Slashdot Mirror
Building an Effective Information Security Policy Architecture
Ben Rothke writes "Security
policies are like fiber, that is, the kind you
eat. Everyone agrees that
fiber is good for you, but no one really wants to eat
it. So too with information
security policies. They are
sorely needed, but most users don't go out of their way to comply with
them. And in many firms, they
are not even trained in what they have to do.
But
failure to
have adequate information security policies can lead to myriad risks for an
organization." Keep reading for the rest of Ben's review.
Building an Effective Information Security Policy Architecture
author
Sandy Bacik
pages
340
publisher
CRC
rating
8
reviewer
Ben Rothke
ISBN
978-1420059052
summary
Good book for information security policy development
For
the sake of a basic definition, a policy is a formal, brief, and high-level
statement or plan that embraces an organization's general beliefs, goals,
objectives, and acceptable procedures for a specified subject
area. The purpose of
information security is to protect an organization's resources. The
cornerstone of any information security strategy is a robust set of policies,
procedures, standards and guidelines.
There are many reasons what information security policies are needed. Some of the most imperative reasons are:
Building an Effective Information Security Policy Architecture does a good job of showing the reader how to start from scratch and build their security policy infrastructure. The book starts off at a high-level about the need for policies, and then goes into details on how to develop, write and sell these policies to management.
The book is a good guide to the entire policy lifecycle, and how to use various means to get to the ultimate goal. At 340 pages, the first ten chapters comprise 155 pages and deal with creating the policy infrastructure, communicating with management, and putting the entire policy puzzle together. The final 185 pages comprise 21 appendices of various examples of different policies.
A most significant downside and frustrating part to the book is that there is no CD-ROM with it, or companion website in which to download and use the numerous policy and process examples. At $80.00, such an option should be de rigueur. The lack of electronic versions of the policies in a book such as this is senseless.
Also, this is the first technology book that I have ever seen that did not cite a single reference. It is hard to imagine writing a book on this topic without using some sort of external reference. While the author may not want to quote sources, she should at least point the reader to other sources of information about security policies. Two notable and essential sources in the information security policy space are the SANS Institute — SANS Security Policy Project, which is free, and Information Security Policies Made Easy from Information Shield, Inc., which is $795.00, but worth every penny for a serious security policy effort. Full disclosure: I am on the Information Shield Expert Panel, but get no financial incentives or compensation.
Overall, Building an Effective Information Security Policy Architecture is a good resource to use if you are tasked to create or modify your organizations set of information security policies. The book will likely find itself on the desk of many information security professionals.
While it is frustrating that the book makes you reinvent the wheel by not having electronic versions of the polices, its value still can't be underestimated. Let's hope future versions of the book will fix that anomaly.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Building an Effective Information Security Policy Architecture from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
There are many reasons what information security policies are needed. Some of the most imperative reasons are:
- To inform users of their information protection duties
- Advise them what they can and cannot do with respect to sensitive information.
- Define how users are permitted to represent the organization, what they may disclose publicly, and how they may use organizational computer resources for personal purposes.
- To clearly define protective measures for these special information assets. The existence of a policy may be a decisive factor in a court of law, showing that the organization took steps to protect its intellectual property.
- Define both acceptable and unacceptable behavior. For example, spending a lot of time surfing the web and downloading videos off the net are both generally unacceptable.
- Policies are needed to establish the basis for disciplinary action, up to and including termination.
Building an Effective Information Security Policy Architecture does a good job of showing the reader how to start from scratch and build their security policy infrastructure. The book starts off at a high-level about the need for policies, and then goes into details on how to develop, write and sell these policies to management.
The book is a good guide to the entire policy lifecycle, and how to use various means to get to the ultimate goal. At 340 pages, the first ten chapters comprise 155 pages and deal with creating the policy infrastructure, communicating with management, and putting the entire policy puzzle together. The final 185 pages comprise 21 appendices of various examples of different policies.
A most significant downside and frustrating part to the book is that there is no CD-ROM with it, or companion website in which to download and use the numerous policy and process examples. At $80.00, such an option should be de rigueur. The lack of electronic versions of the policies in a book such as this is senseless.
Also, this is the first technology book that I have ever seen that did not cite a single reference. It is hard to imagine writing a book on this topic without using some sort of external reference. While the author may not want to quote sources, she should at least point the reader to other sources of information about security policies. Two notable and essential sources in the information security policy space are the SANS Institute — SANS Security Policy Project, which is free, and Information Security Policies Made Easy from Information Shield, Inc., which is $795.00, but worth every penny for a serious security policy effort. Full disclosure: I am on the Information Shield Expert Panel, but get no financial incentives or compensation.
Overall, Building an Effective Information Security Policy Architecture is a good resource to use if you are tasked to create or modify your organizations set of information security policies. The book will likely find itself on the desk of many information security professionals.
While it is frustrating that the book makes you reinvent the wheel by not having electronic versions of the polices, its value still can't be underestimated. Let's hope future versions of the book will fix that anomaly.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase Building an Effective Information Security Policy Architecture from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
What, do they pass chapters by value?
If you can read this, I forgot to post anonymously.
1. Open only as necessary per app.
2. Deny everything else.
Rule #1 -- Politics always trumps technology.
"LAX"ative, as in digital Feen-a-mint and digital Ex-Lax....
Big dirty mess at the end, butt no.body wants to clean up the mess...
Now, IT are looking at "data retention" policies to wipe up the mess before it sticks around too long..., and avoiding legal anu-tubal ligat... umm, litigation...
(see InformationWeek June 9, 2008, p 27...)
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Never, ever do this yourself. Hire an consulting firm to come in and give you an outsider's view of your dirty laundry. More often than not when you're just used to how "things work around here" you end up overlooking an amazing amount of stuff that happens around you, which in turn leads to all the effort, time and money being wasted.
Trust me on this one, my company tried to hot dog this ourselves twice and we failed both times. It wasn't until we brought someone else in that we ended up with a good working policy that really worked.
Some people will get their egos dinged and feelings hurt in the process (including some near the top), but a VP's indigestion is far more manageable than a massive level I breach. This is especially true if your company handles anyone else's financial or personal data for a living.
The twitter monologues. Click on my homepage and be amazed.
Sounds delicious, but does it really have more fiber?
...reflect the risk tolerance of the business?
You can't identify sensitive information assets because there's just too much data and no one can agree on what's sensitive and what's not. You shouldn't bother telling uses what they can and can't do because they aren't paying attention and even if they are, when a situation comes up where they should actually be using that info, they've forgotten it. And users who can't figure out on their own that surfing the net for pr0n on company time is unacceptable will probably do it anyway.
The only thing he got right is "Policies are needed to establish the basis for disciplinary action, up to and including termination." But it's an excuse for firing someone you probably didn't like anyway. If they're actually a valuable employee, you'll probably have to overlook whatever they did.
I'm a kiddie porn cop and author of books about kiddie porn! You insensitive clod!
Comment removed based on user account deletion
That book may be nice, but what about using ISO standards when it comes to information security ?
:/
Standards have been made after a long process of elaboration to be able to cope with every possible situations.
More informations on wikipedia : http://en.wikipedia.org/wiki/ISO_27001
And here : http://www.27000.org/index.htm
NB : allas, the documention don't seem free
Comment removed based on user account deletion
I can see that there will be a new job in future for "Chief Security Officer" in addition to "Chief Information Officer" in every organization. The penguins of the board room will all get together and decide how best to separate information-tech from security because CIOs today don't know sh** about security, but they pretend and talk like they do. Of course there must be a few good ones, but the majority are a waste of cash and stock options. If they had been doing their job well, we wouldn't need these kind of books such as "Information Security Policy made easy" or "IS for Idiots"..
"So too with information security policies. They are sorely needed, but most users don't go out of their way to comply with them. And in many firms, they are not even trained in what they have to do. But failure to have adequate information security policies can lead to myriad risks for an organization"
No amount of security policies is going to protect the 'computer', unless and until they can come up with a design that don't get 'infected' merely by clicking on a URL or opening an email attachment.
davecb5620@gmail.com
As part of a general security program, an information security policy can help to reduce exposure to legal liability for break-ins. . . . However, FTC did punish TJX (unfairly) even though it had a good faith security program. --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html
Benjamin Wright, Dallas, Texas, benjaminwright.us
From the Back Cover
.. :)
* Phishing and spyware
* Identity theft
* Workplace access
* Passwords
* Viruses and malware
* Remote access
* E-mail
* Web surfing and Internet use
* Instant messaging
* Personal firewalls and patches
* Hand-held devices
* Data backup
* Management of sensitive information
* Social engineering tactics
* Use of corporate resources
- unquote -
If they let their own IT staff get on with the job, instead of ordeing in the latest innovative fad, then we wouldn't even need a security policy architecture, what ever that is
davecb5620@gmail.com
From the summary:
"Define both acceptable and unacceptable behavior. For example, spending a lot of time surfing the web and downloading videos off the net are both generally unacceptable."
Acceptable behavior in the workplace should certainly be codified but by and large it is not a security issue. Gawking at YouTube videos all day is counter productive and probably not what your employers had in mind when they hired you. But it is not a security issue, it's a peformance issue and should be dealt with accordingly.
Easy solution. Work at a company and ... have a backup of their security policy ready. Think of it as a template.
When you leave that company do a replace on the company name and make it the official policy of the new company.
In case you get an audit match the auditors requirements with your security policy and enhance it where it lacks using the format of the template you brought along.
During the time of the audit have signs up in the office, revoke the CEO's and any other big shots/pain in the ass user's special privileges like having no password complexity, automatic timeout, etc.
When the auditors leave relax and congratulate yourself on how you played your part in the whole accreditation/compliance/certification placebo crap.
On the other hand if you really dislike a user point out a random clause in the policy and have them fired for violating it.
I wouldn't buy a book from CRC personally: CRC Lawsuit Frequently Asked Questions
--- These are not words: wierd, genious, rediculous
This book names policy. The problem with hacks today is that they are not always seen, and really can't be taken out. There are dirty hacks everywhere, and information is far too valuble for that. I think that they need information policies, because the usage is what the problem is.
You cannot hack a Travan tape.
You are for more right than Bishop is wrong ... or something like that.
...) content & systems from the daily office/public traffic. Security policy fails when you rely on people (the general office/public) keeping all the SecBS as ITgods-laws. Pay for a quality IT staff, retain them, keep them trained, outside-audit and stress-test your NetSec (OEM/OSD/OSP products/services updates, methods, edge-test/eval ...). Secure your network, systems, servers/services, content ... and be ready to share as much as possible or collaboration synergy without letting the evil ones know everything. Security is not a job for fools or dictators.
... GetSmartStaySharp and it will always be about Information Management and Sharing IMS with the best possible NetSec invisible to your staff, customers, and public. Never TripUp your users, layer your security, one level never fits all and is never effective from ... use PKI, Biometrics, monitoring, forensics ....
THE MISSION IS ALL! Security that prevents mission/CoreBiz+ performance is more harmful than valuable to the mission. However, probable mission success without some respectable and reasonable degree of security can be problematic.
Don't let security stop reality. Keep security in perspective and segment the critical (plans, G2, accounts
Best NetSec advice
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Wrong. Outsiders are an untouchable extension of the party or interest that called them in. They're more often than not used as a tool or weapon against opponents or to rent loyalty. As long as the outsider is fully dependent, they'll be loyal. So stocking a project or team with rented outsiders is a way of buying control.
Case in point: I've seen several occasions where teams spent a few months investigating and making detailed recommendations, only to be called on it and asked by those paying the bills to re-write from scratch and provide a 180-degree change in recommendations.
I've also seen occasions where the outsiders will play the different factions off against each other to generate more work for their firm: either the outsider is (wrongly) seen as neutral or the in-fighting uses too much time / mindshare to get real work done.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
You always have a policy. It may be implicit, relying on the experience and intuition of the technical people. It may be dysfunctional, like "everything goes". Or it may be written down, which I gather is the sort you find useless.
Written security policies are just plain indispensable if you're covered by PCI/DSS or HIPAA, since both standards require them. They also give you a way to do knowledge transfer: before a written policy, the technogeeks know not to download free toolbars, after a written policy everyone does.
Anything good has a policy underpinning it. Are the backup tapes encrypted? If so, it's because there was a policy decision to encrypt them, even if that decision was made by an empowered IT person rather than a suit or a consultant.
>You can't identify sensitive information assets because there's just too much data and no one can agree on what's sensitive and what's not.
You can identify enough to be useful. Customer credit card information and health records are things people can agree on, especially when external forces require them to. Protect the things you know are sensitive, and you can reduce the risk of something damaging or embarrassing happening, and reducing the risk is all you can hope for anyway.
Well-defined and documented security policies are practically useless if they are not technically enforced.
IT departments need to stop faulting the user as "They forgot X when handling information of Y type" because not every user who will be handling sensitive data will be capable of remembering and understanding how sensitive data should be handled. For example, do you think every person you talk to at a call-center at an health insurance company or hospital is a technical person, or are they a low-income, low-skill level employee? They are often handling sensitive information due to the nature of their job, but they are often not technically skilled and may not even be capable of learning technical skills.
IT departments are in place to make companies operate more efficiently while protecting the business. The IT department should be allowing the business to use a low-income/low-skill level employee to perform entry-level jobs like 'call-center operator', while minimizing business risk, because it is more efficient for the business to use the low-income/low-skill level employee as oppose to a high-income/high-skill level employee.
In order for the IT department to accomplish the goals defined by it's business role it needs to ensure that it's security policies are enforced automatically and with minimal impact to the end-user. The IT department has to make handling data the right way the easiest way.
Example Scenario:
If you know that an employee in X role is going to be handling sensitive information, define a policy that specifies various ways to protect the data. For example, in a policy you could state that transferring information via unencrypted protocals like FTP, SMTP (E-Mail), etc.. is not allowed. Once you have done this, ensure that you block outbound FTP access via the firewall and host a SSL encrypted FTP server at your site as an acceptable alternative for your end-user. Encrypt all outbound employee email using things like TLS, and force messages that are not destined for a pre-configured TLS partner to be forwarded via a TLS encrypted SMTP session to an independant service provider w/ a NDA that will host the messages for retrieval via a SSL secured web site while forwarding a non-sensitive email to notify the recipient that they need to login using their email address as a username and the previously agreed upon password. (One example of a service provider that will do this is Postini)
There are lots of ways to protect data to enforce policies with minimal user impact, but they require a creative IT department and a budget that allows them to be effective.
If a business is handling sensitive customer information, they have a responsibility to handle it well. IT departments should be tasked to implement things like Encrypting File System(EFS) for encrypting data on fileservers, backup tape encryption, 802.1x authentication for wired and wireless clients, two-factor authentication for network resources, segmented VLAN structure for various parts of networks (user, server, management, printers, etc..), OS and application deployment standardization, regular audits, IPSEC encryption of all network data, policy outlined and pre-defined patching cycles, etc...