Information Security News mailing list archives

10 steps to a successful security policy


From: InfoSec News <isn () c4i org>
Date: Wed, 15 Oct 2003 03:22:17 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.computerworld.com/securitytopics/security/story/0,10801,85583,00.html

Advice by Adrian Duigan, NetIQ
OCTOBER 08, 2003 
COMPUTERWORLD

There are two parts to any security policy. One deals with preventing
external threats to maintain the integrity of the network. The second
deals with reducing internal risks by defining appropriate use of
network resources.

Addressing external threats is technology-oriented. There are plenty
of technologies available to reduce external network threats --
firewalls, antivirus software, intrusion-detection systems, e-mail
filters and others -- but these controls are implemented by IT staff
and are largely invisible to the ordinary user.

However, appropriate use of the network inside a company is a
management issue. Implementing an acceptable use policy (AUP), which
by definition regulates employee behavior, requires tact and
diplomacy.

At the very least, having such a policy can protect you and your
company from liability if you can show that any inappropriate
activities were undertaken in violation of that policy. More likely,
however, a logical and well-defined policy will reduce bandwidth
consumption, maximize staff productivity and reduce the prospect of
any legal issues in the future.

These 10 points, while certainly not comprehensive, provide a
common-sense approach to developing and implementing an AUP that will
be fair, clear and enforceable.


1. Identify your risks

What are your risks from inappropriate use? Do you have information
that should be restricted? Do you send or receive a lot of large
attachments and files? Are potentially offensive attachments making
the rounds? It might be a nonissue. Or it could be costing you
thousands of dollars per month in lost employee productivity or
computer downtime.

A good way to identify your risks is through the use of monitoring or
reporting tools. Many vendors of firewalls and Internet security
products offer evaluation periods for their products. If those
products provide reporting, it can be helpful to use the evaluation
period to measure your actual traffic and usage patterns rather than
guessing at them. However, if you choose to do this, make sure
employees know in advance that their activity will be recorded for
the purpose of risk assessment. Covert monitoring is likely to be seen
as an invasion of privacy, and in many jurisdictions advance notice to
employees is a legal requirement, not just a courtesy.


2. Learn from others

There are many types of security policies, so it's important to see
what other organizations like yours are doing. You can spend a couple
of hours browsing online, or you can buy a book such as Information
Security Policies Made Easy by Charles Cresson Wood, which has more
than 1,200 policies ready to customize. Sales reps from security
software vendors are also happy to share material, although bear in
mind that their advice will naturally favor the products they sell.


3. Make sure the policy conforms to legal requirements

Depending on your data holdings, jurisdiction and location, you may be
required to conform to certain minimum standards to ensure the privacy
and integrity of your data, especially if your company holds personal
information. Having a viable security policy documented and in place
is one way of mitigating any liabilities you might incur in the event
of a security breach.


4. Level of security = level of risk

Don't be overzealous. Too much security can be as bad as too little.
You might find that, apart from keeping the bad guys out, you don't
have any problems with appropriate use because you have a mature,
dedicated staff. In such cases, a written code of conduct is the most
important thing. Excessive controls hinder smooth business operations
and tempt staff into workarounds that undermine the policy, so make
sure you don't overprotect yourself.


5. Include staff in policy development

No one wants a policy dictated from above. Involve staff in the
process of defining appropriate use. Keep staff informed as the rules
are developed and tools are implemented. If people understand the need
for a responsible security policy, they will be much more inclined to
comply.


6. Train your employees

Staff training is commonly overlooked or underappreciated as part of
the AUP implementation process. But, in practice, it's probably one of
the most useful phases. It not only helps you to inform employees and
help them understand the policies, but it also allows you to discuss
the practical, real-world implications of the policy. End users will
often ask questions or offer examples in a training forum, and this
can be very rewarding. These questions can help you define the policy
in more detail and adjust it to be more useful.


7. Get it in writing

Make sure every member of your staff has read, understood and signed
the policy. All new hires should sign the policy when they are brought
on board and should be required to reread and reconfirm their
understanding of the policy at least annually. For large
organizations, use automated tools to deliver the documents
electronically and track signatures. Some tools even provide quizzing
mechanisms to test users' knowledge of the policy.


8. Set clear penalties and enforce them

Network security is no joke. Your security policy isn't a set of
voluntary guidelines but a condition of employment. Have a clear set
of procedures in place that spell out the penalties for breaches in
the security policy. Then enforce them. A security policy with
haphazard compliance is almost as bad as no policy at all.


9. Update your staff

A security policy is a dynamic document because the network itself is
always evolving. People come and go. Databases are created and
destroyed. New security threats pop up. Keeping the security policy
updated is hard enough, but keeping staffers aware of any changes that
might affect their day-to-day operations is even more difficult. Open
communication is the key to success.


10. Install the tools you need

Having a policy is one thing; enforcing it is another. Internet and
e-mail content security products with customizable rule sets can
enforce the parts of your policy that are expressible as technical
rules, no matter how complex, while the rest still depends on the
people, training and penalties described above. Investment in tools to
enforce your security policy is probably one of the most
cost-effective purchases you will make.
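As an added illustration of what a "customizable rule set" for e-mail content looks like (this is example code written for this archive page, not a product of NetIQ or anything from the original article), the block below encodes three rules drawn from steps 1 and 10 -- a total attachment size limit, a blocked-extension list, and a ban on sending messages labelled restricted to outside recipients -- as data, evaluates constructed sample messages against them, and produces the per-rule tally that the risk assessment in step 1 asks for. The company domain example.com, the byte limits, the extension list and the sample messages are all assumptions made for the example.

```python
"""Policy-as-data e-mail content filter (added example, not from the article)."""
import os
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical company domain; any other domain is treated as an outside party.
INTERNAL_DOMAIN = "example.com"

# The acceptable use rules expressed as data, so they can be tuned per step 4
# ("level of security = level of risk") without touching the enforcement code.
# The values are illustrative, not recommendations.
POLICY = {
    "max_attachment_bytes": 10 * 1024 * 1024,            # 10 MiB per message
    "blocked_extensions": {".exe", ".scr", ".bat", ".vbs", ".js"},
    "restricted_labels": {"restricted", "confidential"},
}


@dataclass
class Attachment:
    filename: str
    size: int  # bytes


@dataclass
class Message:
    sender: str
    recipients: List[str]
    attachments: List[Attachment] = field(default_factory=list)
    labels: Set[str] = field(default_factory=set)  # data classification tags


Violation = Tuple[str, str]  # (rule code, human-readable detail)


def is_external(address: str) -> bool:
    """True when the address belongs to a domain other than the company's."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != INTERNAL_DOMAIN


def evaluate(msg: Message, policy: dict = POLICY) -> List[Violation]:
    """Return every policy rule the message breaks (empty list means compliant)."""
    violations: List[Violation] = []

    total = sum(a.size for a in msg.attachments)
    if total > policy["max_attachment_bytes"]:
        violations.append(("SIZE_LIMIT",
                           f"{total} bytes attached, limit is {policy['max_attachment_bytes']}"))

    for a in msg.attachments:
        # splitext keeps only the final suffix, so "invoice.pdf.exe" -> ".exe".
        # Matching on names alone is weak (a renamed file slips through);
        # commercial products inspect the file content as well.
        ext = os.path.splitext(a.filename.lower())[1]
        if ext in policy["blocked_extensions"]:
            violations.append(("BLOCKED_TYPE", f"{a.filename} has blocked extension {ext}"))

    sensitive = msg.labels & policy["restricted_labels"]
    if sensitive:
        outside = [r for r in msg.recipients if is_external(r)]
        if outside:
            violations.append(("RESTRICTED_EXTERNAL",
                               f"labelled {','.join(sorted(sensitive))} but addressed to "
                               + ", ".join(outside)))
    return violations


def summarize(messages: List[Message], policy: dict = POLICY) -> Dict[str, int]:
    """Count violations per rule over a batch: the kind of figure step 1 asks for."""
    counts: Counter = Counter()
    for m in messages:
        for code, _ in evaluate(m, policy):
            counts[code] += 1
    return dict(counts)


# Constructed sample traffic for the demonstration (not real messages).
SAMPLE_MESSAGES = [
    Message("alice@example.com", ["bob@example.com"],
            [Attachment("agenda.pdf", 120_000)]),
    Message("bob@example.com", ["carol@partner.org"],
            [Attachment("invoice.pdf.exe", 300_000)]),
    Message("dave@example.com", ["erin@example.com"],
            [Attachment("video.mp4", 25_000_000)]),
    Message("alice@example.com", ["press@news.example.net"],
            [Attachment("q3-forecast.xlsx", 50_000)], labels={"restricted"}),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        result = evaluate(m)
        print(m.sender, "->", m.recipients, "OK" if not result else result)
    print("summary:", summarize(SAMPLE_MESSAGES))
```

Keeping the rules in a data structure rather than in code is what makes the policy adjustable by the people who own it, and the summary output is the evidence you need both to size the rules sensibly (step 4) and to show staff why they exist (steps 5 and 6).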


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

