Developing and Maintaining Policies
The following tip is from "7 tips in 7 minutes: The Life Cycle of Internet Access Protection Systems," from Chapter 3 of the book
The Shortcut Guide to Protecting Business Internet Usage, published by Realtimepublishers.
The terms "policies and procedures" sound bureaucratic and, to many, is out of place in the dynamic world of information technology. IT departments are constantly tasked with adapting to new requirements, responding to changing business environments, and meeting aggressive project schedules. It is not uncommon to hear complaints about formal policies and procedures slowing things down—and sometimes they do, but that is not necessarily a bad thing. Policies and procedures define standards and methods for accomplishing specific tasks. In contrast, ad hoc methods tend to "re-invent the wheel," depend upon undocumented practices, and often leave systems more difficult to maintain than they should be.
Policies are statements of objectives and direction that guide implementations. For example, an organization might have a policy that all sensitive data that leaves the internal network should be strongly encrypted. Procedures are step-by-step instructions for implementing a policy. In the example just mentioned, a procedure for encrypting sensitive information on mobile devices might include the installation of a program that automatically encrypts all data stored on the devices long-term storage mechanism.
From an information asset protection perspective, several policies should be defined, including those that define:
Acceptable use—Who is allowed to use the organization's information systems? For what purpose? Under what conditions?
Access control standards—How are users authenticated to systems? What are password standards? How are users assigned to security roles? Who has authority to change access privileges?
Anti-malware practices—What anti-malware software should be used? How frequently should full scans be performed? How frequently should devices check for updates? Who is responsible for responding if a malware attack is detected?
Audit and vulnerability assessment procedures—What topics should be examined in an information security audit? How frequently should they be conducted? How should vulnerability assessments be performed? How should detected problems be remediated?
Client device security—What security programs must run on client devices? What specialized restrictions apply to notebooks, PDAs, smart phones, and other mobile devices? What privileges are users granted to modify their local machines? Is the use of USB memory devices allowed?
Email use and retention policies—What is the acceptable use of email systems? How should incoming and outgoing email be scanned? What are quarantine procedures for potentially malicious code or inappropriate content?
Encryption use—When should encryption be used? What algorithms and key lengths should be used? How should keys be stored and distributed?
Information privacy—What information is considered private, confidential, or sensitive? What are the rules for disclosing such information? In what situations should personally identifying information, such as Social Security numbers, be collected? What regulations and corporate governance policies apply to privacy protections in information systems?
Risk analysis—How should information assets be valued? What are the organization's levels of risk tolerance?
Server security—How should servers be locked down? What OS services should be allowed to execute? What restrictions are applied to servers that are accessible directly from the Internet, for example, those in a DMZ?
Wireless security—Under what conditions are wireless access points deployed? Which wireless security protocols will be used? How will rogue devices be detected?
It might be difficult o develop polices for all of these areas immediately. Start with the acceptable use policy, access control standards, anti-malware, and information privacy area. If wireless devices are used in your organization, develop a wireless security policy as soon as possible. As with any aspect of security, you must prioritize based on the needs of your organization. There are other areas that warrant formal policies—for example, when virtual private networks (VPNs) are used, when third parties are granted access to key applications, and when procuring IT assets. Policies serve a unifying purpose by describing what is to be accomplished; this is especially important when multipoint solutions are deployed.
This was first published in January 2007