Interview with Scott Barman, author of “Writing Information Security Policies”

Who is Scott Barman? Introduce yourself to our readers.

I am the author of “Writing Information Security Policies,” a book about the basis of any information security program. I am currently an information security and systems architecture analyst for The MITRE Corporation working to help the United States Internal Revenue Service modernize their IT infrastructure.

I have been involved with systems architecture information security for more than 20 years, nurturing the evolution of systems and their security requirements for commercial organizations and government agencies. Since the explosion of the Internet, and prior to joining MITRE, my focus has been on various areas of security and policy development for many organizations in the Washington, D.C. area. I have a Bachelor of Science degree from the University of Georgia and a Master of Information Systems Management with a concentration in Information Security Management from Carnegie Mellon University.

How did you get interested in computer security?

After the Internet Worm in 1988, where Robert Morris Jr. unleashed a worm that affected Sun and Digital systems running sendmail, I found myself curious as to why something like that could happen. I then started to study the writings of those who figured out how and why it worked, and it intrigued me further. The more I read, the more I became interested in various areas of security. It was after reading the paper from Dr. Robert Morris Sr. about the insecurity of TCP/IP that I decided to shift my career.

What operating system(s) do you use and why?

At work, I have a company-issued laptop running Windows 2000 Professional. At home I have a Macintosh PowerBook G3 running Mac OS X. It is a great little machine. In fact, I am writing this now on the Mac. I bought this machine from my company’s surplus auction to see if I would like it. I love it! Now I want the new 17-inch Titanium PowerBook. And the fact that it is UNIX under the hood helps; I am an unapologetic UNIX bigot!

I also have a Dell that runs Windows 2000 and SuSE Linux. I keep the Windows partition for some legacy applications.

How long did it take you to write “Writing Information Security Policies” and what was it like? Any major difficulties?

That is a harder question than it would appear. I started writing the book in the Summer of 2000 while finishing graduate school at Carnegie Mellon. My wife, Elisa, and I moved back to the Washington, DC area only to have disaster strike. In November, Elisa was diagnosed with cancer. She died the following April.

After taking a month off to recover, I restarted writing and spent the next four months finishing the last 75 percent of the book. Finishing the book was one of my last promises to Elisa. I never broke a promise to her and I was not going to start at that time. She would have been proud of me.

Since Elisa died, I am committed to finding a cure for cancer. I have teamed up with the National Foundation for Cancer Research (NFCR) to look for that cure. All the money earned from buying my book is donated to NFCR. I am also a member of the Associates Program. All commissions earned from any sales through my website are also donated to NFCR. If you buy from, please do so by clicking through my site first. That way we can raise more money for cancer research!

If you could start writing the book all over again, would you change anything?

Other than my personal situation, I would add a chapter on mobile code policies and one on how to write policies for portable devices like PDAs, notebooks, cell phones, etc.

How important are, in your opinion, security policies when it comes to the overall security architecture?

I think that security policies are the most underrated aspect of any information security program. In Chapter 1, I write, “They provide the blueprints for an overall security program just as a specification defines your next product.” How do you tell your administrators to configure a firewall if you don’t have a policy to specify what you are protecting? Policies are the foundation for a sound infosec program.

Handheld devices are now owned by many people who use them for business purposes, which makes companies more susceptible to wireless security problems. In your opinion, what is a good approach in writing a wireless and handheld device usage policy to safeguard the corporate network?

Handheld devices, like any new technology, come with a lot of security issues. The first thing I would do is a risk assessment of the device. The risk assessment would look at how the device is used, what its capabilities are, and what risks are being added to the environment. Once I have that information, I would then look at the proposed mitigations and write a policy that would allow me to mitigate the risks I am unwilling to accept.

For any technology, old or new, this is a good approach for devising a policy. It also allows you to better understand the technology, how it is being used, and its effect on information security.

What is, in your opinion, the biggest challenge in protecting information at the enterprise level?

Watching the threat from the insider. Everyone focuses on the attacker from the Internet or what can happen outside of the enterprise. However, statistics continue to show that the biggest threat continues to come from insiders. And sometimes it is a challenge to determine who the insiders are that could cause problems.

The first failure is to not have a proper security awareness program. If the users do not know what is in the infosec policies or what is expected of them as part of that policy, how does the organization expect these users to follow the policy? Unfortunately, most organizations either do not have a security awareness program or have one as part of employee orientation and they do not follow it up with refresher courses.

Having sound policies that understand that the insider is the greater threat, a solid security awareness program, a proactive security enforcement program, and a commitment from management are the keys in meeting this challenge.

What are your future plans? Any exciting new projects?

Not long ago, I contributed a chapter to Que Certification’s “CISSP Training Guide.” I wrote Chapter 3, Security Management and Practices. I have also been working with the SANS Institute to review some exciting new courses they will be offering. I am also working on a book proposal with a colleague. This should be fun!