Security Policies
Jun 2nd, 2007 by John Gerber
“It will not do to leave a live dragon out of your plans if you live near one.”
– The Hobbit, J. R. R. Tolkien
Way back, before blogs existed, when there was only the cartoon version of The Hobbit, J. R. R. Tolkien was teaching children of my generation how to write good security plans. Many resources are available, to the point where it can be a bit overwhelming. What gets included in a security plan will depend on your organization. Fortunately, most organizations provide guidelines. Security policies will differ depending on the business of the organization. Different laws will apply depending on many considerations, such as whether the organization deals with government, medical or business matters, or operates in the European Union, Germany, etc.
There is no “one plan fits all.” Just as in life, everything depends. Having provided myself that disclaimer, I wanted to provide a few sites/documents that I find useful.
COBIT Security Baseline
This is a document put out by the Information Systems Audit and Control Association (ISACA). A revised version is due in July, which will update the baseline to COBIT 4.1; the structure will otherwise remain the same. Here is a basic description:
COBIT Security Baseline is based on Control Objectives for Information and related Technology (COBIT), issued by the IT Governance Institute and now in its third edition. COBIT is a comprehensive set of resources that contains the information organizations need to adopt an IT governance and control framework. COBIT covers security in addition to other risks that can occur with the use of IT. This publication helps an organization focus on the essential steps to take by extracting the most important security-related objectives from the COBIT framework. It then presents key control objectives and suggested minimum control steps for each, cross-referenced to the COBIT processes and detailed COBIT control objectives. A mapping to related control objectives in ISO 17799 is included as well.
Normally, I deal with open source software and documents. In this case, registration is required. Anyone can buy the book, but if you become a member you can get access to this and many other books for free.
NIST SP Guides
NIST documents reference each other. A good overview of how everything fits together is found in the Guide to NIST Information Documents. In relation to security policies, the following documents are particularly helpful:
- 800-100: Information Security Handbook: A Guide for Managers. To quote the document, “This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.” This document helps define what elements should be part of the security program.
- 800-53A: Recommended Security Controls for Federal Information Systems. To quote the document, “The purpose of this publication is to provide guidelines for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government.” This document helps evaluate the controls that are in place.
- 800-12: An Introduction to Computer Security: The NIST Handbook. This document is a little older. To quote the document, it “provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.” This document is good to review in order to make sure everyone is on the same page in terms of concepts and terminology.
- 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems. This document is more of a reference document. Like NIST SP 800-12, it is a foundation document meant to make sure concepts and elements of security are understood.
Other NIST documents will be applicable depending on what technologies are used within your organization.
The SANS Security Policy Project
This SANS security project site contains a lot of information, including primers and templates, to help with security policies. To quote SANS, “The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies.”
The Information Security Forum’s (ISF’s) Standard of Good Practice
You do have to register, but it is free. ISF describes the document as addressing “information security from a business perspective, providing a practical basis for assessing an organization’s information security arrangements. It focuses on the arrangements that should be made by leading organizations to keep the business risks associated with critical information systems under control in today’s dynamic and competitive environment.”
Open Compliance & Ethics Group (OCEG)
OCEG is a great organization, focusing on “integrating governance, risk management, compliance and culture.” They have collaborated with Compliance Week to produce the GRC Illustrated Series. OCEG produces the Foundation “Red book”. To quote OCEG, it “provides guidance about the core processes and capability to enhance culture and address governance, risk management and compliance requirements. It incorporates the common practices that stand behind some of the most robust programs in the world.”
Federal Agency Security Practices (FASP) Site
The FASP site contains agency policies, procedures and practices; the CIO pilot Best Security Practices (BSPs); and a Frequently Asked Questions (FAQ) section. Below are two documents of particular interest:
- Sample Security Policies and Procedure document
- Sample Information Systems Security Program (ISSP) Handbook
State of Texas Department of Information Resources
This site provides policies, standards and guidelines along with examples of policies, standards, and guidelines. Of particular interest is the security policy template overview.
The Open Web Application Security Project (OWASP)
OWASP provides information on application security. They have been developing a guide, whose latest version unfortunately is not available to the public. You can still view version 3’s table of contents. The public can download version 2.0.1 of the guide.
Institute for Security and Open Methodologies (ISECOM)
ISECOM is an open, collaborative security research community that produces the Open Source Security Testing Methodology Manual (OSSTMM). The document is a peer-reviewed methodology for performing security tests and metrics. ISECOM is about to release version 3 of OSSTMM. Currently, version 3 is only available to gold or silver members. Version 2 is available to the public.
The Security Portal for Information System Security Professionals
This site contains a large number of links on all topics in information security. It is useful for filling in gaps.
Samples
There are plenty of samples, but these two looked interesting.
- Business and Financial Bulletin IS-3: Electronic Information Security
- The University of Auckland, New Zealand
Final Remarks
Lacking information on how to do things is not the problem; the problem is how to organize it. I tend to favor NIST publications because there are plenty of supporting NIST documents being actively developed. When it comes down to it, the most important thing is to follow any guidelines or directives your organization may have. Your security policies will be reviewed by auditors. Understand what the auditors will be expecting so you can provide the information in a clear and concise manner. Finally, make sure your policies deal with the dragons in your kingdom. Wise words from a wise man.
