ISO Certification and Security

Compliance with internationally recognized standards is becoming more necessary. Because conformance to a recognized standard is a common currency of instant legitimacy, many companies are pursuing such a course. The ISO offers many standards, and all are valuable in their own right. You can find a lot of useful information on ISO standards, the processes used, and the implementation of those standards at www.iso.org. For purposes of this discussion, the concern lies with ISO/IEC 27002: Information technology, Security techniques, Code of practice for information security management.

Delivery

When delivering the security policy to users, you must determine the most effective manner of communicating it, so as to facilitate compliance and support from your users. This is often much easier said than done.

Many discussions of the concepts and goals of security policies seem to gloss over the delivery of those policies, especially when the audience consists of business-focused, nontechnical users. Yet it is crucial for everyone to understand and support these policies. Failing to reach for this goal, and to make the effort, dooms the policy to failure and backlash from users, because they will resent the policy from the beginning.

Handling these types of situations is similar to handling interpersonal relationships. Beyond good interpersonal skills, consider the following additional suggestions:

• Ensure that all policies are presented clearly during new employee orientation.

• Always allow a sample of the personnel affected by a security policy to review it and provide input before it is implemented.

• Provide a security policy refresher course and delivery methodology.

In general, you should keep policies short: fewer than two pages. There is no need to complicate the situation. Occasionally you might have to go over that length, but not usually. In closing, ensure that your policies are updated annually, if not sooner, to reflect the changes of the past year.

ISO/IEC 27002

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was originally published as ISO/IEC 17799:2005. In July 2007, it was redesignated ISO/IEC 27002:2005, bringing it in line with the other 27000-series standards.

This de facto standard is extremely comprehensive in its security coverage, providing you with best practice recommendations on information security management for implementing and maintaining an Information Security Management System (ISMS).

ISO/IEC 27002 contains a significant number of information security controls arranged into 12 areas, each with its own control objectives. The controls are considered best-practice means of achieving those objectives:

Risk assessment: Includes risk management

Security policy: Management direction and support

Organization of information security: Governance of information security

Asset management: Inventory and classification of information assets

Human resources security: Security aspects for employees joining, moving, and leaving an organization

Physical and environmental security: Protection of the computer facilities

Communications and operations management: Management of technical security controls in systems and networks

Access control: Restriction of access rights to networks, systems, applications, functions, and data

Information systems acquisition, development, and maintenance: Building security into applications

Information security incident management: Anticipating and responding appropriately to information security breaches

Business continuity management: Protecting, maintaining, and recovering business-critical processes and systems

Compliance: Ensuring conformance with information security policies, standards, procedures, guidelines, laws, and regulations

As the title suggests, these are international standards, and as such they have equivalent national standards across the globe: AS/NZS ISO/IEC 27002:2006 in Australia, JIS Q 27002 in Japan, and BS ISO/IEC 27002:2005 in the United Kingdom, to name just a few.

ISO certification is discussed only briefly here, but the standard is perhaps one of the most comprehensive available, and its use will continue to grow. To learn more, visit the ISO website at www.iso.org.

Sample Security Policies on the Internet

The policies presented here are simply one means to meet an organization’s needs; what works well for one organization might not be ideal for another. Thus, you should refer to the following additional resources on security policies:

www.sans.org/reading_room/whitepapers/policyissues/: This site contains articles and papers written by GIAC-certified professionals.

www.ietf.org/rfc/rfc2196.txt: The Site Security Policies Procedure Handbook.

www.assurityriver.com/securityalerts-05052005.shtml: A discussion on why security policies fail.

Some general websites with information security policies include the following:

www.security.kirion.net/securitypolicy/

www.utoronto.ca/security/documentation/policies/policy_5.htm

http://doit.missouri.edu/security/

www.windowsecurity.com/whitepapers/: Microsoft-specific security-related items

https://security.berkeley.edu/policies.html

www.ruskwig.com/security_policies.htm

If you want to be overwhelmed, go to your favorite search engine and search on "security policy templates." When I did it, I got more than 20.9 million results. The information is out there, reader. All you have to do is look.
