An enterprise information security policy (EISP) is also known as a general security policy, organizational security policy, IT security policy, or information security policy. The EISP is an executive-level document, usually drafted by or in cooperation with the organization’s chief information officer. This policy is usually two to 10 pages long and shapes the philosophy of security in the IT environment. The EISP usually needs to be modified only when there is a change in the strategic direction of the organization.
The EISP guides the development, implementation, and management of the security program. It sets out the requirements that must be met by the information security blueprint. It defines the purpose, scope, constraints, and applicability of the security program. It also assigns responsibilities for the various areas of security, including systems administration, maintenance of the information security policies, and the practices and responsibilities of users. Finally, it addresses legal compliance. According to NIST, the EISP typically addresses compliance in two areas:
General compliance to ensure that an organization meets the requirements for establishing a program and assigning responsibilities therein to various organizational components.
The use of specified penalties and disciplinary action
When the EISP has been developed, the CISO begins forming the security team and initiating necessary changes to the information security program.
Although the specifics of EISP vary among organizations, most EISP documents should include the following elements.
- An overview of the corporate philosophy on security
- Information on the structure of the information security organization and people who fulfill the information security role
- Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
- Fully articulated responsibilities for security that are unique to each role within the organization
The components of a good EISP are shown in Table 3-2. For examples of EISP documents and recommendations for how to prepare them, we recommend using Information Security Policies Made Easy by Charles Cresson Wood, published by Information Shield. While the current version is relatively expensive, prior editions are widely available as used books and in libraries around the world.
An ISSP may cover the following topics, among others,
- E-mail
- Use of the Internet and World Wide Web
- Specific minimum configurations of computers to defend against worms and viruses
- Prohibitions against hacking or testing organization security controls
- Home use of company-owned computer equipment
- Use of personal equipment on company networks (BYOD. bring your own device)
- Use of telecommunications technologies, such as fax, and phone
- Use of photocopy equipment
- Use of portable storage devices such as USB memory sticks, backpack drives, game players, music players, and any other device capable of storing digital files
- Use of cloud-based storage services that are not self-hosted by the organization or engaged under contract; such services include Google Drive, Dropbox, and Microsoft OneDrive
- Use of networked infrastructure devices, “intelligent assistants” such as Google Assistant and Amazon Echo, and accompanying devices usually classified as the Internet of Things (IoT)
- Use of programmable logic controller (PLC) devices and associated control protocols with corporate data networks and production-focused industrial networks
For examples of ISSP policies and recommendations for how to prepare them, we recommend using Information Security Policies Made Easy by Charles Cresson Wood, published by Information Shield. The book includes a wide variety of working policy documents and can assist in defining which are needed and how to create them.
Several approaches are used to create and manage ISSPs within an organization. Three of the most common are as follows;
- Independent ISSP documents, each tailored to a specific issue.
- A single comprehensive ISSP document that covers all issues.
- A modular ISSP document that unifies policy creation and administration while maintaining each specific issue’s requirements.
The independent ISSP document typically has a scattershot effect. Each department responsible for an application of technology creates a policy governing its use, management, and control. This approach may fail to cover all necessary issues and can lead to poor policy distribution, management, and enforcement.
The single comprehensive ISSP is centrally managed and controlled. With formal procedures for the management of ISSP in place, the comprehensive policy approach establishes guidelines for overall coverage of necessary issues and clearly identifies processes for the dissemination, enforcement, and review of these guidelines. Usually, these policies are developed by the people responsible for managing the information technology resources. Unfortunately, these policies tend to overgeneralize the issues and skip over vulnerabilities.
The optimal balance between the independent and comprehensive ISSP is the modular ISSP. It is also centrally managed and controlled, but it is tailored to individual technology issues. The modular approach provides a balance between issue orientation and policy management. The policies created with this approach comprise individual modules, each created and updated by people responsible for the issues addressed. These people report to a central policy administration group that incorporates specific issues into an overall comprehensive policy.
Table 3-3 is an outline of a sample ISSP, which can be used as a model. An organization should start with this structure and add specific details that dictate security procedures not covered by these general guidelines.
The components of each major category of a typical ISSP are discussed in the following sections. Even though the details may vary from policy to policy and some sections of a modular policy may be combined, it is essential for management to address and complete each section.
Statement of Policy
The policy should begin with a clear statement of purpose—in other words, what exactly is this policy supposed to accomplish? Consider a policy that covers the issue of fair and responsible Internet use. The introductory section of this policy should address the following questions: What is the scope of this policy? Who does this policy apply to? Who is responsible and accountable for policy implementation? What technologies and issues does it address?
Authorized Access and Usage of Equipment
This section of the policy statement addresses who can use the technology governed by the policy and what it can be used for. Remember that an organization’s information systems are its exclusive property, and users have no rights of use. Each technology and process is provided for business operations. Use for any other purpose constitutes misuse of equipment. This section defines “fair and responsible use” of equipment and other organizational assets and should address key legal issues, such as protection of personal information and privacy
Prohibited Use of Equipment
Unless a particular use is clearly prohibited, the organization cannot penalize its employees for misuse. For example, the following can be prohibited: personal use, disruptive use or misuse, criminal use, offensive or harassing materials, and infringement of copyrighted, licensed, or other intellectual property. As an alternative approach, sections 2 and 3 of Table 3-3 can be collapsed into a single category called “Appropriate Use.” Many organizations use such an ISSP section to cover both categories.
Systems Management
The systems management section of the ISSP policy statement focuses on the users’ relationship to systems management. Specific rules from management include regulating the use of e-mail, the storage of materials, the authorized monitoring of employees, and the physical and electronic scrutiny of e-mail and other electronic documents. It is important that all such responsibilities are assigned either to the systems administrator or the users; otherwise, both parties may infer that the responsibility belongs to the other.
Violations of Policy
The people to whom the policy applies must understand the penalties and repercussions of violating it. Violations of policy should carry penalties that are appropriate—neither draconian nor overly lenient. This section of the policy statement should contain not only specific penalties for each category of violation, but instructions for how people in the organization can report observed or suspected violations. Many people think that powerful employees in an organization can retaliate against someone who reports violations. Allowing anonymous submissions is often the only way to convince users to report the unauthorized activities of more influential employees.
Policy Review and Modification
Because any document is only useful if it is up to date, each policy should contain procedures and a timetable for periodic review. As the organization’s needs and technologies change, so must the policies that govern their use. This section should specify a methodology for reviewing and modifying the policy to ensure that users do not begin circumventing it as it grows obsolete.
Limitations of Liability
If an employee is caught conducting illegal activities with the organization’s equipment or assets, management does not want the organization held liable. The policy should state that if employees violate a company policy or any law using company technologies, the company will not protect them, and the company is not liable for their actions. In fact, many organizations assist in the prosecution of employees who violate laws when their actions violate policies. It is assumed that such violations occur without knowledge or authorization by the organization.
0 comments:
Post a Comment