

February 16, 2025

Developing Information Security Policies

Pay close attention when writing policies to make sure that they are effective and do not conflict with one another. To make sure that your policies are effective, keep the following secure design principles in mind:

Mandatory Reading:
Read the blog post The Security Principles of Saltzer and Schroeder (link) for a greater understanding.


Project Overview

This project includes the following tasks:

  1. Review and prioritize scenario audit observations
  2. Develop an information security policy and related procedure
  3. Develop an implementation and dissemination plan
Objective

A security policy is the document developed by an organization that formally states how it plans to protect its information and information systems. Organizations should treat a security policy as a "living document": the organization continuously reviews and updates it as technology and employee requirements change.

Organizations use several documents to support their policy infrastructure. In this project, you will develop the following documents:


  • An Information Security Policy
  • A procedure to support the policy

An effective security policy references the standards and guidelines that exist within an organization. An information security policy contains high-level statements with the intent of protecting information and assets. It is the responsibility of senior management to develop security policies.

Standards are mandatory controls that enforce and support the information security policy. Standards are a collection of properties or rules that an organization formally adopts and recognizes. There are many standards organizations in the information technology field including IEEE, EIA/TIA, NIST and ISO.

Guidelines are recommended, non-mandatory controls that support standards and provide a foundation for the development of best practices.

Procedures are the systematic instructions used by employees within the organization that explain how to implement the controls defined in the policies, standards, and guidelines.

For example, a password policy states the requirement for creating strong passwords and protecting them. A password construction guideline describes how to create a strong password and gives best-practice recommendations. The password procedure provides the step-by-step instructions for implementing the strong-password requirement. Within the information security policy framework, organizations update policies far less frequently than they update procedures.


Supplemental Materials
  1. Information Security Policy — A Development Guide (link)
  2. Technical Writing for IT Security Policies in Five Easy Steps (link)
Website Links
  1. Information Security Policy Template (link)
  2. Security Awareness Planning Toolkit (link)
  3. https://youtu.be/ZlKgMUOpMf8


Project Scenario

ACME Healthcare is a healthcare company that runs over 25 medical facilities, including patient care, diagnostics, outpatient care and emergency care. The organization has experienced several data breaches over the last five years. These data breaches have cost the organization financially and damaged its reputation.

The executive leadership team recently hired a new Chief Information Security Officer (CISO). The new CISO has brought in one of the top cybersecurity penetration-testing teams to perform a full security audit of the entire organization. This independent contractor conducted the audit and found the following vulnerabilities:


  1. Several accounts were identified for employees who are no longer employed by ACME.
  2. Several user accounts held unauthorized, escalated privileges and were used to access systems and information without formal authorization.
  3. Several devices and systems allowed unsecured remote access.
  4. Forty percent of all organization passwords audited were cracked within 6 hours.
  5. Password expiration was not standardized.
  6. Sensitive files were found unencrypted on user systems and laptops.
  7. Several wireless hotspots used WEP for encryption and authentication.
  8. Evidence indicates that sensitive e-mail was sent unencrypted to and from employee homes and mobile devices.
  9. Intrusion detection logs were infrequently reviewed and analyzed.
  10. Systems holding sensitive company data were used by employees for private purposes.
  11. Employee systems were left unattended, and employees failed to log out of the company network and data systems.
  12. System updates and configurations were performed inconsistently.
  13. Several firewall rules were set to permit all traffic unless specifically denied.
  14. Company servers were not updated with the latest patches.
  15. The intranet web server allowed users to change personal information about themselves, including contact information (address, phone number, etc.).
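Two of the findings above, 5 (password expiration not standardized) and 13 (firewall rules permit all traffic unless specifically denied), can be confirmed and remediated with scripted checks rather than by inspection alone. The Python below is an added example and is not part of the assignment or ACME's environment: the `iptables-save` dump and the `/etc/shadow` lines are constructed for illustration, and the 90-day maximum password age is an assumed standard value, not one the scenario specifies.

```python
# Added example (not part of the assignment): scripted checks for audit
# findings 5 (password expiration not standardized) and 13 (firewall rules
# permit all traffic unless specifically denied). All data below is
# constructed for illustration; the 90-day maximum age is an assumed standard.
import re
from typing import Dict, List, Sequence

# Constructed iptables-save output. The ":CHAIN POLICY [packets:bytes]" lines
# set the default disposition for traffic that no rule matches.
FIREWALL_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MGMT - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j DROP
COMMIT
"""

# Constructed /etc/shadow lines: user:hash:lastchange:min:max:warn:inactive:expire:
SHADOW_LINES = [
    "alice:$6$saltA$hashA:19700:0:90:7:::",
    "bob:$6$saltB$hashB:19650:0:99999:7:::",     # max age 99999 = effectively never
    "carol:$6$saltC$hashC:19720:0:365:7:::",     # longer than the assumed 90-day standard
    "svc-backup:*:19000:0:99999:7:::",           # locked account, no password to age
]


def default_policies(dump: str) -> Dict[str, str]:
    """Map each built-in chain in an iptables-save dump to its default policy."""
    policies: Dict[str, str] = {}
    for line in dump.splitlines():
        m = re.match(r"^:(\S+)\s+(ACCEPT|DROP|REJECT)\s", line)
        if m:  # user-defined chains show '-' instead of a policy and are skipped
            policies[m.group(1)] = m.group(2)
    return policies


def permit_by_default_chains(dump: str) -> List[str]:
    """Chains that allow everything not explicitly denied (finding 13)."""
    return sorted(c for c, p in default_policies(dump).items() if p == "ACCEPT")


def harden_default_policies(dump: str, chains: Sequence[str] = ("INPUT", "FORWARD")) -> str:
    """Rewrite the given chains' default policy from ACCEPT to DROP.

    Existing '-A ... -j ACCEPT' rules are left untouched, so traffic they
    permit keeps flowing; only traffic that matches no rule flips from
    permitted to denied.
    """
    out = []
    for line in dump.splitlines():
        m = re.match(r"^:(\S+)\s+ACCEPT(\s.*)$", line)
        if m and m.group(1) in chains:
            line = f":{m.group(1)} DROP{m.group(2)}"
        out.append(line)
    return "\n".join(out) + "\n"


def nonconforming_password_ages(shadow_lines: Sequence[str], max_days: int) -> Dict[str, str]:
    """Accounts whose password maximum age is unset or exceeds max_days (finding 5)."""
    findings: Dict[str, str] = {}
    for line in shadow_lines:
        fields = line.split(":")
        user, hashed, max_age = fields[0], fields[1], fields[4]
        if not hashed or hashed[0] in "*!":
            continue  # locked or passwordless accounts have nothing to expire
        if max_age == "" or int(max_age) > max_days:
            findings[user] = max_age or "unset"
    return findings


if __name__ == "__main__":
    print("permit-by-default chains:", permit_by_default_chains(FIREWALL_DUMP))
    hardened = harden_default_policies(FIREWALL_DUMP)
    print("after hardening:", permit_by_default_chains(hardened))
    print("password max age over 90 days:", nonconforming_password_ages(SHADOW_LINES, 90))
```

Two practitioner caveats. Changing a chain's default policy to DROP on a remote host locks out the administrator unless explicit allows for the management session exist first (the constructed dump carries the `conntrack ESTABLISHED,RELATED` and port 22 rules for exactly that reason), and OUTPUT is deliberately left at ACCEPT here because egress filtering is a separate decision. For finding 5, the standardizing control on Linux is `PASS_MAX_DAYS` in `/etc/login.defs` for new accounts plus `chage -M <days> <user>` for existing ones; the check above is what the procedure's verification step would run afterwards.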

Policies, Procedures, and Guidelines: Overview of the Scenario

  1. Read over the scenario given above. Watch the Information Security Policy (video). Differentiate the various levels and types of policies (describe at least 2 types and 2 levels of policies). Make sure you cite your sources.


Policies, Procedures, and Guidelines: Review and Prioritize Audit Findings

  1. Review the security audit findings from the Project Scenario above.
  2. Research the types of vulnerabilities listed and determine which pose the greatest threat.
  3. Based on your research, select the top five security audit findings that ACME should address.
  4. Create a Vulnerabilities Ranking Table like the one shown below, recording for each ranked finding a) the vulnerability, b) the recommended policy to mitigate it, and c) your justification.
  5. Remember to cite your justifications using footnotes.

Example: see the file below labeled Example 1.

RUBRIC:

Security audit findings

Find the top five starting with the greatest vulnerability.

Maximum score

8

Recommended Policies

Identify policies for top five vulnerabilities.

Maximum score

8

Policy Citations

Cite your policy for each vulnerability.

Maximum score

Policies, Procedures, and Guidelines: Develop Policy Documents

Part 1: Create an Information Security Policy
  1. Select a vulnerability from your submitted table and develop a security policy for that one vulnerability. (It should be a policy, NOT a procedure or guideline.)
    1. Use the SANS templates (see Weblinks above) to develop your specific security policy for ACME Healthcare.

NOTE: Follow the template as a guideline. Address all existing policy elements in the template. No policy should exceed two pages in length.


Part 2: Create a Procedure
  1. Create a separate step-by-step set of instructions (a procedure) that supports your information security policy.
  2. Include all of the information that a user would need to properly configure or complete the task in accordance with the security policy.

You should be submitting two documents to get full credit!

RUBRIC:

Information Security Policy

Document is an Information Security Policy that contains all sections included in the SANS template, not a procedure or Guideline.

Maximum score

15

Information Security Procedure

Document is a step-by-step set of instructions that contains all of the information that a user would need to properly configure or complete the task (Procedure)

Maximum score

10


Policies, Procedures, and Guidelines: Develop Plan to Disseminate and Evaluate Policies

Research and document the information required to create an information security policy implementation and dissemination plan (use the Security Awareness Planning Toolkit above). Include the specific tasks and events that ACME Healthcare will use to make sure that all employees involved are aware of the information security policies that pertain to them. The plan should name any specific departments that need to be involved. ACME Healthcare must also be able to assess whether individuals have the proper knowledge of the policies that pertain to their job responsibilities.

Example: see the file labeled Example 2.

RUBRIC:

Tasks and Events

List at least ten tasks or events

Maximum score

10

Departments

List of departments that should be involved

Maximum score

10

Metrics

Method of assessing absorption of information by employees

Maximum score

5