Information Security Management
Governance, policies, and things of that ilk
Electronic information and automated systems are essential to virtually all businesses and other organizations throughout the world. If organizations cannot protect the availability, integrity, and, in some cases, the confidentiality, of this information, their ability to carry out their missions will be severely impaired. However, despite the enormous dependence on electronic information and systems, audits continue to disclose serious information security weaknesses. As a result, billions of dollars in commercial and public assets are at risk of loss, vast amounts of sensitive data are at risk of inappropriate disclosure, and critical computer-based operations are vulnerable to serious disruptions.
In too many organizations senior executives are just beginning to recognize the significance of these risks and to fully appreciate the importance of protecting their information resources… and the need to establish a management framework for more effective information security programs.
What is “governance”?
The Report of the Committee on the Financial Aspects of Corporate Governance (Cadbury Report, 1992) focused global thinking on the issue of governance. While the report is aimed at financial reporting and auditing, it alludes to wider concepts of governance. It recommends openness, integrity and accountability to improve standards of corporate behaviour, strengthening controls over enterprises and their public accountability while retaining the essential spirit of enterprise. It identifies various board governance responsibilities, such as setting strategic aims, providing leadership, supervising management, and reporting to shareholders on their stewardship. That stewardship is extending to IT as boards investigate the depth of their enterprise’s reliance on IT. Information technology, long considered solely an enabler of an enterprise’s strategy, is now regarded as an integral part of that strategy.
CEOs, CFOs, and CIOs alike agree that strategic alignment between IT and enterprise objectives is a critical success factor. IT governance helps ensure achievement of this critical success factor by efficiently and effectively deploying secure, reliable information and applied technology. IT governance is a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes. The relationships are between management and its governing body. The processes cover setting objectives, giving direction on how to attain them and measuring performance.
Executive management has a responsibility to ensure that the organization provides all users with a secure information systems environment. Furthermore, organizations need to protect themselves against the risks inherent in the use of information systems while simultaneously recognising the benefits that can accrue from having secure information systems. Thus, as dependence on information systems increases, so too does the criticality of information security, bringing with it the need for effective information security governance.
[Adapted from ITGI documentation.]
What are “policies”?
Policy means different things to different people… In the context of information security management, a policy is a document that states management commitment and sets out the organization’s approach to managing information security: its goals; managers’ and users’ responsibilities; the rules and practices that specify or regulate how the organization provides security services to protect sensitive and critical system resources.
For a policy to be effective, it must fit the unique culture and environment of the organization – there is simply no such thing as a “one size fits all” policy… although there are things that all good policies have in common!
According to BS ISO/IEC 17799:2000, a policy must be published throughout the organization and should include at least the following:
- A definition of information security, its overall objectives and scope, and the importance of security as an enabling mechanism.
- A statement of management intent, supporting the goals and principles of information security.
- A brief explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, for example:
  - compliance with legislative and contractual requirements;
  - security education requirements;
  - prevention and detection of viruses and other malicious software;
  - business continuity management;
  - consequences of security policy violations.
- A definition of general and specific responsibilities for information security management, including reporting security incidents.
- References to documentation which may support the policy, e.g. issue-specific and system-specific policies; standards; guidelines.
Some of the other resources listed below can help too, especially:
- NIST SP 800-12, Computer Security Handbook
- NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
- ISO/IEC TR 13335, Information technology – Guidelines for the management of IT Security (GMITS)
A good document of any type should be accurate, brief, and clear (ABC!). A good policy should be all these things… and more besides:
- Realistic. To be effective a policy must be seen to be relevant to everyone’s work environment – not some ivory tower!
- Up to date. A policy must be periodically reviewed and revised as necessary to reflect changes in the organization’s structure, business, and technology… but not so frequently that the changes become confusing. However, any significant change in these may prompt an additional review.
- General. A policy should be based on key principles that cover all aspects of information security throughout the organization.
- Concise. A policy should briefly describe the organization’s security goals, the security services that should be provided, and management and users’ responsibilities. It should not specify technologies, methodologies, configurations, etc. – this is the province of standards and guidelines. Policy, standards, and guidelines should not be intertwined in a single, rambling document. But meaningful links between “policy” and “standards and guidelines” documents are desirable, and especially powerful if the policy is published on the organization’s intranet.
- Accessible. Management and users must have easy and free access to the policy. If the policy is published as a printed document, a copy must be available to all users in each organizational unit. If it’s published on the organization’s intranet, which is a great idea, it should be accessible directly from the home page.
- Informative. A good policy educates its intended audience. An indication of why something is the way it is will aid understanding (and, hence, acceptance and compliance).
- Targeted. A policy should be structured so that management and users can easily find the parts pertinent to them.
- Well marketed. However well a policy meets the criteria above, it cannot be effective if no one reads it. A policy must be marketed within the organization to ensure that management and users understand the importance of compliance and the cost of failure.
- Supported by management. A policy will be endorsed by executive management, but all tiers of management must demonstrate their commitment and set an example to users in their organizational units.
- Persuasive. A policy is not a stick to beat people with. Although it certainly should indicate what breaches might be treated as disciplinary offences, the tone should be cooperative. A hostile or authoritarian attitude can only cause resistance and resentment.
Ravi Sandhu notes that security policy is one of four layers of the security engineering process (as shown in the following diagram). Each layer provides a different view of security, ranging from what services are needed to how services are implemented.
What are “standards” and “guidelines”?
Because policy is – or should be! – written at a broad level, organizations also develop standards and guidelines that offer users, managers, and others a clearer approach to implementing policy and meeting organizational goals. Standards and guidelines specify technologies and methodologies to be used to secure systems. They may be promulgated throughout an organization in a handbook of some kind or, increasingly, via an intranet.
Standards (i.e., organizational standards, rather than national or international standards) specify uniform use of specific technologies, parameters, or procedures when such uniform use will benefit an organization. Standardization of organization-wide identification badges is a typical example, providing ease of employee mobility and automation of entry/exit systems. Standards are normally compulsory within an organization.
Guidelines assist users, systems personnel, and others in effectively securing their systems. The nature of guidelines, however, immediately recognizes that systems vary considerably, and imposition of standards is not always achievable, appropriate, or cost-effective. For example, an organizational guideline may be used to help develop system-specific standard procedures. Guidelines are often used to help ensure that specific security measures are not overlooked, although they can be implemented, and correctly so, in more than one way.
Last updated Friday 15 July 2005 – Copyleft & Creative Commons (cc) 2000–2005 Ant – Disclaimer
URL: http://homepage.mac.com/antallan/ism.html