Developing Information Security Policy


Every organization is required to have an effective information security program which maps to its business drivers,  regulatory requirements and threat profile. Although organizations across the globe are increasingly recognizing the importance of information security for businesses, the complexity of issues involved in formulating an appropriate information security policy greatly vary from company to company.

 This may depend on multiple factors including the importance of business information, size of the company, type of operations and businesses the company involved in and the numbers and types of information and information systems they use. Developing a robust Information Security Policy is a crucial first step in the program.

While small organizations can quickly deploy information security policy to address their needs, for large organizations, developing a single policy document encompassing all users and resources and addressing the entire gamut of information security issues is a herculean task. Rather, a more effective approach would be to develop a suite of policy documents to cover all information security assets; each targeting specific audience and address relevant information security concerns. This approach would ensure easy maintainability of the policy and focus on specific requirements in terms of emerging threats and risk assessments.

 Why do we need Policy?

A security policy should fulfil many purposes. According to http://www.sans.org, it should: 

  • Protect people and information 
  • Set the rules for expected behaviour by users, system administrators, management, and security personnel 
  • Authorize security personnel to monitor, probe, and investigate 
  • Define and authorize the consequences of violation
  • Define the company consensus baseline stance on security 
  • Help minimize risk 
  • Help track compliance with regulations and legislation 

Basic steps in Developing Information Security Policy

  • Identify all assets that are required to be protected
  • Identify all threats and vulnerabilities and likeliness of threats happening
  • Identify the measures to safeguard the assets in a cost-effective manner
  • Identify the roles and responsibilities of various parties and communicate them
  • Monitor and review the process continuously for improvement.

ISO 27002 provides a comprehensive set of guidelines and controls comprising best practices in information security whereby it can be used as a basis to develop security policy.  ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad:

the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access), integrity (safeguarding the accuracy and completeness of 
information and processing methods) and availability (ensuring that authorized users have access to information and associated assets when required).

Who is Responsible?

Today, many organizations have multiple pieces of  a security program in terms of policies, standards, firewalls, security team, IDS and so on  but the top management is not truly involved nor security has permeated throughout the organization. Rather all the responsibility has been delegated to a small security team responsible for securing the entire organization. This practice is because of a belief that security was just a technology issue.Information security governance is the responsibility of the board of directors and senior executives. It must be an integral and transparent part of enterprise governance and be aligned with the IT governance framework. To exercise effective enterprise and information security governance, boards and senior executives must have a clear understanding of what to expect from their enterprise’s information security programme. They need to know how to direct the implementation of an information security programme, how to evaluate their own status with regard to an existing security programme and how to decide the strategy and objectives of an effective security programme. (http://www.isaca.org)

Advertisements

Lack of Security Policy behind Columbia’s BIGGEST breach

The reasons behind South Carolina Department of Revenue (DoR) data breach are more than shocking . All state agencies have some type of computer security system in place, but there is NO mandatory policy, standards, monitoring or enforcement for each of the approximately 100 state agencies, boards, commissions, colleges and universities that operate computers, the state’s inspector general says.


The Breach

The DOR breach, the biggest in the state’s history, exposed 3.6 million Social Security numbers, 387,000 mostly encrypted credit or debit card numbers and information belonging to more than 650,000 businesses. The agency’s computer system was breached four times, officials have said, and the data was exposed in September. The later reports push the numbers even high.
Impact

A former top official with the FBI said that if just 1 percent of the taxpayers and businesses whose information was hacked in September at the Revenue Department have their information misused it could cost them more than $350 million, based upon past FBI experience.


What caused it?

Apparently, they do NOT have an effective data security policy which is more than clear from the statement made by Senator Vincent Sheheen, who narrated the entire episode a week ago – “when a group of us simply asked the Administration and the Department for a copy of the DOR data security policy so we could better understand what went so terribly wrong, we got this – an answer you would expect in a third world banana republic- we were essentially told that they couldn’t tell us the policy that had failed so badly because it might “further compromise” security. I would have laughed if it hadn’t made me want to cry”
The state had two main vulnerabilities. There was no dual verification required to get into the system and the social security data had no encryption. Interestingly, Internal Revenue Service (IRS), does not mandate the data encryption.The IRS is the revenue service of the United States federal government. The agency is a bureau of the Department of the Treasury, and is under the immediate direction of the Commissioner of Internal Revenue. The IRS is responsible for collecting taxes and the interpretation and enforcement of the Internal Revenue Code.

Two simple concepts of information security were ignored here:

1. ‘Need based access’ – violated and no additional authentication !! All users have access to all stuff kind of access controls was implemented.

2. ‘No data encryption’ rules were enforced for critical data as it is not mandated. Compliance took front seat and not a risk based threat assessment.


Few questions?

  1. Why the top management view of information technology is so inadequate? 
  2. What happened to the IT Governance, in the US Government? 
  3. Why the compliance standards could not be applied to a public body? 
  4. What happened to the concurrent or statutory IT Audit? 
  5. Why risk assessments could not prevent this, if conducted?and many more questions .. that remain unanswered !


Top IT Challenges & Audit: Protiviti Survey 2012

Information Security (including data privacy, storage and management) ranked #1 among the top technology challenges faced by organisations, according to 2012 IT Audit Benchmarking Survey conducted by Protiviti, a global consulting firm operating in over 20 countries. Protiviti conducted the survey at the end of September 2012 with 1,000 people from companies with 100+ employees.

Cloud computing, social media, risk management & governance and regulatory compliance followed the list of top technology challenges.

IT Audit

The survey hints that a large of number of organizations may be understaffed in terms of IT Audit capabilities in their internal audit functions. Organizations are meeting this gap with guest auditors, co-source providers and outsource IT audit function. 


While the survey indicates a significant gap in the IT audit capabilities of many organizations, 48% of small companies are  not using any outside resources, clearly indicating  that these organizations lack necessary skills and resources to manage IT risk. 

 
In-house internal audit department lacking the specific skill sets seems to be the major reason for organizations using external resources to meet the IT audit requirements. 67% of the participants expressed this opinion, which stood at 62%  in 2011. This clearly indicates, the organizations are increasingly looking forward to avail the services of experienced and qualified IT auditors, while keeping the costs low.
 
Considering the fact that a significant number of companies have limited or no resources devoted to IT Audit,   the survey concludes that a number of  organizations are not in compliance with Standard 1210.A3 stipulated by the IIA. 

IIA Standard 1210.A3  Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

 IT Audit Risk Assessment

Considering the pace of technology proliferation in organizations IT implementation and business models as well as the changing threat scope in general, IT audit risk assessment needs to be carried out on an ongoing process and at least in a quarter. Interestingly, only 13% of the organizations are conducting the risk assessment at this frequency and as many as 65% of the organizations conduct at annual intervals !! This clearly indicates,  majority of organizations are NOT keeping pace with the rate of technology change, emerging new threats and innovations in the organizations.

Frameworks

On a positive note, 86% of the organizations adopted a framework to based their IT Audit Risk Assessments with COBIT (63%) and COSO (43%) leading the list.

IT Governance

The survey tested the organizations’ IT Governance processes as against the IIA standard to ensure the internal audit function assesses whether the IT Governance sustains and supports organization’s business strategy and objectives.

IIA Standard 2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.

Unfortunately, responses from about three fourths of the organizations indicate that IT Governance process is NOT a priority.

The survey also covered other aspects like training, gaps in audit plan and can be accessed  from http://www.protiviti.com/en-US/Documents/Surveys/2012-IT-Audit-Benchmarking-Survey-Protiviti.pdf