Browsing for Security Policies
In the aftermath of September 11, organizations everywhere are shoring up their security defenses. If you're a network manager, chances are good that you'll be called upon to either set up security policies, or to update existing policies. Luckily, though, there are some free resources now available on the Web to help you out.
This month, the Computer Science and Telecommunications Board (CSTB) of the National Research Council (NRC) shone a national spotlight on the need for security policies by issuing a report called Cybersecurity Today and Tomorrow: Pay Now or Pay Later.
Meanwhile, though, in Internet news groups and chat rooms many systems administrators say they are stumped by the policy preparation task.. One administrator asks, for example, "I'm preparing to write a security policy (from scratch) and I'm trying to gather as much information as possible. Where should I begin?"
Even if your company already has security policies in place, bear in mind that these policies need to stay up-to-date. In an earlier report, issued in 1991, the CSTB pointed to viruses as a then-emerging security threat that ought to be rolled into organizational policies.
In 2002, many experts are recommending the integration of physical security into policy statements. Organizations are pulling together information system (IS) security policies with policies for physical access rights, smart-card readers, and CCTV digital cameras, for instance.
In the health care arena, organizations are now updating their policies to comply with the 68 different security conditions mandated by the Health Insurance Portability and Accountability Act (HIPAA).
Ideally, you won't be called upon to set up security policies until your company has done a risk assessment. Typically involving top-ranking company personnel, the risk assessment process weighs various security threats, assigns a level of concern to each, and articulates policies about which threats are serious enough to be worth resisting.
If you are assigned to write the security policies for your company, where should you start? One popular book on the subject is Information Security Policies Made Easy, by Charles Cresson Wood.
However, there are free resources on the Web that include backgrounders and white papers as well as sample security policies and modifiable software templates.
Another good place to start is the National Security Information site. Offerings there range from "What Do I Put in a Security Policy?" -- a white paper with sample security policy outline included -- to "Real World Problem Cases Caused By Missing Policies," a set of "funny stories."
Additionally, you can access the Internet Engineering Task Force's Site Security Policies Procedure Handbook.Another document that can come in handy is the draft edition of a chapter on Computer and Information Security Policy, aimed at eventual inclusion in the NIST Computer Security Handbook.
Searching for Security
After getting an overview, you can then glom on to an Internet search engine to catch a gander of other companies' real world security policies. If you plan to adapt someone else's policies, though, you should keep copyright issues in mind. Also, it's quite likely that the policies needed by your organizations will be different from those already in place somewhere else.
A company that uses electronic funds transfer (EFT) systems is defintely going to need integrity policies, for instance. Meanwhile, another company, across the street, might be more worried leakage of confidential information from a database.
Topics covered in security policies cover a huge gamut, ranging from passwords and authentication to copyright, backup, and disaster recovery procedures. Many larger companies institute different policies for different facilities, departments, or groups of users.
Depending on the needs of your organization, and your own inclinations, it might make more sense to use ready-made software templates. The SANS Institute is now offering 25 of these for free download in Word format. Topics range from anti-virus process and acceptable encryption to analog/ISDN line and VPN policies.
In the commercial space, RUsecure now offers a couple of template-based software products: RUsecure Information Security Policies, and Policy Delivery -- The Online Interactive Version. Trial downloads of both are free.
The trial version of Information Security Policies includes a "full policy set," plus explanatory notes. Licensing fees for the commercial product are $595 for unlimited use within an organization.
Priced at $745, the Online Interactive Version incorporates Security Online Support (SOS). SOS adds "specific and focused guidance," along with a large database of user-modifiable security policies; diagrams, forms; procedures, and registers. The trial edition of the online version contains only about one-fourth of the policies in the commercial product, though.
If you're still perplexed by security policies, however, outsourcing might be the best answer. Most security consulting firms are willing to help out with both risk assessment and policy set-up, albeit for a hefty price.
Jacqueline Emigh (pronounced "Amy") is a 12-year veteran of computer journalism. She is currently freelancing for several leading technology and business publications. She was previously a senior editor for Sm@rt Partner Magazine, and before that, a bureau chief for Newsbytes News Network.