Chapter 5: Policy
...The policy should also require updates of the signatures for such security programs on a periodic basis. For example, the policy might specify that the signatures be updated on a monthly basis.
The security policy should define acceptable encryption algorithms for use within the organization and point back to the Information Policy to show the appropriate algorithms to protect sensitive information. There is no reason for the security policy to specify only one algorithm. The security policy should also specify the required procedures for key management.
Despite the best intentions of security staff, management, and system administrators, there will be times when systems must be put into production that do not meet the security requirements defined in the security policy. The systems in question will be required to fulfill some business need, and the business need will be more important than making the systems comply with the security policy. When this happens, the security policy should provide a mechanism to assess the risk to the organization and to develop a contingency plan.
This is where the waiver process comes in. For each such situation, the system designer or project manager should fill out a waiver form where the following information is defined:
- The system in question
- The section of the security policy that will not be met
- The ramifications to the organization (that is, the increased risk)
- The steps being taken to reduce or manage the risk
- The plan for bringing the system into compliance with the security policy
The security department should then review the waiver request and provide its assessment of the risk and recommendations to reduce and manage the risk. In practice, the project manager and the security staff should work together to address each of these areas so that when the waiver request is complete, both are in agreement.
Finally, the waiver should be signed by the organization's officer who is in charge of the project. This shows that the officer understands the risk to the organization and agrees that the business need overcomes the security requirements. In addition, the officer's signature agrees that the steps to manage the risk are appropriate and will be followed.
Detailed security configurations for various operating systems should be placed in appendices or in separate configuration procedures. This allows these detailed documents to be modified as necessary without changing the organization's security policy.
Computer Use Policy
The computer use policy lays out the law when it comes to who may use computer systems and how they may be used. Much of the information in this policy seems like common sense, but if the organization does not specifically define a policy of computer ownership and use, the organization leaves itself open to lawsuits from employees.
Ownership of Computers
The policy should clearly state that all computers are owned by the organization and that they are provided to employees for use in accordance with their jobs within the organization. The policy may also prohibit the use of non-organization computers for organization business. For example, if employees are expected to perform some work at home, the organization will provide a suitable computer. It may also be appropriate to state that only organization-provided computers can be used to connect to the organization's internal computer systems via a remote access system.
Ownership of Information
The policy should state that all information stored on or used by organization computers belongs to the organization. Some employees may use organization computers to store personal information. If this policy is not specifically stated and understood by employees, there may be an expectation that personal information will remain so if it is stored in private directories. This may lead to lawsuits if this information is disclosed.
Acceptable Use of Computers
Most organizations expect that employees will only use organization-provided computers for work-related purposes. This is not always a good assumption. Therefore, it must be stated in the policy. It may be appropriate to simply state "organization computers are to be used for business purposes only." Other organizations may define business purposes in detail.
Occasionally, organizations allow employees to use organization computers for other purposes. For example, an organization may allow employees to play games across the internal network at night. If this is to be allowed, it should be stated clearly in the policy.
The use of the computers provided by the organization will also impact what software is loaded on the systems. It may be appropriate for the organization to state that no unauthorized software may be loaded on the computer systems. The policy should then define who may load authorized software and how software becomes authorized.
No Expectation of Privacy
Perhaps the most important part of the computer use policy is the statement that the employee should have no expectation of privacy for any information stored, sent, or received on any organization computers. It is very important for the employee to understand that any information may be examined by administrators and that this includes electronic mail. Also, the employee should understand that administrators or security staff may monitor all computer-related activity, including the monitoring of Web sites.
Internet Use Policy
The Internet use policy is often included in the more general computer use policy. However, it is sometimes broken out as a separate policy due to the specific nature of Internet use. Connectivity to the Internet is provided by organizations so that employees may perform their jobs more efficiently and thus benefit the organization. Unfortunately, the Internet provides a mechanism for employees to misuse computer resources.
The Internet use policy defines appropriate uses (such as business-related research, purchasing, or communications using electronic mail) of the Internet. It may also define inappropriate uses (such as visiting non-business-related Web sites, downloading copyrighted software, trading music files, or sending chain letters).
If the policy is separate from the computer use policy, it should state that the organization may monitor employee use of the Internet and that employees should have no expectation of privacy when using the Internet.
Some organizations may choose to develop a specific policy for the use of electronic mail (this policy may also be included in the computer use policy). Electronic mail is being used by more and more organizations to conduct business. Electronic mail is another way for organizations to leak sensitive information as well. If an organization chooses to define a specific mail policy, it should take into account internal issues as well as external issues.
Internal Mail Issues
The electronic mail policy should not be in conflict with other human resources policies. For example, the mail policy should point to any organization policies on sexual harassment. If the organization wants to make a point that off-color jokes should not be sent to coworkers using electronic mail, the existing definitions of off-color or inappropriate comments should be reproduced or identified within the policy.
If the organization will be monitoring electronic mail for certain key words or for file attachments, the policy should state that this type of monitoring may occur. It should also state that the employee has no expectation of privacy in electronic mail.
External Mail Issues
Electronic mail leaving an organization may contain sensitive information. The mail policy should state under what conditions this is acceptable and point back to the information policy for how this information should be protected. It may also be appropriate for the organization to place a disclaimer or signature at the bottom of outgoing electronic mail to indicate that proprietary information must be protected.
The mail policy should also identify issues around inbound electronic mail. For example, many organizations are testing inbound file attachments for viruses. The policy should point back to the organization's security policy for the appropriate virus configuration issues.
User Management Procedures
User management procedures are the security procedures that are most overlooked by organizations and yet provide the potential for the greatest risk. Security mechanisms to protect systems from unauthorized individuals are wonderful things but can be rendered completely useless if the users of computer systems are not properly managed.
New Employee Procedure
A procedure should be developed to provide new employees with the proper access to computer resources. Security should work with the Human Resources Department and with system administrators on this procedure. Ideally, the request for computer resources will be generated by the new employee's supervisor and signed off by this person as well. Based on the department the new employee is in and the access request made by the supervisor, the system administrators will provide the proper access to files and systems. This procedure should also be used for new consultants and temporary employees with the addition of an expiration date set on these accounts to correspond with the expected last day of employment.
Transferred Employee Procedure
Every organization should develop a procedure for reviewing employees' computer access when they transfer within the organization. This procedure should be developed with the assistance of Human Resources and System Administration. Ideally, both the employee's new and old supervisors will identify the fact that the employee is moving to a new position and the access that is no longer needed or the new access that is needed. The appropriate systems administrator will then make the change.
Employee Termination Procedure
Perhaps the most important user management procedure is the removal of users who no longer work for the organization. This procedure should be developed with the assistance of Human Resources and System Administration. When Human Resources identifies an employee who is leaving, the appropriate system administrator should be notified ahead of time so that the employee's accounts can be disabled on the last day of employment.
In some cases, it may be necessary for the employee's accounts to be disabled prior to the employee being notified that he is being terminated. This situation should also be covered in the termination procedure.
The termination procedure should also cover temporary employees and consultants who have accounts on the systems. These users may not be known to the Human Resources department. The organization should identify who will know about such employees and make them a part of the procedure as well...
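As an added example (not from the book), the following reconciles an HR roster against the accounts found on a system and produces the actions the procedures above call for: disabling departed users, requiring an expiration date on consultant and temporary accounts that matches the expected last day, and flagging accounts that no one in Human Resources knows about. The Person and Account records, the action names and all sample data are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Person:               # one HR roster entry (constructed schema)
    username: str
    kind: str               # "employee", "consultant" or "temp"
    last_day: Optional[date]   # expected last day; None for regular staff
    departed: bool          # HR has recorded that this person has left

@dataclass
class Account:              # one account as found on a system
    username: str
    enabled: bool
    expires: Optional[date]

def reconcile(roster, accounts, today):
    by_user = {p.username: p for p in roster}
    actions = []  # (username, action) pairs the chapter's procedures call for
    for acct in accounts:
        person = by_user.get(acct.username)
        if person is None:  # nobody in HR owns it: locate the sponsor first
            actions.append((acct.username, "review-unknown-owner"))
        elif person.departed and acct.enabled:  # termination procedure
            actions.append((acct.username, "disable-departed"))
        elif person.kind != "employee":  # consultants and temps must expire
            if acct.expires is None:
                actions.append((acct.username, "set-expiration"))
            elif person.last_day and acct.expires > person.last_day:
                actions.append((acct.username, "shorten-expiration"))
            elif acct.expires <= today and acct.enabled:
                actions.append((acct.username, "disable-expired"))
    return actions
TODAY = date(2024, 6, 1)  # constructed sample data below, not real people
ROSTER = [
    Person("alice", "employee", None, False),
    Person("bob", "employee", None, True),               # HR says bob has left
    Person("carol", "consultant", date(2024, 9, 30), False),
    Person("dave", "temp", date(2024, 5, 31), False),    # contract ended yesterday
]
ACCOUNTS = [
    Account("alice", True, None),
    Account("bob", True, None),
    Account("carol", True, None),                        # consultant, no expiry set
    Account("dave", True, date(2024, 5, 31)),
    Account("erin", True, None),                         # unknown to HR
]
def sample_actions():
    return reconcile(ROSTER, ACCOUNTS, TODAY)
```

Run periodically, the same comparison catches the gap the chapter warns about: accounts for temporary staff and consultants that Human Resources never recorded.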