CHAPTER 46


DEVELOPING SECURITY POLICIES

M. E. Kabay


    1. INTRODUCTION. This chapter reviews methods for developing security policies. Some of the other chapters of this Handbook that bear on policy content, development, and implementation are as follows:


      image Chapter 15 provides an extensive overview of physical security policies. image Chapter 18 discusses local area network security issues and policies.

      image Chapter 25 reviews software development policies and quality assurance policies.


      image Chapter 28 presents principles, topics, and resources for creating effective security policy guidelines.


      image Chapter 29 looks at methods for enhancing security awareness.

      image Chapter 31 provides guidance on employment policies from a security standpoint. image Chapter 32 makes explicit recommendations about operations management policies. image Chapter 33 reviews specific recommendations for e-mail and Internet usage.

      image Chapter 35 presents concepts and techniques from social psychology to make security policy implementation more effective.


      image Chapter 39 discusses the policies that apply to application design. image Chapter 51 looks at censorship and content filtering on the Internet.

    2. COLLABORATING IN BUILDING SECURITY POLICIES. Policies are the foundation of effective information security, but the task of policy creation is complicated by human and organizational resistance. Technology alone does not work. In changing human behavior, rationality and substance are not enough: The process of development affects how people feel about policies and whether they see these rules as needless imposition of power or an expression of their own values.


      Security is always described as being everyone's business; however, in practice, security interferes with everyone's business. For example, network managers work hard to make networks user-friendly. They do everything they can to make life easier for users; they provide network access routines with a graphical user interface, client-server systems with hot links between local spreadsheets and corporate databases, and a gateway to the Internet for the engineering users. Superficially, one might think that implementing network security would

      simply involve defining access controls, applying encryption, and providing people with hand- held password generators. Unfortunately, as discussed in Chapter 35, security policies offend deep-seated self-conceptions. People form close-knit work groups in which people trust each other; they do not lock their desks when they leave them for a few minutes, so why should they obey the network security policy that dictates locking their sessions? They even lend people car keys in an emergency; why should it be such a terrible breach of security to lend access codes and passwords to trusted colleagues in an emergency?


      Security policies challenge users to change the way they think about their own responsibility for protecting corporate information. Attempting to impose security policies on unwilling people results in resistance both because more stringent security procedures make people's jobs harder, and because people do not like being told what to do—especially by security officials perceived as being outside the chain of command.


      The only approach that works in the long run is to present security to everyone in the organization in a way that causes them to recognize that they, personally and professionally, have a stake in information protection. Security managers, to be successful, must involve employees from throughout the enterprise in developing security policies. Users must justifiably feel that they own their security procedures; employees with true involvement in the policy development process become partners rather than opponents of effective security.


    3. PHASE 1: PRELIMINARY EVALUATION. Studies of the extent to which information security policies are in place consistently show that relatively few of the respondents have adequate policies in place. For example, the 2000 Global Security Survey run by InformationWeek and PricewaterhouseCoopers interviewed 4,900 executives, security professionals, and technology managers about their organization’s security policies. According to the report, “only 38% of the respondents say their security policies are very well aligned with

      their business goals. Forty-five percent say their security policies are somewhat aligned with business goals, and 17% say the two don't mesh at all.”1 In other words, almost two-thirds of the organizations represented had inadequate security policies.


      In what follows, it is assumed that a specific officer or manager (or group of officers or managers) in the enterprise have taken on the task of developing security policies. The group will be called the policy development group.


      Before attempting to formulate policies, the policy development group needs formal authorization to use corporate resources in such a project. It should not be too difficult to obtain a short memorandum from top management to everyone in the organization that lays out the reasons for asking for their time and energy in gathering information about the current state of security. Such authorization and continuing top-level support are essential tools in convincing people to cooperate with the policy development group.


      In the absence of existing or adequate security policies, a preliminary inventory is the first step in providing upper management with the baseline information that will justify developing a corporate information security policy. The preliminary evaluation should be quick and inexpensive—perhaps days of work by a few people. There is no point in wasting time in expensive detail work before getting approval, support, and budget from upper management.

      The goal of the preliminary evaluation is to ask the people who work with information resources what they believe are their most important security needs. Even though they may not be conscious of security as a distinct need, in practice employees and managers do have valuable insights that transcend theory and generalizations. Data entry clerks may tell the security staff about security violations that no one else has observed or even thought about; for example, they may observe that a bug in a particular program makes the previous operator’s data entry screen available for unauthorized entries when the shift changes and a new operator sits at the same terminal.


      The policy development group should work closely with the human resources (HR) personnel in developing the research instruments for interviewing staff. The HR staff members are likely to know the key managers to contact in each department. The managers have to be convinced to support the effort so researchers can interview willing staff. Some of the HR people are likely to have the professional skills and experience required to provide accurate and cost-effective evaluations of beliefs, attitudes, and behavior affecting security. They may be able to help construct unbiased questionnaires, organize focus groups, and guide interviews.


      However, if the security staff and the HR staff are not confident about being able to handle this preliminary data collection, the policy development group should see if it can obtain authorization to hire a consultant with proven expertise in collecting and analyzing social attitudes. The policy development group might want to discuss such a study with a firm specializing in security audits and organizational analysis. If no one knows where to start looking for such resources, the policy development group can contact information security associations, security magazines, security Web sites, and local universities and colleges to ask for suggestions.


      The following key issues should be part of the preliminary study: image Introduction to the study

      image State of current policy

      image Data classification image Sensitive systems image Critical systems image Authenticity

      image Exposure

      image

      image Human resources, management, and employee security awareness image Physical security

      Software development security

      image Computer operations security image Data access controls

      image Network and communications security image Antimalware measures

      image Backups, archives, and data destruction


      image

      Business resumption planning and disaster recovery


      The following sections suggest some typical questions that would be helpful in gathering baseline data about the current state of security. All these questions (and more site-specific topics) should be asked of all the respondents in the preliminary evaluation. Applicable questions are not necessarily repeated in each section; instead, questions in the earlier parts of this list may be adapted for use in later sections. These suggestions are not intended to limit creativity but rather to stimulate development of more questions that would be particularly useful for a specific enterprise.


      1. Introduction to the Study. Employees may perceive many of the following questions as threatening. The preamble or introduction to the study, whether it is by survey or by interviews, should make it clear that this is not an audit or an attempt to punish people. The information should be anonymized so that no person will be targeted for reprisal if the study discovers problems. Every effort should be made to reassure employees that the study is designed to learn about the facts of security with a view to improvement rather than a search for culprits who will be punished.


      2. State of Current Policy. The questions that follow not only gather baseline information about security policies but also determine whether employees have any idea about who is responsible for formulation of those policies.


        image Does the enterprise have any security policies at all? image Who developed them? An individual? A group?

        image Where and how are the security policies available (paper, electronic)? image When were the policies last updated? Last disseminated?

        image Who, if anyone, has explicit responsibility for maintaining security policies? image Who implements security policy at the enterprise level?

        image To whom does the chief information security officer report within the enterprise?


        image

        Who monitors compliance with security policies, standards, and compliance?

      3. Data Classification. Questions to ask include:


        image Are there levels of security classification that apply to your work? If so, what are they called?


        image Are there rules for determining whether information you handle should be classified at a particular level of confidentiality?


        image Are documents or files labeled to show their security classification? image What is your opinion about the value of such classification?

        image Do people in your group pay attention to security classifications?

        image Do you have any suggestions for improvement of how data are classified?

      4. Sensitive Systems. The questions in this section focus on information that ought to be controlled against unauthorized disclosure and dissemination.


        image In your work, are there any kinds of information, documents, or systems that you feel should be protected against unauthorized disclosure? If so, name them.


        image How do you personally protect sensitive information that you handle?

        image How do others in your department deal with sensitive information? No names, please.


        image To your knowledge, have there been any problems with release of sensitive information in your department?


        image Do you have any suggestions for improving the handling of sensitive data in your area?

      5. Critical Systems. The questions in this section focus on information that requires special attention to availability and correctness.


        image In your work, are there any kinds of information, documents, or systems that you feel are so critical that they must be protected against unauthorized modification or destruction? If so, name them.


        image Are there any special precautions you use or know of to safeguard critical data in your area?


      6. Authenticity. Questions to ask include:


        image Do you know of any cases in which anyone has used someone else’s identity in sending out messages such as letters, faxes, or e-mail? If so, were there any consequences?


        image

        Does anyone in your group use digital signatures on electronic documents?

        image Does anyone in your group make or use unauthorized copies of proprietary software? If so, do you think there is any problem with that?


      7. Exposure. Questions to ask include:


        image What are the worst consequences you can realistically imagine that might result from publication of the most sensitive information you control in the newspapers?


        image What might happen, in your opinion, if key competitors obtained specific confidential information that you use or control in your area?


        image Can you estimate monetary costs associated with the scenarios you have described above?


        image What would be the worst consequences you can foresee if critical information you work with were altered without authorization or through accidental modification?


        image What might happen if you could not access critical information quickly enough for your work?


        image Can you estimate the costs of such breaches of data integrity and data availability?

        image Could there be trouble if someone forged documents in your name or in the enterprise’s name? Can you sketch out some scenarios and associated costs resulting from such breaches of authenticity?


      8. Human Resources, Management, and Employee Security Awareness. For additional ideas in framing questions about security awareness, see Chapter 29. For ideas on appropriate questions dealing with employment practices and policies, see Chapter 31.


        image As far as you know, who is responsible for developing security policies? image Do you know where to find the security policies that apply to your work?

        image When, if ever, did you last sign any documents dealing with your agreement to security policies?


        image Who is responsible for monitoring compliance with security policy in your work group?

        In the enterprise as a whole?


        image Have you ever received any training in security policies? If so, when was the last time?


        image Have you ever seen any written materials circulating in your work group that discuss information security?


        image

        Do you think of protecting corporate information as one of your official responsibilities?

      9. Physical Security. For more detail about physical security and additional ideas on appropriate questions, see Chapters 14 and 15.


        image Does anyone check your identity when you enter the building where you work?

        image Are there any electronic access-control systems limiting access to your work area? What are they?


        image Do people hold a secured door open to let each other into your work area? Do you let people in after you open a secured door?


        image Have you ever seen a secured door into your area that has been blocked open (e.g., for deliveries)?


        image Do people leave your work area unlocked when everyone leaves?


        image Do staff members wear identity badges at work? Are they supposed to? Do you wear your badge at work?


        image Do visitors wear badges?

        image Have you ever seen strangers in your area who are not wearing visitor badges?


        image What would you do if you saw a stranger in your area who was not wearing a visitor’s badge?


        image Do you lock any parts of your desk when you leave your workspace? image What would you do if you heard the fire alarm ring?

        image Where is the nearest fire extinguisher? image Who is the fire marshal for your floor?

        image What would you do if someone needed emergency medical attention? image Is there an emergency medical station in your area or on your floor?

        image Do you know who is qualified in cardiopulmonary resuscitation (CPR) in your group or on your floor? Do such people wear identifying pins?


        image Have you had recent training in what to do in the event of an emergency? Have you been trained in how to evacuate the building?


        image Is there anything that comes to mind that you would like to see to improve physical security and safety in your work area?

      10. Software Development Security. The following questions would be asked only of the software development team. For much more information suitable for devising questions about development security, see Chapter 25.


        image Are there any security policies that apply to your work? What are they? image Have you ever discussed security policies in your group?

        image Is security viewed positively, neutrally, or negatively in your group? And by yourself?


        image Do you and your colleagues discuss security during the requirements analysis and specification phases when developing software?


        image How do you see quality assurance as part of the development process? image Do you use automated software testing tools?

        image Tell us about version control in your group. Do you use automated version control software?


        image How do you document your systems?


        image Do you think that your source code is adequately protected against unauthorized disclosure and modification?


        image What is your opinion about Easter eggs (unauthorized code for an amusing picture or game)?


        image Could anyone plant an Easter egg or a logic bomb (unauthorized, harmful functions) in code being developed in your group?


        image Have you ever seen an Easter egg or a logic bomb in code from your group? Did it get through to production?


        image Can you think of ways you would like to see better security in your work?

      11. Computer Operations Security. The following questions would be asked only of the computer operations team. For more information suitable for devising questions about operations security, see Chapter 32.


        image How long do you wait after initial release before installing new operating system versions on your production machines?


        image How do you put new software into production?

        image Can development personnel access production software? Production data?


        image

        How do you handle problem reports? Do you have an automated trouble-ticket system?

        image Can people from outside the operations group enter the operations center?

        image Are contractors, including repair technicians, allowed to circulate in operations without being accompanied?


        image Do cleaning staff ever circulate within the secured areas of operations without operations staff present?


        image Are system components labeled?

        image Is there an emergency cutoff switch for main power to the entire data center? Does it include air conditioning?


        image Are there uninterruptible power supplies for critical components of your systems?


        image Do you keep records of system downtime? What is your downtime over the last three months? The last year?


        image What accounts for most of the downtime?


        image Who monitors system resource utilization? Are there automated reports showing trends in disk space usage? CPU utilization? Network bandwidth usage?


        image

        What improvements in security would you like to see in operations?


      12. Data Access Controls. For additional ideas on looking at identification and authentication, see Chapter 16.


        image Do you have to identify yourself to the computers and networks you work with? image Do you have a user name (ID) that no one else shares?

        image Are you required to use a password, passphrase, or personal identification number (PIN) as part of your routine when starting to use your computer?


        image Have you ever shared your unique user ID and password or PIN with someone else? Or have you borrowed someone else’s user ID and password to get some work done? If so, how often does this happen?


        image Do you use a token, such as a physical key or a smart card, to prove who you are to the computer system? If so, have you ever lent or borrowed such tokens? What for? How often?


        image

        image In your work, are there any limitations on the data you are allowed to work with? image Are there data you can see but not change?

        Do you use encryption on any of the data you work with?

        image Do you or members of your group use laptop computers? If so, do you encrypt sensitive data on the disks of those portable systems?


        image Do you or anyone in your group take work home? If so, do you put corporate data on your own, personal (noncompany) computers? Does anyone else have access to those computers? Are there any controls on accessing corporate data on the home computers?


      13. Network and Communications Security. Most of the following questions would be appropriate only for network managers, administrators, and technicians. However, some of the questions are suitable for everyone. For more ideas to help in developing detailed technical questions, see Chapters 8, 17, 18, 19, 20, 21, and 22.


        image As a user, do you know what the rules are about using your employer’s e-mail system and Internet access?


        image Do you know anyone who regularly violates system usage restrictions? No names, please.

        image Have you ever seen pornography on corporate systems? Child pornography? Racist and other objectionable materials? If so, did you know what to do? And what did you do?


        image Has anyone ever discussed rules for secure e-mail with you? Do you know how to encrypt sensitive messages? Do you ever encrypt messages?


        image As a network manager, do you have up-to-date network diagrams, or can you produce them on demand?


        image Do you know which services are running on your Internet-connected systems? Are all of the running services needed?


        image How do you determine which patches are appropriate for installation on your systems? How often do you check? Who is responsible for managing patches? How long does it take between notification of a vulnerability and installation of an appropriate patch?


        image Does your security architecture include firewalls? If so, what determines the security policies you instantiate in the filtering rules?


        image Do you have egress filtering enabled on your firewalls?

        image Do you have intrusion detection systems? If so, who responds to apprehended intrusions? How are the responsible people notified of an intrusion?


        image What are the procedures for responding to an intrusion?

        image If your organization uses passwords, how do you handle requests for new passwords?


        image

        Do you have centralized remote-access controls?

        image Do remote users use virtual private networks (VPNs) to access corporate systems from outside the firewalls?


        image Are your users supposed to use encryption for sensitive e-mail that traverses the Internet?

        Do they? How do you know?


        image Do your users apply digital signatures to all communications?

        image Are your Web servers protected against intrusion and vandalism? image Have you kept sensitive information off your Web servers?

        image Do you encrypt all sensitive information stored on your Web servers?


        image How long would it take you to recover a valid version of the Web site if it were destroyed or vandalized?


        image Do your telephone voice-mail boxes have unique, nonstandard passwords? How do you know?


        image How do you find out if an employee is being fired or has resigned? How long does it take between termination of employment of such an employee and deactivation of all system and network access?


      14. Antimalware Measures. See Chapter24 for more ideas on checking for appropriate levels of antimalware precautions.


        image Do you and all of your users have antimalware products installed on every workstation? image How often are antimalware products updated? How are they updated?

        image How long does it take for all vulnerable systems to be brought up to date? image Do you or your users open unexpected, unsolicited e-mail attachments?

      15. Backups, Archives, and Data Destruction. For additional suggestions to help in framing questions about data backups, see Chapter 41.


        image How often do you do backups of your electronic data?

        image Where do you store backup media? Are current copies retained off site as well as on?

        How do you know which media to use to restore a specific file?


        image

        image How long do you keep different types of backups? Why? How do you prevent unauthorized access to backup media?

        image If you keep data backups for several years, how do you ensure that the old media will be readable and that the data developed for old applications will be usable?


        image How do you dispose of magnetic and optical storage media after their useful life is over?

        Are the discarded media readable?


        image Do you make backup copies of paper documents? Where are these copies kept? How would you locate a specific document you needed?


        image How long do you keep various types of papers? Why?

        image When you dispose of paper documents, does their content influence how they are destroyed? How do you dispose of sensitive paper documents?


      16. Business Resumption Planning and Disaster Recovery. For more ideas on questions that are appropriate in quickly evaluating the state of business resumption planning and disaster recovery, see Chapters 42 and 43.


image Do you have business resumption planning (BRP) or disaster recovery plans (DRP)? If so, where are they kept?


image Who is responsible for keeping BRP and DRP up to date?

image Have you ever participated in a BRP or DRP testing? If so, how long ago was the last one? When is the next scheduled test?


image During BRP and DRP tests, does anyone use movie cameras or tape recorders to keep track of critical steps in the recovery?


image After a test, have you participated in analyzing the results of the tests to improve the plans?


    1. PHASE 2: MANAGEMENT SENSITIZATION. Support from upper management is essential for further progress. The goal in this phase is to get approval for an organization-wide audit and policy formulation project. In conjunction with the rest of the information security project team, the responsible managers should plan on a meeting that lasts no more than one or two hours. The meeting should start with a short statement from a senior executive about the crucial role of information in the organization's business.


      Professional aids such as management-oriented training videos are helpful to sensitize the managers to the consequences of poor information security. For an up-to-date list of such videos, enter the keywords “information security training video” into a search engine such as Google.2 After the video film, the team can present its findings from the preliminary evaluation. The immediate goal is to constitute an information protection working group to set priorities, determine an action plan, define a timetable and milestones, and formulate policies and procedures to protect corporate information resources. The presenters should name the people

      you want to see on your working group; all of these people should be contacted before the meeting to be sure that they have agreed in advance to participate in the working group.


      The presenters should provide estimates of the time involved and the costs of in-house, and consulting, services and software. To end the briefing, it is useful to offer upper managers a range of background reading about security; Appendix A2 on the Internet at www.XXXXX.com has suggestions for such readings. Some managers may be intrigued by this field; the more they learn, the more they will support security efforts.


    2. PHASE 3: NEEDS ANALYSIS. The information protection working group should include representatives from every sector of the enterprise. As the group investigates security requirements, the participants’ wide experience and perspective will be crucial in deciding which areas to protect most strongly. More important, their involvement is a concrete expression of corporate commitment to a fundamental attitude change in the corporate culture: Security is to be an integral part of the corporate mission.


      For example, in a manufacturing firm, the team would include managers and staff from the factory floor, the unions, engineering, equipment maintenance, shipping and receiving, facilities management (including those responsible for physical security), administrative support, sales, marketing, accounting, personnel, the legal department, and information systems. Each of these members of the working group will help improve enterprise security.


      If the organization is very large, the group may have to set up subcommittees to deal with specific sectors. Each subcommittee evaluates to what degree the systems and networks are vulnerable to breaches of security. For example, one group could focus on local and campus communications, another on wide area enterprise networks, and a third on electronic data interchange with clients and suppliers.


      A typical audit covers the facilities, personnel policies, existing security, application systems, and legal responsibility to stakeholders (owners, shareholders, employees, clients, and the surrounding community). Based on the findings, the subcommittees formulate proposals for improving security. This is where the specialized knowledge obtained from information security specialists and information security courses will prove especially useful.


      Chapters 36, 45, and 47 have information that will help the information protection working group develop an evaluation plan. In addition, the National Institute of Standards and Technology has published the Guide for Selecting Automated Risk Analysis Tools3; risk analysis tools can help practitioners speed up the evaluation process in this phase of the policy development process.


    3. PHASE 4: POLICIES AND PROCEDURES. Once the information protection working group have built a solid floor of understanding of enterprise information security needs, they are ready to construct the policies and procedures that meet those needs. Chapter 28 contains many suggestions and resources for the content and style of security policies. The process should start from existing templates and normally takes weeks to months to complete a workable draft.


      Genuine participation by all the representatives from every sector of the enterprise is a critical element of success; without a thoroughgoing sense of ownership of the policies, working group

      members will fail to internalize the new policies. All the members of the working group must become enthusiasts for their collective efforts; in some sense, these people become missionaries engaged in the long-term conversion efforts of phase 5, the implementation of the policies.


    4. PHASE 5: IMPLEMENTATION. Once the working group members have defined the new or improved security policies, they are about halfway to their goal. The hardest part is ahead: explaining the need for security and the value of the new policies to fellow employees and convincing them to change. Even if they agree intellectually, there is a good chance that their ingrained social habits will override the new rules for at least months and possibly years. The challenge is to overcome these habits.


      Chapter 35 shows in detail how to use the insights of social psychology to change corporate culture by working on beliefs, attitudes, and behavior. In addition to the suggestions in that chapter, the information protection working group should organize and deliver awareness and training sessions for all levels of the enterprise:


      image Upper management image Technical support image Lower-level staff

      image Other technical staff.

      The following sections offer some simple agendas for such preliminary sessions.


      1. Upper Management. Security policies and procedures require management support and sanctions. The transformation of corporate culture should begin at the top. Although it is difficult to coordinate the presence of top executives, the working group should try to organize a half-day executive briefing session on enterprise security. In practice, the group may be able to convince upper management to attend for one or two hours. The focus should be intensely practical and show executives how to protect themselves and the enterprise against common dangers. Suggested topics:


        image A review of the business case for improving security: industrial espionage, natural and man-made disasters, vandalism


        image Network security: protection against eavesdropping and tampering image Access controls: tokens, biometrics, passwords

        image Encryption: e-mail, laptops, provision for emergency data recovery image Backup policies for PCs, networks, and mainframes

        image Security agreements: summaries of the policies and procedures to be read and signed annually

        image

        Need for total support to convince other staff to comply with security policies


      2. Technical Support. The next target is the technical support group, the people who help explain security policies to users. In a one-day training session, the presentations can cover


        image Everything covered in the executive briefing image Operating system security provisions

        image Security software features

        image Changes in operations to comply with new procedures

      3. Lower-level Staff. Lower-level staff need a half-day session that answers the following questions in terms that apply directly to their own work:


        image Why should I care about information security? image What are my obligations as an employee?

        image How do I protect the PC I am responsible for against viruses? image How do I back up my data?

        image How do I manage my passwords?

        image What must I do if I see someone violating our security policies?

        The class ends with participants signing the security agreement.


      4. Other Technical Staff. More intensive training and education are needed for technical staff, such as members of the software development, operations, and network administration groups. More in-depth, specific material will have to be incorporated into their training; however, such training can be spread over a longer time than that for the groups already discussed because of the rhythm of work and the crucial importance of technical competence for implementation of the policies. Most enterprises rely on outside trainers, specialized off-site or online courses, and certification programs to raise their staff to the appropriate levels of competence.


    1. PHASE 6: MAINTENANCE. Once the enterprise has begun to integrate a concern for security into every aspect of its work, the issue must be kept fresh and interesting. As described in Chapter 29, successful security awareness programs include amusing posters, interesting videos, occasional seminars on stimulating security topics such as recent frauds or computer crimes, and regular newsletters with up-to-date information. Finally, every employee should regularly reread and sign the annual security agreement. This practice ensures that no one can argue that the organization's commitment to security is a superficial charade.


    2. CONCLUSION. For a secure installation, three things are essential:

  1. Sound policies that have been developed with the cooperation of everyone concerned and that are updated periodically


  2. Widespread dissemination of those policies, with ongoing observation of their implementation, and with frequent training and continual reinforcement

  3. Commitment to security on the part of everyone, from top management on down When these essential elements are in place, the entire organization will function at a more

productive level, one at which the possibilities of disruption and damage will have been reduced to a minimum. Nothing less is acceptable.





END NOTES


image


1 See www.informationweek.com/794/security.htm.

2 www.google.com.

3 csrc.nist.gov/publications/nistpubs/500-174/sp174.txt.