Iss Policy Development
Information Systems Security, 16:246–256, 2007. Copyright © Taylor & Francis Group, LLC. ISSN: 1065-898X print / 1934-869X online. DOI: 10.1080/10658980701744861

Information Security Policy Development and Implementation

Avinash W. Kadam
MIEL e-Security Pvt. Ltd., Education Services, Mumbai, India

Address correspondence to Avinash W. Kadam, MIEL e-Security Pvt. Ltd., Education Services, C-611/612/Floral Deck Plaza, Mumbai 400014, India. E-mail: awkadam@vsnl.net

ABSTRACT

Development of the information security policy is a critical activity. The credibility of the entire information security program of an organization depends upon a well-drafted information security policy. Most of the stakeholders do not have the time or inclination to wade through a lengthy policy document. This article formulates an approach to information security policy development that makes the policy document capture the essentials of information security as applicable to a business. The document will also convey the urgency and importance of implementing the policy, not only in letter but also in spirit.

INTRODUCTION

Rudyard Kipling probably had no idea that his Six Honest Serving Men would be employed by modern day computer scientists, engineers, and architects for diverse applications. John A. Zachman used them for defining Enterprise Architecture (http://www.zifa.com), whereas John Sherwood used them for defining Enterprise Security Architecture (http://www.sabsa.org). These faithful servants serve anyone seeking a deeper understanding of any complex subject. They are the six simple questions starting with: what, why, how, who, where, and when. If you persist in getting the answers to these six questions, a seemingly impossible task such as developing an information security policy which is relevant to the business, covers the major risks, and is practical to implement can actually be done with confidence.

Let us look at the policies which are developed for other business functions. We will look at only two examples, the financial policy and the human resources policy, and ask our six honest men to find out whether these policies indeed do what they are expected to do. We will simultaneously map the possible answers to these questions onto the information security policy.

What do these policies contain? The financial policy provides the overall direction which the organization should take to have a sound financial basis, one which leads to successful business operations. The human resources policy provides the basis for attracting the right talent and retaining it, by employing the right people for the right job at the right remuneration.

Does the organization's information security policy identify the information which is critical for the business? Does it provide the direction to perform the business functions in a safe and secure manner?

Why are these policies defined? The financial policy contains the accumulated financial wisdom on what is appropriate for the business. It provides for the consistency of financial decisions. The human resources policy is based on the sound values of human dignity and fair treatment. This provides an anchor for the right way to deal with people.

Does the organization's information security policy provide a clear insight into the information security issues that arise while dealing with the business processes?

How are these policies used? The financial policy is always referred to while making business decisions. The human resources policy is consulted while taking complex decisions affecting the careers of the employees.

Is the organization's information security policy referred to when a decision about the right approach to information usage is to be taken?

Who uses these policies? Senior management constantly refers to both the financial policy and the human resources policy to evaluate any decision to be taken by them.

Does senior management refer to the organization's information security policy to confirm whether their decisions conform with it?

Where are these policies used? The financial policy is used for taking all the financial decisions of the company. The universal applicability of the policy ensures consistency of all the actions. Similarly, the human resources policy is the guiding light for all the decisions taken pertaining to people, irrespective of whether the decisions are taken at the corporate level or at a remote branch location.

Is the organization's information security policy followed universally within the organization, and do all the information security decisions demonstrate consistency?

When are these policies used? The financial and human resources policies are used almost constantly. The organization stops functioning if it ignores these policies.

Can we say the same about the organization's information security policy? Is it used each time information access is granted or revoked?

HOW TO SELL INFORMATION SECURITY POLICY TO THE ORGANIZATION

After reviewing the answers to the six questions, we realize that we have a lot of work to do before the information security policy is considered as important for the organization as the financial or human resources policy. The usual skeptical question will be: if we have survived quite well without an information security policy so far, why do we need it now? We will have to do much internal convincing or selling before the organization comes to believe in the importance of the information security policy and implements it in a wholehearted manner.

We always needed a financial policy to run a successful business. I am sure that we had sound financial policy even in the days of businesses based on barter. The human resources policy became essential in the industrial age because labor unions demanded fair treatment of the workers. It has taken centuries of effort for both financial policy and human resources policy to become well accepted and considered essential for sound business. Comparatively, the information age is very young. Although we started using information as a major resource during the past few decades, the major thrust of the information age came from the commercial exploitation of the Internet, which started hardly a decade ago. This is probably one of the reasons for the casual approach we witness while dealing with information security.

Where do we begin our efforts? The answer is, of course, at the very top. But do you think you will get top management's attention and interest if you do not talk the same language they speak, and show the same concerns about the business as they have? How do we get the mind space of the CEO, CFO, and other C-suite occupants? Let us ask our six honest serving men.

What are top management's concerns? How do we grow the business, make it efficient and effective, and beat the competition? Do we, as information security experts, have some information security concerns which could affect the business? Can we recommend some information security approaches which will help grow the business and make it more efficient and effective, and beat the competition?

Why is top management indifferent about information security policy? Of course the business pressures, competition, pressure on margins, and anxieties about the success or failure of new initiatives are some factors, but the most important factor is the fear of the unknown. Most of senior management is not conversant with the IT field at present, though awareness is increasing. They will get interested only if the application of the information security policy shows appreciable positive gains. So, it is the primary task of the information security experts to demonstrate the gains through the application of the information security policy. Do we have something to offer to reduce the pressure? Can we contribute our might toward the new initiatives by some measures of information security?

How do we conduct the business in an ever changing scenario? How do we keep the leading edge? Can the information security policy identify ways to cope with the changing scenario and keep the business at the leading edge?

Who are the people top management can trust to handle the complexities of the new information age? Can information security experts identify new ways of handling the information resources in a reliable manner, and safeguard the company's intellectual property?

Where will top management look for successful approaches to handling new age initiatives? Can the information security policy provide the direction?

When does one spot information as a valuable resource and create a differentiating factor? Can the information security policy provide that differentiation between a successful organization and the others?

You may frame many different questions using the same six words. Your focus should be to find:

⦁ What value the information has for the business
⦁ Why information security makes business sense
⦁ How you can help make the information secure for the business
⦁ Who is responsible for making the information secure
⦁ Where you deploy your resources to make the information secure
⦁ When you know if the security measures are indeed successful

Finding answers to these questions will definitely improve top management's perception of information security.

BUSINESS IMPACT ANALYSIS

The concept of business impact analysis (BIA) looks out of place here. We usually talk about BIA when we discuss business continuity and disaster recovery plans. In my opinion, BIA should make its appearance right at the beginning, when we conduct the interviews with top management for formulating the information security policy. The depth, coverage, and details of the BIA will gradually increase as we do more detailed business impact analysis. BIA is the best tool to understand the importance of information security for the organization, and also to make top management realize how much they depend on information security for a successful business.

How do you conduct a BIA where top management is involved? First, identify the critical business processes for the organization. A critical business process usually has the following features:

⦁ It is one of the star performers for the business.
⦁ It is associated with the brand value.
⦁ Its failure could severely impact the organization.
⦁ Any delays for this business process are unacceptable.
⦁ Major investments have been made in perfecting the business process.
⦁ Major technical investments have been made in making the process efficient.

Based on the answers to these questions, you may classify the business processes as critical, important, and routine. Even a single affirmative answer may provide adequate reason to name the business process as critical. It does not mean that you should ignore the routine processes. It only means that the routine processes can be delayed or deferred without a major impact on the business. One example of a routine process could be payroll processing. If this is delayed, employees can still be paid; but if the just-in-time delivery of goods is not done just in time, you may have a serious impact on the business.

Now that we have identified the critical business processes, we take the help of our six honest serving men. Can we formulate questions to do a BIA with the help of what, why, how, who, where, and when? Let us attempt some of these questions.

Your objective is to understand the impact of information security on the business, favorable or otherwise. Top management is in the best position to articulate their perception by answering questions like the following:

⦁ What is the critical information for running the business process?
⦁ Why is it critical?
⦁ How can you run the business if this information is not available to you when you need it?
⦁ Can you run the business if the information is not correct or if it is stolen?
⦁ Who is responsible for guarding the information?
⦁ Where is it located?
⦁ When does the information become critical for your business?

When you pose these questions, you can keep some examples ready to explain the concept. You can also give examples of some actual information security incidents and the impact these had on (hopefully other people's) business. Do you need a quantitative assessment of the business impact of loss of confidentiality, integrity, or availability at this stage? Probably not, but noting down the responses is important. You may get these responses quantified during subsequent interviews with the middle management and the operational staff. This will help you to develop the answers into a fully quantified statement when the risk mitigation measures are decided and their costs have to be justified.

We can design a matrix around our six questions and the three pillars of security, namely confidentiality, integrity, and availability (see Table 1).

TABLE 1  Business impact analysis for business process 'A'

What?
  Confidentiality: What is the critical information for this process which should be confidential?
  Integrity: What is the critical information for this process which should always be accurate and reliable?
  Availability: What is the critical information for this process which should always be available?
Why?
  Confidentiality: Why should this information be confidential?
  Integrity: Why should this information be accurate and reliable?
  Availability: Why should this information always be available?
How?
  Confidentiality: How will the business be affected if the information does not remain confidential?
  Integrity: How will the business be affected if the information is unreliable?
  Availability: How will the business be affected if the information is not available when needed?
Who?
  Confidentiality: Who is responsible for the confidentiality of this information?
  Integrity: Who is responsible for the integrity of this information?
  Availability: Who is responsible for ensuring the availability of this information?
Where?
  Confidentiality: Where do you store this information to ensure its confidentiality?
  Integrity: Where do you store this information to ensure its integrity?
  Availability: Where do you store this information to ensure its availability?
When?
  Confidentiality: When does the confidentiality of this information become critical?
  Integrity: When does the integrity of this information become critical?
  Availability: When does the availability of this information become critical?

These interviews will reveal the business impact resulting from loss of confidentiality, integrity, or availability of information as perceived by senior management. Capturing their concerns will help us in formulating the top level information security policy, which will then be understood and accepted by them.

TOP LEVEL INFORMATION SECURITY POLICY

How does the BIA help us in formulating the top level information security policy? Actually, we have just found out all the reasons why there should be a top level information security policy. The answers that we got from asking the six questions for the three attributes of all the critical business processes can be summarized in the top level information security policy. We may even write the policy as if we are writing answers to the six questions. The top-level information security policy may look something like this.

"(What?) The organization recognizes information as one of the key resources which helps in running a very successful business, delivering various goods and services (we may be more specific here) to our customers and meeting the expectations of the stakeholders.

(Why?) We are very proud of the efficiency and effectiveness we have achieved by our fine tuned business processes (can be more specific). These business processes critically depend on our information systems (can be more specific). Any damage to any information that we possess can adversely impact our business. We strive to maintain all the information with utmost confidentiality and integrity, and make sure that it is available whenever and wherever it is required to be accessed by legitimate users.

(How?) We are aware that we constantly face threats to our information systems. These threats could disrupt our business processes and cause severe losses (can be more specific). It is our intention to deploy all possible resources to ensure that we are able to thwart any such threats and maintain the customers' and stakeholders' confidence in us by having appropriate technical, procedural, and administrative measures in place. We have defined these measures against specific threats and risks in our detailed information security policies.

(Who?) The information security measures will be implemented by our information security team, headed by an information security officer, who directly reports to an information security forum (ISF), which is chaired by the CEO. The members of the ISF will be business unit heads and other responsible persons.

(Where?) The information security measures will be deployed throughout the organization, and all the business processes (can be more specific) will be under the purview of this policy. Any breach of this policy will lead to appropriate disciplinary action.

(When?) Information security is a major concern for the organization. We will have incident management teams working 24×7 to promptly resolve any incidents. We will ensure that all the persons working for the organization are appropriately trained so that they can be vigilant whenever they are using the information. We will also educate our customers so that they can promptly notify us if they notice any information security incidents and need our help (e.g., on receiving a suspicious email)."

The top level information security policy should be signed by the CEO to carry the message effectively.

The above draft gives us a starting point to create an ideal information security policy that reflects the top level concerns of the organization. It will be specific to the organization and will reflect all the effort spent in conducting the BIA. The BIA will provide enough material to list the real concerns about any compromise of information and how it could affect the organization. An information security policy thus designed will be owned by top management, as their contributions in identifying the various critical things that may impact the business will be clearly mentioned. They will also understand that their involvement is the key success factor. All the concerns that were identified during the BIA will subsequently be followed through during the formulation of the detailed information security policies.

THREAT IDENTIFICATION

We now have a top level information security policy for the organization. This is an excellent document to get top level commitment and to clearly state the intentions of the organization regarding information security. But it is still a statement of intention and not enough to develop implementable policies. For this, we need to first identify all the threats to the information. The threats we identify will not be just a general perception of threats. These will now be more specific, as we know what the really critical business processes are. The BIA has given us a good insight into this aspect of the business. We also know which aspects of information security, that is, confidentiality, integrity, or availability, are critical for the particular business processes. So, we should be able to narrow down our list to the more realistic threats that can pose a danger to the critical information assets. We can also create plausible threat scenarios. By now we have got a good idea about these from the BIA sessions that we had with top management. We can also take the help of our six honest serving men and make a table which will remind us not to forget any of the contributing threat factors.

Please notice that there could be different types of threats which affect the three pillars of information security. A threat which compromises confidentiality may not cause loss of integrity or cause unavailability. We need to identify each of these separately, as shown in Table 2.

TABLE 2  Identification of threats for business process 'A'

What?
  Threats to Confidentiality: What are the threats to the confidentiality of critical information supporting this business process?
  Threats to Integrity: What are the threats to the integrity of critical information supporting this business process?
  Threats to Availability: What are the threats to the availability of critical information supporting this business process?
Why? (asked for each of the three columns): Why do these threats exist?
How? (each column): How can these threats actually act?
Who? (each column): Who will carry out the threat actions?
Where? (each column): Where can the attack happen?
When? (each column): When can the attack happen?

The questions for threat identification can be asked of the middle management as well as the operational staff. These persons will be facing such threats in their normal day to day operations. Their answers will give us a greater insight into the threat perception. This in turn will help us in focusing our efforts on creating detailed information security policies which address these specific threats. The answers that we are seeking from our six faithful serving men are:

⦁ What are the realistic threats to information for our business processes?
⦁ What are the natural threats?
⦁ What are the manmade threats?
⦁ Why do these threats exist?
⦁ Is there a strong motivational factor for the manmade threats?
⦁ Are there strong environmental factors which cause the natural threats?
⦁ How may the threats materialize?
⦁ Who are the major suspects?
⦁ Where will we be hit?
⦁ When are we most prone to these threats?

Once again, remember to ask these questions for each type of information security requirement: confidentiality, integrity, and availability.

VULNERABILITY ASSESSMENT, OR HOW WELL THE ORGANIZATION IS PREPARED AGAINST THESE THREATS

This will be the next logical step in our journey to develop the information security policy. Even without a formal policy, an organization will usually have a few security measures in place. We will try to discover what these are and assess their adequacy. Once again we take the help of our six honest serving men and start probing the middle and operational management into revealing the various practices in place. Some of these practices may even be documented by means of staff notices or departmental circulars. We should collect all of these and study them before conducting the interviews. This will help us understand the current state of information security implementation in the organization. Notice the complex phrase "vulnerability corresponding to the threats." It means we want to discover if there are any specific vulnerabilities that can be exploited by specific threats to confidentiality, integrity, or availability (see Table 3).

TABLE 3  Identification of vulnerabilities for business process 'A'

What?
  Vulnerabilities corresponding to the threats to Confidentiality: What are the vulnerabilities corresponding to the threats to confidentiality?
  Vulnerabilities corresponding to the threats to Integrity: What are the vulnerabilities corresponding to the threats to integrity?
  Vulnerabilities corresponding to the threats to Availability: What are the vulnerabilities corresponding to the threats to availability?
Why? (each column): Why do these vulnerabilities exist?
How? (each column): How can these vulnerabilities be exploited?
Who? (each column): Who will exploit these vulnerabilities?
Where? (each column): Where may this happen?
When? (each column): When may this happen?

The answers that we are seeking to our six questions will be:

What are the weaknesses in your defense system which may cause leakage of confidential information, unauthorized modification of information, or unavailability of critical information?

Why are these weaknesses there? Has no one noticed them before, or have they been left open in the hope that no threat will ever exploit this vulnerability?

How will a threat take advantage of these vulnerabilities? If you were the enemy, and knew about these vulnerabilities, how would you use the knowledge to cause maximum damage?

Who will benefit most from the knowledge of these vulnerabilities? Will someone be strongly motivated to cause harm to your business?

Where will the attack take place? What is the most vulnerable spot?

When will the attack take place? When is your organization most susceptible?

While seeking answers to these questions, we will realize that each individual question seeks to discover the vulnerability of the basic component which will be the weakest link in the system. Thus, the vulnerabilities of a business process can be narrowed down to the individual components that constitute an information system. The components of an information system are listed below; the first two letters of each component name are used as abbreviations in the columns of Tables 4 and 5:

Information (or the data)
− Data, databases, data warehouses
Software
− Application programs, DBMS, operating system
Hardware
− Servers, desktops, networking devices
People
− Management, users, contract workers
Services
− Internet, HVAC, power
Documents
− Agreements, contracts, legal papers

Thus we can trace the vulnerabilities of the information system to the vulnerability of an individual component. We can use Table 4 to identify and document whether any of the information system components is vulnerable to any of the threats identified during our study.

TABLE 4  Vulnerability of individual components of information system 'A' supporting a critical business process

Rows: What? Why? How? Who? Where? When?
Columns: Confidentiality (In So Ha Pe Se Da), Integrity (In So Ha Pe Se Da), Availability (In So Ha Pe Se Da)
(The cells are left blank, to be filled in for the components found vulnerable.)

Identifying Action Plans

We need a number of detailed information security policies to address the multitude of vulnerabilities of the information system components which could be exploited by threats and compromise the confidentiality, integrity, or availability of our critical business systems. We need to formulate individual policy statements which address each of these vulnerabilities and the way to control them. We can use Table 5 to pair the threats and vulnerabilities and link them to the information system components under attack. Remember, one threat can exploit multiple vulnerabilities of multiple components. The next step will be to define the action statements against each threat and vulnerability combination for each of the affected information system components, so that we can reduce the possibility of the threat exploiting the vulnerability of the component and compromising security.

TABLE 5  Threat-vulnerability pairs and the action statement to address the risks

Columns: Threat | Vulnerability | Confidentiality (In So Ha Pe Se Da) | Integrity (In So Ha Pe Se Da) | Availability (In So Ha Pe Se Da) | Action | Policy statement reference
(One row per threat-vulnerability pair; the component columns are marked for each security attribute the pair affects.)

The action statements could consist of a variety of actions. These could include deploying various technical solutions such as a firewall, IDS, or antivirus software, defining some physical measures such as barriers, or certain administrative (e.g., separation of duty) or punitive (e.g., disciplinary action) measures. Each of these becomes an action statement.

Writing Information Security Policies

We now call upon our six honest serving men. The answers to who, what, and why will be included in the policies. How, where, and when will be answered by the procedures. The final list of information security policies may be large, as each policy will be written with a specific what in mind. The what is answered by the selection of a control objective. The control objective is defined as a "statement of the desired result or purpose to be achieved by implementing control procedures in a particular process" (COBIT 4.1, IT Governance Institute). Further, the control is defined as "means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of administrative, technical, management, or legal nature" (ISO/IEC 17799:2005).

Who will achieve the control objectives by implementing appropriate control procedures? We need to define specific roles and responsibilities. The responsible persons should clearly know why the control objective needs to be achieved. The why gives the main motivating factor behind the information security policy. It may be a legal requirement or a contractual obligation; it may be required because the organization believes it is the best practice to follow. Whatever the reason, it should be stated clearly.

We would start the process of writing the information security policies by first selecting the appropriate control objectives that need to be achieved. These can be selected from a standard such as ISO 27001 (http://www.iso.org), a framework such as ISO 17799 or COBIT (http://www.itgi.org), a compliance requirement such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Basel II, or a law such as the European Union Data Protection Act. The selection will depend on the requirements of the organization.

The next step will be to write appropriate policies that meet the requirements of the control objectives. This will be followed by writing the detailed procedures. The policies will cover the administrative, technical, management, and legal requirements. While writing the policy, we should ensure that the action statements fall in the right places in the policies. For example, if we have identified the threat of information theft and the vulnerability is a weak implementation of passwords, affecting the confidentiality of the information, then the action plans will be:

⦁ Administrative
− Provide appropriate training.
⦁ Technical
− Enforce strong password selection through appropriate parameters.
⦁ Management
− Ensure that the password policy is approved by management.
− Ensure user acceptance by asking them to sign the appropriate form.
⦁ Legal (or compliance) requirements
− Define disciplinary action.
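The threat-vulnerability pairing of Table 5 and the per-category action plans above can be kept as a small structured record and checked mechanically. The following Python is an added example, not code from the article: it models Table 5 rows with the article's component abbreviations (In, So, Ha, Pe, Se, Da), renders each row's component marks, and reports which pairs still lack an action statement, which actions are not yet tied to a written policy, and which BIA exposures (process and attribute) no written policy addresses. The process, threats and policy references (such as "PS-ACC-01") are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Component abbreviations as used in the column headings of Tables 4 and 5
COMPONENTS = {"In": "Information", "So": "Software", "Ha": "Hardware",
              "Pe": "People", "Se": "Services", "Da": "Documents"}
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability")


@dataclass
class ActionStatement:
    category: str          # Administrative, Technical, Management or Legal
    text: str
    policy_ref: str = ""   # "Policy statement reference" column; empty until written


@dataclass
class Table5Row:
    process: str
    threat: str
    vulnerability: str
    affected: Dict[str, Set[str]]   # attribute -> affected component abbreviations
    actions: List[ActionStatement] = field(default_factory=list)


def validate_row(row: Table5Row) -> None:
    """Reject attributes or component abbreviations not used in the article's tables."""
    for attr, comps in row.affected.items():
        if attr not in ATTRIBUTES:
            raise ValueError(f"unknown attribute {attr!r}")
        unknown = comps - set(COMPONENTS)
        if unknown:
            raise ValueError(f"unknown component(s) {sorted(unknown)}")


def marks(row: Table5Row, attr: str) -> str:
    """Render one attribute group of a row as the table's In/So/Ha/Pe/Se/Da columns."""
    hit = row.affected.get(attr, set())
    return " ".join(f"{c}:{'X' if c in hit else '-'}" for c in COMPONENTS)


def find_gaps(rows: List[Table5Row]) -> Tuple[List[str], List[str], List[Tuple[str, str]]]:
    """Return (pairs with no action statement,
               action statements with no policy reference,
               (process, attribute) exposures that no referenced policy covers yet)."""
    no_action: List[str] = []
    no_ref: List[str] = []
    needed: Set[Tuple[str, str]] = set()
    covered: Set[Tuple[str, str]] = set()
    for row in rows:
        validate_row(row)
        pair = f"{row.process}: {row.threat} / {row.vulnerability}"
        if not row.actions:
            no_action.append(pair)
        for a in row.actions:
            if not a.policy_ref:
                no_ref.append(f"{pair} [{a.category}] {a.text}")
        # An exposure counts as covered only once some action for it has been
        # written into a policy, i.e. carries a policy statement reference.
        for attr in row.affected:
            needed.add((row.process, attr))
            if any(a.policy_ref for a in row.actions):
                covered.add((row.process, attr))
    return no_action, no_ref, sorted(needed - covered)


# Constructed sample following the two worked examples in the text (weak passwords,
# weak network security) plus one availability threat; policy references are placeholders.
SAMPLE_ROWS = [
    Table5Row("just-in-time delivery", "information theft", "weak password implementation",
              {"Confidentiality": {"In", "So", "Pe"}},
              [ActionStatement("Administrative", "Provide appropriate training.", "PS-ACC-01"),
               ActionStatement("Technical", "Enforce strong password parameters.", "PS-ACC-02"),
               ActionStatement("Management", "Password policy approved; users sign acceptance.", "PS-ACC-03"),
               ActionStatement("Legal", "Define disciplinary action.", "PS-HR-05")]),
    Table5Row("just-in-time delivery", "theft, unauthorized modification, nonavailability",
              "weak network security",
              {attr: {"Ha", "So", "Se"} for attr in ATTRIBUTES},
              [ActionStatement("Technical", "ACLs, firewall, server hardening, IDS.")]),  # no policy yet
    Table5Row("just-in-time delivery", "power failure", "no standby power at the branch server room",
              {"Availability": {"Se", "Ha"}}),   # identified in the BIA, no action defined yet
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"{row.threat} / {row.vulnerability}")
        for attr in ATTRIBUTES:
            print(f"  {attr[:3]}: {marks(row, attr)}")
    no_action, no_ref, uncovered = find_gaps(SAMPLE_ROWS)
    print("Pairs without an action statement:", no_action)
    print("Actions not yet in a policy:", no_ref)
    print("BIA exposures with no written policy:", uncovered)
```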
Yet another threat could be information theft, unauthorized modification, and nonavailability due to weak network security. Then the action plans will be:

⦁ Administrative
− Background checks of employees and contractors working in network administration.
⦁ Technical
− Access control lists, firewall, server hardening, IDS, and so on.
⦁ Management
− Periodic review of security incidents.
⦁ Legal requirements
− Appropriate non-disclosure agreements with the networking staff and contract workers.

How Many Policies?

You can classify policies in various groups:

⦁ For a defined target group
− Everyone in the organization
− System managers, administrators
− Management
⦁ For specific topics
− Information classification
− Physical and environmental security
− Operations management
− Data communication
− Network security
− Back-up
− Access control
− Password
− Incident management
− Business continuity
⦁ Department specific topics
− Application development
− Compliance

You may be required to define additional policies for particular topics. For example, the topic of access control could spawn many policies, such as operating system access control, database access control, remote access control, and so on. Dividing policies into target groups will help you to train people only on the specific policies that apply to them.

Writing Procedures and Guidelines

Remember, the how, where, and when will be answered by procedures. We need to write answers to these questions. A procedure is a step-by-step method of "how to do it." It may be a simple thing such as selecting a password or a complex procedure for defining access control rules on the firewall. The "how" should document the entire procedure in as simple a manner as possible. If appropriate, you may use flow charts or decision tables or any other method to convey the message.

The "where" will describe the location or the workstation or the right place where the procedure will be performed. For example, a fire evacuation test procedure will be performed in the office or the data center. The answer to "when" in this case may be: the last Friday of every month, between 3.00 and 4.00 p.m.

A clearly written procedure will be a great help when implementing any policy. You may also include additional guidelines to supplement the procedures. For example, a guideline on how to select a complex password which is also easy to remember will be greatly appreciated.

IMPLEMENTATION

You have completed all the back office work. You made your six honest serving men slog day and night. Now is the time to deliver the great meal that you have cooked. Implementation is the hardest part. Acceptance by the organization depends on many factors. You will have to constantly battle with the conflicting demands of security versus ease of use. Implementation cannot be done just by issuing a fiat. Human ingenuity will always find ways of circumventing things which are viewed as obstacles. You have to take the entire organization into confidence.

Implementation at the Top

Where do you begin your efforts? The answer is, as usual, at the very top. Top management has to give its whole-hearted approval to all the policies you have developed. These policies will have proposed many changes. These changes will be of different types. Some will be mere procedural changes, but some may require a totally new approach. Some changes will be technical in nature, others will be administrative. Changes will affect everyone in some way or another. By proposing the information security policy, we are trying to introduce discipline in handling information for the organization. Discipline brings in restrictions, and restrictions are usually resented, at least in the beginning.

A new information security policy may also require additional investment in people, processes, and technology. You will have to prepare budgets and also do a cost/benefit analysis to justify the expenditure. So, you will have to prepare a full report on the new information security policy and present it to the top management forum. The report should include a complete project plan giving details of the activities required to implement the various policies. These activities will include procurement and implementation of new equipment or techniques such as a firewall, IDS, single sign-on, and so forth.

Have we assigned responsibility for each policy? Where is the implementation planned? Will the implementation happen at all locations or only at selected locations? When is the implementation planned? Will it be a big-bang approach or a phase-wise approach?

You will have to be very well prepared to defend your proposal. An especially tricky part will be the response to the questions regarding ROSI (return on security investment). You will have to convince top management that avoiding a security incident is much cheaper than paying for the losses that a security incident may cause. The return will be the savings from the potential future losses. Once you have got the approval, you have won half the battle.

The next step will be to prepare a training program especially for top management. You will have to clearly explain their ongoing role in information security for the organization. They will have to lead
It will also include train- the organization by setting good example. If the ing plans for the entire organization. It will specify boss participates in a fire evacuation drill, no one how the implementation activities are to be moni- will pretend to be too busy and avoid such exer- tored and reported and, answer the most important cises. If the senior management regularly changes questions that top management loves to ask, what is the passwords and learns how to encrypt the data the return on security investment (ROSI). on their laptops, no one will complain about the How do you prepare and present the report? Ask extra work involved to secure the information. The our six honest serving men to help us. Explain to the top management will have to “walk the talk” and top management the answers to the six questions we demonstrate complete adherence to the information are so familiar with: what, why, how, who, where, security policy that they have endorsed. and when, through your report and presentation: Implementation at the  What are the information security risks that operations Level were identified? What is the total investment in security? What is the ROSI? This is where you will train the actual implemen- Why are these risks so critical? tation team. The system administrators, network Why is the business impact due to these risks administrator, and various other operations staff will not acceptable? be made familiar with the new information secu- How will information security policies help rity policy. They would be already familiar with the mitigate these risks? approach. They would be specifically trained on How much money will be spent in procuring their areas or responsibilities so that they will have the security products and techniques and an in-depth knowledge of the technology used and implementing them? the new procedures to be followed. 
We will seek How much time and money will be spent on help of our six faithful servants to make sure that training all the persons in the organization? we do not miss anything of importance. We provide Who will be responsible for the successful answers to the following questions during the imple- implementation of these policies? mentation at this level: 255 Information Security Policy Development and Implementation
  • 11. What are the new requirements of the infor- The training programs should be designed to pro- mation security policy in individual areas of vide convincing answers to our six questions. operation? What are the new products and procedures 1. What is the objective of the information security? being implemented? 2. Why is it necessary to follow the information Why these products and procedures were security policy of the company? Will something selected? really go wrong if we do not follow the policy? How do these products and procedures work? Can you give us some examples? How do we configure and customize them? 3. How do we work with all these security controls How do we test them? around us? How do we maintain them? 4. Who is responsible for the information security? How do we trouble-shoot them? Am I really responsible for every piece of infor- Who will be responsible for each product and mation that I access? procedure? 5. Where are the security controls? Are they imple- Where will the products and procedures be mented in my area of operation? Are they imple- implemented? mented on e-mail servers, web servers, desk-tops? When will the products and procedures be Are there physical security controls? Where are operational? they located? 6. When these security controls are going to be We will have to design the technical training pro- made operational? grams for specific security products and procedures selected for the implementation. The operations You may devise various ways of delivering the persons will have to become very well-versed with training. It could be a classroom training or Web- handling the new security measures. They will also based e-learning or video-based training. There need to be trained on various reporting and escala- should be some amount of interactivity in any type tion procedures. Incident management and response of training. The audience should be made to par- team will require specialized training. 
The business ticipate in answering our famous six questions per- continuity and disaster recovery team also will need taining to the training topics designed for them. If specialized training. they get involved in answering these questions, they All these training programs will have to be com- will start appreciating the reason for the policy, the pleted before the actual implementation. Operations necessity of implementing the procedures and more staff should be made responsible for implementing importantly, their own role in guarding the informa- the security controls. This will build their confi- tion assets of the organization. dence, expertise and the sense of ownership. You have properly developed the information security policy when the end users can answer the Implementation for Everyone six questions. You have correctly implemented it This can only be done by a major drive to educate when they feel responsible for their role. everyone. The right message should reach the right people. The training programs have to be designed keeping in mind the actual groups being addressed. BIoGRAPHY The trainer has to talk the language of the audi- ence. The same training that goes well with system Avinash Kadam is the Chief Knowledge Resource at administrators will be received with stony silence MIEL e-Security, a company in the domain of Infor- or yawns by the general users. Only the relevant mation Security Consulting, Training, Implementation policies and procedures should be covered for each and Audit. He has worked in the I.T. industry for more group. You may have to customize the training pro- than 35 years of which the past 10 years were totally grams. The application programming group may focused on Information Security. He has handled require different training programs compared to the major information security consulting projects for large helpdesk staff. organizations. Kadam 256