In 2019, CIO Magazine published an article on how to implement a successful security policy.¹ This article begins by advising that one assess the current state of security. That is usually good advice in any security situation. The article also recommends implementing monitoring. This is the best way to have an ongoing understanding of what is happening on the network.

Only after those preliminary steps does one set security measures and controls. The article provides good general guidelines on how to do this. This includes the use of live documents that are easy to update and thus always current. The article also recommends end-to-end security. Most notably, CIO Magazine recommends working to foster a dynamic security culture.

The SANS Institute has a white paper on building and implementing a security policy.² This document actually provides examples of how to structure specific security policies. One of the examples is given in FIGURE 13-3.

Courtesy of SANS Institute, used with permission.

This is an older case, but it is still important because of the significant impact it has. In November 2012, South Carolina state officials disclosed a massive data breach at the Department of Revenue. Few details on the breach were disclosed, but it involved exposing more than 3.6 million taxpayers’ personal information records and 650,000 business tax–related records. The breach occurred in September 2012. It’s clear that massive amounts of personal information were stolen.

A former top official with the FBI estimated the cost to the state at more than $350 million, based upon past FBI experience, including the cost of offering free credit monitoring to affected individual taxpayers and businesses.

The root cause of the breach cited in news reports was the lack of mandatory security policies across 100 state agencies, boards, commissions, and colleges and universities.

All state agencies have some type of computer security system in place. It’s fair to assume they all have some level of security policy in place. But it is clear these policies were discretionary. That meant an approach to information security across state government that was at best inconsistent. Nor did the state appear to have a comprehensive approach to sharing best practices for information security or for coordinating response to these types of data breaches.

In the case of the South Carolina Department of Revenue, the policies clearly were neither adequate nor consistent. Additionally, reports indicate the source of the hack was in Eastern Europe. The hacker or hackers gained access through a phishing email. Phishing emails try to trick a user to open an email and execute a link or program with malware. Security awareness is a strong control that educates users on how to protect themselves from such attacks, including how to recognize such attacks and why not to open suspect links. If a phishing email was a source of the attack, it might be an indication that the security awareness program at this state agency was inadequate.

² https://www.sans.org/reading-room/whitepapers/policyissues/paper/509