Security and internal controls are not technological issues; they are business issues. The security architecture for any organization begins with a clear plan of action: If you do not know what you are supposed to protect and from whom, the latest technological gizmos are of little use. Security procedures and internal controls must embody strategic, cultural, political and technological aspects of an organization.
Security policy is the place where these factors are integrated to develop a comprehensive framework for security. The security policy contains the goals and objectives of the security system, defines its overall purpose and provides direction for its implementation. Security policy is generally designed for the entire information system, not only the online component; however, the ensuing discussion focuses on the online component. The questions addressed by the security policy can be simplistically stated as follows:
- Who will use the system?
- What will be the rights and responsibilities of the users?
- How will remote and local users access the system?
- When can the system be accessed?
- Who will decide and grant user rights?
- How is user activity tracked and recorded?
- What disciplinary actions will be taken for errant users?
- What are the procedures for responding to security breaches?
Designing a security policy is a multi-disciplinary process. As the COSO report states, involvement of top management is crucial. Senior management knowledge, operational management knowledge, information technology knowledge and financial knowledge are all required to complete the assessment necessary to design a security policy. The process is interdisciplinary and iterative. The designed policy is not set in stone: it changes as the organization changes, and it needs constant updating and maintenance.
The steps in development of the security policy are outlined below:
Identify and classify organizational assets: Information assets of the organization may include hardware, software, network infrastructure, data and information, people, documentation and supplies. These assets should be classified according to importance, with more important assets being more stringently protected; for example, the resulting asset protection categories may be public use, confidential, restricted or administration use only.
Assess the risk: Risk refers to the probability of loss. Online examples of risk are unauthorized access to the network, stealing of data and information, denial of service, damage to hardware and loss of reputation. In mathematical terms, risk can be defined as the cost of damage to an asset multiplied by the probability of an event that can damage the asset. Asset values are generally identified in the identification and classification phase; then the probability of the undesired events for these assets must be estimated. Risk analysis should answer questions such as: What should be protected? From whom? And by what?
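The risk definition above (cost of damage times probability of the damaging event) applied to a small asset register, as an added example that is not part of the original text; the asset names, classifications, costs and probabilities are constructed for illustration, and the example goes one step beyond the text by summing the risk of every event that can damage an asset and ranking the assets so the most exposed ones are protected first.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    """An undesired event that can damage an asset (names are hypothetical)."""
    name: str
    probability: float  # estimated probability of the event over the review period, 0..1


@dataclass(frozen=True)
class Asset:
    """An information asset as recorded in the identification and classification phase."""
    name: str
    classification: str   # e.g. "public use", "confidential", "restricted", "administration use only"
    damage_cost: float    # estimated cost if the asset is damaged or compromised
    threats: Tuple[Threat, ...]


def event_risk(asset: Asset, threat: Threat) -> float:
    """Risk as defined in the text: cost of damage to the asset times probability of the event."""
    if not 0.0 <= threat.probability <= 1.0:
        raise ValueError(f"probability out of range for {threat.name!r}: {threat.probability}")
    return asset.damage_cost * threat.probability


def asset_risk(asset: Asset) -> float:
    """Total risk for an asset: the sum over every event that can damage it."""
    return sum(event_risk(asset, t) for t in asset.threats)


def rank_assets(assets: List[Asset]) -> List[Asset]:
    """Order assets so those needing the most stringent protection come first."""
    return sorted(assets, key=asset_risk, reverse=True)


def above_tolerance(assets: List[Asset], tolerance: float) -> List[Asset]:
    """Assets whose total risk exceeds what management is willing to accept."""
    return [a for a in rank_assets(assets) if asset_risk(a) > tolerance]


# Constructed sample register; values are illustrative, not taken from the source.
SAMPLE_ASSETS = [
    Asset("customer database", "restricted", 500_000,
          (Threat("unauthorized access", 0.05), Threat("stealing of data", 0.02))),
    Asset("public web server", "public use", 40_000,
          (Threat("denial of service", 0.30), Threat("damage to hardware", 0.05))),
    Asset("payroll workstation", "administration use only", 200_000,
          (Threat("unauthorized access", 0.02),)),
]

if __name__ == "__main__":
    for a in rank_assets(SAMPLE_ASSETS):
        print(f"{a.name:20s} [{a.classification}] risk = {asset_risk(a):,.0f}")
```

Note that the public web server outranks the payroll workstation despite a far lower damage cost, because frequent low-cost events can carry more risk than rare high-cost ones; this is what the multiplication captures and what a classification-only ranking would miss.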
Determine acceptable use: Permissible business uses of information assets are identified in the acceptable use policy. These policies tell users what they can and cannot do, what might be construed as an abuse of privileges, and the privacy and confidentiality positions of the organization. In specific terms, these policies may tell the user how to set a password and how often to change it, what kind of backups are the user's responsibility, which content can and cannot be downloaded from the Internet, and whether e-mail is the property of the organization.
Create security awareness: Having a security policy document will not in itself create security awareness among stakeholders of a corporation. These policies should be communicated to new and continuing employees, suppliers, customers and trading partners. Training and education activities should be outlined and provided.
Monitoring and auditing: Security policies are worthless unless monitored for execution and performance. Fortunately, security policies in the networked environment can be monitored using built-in tools or automated auditing tools available in the market. Monitoring and auditing activities are designed to spot intentional and unintentional misuse of the system by users. Such misuse needs to be detected, preferably in real time, and corrected. The collected information, or at least a summary of it, needs to be forwarded to the appropriate managers.
Security breach policies: In a security-related incident, the perpetrators can be insiders or outsiders. Security breach policies prescribe the actions to take when a security breach is discovered. The conduct of the investigation to determine the nature and causes of the breach should be outlined. If the perpetrators are identified, the question is whether to contact the authorities and proceed with prosecution, or simply to dismiss the employee and plug the security loopholes. A large percentage of security violations are not reported to the authorities, since prosecution of offenders, collection of evidence, the possibility of copycat attacks and loss of reputation are considered too costly. In any case, whatever the course of action, the system must be restored to a safe state by correcting the security flaws.
Development and implementation of security policies does not have to start from scratch. Many automated tools can be used to customize canned security policies for an organization. The Security Policy Automation (SPA) market consists of scores of vendors providing SPA solutions. The entire security policy cycle, from development to deployment, monitoring and change, can be managed using these tools. As has been the trend over the last decade, these tools have a graphical interface and do not require deep programming knowledge.