time. Policies that are written in one sitting tend not to consider the business and operational environment, and as a result are difficult to implement and lose focus.

The need for separate policies is often decided by the topic and the audience of the policy. For example, an Internet and e-mail policy applies to all staff, as usually all will be using both the Internet and e-mail. A firewall infrastructure policy, however, applies only to those staff directly responsible for managing the firewall infrastructure. This separation by topic and audience provides a more focused policy and increases its usability.

Many security policies try to cover all aspects of security in the same document; this usually means the message is lost and the policy becomes unwieldy. The security policy describes the corporate strategy and direction, while individual policies focus on particular areas.

When developing a security policy it is important to keep it realistic: a policy that cannot be implemented, or is not enforceable, may as well not exist.

Guidelines and procedures help enforce the security policy by giving staff direction on how to implement the security measures, providing a consistent approach to building servers, responding to security breaches, implementing firewalls, etc. The procedures and guidelines translate the generic language of the policies to the technical implementation of the policy on the specific systems.

When introducing a security policy it is important to have support from both management and the people directly affected by the policy. The way the policy is introduced can have an impact on how it will be accepted. Education once again is the key.

Mark Hofman is Senior Security Consultant of Global Business IT Solutions, an IT security solutions firm which is a member of the ACS Professional Recognition Program.
