247 Information Security Policy Development and Implementation

by employing the right people for the right job for the right remuneration.

Does the organization's information security policy identify the information which is critical for the business? Does it provide the direction to perform the business functions in a safe and secure manner?

Why are these policies defined? The financial policy contains the accumulated financial wisdom on what is appropriate for the business. It provides for the consistency of financial decisions. The human resources policy is based on the sound values of human dignity and fair treatment. This provides an anchor for the right way to deal with people.

Does the organization's information security policy provide a clear insight into the information security issues while dealing with the business processes?

How are these policies used? The financial policy is always referred to while making business decisions. The human resources policy is consulted while taking complex decisions affecting the careers of the employees.

Is the organization's information security policy referred to when a decision about the right approach to information usage is to be taken?

Who uses these policies? Senior management constantly refers to both the financial policy and the human resources policy to evaluate any decision to be taken by them.

Does senior management refer to the organization's information security policy to confirm whether their decisions conform with such a policy?

Where are these policies used? The financial policy is used for taking all the financial decisions of the company. The universal applicability of the policy ensures consistency of all the actions. Similarly, the human resources policy is the guiding light for all the decisions taken pertaining to people, irrespective of whether the decisions are taken at the corporate level or at a remote branch location.

Is the organization's information security policy followed universally within the organization, and do all the information security decisions demonstrate

When are these policies used? The financial and human resources policies are used almost constantly. The organization stops functioning if it ignores using

Can we say the same about the organization's information security policy? Is it used each time information access is granted or revoked?

HOW TO SELL INFORMATION SECURITY POLICY TO THE ORGANIZATION

After reviewing the answers to the six questions, we realize that we have a lot of work to do before the information security policy is considered as important for the organization as the financial or human resources policy. The usual skeptical question will be: if we are surviving quite well without an information security policy so far, why do we need it now? We will have to do much internal convincing or selling before converting the organization into believing in the importance of the information security policy and implementing it in a wholehearted manner.

We always needed a financial policy to run a successful business. I am sure that we had sound financial policy even in the days of businesses based on barter. The human resources policy became essential in the industrial age because labor unions demanded fair treatment for the workers. It has taken centuries of effort for both financial policy and human resources policy to become well accepted and considered essential for sound business. Comparatively, the information age is very young. Although we started using information as a major resource during the past few decades, the major thrust to the information age came from the commercial exploitation of the Internet, which started hardly a decade ago. This is probably one of the reasons for the casual approach we witness while dealing with information

Where do we begin our efforts? The answer is, of course, at the very top. But do you think that you will get top management's attention and interest if we do not talk the same language that they speak, and show the same concerns about the business as they have? How do we get the mind space of the CEO, CFO, and other C-suite occupants? Let us ask our six honest serving men.

What are top management's concerns? How do we grow the business, make it efficient and effective, and beat the competition? Do we, as information security experts, have some information security concerns which could affect the business? Can we recommend some information security approaches which will help grow the business, make it more efficient and effective, and beat the competition?

Why is top management indifferent about information security policy? Of course the business pressures, competition, pressure on margins, and anxieties about the success or failure of new initiatives are some factors, but the most important factor is the fear of the unknown. Most of the senior management is not conversant with the IT field at present, though the awareness is increasing. They will get interested only if the application of the information security policy shows appreciable positive gains. So, it is the primary task of the information security experts to demonstrate the gains through the application of the information security policy.

Do we have something to offer to reduce the pressure? Can we contribute our might toward the new initiatives by some measures of information

How do we conduct the business in an ever changing scenario? How do we keep the leading edge? Can the information security policy identify ways to cope with the changing scenario and keep the business at the leading edge? Who are the people top management can trust to handle the complexities in the new information age? Can information security experts identify new ways of handling the information resources in a reliable manner, and safeguard the company's intellectual property?

Where will top management look for successful approaches to handling new age initiatives? Can the information security policy provide the direction?

When does one spot information as a valuable resource and create a differentiating factor? Can the information security policy provide that differentiation between a successful organization and others?

You may frame many different questions using the same six words. Your focus should be to find:

What value the information has for the business
Why information security makes business sense
How you can help make the information secure for the business
Who is responsible for making the information
Where you deploy your resources to make the
When you know if the security measures are

Finding answers to these questions will definitely improve top management's perception of the

BUSINESS IMPACT ANALYSIS

The concept of business impact analysis (BIA) looks out of place here. We usually talk about BIA when we discuss business continuity and disaster recovery plans. In my opinion, BIA should make its appearance right in the beginning, when we conduct the interview with top management for formulating the information security policy. The depth, coverage, and details of the BIA will gradually increase as we do more detailed business impact analysis. BIA is the best tool to understand the importance of information security for the organization, and also to make top management realize how much they depend on information security for a successful business.

How do you conduct a BIA where top management is involved? First, identify the critical business processes for the organization. A critical business process usually has the following features:

⦁ It is one of the star performers for the business.
⦁ It is associated with the brand value.
⦁ Its failure could severely impact the organization.
⦁ Any delays for this business process are
⦁ Major investments have been made in perfecting the business process.
⦁ Major technical investments have been made in making the process efficient.

Based on the answers to these questions, you may classify the business processes as critical, important, and routine. Even a single affirmative answer may provide adequate reason to name the business process as critical. It does not mean that you should ignore the routine processes. It only means that the routine processes can be delayed or deferred without having a major impact on business. One example of a routine process could be payroll processing. If this is delayed, employees can still be paid, but if the just-in-time delivery of goods is not done just in time, you may have a serious impact on

Now that we have identified critical business processes, we take the help of our six honest serving

Can we formulate questions to do a BIA with the help of what, why, how, who, where, and when? Let us attempt some of these questions.
TABLE 1 Business impact analysis for business process 'A'

What?
  Confidentiality: What is the critical information for this process which should be confidential?
  Integrity: What is the critical information for this process which should always be accurate and reliable?
  Availability: What is the critical information for this process which should always be available?
Why?
  Confidentiality: Why should this information be confidential?
  Integrity: Why should this information be accurate and reliable?
  Availability: Why should this information always be available?
How?
  Confidentiality: How will the business be affected if the information does not remain confidential?
  Integrity: How will the business be affected if the information is unreliable?
  Availability: How will the business be affected if the information is not available when needed?
Who?
  Confidentiality: Who is responsible for the confidentiality of this information?
  Integrity: Who is responsible for the integrity of this information?
  Availability: Who is responsible for ensuring the availability of this information?
Where?
  Confidentiality: Where do you store this information to ensure its confidentiality?
  Integrity: Where do you store this information to ensure its integrity?
  Availability: Where do you store this information to ensure its availability?
When?
  Confidentiality: When does the confidentiality of this information become critical?
  Integrity: When does the integrity of this information become critical?
  Availability: When does the availability of this information become critical?
Your objective is to understand the impact of information security on the business, favorable or otherwise. Top management is in the best position to articulate their perception by answering questions like the following:

What is the critical information for running the business process?
Why is it critical?
How can you run the business if this information is not available to you when you need it?
Can you run the business if the information is not correct or if it is stolen?
Who is responsible for guarding the information?
Where is it located?
When does the information become critical for your business?

When you pose these questions, you can keep some examples ready to explain the concept. You can also give examples of some actual information security incidents and the impact these had on (hopefully other people's) business. Do you need a quantitative assessment of the business impact of loss of confidentiality, integrity, or availability at this stage? Probably not, but noting down the responses is important. You may get these responses quantified during subsequent interviews with the middle management and the operational staff. It will help you to develop the answers into a fully quantified statement when the risk mitigation measures are decided and their costs have to be justified.

We can design a matrix around our six questions and the three pillars of security, namely confidentiality, integrity, and availability (see Table 1). These interviews will reveal the business impact resulting from loss of confidentiality, integrity, or availability of information as perceived by senior management. Capturing their concerns will help us in formulating the top level information security policy, which will be understood and accepted by them.

TOP LEVEL INFORMATION SECURITY POLICY

How does the BIA help us in formulating the top level information security policy? Actually, we have just found out all the reasons why there should be a top level information security policy. The answers that we got from asking the six questions for the three attributes for all the critical business processes can be summarized in the top level information security policy. We may even write the policy as if we are writing answers to the six questions. The top level information security policy may look something like this.

“(What?) The organization recognizes information as one of the key resources, which helps in running a very successful business, delivering various goods and services (we may be more specific here) to our customers and meeting the expectations of the stakeholders.
(Why?) We are very proud of the efficiency and effectiveness we have achieved by our fine-tuned business processes (can be more specific). These business processes critically depend on our information systems (can be more specific). Any damage to any information that we possess can adversely impact our business. We strive to maintain all the information with utmost confidentiality and integrity, and make sure that it is available whenever and wherever it is required to be accessed by legitimate users.

(How?) We are aware that we constantly face threats to our information systems. These threats could disrupt our business processes and cause severe losses (can be more specific). It is our intention to deploy all possible resources to ensure that we are able to thwart any such threats and maintain the customers' and stakeholders' confidence in us by having appropriate technical, procedural, and administrative measures in place. We have defined these measures against specific threats and risks in our detailed information security policies.

(Who?) The information security measures will be implemented by our information security team, headed by an information security officer, who directly reports to an information security forum (ISF), which is chaired by the CEO. The members of the ISF will be business unit heads and other responsible persons.

(Where?) The information security measures will be deployed throughout the organization, and all the business processes (can be more specific) will be under the purview of this policy. Any breach of this policy will lead to appropriate disciplinary action.

(When?) Information security is a major concern for the organization. We will have incident management teams working 24×7 to promptly resolve any incidents. We will ensure that all the persons working for the organization are appropriately trained so that they can be vigilant whenever they are using the information. We will also educate our customers so that they can promptly notify us if they notice any information security incidents and need our help (e.g., receiving a suspicious email).”

The top level information security policy should be signed by the CEO to carry the message effectively.

The above draft gives us a starting point to create an ideal information security policy that reflects the top level concerns of the organization. It will be specific to the organization and will reflect all the efforts spent in conducting a BIA. The BIA will provide enough material to list the real concerns about any compromise of information and how it could affect the organization. An information security policy thus designed will be owned by top management, as their contributions in identifying the various critical things that may impact the business will be clearly mentioned. They will also understand that their involvement is the key success factor. All the concerns that were identified during the BIA will be subsequently followed through during the formulation of detailed information security policies.

We have now got a top level information security policy for the organization. This is an excellent document to get the top level commitment and clearly state the intentions of the organization regarding information security. But it is still a statement of intention and not enough to develop implementable policies. For this, we need to first identify all the threats to the information. The threats we will identify will not be just a general perception of threats. These will now be more specific, as we know what the really critical business processes are. The BIA has given us a good insight into this aspect of the business. We also know which aspects of information security, that is, confidentiality, integrity, or availability, are critical for the particular business processes. So, we should be able to narrow down our list to the more realistic threats that can pose danger to the critical information assets. We can also create plausible threat scenarios. By now we have got a good idea about these from the BIA sessions that we had with top management. We can also take the help of our six honest serving men and make a table which will remind us not to forget any of the contributing threat factors. Please notice that there could be different types of threats which affect the three pillars of information security. A threat which compromises confidentiality may not cause loss of integrity or cause unavailability. We need to identify each of these separately, as shown in Table 2.

The questions for threat identification can be asked of the middle management as well as the operational staff. These persons will be facing such
TABLE 2 Identification of threats for business process 'A'

What?
  Threats to Confidentiality: What are the threats to the confidentiality of critical information supporting this business process?
  Threats to Integrity: What are the threats to the integrity of critical information supporting this business process?
  Threats to Availability: What are the threats to the availability of critical information supporting this business process?
Why? (each of the three columns) Why do these threats exist?
How? (each of the three columns) How can these threats actually act?
Who? (each of the three columns) Who will carry out the threat actions?
Where? (each of the three columns) Where can the attack happen?
When? (each of the three columns) When can the attack happen?

TABLE 3 Identification of vulnerabilities for business process 'A'

What?
  Vulnerability corresponding to the threats to Confidentiality: What are the vulnerabilities corresponding to the threats to confidentiality?
  Vulnerability corresponding to the threats to Integrity: What are the vulnerabilities corresponding to the threats to integrity?
  Vulnerability corresponding to the threats to Availability: What are the vulnerabilities corresponding to the threats to availability?
Why? (each of the three columns) Why do these vulnerabilities exist?
How? (each of the three columns) How can these vulnerabilities be exploited?
Who? (each of the three columns) Who will exploit these vulnerabilities?
Where? (each of the three columns) Where may this happen?
When? (each of the three columns) When may this happen?
threats in their normal day to day operations. Their answers will give us a greater insight into the threat perception. This in turn will help us in focusing our efforts on creating detailed information security policies which address these specific threats.

The answers that we are seeking from our six faithful serving men are:

What are the realistic threats to information for our business processes?
What are the natural threats?
What are the manmade threats?
Why do these threats exist?
Is there a strong motivational factor for the man-
Are there strong environmental factors which cause the natural threats?
How may the threats materialize?
Who are the major suspects?
Where will we be hit?
When are we most prone to these threats?

Once again, remember to ask these questions for each type of information security requirement: confidentiality, integrity, and availability.

HOW WELL THE ORGANIZATION IS PREPARED AGAINST THESE THREATS

This will be the next logical step in our journey to develop the information security policy. Even without a formal policy, an organization will usually have a few security measures in place. We will try to discover what these are and assess their adequacy. Once again we take the help of our six honest serving men and start probing the middle and operational management into revealing the various practices in place. Some of these practices may even be documented by means of staff notices or departmental circulars. We should collect all of these and study them before conducting the interviews. This will help us understand the current state of information security implementation in the organization. Notice the complex phrase “vulnerability corresponding to the threats.” It means we want to discover if there are any specific vulnerabilities that can be exploited by specific threats to confidentiality/integrity/availability (see Table 3).
TABLE 4 Vulnerability of individual components of information system 'A' supporting a critical business system

Columns: Confidentiality (In So Ha Pe Se Do) | Integrity (In So Ha Pe Se Do) | Availability (In So Ha Pe Se Do)
(In = Information, So = Software, Ha = Hardware, Pe = People, Se = Services, Do = Documents. The body of the table is a blank grid: one row per threat identified during the study, marking for each attribute which components are vulnerable to it.)
The answers that we are seeking to our six questions will be:

What are the weaknesses in your defense system which may cause leakage of confidential information, unauthorized modification of information, or unavailability of critical information?
Why are these weaknesses there? Has no one noticed them before, or have they been left open in the hope that no threat will ever exploit this vulnerability?
How will a threat take advantage of these vulnerabilities? If you were the enemy, who knows about these vulnerabilities, how would you use the knowledge to cause maximum damage?
Who will benefit most from the knowledge of these vulnerabilities? Will someone be strongly motivated to cause harm to your business?
Where will the attack take place? What is the most
When will the attack take place? When is your organization most susceptible?

While seeking answers to these questions, we will realize that each individual question seeks to discover the vulnerability of the basic component which will be the weakest link in the system. Thus, the vulnerabilities of a business process can be narrowed down to the individual components that constitute an information system.

The components of an information system are listed below (the abbreviations used in the columns of Tables 4 and 5 are the first two letters of each component name, given here in parentheses):

Information (In), or the data
− Data, databases, data warehouses
Software (So)
− Application programs, DBMS, operating system
Hardware (Ha)
− Servers, desktops, networking devices
People (Pe)
− Management, users, contract workers
Services (Se)
− Internet, HVAC, power
Documents (Do)
− Agreements, contracts, legal papers

Thus we can trace the vulnerabilities of the information system to the vulnerability of an individual component. We can use Table 4 to identify and document whether any of the information system components is vulnerable to any of the threats identified during our study.

Identifying Action Plans

We need a number of detailed information security policies to address the multitude of vulnerabilities of the information system components which could be exploited by threats and compromise the confidentiality, integrity, or availability of our critical

We need to formulate individual policy statements which address each of these vulnerabilities and the way to control them. We can use Table 5 to pair the threats and vulnerabilities and link them to the information system components under attack. Remember, one threat can exploit multiple vulnerabilities of multiple components.

The next step will be to define the action statements against each threat and vulnerability combination for each of the affected information system components, so that we can reduce the possibility of the threat exploiting the vulnerability of the component and compromising the security.
TABLE 5 Threat-vulnerability pairs and the action statement to address the risks

Columns: Threat | Vulnerability | Confidentiality (In So Ha Pe Se Do) | Integrity (In So Ha Pe Se Do) | Availability (In So Ha Pe Se Do) | Action | Policy
(In = Information, So = Software, Ha = Hardware, Pe = People, Se = Services, Do = Documents. The body of the table is a blank grid: one row per threat-vulnerability pair, marking the components under attack for each attribute, followed by the action statement and the policy that carries it.)
The action statements could consist of a variety of actions. These could include deploying various technical solutions such as a firewall, IDS, or antivirus software, defining some physical measures such as barriers, or certain administrative (e.g., separation of duty) or punitive (e.g., disciplinary action) measures. Each of these becomes an action statement.

Writing Information Security Policies

We now call upon our six honest serving men. The answers to who, what, and why will be included in policies. How, where, and when will be answered by the procedures. The final list of information security policies may be large, as each policy will be written with a specific what in mind. The what is answered by the selection of a control objective. The control objective is defined as a “statement of the desired result or purpose to be achieved by implementing control procedures in a particular process” (COBIT 4.1, IT Governance Institute).

Further, the control is defined as “means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of administrative, technical, management, or legal nature” (ISO/IEC, 2005, 17799).

Who will achieve the control objectives by implementing appropriate control procedures? We need to define specific roles and responsibilities. The responsible persons should clearly know why the control objective needs to be achieved. The why gives the main motivation factor behind the information security policy. It may be a legal requirement or a contractual obligation; it may be required because the organization believes it is the best practice to follow. Whatever the reason, it should be stated clearly.

We would start the process of writing the information security policies by first selecting appropriate control objectives that need to be achieved. These can be selected from a standard such as ISO 27001 [4], a framework such as ISO 17799 [4] or COBIT [3], a compliance requirement such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Basel II, or a law such as the European Union Data Protection Act. The selection will depend on the requirements of the organization.

The next step will be to write appropriate policies that meet the requirements of the control objectives. This will be followed by writing the detailed procedures. The policies will cover the administrative, technical, management, and legal requirements. While writing the policy, we should ensure that the action statements fall at the right places in the policies. For example, if we have identified the threat of information theft and the vulnerability is the weak implementation of passwords, affecting the confidentiality of the information, then the action plans will be:

⦁ Administrative
− Provide appropriate training.
⦁ Technical
− Enforce strong password selection through appropriate parameters.
⦁ Management
− Ensure that the password policy is approved by management.
− Ensure user acceptance by asking them to sign
⦁ Legal (or compliance) requirements
− Define disciplinary action.
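The pairing of threats and vulnerabilities with the components under attack (Table 5) and the four-category action plan above can be kept as a small working model rather than a blank grid. The following Python is an added example, not code from the chapter or from any standard it cites: it records, for each threat-vulnerability pair, which components are compromised under confidentiality, integrity, and availability, renders the Table 5 rows, tallies how often each component is hit, and reports every pair that still lacks an administrative, technical, management, or legal action statement. The pairs and action texts are constructed samples (the first two follow the chapter's password and network-security action plans; the third is a deliberately unaddressed pair so that the gap check has something to find).

```python
"""Threat-vulnerability pairs mapped to information system components (Table 5 in code).

Added example, not from the chapter. It records which components a threat-vulnerability
pair compromises for each of confidentiality, integrity and availability, renders the
Table 5 grid, and checks that every pair has action statements in all four requirement
categories. All sample pairs and actions are constructed for illustration; the first two
follow the chapter's password and network-security action plans.
"""
from collections import Counter
from dataclasses import dataclass

# Column labels from the chapter: the first two letters of each component name.
COMPONENTS = {"In": "Information", "So": "Software", "Ha": "Hardware",
              "Pe": "People", "Se": "Services", "Do": "Documents"}
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability")
# The four kinds of requirement that the chapter says every policy must cover.
CATEGORIES = ("Administrative", "Technical", "Management", "Legal")


@dataclass
class ThreatVulnPair:
    threat: str
    vulnerability: str
    affected: dict  # attribute -> frozenset of component labels under attack

    def __post_init__(self):
        for attribute, labels in self.affected.items():
            if attribute not in ATTRIBUTES:
                raise ValueError(f"unknown attribute: {attribute}")
            unknown = set(labels) - set(COMPONENTS)
            if unknown:
                raise ValueError(f"unknown component labels: {sorted(unknown)}")


@dataclass
class ActionStatement:
    pair_index: int  # index of the ThreatVulnPair this action addresses
    category: str    # one of CATEGORIES
    text: str

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")


def table5_rows(pairs):
    """One row per pair; for each attribute, a tuple of booleans in COMPONENTS order
    (True where that component is under attack, i.e. a tick in the Table 5 grid)."""
    rows = []
    for pair in pairs:
        row = {"threat": pair.threat, "vulnerability": pair.vulnerability}
        for attribute in ATTRIBUTES:
            hit = pair.affected.get(attribute, frozenset())
            row[attribute] = tuple(label in hit for label in COMPONENTS)
        rows.append(row)
    return rows


def coverage_gaps(pairs, actions):
    """For every pair index, the categories that still lack an action statement;
    a pair with no action at all reports all four categories missing."""
    present = {i: set() for i in range(len(pairs))}
    for action in actions:
        if action.pair_index not in present:
            raise ValueError(f"action refers to unknown pair {action.pair_index}")
        present[action.pair_index].add(action.category)
    return {i: [c for c in CATEGORIES if c not in seen] for i, seen in present.items()}


def component_hits(pairs):
    """Number of (pair, attribute) combinations that hit each component. A high count
    singles out the component whose Table 4 entries deserve the closest look."""
    hits = Counter({label: 0 for label in COMPONENTS})
    for pair in pairs:
        for labels in pair.affected.values():
            hits.update(labels)
    return dict(hits)


def render_table5(pairs, actions):
    """Plain-text Table 5: a header line plus one line per threat-vulnerability pair."""
    header = "Threat / Vulnerability | " + " | ".join(
        f"{attribute}: {' '.join(COMPONENTS)}" for attribute in ATTRIBUTES) + " | Missing"
    lines = [header]
    gaps = coverage_gaps(pairs, actions)
    for i, row in enumerate(table5_rows(pairs)):
        marks = " | ".join(" ".join("X " if hit else ". " for hit in row[attribute])
                           for attribute in ATTRIBUTES)
        lines.append(f"{row['threat']} / {row['vulnerability']} | {marks} | "
                     f"{', '.join(gaps[i]) or 'none'}")
    return lines


# Constructed sample: the chapter's two worked action plans plus one pair left unaddressed.
SAMPLE_PAIRS = [
    ThreatVulnPair("Information theft", "Weak password implementation",
                   {"Confidentiality": frozenset({"In", "So", "Pe"})}),
    ThreatVulnPair("Theft, modification or outage over the network", "Weak network security",
                   {"Confidentiality": frozenset({"In", "Ha"}),
                    "Integrity": frozenset({"In", "So", "Ha"}),
                    "Availability": frozenset({"Ha", "Se"})}),
    ThreatVulnPair("Fire in the server room", "No fire detection or suppression",
                   {"Availability": frozenset({"Ha", "Se", "Do"})}),
]
SAMPLE_ACTIONS = [
    ActionStatement(0, "Administrative", "Provide appropriate training"),
    ActionStatement(0, "Technical", "Enforce strong password selection through appropriate parameters"),
    ActionStatement(0, "Management", "Ensure that the password policy is approved by management"),
    ActionStatement(0, "Legal", "Define disciplinary action"),
    ActionStatement(1, "Administrative", "Background checks for network administration staff and contractors"),
    ActionStatement(1, "Technical", "Access control lists, firewall, server hardening, IDS"),
    ActionStatement(1, "Management", "Periodic review of security incidents"),
    ActionStatement(1, "Legal", "Non-disclosure agreements with networking staff and contract workers"),
]

if __name__ == "__main__":
    print("\n".join(render_table5(SAMPLE_PAIRS, SAMPLE_ACTIONS)))
    for i, missing in coverage_gaps(SAMPLE_PAIRS, SAMPLE_ACTIONS).items():
        if missing:
            print(f"pair {i} ({SAMPLE_PAIRS[i].threat}): no action statement for {', '.join(missing)}")
    print("component hits:", component_hits(SAMPLE_PAIRS))
```

Run as a script, it prints the three Table 5 rows, flags the fire pair as having no action statement in any category, and shows hardware as the most frequently hit component, which is the signal that its Table 4 entries need the most attention. The same structure scales to a real study: one ThreatVulnPair per row of Table 5 and one ActionStatement per action, with coverage_gaps run before the policies are written so that no pair is carried into the policy set without actions in all four categories.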
Yet another threat could be information theft, unauthorized modification, and non-availability due to weak network security. Then the action plans will be:

⦁ Administrative
− Background check of employees and contractors working in network administration.
⦁ Technical
− Access control lists, firewall, server hardening, IDS, and so on.
⦁ Management
− Periodic review of security incidents.
⦁ Legal requirements
− Appropriate non-disclosure agreements with the networking staff and contract workers.

How Many Policies?

You can classify policies in various groups:

⦁ For a defined target group
− Everyone in the organization
− System managers, administrators
⦁ For specific topics
− Information classification
− Physical and environmental security
− Operations management
− Data communication
− Network security
− Back-up
− Access control
− Password
− Incident management
− Business continuity
⦁ Department specific topics
− Application development
− Compliance

You may be required to define additional policies for particular topics. For example, the topic of access control could spawn many policies, like operating system access control, database access control, remote access control, and so on. Dividing policies into target groups will help you to train the people only for the specific policies.

Writing Procedures and Guidelines

Remember, the how, where, and when will be answered by procedures. We need to write answers to these questions. A procedure is a step-by-step method of “how to do it.” It may be a simple thing such as selecting a password or a complex procedure for defining access control rules on the firewall. The “how” should document the entire procedure in as simple a manner as possible. If appropriate, you may use flow charts or decision tables or any other method to convey the message.

The “where” will describe the location or the workstation or the right place where the procedure will be performed. For example, a fire evacuation test procedure will be performed in the office or the data center. The answer to “when” in this case may be, last Friday of every month, between 3.00 and

Clearly written procedures will be a great help when implementing any policy.

You may also include additional guidelines to supplement the procedures. For example, a guideline on how to select a complex password which is also easy to remember will be greatly appreciated.

You have completed all the back office work. You made your six honest serving men slog day and night. Now is the time to deliver the great meal that you have cooked. Implementation is the hardest part. The acceptance by the organization depends on many factors. You will have to constantly battle with the conflicting demands of security versus ease of use. Implementation cannot be done just by issuing a fiat. Human ingenuity will always find ways of circumventing things which are viewed as obstacles. You have to take the entire organization into confidence.

Implementation at the Top

Where do you begin your efforts? The answer is, as usual, at the very top. Top management has to give its whole-hearted approval to all the policies you have developed. These policies will have proposed many
changes. These changes will be of different types. Some will be mere procedural changes, but some may require a totally new approach. Some changes will be technical in nature, others will be administrative. Changes will affect everyone in some way or another. By proposing the information security policy, we are trying to introduce discipline in handling information for the organization. Discipline brings in restrictions, and restrictions are usually resented, at least in the beginning.

A new information security policy may also require additional investment in people, processes, and technology. You will have to prepare budgets and also do a cost/benefit analysis to justify the expenditure. So, you will have to prepare a full report on the new information security policy and present it to the top management forum. The report should include a complete project plan giving details of the activities required to implement the various policies. These activities will include procurement and implementation of new equipment or techniques such as firewall, IDS, single sign-on, and so forth. It will also include training plans for the entire organization. It will specify how the implementation activities are to be monitored and reported, and answer the most important question that top management loves to ask: what is the return on security investment (ROSI)?

How do you prepare and present the report? Ask our six honest serving men to help us. Explain to top management the answers to the six questions we are so familiar with: what, why, how, who, where, and when, through your report and presentation:

Have we assigned responsibility for each policy?
Where is the implementation planned? Will the implementation happen at all locations or only at selected locations?
When is the implementation planned? Will it be a big-bang approach or a phase-wise approach?

You will have to be very well prepared to defend your proposal. An especially tricky part will be the response to the questions regarding ROSI. You will have to convince top management that avoiding a security incident is much cheaper than paying for the losses that a security incident may cause. The return will be the savings from the potential future losses. Once you have got the approval, you have won half the battle.

The next step will be to prepare a training program especially for top management. You will have to clearly explain their ongoing role in information security for the organization. They will have to lead the organization by setting a good example. If the boss participates in a fire evacuation drill, no one will pretend to be too busy and avoid such exercises. If senior management regularly changes their passwords and learns how to encrypt the data on their laptops, no one will complain about the extra work involved to secure the information. Top management will have to “walk the talk” and demonstrate complete adherence to the information security policy that they have endorsed.
Implementation at the
What are the information security risks that
What is the total investment in security?
What is the ROSI? This is where you will train the actual implemen-
Why are these risks so critical? tation team. The system administrators, network
Why is the business impact due to these risks administrator, and various other operations staff will
not acceptable? be made familiar with the new information secu-
How will information security policies help rity policy. They would be already familiar with the
mitigate these risks? approach. They would be specifically trained on
How much money will be spent in procuring their areas or responsibilities so that they will have
the security products and techniques and an in-depth knowledge of the technology used and
implementing them? the new procedures to be followed. We will seek
How much time and money will be spent on help of our six faithful servants to make sure that
training all the persons in the organization? we do not miss anything of importance. We provide
Who will be responsible for the successful answers to the following questions during the imple-
implementation of these policies? mentation at this level:
What are the new requirements of the information security policy in individual areas of
What are the new products and procedures being implemented?
Why were these products and procedures selected?
How do these products and procedures work?
How do we configure and customize them?
How do we test them?
How do we maintain them?
How do we troubleshoot them?
Who will be responsible for each product and procedure?
Where will the products and procedures be implemented?
When will the products and procedures be operational?

We will have to design the technical training programs for the specific security products and procedures selected for the implementation. The operations persons will have to become very well versed in handling the new security measures. They will also need to be trained on the various reporting and escalation procedures. The incident management and response team will require specialized training. The business continuity and disaster recovery team also will need

All these training programs will have to be completed before the actual implementation. Operations staff should be made responsible for implementing the security controls. This will build their confidence, expertise, and sense of ownership.

Implementation for Everyone

This can only be done by a major drive to educate everyone. The right message should reach the right people. The training programs have to be designed keeping in mind the actual groups being addressed. The trainer has to talk the language of the audience. The same training that goes well with system administrators will be received with stony silence or yawns by the general users. Only the relevant policies and procedures should be covered for each group. You may have to customize the training programs. The application programming group may require different training programs compared to the helpdesk staff.

The training programs should be designed to provide convincing answers to our six questions.

1. What is the objective of information security?
2. Why is it necessary to follow the information security policy of the company? Will something really go wrong if we do not follow the policy? Can you give us some examples?
3. How do we work with all these security controls around us?
4. Who is responsible for information security? Am I really responsible for every piece of information that I access?
5. Where are the security controls? Are they implemented in my area of operation? Are they implemented on e-mail servers, web servers, desktops? Are there physical security controls? Where are they located?
6. When these security controls are going to be

You may devise various ways of delivering the training. It could be classroom training, Web-based e-learning, or video-based training. There should be some amount of interactivity in any type of training. The audience should be made to participate in answering our famous six questions pertaining to the training topics designed for them. If they get involved in answering these questions, they will start appreciating the reason for the policy, the necessity of implementing the procedures and, more importantly, their own role in guarding the information assets of the organization.

You have properly developed the information security policy when the end users can answer the six questions. You have correctly implemented it when they feel responsible for their role.

Avinash Kadam is the Chief Knowledge Resource at MIEL e-Security, a company in the domain of Information Security Consulting, Training, Implementation and Audit. He has worked in the I.T. industry for more than 35 years, of which the past 10 years were totally focused on Information Security. He has handled major information security consulting projects for large organizations.

255 Information Security Policy Development and Implementation