Effective information security programs rest on well-written policy statements
The cornerstones of effective information security programs are well-written policy statements. Policy is the wellspring of all other directives, standards, procedures, guidelines, and supporting documents. As with any assessment process, it is important to ensure that policies establish the direction management wants to go with regard to security.
When reviewing policies, Thomas R. Peltier, in his book Managing a Network Vulnerability Assessment, notes that it is necessary to remember that there are three general types of policies:
General or global policies.
These are high-level policy statements that define the intent of a specific topic and its scope within the organization. They also assign responsibilities for implementation of, and compliance with, the policy. Typical information security general or global policies include:
• Information security policy
• Information classification policy
• Business continuity planning
Topic-specific policies.
Key component areas of information technology and information security are addressed in topic-specific policies. Unlike the general or global policies, topic-specific policies narrow the focus to one issue at a time. Typical subjects for topic-specific policies include:
• Physical security
• Equipment security
• Network access controls
• Media disposal
• User access
• Technology disaster recovery plan
System- and application-specific policies.
These policies focus on one specific system or application. As an organization's security architecture takes shape, the final element is the translation of program and topic-specific policies to the application and system level. Typical subjects for application-specific policies include:
• E-mail usage
• Internet usage
• Anti-virus programs
The components of a program policy should include:
The topic portion of the policy normally defines the goals of the program. When discussing information, most program policies concentrate on protecting the confidentiality, integrity, availability, and authenticity of the information resources. Additionally, the policy will attempt to establish that information is an item of value to the enterprise and, as such, must be protected from unauthorized access, modification, disclosure, and destruction, whether accidental or deliberate.
The scope is a way to broaden or narrow the topic, such as "all information wherever stored and however generated." This would expand a topic on information security, whereas a statement such as "computer-generated data only" would sharply narrow the topic's scope. The scope statement can also broaden or narrow the audience affected by the policy. For example, the statement "the policy is intended for all employees" takes in nearly everyone working for the enterprise, whereas "personnel with access to top-secret information" would limit the audience.
The responsibilities section of the policy typically identifies who is responsible for what actions. The identification is done using job titles, not actual names. For a policy on information classification, the roles can be described as owner, custodian, and user. For a policy to be correct, ensure that it states which individuals or groups of people are responsible for which actions.