Fri Apr 8 06:47:17 PDT 2016

Management: Policy: What information security policies are needed and used?


Option 1: No security policies at all.
Option 2: Acceptable use policies.
Option 3: Legal and regulatory related policies.
Option 4: A wide array of standards-based and other policies.
Option 5: A policy based on a single well-recognized standard.

Policies have been checked for {Inconsistency / Circularity / Redundancy} and reconciled to eliminate all of these conditions.

Policies have been mapped into relevant {Standards / Requirements / Control standards / Procedures} and consistency established against all of these.

Identify standards covered by existing policy elements:

  • COSO
  • ISO-27001 (ISMS)
  • ISO-27002
  • CoBit
  • ITIL
  • ISO 27001
  • The Standards of Practice of this assessment
  • ISO 15489-1
  • All relevant government standards
  • Relevant industry-specific standards


No security policies at all

Policy free environments are the nicest ones to live in, until someone does something they aren't supposed to. When they do, the presence of an acceptable use policy can be the difference between legal liability and none, between termination for cause and retention of an employee you would rather not have, and between successful protection of your business and its loss.

Acceptable use policies.

An acceptable use policy is adequate for information protection issues for most small to medium sized businesses. Typically these policies include but are not limited to: (1) declaration that this is a Federal Interest Computer system and network, (2) that it is for authorized use only, (3) that there is no expectation of privacy, (4) that no solicitation is permitted, (5) that testing of security is only permitted by those authorized to do so, and (6) that response can and will range from nothing to termination to legal action at the sole discretion of management. Additional policies are required surrounding HR, legal issues, and all other aspects of employment, but they are not information protection specific.

Legal and regulatory related policies.

Regulatory compliance mandates some policies, including a policy that states that all regulatory and legal requirements will be fulfilled. Regulations like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act of 1999 (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), the Red Flags Rule, and others require that notice of various kinds be provided and that specific policies about separation of different kinds of data, data retention, and nondisclosure be in place. The specifics are called out in each regulatory scheme, and each should be followed to the letter of the law whenever possible in order to assure that negligence is not chargeable.

A wide array of standards-based and other policies.

Big-time information security policies are for companies with a lot of intellectual property or high information technology related consequences. These companies often have anywhere from 40 to 200 policy elements, sometimes have different and inconsistent policies for different divisions, and often do not track those policies and their proliferation in a meaningful way. They produce policy in response to situations without integrating those policies with other policies, and rarely update existing policies over time. This situation ultimately leads to large policy holes where different policies refer to each other for policy elements that don't actually exist anywhere. They often have inconsistent coverage of the same policy issue in many places because they are not tracking to standards, and because they are writing policies that cover specific sorts of systems rather than creating broad policies and using control standards to specify policy implementation in specific systems.

A policy based on a single well-recognized standard.

For these situations, it is best to do a comprehensive policy reconciliation and rewrite. Proper reconciliation can be done for as little as $2500 per existing policy and produces a policy map that brings clarity to the existing policies and their coverage. From there, a by-reference policy rewrite mapping existing policies into a selected standard typically takes a week or two of effort and a rewrite of policy from the by-reference policy takes another week. The result is typically a new comprehensive and consistent policy that retains all of the existing policy elements but is simpler and more easily understood and tracked. The elements of policy that rightly belonged in control standards are left for ongoing use at the next level of detail.

Policies form the basis upon which governance operates. The governance issues in very small businesses tend to be minimal because everyone knows everyone else and what they are doing. But as businesses grow in size, increasing amounts of governance are required. Even the largest company may properly have only minimal information security policies for most employees if there is little in the way of intellectual property being protected. Generally, governance is best when it governs least. Only put in place policies you need.

Inconsistency: Policies are often inconsistent in that one policy requires or encourages an action prohibited or discouraged by another. Policies should be reconciled and inconsistencies eliminated.

Circularity: Policies sometimes refer to other policies or document elements that themselves refer onward, and so on, in a circular manner. Such circularities are vacuous even if they appear to state something at first glance. They should be sought out and reconciled, either to form a non-vacuous policy element or to eliminate the element in all of its component parts.

Incompleteness: Policies often refer to other policies or document elements that don't exist. Such policy elements should be reconciled and either state policy directly or fill in the referenced policy element.

Redundancy: Policies are sometimes redundant. While this is not strictly speaking a problem, it creates a situation in which policy changes tend to produce inconsistency, circularity, or incompleteness over time.

Mapping: Mapping policy into relevant standards, requirements, control standards, and procedures provides a way to demonstrate and assure that policies are being acted upon and that the things being acted upon are codified in policies. Consistency checking against all of these helps to assure that policy is not violated by these other instruments of policy, and thus reduces errors, omissions, and liabilities.
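The reconciliation checks described above (circularity, incompleteness, redundancy) and the mapping check, worked through as an added example over a constructed policy set; this is not the assessment's own tooling, and the policy names, statements and references are hypothetical:

```python
from collections import defaultdict

# Constructed policy set (hypothetical): element -> (statement, elements it
# refers to, instruments it is mapped into: S/R/C/P as in the text above).
POLICIES = {
    "Acceptable Use": ("Systems are for authorized use only.", ["Email Use"], {"S", "R"}),
    "Email Use": ("Email is covered by the retention rules.", ["Content Retention"], set()),
    "Content Retention": ("Retention follows the email rules.", ["Email Use"], {"S"}),
    "Remote Access": ("Remote users follow the password rules.", ["Password Management"], {"C"}),
    "Encryption": ("Stored content shall be encrypted.", [], {"S", "C"}),
    "Storage Encryption": ("Stored content shall be encrypted.", [], {"S", "C"}),
}

def find_incomplete(policies):
    """Incompleteness: references to elements that exist nowhere."""
    return sorted((name, ref) for name, (_, refs, _) in policies.items()
                  for ref in refs if ref not in policies)

def find_circular(policies):
    """Circularity: reference chains that lead back to an element on the chain."""
    cycles, state = [], {}          # state: 1 = on the current path, 2 = finished
    def visit(name, path):
        state[name] = 1
        for ref in policies[name][1]:
            if ref not in policies:
                continue            # dangling references are reported by find_incomplete
            if state.get(ref) == 1:
                cycles.append(tuple(path[path.index(ref):]))   # the vacuous loop itself
            elif ref not in state:
                visit(ref, path + [ref])
        state[name] = 2
    for name in policies:
        if name not in state:
            visit(name, [name])
    return cycles

def find_redundant(policies):
    """Redundancy: distinct elements whose statements are the same after whitespace/case normalization."""
    by_text = defaultdict(list)
    for name, (text, _, _) in policies.items():
        by_text[" ".join(text.lower().split())].append(name)
    return sorted(tuple(names) for names in by_text.values() if len(names) > 1)

def find_unmapped(policies):
    """Mapping: elements not tied to any standard, requirement, control standard or procedure."""
    return sorted(name for name, (_, _, maps) in policies.items() if not maps)

if __name__ == "__main__":
    for check in (find_incomplete, find_circular, find_redundant, find_unmapped):
        print(check.__name__, "->", check(POLICIES))
```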

Some policy elements that should normally be present include:

Policy element | Exists? | Checked? | Mapped? | Type
Location requirements for systems, content, users, and use | Y/N | I/C/R/N | S/R/C/P/N | UO
Use of outside security expertise | Y/N | I/C/R/N | S/R/C/P/N | SO
Mobility of workforce, systems, content, and use | Y/N | I/C/R/N | S/R/C/P/N | UO
Workforce outsourcing | Y/N | I/C/R/N | S/R/C/P/N | O
Technology outsourcing | Y/N | I/C/R/N | S/R/C/P/N | O
Content outsourcing | Y/N | I/C/R/N | S/R/C/P/N | O
Duty to protect prioritization, creation, maintenance, application, and verification | Y/N | I/C/R/N | S/R/C/P/N | RO
Risk management definitions, methods, decision-making, recording, and implementation | Y/N | I/C/R/N | S/R/C/P/N | SO
Interdependencies, risk aggregation, thresholds of responsibility, and decision process | Y/N | I/C/R/N | S/R/C/P/N | O
Separation of duties in information- and technology-related areas | Y/N | I/C/R/N | S/R/C/P/N | O
Surety matching to risk | Y/N | I/C/R/N | S/R/C/P/N | O
Risk change management | Y/N | I/C/R/N | S/R/C/P/N | O
Protection lead roles, responsibilities, power, and influence | Y/N | I/C/R/N | S/R/C/P/N | O
Control architecture formation, elements, and changes | Y/N | I/C/R/N | S/R/C/P/N | O
Information and technology related inventory and valuation | Y/N | I/C/R/N | S/R/C/P/N | O
Workflows associated with protection | Y/N | I/C/R/N | S/R/C/P/N | O
Lifecycle elements and protection requirements | Y/N | I/C/R/N | S/R/C/P/N | O
Zoning (network, system, people) | Y/N | I/C/R/N | S/R/C/P/N | O
Access and connection facilitation and control | Y/N | I/C/R/N | S/R/C/P/N | UO
Incident management including deterrence, intervention, detection, response, adaptation, deception, and communication | Y/N | I/C/R/N | S/R/C/P/N | O
Content controls in use, storage, and motion | Y/N | I/C/R/N | S/R/C/P/N | RO
Control of desired and undesired content | Y/N | I/C/R/N | S/R/C/P/N | O
Version control, change control, and backout processes | Y/N | I/C/R/N | S/R/C/P/N | SO
Content retention and disposition | Y/N | I/C/R/N | S/R/C/P/N | RSO
Intellectual property protection | Y/N | I/C/R/N | S/R/C/P/N | RSO
Intelligence and counter-intelligence controls and activities | Y/N | I/C/R/N | S/R/C/P/N | O
Human factors in the protection program | Y/N | I/C/R/N | S/R/C/P/N | O
Redundancy in operations including people, content, and things | Y/N | I/C/R/N | S/R/C/P/N | SO
Business continuity and disaster recovery | Y/N | I/C/R/N | S/R/C/P/N | SO
Redundancy application to interdependencies and risk aggregation | Y/N | I/C/R/N | S/R/C/P/N | O
Data center and facility redundancy | Y/N | I/C/R/N | S/R/C/P/N | O
Backup creation, storage, movement, transmission, location, distance, frequency, content, verification, and protection | Y/N | I/C/R/N | S/R/C/P/N | RSO
Recovery from and testing of backup and recovery processes | Y/N | I/C/R/N | S/R/C/P/N | SO
Informational perimeters | Y/N | I/C/R/N | S/R/C/P/N | O
Physical perimeters | Y/N | I/C/R/N | S/R/C/P/N | SO
Acceptable use | Y/N | I/C/R/N | S/R/C/P/N | U
Email use and protection | Y/N | I/C/R/N | S/R/C/P/N | U
Security and privacy | Y/N | I/C/R/N | S/R/C/P/N | RS
Awareness-training program | Y/N | I/C/R/N | S/R/C/P/N | SO
Business continuity management | Y/N | I/C/R/N | S/R/C/P/N | RSO
Change control | Y/N | I/C/R/N | S/R/C/P/N | SO
Protection assessment | Y/N | I/C/R/N | S/R/C/P/N | SO
Protection compliance | Y/N | I/C/R/N | S/R/C/P/N | R
Computer and network management | Y/N | I/C/R/N | S/R/C/P/N | SO
Electronic access control | Y/N | I/C/R/N | S/R/C/P/N | RSO
Encryption | Y/N | I/C/R/N | S/R/C/P/N | RSO
Incident response | Y/N | I/C/R/N | S/R/C/P/N | SO
Information asset classification | Y/N | I/C/R/N | S/R/C/P/N | SO
Information asset protection | Y/N | I/C/R/N | S/R/C/P/N | SO
Password management | Y/N | I/C/R/N | S/R/C/P/N | SO
Personnel security and hiring standards | Y/N | I/C/R/N | S/R/C/P/N | RSO
Physical access | Y/N | I/C/R/N | S/R/C/P/N | RSO
Privacy and confidentiality | Y/N | I/C/R/N | S/R/C/P/N | RSO
Remote access | Y/N | I/C/R/N | S/R/C/P/N | USO
Systems development and maintenance | Y/N | I/C/R/N | S/R/C/P/N | SO
Vendor/third party management | Y/N | I/C/R/N | S/R/C/P/N | RSO
Web application security | Y/N | I/C/R/N | S/R/C/P/N | SO
Virus protection | Y/N | I/C/R/N | S/R/C/P/N | SO
Policy elements
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved