This document discusses how to successfully implement an IT security policy. It begins by defining what an IT security policy is - a written, ever-changing document that explains how an organization will protect its IT assets. It then outlines the importance of such policies for protecting data and controlling access. The document also discusses challenges across the seven domains of IT (user, workstation, LAN, etc.) and how policies can address each domain. It notes some potential barriers to implementation like human factors but emphasizes that successful policies are created, assigned responsibilities, ensure compliance, and are continually maintained. The overall goal is for policies to safeguard organizational data and resources from both internal and external threats.
Running head: A SUCCESSFUL IT SECURITY POLICY
A Successful IT Security Policy
April 19th, 2014
ISSC481- Planning & Policy
John Intindolo
American Public University
Information Technology security policies are used to protect information that is processed by an organization. Without the proper protections in place, that information may become lost, altered, or even stolen. The protection of organizational data is so vital to a business's health that without protection (through the use of IT security policies) the entire organization could crumble. So how does one successfully implement security policies? There is a process to successful implementation for information systems security professionals (tasked with protecting an organization's assets) that begins with understanding exactly what IT security policies are. From there it is important to identify why IT security policies are of such importance, followed by the challenges within the seven domains of IT, issues that may arise with implementation, creating a policy, and last (but most certainly not least) maintaining the policy. Combined, these steps will show how to successfully implement an IT security policy for an organization.
So what exactly are IT security policies? An IT security policy is an ever-changing, written document which explains the requirements necessary to protect an organization's IT assets. The term ever-changing refers to the fact that an IT security policy is never finalized. Instead, the document must be continuously updated to keep up with changes in technology, as well as changes in employee requirements when necessary. The policy essentially explains the culture of an organization. It lets everyone within the organization know, from the CEO down to the mailroom clerk, how organizational data is going to be secured. Furthermore, the security policies not only detail how the data is going to be secured, but they also strengthen the organization's ability to safeguard its information assets while at the same time giving employees secure access as needed. What is the importance of IT security policies?
IT security policies are important to an organization's vitality because they enable data to remain secure at all times. So whether that data is in the form of backups or data that travels across the organization's network, one thing is certain: if security policies are implemented successfully, then the data will always be safe. This is fine when speaking of external threats such as malware attacks from the Internet, but what about a disgruntled employee who has authorized access to important information? To safeguard against an insider threat, policies require monitoring of authorized personnel's activities. This way, if someone is carrying out any form of transgression, they can be discovered before the situation escalates further. Another important role that security policies play is with change. Not change in itself, but rather controlling how things are altered within the organization's IT infrastructure. What are some policies that help to ensure the organization's success?
There are certain policies that not only enable the organization to be protected, but also help the company thrive. Every company wants to know the costs involved with any implementation, so if a policy is able to minimize costs or time it becomes a key component of the organization prospering. For example, risk assessment costs money, which may be reduced by providing controls and procedures to manage the risk; this also enables change to be performed in a controlled manner (Johnson, 2010, p.16). Incident response is another policy which supports operational success, because an incident response plan will let everyone know their role in the event of an attack. This avoids confusion and downtime, which in turn saves the company money that could be allocated to different resources within the organization.
Without policies in place the organization would become chaotic. Flying by the seat of your pants is no way to run a successful organization, and that is exactly what is happening when an organization does not implement IT security policies. People begin to do things that they believe to be right, but making these types of decisions may cost the company money (if it is the wrong decision) or upset the organization's customers (again, if the wrong decision is made). Policies ensure that the business is run smoothly and provide a list of guidelines, or a "connect the dots" setting, for employees to follow. Again, if the policies are not followed, chaos can occur. If there are no policies, then there is no uniform method for employees to follow. In the event of a network intrusion, for instance, an attacker could gain access to more IT resources and data than in an organization that has an incident response plan in place.
A typical IT infrastructure has seven domains, which are as follows: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and System/Application ("Fundamentals of," 2012). There are policies for each of the seven domains listed that offer either a way to protect the domain or a way to control change. In the User Domain there are several policies that can be used to handle the challenges associated with users. An example of this type of policy would be an acceptable use policy, which defines what a user is able to use a company workstation for and how. The Workstation Domain refers to the computers, or even smartphones, on the network. In this domain the controls within the workstation itself are defined. The important step here is to place access controls on the users to prevent an inadvertent download of malicious software. One security measure to take is to install a tool such as the TriGeo Security Information Manager (SIM). SIM provides a thorough view into network events and system logs, and integrates log management and event correlation with added features, such as an onboard intrusion detection system and instant active response to possible threats or suspicious activity ("Security Information," 2010).
The LAN Domain refers to every piece of equipment that is used to make up the company's LAN. Limiting how and which computers are able to communicate with each other is a good way to prevent an intrusion on the network. This is known as segmenting a network, which makes the various levels of trust obvious and "also facilitates identifying the variations in risk related to different classes of computer systems and mitigating these risks through technical measures" (Malin, 2007, p.48). One example of a policy in this domain is an Acceptable Internet Use Policy (AIUP). An AIUP is used to stop Internet misuse in the workplace, including the following: accessing sites unrelated to work, email abuse, online chatting, gaming, and the overuse of the Internet otherwise known as cyberslacking (Siau, Nah, & Teng, 2002, p. 76).
The LAN-to-WAN Domain is where the organization connects its LAN to a WAN such as the Internet. This is dangerous because the Internet is available to anyone in the public and is insecure. A properly designed demilitarized zone (DMZ) solves this issue as well as the issue of protecting internal resources from an internal attack when transmitting data between hosts on the network. In fact, according to Shimonski, "Much of the risk of data loss, corruption, and breach actually exists inside the network perimeter" (2003, p. 25). Security policies provide a guideline on how the DMZ server is configured as well as when security patches will be applied.
In the WAN Domain the challenge for businesses is to keep communication secure when connecting multiple office locations. The commonly used mitigation technique for this issue is a virtual private network, or VPN. As Johnson states, "By setting up network devices at both offices, you can create an encrypted tunnel through the Internet" (2010, p. 73). This works well for large businesses that have multiple locations, for salespeople who are constantly on the road, or even for those who work from home. The Remote Access Domain has all of the issues of the User Domain with the additional requirement of remote authentication, as well as dealing with network connectivity problems. Multi-factor authentication is a good mitigation for this, as is using a VPN to encrypt the tunnel between the remote user's workstation and the WAN. The System/Application Domain encompasses all system and application software issues. Security policies will define a program that is intended to reduce the likelihood of data loss, whether accidental or malicious.
So what stands in the way of implementing a successful IT security policy? There are several things that can hinder the success of a security policy's implementation. One such hindrance is the human element. If everyone within the organization is on board and happy, then there will be no problem with the employees following the security policy. However, what if some employees are unmotivated? This could be for a variety of reasons, which is why it is important that company managers find a way to motivate the individuals who work beneath them. There are several ways to motivate people, including performance-based bonuses (after all, most people are motivated by money), pushing them to strive for success, or even something as simple as thanking them for their hard work and dedication. Sometimes just letting employees know that you see their efforts and appreciate them can go a long way and motivate them to continue to perform at a high level. Another key issue is accountability. If someone makes a mistake that causes a huge problem within the organization, they must own up to that mistake and be held accountable for their actions. If there is no accountability, then the security policy will not succeed.
The next step in the process is to create the IT security policy. When a security policy is created it must first state its purpose and mission. This may include keeping the CIA principles of security (confidentiality, integrity, and availability) intact. The next portion of the policy is the scope, which thoroughly details the extent of the policy. This is also the point where responsibilities are assigned to personnel so that the policy can be implemented. The compliance section explains in detail the guidelines everyone must adhere to under the security policy. It should also list the disciplinary actions that will ensue if an employee does not comply with the policy rules. Maintaining a security policy is a never-ending process, because it needs to change and be updated as the technology does. Additionally, policies need to change when the requirements of the employees change.
To summarize, IT security policies are vital to the health of an organization in that they protect IT assets from both internal and external threats. Without a policy, employees may not be aware of what is or is not acceptable, which could be a recipe for disaster. In order for a policy to be successful, there must be a process that the ISS team (designated to protect assets) follows, involving the following steps: an understanding of IT security policies, the importance of the policy, understanding the challenges within the seven domains of IT, implementation issues, creating a policy, and finally maintaining the policy. Through this process of successful implementation an organization can sleep safe at night knowing that it is taking every measure possible to ensure the safety of its IT assets, and therefore the business itself.
References
Fundamentals of information systems security [PowerPoint slides]. (2012). Retrieved from http://www.ccahs.net/Fundamentals.U1.pdf
Johnson, R. (2010). Security policies and implementation issues. Jones & Bartlett. ISBN 0763791326
Malin, A. (2007). Designing networks that enforce information security policies. Information Systems Security, 16(1), 47-53. doi:10.1080/10658980601051490
Security Information Manager (SIM). (2010). SC Magazine: For IT Security Professionals (15476693), 21(8), 47.
Shimonski, R. (2003). Building DMZs for enterprise networks. Rockland, MA: Syngress Publishing.
Siau, K., Nah, F., & Teng, L. (2002). Acceptable Internet use policy. Communications of the ACM, 45(1), 75-79.