CHAPTER 66

DEVELOPING SECURITY POLICIES

M. E. Kabay and Sean Kelley

66.1 INTRODUCTION

66.2 COLLABORATING IN BUILDING SECURITY POLICIES

66.3 PHASE 1: PRELIMINARY EVALUATION

66.3.1 Introduction to the Study

66.3.2 State of Current Policy

66.3.3 Data Classification

66.3.4 Sensitive Systems

66.3.5 Critical Systems

66.3.6 Authenticity

66.3.7 Exposure

66.3.8 Human Resources, Management, and Employee Security Awareness

66.3.9 Physical Security

66.3.10 Software Development Security

66.3.11 Computer Operations Security

66.3.12 Data Access Controls

66.3.13 Network and Communications Security

66.3.14 Antimalware Measures

66.3.15 Backups, Archives, and Data Destruction

66.3.16 Incident Response

66.3.17 Business Resumption Planning and Disaster Recovery

66.4 PHASE 2: MANAGEMENT SENSITIZATION

66.5 PHASE 3: NEEDS ANALYSIS

66.6 PHASE 4: POLICIES AND PROCEDURES

66.7 PHASE 5: IMPLEMENTATION

66.7.1 Upper Management

66.7.2 Technical Support

66.7.3 Lower-Level Staff

66.7.4 Other Technical Staff

66.8 PHASE 6: MAINTENANCE

66.9 CONCLUDING REMARKS

66.10 NOTES

66.1 INTRODUCTION.

This chapter reviews methods for developing security policies in specific organizations. Some of the other chapters of this Handbook that bear on policy content, development, and implementation are listed next:

• Chapter 23 provides an extensive overview of physical security policies.
• Chapter 25 discusses local area network security issues and policies.
• Chapter 39 reviews software development policies and quality assurance policies.
• Chapter 44 presents resources and standards for creating effective security policies.
• Chapter 49 looks at methods for enhancing security awareness.
• Chapter 45 provides guidance on employment policies from a security standpoint.
• Chapter 47 makes explicit recommendations about operations management policies.
• Chapter 48 reviews specific recommendations for e-mail and Internet usage.
• Chapter 50 presents concepts and techniques from social psychology to make security policy implementation more effective.
• Chapter 52 discusses the policies that apply to application design.
• Chapter 72 looks at censorship and content filtering on the Internet.

66.2 COLLABORATING IN BUILDING SECURITY POLICIES.

Policies are the foundation of effective information security, but the task of policy creation is complicated by human and organizational resistance. Technology alone does not work. In changing human behavior, rationality and substance are not enough: The process of development affects how people feel about policies and whether they see these rules as needless imposition of power or as an expression of their own values.

Security is always described as being everyone's business; however, in practice, security interferes with everyone's business. For example, network managers work hard to make networks user friendly. They do everything they can to make life easier for users; they provide network access routines with a graphical user interface, client/server systems with hot links between local spreadsheets and corporate databases, and a gateway to the Internet for their users. Superficially, one might think that implementing network security would simply involve defining access controls, applying encryption, and providing people with handheld password generators. Unfortunately, as discussed in Chapter 50, security policies offend deep-seated self-conceptions. People form close-knit work groups in which they trust each other; they do not lock their desks when they leave them for a few minutes, so why should they obey the network security policy that dictates locking their sessions? They even lend people car keys in an emergency; why should it be such a terrible breach of security to lend access codes and passwords to trusted colleagues in an emergency?

Security policies challenge users to change the way they think about their own responsibility for protecting corporate information. Attempting to impose security policies on unwilling people results in resistance, both because more stringent security procedures make people's jobs harder and because people do not like being told what to do—especially by security officials perceived as being outside the chain of command.

The only approach that works in the long run is to present security to everyone in the organization in a way that causes recognition that each one, personally and professionally, has a stake in information protection. Security managers, to be successful, must involve employees from throughout the enterprise in developing security policies. Users must justifiably feel that they own their security procedures; employees with true involvement in the policy development process become partners, rather than opponents, of effective security.

66.3 PHASE 1: PRELIMINARY EVALUATION.

Studies of the extent to which information security policies are in place consistently show that relatively few of the respondents have adequate policies in place. For example, the 2007 Global Security Survey run by CIO Magazine and PricewaterhouseCoopers was based on interviews and questionnaires involving 7,200 executives, security professionals, and technology managers “across all industries and more than 100 countries” about their organization's security and privacy policies and practices. According to the summary on page 2 of the report:

1. Only 6 out of 10 respondents worldwide (57 percent) say their organization has an information security strategy in place. Only another 13 percent, however, consider putting one in place a “top priority.”
2. Almost half of all respondents worldwide (48 percent) say their organization does not actively engage both business and information technology decision makers in addressing information security.
3. More than 7 out of 10 security managers, administrators, and technicians worldwide believe that their organization's security policies and spending can be improved.¹

In what follows, it is assumed that a specific officer or manager (or group of officers or managers) in the enterprise has taken on the task of developing security policies. The group will be called the policy development group.

Before attempting to formulate policies, the policy development group needs formal authorization to use corporate resources in such a project. It should not be too difficult to obtain a short memorandum from top management to everyone in the organization that lays out the reasons for asking for their time and energy in gathering information about the current state of security. Such authorization and continuing top-level support are essential tools in convincing people to cooperate with the policy development group.

In the absence of existing or adequate security policies, a preliminary inventory is the first step in providing upper management with the baseline information that will justify developing a corporate information security policy. The preliminary evaluation should be quick and inexpensive—perhaps days of work by a few people. There is no point in wasting time in expensive detail work before getting approval, support, and budget from upper management.

The goal of the preliminary evaluation is to ask the people who work with information resources what they believe are their most important security needs. Even though they may not be conscious of security as a distinct need, in practice, employees and managers do have valuable insights that transcend theory and generalizations. Data entry clerks may tell the security staff about security violations that no one else has observed or even thought about; for example, they may observe that a bug in a particular program makes the previous operator's data entry screen available for unauthorized entries when the shift changes and a new operator sits at the same terminal.

The policy development group should work closely with human resources (HR) personnel in developing the research instruments for interviewing staff. HR members are likely to know the key managers to contact in each department. The managers have to be convinced to support the effort so researchers can interview willing staff. Some of the HR people are likely to have the professional skills and experience required to provide accurate and cost-effective evaluations of beliefs, attitudes, and behavior affecting security. They may be able to help construct unbiased questionnaires, organize focus groups, and guide interviews.

However, if the security staff and the HR staff are not confident about being able to handle this preliminary data collection, the policy development group should see if it can obtain authorization to hire a consultant with proven expertise in collecting and analyzing social attitudes. The policy development group might want to discuss such a study with a firm specializing in security audits and organizational analysis. If no one knows where to start looking for such resources, the policy development group can contact information security associations, security magazines, security Web sites, and local universities and colleges to ask for suggestions.

These key issues should be part of the preliminary study:

• Introduction to the study
• State of current policy
• Data classification
• Sensitive systems
• Critical systems
• Authenticity
• Exposure
• Human resources, management, and employee security awareness
• Physical security
• Software development security
• Computer operations security
• Data access controls
• Network and communications security
• Antimalware measures
• Backups, archives, and data destruction
• Business resumption planning and disaster recovery

The next sections suggest some typical questions that would be helpful in gathering baseline data about the current state of security. All these questions (and more site-specific topics) should be asked of all the respondents in the preliminary evaluation. Applicable questions are not necessarily repeated in each section; instead, questions in the earlier parts of this list may be adapted for use in later sections. These suggestions are not intended to limit creativity but rather to stimulate development of more questions that would be particularly useful for a specific enterprise.

66.3.1 Introduction to the Study.

Employees may perceive many of the questions as threatening. The preamble or introduction to the study, whether it is by survey or by interviews, should make it clear that this is not an audit and that its purpose is to establish the framework for an appropriate set of security policies—policies suited to the needs of the organization and its stakeholders. The information should be anonymized so that no person will be targeted for reprisal if the study discovers problems. Every effort should be made to reassure employees that the study is designed to learn about the facts of security with a view to improvement, rather than a search for culprits who will be punished.

66.3.2 State of Current Policy.

The questions that follow not only gather baseline information about security policies but also determine whether employees have any idea about who is responsible for formulation of those policies.

• Does the enterprise have any security policies at all?
• Who developed them: an individual? a group?
• Where and how are the security policies available (paper, electronic)?
• When were the policies last updated? Last disseminated?
• Who, if anyone, has explicit responsibility for maintaining security policies?
• Who implements security policy at the enterprise level?
• To whom does the chief information security officer report within the enterprise?
• Who monitors compliance with security policies, standards, and compliance?

66.3.3 Data Classification.

Questions to ask include:

• Are there levels of security classification that apply to your work? If so, what are they called?
• Are there rules for determining whether information you handle should be classified at a particular level of confidentiality?
• Are documents or files labeled to show their security classification?
• What is your opinion about the value of such classification?
• Do people in your group pay attention to security classifications?
• Do you have any suggestions for improvement of how data are classified?²

66.3.4 Sensitive Systems.

The questions in this section focus on information that ought to be controlled against unauthorized disclosure and dissemination.

• In your work, are there any kinds of information, documents, or systems that you feel should be protected against unauthorized disclosure? If so, name them.
• How do you personally protect sensitive information that you handle?
• How do others in your department deal with sensitive information? No names, please.
• To your knowledge, have there been any problems with release of sensitive information in your department?
• Do you have any suggestions for improving the handling of sensitive data in your area?

66.3.5 Critical Systems.

The questions in this section focus on information that requires special attention to availability and correctness.

• In your work, are there any kinds of information, documents, or systems that you feel are so critical that they must be protected against unauthorized modification or destruction? If so, name them.
• Are there any special precautions you use, or know of, to safeguard critical data in your area?

66.3.6 Authenticity.

Questions to ask include:

• Do you know of any cases in which anyone has used someone else's identity in sending out messages such as letters, faxes, or e-mail? If so, were there any consequences?
• Does everyone in your group use digital signatures on electronic documents?
• Does anyone in your group make or use unauthorized copies of proprietary software? If so, do you think there is any problem with that?

66.3.7 Exposure.

Questions to ask include:

• What are the worst consequences you can realistically imagine that might result from publication in the newspapers of the most sensitive information you control?
• What might happen, in your opinion, if key competitors obtained specific confidential information that you use or control in your area?
• Can you estimate monetary costs associated with the scenarios you have just described?
• What would be the worst consequences you can foresee if critical information you work with were to be altered without authorization, or through accidental modification?
• What might happen if you could not access critical information quickly enough for your work?
• Can you estimate the costs of such breaches of data integrity and data availability?
• Could there be trouble if someone forged documents in your name, or in the enterprise's name? Can you sketch out some scenarios and associated costs resulting from such breaches of authenticity?

66.3.8 Human Resources, Management, and Employee Security Awareness

• As far as you know, who is responsible for developing security policies?
• Do you know where to find the security policies that apply to your work?
• When, if ever, did you last sign any documents dealing with your agreement to security policies?
• Who is responsible for monitoring compliance with security policy in your work-group? In the enterprise as a whole?
• Have you ever received any training in security policies? If so, when was the last time?
• Have you ever seen any written materials circulating in your workgroup that discuss information security?
• Do you think of protecting corporate information as one of your official responsibilities?³

66.3.9 Physical Security

• Does anyone check your identity when you enter the building where you work? Always?
• Are there any electronic access-control systems limiting access to your work area? What are they?
• Do people hold a secured door open to let each other into your work area? Do you let people in after you open a secured door?
• Have you ever seen a secured door into your area that has been blocked open (e.g., for deliveries)?
• Do people leave your work area unlocked when everyone leaves?
• Do staff members wear identity badges at work? Are they supposed to? Do you wear your badge at work?
• Do visitors wear badges?
• Have you ever seen strangers in your area who are not wearing visitor badges?
• What would you do if you saw a stranger in your area who was not wearing a visitor's badge?
• Do you lock any parts of your desk when you leave your workspace?
• What would you do if you heard the fire alarm ring?
• Where is the nearest fire extinguisher?
• Who is the fire marshal for your floor?
• What would you do if someone needed emergency medical attention?
• Is there an emergency medical station in your area or on your floor?
• Do you know who is qualified in cardiopulmonary resuscitation (CPR) in your group or on your floor? Do such people wear identifying pins?
• Have you had recent training in what to do in the event of an emergency? Have you been trained in how to evacuate the building?
• Is there anything that comes to mind that you would like to see to improve physical security and safety in your work area?⁴

66.3.10 Software Development Security.

These questions would be asked only of the software development team:

• Are there any security policies that apply to your work? What are they?
• Have you ever discussed security policies in your group?
• Is security viewed positively, neutrally, or negatively in your group? And by yourself?
• Do you and your colleagues discuss security during the requirements analysis and specification phases when developing software?
• How do you see quality assurance as part of the development process?
• Do you use automated software testing tools?
• Do you use automated version control software? If not, how do you exercise control?
• How do you document your systems?
• Do you think that your source code is adequately protected against unauthorized disclosure and modification?
• What is your opinion about Easter eggs (unauthorized code for an amusing picture or game)?
• Could anyone plant an Easter egg or a logic bomb (unauthorized, harmful functions) in code being developed in your group?
• Have you ever seen an Easter egg or a logic bomb in code from your group? Did it get through to production?
• Can you think of ways you would like to see better security in your work?⁵

66.3.11 Computer Operations Security.

These questions would be asked only of the computer operations team:

• How long do you wait after initial release before installing new operating system versions on your production machines?
• How do you put new software into production?
• Can development personnel access production software? Production data?
• How do you handle problem reports? Do you have an automated trouble-ticket system?
• Can people from outside the operations group enter the operations center?
• Are contractors, including repair technicians, allowed to circulate in operations without being accompanied?
• Does the cleaning staff ever circulate within the secured areas of operations without operations staff present?
• Are system components labeled?
• Is there an emergency cutoff switch for main power to the entire data center? Does it include air conditioning?
• Are there uninterruptible power supplies for critical components of your systems?
• Do you keep records of system downtime? What is your downtime over the last three months? The last year?
• What accounts for most of the downtime? Have remedies been implemented?
• Who monitors system resource utilization? Are there automated reports showing trends in disk space usage? CPU utilization? Network bandwidth usage?
• What improvements in security would you like to see in operations?⁶

66.3.12 Data Access Controls

• Do you have to identify yourself to the computers and networks you work with?
• Do you have a user name (ID) that no one else shares?
• Are you required to use a password, passphrase, or personal identification number (PIN) as part of your routine when starting to use your computer?
• Have you ever shared your unique user ID and password or PIN with someone else? Or have you borrowed someone else's user ID and password to get some work done? If so, how often does this happen?
• Do you use a token, such as a physical key or a smart card, to prove who you are to the computer system? If so, have you ever lent or borrowed such tokens? What for? How often?
• In your work, are there any limitations on the data you are allowed to see, modify, add to, or delete?
• Are there data you can see but not change?
• Do you use encryption on any of the data you work with?
• Do you or members of your group use laptop computers? If so, do you encrypt sensitive data on the disks of those portable systems?
• Do you or anyone in your group take work home? If so, do you put corporate data on your own, personal (noncompany) computers? Does anyone else have access to those computers? Are there any controls on accessing corporate data on the home computers?⁷

66.3.13 Network and Communications Security.

Most of the next questions would be appropriate only for network managers, administrators, and technicians. However, some of the questions are suitable for everyone.

• As a user, do you know what the rules are about using your employer's e-mail system and Internet access?
• Do you know anyone who regularly violates system usage restrictions? No names, please.
• Have you ever seen pornography on corporate systems? Child pornography? Racist and other objectionable materials? If so, did you know what to do? And what did you do?
• Has anyone ever discussed rules for secure e-mail with you? Do you know how to encrypt sensitive messages? Do you ever encrypt messages?
• As a network manager, do you have up-to-date network diagrams, or can you produce them on demand?
• Do you know which services are running on your Internet-connected systems? Are all of the running services needed?
• How do you determine which patches are appropriate for installation on your systems? How often do you check? Who is responsible for managing patches? How long does it take between notification of a vulnerability and installation of an appropriate patch?
• Does your security architecture include firewalls? If so, what determines the security policies you instantiate in the filtering rules?
• Do you have egress filtering enabled on your firewalls?
• Do you have intrusion detection systems? If so, who responds to apprehended intrusions? How are the responsible people notified of an intrusion?
• What are the procedures for responding to an intrusion?
• If your organization uses passwords, how do you handle requests for new passwords?
• Do you have centralized remote-access controls?
• Do remote users use virtual private networks (VPNs) to access corporate systems from outside the firewalls?
• Are your users supposed to use encryption for sensitive e-mail that traverses the Internet? Do they? How do you know?
• Do your users apply digital signatures to all communications?
• Are your Web servers protected against intrusion and vandalism?
• Have you kept sensitive information off your Web servers?
• Do you encrypt all sensitive information stored on your Web servers?
• How long would it take you to recover a valid version of the Web site if it were destroyed or vandalized?
• Do your telephone voicemail boxes have unique, nonstandard passwords? How do you know?
• How do you find out if an employee is being fired or has resigned? How long does it take between termination of employment of such an employee and deactivation of all system and network access?

66.3.14 Antimalware Measures

• Do you and all of your users have antimalware products installed on every workstation?
• How often are antimalware products updated? How are they updated?
• How long does it take for all vulnerable systems to be brought up to date?
• Do you or your users open unexpected, unsolicited e-mail attachments?⁸

66.3.15 Backups, Archives, and Data Destruction

• How often do you do backups of your electronic data?
• Where do you store backup media? Are current copies retained off site as well as on? How do you know which media to use to restore a specific file?
• How long do you keep different types of backups? Why?
• How do you prevent unauthorized access to backup media?
• If you keep data backups for several years, how do you ensure that the old media will be readable and that the data developed for old applications will be usable?
• How do you dispose of magnetic and optical storage media after their useful life is over? Are the discarded media readable?
• Do you make backup copies of paper documents? Where are these copies kept? How would you locate a specific document you needed?
• How long do you keep various types of papers? Why?
• When you dispose of paper documents, does their content influence how they are destroyed? How do you dispose of sensitive paper documents?⁹

66.3.16 Incident Response

• Do you know what to do if you see a security problem such as strangers without badges in secured areas, threats of violence arriving by e-mail, damaged company Web pages, bad data in files you use, missing files or data, or forged messages?
• Is there a specific team dedicated to responding to computer security breaches?
• Are you part of a computer security incident response team (CSIRT)? If so:
  • Is this a long-term assignment?
  • Do you have documentation and training on how to respond to specific types of incidents?
  • How are out-of-hours incidents handled?
  • Does your CSIRT hold practice drills?
  • Are there incident postmortems?
  • Do you have relations with local law enforcement officials? If so, which levels (municipal, state, federal)?
  • Have you ever experienced pressures from management to suppress incident reports of criminal activity to law enforcement?¹⁰

66.3.17 Business Resumption Planning and Disaster Recovery

• Do you have business resumption planning (BRP) or disaster recovery plans (DRP)? If so, where are they kept?
• Who is responsible for keeping BRP and DRP up to date?
• Have you ever participated in a BRP or DRP testing? If so, how long ago was the last one? When is the next scheduled test?
• During BRP and DRP tests, does anyone use video cameras or tape recorders to keep track of critical steps in the recovery?
• After a test, have you participated in analyzing the results of the tests to improve the plans?¹¹

66.4 PHASE 2: MANAGEMENT SENSITIZATION.

Support from upper management is essential for further progress. The goal in this phase is to get approval for an organization-wide audit and for a policy formulation project. In conjunction with the rest of the information security project team, the responsible managers should plan on a meeting that lasts no more than one or two hours. The meeting should start with a short statement from a senior executive about the crucial role of information in the organization's business.

Professional aids, such as management-oriented training videos, are helpful to sensitize managers to the consequences of poor information security. For an up-to-date list of such videos, enter the keywords “information security training video” into a search engine such as Google. After the video film, the team can present its findings from the preliminary evaluation. The immediate goal is to constitute an information protection working group to set priorities, determine an action plan, define a timetable and milestones, and formulate policies and procedures to protect corporate information resources. The presenters should name the people you want to see in your working group; all of these people should be contacted before the meeting to be sure that they have agreed in advance to participate in the working group.

The presenters should provide estimates of the time involved and the costs of in-house, and consulting, services and software. To end the briefing, it is useful to offer upper managers a range of background reading about security. Some managers may be intrigued by this field; the more they learn, the more they will support security efforts. One of the best resources for such sensitization is “Managing Risk from Information Systems: An Organizational Approach.”¹² This 67-page summary provides “guidelines for managing risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems.” The authors state: “The guidelines provided in this special publication have been broadly developed from a technical perspective to be generally useful across a wide range of organizations employing information systems to implement mission and business processes.” They also provide extensive cross-indexing to other public documents issued by the National Institute of Standards and Technology (NIST), all of which are freely available online.¹³

66.5 PHASE 3: NEEDS ANALYSIS.

The information protection working group should include representatives from every sector of the enterprise. As the group investigates security requirements, the participants' wide experience and perspective will be crucial in deciding which areas to protect most strongly. More important, their involvement is a concrete expression of corporate commitment to a fundamental attitude change in the corporate culture: Security is to be an integral part of the corporate mission.

For example, in a manufacturing firm, the team would include managers and staff from the factory floor, the unions, engineering, equipment maintenance, shipping and receiving, facilities management (including those responsible for physical security), administrative support, sales, marketing, accounting, personnel, the legal department, and information systems. Each of these members of the working group will help improve enterprise security.

If the organization is very large, the group may have to set up subcommittees to deal with specific sectors. Each subcommittee evaluates to what degree the systems and networks are vulnerable to breaches of security. For example, one group could focus on local and campus communications, another on wide area enterprise networks, and a third on electronic data interchange with clients and suppliers.

A typical audit covers the facilities, personnel policies, existing security, application systems, and legal responsibility to stakeholders (owners, shareholders, employees, clients, and the surrounding community). Based on the findings, the subcommittees formulate proposals for improving security. This is where the specialized knowledge obtained from information security specialists and information security courses will prove especially useful.¹⁴

66.6 PHASE 4: POLICIES AND PROCEDURES.

Once the information protection working group has built a solid floor of understanding of enterprise information security needs, the members are ready to construct the policies and procedures that meet those needs. The process should start from existing templates and normally takes weeks to months to complete a workable draft.¹⁵

Genuine participation by all the representatives from every sector of the enterprise is a critical element of success; without a thoroughgoing sense of ownership of the policies, working group members will fail to internalize the new policies. All the members of the working group must become enthusiasts for their collective efforts; in some sense, these people become missionaries engaged in the long-term conversion efforts of phase 5, the implementation of the policies.

66.7 PHASE 5: IMPLEMENTATION.

Once the working group members have defined the new or improved security policies, they are about halfway to their goal. The hardest part is ahead: explaining the need for security and the value of the new policies to fellow employees and convincing them to change. Even if they agree intellectually, there is a good chance that their ingrained social habits will override the new rules for at least months and possibly years. The challenge is to overcome these habits.

Chapter 50 shows in detail how to use the insights of social psychology to change corporate culture by working on beliefs, attitudes, and behavior. In addition to the suggestions in that chapter, the information protection working group should organize and deliver awareness and training sessions for all levels of the enterprise:

• Upper management
• Technical support
• Lower-level staff
• Other technical staff

The next sections offer some simple agendas for such preliminary sessions.

66.7.1 Upper Management.

Security policies and procedures require management support and sanctions. The transformation of corporate culture should begin at the top. Although it is difficult to coordinate the presence of top executives, the working group should try to organize a half-day executive briefing session on enterprise security. In practice, the group may be able to convince upper management to attend for one or two hours. The focus should be intensely practical, and should show executives how to protect themselves and the enterprise against common dangers. Suggested topics:

• A review of the business case for improving security. Industrial espionage, natural and man-made disasters, vandalism
• Network security. Protection against eavesdropping and tampering
• Access controls. Tokens, biometrics, passwords
• Encryption. E-mail, laptops, provision for emergency data recovery
• Backup policies for PCs, networks, and mainframes
• Security agreements. Summaries of the policies and procedures to be read and signed annually
• Need for total support to convince other staff to comply with security policies

66.7.2 Technical Support.

The next target is the technical support group, the people who help explain security policies to users. In a one-day training session, the presentations can cover:

• Everything covered in the executive briefing
• Operating system security provisions
• Security software features
• Changes in operations to comply with new procedures

66.7.3 Lower-Level Staff.

Lower-level staff need a half-day session that answers these questions in terms that apply directly to their own work:

• Why should I care about information security?
• What are my obligations as an employee?
• How do I protect the PC I am responsible for against viruses?
• How do I back up my data?
• How do I manage my passwords?
• What must I do if I see someone violating our security policies?

The class ends with participants signing the security agreement.

66.7.4 Other Technical Staff.

More intensive training and education are needed for technical staff, such as members of the software development, operations, and network administration groups. More in-depth, specific material will have to be incorporated into their training; however, such training can be spread over a longer time than that for the groups already discussed, because of the rhythm of work and the crucial importance of technical competence for implementation of the policies. Most enterprises rely on outside trainers, specialized off-site or online courses, and certification programs to raise their staff to the appropriate levels of competence.

66.8 PHASE 6: MAINTENANCE.

Once the enterprise has begun to integrate a concern for security into every aspect of its work, the issue must be kept fresh and interesting. As described in Chapter 49, successful security awareness programs include amusing posters, interesting videos, occasional seminars on stimulating security topics such as recent frauds or computer crimes, and regular newsletters with up-to-date information. Finally, every employee should regularly reread and sign the annual security agreement. This practice ensures that no one can argue that the organization's commitment to security is a superficial charade.

66.9 CONCLUDING REMARKS.

For a secure installation, three things are essential:

1. Sound policies that have been developed with the cooperation of everyone concerned and that are updated periodically
2. Widespread dissemination of those policies, with ongoing observation of their implementation and with frequent training and continual reinforcement
3. Commitment to security on the part of everyone, from top management on down

When these essential elements are in place, the entire organization will function at a more productive level, one at which the possibilities of disruption and damage will have been reduced to a minimum. Nothing less is acceptable.

66.10 NOTES