Writing policies that demonstrate compliance

When practitioners write information security policies, they should push management to consider the implications of using different compliance auditing technologies, such as the up-front costs for initial deployment, the on-going costs of operation and maintenance, and the costs of demonstrating compliance. Before going into these matters, to determine the extent to which compliance exists, it is first important to distinguish three different types of control environments.

• Is your company's information security resting on the wrong shoulders?
• Find out who is responsible for developing your company's security policies.
• Learn how policies can bring management into the information security loop.

• The first type of control environment is built so there is no need for periodically gathered compliance data. In these situations, controls often permit only the previously approved uses of certain types of information. For example, a digital rights management (DRM) system can be used to prevent anybody except those using specific desktop computer systems from displaying a readable version of certain sensitive information. Whatever the control environment, there will always be ways that security systems such as this can be broken, but the need in this type of control environment is for good problem-reporting systems, not compliance checking. In this case, problem-reporting systems would be able to deal with matters such as secondary dissemination, where an authorized person passed information to an unauthorized person. There is no need to have a compliance checking system to see whether the encryption routines in the DRM system were operating correctly.
• The second type of control environment provides indicators that can definitively show whether security policies are being observed. For example, a systems administrator should be following established policies and procedures when configuring operating systems, including installing patches and upgrades. Whether this has been done can be readily observed with vulnerability identification software. Another example involves fixed passwords chosen by end-users. Software can readily determine whether the users have followed a strong password policy. If passwords are easy-to-guess, the users are automatically notified that they need to change their passwords. Reports reflecting compliance in both of these examples are relatively inexpensive to automatically generate.
• The third type of control environment has few definitive types of evidence that can be examined to demonstrate compliance. For example, a data classification policy can define what types of information should be strictly kept within the organization. In the absence of a serious problem, such as a competitor using an internal trade secret for their own product, management will never know whether workers are observing this policy. While management could instruct auditors to interview workers about their knowledge and compliance with a policy like this, respondents would be unlikely to realistically and candidly respond.

Promote TCO
Without question, the control environments that don't require periodic compliance checking are the most expensive to initially deploy. Naturally, the environments involving the most difficult-to-perform and most-expensive compliance checking are the least expensive to initially deploy. When making decisions about policies that require the use of certain controls, management is often not aware of this important trade-off or of the total cost of adopting a particular control. Often, management is presented with the purchase cost, such as the license fee for a security software package, but not any credible estimate of the costs to maintain and operate this software, let alone the costs to perform compliance checks to ensure that it is operating correctly. Therefore, when practitioners write policies, they need to foster more of a total-cost-of-ownership (TCO) approach to controls, so management can clearly see the big picture.

This big picture in turn should provide management with an understanding that they often face a "pay me now, or pay me later" situation. In other words, if they skimp on the initial costs for security, they will pay later because compliance checking will be difficult and relatively expensive. However, if they pay a significant amount for security up-front, they will enjoy on-going operational and compliance checking costs that are significantly reduced.

About the author:
Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, Calif.. He specializes in the development of information security documents including policies, standards, procedures and job descriptions. He is also the author of the book and CD-ROM entitled Information Security Policies Made Easy.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Compliance Counselor,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Identity lifecycle management for security and compliance Interpreting 'risk' in the Massachusetts data protection law FTC Red Flags Rules: How to create an identity theft prevention plan Creating a HIPAA employee training program Data protection tips for corporate compliance leaders PCI DSS compliance requirements: Ensuring data integrity Understanding PCI DSS compliance requirements for log management Are 'strong authentication' methods strong enough for compliance? Strategies for using technology to enable automated compliance Common PCI questions: Web application firewalls or source code review? Information Security Policies, Procedures and Guidelines How to protect distributed information flows Essential guide: Pandemic planning for H1N1 Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says Expert: Information security spending often restricts innovation RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.