M. E. Kabay and Sean Kelley
66.2 COLLABORATING IN BUILDING SECURITY POLICIES
66.3 PHASE 1: PRELIMINARY EVALUATION
66.3.1 Introduction to the Study
66.3.2 State of Current Policy
66.3.8 Human Resources, Management, and Employee Security Awareness
66.3.10 Software Development Security
66.3.11 Computer Operations Security
66.3.13 Network and Communications Security
66.3.15 Backups, Archives, and Data Destruction
66.3.17 Business Resumption Planning and Disaster Recovery
66.4 PHASE 2: MANAGEMENT SENSITIZATION
66.6 PHASE 4: POLICIES AND PROCEDURES
This chapter reviews methods for developing security policies in specific organizations. Some of the other chapters of this Handbook that bear on policy content, development, and implementation are listed next:
Policies are the foundation of effective information security, but the task of policy creation is complicated by human and organizational resistance. Technology alone does not work. In changing human behavior, rationality and substance are not enough: The process of development affects how people feel about policies and whether they see these rules as needless imposition of power or as an expression of their own values.
Security is always described as being everyone's business; however, in practice, security interferes with everyone's business. For example, network managers work hard to make networks user friendly. They do everything they can to make life easier for users; they provide network access routines with a graphical user interface, client/server systems with hot links between local spreadsheets and corporate databases, and a gateway to the Internet for their users. Superficially, one might think that implementing network security would simply involve defining access controls, applying encryption, and providing people with handheld password generators. Unfortunately, as discussed in Chapter 50, security policies offend deep-seated self-conceptions. People form close-knit work groups in which they trust each other; they do not lock their desks when they leave them for a few minutes, so why should they obey the network security policy that dictates locking their sessions? They even lend people car keys in an emergency; why should it be such a terrible breach of security to lend access codes and passwords to trusted colleagues in an emergency?
Security policies challenge users to change the way they think about their own responsibility for protecting corporate information. Attempting to impose security policies on unwilling people results in resistance, both because more stringent security procedures make people's jobs harder and because people do not like being told what to do—especially by security officials perceived as being outside the chain of command.
The only approach that works in the long run is to present security to everyone in the organization in a way that causes recognition that each one, personally and professionally, has a stake in information protection. Security managers, to be successful, must involve employees from throughout the enterprise in developing security policies. Users must justifiably feel that they own their security procedures; employees with true involvement in the policy development process become partners, rather than opponents, of effective security.
Surveys of the extent to which information security policies are in place consistently show that relatively few respondents have adequate policies. For example, the 2007 Global State of Information Security Study run by CIO Magazine and PricewaterhouseCoopers was based on interviews and questionnaires involving 7,200 executives, security professionals, and technology managers “across all industries and more than 100 countries” about their organizations' security and privacy policies and practices. According to the summary on page 2 of the report:
In what follows, it is assumed that a specific officer or manager (or group of officers or managers) in the enterprise has taken on the task of developing security policies. The group will be called the policy development group.
Before attempting to formulate policies, the policy development group needs formal authorization to use corporate resources in such a project. It should not be too difficult to obtain a short memorandum from top management to everyone in the organization that lays out the reasons for asking for their time and energy in gathering information about the current state of security. Such authorization and continuing top-level support are essential tools in convincing people to cooperate with the policy development group.
In the absence of existing or adequate security policies, a preliminary inventory is the first step in providing upper management with the baseline information that will justify developing a corporate information security policy. The preliminary evaluation should be quick and inexpensive—perhaps days of work by a few people. There is no point in wasting time in expensive detail work before getting approval, support, and budget from upper management.
The goal of the preliminary evaluation is to ask the people who work with information resources what they believe are their most important security needs. Even though they may not be conscious of security as a distinct need, in practice, employees and managers do have valuable insights that transcend theory and generalizations. Data entry clerks may tell the security staff about security violations that no one else has observed or even thought about; for example, they may observe that a bug in a particular program makes the previous operator's data entry screen available for unauthorized entries when the shift changes and a new operator sits at the same terminal.
The policy development group should work closely with human resources (HR) personnel in developing the research instruments for interviewing staff. HR members are likely to know the key managers to contact in each department. The managers have to be convinced to support the effort so researchers can interview willing staff. Some of the HR people are likely to have the professional skills and experience required to provide accurate and cost-effective evaluations of beliefs, attitudes, and behavior affecting security. They may be able to help construct unbiased questionnaires, organize focus groups, and guide interviews.
However, if the security staff and the HR staff are not confident about being able to handle this preliminary data collection, the policy development group should see if it can obtain authorization to hire a consultant with proven expertise in collecting and analyzing social attitudes. The policy development group might want to discuss such a study with a firm specializing in security audits and organizational analysis. If no one knows where to start looking for such resources, the policy development group can contact information security associations, security magazines, security Web sites, and local universities and colleges to ask for suggestions.
These key issues should be part of the preliminary study:
The next sections suggest some typical questions that would be helpful in gathering baseline data about the current state of security. All these questions (and more site-specific topics) should be asked of all the respondents in the preliminary evaluation. Applicable questions are not necessarily repeated in each section; instead, questions in the earlier parts of this list may be adapted for use in later sections. These suggestions are not intended to limit creativity but rather to stimulate development of more questions that would be particularly useful for a specific enterprise.
Employees may perceive many of the questions as threatening. The preamble or introduction to the study, whether it is by survey or by interviews, should make it clear that this is not an audit and that its purpose is to establish the framework for an appropriate set of security policies—policies suited to the needs of the organization and its stakeholders. The information should be anonymized so that no person will be targeted for reprisal if the study discovers problems. Every effort should be made to reassure employees that the study is designed to learn about the facts of security with a view to improvement, rather than a search for culprits who will be punished.
The questions that follow not only gather baseline information about security policies but also determine whether employees have any idea about who is responsible for formulation of those policies.
Questions to ask include:
The questions in this section focus on information that ought to be controlled against unauthorized disclosure and dissemination.
The questions in this section focus on information that requires special attention to availability and correctness.
Questions to ask include:
Questions to ask include:
These questions would be asked only of the software development team:
These questions would be asked only of the computer operations team:
Most of the next questions would be appropriate only for network managers, administrators, and technicians. However, some of the questions are suitable for everyone.
Support from upper management is essential for further progress. The goal in this phase is to get approval for an organization-wide audit and for a policy formulation project. In conjunction with the rest of the information security project team, the responsible managers should plan on a meeting that lasts no more than one or two hours. The meeting should start with a short statement from a senior executive about the crucial role of information in the organization's business.
Professional aids, such as management-oriented training videos, are helpful in sensitizing managers to the consequences of poor information security. For an up-to-date list of such videos, enter the keywords “information security training video” into a search engine such as Google. After the video, the team can present its findings from the preliminary evaluation. The immediate goal is to constitute an information protection working group to set priorities, determine an action plan, define a timetable and milestones, and formulate policies and procedures to protect corporate information resources. The presenters should name the people they want in the working group; all of these people should be contacted before the meeting to be sure that they have agreed in advance to participate.
The presenters should provide estimates of the time involved and of the costs of in-house services, consulting services, and software. To end the briefing, it is useful to offer upper managers a range of background reading about security. Some managers may be intrigued by this field; the more they learn, the more they will support security efforts. One of the best resources for such sensitization is “Managing Risk from Information Systems: An Organizational Perspective.”12 This 67-page summary provides “guidelines for managing risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems.” The authors state: “The guidelines provided in this special publication have been broadly developed from a technical perspective to be generally useful across a wide range of organizations employing information systems to implement mission and business processes.” They also provide extensive cross-indexing to other public documents issued by the National Institute of Standards and Technology (NIST), all of which are freely available online.13
The information protection working group should include representatives from every sector of the enterprise. As the group investigates security requirements, the participants' wide experience and perspective will be crucial in deciding which areas to protect most strongly. More important, their involvement is a concrete expression of corporate commitment to a fundamental attitude change in the corporate culture: Security is to be an integral part of the corporate mission.
For example, in a manufacturing firm, the team would include managers and staff from the factory floor, the unions, engineering, equipment maintenance, shipping and receiving, facilities management (including those responsible for physical security), administrative support, sales, marketing, accounting, personnel, the legal department, and information systems. Each of these members of the working group will help improve enterprise security.
If the organization is very large, the group may have to set up subcommittees to deal with specific sectors. Each subcommittee evaluates to what degree the systems and networks are vulnerable to breaches of security. For example, one group could focus on local and campus communications, another on wide area enterprise networks, and a third on electronic data interchange with clients and suppliers.
A typical audit covers the facilities, personnel policies, existing security, application systems, and legal responsibility to stakeholders (owners, shareholders, employees, clients, and the surrounding community). Based on the findings, the subcommittees formulate proposals for improving security. This is where the specialized knowledge obtained from information security specialists and information security courses will prove especially useful.14
Once the information protection working group has built a solid floor of understanding of enterprise information security needs, the members are ready to construct the policies and procedures that meet those needs. The process should start from existing templates and normally takes weeks to months to complete a workable draft.15
Genuine participation by all the representatives from every sector of the enterprise is a critical element of success; without a thoroughgoing sense of ownership of the policies, working group members will fail to internalize the new policies. All the members of the working group must become enthusiasts for their collective efforts; in some sense, these people become missionaries engaged in the long-term conversion efforts of phase 5, the implementation of the policies.
Once the working group members have defined the new or improved security policies, they are about halfway to their goal. The hardest part is ahead: explaining the need for security and the value of the new policies to fellow employees and convincing them to change. Even if they agree intellectually, there is a good chance that their ingrained social habits will override the new rules for at least months and possibly years. The challenge is to overcome these habits.
Chapter 50 shows in detail how to use the insights of social psychology to change corporate culture by working on beliefs, attitudes, and behavior. In addition to the suggestions in that chapter, the information protection working group should organize and deliver awareness and training sessions for all levels of the enterprise:
The next sections offer some simple agendas for such preliminary sessions.
Security policies and procedures require management support and sanctions. The transformation of corporate culture should begin at the top. Although it is difficult to coordinate the presence of top executives, the working group should try to organize a half-day executive briefing session on enterprise security. In practice, the group may be able to convince upper management to attend for one or two hours. The focus should be intensely practical, and should show executives how to protect themselves and the enterprise against common dangers. Suggested topics:
The next target is the technical support group, the people who help explain security policies to users. In a one-day training session, the presentations can cover:
Lower-level staff need a half-day session that answers these questions in terms that apply directly to their own work:
The class ends with participants signing the security agreement.
More intensive training and education are needed for technical staff, such as members of the software development, operations, and network administration groups. More in-depth, specific material will have to be incorporated into their training. Such training can, however, be spread over a longer period than that for the groups already discussed, both because of the rhythm of technical work and because technical competence is crucial to implementing the policies correctly. Most enterprises rely on outside trainers, specialized off-site or online courses, and certification programs to raise their staff to the appropriate levels of competence.
Once the enterprise has begun to integrate a concern for security into every aspect of its work, the issue must be kept fresh and interesting. As described in Chapter 49, successful security awareness programs include amusing posters, interesting videos, occasional seminars on stimulating security topics such as recent frauds or computer crimes, and regular newsletters with up-to-date information. Finally, every employee should regularly reread and sign the annual security agreement. This practice ensures that no one can argue that the organization's commitment to security is a superficial charade.
For a secure installation, three things are essential:
When these essential elements are in place, the entire organization will function at a more productive level, one at which the possibilities of disruption and damage will have been reduced to a minimum. Nothing less is acceptable.
1. PricewaterhouseCoopers (2007), “2007 Global State of Information Security Study,” http://tinyurl.com/4sq5b6.
2. See Chapter 67 in this Handbook.
3. For additional ideas in framing questions about security awareness, see Chapter 49. For ideas on appropriate questions dealing with employment practices and policies, see Chapter 45.
4. For more detail about physical security and additional ideas on appropriate questions, see Chapters 22 and 23.
5. For much more information suitable for devising questions about development security, see Chapters 38 and 39.
6. For more information suitable for devising questions about operations security, see Chapter 47.
7. For additional ideas on looking at identification and authentication, see Chapters 28 and 29.
8. See Chapter 41 for more ideas on checking for appropriate levels of antimalware precautions.
9. For additional suggestions to help in framing questions about data backups, see Chapter 57.
10. See Chapter 56.
11. For more ideas on questions that are appropriate in quickly evaluating the state of business resumption planning and disaster recovery, see Chapters 58 and 59.
12. R. Ross, S. Katzke, A. Johnson, M. Swanson, and G. Stoneburner, “Managing Risk from Information Systems: An Organizational Perspective,” National Institute of Standards and Technology NIST SP 800-39, Second Public Draft (April 2008), http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf.
13. The Further Reading sections of chapters in this Handbook (as well as sections of the chapters themselves) provide a wealth of material for management sensitization.
14. Chapters 54, 62, and 63 have information that will help the information protection working group develop an evaluation plan.
15. Chapter 44 contains many practical suggestions and resources for the content and style of security policies.