In-Depth

Q&A: Security Policy Best Practices

Communication and monitoring are key, but policies must evolve with changing regulations and new technologies

• By Mathew Schwartz
• 03/09/2005

Experts say security managers need to mind the three Ps: people, policies, and procedures. On the policy front, however, it’s not just a matter of rolling out hundreds of security policies on every topic—from acceptable wireless use to required password complexity and acceptable e-mail use.

For policies to function, organizations must tailor them to their environment, then effectively communicate the policies to end users and—often—monitor compliance. Furthermore these policies aren’t static: organizations change, regulations appear and evolve, and new technologies frequently complicate the picture.

To talk about best practices for maintaining effective security policies, Security Strategies spoke with David Lineman, president of Information Shield Inc., which publishes “Information Security Policies Made Easy,” containing over 1,360 policies.

Why publish enormous numbers of security policies?

Our goal for our customer is to basically save [them] money [when] doing security policies and job descriptions—anything that might be judged as painful for the end user. [That includes] things like writing policies; [and] there are a couple of things [there] that are challenging.

First of all it’s pretty rare that you get someone in the organization that’s full-time for writing policies, unless it’s the U.S. federal government. Typically, a company would engage a third-party firm, a consulting company, to come in and do these assessments. …

[Second,] how do you define an organization and assign rules and responsibilities so you don’t have things fall through the cracks? In today’s regulated world, there’s so much more at stake now, throwing [this responsibility] onto the board [of directors], so someone has to do this.

How have best-practices security policies been evolving? What’s changing?

There’s an evolution from a technology perspective. For example, in the next version of the [book], there’s more on wireless, more on outsourcing contracts, and more on data privacy from an employee perspective. So as you go forward, as the technologies emerge, or as trends in business emerge, [the policies change]. For example, trends on pictures with cell phones. Or jump drives—the little 128MB things you can just pop into the side of your computer, and away you go. It’s a big difference from lugging a huge file box past the security guard …

[Then] every so often, we’ll take out policies that no longer seem relevant, or which have been rolled into another one.

What are the standby policies that never get old?

Password controls, access controls, personnel security, background checks, policies for removing people once they leave the company, automatic log-off of terminals, failed log-in attempts. These are all based around the area of access control, but these policies don’t go away, they become more and more important.

Back in the ’60s and ’70s when you had big mainframes and lots of people logging into the mainframe, the one computer could enforce some pretty strong security policies. Now when you have one computer in pretty complex environments … enforcing a strong, consistent security policy is a lot more difficult. A company might run into the problem where they write a policy where they want the password to be eight characters, and of a certain complexity. Well, the problem is you go and look at technology to do that, and it won’t always do that. For example, Sun Solaris … the most popular operating system on Unix until Linux came along, it wouldn’t enforce, out of the box, a password-length or password-complexity rule.

[Now] Sarbanes-Oxley has really highlighted [a problem like] this … We have a control, but we can’t document it, so are we going to document a mitigating control? And how do we mitigate that control, because it’s usually a manual process?

Where do your policies—in “Information Security Policies Made Easy”—come from?

The publications are, in a sense, the conceptualization of the consulting experience of Charles Cresson Wood. He’s been [doing this] for over 20 years …

So [we have] whatever individual policy you might want … such as a sexual harassment policy, or travel policy, or a high-level security policy that could be distributed to everyone in the company …

Your policies are released both as a book and CD-ROM?

Yes. We’ve found a lot of people like to have a book, because it can be a significant amount of reading. “Information Security Policies Made Easy” comes in two parts: 1,300 prewritten policies with commentary, organized around the ISO 17799 framework, then there’s a section that’s basically prewritten, out-of-the-box policies, that … stand alone for companies. You’ve got “company x,” and you can just replace your company name in there. That happens.

Even so, with a binder of security policies, where do organizations start?

Cover the high-level stuff first. The last thing you want to do, especially for companies that start from having no policies—or they’ve been sitting on the shelf and users aren’t aware of them—is go through the ISO guidelines and blast out 1,000 new polices … What usually makes sense is for people to start [with] a light coverage in the area, then as they get comfortable [to introduce more] …

What about actually getting users to follow policies?

The biggest obstacle [is] making sure … that business owners have a stake in policies that will affect them. With Sarbanes-Oxley in the United States, this has taken on a whole new dimension. In one year, every public company has had to go through a process that used to be done just by the information security group. [Executives are used to] having a business to run … and security policies were not on the top of many executives’ mind.

Now with Sarbanes-Oxley, the hammer went in the completely opposite direction, with executives having to sign off on financial statements … It creates a tremendous inter-departmental burden that was never there before. But in a way, Sarbanes-Oxley has moved to legitimate the risk-assessment process that should have been done, but wasn’t always.

Is there still an imperative to tackle some of these policies in organizations not facing regulation?

There’s a lot of data to support—and some lawsuits beginning to surface [about this]—that the security policies are a contract of sorts between the organization and the employees, and with auditors, about what you intend to do. So if you don’t follow them … in the least case, you could be in trouble with auditors.

Or for example, if you say you’ll do e-mail filtering, and you don’t, and something nasty sneaks through, and an employee decides to do something, what will happen?

Typically … with violations of security policies, when it gets to court, the court will ask some simple questions—was security policy a regular part of your day-to-day job, did you follow some kind of standard of due care? And in most cases, especially in the early days, there were cases where they fired someone for doing something blatant—downloading pornography—and [these employees] sued and got reinstated with back pay, because what [courts] found was organizations weren’t diligent about enforcing their polices.

Beyond Sarbanes-Oxley, what’s the next big challenge organizations will face?

The next big wave will be privacy governance … [about] how do I protect information and be aggressive about marketing in a worldwide market, but not violating any laws when I do [this] in a foreign country. Chief privacy officer is a new role that’s starting to show up in a lot of places.

Are you seeing increased attention to privacy at large or small organizations in particular?

It’s across the board. Our company has 50 percent of the Fortune 100 [as customers], but the bulk of customers are small to mid-size companies just looking to get started. Many of the large companies already have a built-in relationship with the Big Four consulting companies, but a lot of times what we’ll see is, they buy the book, then get [assistance from] their consulting company help them.

Related Articles:

Human Error Tops List of Vulnerabilities
http://www.esj.com/security/article.aspx?EditorialsID=920

Best Practices in Security Training
http://www.esj.com/security/article.aspx?EditorialsID=673