Security Policies and Procedures : Principles and Practices


Chapter 1: Definition of Policy

Objectives

- Describe the cultural significance of policies
- Recognize the role policy plays in government
- Evaluate the role policy plays in corporate culture
- Identify how federal regulations apply to corporations and other organizations
- Apply the psychology of policy
- Introduce a policy successfully
- Achieve acceptance of policy
- Enforce a policy

Introduction

Policy: "a definite course of action or procedure selected from among alternatives and in light of given conditions to guide and determine present and future decisions" (per www.merriamwebster.com)

Defining Policy

Information Security Policy: a document that states how an organization plans to protect its tangible and intangible information assets.

Components of an Information Security Policy include:

- Acceptable Internet Use Policy
- Non-Disclosure Agreement
- Password Policy
- Backup Policy

Defining Policy Cont.

What is an Information Asset? Any information item, regardless of storage format, that represents value to the organization is considered an Information Asset.

Defining Policy Cont.

Tangible vs. Intangible Information Assets: Tangible information assets are assets that are physical in nature, that can be "touched".

Tangible information assets include:

- Facilities
- Hardware
- Software

Defining Policy Cont.

Tangible vs. Intangible Information Assets: Intangible information assets are defined as the business-critical body of information a company requires to conduct business.

Intangible information assets include:

- Reputation
- Intellectual property
- Intellectual capital

Defining Policy Cont.

The goal of information security policies is to protect information and, by doing so, to protect:

- The company
- The company's partners
- The company's clients

Defining Policy Cont.

Information exists in three different states:

- Where and how it is stored
- Where and how it is processed
- Where and how it is transmitted

Defining Policy Cont.

Information resides in three different places:

- Information Technology Systems
- Paper
- Human Brain

Looking at Policy through the Ages

The role of the Torah and Bible as written policy:

- 3000-year-old documents include business rules still in practice today
- First documented attempt at creating a code to preserve order

Looking at Policy through the Ages Cont.

The US Constitution as a Policy Revolution:

- A collection of articles and amendments that codify all aspects of American government along with citizens' rights and responsibilities
- A rule set with a built-in mechanism for change

Defining the Role of Policy in Government

Why do governments use policies?

- To specify actions, decisions and responses for specific situations
- A policy for each government area

Areas include, among many others, Foreign Policy, Education and Health Care.

Defining the Role of Policy in Government Cont.

Laws in relationship to policy:

- Laws define what may or may not be done in a given society, along with the consequences of acting against the agreed-upon legislative written text
- Not unlike policies, laws must be accepted, enforced, fair, impartial and consistent
- There is a clear parallel between governments and organizations in their need for policies

Defining the Role of Policy in Corporate Culture

What is a corporate culture? A combination of a shared set of attitudes, values, goals and practices that characterize an organization.

Defining the Role of Policy in Corporate Culture Cont.

How do policies contribute to the success of an organization?

- By supporting the defined goal of the organization
- By providing consistency in the services, products and culture within the organization
- By protecting the assets of the organization

Consistency in Services, Products, and Corporate Culture

Policies must be fair and consistent. The same violation should yield the same punishment, regardless of who the employee is and what their function is.

Impact of inconsistent policies and policy enforcement:

- A negative effect on employee morale
- Possible legal repercussions

Complying with Government Policies

It is the responsibility of all businesses to understand what federal mandate they may fall under.

Examples of federal mandates include:

- HIPAA
- GLBA

If necessary, organizations should retain expert, third-party assistance to assure compliance.

Understanding the Psychology of Policy

Policies should be implemented in a way that promotes acceptance:

- People at all levels of the organization should be involved in the creation of the policy
- Key employees must be identified
- Significant roles must be identified
- Change Drivers must be monitored and integrated in the policy-making process

Introducing a Policy

Two action items:

- Getting approval from senior management
- Introducing the actual policy to the whole organization

Achieving Acceptance of the Policy

- True Leadership starts at the top: do as I do vs. do as I say
- Repetition is the mother of all learning: regularly remind employees of security-centric topics
- Keep the policy updated: some obsolete content may lead to complete disregard of the whole document

Enforcing Information Security Policies

A lack of policy enforcement leads to a loss of credibility.

- Behavioral Policies: maintain consistency and fairness in enforcing policies
- Technical Policies: use built-in and 3rd-party solutions to automate policy enforcement

Summary

Policies apply to governments as well as to business organizations. When people are grouped to achieve a common goal, policies provide a framework that guides the company and protects the assets of that company. The policy must follow creation, distribution and maintenance guidelines to ensure its acceptance and ultimately its success in protecting the organization, its partners, and its clients.