By Harris Weisman
In a way, your information security operation is like a crew boat. It operates most efficiently and effectively when everything is in harmony. To make sure the metaphorical oars all hit the water at the exact same time, you need to establish some rules. Forget about a coxswain; sound policies and strong management systems steer your crew.
Part of managing risk requires periodically evaluating your policies and your enforcement program, and updating the guidelines and technology that ensure employee and system adherence to them. Similarly, vendors now offer products that can convert policies into specific configuration criteria and commands.
Policy management isn't just a matter of good practice -- today's regulatory requirements make it an imperative. You can create and manage policy manually, or you can turn to automated tools that implement controls enabling them to adhere to various regulations. Either way, by taking steps to ensure policies are established and managed consistently, you can steer swiftly through threats of security breaches, regulatory glitches and failed audits.
Setting the rules
When it comes to writing policies, there are many resources available, including the SANS Institute's Security Policy Project and the ISO 17799 security standard, which provides a policy framework. A number of organizations, mostly colleges and universities, have posted their infosecurity policies on the Internet, which can provide helpful sample materials.
If you don't want to write your policies from scratch, there are a number of vendors that provide canned policies; however, they tend to be generic and must be tailored to be effective. No matter what route you take, make sure the policies fit your organization -- those that don't meet an organization's needs are often neglected, exposing the enterprise to risk.
Also, it's critical that policies not be too specific -- let the details be addressed in subsequent procedures and guidelines. In policy development, policies should not need to be rewritten every time something changes: If you change your antivirus solution, you should not need to change your antivirus policy, although you may need to modify your antivirus procedure.
Keeping policies as nonspecific as possible will also help your organization deal with emerging threats. If a policy is too specific, it will need to be rewritten every time a threat emerges.
A policy should outline how to assess threats; procedures or guidelines can then be created to handle attacks as they develop. If policies are written openly without naming or describing specific attack vectors, such as spyware or phishing, they will help give your IT security the advantage by establishing criteria for recognizing possible problems, such as abnormal network traffic.
Once policies are established, you need to figure out how to use them to best manage your enterprise's information security posture. (Everyone has a different definition of policy management. For our purposes, policy management is the conversion of policies into practical and enforceable controls that can be implemented across the enterprise.)
To have an effective policy management solution, several key support mechanisms must be in place:
- Employees must be subject to a communication and training program. Staff members cannot be expected to comply with policies if they don't understand them; training also provides a way for them to provide feedback on what is and isn't working.
- Management must enforce the policies in a consistent manner across the enterprise; otherwise, employees will not take the policies seriously. Work with your human resources department on how to handle enforcement. At the very least, HR should always be informed when enforcement issues arise.
- Metrics must be developed to measure policy effectiveness. Metrics can be tricky, particularly in the security space (after all, if there's no breach, you have done your job properly). Metrics can examine how many users are being blocked from inappropriate Web sites, the number of viruses blocked in a given time period and the overall strength of user passwords.
- Implement a maintenance schedule to ensure that policies are reviewed and updated on a regular basis. Most regulators like to see this happen on a yearly basis.
Most importantly, an organization needs to decide what it's trying to accomplish through a policy management program. Will the program focus on a limited number of areas, such as access control or antivirus, or will it be deployed enterprise-wide? Is the program designed to meet compliance issues from SOX, GLBA or HIPAA, and, if so, will you need a system to measure compliance?
The manual way
There are two approaches to developing a policy management program: manual and automated. With the former, there is manual intervention to track adherence to the policies. For the latter, software tools are used to enforce policy compliance.
The first step in developing a manual policy management solution is creating a set of procedures that reflects your policies' goals. Keep the policies as high level as possible; the procedures and guidelines will provide the details necessary for day-to-day operations.
Some typical procedures include antivirus, password aging and log monitoring. Each procedure/guideline is an interpretation of a specific section of the policy and is used as criteria for implementing and configuring specific software solutions.
Using our procedure example, the antivirus policy sets the tone by establishing that an antivirus solution will be used within the enterprise. The antivirus procedure will outline exactly how the policy will be enforced, addressing issues such as updates and outbreak response. Normally, that is managed by a central console and the rules are pushed out to workstations and servers.
An acceptable-use policy is interpreted in several procedures that address email usage, data storage and Internet usage, among other activities. A Web usage procedure outlines which sites employees are allowed to visit, what type of technology -- such as Web content filtering -- will be in place to enforce the restrictions and how often the logs on the devices are checked.
Another example is the password-aging setting in Microsoft Windows. If the policy requires complex passwords, the guideline dictates the maximum age of a password, and Active Directory will be set to the maximum password life.
It's easy to see how information security policies can be used to create practical and enforceable controls for managing the enterprise. However, this process is extremely hands-on -- someone has to intervene to correlate the data between the various control points, including antivirus programs, IDSes, firewalls and authentication systems such as Active Directory. Manually monitoring for policy compliance can be quite cumbersome. Potential problems include the following:
- The antivirus management console could occasionally lose connectivity with individual servers or workstations, leaving an exposure point on the corporate network. Detecting this policy deviation and correcting it can be extremely time-consuming.
- It's not unheard of for content management providers to misclassify Web sites. For example, chocolate-maker The Hershey Company's site was once misclassified as pornographic. This type of error can lead to false positives and, if the site is not classified at all, can give users a way to bypass the system. Monitoring this control is time-consuming and frustrating. Plus, managing user exceptions -- those who can bypass the filtering system to conduct research -- complicates matters by creating a need to track exceptions for compliance reporting.
- Although systems like Active Directory can stipulate that users have complex passwords, it is possible to bypass the intent of the control, resulting in the user having a weak password. Because of this, it's important for security administrators to occasionally audit users' passwords with a password-cracking tool.
Automation to the rescue
The time and effort involved in manual policy management can make automated tools an attractive alternative, especially for large organizations.
In recent years, several vendors have come to market with policy management solutions, including Elemental Security, Solsoft and BindView (acquired by Symantec earlier this year). Most of these vendors' products couple the creation of policies with management software. Essentially, managers create the policies, and the software enforces them and measures compliance.
Elemental Security takes a host-centric view of policy management, implementing polices into servers and workstations on the network. Solsoft uses a network-centric approach by applying policies to network devices. BindView takes a host-based view, but also has an add-on component that helps write policies, push them out to users, and track user acceptance and exceptions.
Automated tools work by taking your security policies and procedures and implementing them into control points. As noted, some tools operate by controlling network devices -- they convert policies into configuration criteria for network devices, such as routers. With host-based tools, policy is converted into configuration commands.
What is especially helpful about some policy management products is that they provide the templates for different standards, such as ISO 17799 and CobiT, and cross-correlate them with relevant regulations. With the templates provided, you can choose the policies necessary for your organization.
Another noteworthy feature of many policy management products is that they integrate across the enterprise, pulling data from a variety of sources, including backup, antivirus, content filtering solutions, firewalls, operating systems and routers; these data feeds should reduce the amount of data the user has to sift through. Some automated tools also integrate vulnerability management, keeping systems up to date and addressing emerging threats and zero-day exploits.
The ability of policy management tools to automatically correlate large amounts of disparate data can also facilitate regulatory compliance and reporting since it allows users to pull compliance data for specific regulations. A major complaint among security professionals is the redundant requests for the same audit-related information from external auditors, internal auditors and government regulators. Instead of having to complete several different audits that address similar issues, these tools allow you to generate reports tailored for different groups.
Automated policy management tools can also monitor for violations and track policy exceptions. A key benefit is that all reports are consolidated into one management console, making them easier to track than with the manual approach. But they are not really active monitoring products -- they won't act like a fire alarm. Symantec, however, plans to integrate BindView with technology that manages incidents; other tools are designed to integrate with security event management products.
None of the products are plug-and-play -- all take time to implement; some even require companies to convert their policies into a specific format. Implementation times vary depending on the product and the state of the organization's policies.
Along with implementation times, software cost is a key consideration with automated tools. For instance, the Elemental Security Platform 2.0 starts at about $35,000 with server agents costing around $600; workstation and laptop agents cost $60.
Which Is best?
Both the manual and automated approaches can do the job well, but they clearly have limitations. In a large enterprise, automated policy management tools can be a tremendous help. But for smaller organizations, they may not be worth the cost.
Another possible problem with automated tools is that, instead of making customized policies for the enterprise, users can modify the company to fit the policies. Right now, many automated products are limited in scope by only taking a slice of the pie -- either the network- or host-based approach. To truly be effective, a policy management solution needs both. Symantec is moving in that direction, with plans to add a network-based component.
Policy development and policy management are a complex series of daily tasks, but companies must face the challenge. As our IT infrastructure becomes more complicated and threats continue to grow, we will increase our reliance on manual and automated tools to enforce policies and report on compliance. As policy management products continue to mature, we will see automated tools that are better equipped to deal with the problem holistically, and hopefully prices will drop to where businesses of any size can afford to implement them.
To be sure, effective policy management will only become even more critical in the future.
About the author
Harris Weisman is information systems security manager at Chemung Canal Trust Company in New York.
IT SECURITY POLICY MANAGEMENT
Introduction: IT security policy management
Defining IT security policy roles
Planning for an effective IT security policy
Setting up an IT security policy
Implementing a group IT security policy
Managing change in IT security policies
IT security policy management: Manual vs. automated tools