ISS Policy Development

Upload: rajunair

Post on 30-May-2018


8/14/2019 ISS Policy Development

Information Security Policy Development and Implementation

Avinash W. Kadam
MIEL e-Security Pvt. Ltd., Education Services, Mumbai, India

Information Systems Security, 16:246-256, 2007
Copyright Taylor & Francis Group, LLC
ISSN: 1065-898X print/1934-869X online
DOI: 10.1080/10658980701744861

Address correspondence to Avinash W. Kadam, MIEL e-Security Pvt. Ltd., Education Services, C-611/612/Floral Deck Plaza, Mumbai 400014, India. E-mail: [email protected]

ABSTRACT

Development of the information security policy is a critical activity. Credibility of the entire information security program of an organization depends upon a well-drafted information security policy. Most of the stakeholders do not have the time or inclination to wade through a lengthy policy document. This article tries to formulate an approach to information security policy development that will make the policy document capture the essentials of information security as applicable to a business. The document will also convey the urgency and importance of implementing the policy, not only in letter but also in spirit.

INTRODUCTION

Rudyard Kipling probably had no idea that his Six Honest Serving Men would be employed by modern day computer scientists, engineers, and architects for diverse applications. John A. Zachman used them for defining Enterprise Architecture (http://www.zifa.com), whereas John Sherwood used them for defining Enterprise Security Architecture (http://www.sabsa.org). These faithful servants serve anyone seeking a deeper understanding of any complex subject. They are the six simple questions starting with: what, why, how, who, where, and when. If you persist in getting the answers to these six questions, a seemingly impossible task such as developing an information security policy which is relevant to the business, covers major risks, and is practical to implement can actually be done with confidence.

Let us look at the policies which are developed for other business functions. We will look only at two examples, the financial policy and the human resources policy, and ask our six honest men to find if these policies indeed do what they are expected to do. We will simultaneously map the possible answers to these questions about information security policy.

What do these policies contain? The financial policy provides the overall direction which the organization should take for having a sound financial basis and which leads to successful business operations. The human resources policy provides the basis for attracting the right talent and retaining them, by employing the right people for the right job for the right remuneration.

Does the organization's information security policy identify the information which is critical for the business? Does it provide the direction to perform the business functions in a safe and secure manner?

Why are these policies defined? The financial policy contains the accumulated financial wisdom on what is appropriate for the business. It provides for the consistency of financial decisions. The human resources policy is based on the sound values of human dignity and fair treatment. This provides an anchor for the right way to deal with people.

Does the organization's information security policy provide a clear insight into the information security issues while dealing with the business processes?

How are these policies used? The financial policy is always referred to while making business decisions. The human resources policy is consulted while taking complex decisions affecting the careers of the employees.

Is the organization's information security policy referred to when a decision about the right approach for information usage is to be taken?

Who uses these policies? The senior management constantly refers to both the financial policy and the human resources policy to evaluate any decision to be taken by them.

Does senior management refer to the organization's information security policy to confirm whether their decisions conform with such a policy?

Where are these policies used? The financial policy is used for taking all the financial decisions by the company. The universal applicability of the policy ensures consistency of all the actions. Similarly, the human resources policy is the guiding light for all the decisions taken pertaining to the people, irrespective of whether the decisions are taken at the corporate level or at a remote branch location.

Is the organization's information security policy followed universally within the organization, and do all the information security decisions demonstrate consistency?

When are these policies used? The financial and human resources policies are used almost constantly. The organization stops functioning if it ignores these policies.

Can we say the same about the organization's information security policy? Is it used each time information access is granted or revoked?

HOW TO SELL INFORMATION SECURITY POLICY TO THE ORGANIZATION

After reviewing the answers to the six questions, we realize that we have a lot of work to do before the information security policy is considered as important for the organization as the financial or human resources policy. The usual skeptical question will be: if we are surviving quite well without an information security policy so far, why do we need it now?

We will have to do much internal convincing or selling before converting the organization into believing in the importance of the information security policy, and implementing it in a wholehearted manner.

We always needed a financial policy to run a successful business. I am sure that we had a sound financial policy even in the days of businesses based on barter. The human resources policy became essential in the industrial age because labor unions demanded fair treatment for the workers. It has taken centuries of effort for both the financial policy and the human resources policy to become well accepted and considered essential for sound business. Comparatively, the information age is very young. Although we started using information as a major resource during the past few decades, the major thrust to the information age came from the commercial exploitation of the Internet, which started hardly a decade ago. This is probably one of the reasons for the casual approach we witness while dealing with information security.

Where do we begin our efforts? The answer is, of course, at the very top. But do you think that you will get the top management's attention and interest if we do not talk the same language that they speak, and show the same concerns about the business that they have? How do we get the mind space of the CEO, CFO, and other C-suite occupants? Let us ask our six honest serving men.

What are top management's concerns? How do we grow the business, make it efficient and effective, and beat the competition? Do we, as information security experts, have some information security concerns which could affect the business? Can we recommend some information security approaches which will help grow the business and make it more efficient and effective, and beat the competition?

Why is top management indifferent about information security policy? Of course the business pressures, competition, pressure on margins, and anxieties about the success or failure of new initiatives are some factors, but the most important factor is the fear of the unknown. Most of the senior management is not conversant with the IT field at present, though the awareness is increasing. They will get interested only if the application of the information security policy shows appreciable positive gains. So, it is the primary task of the information security experts to demonstrate the gains through the application of the information security policy.

Do we have something to offer to reduce the pressure? Can we contribute our might toward the new initiatives by some measures of information security?

How do we conduct the business in an ever changing scenario? How do we keep the leading edge? Can information security policy identify ways to cope with the changing scenario and keep the business at the leading edge? Who are the people top management can trust to handle the complexities of the new information age? Can information security experts identify new ways of handling the information resources in a reliable manner, and safeguard the company's intellectual property?

Where will top management look for successful approaches to handling new age initiatives? Can the information security policy provide the direction?

When does one spot information as a valuable resource and create a differentiating factor? Can the information security policy provide that differentiation between a successful organization and others?

You may frame many different questions using the same six words. Your focus should be to find:

- What value the information has for the business
- Why information security makes business sense
- How you can help make the information secure for the business
- Who is responsible for making the information secure
- Where you deploy your resources to make the information secure
- When you know if the security measures are indeed successful

Finding answers to these questions will definitely improve the top management's perception of information security.

BUSINESS IMPACT ANALYSIS

The concept of business impact analysis (BIA) looks out of place here. We usually talk about BIA when we discuss business continuity and disaster recovery plans. In my opinion, BIA should make its appearance right in the beginning, when we conduct the interview with the top management for formulating the information security policy. The depth, coverage, and details of the BIA will gradually increase as we do more detailed business impact analysis. BIA is the best tool to understand the importance of information security for the organization, and also to make the top management realize how much they depend on information security for a successful business.

How do you conduct a BIA where the top management is involved? First, identify what the critical business processes for the organization are. A critical business process usually has the following features:

- It is one of the star performers for the business.
- It is associated with the brand value.
- Its failure could severely impact the organization.
- Any delays for this business process are unacceptable.
- Major investments have been made in perfecting the business process.
- Major technical investments have been made in making the process efficient.

Based on the answers to these questions, you may classify the business processes as critical, important, and routine. Even a single affirmative answer may provide adequate reason to name the business process as critical. It does not mean that you should ignore the routine processes. It only means that the routine processes can be delayed or deferred without having a major impact on business. One example of a routine process could be payroll processing. If this is delayed, employees can still be paid, but if the just-in-time delivery of goods is not done just in time, you may have a serious impact on business.

Now that we have identified the critical business processes, we take the help of our six honest serving men.

Can we formulate questions to do a BIA with the help of what, why, how, who, where, and when? Let us attempt some of these questions.

Your objective is to understand the impact of information security on the business, favorable or otherwise. The top management is in the best position to articulate their perception by answering questions like the following:

- What is the critical information for running the business process?
- Why is it critical?
- How can you run the business if this information is not available to you when you need it? Can you run the business if the information is not correct or if it is stolen?
- Who is responsible for guarding the information?
- Where is it located?
- When does the information become critical for your business?

When you pose these questions, you can keep some examples ready to explain the concept. You can also give examples of some actual information security incidents and the impact these had on (hopefully other people's) business. Do you need a quantitative assessment of the business impact of loss of confidentiality, integrity, or availability at this stage? Probably not, but noting down the responses is important. You may get these responses quantified during subsequent interviews with the middle management and the operational staff. It will help you to develop the answers into a fully quantified statement when the risk mitigation measures are decided and their costs have to be justified.

We can design a matrix around our six questions and the three pillars of security, namely confidentiality, integrity, and availability (see Table 1).

These interviews will reveal the business impact resulting from loss of confidentiality, integrity, or availability of information as perceived by the senior management. Capturing their concerns will help us in formulating the top level information security policy which will be understood and accepted by them.

TOP LEVEL INFORMATION SECURITY POLICY

How does the BIA help us in formulating the top level information security policy? Actually, we have just found out all the reasons why there should be a top level information security policy. The answers that we got from asking the six questions for the three attributes for all the critical business processes can be summarized in the top level information security policy. We may even write the policy as if we are writing answers to the six questions. The top level information security policy may look something like this.

(What?) The organization recognizes information as one of the key resources which helps in running a very successful business, delivering various goods and services (we may be more specific here) to our customers and meeting the expectations of the stakeholders.

TABLE 1 Business impact analysis for business process A

What?
  Confidentiality: What is the critical information for this process which should be confidential?
  Integrity: What is the critical information for this process which should always be accurate and reliable?
  Availability: What is the critical information for this process which should always be available?

Why?
  Confidentiality: Why should this information be confidential?
  Integrity: Why should this information be accurate and reliable?
  Availability: Why should this information always be available?

How?
  Confidentiality: How will the business be affected if the information does not remain confidential?
  Integrity: How will the business be affected if the information is unreliable?
  Availability: How will the business be affected if the information is not available when needed?

Who?
  Confidentiality: Who is responsible for the confidentiality of this information?
  Integrity: Who is responsible for the integrity of this information?
  Availability: Who is responsible for ensuring the availability of this information?

Where?
  Confidentiality: Where do you store this information to ensure its confidentiality?
  Integrity: Where do you store this information to ensure its integrity?
  Availability: Where do you store this information to ensure its availability?

When?
  Confidentiality: When does the confidentiality of this information become critical?
  Integrity: When does the integrity of this information become critical?
  Availability: When does the availability of this information become critical?

(Why?) We are very proud of the efficiency and effectiveness we have achieved by our fine tuned business processes (can be more specific). These business processes critically depend on our information systems (can be more specific). Any damage to any information that we possess can adversely impact our business. We strive to maintain all the information with utmost confidentiality and integrity, and make sure that it is available whenever and wherever it is required to be accessed by legitimate users.

(How?) We are aware that we constantly face threats to our information systems. These threats could disrupt our business processes and cause severe losses (can be more specific). It is our intention to deploy all possible resources to ensure that we are able to thwart any such threats and maintain the customers' and stakeholders' confidence in us by having appropriate technical, procedural, and administrative measures in place. We have defined these measures against specific threats and risks in our detailed information security policies.

(Who?) The information security measures will be implemented by our information security team, headed by an information security officer, who directly reports to an information security forum (ISF), which is chaired by the CEO. The members of the ISF will be business unit heads and other responsible persons.

(Where?) The information security measures will be deployed throughout the organization, and all the business processes (can be more specific) will be under the purview of this policy. Any breach of this policy will lead to appropriate disciplinary action.

(When?) Information security is a major concern for the organization. We will have incident management teams working 24x7 to promptly resolve any incidents. We will ensure that all the persons working for the organization are appropriately trained so that they can be vigilant whenever they are using the information. We will also educate our customers so that they can promptly notify us if they notice any information security incidents and need our help (e.g., receiving a suspicious email).

The top level information security policy should be signed by the CEO to carry the message effectively.

The above draft gives us a starting point to create an ideal information security policy that reflects the top level concerns of the organization. It will be specific to the organization and will reflect all the effort spent in conducting a BIA. The BIA will provide enough material to list the real concerns about any compromise of information and how it could affect the organization. An information security policy thus designed will be owned by the top management, as their contributions in identifying the various critical things that may impact the business will be clearly mentioned. They will also understand that their involvement is the key success factor. All the concerns that were identified during the BIA will be subsequently followed through during the formulation of detailed information security policies.

THREAT IDENTIFICATION

We have now got a top level information security policy for the organization. This is an excellent document to get the top level commitment and clearly state the intentions of the organization regarding information security. But it is still a statement of intention and not enough to develop implementable policies. For this, we need to first identify all the threats to the information. The threats we will identify will not be just a general perception of threats. These will now be more specific, as we know what the really critical business processes are. The BIA has given us a good insight into this aspect of the business. We also know which aspects of information security, that is, confidentiality, integrity, or availability, are critical for the particular business processes. So, we should be able to narrow down our list to the more realistic threats that can pose danger to the critical information assets. We can also create plausible threat scenarios. By now we have got a good idea about these from the BIA sessions that we had with the top management. We can also take the help of our six honest serving men and make a table which will remind us not to forget any of the contributing threat factors. Please notice that there could be different types of threats which affect the three pillars of information security. A threat which compromises confidentiality may not cause loss of integrity or cause unavailability. We need to identify each of these separately, as shown in Table 2.

The questions for threat identification can be asked of the middle management as well as the operational staff. These persons will be facing such threats in their normal day to day operations. Their answers will give us a greater insight into the threat perception. This in turn will help us in focusing our efforts on creating detailed information security policies which address these specific threats.

The answers that we are seeking from our six faithful serving men are:

- What are the realistic threats to information for our business processes? What are the natural threats? What are the man-made threats?
- Why do these threats exist? Is there a strong motivational factor for the man-made threats? Are there strong environmental factors which cause the natural threats?
- How may the threats materialize?
- Who are the major suspects?
- Where will we be hit?
- When are we most prone to these threats?

Once again, remember to ask these questions for each type of information security requirement: confidentiality, integrity, and availability.

VULNERABILITY ASSESSMENT, OR HOW WELL THE ORGANIZATION IS PREPARED AGAINST THESE THREATS

This will be the next logical step in our journey to develop the information security policy. Even without a formal policy, an organization will usually have a few security measures in place. We will try to discover what these are and assess their adequacy. Once again we take the help of our six honest serving men and start probing the middle and operational management into revealing the various practices in place. Some of these practices may even be documented by means of staff notices or departmental circulars. We should collect all of these and study them before conducting the interviews. This will help us understand the current state of information security implementation in the organization. Notice the complex phrase "vulnerability corresponding to the threats." It means we want to discover if there are any specific vulnerabilities that can be exploited by specific threats to confidentiality, integrity, or availability (see Table 3).

TABLE 2 Identification of threats for business process A

What?
  Threats to Confidentiality: What are the threats to confidentiality of critical information supporting this business process?
  Threats to Integrity: What are the threats to integrity of critical information supporting this business process?
  Threats to Availability: What are the threats to availability of critical information supporting this business process?

Why? (asked for each of the three columns): Why do these threats exist?
How? (each column): How can these threats actually act?
Who? (each column): Who will carry out the threat actions?
Where? (each column): Where can the attack happen?
When? (each column): When can the attack happen?

TABLE 3 Identification of vulnerabilities for business process A

What?
  Vulnerability corresponding to the threats to Confidentiality: What are the vulnerabilities corresponding to the threats to confidentiality?
  Vulnerability corresponding to the threats to Integrity: What are the vulnerabilities corresponding to the threats to integrity?
  Vulnerability corresponding to the threats to Availability: What are the vulnerabilities corresponding to the threats to availability?

Why? (asked for each of the three columns): Why do these vulnerabilities exist?
How? (each column): How can these vulnerabilities be exploited?
Who? (each column): Who will exploit these vulnerabilities?
Where? (each column): Where may this happen?
When? (each column): When may this happen?

The answers that we are seeking to our six questions will be:

- What are the weaknesses in your defense system which may cause leakage of confidential information, unauthorized modification of information, or unavailability of critical information?
- Why are these weaknesses there? Has no one noticed them before, or have they been left open hoping that no threat will ever exploit this vulnerability?
- How will a threat take advantage of these vulnerabilities? If you were the enemy who knows about these vulnerabilities, how would you use the knowledge to cause maximum damage?
- Who will most benefit from the knowledge of these vulnerabilities? Will someone be strongly motivated to cause harm to your business?
- Where will the attack take place? What is the most vulnerable spot?
- When will the attack take place? When is your organization most susceptible?

While seeking answers to these questions, we will realize that each individual question seeks to discover the vulnerability of the basic component which will be the weakest link in the system. Thus, the vulnerabilities of a business process can be narrowed down to the individual components that constitute an information system.

The components of an information system are listed below. The first two letters of each component name serve as its abbreviation; these abbreviations (In, So, Ha, Pe, Se, Da) are used in the columns of Tables 4 and 5.

- Information (or the data): data, databases, data warehouses
- Software: application programs, DBMS, operating system
- Hardware: servers, desktops, networking devices
- People: management, users, contract workers
- Services: Internet, HVAC, power
- Documents: agreements, contracts, legal papers

Thus we can trace the vulnerabilities of the information system to the vulnerability of an individual component. We can use Table 4 to identify and document whether any of the information system components is vulnerable to any of the threats identified during our study.

Identifying Action Plans

We need a number of detailed information security policies to address the multitude of vulnerabilities of the information system components which could be exploited by threats and compromise the confidentiality, integrity, or availability of our critical business systems.

We need to formulate individual policy statements which address each of these vulnerabilities and the way to control them. We can use Table 5 to pair the threats and vulnerabilities and link them to the information system components under attack. Remember, one threat can exploit multiple vulnerabilities of multiple components.

The next step will be to define the action statements against each threat and vulnerability combination for each of the affected information system components, so that we can reduce the possibility of the threat exploiting the vulnerability of the component and compromising the security.

TABLE 4 Vulnerability of individual components of information system A supporting a critical business system

Rows: What? / Why? / How? / Who? / Where? / When?
Columns: one group for each of Confidentiality, Integrity, and Availability, with a column per component in each group: In, So, Ha, Pe, Se, Da. The cells are filled in during the study.

The action statements could consist of a variety of actions. These could include deploying various technical solutions such as a firewall, IDS, or antivirus software, or defining some physical measures such as barriers, or certain administrative (e.g., separation of duty) or punitive (e.g., disciplinary action) measures. Each of these becomes an action statement.

Writing Information Security Policies

We now call upon our six honest serving men. The answers to who, what, and why will be included in the policies. How, where, and when will be answered by the procedures. The final list of information security policies may be large, as each policy will be written with a specific "what" in mind. The "what" is answered by the selection of a control objective. The control objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular process (COBIT 4.1, IT Governance Institute, http://www.itgi.org).

Further, a control is defined as a means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of administrative, technical, management, or legal nature (ISO/IEC 17799, 2005, http://www.iso.org).

Who will achieve the control objectives by implementing appropriate control procedures? We need to define specific roles and responsibilities. The responsible persons should clearly know why the control objective needs to be achieved. The "why" gives the main motivating factor behind the information security policy. It may be a legal requirement or a contractual obligation; it may be required because the organization believes it is the best practice to follow. Whatever the reason, it should be stated clearly.

We would start the process of writing the information security policies by first selecting the appropriate control objectives that need to be achieved. These can be selected from a standard such as ISO 27001, a framework such as ISO 17799 or COBIT, a compliance requirement such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Basel II, or a law such as the European Union Data Protection Act. The selection will depend on the requirements of the organization.

The next step will be to write appropriate policies that meet the requirements of the control objectives. This will be followed by writing the detailed procedures. The policies will cover the administrative, technical, management, and legal requirements. While writing the policy, we should ensure that the action statements fall at the right places in the policies. For example, if we have identified the threat of information theft and the vulnerability is the weak implementation of the password, affecting confidentiality of the information, then the action plans will be:

- Administrative: Provide appropriate training.
- Technical: Enforce strong password selection through appropriate parameters.
- Management: Ensure that the password policy is approved by management. Ensure user acceptance by asking them to sign the appropriate form.
- Legal (or compliance) requirements: Define disciplinary action.

TABLE 5 Threat-vulnerability pairs and the action statement to address the risks

Columns: Threat | Vulnerability | Confidentiality (In, So, Ha, Pe, Se, Da) | Integrity (In, So, Ha, Pe, Se, Da) | Availability (In, So, Ha, Pe, Se, Da) | Action statement | Policy reference

  • 8/14/2019 ISS Policy Development

    9/12

    Kadam 254

    Yet another threat could be in ormation the t,unauthorized modi cation and nonavailability dueto weak network security. Then the action plans willbe:

Administrative: Background check of employees and contractors working in network administration.

Technical: Access control lists, firewall, server hardening, IDS and so on.

Management: Periodic review of security incidents.

Legal requirements: Appropriate non-disclosure agreements with the networking staff and contract workers.
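The two worked risks above, and the layout of Table 5, can be kept as a small risk register that is checked before the policies are written. The following is an added example, not code from the article or from MIEL e-Security: each threat-vulnerability pair records which security properties it affects and carries one action statement per category named in the text (administrative, technical, management, legal) plus a policy reference, and a check reports any risk that is still incompletely addressed. All entries, including the policy identifiers PWD-01 and NET-01, are constructed sample data.

```python
"""Risk register with a coverage check (added example, not from the article).

Each Risk mirrors one row of Table 5: a threat-vulnerability pair, the
security properties it affects, an action statement for each of the four
categories the text names, and a reference to the policy that carries them.
All sample entries below are constructed."""

from dataclasses import dataclass, field

CIA = ("confidentiality", "integrity", "availability")
ACTION_CATEGORIES = ("administrative", "technical", "management", "legal")


@dataclass
class Risk:
    threat: str
    vulnerability: str
    affects: set                                  # subset of CIA
    actions: dict = field(default_factory=dict)   # category -> action statement
    policy_reference: str = ""                    # hypothetical policy identifier


def coverage_gaps(risk: Risk) -> list:
    """Return the list of problems that would leave this risk unaddressed.

    An empty list means the risk has an action statement in every category
    and is tied to a policy."""
    gaps = []
    unknown = risk.affects - set(CIA)
    if unknown:
        gaps.append(f"unknown property: {sorted(unknown)}")
    if not risk.affects:
        gaps.append("no security property marked as affected")
    for cat in ACTION_CATEGORIES:
        if not risk.actions.get(cat, "").strip():
            gaps.append(f"missing {cat} action statement")
    if not risk.policy_reference.strip():
        gaps.append("no policy reference")
    return gaps


def register_report(risks) -> dict:
    """Map 'threat / vulnerability' to its gap list for every risk in the register."""
    return {f"{r.threat} / {r.vulnerability}": coverage_gaps(r) for r in risks}


# Constructed sample register: the two risks from the text plus one incomplete entry.
SAMPLE_REGISTER = [
    Risk(
        threat="information theft",
        vulnerability="weak implementation of the password",
        affects={"confidentiality"},
        actions={
            "administrative": "Provide appropriate training.",
            "technical": "Enforce strong password selection through appropriate parameters.",
            "management": "Password policy approved by management; users sign the acceptance form.",
            "legal": "Define disciplinary action.",
        },
        policy_reference="PWD-01",   # hypothetical identifier
    ),
    Risk(
        threat="information theft, unauthorized modification, non-availability",
        vulnerability="weak network security",
        affects={"confidentiality", "integrity", "availability"},
        actions={
            "administrative": "Background check of network administration staff and contractors.",
            "technical": "Access control lists, firewall, server hardening, IDS.",
            "management": "Periodic review of security incidents.",
            "legal": "Non-disclosure agreements with networking staff and contract workers.",
        },
        policy_reference="NET-01",   # hypothetical identifier
    ),
    Risk(
        threat="data loss",
        vulnerability="no tested backups",
        affects={"availability"},
        actions={"technical": "Nightly backups with quarterly restore tests."},
        # administrative, management and legal statements and the policy reference are still missing
    ),
]

if __name__ == "__main__":
    for name, gaps in register_report(SAMPLE_REGISTER).items():
        print(name, "->", "OK" if not gaps else "; ".join(gaps))
```

Run as a script it prints one line per risk; the third entry is reported with three missing categories and no policy reference, which is exactly the kind of row that should not reach the policy draft.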

How Many Policies?

You can classify policies in various groups:

For a defined target group:
    Everyone in the organization
    System managers, administrators
    Management

For specific topics:
    Information classification
    Physical and environmental security
    Operations management
    Data communication
    Network security
    Back-up
    Access control
    Password
    Incident management
    Business continuity

Department-specific topics:
    Application development
    Compliance

You may be required to define additional policies for particular topics. For example, the topic of access control could spawn many policies such as operating system access control, database access control, remote access control, and so on. Dividing policies into target groups will help you to train people only on the policies that apply to them.

Writing Procedures and Guidelines

Remember, the how, where, and when will be answered by procedures. We need to write answers to these questions. A procedure is a step-by-step method of how to do it. It may be a simple thing such as selecting a password or a complex procedure for defining access control rules on the firewall. The how should document the entire procedure in as simple a manner as possible. If appropriate, you may use flow charts or decision tables or any other method to convey the message.

The where will describe the location or the workstation or the right place where the procedure will be performed. For example, a fire evacuation test procedure will be performed in the office or the data center. The answer to when in this case may be, last Friday of every month, between 3.00 and 4.00 p.m.

A clearly written procedure will be a great help when implementing any policy.

You may also include additional guidelines to supplement the procedures. For example, a guideline on how to select a complex password, which is also easy to remember, will be greatly appreciated.
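The technical action statement given earlier ("enforce strong password selection through appropriate parameters") and the guideline just mentioned (a complex password that is still easy to remember) fit together in one procedure. The following is an added example and not code from the article or from MIEL e-Security: a password check driven by explicit policy parameters, and a helper that proposes a multi-word passphrase which satisfies that same check. The parameter values, the banned-word list and the word list are constructed assumptions; a real policy would set its own.

```python
"""Password policy enforcement plus a memorable-passphrase guideline
(added example, not from the article). Policy parameters and word list
are constructed assumptions."""

import re
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed policy parameters; the values are illustrative."""
    min_length: int = 12
    min_classes: int = 3        # of: lowercase, uppercase, digit, symbol
    max_repeat_run: int = 3     # "bbbb" (four in a row) is rejected
    banned: frozenset = frozenset({"password", "welcome", "qwerty", "letmein"})


CLASS_PATTERNS = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def check_password(pw: str, username: str, policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(1 for pattern in CLASS_PATTERNS.values() if re.search(pattern, pw))
    if classes < policy.min_classes:
        problems.append(f"uses {classes} character classes, needs {policy.min_classes}")
    # (.)\1{n,} matches one character followed by n more copies, i.e. n+1 in a row
    if re.search(r"(.)\1{%d,}" % policy.max_repeat_run, pw):
        problems.append(f"a character repeated more than {policy.max_repeat_run} times in a row")
    lowered = pw.lower()
    if any(word in lowered for word in policy.banned):
        problems.append("contains a banned word")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


# Constructed word list; a real guideline would point users at a large published list.
WORDS = ("copper", "lantern", "meadow", "quartz", "violin", "harbor", "pepper", "tundra",
         "saddle", "comet", "walnut", "ember", "orbit", "fjord", "maple", "zephyr")


def suggest_passphrase(n_words: int = 4, separator: str = "-") -> str:
    """Guideline helper: random dictionary words joined by a separator, first word
    capitalised and a random digit appended, so the result meets the class rule
    while staying easy to remember. Uses the secrets module, not random."""
    words = [secrets.choice(WORDS) for _ in range(n_words)]
    words[0] = words[0].capitalize()
    return separator.join(words) + str(secrets.randbelow(10))


if __name__ == "__main__":
    for candidate in ("Password1", "Correct-Horse-Battery-7", suggest_passphrase()):
        print(repr(candidate), check_password(candidate, "alice") or "OK")
```

The checker returns every violated rule rather than stopping at the first one, so the same function can drive both the enforcement point (reject if the list is non-empty) and the guideline (show the user what to fix).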

IMPLEMENTATION

You have completed all the back office work. You made your six honest serving men slog day and night. Now is the time to deliver the great meal that you have cooked. Implementation is the hardest part. The acceptance by the organization depends on many factors. You will have to constantly battle with conflicting demands of security versus ease of use. Implementation cannot be done just by issuing a fiat. Human ingenuity will always find ways of circumventing things which are viewed as obstacles. You have to take the entire organization into confidence.

Implementation at the Top

Where do you begin your efforts? The answer is, as usual, at the very top. Top management has to give its whole-hearted approval to all the policies you have developed. These policies will have proposed many changes. These changes will be of different types. Some will be mere procedural changes, but some may require a totally new approach. Some changes will be technical in nature, others will be administrative. Changes will affect everyone in some way or another. By proposing the information security policy, we are trying to introduce discipline in handling information for the organization. Discipline brings in restrictions and restrictions are usually resented, at least in the beginning.

A new information security policy may also require additional investment in people, processes, and technology. You will have to prepare budgets and also do a cost/benefit analysis to justify the expenditure. So, you will have to prepare a full report on the new information security policy and present it to the top management forum. The report should include a complete project plan giving details of the activities required to implement various policies. These activities will include procurement and implementation of new equipment or techniques such as firewall, IDS, single sign-on, and so forth. It will also include training plans for the entire organization. It will specify how the implementation activities are to be monitored and reported and answer the most important question that top management loves to ask: what is the return on security investment (ROSI)?

How do you prepare and present the report? Ask our six honest serving men to help us. Explain to the top management the answers to the six questions we are so familiar with: what, why, how, who, where, and when, through your report and presentation:

What are the information security risks that were identified?

What is the total investment in security? What is the ROSI?

Why are these risks so critical? Why is the business impact due to these risks not acceptable?

How will information security policies help mitigate these risks?

How much money will be spent in procuring the security products and techniques and implementing them?

How much time and money will be spent on training all the persons in the organization?

Who will be responsible for the successful implementation of these policies? Have we assigned responsibility for each policy?

Where is the implementation planned? Will the implementation happen at all locations or only at selected locations?

When is the implementation planned? Will it be a big-bang approach or a phase-wise approach?
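The questions "What is the total investment in security?" and "What is the ROSI?" are the ones the report has to answer with numbers. The following is an added example, not from the article: it uses the commonly used annualised-loss-expectancy model, in which the annual loss expectancy (ALE) of a risk is its single loss expectancy times its annual rate of occurrence, the saving attributed to a control is the ALE times the fraction of loss the control is expected to prevent, and ROSI is the saving minus the annual cost of the controls, divided by that cost. The model and every figure below are assumptions for illustration, not values from the article.

```python
"""ALE-based return on security investment (added example, not from the article).
All scenario figures and costs are constructed sample values."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss_expectancy: float     # cost of one incident, in the organisation's currency
    annual_rate_of_occurrence: float  # expected incidents per year before the control
    mitigation_ratio: float           # fraction of the loss the control is expected to prevent (0..1)


def ale(scn: Scenario) -> float:
    """Annualised loss expectancy of the risk without the control."""
    return scn.single_loss_expectancy * scn.annual_rate_of_occurrence


def annual_savings(scn: Scenario) -> float:
    """Loss avoided per year once the control is in place."""
    return ale(scn) * scn.mitigation_ratio


def rosi(scenarios, annual_cost_of_controls: float) -> float:
    """ROSI = (losses avoided per year - annual cost of controls) / annual cost of controls.

    A value of 0.5 means the controls return 50% more than they cost each year;
    a negative value means the proposal does not pay for itself on loss avoidance alone."""
    if annual_cost_of_controls <= 0:
        raise ValueError("annual cost of controls must be positive")
    saved = sum(annual_savings(s) for s in scenarios)
    return (saved - annual_cost_of_controls) / annual_cost_of_controls


def investment_summary(scenarios, annual_cost_of_controls: float) -> dict:
    """Figures for the report: ALE and saving per scenario, totals and ROSI."""
    return {
        "per_scenario": {s.name: {"ale": ale(s), "saved": annual_savings(s)} for s in scenarios},
        "total_ale": sum(ale(s) for s in scenarios),
        "total_saved": sum(annual_savings(s) for s in scenarios),
        "annual_cost": annual_cost_of_controls,
        "rosi": rosi(scenarios, annual_cost_of_controls),
    }


# Constructed sample scenarios matching the two risks discussed in the text.
SAMPLE_SCENARIOS = [
    Scenario("information theft via weak passwords", 50_000, 2.0, 0.8),
    Scenario("intrusion via weak network security", 120_000, 0.5, 0.75),
]
SAMPLE_ANNUAL_COST = 50_000  # assumed annualised cost of training, tooling and staff time

if __name__ == "__main__":
    summary = investment_summary(SAMPLE_SCENARIOS, SAMPLE_ANNUAL_COST)
    for name, figures in summary["per_scenario"].items():
        print(f"{name}: ALE {figures['ale']:,.0f}, avoided {figures['saved']:,.0f}")
    print(f"total avoided {summary['total_saved']:,.0f} vs cost {summary['annual_cost']:,.0f}"
          f" -> ROSI {summary['rosi']:.2f}")
```

With the constructed figures the two scenarios avoid 125,000 per year against a control cost of 50,000, a ROSI of 1.5; raising the cost to 200,000 turns it negative, which is the argument the author anticipates having to defend in front of top management. The weak point of any such figure is the annual rate of occurrence and the mitigation ratio, so the report should state where those estimates come from.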

You will have to be very well prepared to defend your proposal. An especially tricky part will be the response to the questions regarding ROSI. You will have to convince the top management that avoiding a security incident is much cheaper than paying for the losses that a security incident may cause. The return will be the savings from the potential future losses. Once you have got the approval, you have won half the battle.

The next step will be to prepare a training program especially for the top management. You will have to clearly explain their ongoing role in information security for the organization. They will have to lead the organization by setting a good example. If the boss participates in a fire evacuation drill, no one will pretend to be too busy and avoid such exercises. If the senior management regularly change their passwords and learn how to encrypt the data on their laptops, no one will complain about the extra work involved to secure the information. The top management will have to walk the talk and demonstrate complete adherence to the information security policy that they have endorsed.

Implementation at the Operations Level

This is where you will train the actual implementation team. The system administrators, network administrators, and various other operations staff will be made familiar with the new information security policy. They would already be familiar with the approach. They would be specifically trained on their areas of responsibility so that they will have in-depth knowledge of the technology used and the new procedures to be followed. We will seek the help of our six faithful servants to make sure that we do not miss anything of importance. We provide answers to the following questions during the implementation at this level:


What are the new requirements of the information security policy in individual areas of operation?

What are the new products and procedures being implemented?

Why were these products and procedures selected?

How do these products and procedures work? How do we configure and customize them? How do we test them? How do we maintain them? How do we troubleshoot them?

Who will be responsible for each product and procedure?

Where will the products and procedures be implemented?

When will the products and procedures be operational?

We will have to design the technical training programs for the specific security products and procedures selected for the implementation. The operations persons will have to become very well-versed in handling the new security measures. They will also need to be trained on various reporting and escalation procedures. The incident management and response team will require specialized training. The business continuity and disaster recovery team will also need specialized training.

All these training programs will have to be completed before the actual implementation. Operations staff should be made responsible for implementing the security controls. This will build their confidence, expertise and the sense of ownership.

Implementation for Everyone

This can only be done by a major drive to educate everyone. The right message should reach the right people. The training programs have to be designed keeping in mind the actual groups being addressed. The trainer has to talk the language of the audience. The same training that goes well with system administrators will be received with stony silence or yawns by the general users. Only the relevant policies and procedures should be covered for each group. You may have to customize the training programs. The application programming group may require different training programs compared to the helpdesk staff.

The training programs should be designed to provide convincing answers to our six questions.

1. What is the objective of the information security?

2. Why is it necessary to follow the information security policy of the company? Will something really go wrong if we do not follow the policy? Can you give us some examples?

3. How do we work with all these security controls around us?

4. Who is responsible for the information security? Am I really responsible for every piece of information that I access?

5. Where are the security controls? Are they implemented in my area of operation? Are they implemented on e-mail servers, web servers, desktops? Are there physical security controls? Where are they located?

6. When are these security controls going to be made operational?

You may devise various ways of delivering the training. It could be classroom training or Web-based e-learning or video-based training. There should be some amount of interactivity in any type of training. The audience should be made to participate in answering our famous six questions pertaining to the training topics designed for them. If they get involved in answering these questions, they will start appreciating the reason for the policy, the necessity of implementing the procedures and, more importantly, their own role in guarding the information assets of the organization.

You have properly developed the information security policy when the end users can answer the six questions. You have correctly implemented it when they feel responsible for their role.

BIOGRAPHY

Avinash Kadam is the Chief Knowledge Resource at MIEL e-Security, a company in the domain of Information Security Consulting, Training, Implementation and Audit. He has worked in the I.T. industry for more than 35 years, of which the past 10 years were totally focused on Information Security. He has handled major information security consulting projects for large organizations.
