# The Security Policy

A security policy need not read like "War and Peace"; instead it should be a simple and concise set of rules that can easily be understood, implemented and enforced. Your policy should also be accurate (i.e. mirror your actual situation) and acceptable to auditors, and perhaps to legal bodies. Where possible, link this document to other existing business policies, as this will avoid repetition, ease the updating process, and reduce the risk of contradiction.

A security policy is a formal statement describing the means by which users can access the organisation's data, and the rules that govern that access. It must clearly define the roles and responsibilities of users and managers.

If your company has some "public visibility", it is a good idea to investigate some of the security standards and standards bodies. E.g. compliance with BS7799-2 requires an organisation to have implemented and documented its Information Security Management System (ISMS) in accordance with the control objectives set out in Clause 4 of the BS7799-2:1999 documentation; gaining this certificate therefore tells your customers that you are serious about security!

Start with a simple audit of what you have (your physical and information assets), then perform a risk analysis to decide what needs to be protected, and how. Create a risk/threat matrix and score risks against their probability. Ask yourself some simple questions like:
Any effective policy must address the following issues:

| Area | What the policy should cover |
|---|---|
| Administration of: | |
| Vulnerability Assessment | This should outline how you intend to measure risks and threats. Remember that effective security is not about eliminating all risks, but about deciding which you can accept and which can be mitigated or removed. |
| Cryptographic usage | Check that any use of cryptography is legal in your country, and clearly outline its correct use. Remember that these tools could also be used to steal your data and smuggle it out right from under your nose! |
| Data authentication usage policy | Outline acceptable usage of data, and the checks made to ensure that the details held are correct. Pay particular attention to national legislation that covers this area. |
| Access control | Who can access what, and how is it controlled. It is always safest to work on the principle of the least access required to complete a task. |
| Users and User Accounts | This should cover the processes required to add and remove users, and how roles are defined. |
| Security Systems | Control of data privacy and of hardware such as firewalls. |
| Auditing and Monitoring | Monitoring security events and using audits to ensure compliance. E.g. do you have procedures in place that ensure security settings are regularly checked for changes? |
| Responsibilities | Who will be responsible (and accountable) for the administration and execution of the security policy. It is also important that you can identify information that belongs to your organisation, or originated from it. Consider setting up some kind of tracking system that enables each copy of a sensitive document to be labelled and uniquely identified. This could be as simple as every employee having to sign out marked copies of documents. |
| Responses | How alerts and intrusions are dealt with. |
| Reporting | How security alerts are reported to management, and then acted upon. |
| Escalation | When a serious problem occurs, how will the organisation react, and how will problems be escalated through the management structure? In the event of a serious incident, this could include contacting the police or an external body such as CERT. |
| Containment | How can you contain a threat and limit its damage? |
| After Care | How will you close the hole that allowed an attack to succeed? What procedures are in place to enable a forensic examination to discover what actually happened, and the extent of the damage? |
| Disclosure | If a security incident becomes public, how should it be handled? It is vital to educate your staff NOT to talk directly to the press, or to publicly discuss security or policy matters. Where possible, appoint a press officer and channel all corporate communication through this person. California has recently introduced a law under which any company that fails to make a full public disclosure when confidential data could have been compromised leaves itself open to a potential civil or class action for damages. |
| Accuracy | Policy versions should be clearly marked, and regularly reviewed and updated. |
| Terms of reference | All terms used should be precisely defined and explained; references to laws should be clear but flexible. |
| Litigation | Companies increasingly face the threat of litigation, so security policies need to be structured so that they will not only stand up in court, but also educate all employees to behave in a way that protects them. |
| Forensics | Following an incident, the preservation of evidence can be vital, as you may have to rely on it in court. Careful procedures need to be created to ensure that vital evidence is not destroyed before it can be passed to the authorities. Remember that any evidence discovery or data recording must comply with laws such as the Human Rights Act and the Data Protection Act. |
| Purchasing and Disposal | Great care must be exercised when purchasing and disposing of equipment. It should be a matter of policy that all hardware and software comes from a reputable source and is covered by a proper warranty. When equipment becomes obsolete or broken, it should be carefully assessed to ensure that it no longer contains any confidential information. |
Take care to check the laws of all the countries in which you operate (France and China have their own rules). National laws mostly apply in the country where the equipment is physically installed, which is why many companies now choose to place their servers in offshore locations where there is less legislation to limit their activities. The only problem arises when you are physically distributing goods to a country where there could be a tax liability. Many traders also turn a blind eye to this by simply not asking, and not collecting information that may later prove self-incriminating.