The Role of Information Security Policy

A paper I wrote for an information security class at UOP.

The Role of Information Security Policy
Jarin Udom
CMGT/400
November 22, 2013
Eric Clifford

According to Kevin Mitnick, one of the world’s most famous (or infamous) hackers, “companies could spend millions of dollars towards technological protections and that's money wasted if somebody could basically call somebody on the telephone and either convince them to do something on the computer which lowers the computers defenses or reveals the information that they're seeking” (PBS, n.d.). Technical defenses have become increasingly sophisticated, but the human element is still the biggest—and will likely continue to be the biggest—security vulnerability at any organization. Although not completely effective, arguably the best ways to mitigate this risk are policies, standards, and a concerted organizational effort to train and educate employees and others working for the organization.

Policies and Standards

What is the difference between information security policies and standards? Information security policies outline the ways an organization will protect information in the form of high-level business rules and guidelines (PJ, 2009). Information security standards dictate more detailed requirements for how an organization will implement those policies (PJ, 2009). For example, an information security policy may require that all sensitive emails be encrypted and digitally signed. The corresponding standard may specify that all sensitive email is to be encrypted and digitally signed via PGP, using the RSA algorithm with a 2048-bit key size.

Policies

In any organization, it’s important to start with a high-level security policy before considering standards, guidelines, or procedures. A security policy addresses the overarching goals, concerns, and risks of the organization’s overall information security efforts. Information security policies are “made by management when laying out the organization’s position” (Conklin, White, Williams, Davis, Cothren, & Schou, 2011) on organizational security issues. According to Diver (2006), when developing a security policy it’s important to consider the company’s level of process maturity. She further elaborates that aiming too high at first, especially in large organizations, “isn’t likely to be successful for a number of reasons including lack of management buy-in, unprepared company culture and resources and other requirements not in place” (Diver, 2006). Since information security policies are generally created by management, it’s also important to assemble a team of subject matter experts to provide information and assist managers and executives during the process.

Standards

Most standards in an organization are developed based on the organization’s high-level security policy. However, according to Conklin et al. (2011), other standards are “externally driven. Regulations for banking and financial institutions, for example, may require certain security measures be taken by law.” Once a security policy is in place, engineers and subject matter experts can begin the task of determining the best standards for implementing the individual goals of the policy. For general information security, the National Institute of Standards and Technology’s (NIST) Computer Security Resource Center is an excellent place to start. NIST’s website contains a plethora of recommended cybersecurity standards and best practices. Similarly, the Open Web Application Security Project’s (OWASP) wiki is a community-maintained resource for web and other application security recommendations and vulnerabilities. Finally, the organization may wish to employ subject matter experts and consultants to develop standards based on industry-standard best practices and experience.

Role of Employees

As stated above, people are the weak link in any organizational information security plan. Most people realize that employees with trusted access privileges may abuse their access to compromise an organization’s information. However, as Kevin Mitnick illustrated, employees can also be unwittingly tricked into divulging sensitive information, or information that can assist an intruder in compromising computer systems. Organizations must include human factors in their security policies, and they must make efforts to inform employees and others working for the organization about policies, standards, procedures, and guidelines. It is absolutely essential that employees understand that information compromises can have serious consequences, not just for the organization but also for the employees themselves. Employees and others working for the organization must be ever vigilant against social engineering attempts, phishing, physical security breaches, and other human-oriented intrusion attempts.

For example, an intruder may attempt to gain access to a secure facility by waiting for an authorized employee to swipe their security badge and then following them through the door, or “piggybacking”, before it closes. Organizations can prevent this kind of intrusion by implementing clear policies that every person passing into a secure area must swipe their badge before entering. This kind of policy counteracts the normal human tendency to avoid inconveniencing others. Another example might be an intruder attempting to gain sensitive security information over the phone. Kevin Mitnick famously exploited the natural human tendency to be helpful by calling government agencies and posing as a fellow employee who was having technical problems, and he was able to convince employees to give him the names of computer systems and even execute commands on his behalf (PBS, n.d.). Employees should verify the identity of any unknown caller, even if the caller claims to be in distress or to be a high-level executive (another common tactic). However, an exception can be made for familiar voices, as studies have shown that people are quite good at recognizing voices—an accuracy rate of 92% when hearing a familiar voice for only 5.3 seconds and an accuracy rate of 79% when hearing a barely familiar voice for 15.3 seconds (Kreiman & Sidtis, 2011, p. 177).

Conclusion

As Kevin Mitnick said, “the human side of computer security is easily exploited and constantly overlooked” (PBS, n.d.). While the proliferation of botnets, worms, and easily available “script kiddy” tools has clearly made the role of technological information security measures more important than ever, the human element remains the weak point of any information security plan. In order to mitigate this risk, organizations must develop clear information security policies and then use them to develop standards to be implemented throughout the organization. In addition, they must train and educate employees about the risks of social engineering attempts, phishing, physical intrusion, and other human-based intrusion attempts, and about the importance of guarding against them.

References

Conklin, A., White, G., Williams, D., Davis, R., Cothren, C., & Schou, C. (2011). Principles of Computer Security: CompTIA Security+ and Beyond (Exam SY0-301) (3rd ed.). New York, NY: McGraw Hill Professional.

Diver, S. (2006). Information security policy - a development guide for large and small companies. SANS Institute Reading Room. Retrieved from

Kreiman, J., & Sidtis, D. (2011). Foundations of voice studies: An interdisciplinary approach to voice production and perception (1st ed., p. 177). John Wiley & Sons. Retrieved from

PBS. (n.d.). Testimony of an ex-hacker. Retrieved from

PJ. (2009, February 03). What are policies, standards, guidelines and procedures? Retrieved from