
Security Policy in the Real World

by phiber on July 16th, 2001

This paper examines some of the ground rules needed to ensure that relevant InfoSec information is gathered, presented and acted upon in an effective manner under typical business constraints.

At last, Information Security ("InfoSec") policy is getting more attention, and more companies are beginning to take seriously the threat that security breaches may have a serious impact on the well-being - or, indeed, the very existence - of their business. This awareness brings with it increasing pressure on InfoSec professionals - many of whom may have reached their position as "the company security expert" by default, or without the benefit of specialised technical knowledge or traditional management training. This situation creates pressure from both ends: the need to keep up to date with the latest technical trends and vulnerabilities, as well as the need to present highly complex technical issues to lay management in order to secure the necessary funding and/or actions.

Why is a Security Policy Important?

A company's Security Policy is the central repository where intangibles such as corporate philosophy, mission statements, culture, attitude to risk and other "hard to define" parameters can finally be crystallised into enforceable, measurable, action statements, procedures and ways of working. By focusing on a company's Security Policy, the InfoSec professional can finally begin to have a meaningful impact on the actual fabric of everyday business activities within an Information Security context.

"All organizations need a security policy". As well as including the obvious examples such as medium or large corporations, this statement also extends to small "SOHO" type businesses, or even, in the extreme, to personal laptop computers which may, at times, be connected to the corporate network. The threats to the integrity, and therefore the usefulness, of any computer system are increasing daily as intruder attacks and "malware" become more sophisticated and more widespread. No matter what the mission or purpose of a system, an effective security policy must therefore be in place to avoid that capability being compromised. Clearly the sophistication and scope of such a policy will be influenced by the size and nature of the organisation itself, but the underlying need for a security policy is nevertheless irrefutable. The scope and content of an effective Security Policy will vary greatly according to the nature of the organisation for which it is prepared, but for the purpose of this discussion we will constrain ourselves to a few general principles which remain effective regardless of the size of the organisation in which they are applied.

In many business organisations of more than a few individuals, the responsibility for forming and, ultimately, implementing and maintaining a security policy will fall to a "specialist" (who may be either a single individual or small team) whose prior knowledge and understanding of security issues may only have come about as a by-product of their more general association with IT activities. Typically, such a task falls within the remit of the IT department and frequently, security becomes tacked on to the general duties of whoever is responsible for system or network administration.

Regardless, whether we are talking about a small business, or a multinational corporation, security is an issue which (deservedly if somewhat belatedly) is gaining greater attention, and a cohesive and structured approach is necessary to ensure that an effective policy is put into place and maintained within an appropriate timescale and using appropriate resources.

A security policy should reflect the philosophy and culture of the organisation itself - in many ways the security policy is the formal embodiment of the "ways of working" and informal culture which would otherwise remain qualitative as opposed to quantitative. Defining a security policy is an opportunity for an organisation to simultaneously define and refine its collective attitude to both its internal operations and external relationships, and, as such, embraces all aspects of the organisation's operations, not just those directly impinged by "IT". In the extreme, some have used this mechanism to actually enforce a company's otherwise implicit security policy by coding such rules into (for example) a perimeter firewall, thereby enforcing hitherto "unspoken" (and probably, therefore, unenforced) policy.

One of the early steps in defining a security policy is to undertake a "state of the nation" review, in which the company's current approach to security-related matters is examined. In a small company (e.g. a SOHO company), existing arrangements might comprise solely the use of an antivirus package or, increasingly, the use of personal firewalls on individual hosts. Larger, more "internet-active" companies with "always on" Internet access (increasingly, ADSL or cable modem connected systems) might well already have a firewall in place at the Internet threshold, providing some limited intrusion detection via simple packet filtering. A company whose livelihood depends on the Internet (increasingly including banks and similar financial institutions as well as predominantly B2B, B2C or "bricks and clicks" traders) might already have sophisticated trading protection protocols in place (e.g. SSL or SET) but might nevertheless be vulnerable to "back door" intrusion via unprotected PC modems, or to malware introduced into the company environment by any number of other indirect mechanisms. Or a company with an already established security policy might nevertheless need to consider system-wide upgrades, such as centralised logging of distributed host-based intrusion detection systems to minimise the time spent analysing and correlating logs from many different systems. Security Policy is a continuous process of evaluation and monitoring, and what may have been sufficient or appropriate yesterday may well be inadequate today. Whatever the size of an organisation, and whatever the current state of its information security policy, there is always scope for a useful review of current policies and procedures. Just as security itself is not a product but a process, so it is necessary to constantly ensure that an organisation's security policy continues to meet the changing and evolving needs of the underlying business.
A security policy is just a snapshot in an ever-evolving movie.

Too often, the task of information security is "tacked on" to an existing role or to the responsibilities of an existing staff member, frequently a system or network admin functionary. This can have the effect, in priority terms, of downgrading the vital task of InfoSec to a "when you have time" or "while you're looking at the network, look at this too" kind of activity. Such practice is increasingly dangerous, and every organisation should take a step back to assess the real needs and level of importance of its InfoSec policy. There is no hard rule which says that the Information Security Office should be part of the IT function. InfoSec spans every aspect of a business's operations, and while much interaction between the IT function and the InfoSec office will be necessary, it is by no means a corollary that the InfoSec office should report through the IT function. The role of Chief InfoSec Officer should be carefully thought out, together with the scope of duties, responsibilities and reporting lineage. The fundamental support and co-operation of every corporate department is a prerequisite.
A key attribute of an InfoSec officer (as well as having appropriate technical knowledge and relevant, current experience) is an ability to communicate at all levels of the company. InfoSec is not a "stand alone" activity but one which depends heavily on the commitment, co-operation and understanding of everyone within the organisation, from the chief executive through to the office cleaner. The InfoSec initiative must be sponsored and approved at the top level of management, and its objectives and procedures effectively communicated through every level of the organisation. Too often, company members view the consequences of an effective security policy as restrictive, or as "unnecessary" outside interference preventing them from doing their job. Some individuals may even react to any restriction by applying their own intuitive "rules were made to be broken" principle. If it is to be effective, everyone in the organisation will at some point be touched by a properly enforced security policy, and it is therefore essential to its continued effectiveness that any such contact is viewed in a constructive, rather than restrictive, sense. Even the best security policy can be compromised by non-compliance or reluctant compliance on the part of a company's employees, and a more extreme response from internal personnel can be potentially more dangerous than deliberately vindictive external attacks. So communication, training, regular briefings and involvement are all crucial factors in ensuring that a company's security policy is effective.

Another key skill in the InfoSec officer's armoury is the ability to gather and present information in an effective and constructive manner. For example, a key step in the security policy process is to conduct a risk assessment or threat analysis. A good place to start this process is by examining the traditional threat vectors and assessing their relevance, vulnerability and impact on your particular business. This information must then be presented to an internal decision-making body in such a way as to make the risks and consequences very clear, as well as presenting a portfolio of options and actions available. Remember that decisions on InfoSec policy, while being of the utmost importance and relevance to the InfoSec officer himself, are only one of the many (often conflicting) areas of activity competing for the attention and spending power of the manager responsible. It is therefore crucial that the InfoSec officer is able to compose a comprehensive view of the situation for presentation.

No matter what stage your company's InfoSec policy has reached, there is always scope for improvement and refinement. Before embarking on any research, training course, demonstration, presentation or report, it is important to know where such a step lies in the overall context of improving the company's security infrastructure. Every activity should have an ultimate objective, whether it be to "upgrade our packet filtering firewall to an application gateway proxy server" or to "implement a configuration change management policy to monitor software upgrades, patches and tripwire-protected binaries and system files". Be aware, however, that, generally speaking, an objective such as "showing how many new TLAs I can use to simultaneously impress and confuse my audience" should be avoided.

Any basic report or presentation should cover at least the following, in clear, understandable language, with purely technical terms included only where necessary:

  • The current situation

  • The threats faced, together with an assessment of vulnerability

  • The value or impact of these risks in business terms (remember: risk = threat x vulnerability)

  • How these risks may be reduced, mitigated, transferred or eliminated

  • Why action needs to be taken

  • What actions are available and the consequences & cost/benefits of each

While it is always dangerous to assume the outcome of any meeting or presentation, it is always worth having a number of solutions or action plans available. It is not unknown for suitably dynamic management to listen to a concise, comprehensive and informative presentation and then say "OK, we now understand the dangers we face. Now tell us what we should do about it." At this point, it is essential to be able to offer several options, ranging from "let's make a more detailed study" through to "I happen to have here a comprehensive 2 year plan detailing every step of a new InfoSec policy which addresses every one of the issues just raised. Please sign here."

The right response will depend on the current state of readiness of your particular organisation, the budget available and the predisposition of management to take appropriate and speedy decisions. At the very least, you must be in a position to capitalise on the interest which your risk assessment work has raised and to transform it into agreed and confirmed actions. Remember, your aim is always to move the company's security policy one step closer to its objective - an objective which is itself a moving target as technology, and the sophistication of potential security threats, continue to advance. The trick is to move closer to the objective faster than it is moving away from you. Remember also that you are competing for management time, attention and spending power with several other departments or functions, all of whom see their own pet project as the most important. Only you know that ensuring good information security is the determining factor in whether they, or, indeed, the company as a whole, will still be around to make such decisions in a couple of years' time!

By Derek Lightfoot for SecurityPortal
