Mon Sep 29 18:51:59 PDT 2014

Management: Policy: What information security policies are needed and used?


Option 1: No security policies at all.
Option 2: Acceptable use policies.
Option 3: Legal and regulatory related policies.
Option 4: A wide array of standards-based and other policies.
Option 5: A policy based on a single well-recognized standard.


IF maturity level is None or Initial THEN use no security policies at all.
OTHERWISE IF no regulatory mandates apply to the enterprise THEN use acceptable use policies.
OTHERWISE IF the enterprise is small or medium AND maturity level is below Defined AND regulatory mandates apply to the enterprise THEN use legal and regulatory related policies AND acceptable use policies.
OTHERWISE IF the enterprise is large OR maturity level is Managed or higher THEN use a wide array of standards-based and other policies AND use legal and regulatory related policies.
OTHERWISE use a policy based on a single well-recognized standard, preferably ISO 27001 and ISO 27002.


No security policies at all

Policy-free environments are the nicest ones to live in, until someone does something they aren't supposed to. When they do, the presence of an acceptable use policy can be the difference between legal liability and none, between termination for cause and retention of an employee you would rather not have, and between successful protection of your business and its loss.

Acceptable use policies

An acceptable use policy is adequate for information protection issues for most small to medium sized businesses. Typically these policies include but are not limited to: (1) declaration that this is a Federal Interest Computer system and network, (2) that it is for authorized use only, (3) that there is no expectation of privacy, (4) that no solicitation is permitted, (5) that testing of security is only permitted by those authorized to do so, and (6) that response can and will range from nothing to termination to legal action at the sole discretion of management. Additional policies are required surrounding HR, legal issues, and all other aspects of employment, but they are not information protection specific.

Legal and regulatory related policies

Regulatory compliance mandates some policies, including a policy that states that all regulatory and legal requirements will be fulfilled. Regulations like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act of 1999 (GLBA), the Red Flags Rule, and others, along with contractual standards like the Payment Card Industry Data Security Standard (PCI DSS), require that notice of various kinds be provided and that specific policies about separation of different kinds of data, data retention, and nondisclosure be in place. The specifics are called out in each regulatory scheme, and each should be followed to the letter of the law whenever possible in order to ensure that negligence is not chargeable.

A wide array of standards-based and other policies

Big-time information security policies are for companies with a lot of intellectual property or high information technology related consequences. These companies often have anywhere from 40 to 200 policy elements, sometimes have different and inconsistent policies for different divisions, and often do not track those policies and their proliferation in a meaningful way. They produce policy in response to situations without integrating those policies with other policies, and rarely update existing policies over time. This situation ultimately leads to large policy holes where different policies refer to each other for policy elements that don't actually exist anywhere. They often have inconsistent coverage of the same policy issue in many places because they are not tracking to standards and because they write policies that cover specific sorts of systems rather than creating broad policies and using control standards to specify policy implementation in specific systems.

A policy based on a single well-recognized standard

For these situations, it is best to do a comprehensive policy reconciliation and rewrite. Proper reconciliation can be done for as little as $2500 per existing policy and produces a policy map that brings clarity to the existing policies and their coverage. From there, a by-reference policy rewrite mapping existing policies into a selected standard typically takes a week or two of effort and a rewrite of policy from the by-reference policy takes another week. The result is typically a new comprehensive and consistent policy that retains all of the existing policy elements but is simpler and more easily understood and tracked. The elements of policy that rightly belonged in control standards are left for ongoing use at the next level of detail.

Policies form the basis upon which governance operates. The governance issues in very small businesses tend to be minimal because everyone knows everyone else and what they are doing, but as businesses grow in size, increasing amounts of governance are required. Even the largest company may properly have only minimal information security policies for most employees if there is little in the way of intellectual property being protected. Generally, governance is best when it governs least. Only put in place policies you need.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved