Educause Security Discussion mailing list archives

Re: Institutional Security Policies


From: Jere Retzer <retzerj () OHSU EDU>
Date: Mon, 26 Aug 2002 08:47:43 -0700

To what extent should you publicize these policies?

spaf () CERIAS PURDUE EDU 08/26/02 08:41AM >>>
I just finished writing a high-level summary of this process for the
3rd edition of "Practical Unix & Internet Security."

Policy should be a statement of values, goals, and institutional
direction.  It should specify what is important, and who has the
authority and responsibility to ensure that the policies and goals
are met.  It should not mention specific machines, data items, or the
like.    In general, once written, policy stays the same for a long
time.

From policy, you define standards.  Standards are meant to achieve
the goals.  They specify objectives that can be met and audited.
They state levels of performance.  These can be platform-specific, or
data-centric, or both.  In general, standards change slowly, and only
after considerable thought and discussion.

Guidelines are written around standards, and describe how to satisfy
them.   They provide site- or situation-specific solutions and
procedures.   These may continually evolve.

As an example, the policy may state that "The availability of
current, correct data is crucial to the operation of our enterprise.
It is the duty of the CIO to ensure that correct versions of all
operational data are available and on-line within acceptable business
limits, even in the presence of major site disasters."

A corresponding standard, issued from the CIO's office (he was given
the responsibility by the policy) might be "All computing systems
with critical business data (as defined in some other standard) will
have that data archived to backups.   A daily backup will be
performed outside of normal business hours for each system and kept
on-site.    A monthly backup will also be performed and stored
off-site at a secured facility.  Monthly backups will be kept for a
period of not less than 12 months.  Backup media will be alternated
or new media used so as to avoid overwriting a current backup.
Every monthly backup will be read completely to ensure it is usable,
and once a month a daily backup will be selected at random for similar
testing.   Once every twelve months each system will be reconstructed
solely from a monthly backup to ensure the utility of the backups.
A written report of these tests will be filed with the CIO's office
every quarter."

Note that these standards address the policy requirements, and
provide auditable goals without specifying products or particular
people/systems.

The guidelines/practices would then be written for each system type
(e.g., "How to do backups for Windows,"  "How to do backups for Unix
systems,"  and so on).   These are adjusted for the individual
systems and environment in which the standards apply.


Standards need to be published so that people know how to meet them,
although they may be kept proprietary.   Policies should be published
to the organization so everyone knows them.   Guidelines are informal
and generally don't need publishing, although sharing among groups
helps keep from replicating work.

That's the more formal framework for your answer.  I hope that at
least partially addresses your question!

--spaf

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.