Case Studies in Policy Framework Development

This section provides three case studies that help you understand how to develop or implement a policy framework. You will look at cases from the private sector, the public sector, and the critical infrastructure protection area.

Private Sector Case Study

Alberta Health Services established a policy development and document management framework in 2016.1 Its policy framework began with a clear statement of the purpose and mission. The mission statement is:

Alberta Health Services’ (AHS) mission is to provide a patient-focused, quality health system that is accessible and sustainable for all Albertans. The Policy Development Framework and the Policy Development Steps are essential components in achieving this mission. The Policy Development Framework and Policy Development Steps are based on best practices and reflect organizational feedback.

The framework clearly describes processes, stakeholders, and committees that are involved in policy formulation. The framework also identifies principles that guide policy development. Chapter 1 and section C provide step-by-step processes for developing plans for policies, drafting policies, consulting with subject matter experts, and policy approval.

The framework established by Alberta Health Services goes beyond policy creation and approval. It has a whole section on policy implementation, and another on how to review a policy and evaluate its efficacy. Beyond the clarity of its processes, this final step of review and evaluation is worth study and emulation. The framework specifically states, “The review and evaluation process provides a regular opportunity for careful consideration of existing policy documents. The scheduled periodic review period is typically every 3 years, or as directed by the Sponsor or Approval Authority. A policy may be re-confirmed with no changes of content, modified, or a decision may be made that the policy is no longer needed.”

Private Sector Case Study Two

Policy development is an international concern. Thus, it should come as no surprise that frameworks for developing policies can be found around the world. The University of Huddersfield in England published a policy development framework for its 2017/2018 academic year.2 The University of Huddersfield policy framework is less detailed than that of Alberta Health Services, but it does provide the essentials.

The university framework describes a policy owner responsible for the development and dissemination of the policy as well as maintenance and review. This framework also suggests, when needed, consultation with subject matter experts. A large section of the framework is devoted to approval of policies and policy changes. Unlike the Alberta Health framework, this framework has only a small section devoted to compliance.

Public Sector Case Study

This case study is a bit older, but still worthy of study as an example of a policy development framework. In 2006, the State of Tennessee determined the need for a comprehensive information security program. One of the main goals was to protect the state’s revenues, resources, and reputation. The state accomplished this by researching, selecting, and implementing risk management methodologies, security architectures, control frameworks, and security policies.

The policies for Tennessee were based on the ISO/IEC 17799 (now ISO/IEC 27002) standard framework. The policies comply with applicable laws and regulations. The policies in the framework are considered the minimum requirements to provide a secure computing operation for the state.

The framework defines the information security policies for the State of Tennessee and the organizational structure required to communicate, implement, and support these policies. The policy framework was developed to establish and uphold the controls needed to protect information resources against unavailability, unauthorized or unintentional access, modification, destruction, or disclosure.

The policies and framework cover any information asset owned, leased, or controlled by the State of Tennessee. They control the practices of external parties that need access to the State of Tennessee’s information resources. The policies were developed to protect:

  • All state-owned desktop computing systems, servers, data storage devices, and mobile devices
  • All state-owned communication systems, firewalls, routers, switches, and hubs
  • Any computing platforms, operating system software, middleware, or application software under the control of third parties that connect to the State of Tennessee’s computing or telecommunications network
  • All data stored on the State of Tennessee’s computing platforms and/or transferred by the state’s networks

Private Sector Case Study Three

Target is a major retailer with more than 1800 stores in the United States and 133 in Canada. Target employs more than 360,000 people. Since 1962 it has built its reputation as a trusted member of many communities. It’s hard to imagine there’s anyone who grew up in the United States who doesn’t recognize the brand or hasn’t shopped at Target. This case study is a bit dated, but is such a major case as to be worthy of study despite its age.

In December 2013, during a very heavy Christmas selling season, the retailer announced that a data breach had occurred. It included the theft of about 40 million payment card records. Additionally, the breach resulted in the theft of 70 million records containing personal information such as addresses and phone numbers. The cause of the breach was linked to a vendor that had access to Target’s network; that access was the path by which point of sale (POS) devices were infected with malware. The malware ran on thousands of POS systems for weeks before it was discovered. This was one of the largest retail data breaches of its kind.

When the breach was revealed on December 19, the company’s stock dropped 11 percent. The stock price largely rebounded within a few months, but the retailer continued to feel the impact for many months after the breach. In February 2014, Target reported it had incurred $61 million in costs related to the breach. In March 2014, the CIO resigned, and Target announced it would hire a new CIO and, for the first time, a dedicated CSO. Additionally, in March 2014, news stories outlined a lawsuit against Target Corporation and Trustwave Holdings Inc., which provides credit card security services to Target. Two banks sued for “monumental” losses. Some estimate that the losses may have exceeded $1 billion for card issuers and $18 billion for banks and retailers combined.

The stakes are high in the case of such a breach. It may put the very survival of a small or midsize company at risk. Even for a large company, the financial impact can be significant. Most important is the impact on the customer. It may be felt for years, given the potential for identity theft and credit problems.

The public may never know exactly what led to the breach. What is known is that there were serious weaknesses in the information security framework and related controls. Take a look at three major impact areas that a security framework, if well implemented, should have addressed:

  1. The lack of a dedicated CSO
  2. Lack of vendor access management
  3. Lack of network POS controls

With no dedicated chief security officer, information security leadership responsibility was spread around the organization, with the CIO responsible for execution.

This lack of a dedicated CSO created an inherent conflict of interest. The CIO in effect had to wear two hats: one to deliver the latest technology to drive sales throughout the store, and the other to protect the security interests of the customers and the company. All CIOs have this challenge of balance. The difference is that within a large organization, the CSO has a seat at the executive table and can challenge CIO decisions. Full-time CSOs can immerse themselves in the information security discipline. That includes gaining a deeper appreciation of emerging security risks than a CIO can typically achieve.

Vendor access must be limited and monitored, and that requires it to be managed as a distinct category of access. If, in fact, a vendor was the source of the malware infection of the POS network, that indicates a failure to manage vendors and their access. In an ideal world, the breach of a vendor system or account should not lead to a breach of an organization’s systems. Vendor accounts and connections should be tightly controlled: restricted to the specific systems the vendor supports, and nothing else. At a minimum, a breach that arrives through a vendor should be detected and stopped from spreading. But neither preventive nor detective controls seemed to work in this case.

It’s fair to conclude that the network for the POS devices was not segmented effectively. Effective segmentation would have offered several key advantages. It limits which hosts can reach the devices, which reduces the likelihood of malware infection in the first place. It allows a network to be purpose built, meaning that its traffic is predictable and can be monitored closely enough to detect unusual activity such as that of malware. Segmentation also limits egress traffic. This means that even when a malware infection occurs, the information it captures cannot simply leave the network for an attacker-controlled host. This layered approach, in which segmentation both prevents and exposes unwanted traffic, provides a strong security control.
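The vendor-access and segmentation points above come down to one discipline: every segment has an explicit allow-list, everything else is denied, and a denied flow that touches the POS or vendor segment is treated as an alert rather than silently dropped. The following is an added example, not code from the original text and not a description of Target's actual network; the segment names, address ranges, hosts, and sample flows are all constructed for illustration. It evaluates a batch of flows against such a policy and shows that the card-authorization traffic a register legitimately needs is allowed, while a register reaching an outside host (the exfiltration step) and a vendor jump host reaching a register (the lateral-movement step) are both denied and flagged.

```python
"""Default-deny segmentation policy for a point-of-sale (POS) network.

Added example. All segments, ranges and flows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segment layout (hypothetical ranges).
SEGMENTS = {
    "pos":      ip_network("10.10.0.0/16"),  # registers and store controllers
    "payments": ip_network("10.20.0.0/24"),  # payment gateway / tokenization
    "vendor":   ip_network("10.30.0.0/24"),  # jump hosts third parties land on
    "corp":     ip_network("10.40.0.0/16"),  # back office, building systems
}

# Explicit allow-list as (source segment, destination segment, ports).
# Anything not listed here is denied, so the POS segment can reach the
# payment gateway on 443 and nothing else, and no segment can initiate
# a connection into POS.
ALLOW = (
    ("pos",    "payments", {443}),  # card authorization traffic only
    ("vendor", "corp",     {443}),  # vendor jump host to the systems it supports
    ("corp",   "payments", {443}),
)

# A denied flow leaving these segments is a high-severity event: a register
# or a vendor host talking where it should not is exactly what POS malware
# or a misused vendor account looks like.
WATCHED_SOURCES = {"pos", "vendor"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Verdict:
    action: str        # "allow" or "deny"
    src_segment: str
    dst_segment: str
    alert: bool        # True when a deny should page someone


def segment_of(addr: str) -> str:
    """Map an address to its segment; anything outside them is 'internet'."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


def evaluate(flow: Flow) -> Verdict:
    """Default deny: allow only flows that match an ALLOW entry exactly."""
    src, dst = segment_of(flow.src), segment_of(flow.dst)
    for rule_src, rule_dst, ports in ALLOW:
        if src == rule_src and dst == rule_dst and flow.dport in ports:
            return Verdict("allow", src, dst, alert=False)
    # Denied traffic out of a watched segment, or into POS, is alert-worthy.
    return Verdict("deny", src, dst, alert=(src in WATCHED_SOURCES or dst == "pos"))


def audit(flows: list[Flow]) -> tuple[list[Verdict], list[tuple[Flow, Verdict]]]:
    """Evaluate a batch of flows; return all verdicts and the alerting subset."""
    verdicts = [evaluate(f) for f in flows]
    alerts = [(f, v) for f, v in zip(flows, verdicts) if v.alert]
    return verdicts, alerts


# Constructed sample traffic, in the order a compromise would produce it.
SAMPLE_FLOWS = [
    Flow("10.10.4.21", "10.20.0.5",   443),  # register -> payment gateway (legit)
    Flow("10.10.4.21", "203.0.113.7",  80),  # register -> outside host (exfil attempt)
    Flow("10.30.0.9",  "10.10.4.21",  445),  # vendor jump host -> register (lateral move)
    Flow("10.30.0.9",  "10.40.12.3",  443),  # vendor jump host -> supported corp system
    Flow("10.40.12.3", "10.10.4.21",   22),  # back office -> register (not allowed)
]

if __name__ == "__main__":
    verdicts, alerts = audit(SAMPLE_FLOWS)
    for f, v in zip(SAMPLE_FLOWS, verdicts):
        flag = "  ALERT" if v.alert else ""
        print(f"{v.action:5} {v.src_segment:>8} -> {v.dst_segment:<8} "
              f"{f.src} -> {f.dst}:{f.dport}{flag}")
    print(f"{len(alerts)} of {len(verdicts)} flows require investigation")
```

The same allow-list is what a firewall or ACL between the segments would enforce; the value of keeping it this small is that a register's legitimate traffic fits in one line, so anything else it sends is by definition suspicious and can be alerted on, which is the detective control the paragraph above says was missing.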

The public may never know for sure what happened in the case of the Target breach. But it’s clear that these controls, which are part of most large-company security frameworks, either did not exist or were not effectively implemented.
