Security Policy ISO

I. Introduction

Information security consists mainly of confidentiality, integrity, and availability. Information security policies define the organization's rules and expectations regarding access to, protection of, and accountability for information assets and resources. They are essential for a sound security implementation. Ideally, security policies should be written first and the controls that implement them should follow; in practice, however, this is often not the case. Security policies may be required by government or regulatory bodies and may be essential during a disaster.

They may also provide protection from liability or form the basis for certain security controls. Security policies are considered the highest level of documentation, from which standards, guidelines, and procedures are derived. Higher-level policies are created first, for strategic reasons, and the more tactical elements follow. Several types of policy exist: user policies, physical security policy, authentication and authorization policy, server policies, network policies, coding policies, and legal compliance policy.

By implementing a security policy, an organization can reduce the risks associated with data theft, inappropriate user access, and physical (hardware) compromise. For that to work, every member of the organization, from top management down, must be involved.

II. Security Policy

A security policy can be defined as a written policy outlining the implementation and management of network (organizational) security. Security policies define the rules that regulate how an organization manages and protects its information and computing assets to achieve its security objectives.

Security policies that are documented, well known, and visibly enforced establish expected user behaviour and serve to inform users of their obligations for protecting computing assets. Here "users" include all those who access, administer, and manage the organization's systems and have authorized accounts on them. All of these users play a role in implementing security policy.

Various types of document are used for implementing security policies: standards (mandating the use of specific technologies), guidelines (best practices), procedures (detailed steps to perform a specific task), and baselines (consistent minimum levels of security implementation). A documented security policy contains various types of guidelines and instructions, some of which are given below:

•    Generating and using passwords for authentication purposes.

•    Protecting the privacy of users' personally identifiable information (PII).

•    Defining who has what access rights and privileges to which resources on the network, and why.

•    Performing periodic audits of network security.

•    Handling incidents in which systems are compromised by intruders.

•    Establishing expectations for users regarding system availability.

•    Purchasing policy for security tools, systems, and software.

•    Limiting physical access to computing resources.

•    Reporting violations of the policy and enforcing its provisions.

•    Legal and regulatory issues in which user compliance is required. (Tulloch 2003, pp. 306-307)

Different procedures can be followed to develop a security policy for an organization. A simple procedure that can be used for developing an organization's network security policy is given below.

1)    Form a team that includes IT staff, management, and legal counsel.

2)    Perform an inventory of the organization's security needs, including an audit of its current level of network security.

3)    Weigh the organization's security needs against their likely cost and their effect on the ease of use of the organization's computing resources.

4)    Define the practices needed to meet and maintain the organization's security needs from the perspective of the average user.

5)    Write down the organization's policy in a clearly understandable fashion (plain English).

6)    Review the policy to ensure it can be implemented and enforced in a practical way.

7)    Publish the policy so that users have easy access to it.

8)    Call attention to it on a regular basis and enforce it consistently when violations occur.

9)    Revise the policy periodically after careful review.

(Tulloch 2003, pp. 306-307)

III. Components of Organizational Security Policy

Many kinds of policy component exist, but in general they fall into three types: regulatory, advisory, and informative.

Regulatory: Regulatory policies are security policies that an organization is required to implement because of compliance, regulatory, or other legal requirements. Organizations with a public-interest role usually use regulatory policies, which are detailed and specific to the industry in which the organization operates.

The main purpose of regulatory policies is to ensure that the organization adheres to the standard operating procedures or policies of its industry. Examples of the regulations behind such policies are the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Management Act (FISMA), and the European Community Directive on Personal Data Privacy.

Advisory (organizational requirements): Advisory policies are security policies that are strongly suggested but not mandatory. There may, however, be defined consequences for failing to follow them.

Most organizations will want their personnel to treat these policies as mandatory. This is a broad category into which most policies fall. Prime examples are an Acceptable Use Policy and a Privileged User Policy.

Informative (best practices): Informative policies exist to inform the reader. They contain no specified requirements and are general enough to be distributed to external customers or vendors without compromising confidentiality. Examples in this category are CERT's Home Computer Security guides and Symantec's guides on viruses and worms.

(Student Handbook Modules 1-8)

IV. Importance of Security Policy

Without a policy, an organization faces several kinds of problem. Employees can visit sites that should be restricted in the workplace, for example pornographic sites. Employees can view each other's personal information or logon credentials. The worst case is an employee who leaves the organization and continues to use the access credentials of the previous employer.

Worms, virus-laden messages, and malicious mail can be sent to and opened by the organization's users, affecting the whole organization and sometimes disrupting its entire operation, with major losses. Without a security policy, any employee can see the data of other employees and take advantage of it, or harm other employees and hence the organization. Without a security policy, privacy can be violated. From an administrative perspective, vulnerabilities and network traffic cannot be monitored easily without a network security policy.

Taking these things into consideration, it is necessary to document and implement policies for user roles, physical security, authentication and authorization, servers, network security, coding, and legal compliance.

V. Points of Consideration for Organizational Security Policy

Any security policy must be enforceable if it is to achieve its objectives. In some organizations, the administrators responsible for the technological aspects of information security do not have the authority to enforce security policies.

It is therefore necessary to educate management about security issues and the need for policies in specific topic areas such as acceptable use, and then to obtain a commitment to support the development, deployment, maintenance, and enforcement of those policies. The main characteristics of a sound security policy are described below:

•    Traceable and long-term focus: Policies should remain relevant and applicable for a substantial period of time, until objectives or requirements change.

•    Clearly defined: Policies need to be stated simply and in plain English. Security policies should identify which critical information assets are to be protected and at what level.

•    Involves stakeholders and affected parties: All employees of the organization should be actively involved in implementing security policies effectively.

•    Addresses what, not how: Policies should be stated at the level of principles, objectives, priorities, and strategies. Each policy statement should allow for a range of interpretations and implementations.

•    Realistic: Policies must be realistic, balancing the need for protection against the need for users to be productive without undue barriers, and must be implementable, maintainable, and enforceable at a reasonable cost.

•    Visible and actively enforced, actively trained, and kept up to date.

VI. Conclusion

With the daily advancement of information technology and software, organizations need various types of security policy and should implement them. By implementing a security policy properly, an organization can protect its data and information from people who are not authorized to see them.

In addition, many of the risks and threats from the Internet can be mitigated by implementing a security policy. Therefore security policies should be implemented and updated on a timely basis in any organization.

References

Tulloch, M. (2003). Microsoft Encyclopedia of Security. United States of America: Microsoft Press. pp. 306-307.

Student Handbook Modules 1-8 (2002-2006). Information Security for Technical Staff. CERT Training and Education, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA. pp. 125-150.