
Information Security Policies and Procedures: A Practitioner's Reference, Second Edition

Last Updated 2/3/2009 3:43:03 PM


Abstract
In this chapter from "Information Security Policies and Procedures," you'll learn how to develop a well-written security policy statement that creates an information security program, establishes senior management's goals and measures, and targets and assigns responsibilities.


1 POLICY IS THE CORNERSTONE

The cornerstone of an effective information security architecture is a well-written policy statement. This is the source from which all other directives, standards, procedures, guidelines, and other supporting documents will spring. As with any foundation, it is important to establish a strong footing. As will be discussed, a policy performs two roles: one internal and one external.

A policy is senior management's directive to create an information security program, establish its goals and measures, and target and assign responsibilities. Management faces many choices in directing the protection of information resources. Some are easy, resting on cost-benefit analysis or return on investment; others involve granting concessions, or weighing the enterprise's strategic direction against the implementation of information security controls. Once these decisions have been made, policy has been created de facto. The task at hand is to take these decisions, common practices, or folklore and fashion them into published policy that can serve as the basis for protecting information resources and guiding employee behavior.


2 WHY IMPLEMENT INFORMATION SECURITY POLICY?

In the absence of an established policy, the organization's current and past activities become the de facto policy. Because there is no formal policy to be defended, the organization may be in greater danger of a security breach, loss of competitive advantage, loss of customer confidence, or increased government interference. By implementing policies, the organization takes control of its destiny. In the absence of established policies, the internal and external audit staffs and the courts can step in and set policy. Most organizations would prefer to establish their own policies rather than have a third party impose them.

The goal of an information security policy is to maintain the integrity, confidentiality, and availability of information resources. The basic threats that can prevent an organization from reaching this goal are unauthorized access, modification, disclosure, or destruction — whether deliberate or accidental — of the information or the systems and applications that process the information.

It is a well-accepted fact that it is important to protect the information resources essential to an organization, in the same manner that it is important to drive on the correct side of the road. Unlike the driving scenario, which has regulations and laws to support it, the protection of information is all too often left to the individual. As with the driving scenario, everyone knows what solutions are available for protecting information. Identifying these requirements is not enough; to enforce controls, it is necessary to have a formal policy. This will form the basis for all necessary controls.


3 SOME MAJOR POINTS FOR ESTABLISHING POLICIES

When developing the policy, there is as much danger in saying too much as there is in saying too little. The policy should provide the direction required by the organization while maintaining business unit management discretion in the actual implementation of the policy. The more intricate and detailed the policy, the more frequent the update requirements and the more complicated the training process for employees.

Although it is important to keep to the facts and keep the document brief, it is also important to include a clear discussion of the proprietary rights of the organization. Employees deserve to know what is expected of them and how they will be informed of their obligations. With well-written policies in place, the enterprise can expect that managers (if properly trained) will take approximately the same course of action in similar circumstances.


4 WHAT IS A POLICY?

Policy means different things to different people. For our purposes, the term "policy" is defined as a high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area. A policy is brief (which is highly recommended) and set at a high level.

Because policy is written at a broad level, organizations must also develop standards, procedures, and guidelines that offer employees, managers, and others a clearer method for implementing the policy and meeting the organization's business objectives or mission.

A policy is not a specific and detailed description of the problem and each step that is needed to implement the policy. A policy on requiring access control for remote users has exceeded its scope if there is a discussion about passwords, password length, password history, etc.


5 DEFINITIONS

5.1 Policy


A policy (see Table 1) is a high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area. When we hear discussions of intrusion detection systems (IDSs) monitoring compliance with company policies, these are not the policies we are discussing. The IDS is actually monitoring standards (which we discuss in more detail later), rule sets, or proxies. We will be creating policies like the sample information security policy in Table 1. Later in this chapter we examine a number of information security policies and critique them against an established policy template.

5.2 Standards


Standards are mandatory requirements that support individual policies. Standards can range from what software or hardware can be used, to what remote access protocol is to be implemented, to who is responsible for approving what. We examine standards in more detail later in this book. When developing an information security policy, it will be necessary to establish a set of supporting standards. Table 2 provides an example of what standards for a specific topic might look like.

TABLE 1. SAMPLE INFORMATION SECURITY POLICY
Information Security Policy
Business information is an essential asset of the Company. This is true of all business information within the Company, regardless of how it is created, distributed, or stored and whether it is typed, handwritten, printed, filmed, computer generated, or spoken.
     All employees are responsible for protecting corporate information from unauthorized access, modification, duplication, destruction, or disclosure, whether accidental or intentional. This responsibility is essential to Company business. When information is not well protected, the Company can be harmed in various ways such as significant loss to market share and a damaged reputation.
     Details of each employee's responsibilities for protecting Company information are documented in the Information Protection Policies and Standards Manual. Management is responsible for ensuring that all employees understand and adhere to these policies and standards. Management is also responsible for noting variances from established security practices and for initiating corrective actions.
     Internal auditors will perform periodic reviews to ensure ongoing compliance with the Company information protection policy. Violations of this policy will be addressed as prescribed in the Human Resource Policy Guide for Management.


TABLE 2. EXAMPLE OF STANDARDS
Information Systems Manager/Team Leader
Managers with responsibility for Information Systems must carry out all the appropriate responsibilities as a Manager for their area. In addition, they will act as Custodian of information used by those systems but owned by other managers. They must ensure that these owners are identified, appointed, and made aware of their responsibilities.

     All managers, supervisors, directors, and other management-level people also have an advisory and assisting role to IS and non-IS managers in respect of:
  • Identifying and assessing threats
  • Identifying and implementing protective measures (including compliance with these practices)
  • Maintaining a satisfactory level of security awareness
  • Monitoring the proper operation of security measures within the unit
  • Investigating weaknesses and occurrences
  • Raising any new issues or circumstances of which they become aware through their specialist role
  • Liaising with internal and external audit

5.3 Procedures


Procedures are mandatory, step-by-step, detailed actions required to successfully complete a task. Procedures can be very detailed. Recently, I was reviewing change management procedures, similar to the one in Table 3, and found one that consisted of 42 pages. It was very thorough, but I found it difficult to believe that anyone has ever read the entire document. We discuss procedures in more detail later in this book.

5.4 Guidelines


Guidelines are more general statements designed to achieve the policy's objectives by providing a framework within which to implement procedures. Where standards are mandatory, guidelines are recommendations. An everyday example of the difference between a standard and a guideline is a STOP sign, which is a standard, versus a "Please Keep Off the Grass" sign, which is a request rather than a law.

TABLE 3. SAMPLE APPLICATION CHANGE MANAGEMENT PROCEDURE
Application Change Management Procedure
General

The System Service Request (SSR) is used to initiate and document all programming activity. It is used to communicate customer needs to Application Development (AD) personnel. An SSR may be initiated and prepared by a customer, a member of the AD staff, or any other individual who has identified a need or requirement, a problem, or an enhancement to an application. No tasks are to be undertaken without a completed SSR.

System Service Request
General

This form, specifying the desired results to be achieved, is completed by the customer and sent, together with supporting documentation, to AD. The request may include the identification of a problem or the documentation of a new request. Customers are encouraged to submit their request in sufficient detail to permit the AD project leader to accurately estimate the effort needed to satisfy the request, but it may be necessary for the project leader to contact the customer and obtain supplementary information. This information should be attached to a copy of the SSR.
     After the requested programs have been completed, the agreed-upon Acceptance tests will be conducted. After the customer has verified that the request has been satisfied, the customer will indicate approval on the SSR. This form will also be used to document that the completed project has been placed into production status.

Processing
This section describes the processing of a System Service Request:
  1. The customer initiates the process by completing the SSR and forwarding it to the appropriate Project Manager (PM) or the Director of Application Development.
  2. The SSR is received in the AD department. Regardless of who in AD actually receives the SSR, it must be delivered to the appropriate PM.
  3. If the PM finds the description of requirements on the SSR inadequate or unclear, the PM will directly contact the customer for clarification.
     When the PM fully understands the requirements, the PM will prepare an analysis and an estimate of the effort required to satisfy the request. In some cases, the PM may feel that it is either impossible or impractical to satisfy the request. In this case, the PM will discuss with the customer the reasons why the request should not be implemented. If the customer reaffirms the request, the PM and Director of AD will jointly determine whether to appeal the customer's decision to the Information Systems Steering Committee (ISSC) for a final ruling on the SSR.

  4. If the project estimate is forty (40) hours or less, the detailed design should be reviewed with the customer. After design concurrence has been received, the PM will project the tentative target date (TTD) for completion of the SSR. In setting the TTD, the PM will take into consideration the resources available and other project commitments. The TTD will be promptly communicated to the requesting customer.
  5. If the project estimate exceeds forty (40) hours, the SSR and any supplemental project documentation will be forwarded to the ISSC for review, priority determination, and authorization to proceed.
     The committee will determine whether the requested change is to be scheduled for immediate implementation, scheduled for future implementation, or disapproved. If the request is disapproved, it is immediately returned to the customer, together with an explanation of the reason(s) for disapproval. If it is approved for implementation, a priority designation is made and the SSR is returned to AD for implementation scheduling.
     After implementation authorization has been received, the detailed design should be reviewed with the customer. After design concurrence has been received, the PM will project a TTD for completion of the project. In setting a TTD, the PM will take into consideration resources available and other project commitments. The TTD will be promptly communicated to the customer.
  6. The PM will coordinate with AD personnel and other IT management and staff personnel (such as Database Administration, User Support Services, Network Administration, etc.) as to the resources that will be required to satisfy this request, or if there will be an operational or procedural impact in the other areas.
  7. The PM will contact the customer to discuss, in detail, the test(s) that are to be conducted.
  8. When Acceptance Testing (AT) has been completed, and the customer has verified the accuracy of the results obtained, the customer will indicate its approval to place the project into production by signing the SSR.
  9. The Production Control Group (PCG) will place the project into production status. The PM will complete the bottom portion of the SSR, documenting that the project has been placed into production. The PM will log the status of the request as "completed" and file a copy of the SSR. The PM will promptly notify the customer that the project has been completed and placed into production.
Retention of Forms and Documentation
All documentation associated with the processing of each SSR will be retained for at least twelve (12) months.

Some organizations issue overall information security policies and standards documents (see Figure 1). These can be a mix of Tier 1, Tier 2, and Tier 3 policies and their supporting standards and guidelines. While it is appropriate to include policies in a document such as this, it is considered impractical to include standards, procedures, or guidelines in Tier 1 policies.


6 POLICY KEY ELEMENTS

To meet the needs of an organization, a good policy should:
  • Be easy to understand. As discussed in Chapter 1, it is important that the material presented meet the requirements of the intended audience. All too often, policies, standards, and procedures are written by subject experts and given to a general-use audience. The material is often written at a college level when the average reading and comprehension level in the workplace is that of a sixth grader (a 12-year-old).
  • Be applicable. When creating policy, the writer may research other organizations and copy that document verbatim. What really must be done is to ensure that whatever is written meets the needs of your specific organization.
  • Be do-able. Can the organization and its employees still meet business objectives if the policy is implemented? I have seen many organizations that have written the ultimate security policy, only to find out that it was so restrictive that the mission of the organization was placed at risk.
  • Be enforceable. Do not write a self-defeating policy such as "Use of the company-provided telephone is for business calls only." For most organizations, this may, in fact, be the policy, but almost every phone in the facility is used daily for personal calls. What might make a better policy is one that says that "Company-provided telephones are to be used for management-approved functions only." This provides some latitude and still meets the business need.
  • Be phased in. It may be necessary to allow the organization to read and digest the policy before it takes effect. Many organizations publish a policy and then require the business units to submit a compliance plan within a specific number of days after publication. This provides the business unit managers a period of time to review the policy, determine where their organization might be deficient, and then submit a timetable for compliance. These compliance letters are normally kept on file and are made available to the audit staff.
  • Be proactive. State what must be done: do not get into the rut of making pronouncements — "Thou shalt not!!!!" Try to state what can be done and what is expected of the employees.
  • Avoid absolutes. Never say never. Be diplomatic and understand the politically correct way to say things. When discussing sanctions for noncompliance, some organizations have stated that "Employees violating this policy will be subject to disciplinary sanctions up to and including dismissal without warning," when the policy could have something like, "Employees found in noncompliance with this policy will be deemed in violation of the Employee Standards of Conduct." The Standards of Conduct state that employees will suffer disciplinary sanctions up to and including dismissal. Use the kindlier, gentler approach.
  • Meet business objectives. Security professionals must learn that controls exist to bring the organization to an acceptable level of risk. One hundred percent security is zero percent productivity. Whenever controls or policy impact the business objectives or mission of the organization, the controls and policy will lose. Work to understand that the policy exists to support the business, not the other way round.
The information security policy should cover all forms of information. In 1965 the computer industry introduced the concept of the "paperless office." The advent of third-generation computers had many in management believing that all information would be stored and secured electronically and that paper would become obsolete. When we talk to management about establishing an information security policy, it will be necessary to discuss with them the need to extend the policy to cover all information wherever it is found and in whatever format it exists. Computer-held information comprises a small percentage of the organization's entire information resources. Make sure the policy meets the needs of your organization.
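The "Be easy to understand" point above sets a concrete target (a sixth-grade reading level) but gives no way to check a draft against it. The following is an added example, not code from the book: it scores a policy statement with the standard Flesch-Kincaid grade-level formula and compares the result with that target. The sample text is the first two sentences of the Table 1 policy; the syllable counter is an approximate vowel-group heuristic, so treat the grade as an estimate rather than an exact figure.

```python
"""Flesch-Kincaid grade level for a policy statement.

Added example (not from the book). Checks a draft policy against the
sixth-grade reading target the chapter recommends. The syllable counter is
an approximate heuristic; the grade is an estimate, not an exact value.
"""
import re

# Sample input: the first two sentences of the Table 1 policy from the chapter.
SAMPLE_POLICY = (
    "Business information is an essential asset of the Company. "
    "This is true of all business information within the Company, regardless of "
    "how it is created, distributed, or stored and whether it is typed, handwritten, "
    "printed, filmed, computer generated, or spoken."
)

# Flesch-Kincaid: 0.39 * (words/sentences) + 11.8 * (syllables/words) - 15.59
TARGET_GRADE = 6.0


def count_syllables(word: str) -> int:
    """Approximate syllable count: number of vowel groups, minus a trailing
    silent 'e' (except '-le'/'-ee'), never less than one."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and n > 1:
        n -= 1
    return max(n, 1)


def text_stats(text: str) -> dict:
    """Sentence, word and syllable counts for a block of prose."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    syllables = sum(count_syllables(w) for w in words)
    return {"sentences": len(sentences), "words": len(words), "syllables": syllables}


def fk_grade(text: str) -> float:
    """Flesch-Kincaid grade level, rounded to one decimal place."""
    s = text_stats(text)
    if s["sentences"] == 0 or s["words"] == 0:
        return 0.0
    grade = 0.39 * s["words"] / s["sentences"] + 11.8 * s["syllables"] / s["words"] - 15.59
    return round(grade, 1)


def meets_target(text: str, max_grade: float = TARGET_GRADE) -> bool:
    """True when the estimated grade level is at or below the target."""
    return fk_grade(text) <= max_grade


if __name__ == "__main__":
    stats = text_stats(SAMPLE_POLICY)
    print(f"sentences={stats['sentences']} words={stats['words']} syllables={stats['syllables']}")
    print(f"estimated grade level: {fk_grade(SAMPLE_POLICY)} (target <= {TARGET_GRADE})")
    print("meets target" if meets_target(SAMPLE_POLICY) else "too hard for the target audience")
```

Run against the sample, the two sentences average twenty words each with many multi-syllable words, so the estimate lands well above a sixth-grade level; shorter sentences and plainer words bring it down, which is exactly the editing the "easy to understand" point asks for.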


7 POLICY FORMAT

The actual physical format (layout) of the policy will depend on what policies look like in your own organization. It is very important that any policy developed look like published policies from the organization. Some members of the review panel will be unable to read and critique the new policy if it does not look like a policy.

Policies are generally brief in comparison to procedures and normally consist of one page of text using both sides of the paper. In my classes I stress the concept of brevity. However, it is important to balance brevity with clarity. Use all the words you need to complete the thought, but fight the urge to add more information.

Years ago we had a young priest visit our parish and his homily that weekend included a discussion of the concept of imprinting. This concept is normally covered in a basic psychology class, is an early social behavior among birds, and is a process that causes the newly hatched birds to become rapidly and strongly attached to social objects such as parents or parental surrogates. While many understood what the priest was talking about, the majority of the parish just stared at him blankly. So he continued to add explanation after explanation until his homily lasted about 45 minutes. When writing a policy, balance the attention span time limit with what needs to be addressed. Keep it brief, but make it understandable.

There are three types of policies, and you will use each type at different times in your information security program and throughout the organization to support the business process or mission. The three types of policies include:
  1. Global policies (Tier 1). These are used to create the organization's overall vision and direction.
  2. Topic-specific policies (Tier 2). These address particular subjects of concern. The information security architecture and each of its categories (see Figure 2) are discussed later.
  3. Application-specific policies (Tier 3). These focus on decisions taken by management to control particular applications (financial reporting, payroll, etc.) or systems (budgeting system).

7.1 Global Policy (Tier 1)


Under the Standard of Due Care, and charged with the ultimate responsibility for meeting business objectives or mission requirements, senior management must ensure that necessary resources are effectively applied to develop the capabilities to meet the mission requirements. Management must incorporate the results of the risk analysis process into the decision-making process. Senior management is also responsible for issuing global policies to establish the organization's direction in protecting information assets.

An information security policy will define the intent of management and its sponsoring body with regard to protecting the information assets of the organization. It will include the scope of the program; that is, where it will reach and what information is included in this policy. Finally, the policy will establish who is responsible for what.

The components of a global (Tier 1) policy typically include the following four characteristics.

7.1.1 Topic.
The topic portion of the policy defines what the policy is specifically going to address. Because the attention span of readers is limited, the topic must appear quickly, for example, in the opening or topic sentence. I normally suggest (note that this is a guideline, not a standard) that the topic sentence also include a "hook": the reason why the reader should continue to read this policy. So, in the opening sentence, we want to convey two important elements: (1) the topic (it should have something to do with the title of the policy), and (2) the hook (why the reader should continue to read the policy).

An opening topic sentence might read as follows: "Information created while employed by the company is the property of the company and must be properly protected."

7.1.2 Scope.
The scope can be used to broaden or narrow either the topic or the audience. In an information security policy statement, we could say that "information is an asset and the property of the company and all employees are responsible for protecting that asset." In this sentence we have broadened the audience to include all employees. We can also say something like, "Business information is an essential asset of the Company. This is true of all business information within the Company, regardless of how it is created, distributed, or stored and whether it is typed, handwritten, printed, filmed, computer generated, or spoken." Here, the writer broadened the topic to include all types of information assets.

Another example of broadening the scope might be as follows: "Information of The Company, its subsidiaries and affiliates in electronic form, whether being transmitted, or stored, is a key asset of the Company and must be protected according to its sensitivity, criticality, and value." Here, the topic is narrowed to information in "electronic form." However, the audience is broadened to include "subsidiaries and affiliates."

We can also use the scope concept to narrow the topic or audience. In an Employment Agreement policy, the audience is restricted to a specific group, as in the following:
  • The parties to this Agreement dated (specify) are (Name of Company), a (specify State and type of company) (the "Company"), and (Name of Employee) (the "Executive").
  • The Company wishes to employ the Executive, and the Executive wishes to accept employment with the Company, on the terms and subject to the conditions set forth in this Agreement. It is therefore agreed as follows:

Here, the policy is restricted to Executives and will then go on to discuss what can and cannot be done by the executives. A sample employment agreement policy is contained in the section entitled "Tier 2 Policy Examples."

7.1.3 Responsibilities.
Typically, this section of the policy identifies who is responsible for what. When writing, it is better to identify the "who" by job title and not by name. Here again, the Office Administrator's Reference Guide can be of great assistance. The policy should identify what is expected from each of the stakeholders.

7.1.4 Compliance or Consequences.
When business units or employees are found to be in a noncompliant situation, the policy must spell out the consequences of these actions. For business units or departments, if they are found in noncompliance, they are generally subject to an audit item and will have to prepare a formal compliance response.

For an employee, being found in noncompliance with a company policy will mean they are in violation of the organization's Employee Standards of Conduct and will be subject to the consequences described in the Employee Discipline Policy.

7.1.5 Sample Information Security Global Policies.
We now examine sample information security policies and then critique them. The written policy should clear up confusion, not generate new problems. When preparing a document for a specific audience, remember that the writer will not have the opportunity to sit down with each reader and explain what each item or sentence means. The writer will not be able to tell every person how the policy will impact the reader's daily assignments. When writing a policy, know your audience. For a global (Tier 1) policy, the audience is the employee base.

Using the general employee population as a base, let us examine a few policies and see if they have the four key elements we should be looking for. We want to see if these policies have:
  • A topic (including a topic and a "hook")
  • Scope (whether it broadens or narrows the topic or the audience, or both)
  • Responsibilities (based on job titles)
  • Compliance or consequences
Table 4 addresses the checklist as follows:
  • Topic: "Information is a valuable corporate asset…. As such, steps will be taken to protect information...."
  • Responsibilities: "The protection of these assets is a basic management responsibility."
  • Scope: "Ensuring that all employees understand their obligation to protect these assets."
  • Compliance: "Noting variance from established security practice and for initiating corrective action."
This policy is a good start. However, the topic is vague, and that is not acceptable. The most important goal of any writing is to quickly identify the topic. Without the title, we would have only a vague idea of where the document is leading us.

When the policy establishes responsibilities, it works best if you use an active verb. In this example, the writer weakens the verbs "identify," "ensure," and "note" by turning them into the gerunds "identifying," "ensuring," and "noting" instead of stating them as direct, active verbs. Avoid this indirect, passive-sounding phrasing whenever possible.

When identifying levels of management, most organizations have established a scheme for how differing levels are referred to in print. Normally, Management, with an uppercase M, refers to senior management and lowercase management refers to line management or supervision.

In Table 4, the writer referred to the "employing officer." For many enterprises, an officer is the most senior level of management. Officers may rank up there with the board of directors. The Chief Executive Officer, Chief Financial Officer, etc. are examples of this level of management. It is pretty safe to assume that the writer was not intending for such a high-ranking individual to be involved in this policy.

TABLE 4: A UTILITY COMPANY'S INFORMATION SECURITY POLICY: EXAMPLE 1
Information Security Policy
Information is a valuable corporate asset. Business continuity is heavily dependent upon the integrity and continued availability of certain critical information and the means by which that information is gathered, stored, processed, communicated, and reported. As such, steps will be taken to protect information assets from unauthorized use, modification, disclosure, or destruction, whether accidental or intentional.
     The protection of these assets is a basic management responsibility. Employing officers are responsible for:
  • Identifying and protecting computer-related information assets within their assigned area of management control
  • Ensuring that these assets are used for management-approved purposes only
  • Ensuring that all employees understand their obligation to protect these assets
  • Implementing security practices and procedures that are consistent with the Company Information Asset Security Manual and the value of the asset
  • Noting variance from established security practice and for initiating corrective action

TABLE 5. A POWER COMPANY'S INFORMATION SECURITY POLICY: EXAMPLE 2
Information Security
Policy Statement

It is the policy of the Power and Light Company to protect all company information from disclosures that would violate company commitments to others or would compromise the competitive stance of the company.

Employee Responsibilities
Employee responsibilities are defined in Company Procedure AUT 15. Violations of these responsibilities are subject to appropriate disciplinary action up to and including discharge, legal action, or having the matter referred to law enforcement agencies.

Table 5 addresses the checklist as follows:
  • Topic. The policy statement establishes that "company information… that would violate company commitments... or compromise... competitive stance..." must be protected.
  • Responsibilities. The policy does establish "employee responsibilities;" however, if there is to be a reference to another document, there are two standards and one guideline that must be followed:
    • The referenced document must exist.
    • The reader must be able to easily access the referenced document.
    • Referencing other documents should be used judiciously.
  • Scope. Here, the policy makes a mistake in the first section; the policy actually narrows the scope of the material to be protected by stating that "company information...that would violate company commitments...or compromise...competitive stance...." This statement, in fact, narrows the overall policy direction to only that information that meets this specific criterion.
  • Compliance. Straight out: you violate, you pay the penalty. This may be a bit harsh. Remember that part of policy implementation is acceptance. A better way to state this consequence might be: "Employees found to be in violation of this policy will be subject to the measures described in the Employee Discipline Policy."

This policy does meet one of the main requirements of a policy: that it be brief. In fact, it appears to be too brief. Some very important elements are left out, especially what role management will play in this policy and how compliance will be monitored. The policy also seems to exclude information about personnel.

The opening sentence speaks of the "policy" of the company. The document was drafted as a policy statement, so it is not necessary to add the term "policy" to the text. Let the words establish what the policy is.

Now let us take a look at the policy statement we used as an example earlier in this chapter (Table 6).

TABLE 6. INFORMATION SECURITY POLICY FOR A HEALTHCARE PROVIDER: EXAMPLE 3
Information Security Policy
Business information is an essential asset of the Company. This is true of all business information within the Company, regardless of how it is created, distributed, or stored and whether it is typed, handwritten, printed, filmed, computer generated, or spoken.
     All employees are responsible for protecting corporate information from unauthorized access, modification, duplication, destruction, or disclosure, whether accidental or intentional. This responsibility is essential to Company business. When information is not well-protected, the Company can be harmed in various ways, such as significant loss in market share and a damaged reputation.
     Details of each employee's responsibilities for protecting Company information are documented in the Information Protection Policies and Standards Manual. Management is responsible for ensuring that all employees understand and adhere to these policies and standards. Management is also responsible for noting variances from established security practices and for initiating corrective actions.
     Internal auditors will perform periodic reviews to ensure ongoing compliance with the Company information protection policy. Violations of this policy will be addressed as prescribed in the Human Resource Policy Guide for Management.

For this critique we will examine the policy line-by-line. The initial line starts out as:
  1. Business information is an essential asset of the Company.
    • This starts out as a topic sentence, but it leaves out the hook.
  2. This is true of all business information within the Company, regardless of how it is created, distributed, or stored and whether it is typed, handwritten, printed, filmed, computer generated, or spoken.
    • This is scope; it addresses all the various types of information that could be included.
  3. All employees are responsible for protecting corporate information from unauthorized access, modification, duplication, destruction, or disclosure, whether accidental or intentional.
    • Here, finally, is the hook. It also has scope in that it includes all employees.
  4. This responsibility is essential to Company business.
    • This is probably additional scope, but appears to be part of an explanation. When developing a policy, it is not necessary to include why the policy was created. Explaining the "why" will be handled in the policy awareness program.
  5. When information is not well protected, the Company can be harmed in various ways, such as significant loss in market share and a damaged reputation.
    • This is definitely why the policy is important. To be clear on this point, the policy needs to be as clear and concise as possible. Try to avoid adding why the policy was created. After the policy has been around for a few years and become part of the culture of the organization, it will seem superfluous to have these words in the policy.
  6. Details of each employee's responsibilities for protecting Company information are documented in the Information Protection Policies and Standards Manual.
    • Remember our two standards and one guideline about referencing other works: (1) the document has to exist; (2) it has to be easily accessible to the reader; and (3) use this tactic infrequently. Note in line six that the author changes information type from "business" information to "company" information. This could add confusion for the reader. Strive to be consistent throughout the policy.
  7. Management is responsible for ensuring that all employees understand and adhere to these policies and standards.
    • Here, the sentence begins with "Management." Is the capital "M" for the beginning of the sentence, or is it there to identify a level of management? When writing a sentence like this, it is better to start with an adjective such as "Company Management." This will reduce the confusion for the reader.
  8. Management is also responsible for noting variances from established security practices and for initiating corrective actions.
    • The same critique as sentence seven. This is a reference to responsibilities and also what to do if a business unit is found to be in a noncompliant condition.
  9. Internal auditors will perform periodic reviews to ensure ongoing compliance with the Company information protection policy.
    • This sentence causes me the greatest concern. This is what auditors do, so it is not necessary to include a statement like this in the policy. Additionally, if this sentence remains, then the policy requires that only internal auditors can conduct reviews of this policy. Remember, when writing anything, to be very careful with what you say. The words will be interpreted by each reader in the manner that best meets their needs.
  10. Violations of this policy will be addressed as prescribed in the Human Resource Policy Guide for Management.
    • As we discussed in the review of sentence seven, the rules on other documents apply. This is the final compliance issue as it addresses what occurs when employees are in a noncompliant condition.
We now examine one last sample policy (Table 7). This one appears to have all of the elements. I recommend that, when you critique something, you read it through completely. Then go back and dissect it line by line. We will look for our four key elements: (1) topic, (2) scope, (3) responsibilities, and (4) compliance.

TABLE 7. A UTILITY COMPANY'S INFORMATION PROTECTION POLICY: EXAMPLE 4
Information Protection
Policy
Information is a company asset and is the property of Your Company. Your Company information includes information that is electronically generated, printed, filmed, typed, stored, or verbally communicated. Information must be protected according to its sensitivity, criticality, and value, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed.
Responsibilities
  1. Employees are responsible for protecting corporate information from unauthorized access, modification, duplication, destruction, or disclosure.
  2. Employees responsible for creating, administering, or using corporate information are identified as information owners, custodians, and users with responsibilities to protect information under their control.
    1. Owner: Employees responsible for the creation or use of the information resource. Owners are responsible to define safeguards that assure the confidentiality, availability, and integrity of the information assets. Owners are also responsible to place information in the proper classification so that it can be obtained by those who need the information to perform their assigned duties (see section 4 below).
    2. Custodian: Employees responsible for maintaining the safeguards established by the owner. The custodian is designated by the owner.
    3. Users: Employees responsible for using and safeguarding information under their control according to the directions of the owner. Users are authorized access to information assets by the owner.
  3. Access to information will be granted by the owner to those with an approved business need.
  4. All corporate information shall be classified by the owner into one of three classification categories:
    1. Confidential: Information that, if disclosed, could violate the privacy of individuals, reduce the company's competitive advantage, or cause damage to the company.
    2. Public: Information that has been made available for public distribution through authorized company channels. (See Corporate Communications Policy.)
    3. Internal Use: Information that is intended for use by employees when conducting company business. Information that does not qualify as Confidential or Public is classified as Internal Use.
Compliance
  1. Each Manager shall:
    1. Develop and administer an information protection program that appropriately classifies and protects corporate information under their control.
    2. Implement an employee awareness program to ensure that all employees are aware of the importance of information and the methods employed for its protection.
    3. Establish an information records retention schedule in compliance with applicable laws and regulations.
  2. Employees who fail to comply with the policies will be considered in violation of Your Company's Employee Standards of Conduct and will be subject to appropriate corrective action.

The opening paragraph is captioned "policy"; this should give us the information we need. It does contain some of the topic sentences we discussed earlier. It has half the requirements we would like to see, and it lacks the "hook." The second sentence contains the scope.

Under "Responsibilities," we find the "hook" in the first item. Item numbers two, three, and four appear to be elements that we would normally find in an Asset Classification policy. When I talked to the people who developed this policy, I was told that the company had gone through a paper-reduction process during the past couple of years and had streamlined its operating documents quite a bit. The new philosophy was that no new policies would be created. After about a year of campaigning and audit comments, the management approval team authorized one new policy. The team took advantage and combined the Information Security Policy and the Asset Classification Policy into the Information Protection Policy. What they did was correct, based on the current climate of their organization.

The final section discusses the compliance issues and includes some interesting requirements that management must implement to be compliant with this policy. The Information Protection Group developed a set of policies, standards, and guidelines that could be used by the various departments as a template for their own supporting documents. A sample of this type of document is included in the book under the section "Information Security Reference Guide."
