[ISN] 10 steps to a successful security policy

From: InfoSec News (isn@private)
Date: Wed Oct 15 2003 - 01:22:17 PDT


    Forwarded from: William Knowles <wk@private>
    
    http://www.computerworld.com/securitytopics/security/story/0,10801,85583,00.html
    
    Advice by Adrian Duigan, NetIQ
    OCTOBER 08, 2003 
    COMPUTERWORLD
    
    There are two parts to any security policy. One deals with preventing
    external threats to maintain the integrity of the network. The second
    deals with reducing internal risks by defining appropriate use of
    network resources.
    
    Addressing external threats is technology-oriented. While there are
    plenty of technologies available to reduce external network threats --
    firewalls, antivirus software, intrusion-detection systems, e-mail
    filters and others -- these controls are mostly implemented by IT
    staff and are largely invisible to users.
    
    However, appropriate use of the network inside a company is a
    management issue. Implementing an acceptable use policy (AUP), which
    by definition regulates employee behavior, requires tact and
    diplomacy.
    
    At the very least, having such a policy can protect you and your
    company from liability if you can show that any inappropriate
    activities were undertaken in violation of that policy. More likely,
    however, a logical and well-defined policy will reduce bandwidth
    consumption, maximize staff productivity and reduce the prospect of
    any legal issues in the future.
    
    These 10 points, while certainly not comprehensive, provide a
    common-sense approach to developing and implementing an AUP that will
    be fair, clear and enforceable.
    
    
    1. Identify your risks
    
    What are your risks from inappropriate use? Do you have information
    that should be restricted? Do you send or receive a lot of large
    attachments and files? Are potentially offensive attachments making
    the rounds? It might be a nonissue. Or it could be costing you
    thousands of dollars per month in lost employee productivity or
    computer downtime.
    
    A good way to identify your risks can be through the use of monitoring
    or reporting tools. Many vendors of firewalls and Internet security
    products allow evaluation periods for their products. If those
    products provide reporting information, it can be helpful to use these
    evaluation periods to assess your risks. However, it's important to
    ensure that your employees are aware that you will be recording their
    activity for the purposes of risk assessment, if this is something you
    choose to try. Many employees may view this as an invasion of their
    privacy if it's attempted without their knowledge.
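    As an added illustration of the kind of reporting the previous paragraph
    recommends (this is example code, not part of the article and not a NetIQ
    product), the following script totals bytes per user, flags large transfers
    and tallies downloaded file types from a Web-proxy log. It assumes the
    Squid "native" access.log layout; the log lines, the user names, the
    10 MB threshold and the list of "risky" extensions are all constructed
    for the example and should be adjusted to your own environment.

```python
"""Assess acceptable-use risk from a Web-proxy log (added example, not from the article).

Reads Squid native access.log lines, totals bytes per user, flags large
transfers and tallies downloaded file types, so you can see whether large
or risky downloads are actually a problem before writing rules about them.
"""
import os
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample lines (not real traffic) in Squid native log format:
# timestamp elapsed client action/status bytes method URL user peer content-type
SAMPLE_LOG = """\
1065600001.123    245 10.0.0.5 TCP_MISS/200 15234 GET http://intranet.example/index.html alice DIRECT/10.1.1.1 text/html
1065600002.456   9876 10.0.0.5 TCP_MISS/200 52428800 GET http://files.example/quarterly.zip alice DIRECT/10.1.1.2 application/zip
1065600003.789    120 10.0.0.7 TCP_MISS/200 734003 GET http://pics.example/funny.exe bob DIRECT/10.1.1.3 application/octet-stream
1065600004.012     80 10.0.0.7 TCP_MISS/403 512 GET http://blocked.example/ bob DIRECT/10.1.1.4 text/html
1065600005.345   3210 10.0.0.9 TCP_MISS/200 20971520 GET http://video.example/clip.mpg - DIRECT/10.1.1.5 video/mpeg
this line is garbage and should be skipped
"""

# Assumed thresholds for the example; tune these to your own risk assessment.
LARGE_THRESHOLD = 10 * 1024 * 1024
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".vbs")


def parse_line(line):
    """Parse one Squid native access.log line; return None if it cannot be parsed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        timestamp = float(fields[0])
        size = int(fields[4])
    except ValueError:
        return None
    action, _, status = fields[3].partition("/")
    return {
        "ts": timestamp,
        "client": fields[2],
        "action": action,
        "status": status,
        "bytes": size,
        "method": fields[5],
        "url": fields[6],
        # Squid logs "-" when no proxy authentication took place.
        "user": fields[7] if fields[7] != "-" else "(unauthenticated)",
        "content_type": fields[9],
    }


def file_extension(url):
    """Lower-cased extension of the URL path, or "(none)" for directory URLs."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    return ext or "(none)"


def assess(log_text, large_threshold=LARGE_THRESHOLD, risky_exts=RISKY_EXTENSIONS):
    """Summarise a log: bytes per user, file types, large and risky downloads."""
    bytes_by_user = defaultdict(int)
    ext_counts = Counter()
    large, risky, skipped = [], [], 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            skipped += 1  # count rather than crash on malformed lines
            continue
        bytes_by_user[rec["user"]] += rec["bytes"]
        ext = file_extension(rec["url"])
        ext_counts[ext] += 1
        if rec["bytes"] >= large_threshold:
            large.append((rec["user"], rec["url"], rec["bytes"]))
        # Only successful (200) fetches of risky types actually reached a desktop.
        if ext in risky_exts and rec["status"] == "200":
            risky.append((rec["user"], rec["url"]))
    return {
        "bytes_by_user": dict(bytes_by_user),
        "extensions": dict(ext_counts),
        "large_transfers": large,
        "risky_downloads": risky,
        "skipped_lines": skipped,
    }


def format_report(summary):
    """Render the summary as plain text for a risk-assessment write-up."""
    lines = ["Bytes by user:"]
    for user, total in sorted(summary["bytes_by_user"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {user:20s} {total / (1024 * 1024):8.1f} MB")
    lines.append(f"Large transfers (>= {LARGE_THRESHOLD // (1024 * 1024)} MB): "
                 f"{len(summary['large_transfers'])}")
    for user, url, size in summary["large_transfers"]:
        lines.append(f"  {user} {url} ({size} bytes)")
    lines.append(f"Risky downloads: {len(summary['risky_downloads'])}")
    for user, url in summary["risky_downloads"]:
        lines.append(f"  {user} {url}")
    lines.append(f"Unparsable lines skipped: {summary['skipped_lines']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(assess(SAMPLE_LOG)))
```

    Run it against a real access.log (for example by replacing SAMPLE_LOG
    with the file contents) only after staff have been told that their
    activity is being recorded for the assessment, as the article advises.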
    
    
    2. Learn from others
    
    There are many types of security policies, so it's important to see
    what other organizations like yours are doing. You can spend a couple
    of hours browsing online, or you can buy a book such as Information
    Security Policies Made Easy by Charles Cresson Wood, which has more
    than 1,200 policies ready to customize. Also, talk to the sales reps
    from various security software vendors. They are always happy to give
    out information.
    
    
    3. Make sure the policy conforms to legal requirements
    
    Depending on your data holdings, jurisdiction and location, you may be
    required to conform to certain minimum standards to ensure the privacy
    and integrity of your data, especially if your company holds personal
    information. Having a viable security policy documented and in place
    is one way of mitigating any liabilities you might incur in the event
    of a security breach.
    
    
    4. Level of security = level of risk
    
    Don't be overzealous. Too much security can be as bad as too little.  
    You might find that, apart from keeping the bad guys out, you don't
    have any problems with appropriate use because you have a mature,
    dedicated staff. In such cases, a written code of conduct is the most
    important thing. Excessive security can be a hindrance to smooth
    business operations, so make sure you don't overprotect yourself.
    
    
    5. Include staff in policy development
    
    No one wants a policy dictated from above. Involve staff in the
    process of defining appropriate use. Keep staff informed as the rules
    are developed and tools are implemented. If people understand the need
    for a responsible security policy, they will be much more inclined to
    comply.
    
    
    6. Train your employees
    
    Staff training is commonly overlooked or underappreciated as part of
    the AUP implementation process. But, in practice, it's probably one of
    the most useful phases. It not only helps you to inform employees and
    help them understand the policies, but it also allows you to discuss
    the practical, real-world implications of the policy. End users will
    often ask questions or offer examples in a training forum, and this
    can be very rewarding. These questions can help you define the policy
    in more detail and adjust it to be more useful.
    
    
    7. Get it in writing
    
    Make sure every member of your staff has read, signed and understood
    the policy. All new hires should sign the policy when they are brought
    on board and should be required to reread and reconfirm their
    understanding of the policy at least annually. For large
    organizations, use automated tools to help electronically deliver and
    track signatures of the documents. Some tools even provide quizzing
    mechanisms to test users' knowledge of the policy.
    
    
    8. Set clear penalties and enforce them
    
    Network security is no joke. Your security policy isn't a set of
    voluntary guidelines but a condition of employment. Have a clear set
    of procedures in place that spell out the penalties for breaches in
    the security policy. Then enforce them. A security policy with
    haphazard compliance is almost as bad as no policy at all.
    
    
    9. Update your staff
    
    A security policy is a dynamic document because the network itself is
    always evolving. People come and go. Databases are created and
    destroyed. New security threats pop up. Keeping the security policy
    updated is hard enough, but keeping staffers aware of any changes that
    might affect their day-to-day operations is even more difficult. Open
    communication is the key to success.
    
    
    10. Install the tools you need
    
    Having a policy is one thing; enforcing it is another. Internet and
    e-mail content security products with customizable rule sets can
    enforce the parts of your policy that can be expressed as technical
    rules, such as limits on attachment types and sizes or on categories
    of Web sites. The investment in tools to enforce your security policy
    is probably one of the most cost-effective purchases you will ever
    make.
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Oct 15 2003 - 03:58:51 PDT