In the last Security Notes, we covered the second of the "3 P's" of information security: people. This month we introduce the last "P": policies.
Blueprints are used in the construction industry as detailed plans containing the structural, electrical, foundational, and floor plan elements of a future building or home. Most would consider it foolish for a builder to begin construction without first creating a blueprint. How would the electrician know where to run the wiring? How would the plumber know where to install the toilets?
Without a blueprint, that is, without any planning or documentation of the objectives, the construction site would become a chaotic scene full of confusion and frustration between contractors. This type of environment would lead some to make ad hoc decisions that could affect the finished product in unpredictable and undesirable ways.
Similarly, in information security, a policy is, in the simplest definition, a plan or course of action intended to influence and define future decisions and actions. Security policies are the business "blueprint" that states how security should be practiced within an organization, which actions are acceptable, and what level of risk the organization is willing to accept. Policy is derived from the laws, regulations, and business objectives that shape and constrain the organization. So the security policies of a large retail chain, a top secret government agency, and a local advertising firm would (or should) all differ, because their business objectives and security needs differ.
Sadly, the creation of this documentation is often disregarded or given low priority because its value is not understood. It seems easier to purchase the latest technology solution promising to secure your network than to undertake the painful and tedious task of putting your organization's security strategy on paper. However, policies provide benefits that are hard to achieve with technology alone. I will highlight a few of them here.
Development and approval of policies require the support of upper management. That support brings awareness, involvement, and a higher organizational priority for information security. Policies also empower security staff to do their job even when that means making decisions the user base may oppose (e.g., blocking IM programs or music downloads). Finally, from justifying the IT security budget to determining discipline for an employee who has violated the policy, an information security policy provides a benchmark against which responsible behavior can be evaluated.
Be proactive. Document your organization's plan for protecting its vital resources. Dedicate the time and resources now; don't continue building without a blueprint any longer. If you have any questions about developing or improving your organization's security policies, please contact us.
Dawn Schulte, CISSP Senior Security Consultant