Writing Information Security Policies
Author: Scott Barman
Publisher: New Riders
Available for download is chapter 7 entitled “Email Security Policies”.
“A client called me up one day and asked me to come to his office. Once I arrived, he asked me to install a firewall so that his network would be secure. I asked him for his company’s security policy so I could configure the firewall. He gave me a curious look and asked – What do I need that for?” What a perfect opening for a book covering the ways and means of writing and enforcing security policies within organizations.
About the author
Scott Barman is currently an information security and systems architecture analyst for The MITRE Corporation working with the MITRE team to help the IRS modernize their IT infrastructure. He has been involved with information security for almost 20 years, nurturing the evolution of systems and their security requirements for commercial organizations and government agencies. Since the explosion of the Internet, and prior to joining MITRE, he has focused on various areas of security and policy development for many organizations in the Washington, D.C. area.
An interview with Scott Barman is available here.
Inside the book
New Riders’ publication “Writing Information Security Policies” is a handy, 200-page guide intended for both technical information security personnel and non-technical policy writers and members of decision-making management. Barman divides his book into four parts, describing the vital steps from starting the policy process, through writing the policies, to maintaining them. The last section of the book contains appendixes that present several sample security policies and point the reader to both electronic and paper information security resources.
Information security policies are sets of high-level plans that describe the overall security in general terms. The author notes that although policies do not discuss the how, properly defining what is being protected ensures that proper controls are implemented. As security policies should be the starting ground for developing the organization’s internal infrastructure, the first part opens with an introduction to security policies and their importance in a productive company environment. As computers and information technology have a big role in today’s economy, there is a strong need to protect your assets. Whether you are insuring those assets through an insurance company, developing new software solutions or trying to keep your company environment virus-free, security policies can help a lot, as they can focus on every operating segment within your organization.
When starting the security policy process you will certainly need to identify which assets should be protected and therefore covered by the security policy. Hardware and software objects such as computer equipment, operating systems, applications and source code should be covered. As the policies must go beyond the categories just mentioned, every aspect of the technical business process should also be documented. Seemingly unimportant items such as blank invoices, letterhead paper and similar inventory should also be referenced in the security policy, as they can be used to impersonate the company. Basically, the important things when determining the policy needs are: identifying what will be protected, from whom it will be protected and how it will be protected. The last chapter of the first part introduces responsibilities, especially the management’s role.
The second part of the book covers methods and tips for writing the security policies. This section is divided into seven thematic chapters, each covering one aspect of overall security. The chapter on physical security discusses several perspectives of a secure physical installation, with a focus on the quality of the working environment, computer location, facility construction and the creation of facility access controls. I should note that this part of the book also hosts a collection of very interesting snippets containing paragraphs from example security policies. They are placed after each subsection, giving readers in-depth insight into how actual security policies are structured.
The next topics covered are policies regarding authentication and network security. Here the author discusses how to take care of the state of network security, focusing mainly on network addressing, issuing IP addresses as the network expands, and login security. If you ever wanted to know why someone has an email address like firstname.lastname@example.org, the book will show you that it is probably because of an enforced security policy protecting the privacy of the system’s users.
The Internet, as the most used information highway, should also be covered by a productive set of security policies. Services to be considered include inbound services (DNS, HTTP, FTP, SMTP, VPN, POP etc.), outbound services (DNS, HTTP, SSH, Streaming Audio, NNTP, NTP etc.) and ICMP types (Echo, Host Unreachable, Need to Frag etc.). Barman notes that Internet security policies can be difficult to write because the technology changes rapidly, so the writer can approach this kind of policy by dividing the technologies into logical groups. Some examples are: user responsibilities, administrative responsibilities, WWW policies, VPNs and other tunnels, modems and other backdoors, PKI and electronic commerce.
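The anecdote that opens this review is the point of the inbound/outbound/ICMP grouping: a firewall is configured from the policy, not the other way round. The following is an added example (not code from the book or from the author) that writes the three service groups listed above as a default-deny policy, checks a connection against it, and renders it as simplified nftables-style rules. The port numbers are the standard IANA assignments; mapping "Streaming Audio" to RTSP (TCP/554) is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service name -> (protocol, port); standard IANA assignments.
# "Streaming Audio" is an assumption here (mapped to RTSP, TCP/554).
SERVICE_PORTS: Dict[str, Tuple[str, int]] = {
    "DNS": ("udp", 53), "HTTP": ("tcp", 80), "FTP": ("tcp", 21),
    "SMTP": ("tcp", 25), "VPN": ("udp", 500), "POP": ("tcp", 110),
    "SSH": ("tcp", 22), "Streaming Audio": ("tcp", 554),
    "NNTP": ("tcp", 119), "NTP": ("udp", 123),
}
# ICMP name -> (type, code) per RFC 792. "Need to Frag" is Destination
# Unreachable code 4, which path MTU discovery depends on.
ICMP_TYPES: Dict[str, Tuple[int, int]] = {
    "Echo": (8, 0), "Host Unreachable": (3, 1), "Need to Frag": (3, 4),
}

@dataclass
class InternetPolicy:
    inbound: List[str]   # services the outside may reach
    outbound: List[str]  # services users may reach on the Internet
    icmp: List[str]      # ICMP types allowed in either direction

# Constructed sample policy using exactly the groups the review lists.
POLICY = InternetPolicy(
    inbound=["DNS", "HTTP", "FTP", "SMTP", "VPN", "POP"],
    outbound=["DNS", "HTTP", "SSH", "Streaming Audio", "NNTP", "NTP"],
    icmp=["Echo", "Host Unreachable", "Need to Frag"],
)

def is_permitted(policy: InternetPolicy, direction: str, proto: str,
                 port: Optional[int] = None,
                 icmp: Optional[Tuple[int, int]] = None) -> bool:
    """Default deny: True only when the policy explicitly allows the traffic."""
    if direction not in ("inbound", "outbound"):
        return False
    if proto == "icmp":
        return icmp in {ICMP_TYPES[n] for n in policy.icmp}
    names = policy.inbound if direction == "inbound" else policy.outbound
    return (proto, port) in {SERVICE_PORTS[n] for n in names}

def to_rules(policy: InternetPolicy) -> List[str]:
    """Render the policy as simplified nftables-style rules ending in drop."""
    rules = []
    for direction, names in (("in", policy.inbound), ("out", policy.outbound)):
        for n in names:
            proto, port = SERVICE_PORTS[n]
            rules.append(f"{direction}: {proto} dport {port} accept  # {n}")
    for n in policy.icmp:
        t, c = ICMP_TYPES[n]
        rules.append(f"any: icmp type {t} code {c} accept  # {n}")
    return rules + ["any: drop  # default deny"]
```

Note that inbound SSH is denied simply because the policy never lists it; the policy document decides, and the rule set only follows.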
Huge numbers of electronic messages travel through the Internet every second. While e-mail has many bright sides, there are also negative sides that increasingly affect organizations. The spread of Internet worms, viruses and trojans, and the sending of massive amounts of unsolicited commercial e-mail, are just some of the Internet messaging hot topics. Because of that, e-mail security policies must have a notable section in the family of Internet-related policies.
Also noted in this part of the book are security policies that deal with malware activities (the already mentioned worms, trojans and viruses), managing digital encryption and its possible misuse, and software development policies as a means of preventing the creation of potential vulnerabilities.
After reading the first two parts of the book, you have a detailed overview of what security policies are and how to approach the job of writing and categorizing them. The author now introduces the AUP (Acceptable Use Policy), a document that summarizes the overall policy for the users. This important document should be short and deal with the most important things users could come across. A two-page reprint of an actual AUP can be found in the last part of the book, which contains the appendixes. Also covered in the appendixes are sample policies covering email security, as well as several administrative policies.
What I think of it
As I expected from an author experienced in this field, security policies are covered in a way that is easily readable and understandable for every interested party. If you are planning on starting or enforcing security policies in your organization and don’t know much about their structure and usage, this book will serve as a wonderful guide.
Personal note: If you are interested in buying this publication, buy it from the author’s homepage, because by doing that you are supporting cancer research.