Steve Johns
Organizational security policy is a paramount subject in today’s organization. Since the advent of electronic communications and networks, private, public, government and non-profit organizations need firm information security practices to maintain a high level of continuity for business processes and information systems. Business continuity involves protecting information systems from routine hardware and software failures and, vitally, ensuring those systems are secure from inside and outside hazards.
Organizations must examine liability within electronic systems and recognize the need for legal advocacy. The variable that is often the greatest risk to security is the end user. All users of electronic systems within an organization must complete training in proper use and liability within technology. At the conclusion of that end user’s training, he or she is to sign a statement of completion which acknowledges the employee’s participation, comprehension, and intent to comply with policy. Organizational policy will dictate, according to the business model, the type and frequency of training needed to comply with relevant law. If an employee violates the security policy, the organization can be liable under relevant law; however, once the employee has completed policy training, the employee is liable and can be terminated or disciplined according to organizational rules. This process of mandating employee participation in policy training is recognized as due care on behalf of the organization, and as due diligence because the organization has made “…a valid effort to protect others and continually maintain this level of effort” (Bowles, 2009).
Policy that defines security parameters within information systems must be implemented at the start of systems and network design and “…should extend from the core to all valid remote access sites” (Massiglia & Marcus, 2002). Effective security policy not only spans across hardware and software interfaces, but among every entity within the organization:
Software
Software is to be kept at the latest revision to ensure system compatibility and vulnerability resolution. All software (operating systems especially) is to be on a regular patching schedule and monitored with an enterprise suite; for example, Microsoft Systems Management Server (SMS). Anti-virus servers that control and distribute antivirus updates to all client nodes within the enterprise will ensure that each client node is compliant with the latest antivirus definitions, protecting both servers and end user nodes against viruses, worms, and other malware.
Hardware
At the core network level, it is essential to implement a hardware-based firewall that provides network address translation (NAT) and port forwarding, so that internal IP addresses are not exposed externally. VLAN tagging should be implemented on the switches to segregate IP traffic on the LAN, and zoning should be configured within Fibre Channel storage networks to segregate storage traffic.
Data
At this level, security can be realized through policy that defines the type of data end users can access and install. This is often done through departmental policy, user organizational unit policy definitions, and VLAN tagging.
People
Often the greatest security risk, all end users are to be educated on organizational security policy, usually on a semi-annual or annual basis, with a sign-off at the completion of training. The training is to be simple for all end users to understand. Human resources will record user attendance within training.
Procedures
Means of data access are to be controlled. For example, remote telecommuters accessing internal resources are to use a single approved means of access, such as Citrix or a VPN client, and all remote access is to be logged.
Networks
Routing can be used to segregate internal networks into subnets, and access lists can be used to filter traffic from specific networks, whether internal or external.
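As an added example (not part of the original essay), the following Python models the access-list filtering just described over constructed subnets: entries are evaluated first-match, anything not explicitly permitted falls through to an implicit deny, and a second function flags entries that an earlier, broader entry shadows so they can never take effect. The subnets, hosts and ports are assumed values, not the author’s.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AclEntry:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network        # source subnet
    dst: ipaddress.IPv4Network        # destination subnet (or /32 host)
    dst_port: Optional[int] = None    # None matches any destination port

def net(s):
    return ipaddress.ip_network(s)

# Constructed example policy (assumed addressing): the finance subnet may reach the
# database host only on TCP/1433 and the server subnet on 443; the guest subnet
# may reach no internal address at all. Anything not listed is implicitly denied.
ACL = [
    AclEntry("deny",   net("10.30.0.0/24"), net("10.0.0.0/8")),
    AclEntry("permit", net("10.10.0.0/24"), net("10.20.0.5/32"), 1433),
    AclEntry("permit", net("10.10.0.0/24"), net("10.20.0.0/24"), 443),
]

def evaluate(acl, src_ip, dst_ip, dst_port):
    """Return (action, index of the matching entry). First match wins;
    falling off the end of the list is an implicit deny, as on a router ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, e in enumerate(acl):
        if src in e.src and dst in e.dst and e.dst_port in (None, dst_port):
            return e.action, i
    return "deny", None

def shadowed_entries(acl):
    """Indices of entries that can never match because an earlier entry
    already covers every packet they describe (a common ordering mistake)."""
    found = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and earlier.dst_port in (None, later.dst_port)):
                found.append(i)
                break
    return found
```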
Organization security policy should be constructed in the manner of the security systems development life cycle, or SSDLC. Following the same methodology as the SDLC, the SSDLC focuses on the security of systems within the organization. It must be stressed that “implementing information security involves identifying specific threats and creating specific controls to counter those threats” (Whitman & Mattord, 2005). The SSDLC is designed to do this within the planning, design, installation, and administration of information systems. In effect, the SSDLC is to be part of the overall enterprise architecture and business plan from inception. The SSDLC is to be constructed of multiple steps:
Investigation
Directed from upper management, this phase consists of an initial feasibility analysis to determine the need for security policy, and if the organization has the resources to conduct the project. After this assessment, problems, needs, and goals are examined.
Analysis
Upon acquiring data from the investigation phase, a study of the data is undertaken. Existing security procedures are examined, and legal issues and applicable law are reviewed by the organization’s legal counsel to determine the plan’s compliance with law and how this will affect the design of the developing security policy. Risk management is a large part of this stage, in which an assessment of the risks facing the organization is carried out.
Logical design
Based upon the previously acquired artifacts, the logical design is a blueprint of the security regulations and implementation of “key policies that influence later decisions” (Whitman & Mattord, 2005). Response to incidents is also planned at this stage for continuity and disaster recovery. Whether to outsource is usually decided at this stage.
Physical design
The implementation of the physical information systems and appliances is based upon the previously architected logical design. Many system architectures can be presented at this stage and a final architecture agreed upon. Outside vendor support and consulting can be a positive element in determining the right systems to fit the desired security policy.
Implementation
As with the traditional SDLC, this stage includes purchasing the information systems, installation, configuration, and testing of those systems as well as administrator and operator training.
Maintenance and change
Within an environment where threats are continuous and new threats emerge frequently, it is essential that security systems are diligently updated and monitored. Updates should include anti-virus definitions, router and switch firmware, and storage system firmware, together with wireless access point monitoring and auditing of all access logs. This is an ongoing process that will ensure organizational security of information systems and data. Disaster recovery testing can be a part of this phase, and should be executed on a regular schedule.
Conclusion
Security policy is the means of ensuring organizational compliance with local, state, and federal law. It is also due diligence on behalf of the organization in preventing breaches of security-related practices by employees and contractors. With the globalization of business and electronic commerce and the ever-present threat to data, a well-planned and rigorously executed security policy will enable an organization to remain compliant with the law and ensure business continuity.
References:
Massiglia, P., & Marcus, E. (2002). Information Technologies for Disaster Recovery. In The Resilient Enterprise (p. 229). Veritas.
Whitman, M., & Mattord, H. (2005). The Security Systems Development Life Cycle. In Principles of Information Security (p. 23). Thomson.
Bowles, B. (2009). Legal, Ethical, & Professional Issues in Information Security. Chapter 3 [Lecture notes, PowerPoint]. Enterprise Information Assurance. Denver, Colorado: Regis University.