48
A Practical Guide to Security Assessments
critical data. Good security policies are tailored to address the specific security risks
facing the company. These risks are the starting point for developing the security
policies.
Security policies should be developed with input from both business process
owners and technology owners. The input from the business side is critical because
the business will play a significant role in driving what is done from an information
security perspective. Depending on how a company is organized, this input is
important also because it is the business units that may be ultimately responsible
for funding the implementation of security policies and other security initiatives.
Security policies are generally developed with input from both business and tech-
nology owners to ensure that the policies are both feasible and reasonable with
respect to addressing the specific security risks the company is facing.
Some standard security policies that almost every company has include Backup
and Recovery, Data Retention, Acceptable Use, etc. There are also some policy areas
such as Business-to-Business and Business-to-Consumer that many companies do
not have. The policies you end up developing will depend on the business process
and technology analysis of the company.
Once security policies are developed, they must be implemented by developing
procedures. This is an important concept and it brings us to the distinction between
policies and procedures. Where policies tell “what” needs to be done, procedures
tell “how” to do it. To clearly understand what policies and procedures are, it is
valuable to highlight some of the key differences:
• In the same way that policies were the next step after the development
of the security strategy, procedures are the next step after development of
policies.
• Policies tend to be global in nature, but procedures may be at a more
granular level in the organization (e.g., at the department or business unit
level).
Security policies by themselves do not tell users how to implement that policy.
For example, a monitoring policy might say, “system logs should be reviewed
periodically.” Based on this policy, users do not necessarily know “how” to review
logs or what “periodic” review means. In this case, there may be a procedure that
goes through the step-by-step process of how to review the logs, what to look for,
and how frequent the review should be. Notice that the policy can leave a fair amount
of latitude for interpretation. This is necessary because different groups within a
company may implement policies differently based on their specific requirements.
For example, one group might review system logs on a daily basis, but another group
might review them on a weekly basis. Both frequencies, daily and weekly, are
interpretations of “periodic.”
Policies will tend to remain relatively static, although procedures will vary based
on technology, organization, resources, and other requirements. For example, pro-
cedures related to ID administration will vary depending on what technology is used
(e.g., Microsoft, Novell), but the ID administration policy requirements should not
AU1706_book.fm Page 48 Wednesday, July 28, 2004 11:06 AM