Reviewing security policies

Are your security policies really managing your organisation's risks?

Security
by Hidayath Ullah Khan Monday, June 21 2010


It’s an exhilarating feeling to be back at the blog after a long hiatus owing to strict consulting project deadlines. As a security consultant, I’ve been fortunate to have worked with many clients across various verticals. One of the projects I worked on recently was a “security policies review” for a large conglomerate based in the States, with offices all over the Middle East and Europe.

Well, at the outset the project seemed daunting. Not because I was unfamiliar with the topic, but because of the sheer volume of policies that needed to be reviewed. On my very first day at the client’s office, I was handed a thick binder containing their so-called “security policies”, and told that more policies were on their way from their corporate offices worldwide and that I had to review every one of them. As I sheepishly leafed through the binder, I was appalled to find that it contained more than a hundred policies, each of which (if it could be called a policy) ran to around thirty pages. To me they looked like a mixture of policies, standards, guidelines and procedures, all combined into big, fat documents. The very sight of them was unnerving, let alone the prospect of reviewing them.

So here is the review process, in all its gory details.

The first step in the review process was to assess the existing security policies to determine whether they were designed with the controls needed to meet our client’s business or security objectives. Every policy in an organization should relate to a business or organizational objective and explicitly spell out the controls needed to meet that objective, whether it is a business objective or a security objective. Well written and implemented policies also contain sufficient information on what must be done to protect the organization’s information and people.

Our approach to reviewing the policies was to measure them against best-practice guidelines for developing security policies. Specifically, our review framework checked whether each existing policy had the following characteristics:

• Clear and concise

• Met SMART objectives, where SMART stands for “specific, measurable, achievable, realistic and time-based”

• Contained the 5 W's (who, what, where, when, why)

• Specified responsibility and compliance

• Designated the actions required

• Provided sufficient guidance from which a specific procedure could be developed

The second step consisted of identifying the core security policies that needed to be realigned with the client’s business objectives. This phase of the project involved data collection and a needs assessment, from which a baseline was created. A needs assessment is a process used to determine an organization's security policy needs; its results provide the justification needed to convince management to allocate adequate resources to meet the identified needs.

A baseline is the foundation for evaluating existing policies, and it is made up of several components. At the top is the “mission statement”, which indicates what the organization’s expected overall security posture should look like. Specifically, the mission statement defines what customers, suppliers and employees can expect from the client as an organization.

Then an assessment of the organization's security posture was initiated, which is a bit like looking in the mirror. A security posture is the amount of progress an organization has made toward implementing a culture of security. In other words, the mission statement is the way we hope people view us; our security posture is what we actually look like.

Security Posture:

The pragmatic next step in the review process was therefore to assess our client’s security posture, i.e. its culture of security, or the degree to which security is treated as part of business operations. Understanding the client’s true security posture helps immensely both in reviewing the existing policies and in identifying the need for missing ones.

The following is a sample of the detailed questionnaire that was circulated to our client’s senior management in order to gauge the organization’s security posture:

• What is the level of commitment of senior management to physical, information and intellectual property security?

• What level of risk is senior management willing to accept? (If there is no commitment from senior management, there cannot be a culture of security.)

• What is the presumption of privacy, including phone and network monitoring?

• Do employees have a reasonable expectation that the files on their computers and their phone and Internet communications are protected?

• Does company policy allow random physical searches, and is there an active search program?

• Is the perimeter configured to allow all connections initiated from inside the organization (i.e. is there no egress filtering)?

• What is the level of employee awareness of security practice?

• Do employees know the procedures for developing and protecting information systems?

• Are employees able to add software or modify settings on their desktop systems?

• Are administrators able to make changes without going through a formal configuration-management approval program?

• What is the preferred security policy stance: mild, medium or strong? A strong policy has automated controls and complete enforcement. A medium policy may have some automated controls and some audit controls. A mild policy relies on spot checks for compliance.

• Additional clarification points:

o Management style: collaborative, consultative, directive/military, coercive, charismatic

o Formal vs. casual

o Time clock enforcement

o Freedom to work from home

o Team vs. individual effort

o Whether creativity is encouraged or discouraged

o Commitment to ethics, law, culture and morals

The above questions help define the importance attached to security and the degree to which it has been implemented. They tell us where our client is on its journey toward a culture of security, and knowing this is necessary to establish the baseline against which the client’s security policies can be evaluated.

The review process revealed that our client’s existing policies did not satisfy the best-practice policy traits, and that they had to be revamped to align them with the client’s mission statement and business objectives. Policies must be tailored to the needs of each organization, because the factors that drive information security policies vary considerably from one organization to another. These factors include business objectives, legal requirements, organizational design, organizational culture, prevailing ethics and morals, the extent of worker education, and the information systems technology deployed.

Well, that’s about it for this post. I will try to post again soon (time permitting) on writing effective security policies with business impetus. Till then, adios!


Author's Bio

Hidayath Ullah Khan
Hidayath Ullah Khan is the founder and CEO of Sentelist FZE – an IT consultancy firm specializing in Application Security, Penetration Testing and Forensics.

Contact Number: 971 6 5575599
Email: khan@sentelist.net
Copyright 2010 IDG Middle East. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Middle East is prohibited.