IT Security Policy Framework
CIS 462: Security Strategy and Policy
IT Security Policy Framework
Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment. As a result of this increasing interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities (ISO/IEC 17799, 2005). For this reason, many organizations nowadays implement various security policies in order to protect the organization. Also, to have a secure flow of information, organizations implement an information security framework, which helps the organization to identify the risks associated with the organization’s information and ways to mitigate those risks.
Design a Security Policy Framework
The ISO/IEC 2700 series is an internationally adopted standard for any information management program for essentially any organization (Johnson , R., Merkow, M., 2011). The ISO/IEC 270002, titled “Information Technology-Security Techniques-Code of Practice for Information Security Management”, is the more popular industry standard for establishing and managing an IT security program (Johnson , R., Merkow, M., 2011). The ISO/IEC outlines 12 main areas that compose of the framework. These areas are risk assessment and treatment, security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisitions, development, and maintenance, information security incident management, business continuity management, compliance (Johnson , R., Merkow, M., 2011). The ISO/IEC also covers three aspects of the information security management program which are managerial, operational, and technical activities (Johnson , R., Merkow, M., 2011).
Section 1 – Introduction:
The purpose will be stated in the introduction section. This will provide the reader with a brief description of what this policy will state and why it is needed. The security stance of the agency will be stated here.
Section 2 – Roles and Responsibilities:
It is important that the policy detail the specific responsibilities of each identifiable user population, including management, employees and residual parties.
Section 3 – Policy Directives:
This section describes the specifics of the security policy. It will provide sufficient information to guide the development and implementation of guidelines and specific security procedures.
Section 4 – Enforcement, Auditing, Reporting:
This section states what is considered a violation and the penalties for non-compliance. The violation of a policy usually implies an adverse action which needs to be enforced.
Section 5 – References:
This section lists all references mentioned in the policy, including agency standards, procedures, government code, and State Administrative Manual sections.
Section 6 – Control and Maintenance:
This section states the author and owner of the policy. It also describes the conditions and process in which the policy will be reviewed. A policy review should be performed at least on an annual basis to ensure that the policy is current.
Compliance and Alignment of Security Controls
The importance of establishing compliance of IT security controls with U.S. laws and regulations is so the consumer will be protected, the promotion of a stable economy, and to maintain a reliable source of tax revenue (Johnson , R., Merkow, M., 2011). Also, with regards to the importance of establishing compliance of IT security controls, “Failure to comply with applicable laws and regulations creates risk to the organization as whole, its officers/executives managers personally, other stakeholders including employees and to owners or originators of information in its care.” (IsecT, 2011). Organizations can align their policies and controls with applicable regulations by first understanding the security requirements for each regulation and the business (Johnson , R., Merkow, M., 2011). Also the organization needs to understand the data handling requirements of the regulation (Johnson , R., Merkow, M., 2011). Once those areas are understood, then the organization can follow a three step approach. The three steps are:
Business Challenges within Each of the Seven Domains
- Document the concepts and principles you will adopt.
- Apply then to security policies and standards.
- Develop security controls and standards.
The security challenges within each of the seven domains in developing an effective IT security policy framework is as follows:
IT Security Policy Framework implementation Issues
- User Domain. The challenge here is to make sure that you have well defined policies that reflect the organization’s “reasonable expectation.” (Johnson , R., Merkow, M., 2011). Another challenge is to have processes that can run repeatedly and consistently to ensure high quality products and services (Johnson , R., Merkow, M., 2011).
- Workstation Domain. The challenge here is making sure that you are aware of the basic controls expected by regulators and also to install the necessary security, i.e., antivirus software without disrupting the businesses day to day operations (Johnson , R., Merkow, M., 2011).
- LAN Domain. The challenge here is defining and enforcing what is acceptable use over the LAN. LAN resources are not unlimited, but they are finite and this has to be regulated, but at the same time giving the customer or employee the necessary bandwidth to operate (Johnson , R., Merkow, M., 2011).
- LAN-to-WAN Domain. The major concern here is the protection of the Web sits servers. Making sure that the Web site is available and credible and the customers are being fed and seeing the correct information (Johnson , R., Merkow, M., 2011).
- WAN Domain. The major concern here is making sure the WAN is cost effective, reliable, and fast (Johnson , R., Merkow, M., 2011).
- Remote Access Domain. The point of contention here is with flexibility (Johnson , R., Merkow, M., 2011). Employees need to be able to connect to the company’s network wherever there is an Internet connection (Johnson , R., Merkow, M., 2011).
- System /Application Domain. When it comes to data collection, storage, and processing this domain has two areas of critical concern These areas are: Is the information safe? Can confidential information be prevented from leaving the organization?
A successful security policy implementation is contingent on people understanding key concepts and accepting the material. One also needs to be skilled in persuading people in the workplace the importance of these policies and how important these policies will be in the overall success of the organization. The leading issue here is motivation. Motivation which comprises of three elements (pride, self-interest, and success) is essential to framework implementation. One needs to make the employees feel like they are a part of the process and make the success of the policies the success of the employees. This leads into another issue of understanding and dealing with different personality types and being able to know how to get all of these personalities on board with the polices. In order to this a person must exhibit some good quality leadership skills that include values, goals, and the promotion of teamwork. A person must also be able to sell the policies to upper management. They need upper management to get on board to help push the policy and to be the example for the body to follow. To overcome these implementation issues, one must follow an eight step model that basically connects back to the leading issue of motivation. These eight steps are (Johnson , R., Merkow, M., 2011) :
In conclusion, an IT security policy framework protects the company, the employees, and the customers. The policy acts like an umbrella in that it protects everything under it. The problem is getting everyone to buy in on the process. Once everyone is on board, then you will have a better chance of success (fiscal, public relations), products, and services. These policies, although they can be a little cumbersome have great long term benefits for organizations.
- Create urgency. For change to happen there must be an urgent need.
- Form a powerful coalition. Leadership must back you.
- Create a vision for change. Change needs to be understandable.
- Communicate the vision. You need to let everyone aware of what is going on and what is coming.
- Remove obstacles. When barriers come, one needs to remove the barriers all while continuing to move forward with the change.
- Create short term wins. Success breeds success. Each time you have a small success it will silence the doubters
- Build on the change. Change takes time and continued effort
- Anchor the changes in corporate culture. Make it a habit and part of the culture.
IsecT (2011, March). Retrieved from http://www.iso27001security.com/IsecT_white_paper_on_security_compliance.pdf
ISO/IEC 17799:2005 Information technology – Security techniques – Code of practice for information security management. Retrieved on December 17, 2008. http://www.iso.org/iso/support/faqs/faqs_widely_used_standards/widely_used_standards_other/information_security.htm
Johnson , R., Merkow, M. (2011). Security Policies and Implementation Issues. Sudbury, MA: Jones & Bartlett.