I’m Sorry Sir, But That’s Our (Security) Policy
Policy is such a strange word. It can mean so many things in different contexts. Doing a Google search for “What is a security policy?”, I got some interesting results… including “A set of rules that says who can do what to whom”… really? The vast majority of search results I obtained relate to IT Security Policies. That’s not a bad thing, necessarily. But suppose you’re a Chief Security Officer. There’s more to your world than IT Security. Doesn’t a Security Policy deal with other things in “meatspace” (see my “Vernacular” section)?Given that there are so many different views, I thought I would spend a moment to discuss Security Policies.
What is a Security Policy? In my view, a Security Policy is “A clear, over-arching statement of an organization’s objectives with respect to protecting its facilities, assets, personnel, systems, resources, information etc.” It doesn’t (and shouldn’t) go into great detail about what specific safeguards are used. The policy should not have to change as technology changes, unless there are new risks to deal with.
A security policy may defined at more than one level, with subordinate policies such as IT Security, Physical Security, Personnel Security, etc. that go into somewhat more detail. The subordinate policies still should not require frequent changes. Usually, the top level roles are defined for individuals responsible for the policies, so that people in the organization know who to bring issues to for clarification or changes to policy.
A Security Policy will also address universally applicable rules in the form of:
- What must be done (at a high level)
- What must not be done (at a high level)
- How deviations must be handled
- What sanctions are applicable when policy is not followed
Once a good policy framework is in place, there should be Security Procedures that support each policy directive. They should be traceable from one document to another so that audits can easily verify that policies are being enforced.
Security Procedures detail the implementation and maintenance of safeguards that support the policies. They also specify which personnel roles are responsible for which activities, what activities need to be logged, and how often inspections and reviews are done either internally, or by third parties.
This is by no means a comprehensive lesson on Security Policy, but it may help you to recognize the difference between a policy, a procedure and a safeguard.
One more thing. A good Security Policy is usually readable and comprehensible to everyone in the organization. It can and should, therefore, be made available to the entire organization. This helps with Security Awareness and lets people understand why the safeguards are in place.
For a good discussion of IT Security Policies, visit the SANS security education site. If you have comments or know of other good policy resources, please post a comment.
mroonie on 20 Feb 2007 at 1:34 pm #
Great topic to write about. I think a lot of people are lost when it comes to company security and you broke it down really nicely. I’ll have to write an article on this topic. Thanks for the inspiration! Is it okay if I pull some quotes from this post for my article?
Simone D. on 25 Mar 2007 at 4:42 am #
Really interesting topic!
I’m not sure about the 4th rule “What sanctions are applicable when policy is not followed” (i’m thinking about IT security).
Sanctions are applicable when a policy is not followed … but if i decide for a policy don’t i force it?
If there is a policy “this is not allowed” it is NOT allowed … if you try to do it simply doesn’t work.
Or do you think that is enought create policy and check constantly that people respect it?
I’m interested
Scott on 25 Mar 2007 at 10:21 pm #
@Simone - From your comments, I gather that you are primarily concerned with “automated policy enforcement”, such as those found in many products. Often you can set what users, roles and groups of users can do. You are correct, as usually you can prevent abuse of these policies if you have them set properly.
But what this view misses is the “non-automated policies”. Automated policy enforcement are a very small subset of what should be an organization’s IT Security Policies, and its global “Security Policies”.
The top level Security Policy could cover things like having a printed “Access Control List” for entry into the Operations area. While this might be handled by access control systems, it may be a security officer checking badges against the lists.
An IT Security Policy should also cover many policies that can’t always be enforced by software control. Things like “Acceptable Use Policies” for a whole organization define how the computer systems may be used, and how they may not be used. This is where the idea of “Sanctions” come in. If there is evidence that someone is operating a part time business on eBay from their workstation, the IT Security Policy should say that this is grounds for revoking their computer system access, or even more likely, for dismissal.
Sanctions for an employee breaking a policy should act as a strong deterrent from abusing the privilege granted to them by the organization.
Simone D. on 26 Mar 2007 at 4:00 am #
You are right … maybe i don’t trust very much people … but i think that all i can ‘force’ is more secure than any sanction
For what i can’t check i have to create a policy, but sincerely i think it can’t consider ’secure’.
3 Steps to Planning a Security Policy | Anti Best Software Spyware Virus on 22 Nov 2007 at 8:58 am #
[…] 1) Wright, Scott. “I’m Sorry Sir, But That’s Our (Security) Policy.” Security Views. 20 Feb. 2007. http://securityviews.com/blog/2007/02/20/im-sorry-sir-but-thats-our-security-policy […]