Policies, Standards, Baselines, Guidelines, and Procedures

The risk assessment is done. Let’s call it a day.

Response: Nope, there’s more to do.

Computers and the information processed on them usually have a direct relationship with a company’s critical missions and objectives. Because of this level of importance, senior management should make protecting these items a high priority and provide the necessary support, funds, time, and resources to ensure that systems, networks, and information are protected in the most logical and cost-effective manner possible. A comprehensive management approach must be developed to accomplish these goals successfully, because everyone within an organization brings a different set of personal values and experiences regarding security, and it is important to make sure everyone treats the security of the organization at the level the organization requires, as determined by laws, regulations, requirements, and the goals and needs identified by risk assessments of the organization’s environment.

For a company’s security plan to be successful, it must start at the top level and be useful and functional at every single level within the organization. Senior management needs to define the scope of security and identify and decide what must be protected and to what extent. Management must understand the regulations, laws, and liability issues it is responsible for complying with regarding security and ensure that the company as a whole fulfills its obligations. Senior management also must determine what is expected from employees and what the consequences of noncompliance will be. These decisions should be made by the individuals who will be held ultimately responsible if something goes wrong. But it is a common practice to bring in the expertise of the security officers to collaborate in ensuring that sufficient policies and controls are being implemented to achieve the goals being set and determined by senior management.

A security program contains all the pieces necessary to provide overall protection to a corporation and lays out a long-term security strategy. A security program should have security policies, procedures, standards, guidelines, baselines, security-awareness training, an incident response plan, and a compliance program. The human resources and legal departments must be involved in the development and enforcement of some of these elements.

The language, level of detail, formality of the policy, and supporting mechanisms should be examined by the policy developers. Security policies, standards, guidelines, and procedures must be developed with a realistic view to be most effective. Highly structured organizations usually follow guidelines in a more uniform way. Less structured organizations may need more explanation and emphasis to promote compliance. The more detailed the rules are, the easier it is to know when one has been violated. However, overly detailed documentation and rules can prove to be more burdensome than helpful. On the other hand, many times, the more formal the rules, the easier they are to enforce. The business type, its culture, and its goals must be evaluated to make sure the proper language is used when writing security documentation.

Security Policy

Oh look, this paper tells us what we need to do. I am going to put smiley-face stickers all over it.

A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program’s goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. This policy must address relevant laws, regulations, and liability issues, and how they are to be satisfied. The organizational security policy provides scope and direction for all future security activities within the organization. It also describes the amount of risk senior management is willing to accept.

The organizational security policy has several important characteristics that must be understood and implemented:

  • Business objectives should drive the policy’s creation, implementation, and enforcement. The policy should not dictate business objectives.

  • It should be an easily understood document that is used as a reference point for all employees and management.

  • It should be developed and used to integrate security into all business functions and processes.

  • It should be derived from and support all legislation and regulations applicable to the company.

  • It should be reviewed and modified as a company changes, such as through adoption of a new business model, a merger with another company, or change of ownership.

  • Each iteration of the policy should be dated and under version control.

  • The units and individuals who are governed by the policy must have access to the applicable portions and not be expected to have to read all policy material to find direction and answers.

  • It should be created with the intention of having the policies in place for several years at a time. This will help ensure policies are forward thinking enough to deal with potential changes in any near-future security environments that may arise.

  • It should use language that is direct and commanding and avoid weaker tones and directives. Words like should or may need to be replaced with shall or must.

  • The level of professionalism in the presentation of the policies reinforces their importance as well as the need to adhere to them.

  • It should not contain language that isn’t readily understood by everyone. Use clear and declarative statements that are easy to understand and adopt.

  • It should be reviewed on a regular basis and adapted to correct incidents that have occurred since the last review and revision of the policies.

A process for dealing with those who choose not to comply with the security policies must be developed and enforced so there is a structured method of response to noncompliance. This establishes a process that others can understand and thus recognize not only what is expected of them, but also what they can expect as a response to their noncompliance.

Why Have Policies in Place?

The following is a good summary of the importance of a security policy:

  • Identifies assets the company considers valuable

  • Provides authority to the security team and its activities

  • Provides a reference to review when conflicts pertaining to security arise

  • States the company’s goal and objectives pertaining to security

  • Outlines personal responsibility

  • Helps to prevent unaccounted-for events (surprises)

  • Defines the scope for the security team and its functions

  • Outlines incident response responsibilities

  • Outlines the company’s response to legal, regulatory, and standards of due care


It is through these policies that security programs can be set up with a strong foundation and an organized method of response to security issues, as well as expectations for personnel within the organization as to who is in charge during certain kinds of incidents.

Different types of security policies can be implemented in an organization. These policies can be adapted to fit the specific needs of their environment.

An issue-specific policy, also called a functional implementing policy, addresses specific security issues that management feels need more detailed explanation and attention to make sure a comprehensive structure is built and all employees understand how they are to comply with these security issues. For example, an organization may choose to have an e-mail security policy that outlines what management can and cannot do with employees’ e-mail messages for monitoring purposes, that specifies which e-mail functionality employees can or cannot use, and that addresses specific privacy issues.

As a more specific example, an e-mail policy might state that management can read any employee’s e-mail messages that reside on the mail server, but not when they reside on the user’s workstation. The e-mail policy might also state that employees cannot use e-mail to share confidential information or pass inappropriate material, and that they may be subject to monitoring of these actions. Before they use their e-mail clients, employees should be asked to confirm that they have read and understand the e-mail policy, either by signing a confirmation document or clicking Yes in a confirmation dialog box. The policy provides direction and structure for the staff by indicating what they can and cannot do. It informs the users of the expectations of their actions, and it provides liability protection in case an employee cries “foul” for any reason dealing with e-mail use.

Note

A policy needs to be technology- and solution-independent. It must outline the goals and missions, but not tie the organization to specific ways of accomplishing them.


A system-specific policy presents the management’s decisions that are specific to the actual computers, networks, applications, and data. This type of policy may provide an approved software list, which contains a list of applications that may be installed on individual workstations. This policy may describe how databases are to be used and protected, how computers are to be locked down, and how firewalls, IDSs, and scanners are to be employed.

Policies are written in broad terms to cover many subjects in a general fashion. Much more granularity is needed to actually support the policy, and this happens with the use of procedures, standards, and guidelines. The policy provides the foundation. The procedures, standards, and guidelines provide the security framework. And the necessary security components, implementations, and mechanisms are used to fill in the framework to provide a full security program and secure infrastructure.

Types of Policies

Policies generally fall into one of the following categories:

  • Regulatory: This type of policy ensures that the organization is following standards set by specific industry regulations. It is very detailed and specific to a type of industry. It is used in financial institutions, health care facilities, public utilities, and other government-regulated industries.

  • Advisory: This type of policy strongly advises employees as to which types of behaviors and activities should and should not take place within the organization. It also outlines possible ramifications if employees do not comply with the established behaviors and activities. This policy type can be used, for example, to describe how to handle medical information, financial transactions, or how to process confidential information.

  • Informative: This type of policy informs employees of certain topics. It is not an enforceable policy, but rather one that teaches individuals about specific issues relevant to the company. It could explain how the company interacts with partners, the company’s goals and mission, and a general reporting structure in different situations.


Standards

Some things you just gotta do.

Standards refer to mandatory activities, actions, or rules. Standards can give a policy its support and reinforcement in direction. Standards could be internal, or be externally mandated (government laws and regulations).

Organizational security standards may specify how hardware and software products are to be used. They can also be used to indicate expected user behavior. They provide a means to ensure that specific technologies, applications, parameters, and procedures are implemented in a uniform manner across the organization. An organizational standard may require that all employees wear their company identification badges at all times, that they challenge unknown individuals about their identity and purpose for being in a specific area, or that they encrypt confidential information. These rules are usually compulsory within a company, and if they are going to be effective, they must be enforced.

As stated in an earlier section, tactical and strategic goals are different. A strategic goal can be viewed as the ultimate endpoint, while tactical goals are the steps necessary to achieve it. As shown in Figure 3-11, standards, guidelines, and procedures are the tactical tools used to achieve and support the directives in the security policy, which is considered the strategic goal.

Figure 3-11. Policy establishes the strategic plans, and the lower elements provide the tactical support.


Baselines

The term baseline has a couple of definitions. A baseline can refer to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point.

Let’s say that your doctor has told you that you weigh 400 pounds due to your diet of donuts, pizza, and soda. (This is very frustrating to you because the TV commercial said you could eat whatever you wanted and just take their very expensive pills every day and lose weight.) The doctor tells you that you need to exercise each day and elevate your heart rate to double its normal rate for 30 minutes twice a day. How do you know when you are at double your heart rate? You find out your baseline (regular heart rate) by using one of those arm thingies with a little ball attached. So you start at your baseline and continue to exercise until you have doubled it or die, whichever comes first.

Baselines are also used to define the minimum level of protection required. In security, specific baselines can be defined per system type, which indicates the necessary settings and the level of protection being provided. For example, a company may stipulate that all accounting systems must meet an Evaluation Assurance Level (EAL) 4 baseline. This means that only systems that have gone through the Common Criteria process and achieved this rating can be used in this department. Once the systems are properly configured, this is the necessary baseline. When new software is installed, when patches or upgrades are applied to existing software, or when other changes take place to the system, there is a good chance the system may no longer be providing its necessary minimum level of protection (its baseline). Security personnel must assess the systems as changes take place and ensure that the baseline level of security is always being met. If a technician installs a patch on a system and does not ensure the baseline is still being met, there could be new vulnerabilities introduced into the system that will allow attackers easy access to the network.
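An added example (not from the book) of the two baseline checks this passage describes, written in Python with constructed settings and snapshots: a minimum-protection check that every setting must keep passing, and a drift check of a post-patch state against the agreed reference point.

```python
"""Baseline check in the two senses the text gives the word: a point-in-time
reference snapshot that later states are compared against, and a minimum
level of protection that a system must keep meeting after patches or changes.
Every setting name, rule and snapshot below is constructed for illustration."""

from dataclasses import dataclass
from typing import Any, Callable

# Minimum-protection rules (constructed). Each rule is a predicate over the
# current value of one setting, plus the wording a reviewer wants to read.
MINIMUM_BASELINE: dict[str, tuple[Callable[[Any], bool], str]] = {
    "ssh.permit_root_login": (lambda v: v == "no", "root login over SSH disabled"),
    "password.min_length": (lambda v: isinstance(v, int) and v >= 12, "passwords of 12+ characters"),
    "firewall.enabled": (lambda v: v is True, "host firewall enabled"),
    "audit.confidential_access": (lambda v: v is True, "access to confidential data audited"),
    "tls.min_version": (lambda v: v in ("1.2", "1.3"), "TLS 1.2 or newer only"),
}


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    actual: Any
    kind: str  # "below_minimum" or "drift"


def check_minimum(current: dict[str, Any]) -> list[Finding]:
    """Return every setting that fails the minimum-protection baseline.
    A setting absent from the snapshot counts as failing: an unknown value
    cannot be shown to meet the minimum."""
    findings = []
    for setting, (ok, expected) in MINIMUM_BASELINE.items():
        actual = current.get(setting)
        if setting not in current or not ok(actual):
            findings.append(Finding(setting, expected, actual, "below_minimum"))
    return findings


def check_drift(reference: dict[str, Any], current: dict[str, Any]) -> list[Finding]:
    """Compare the current state with the agreed reference snapshot and return
    every setting that changed, appeared, or disappeared. Drift is not by
    itself a failure, but each item must be reviewed and the baseline re-agreed."""
    findings = []
    for setting in sorted(set(reference) | set(current)):
        if reference.get(setting) != current.get(setting):
            findings.append(Finding(setting, repr(reference.get(setting)), current.get(setting), "drift"))
    return findings


def assess(reference: dict[str, Any], current: dict[str, Any]) -> list[Finding]:
    """Post-change assessment: minimum rules first, then drift from the reference."""
    return check_minimum(current) + check_drift(reference, current)


# Constructed snapshots: the agreed reference, then the same host after a
# patch that re-enabled root SSH login and lowered the TLS floor.
REFERENCE = {
    "ssh.permit_root_login": "no",
    "password.min_length": 14,
    "firewall.enabled": True,
    "audit.confidential_access": True,
    "tls.min_version": "1.2",
}
AFTER_PATCH = {**REFERENCE, "ssh.permit_root_login": "yes",
               "tls.min_version": "1.0", "patch.level": "2024-Q1"}

if __name__ == "__main__":
    for f in assess(REFERENCE, AFTER_PATCH):
        print(f"{f.kind:14} {f.setting}: expected {f.expected}, found {f.actual!r}")
```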

Note

Baselines that are not technology-oriented should be created and enforced within organizations as well. For example, a company can mandate that all employees must have a badge with a picture ID in view while in the facility at all times. It can also state that visitors must sign in at a front desk and be escorted while in the facility. If these are followed, then this creates a baseline of protection.


Caution

While the term “baseline” is interpreted differently in the industry, you should note that software and hardware configurations are commonly referred to as baselines. Specific configurations will provide the minimum amount of security required. This is the interpretation you will most likely run into on the exam.


Guidelines

Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. Guidelines can deal with the methodologies of technology, personnel, or physical security. Life is full of gray areas, and guidelines can be used as a reference during those times. Whereas standards are specific mandatory rules, guidelines are general approaches that provide the necessary flexibility for unforeseen circumstances.

A policy might state that access to confidential data must be audited. A supporting guideline could further explain that audits should contain sufficient information to allow for reconciliation with prior reviews. Supporting procedures would outline the necessary steps to configure, implement, and maintain this type of auditing.

Procedures

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. Many organizations have written procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more.

Procedures are considered the lowest level in the policy chain because they are closest to the computers and users (compared to policies) and provide detailed steps for configuration and installation issues.

Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment. If a policy states that all individuals who access confidential information must be properly authenticated, the supporting procedures will explain the steps for this to happen by defining the access criteria for authorization, how access control mechanisms are implemented and configured, and how access activities are audited. If a standard states that backups should be performed, then the procedures will define the detailed steps necessary to perform the backup, the timelines of backups, the storage of backup media, and so on. Procedures should be detailed enough to be both understandable and useful to a diverse group of individuals.

Modular Elements

Standards, guidelines, and baselines should not be in one large document. Each has a specific purpose and a different audience. A document describing how to be in compliance with a specific regulation may go to the management staff, whereas a detailed procedure on how to properly secure a specific operating system would be directed toward an IT member. Keeping standards, guidelines, and baselines separate and modular in nature helps for proper distribution and updating when necessary.


To tie these items together, let’s walk through an example. A corporation’s security policy indicates that confidential information should be properly protected. It states the issue in very broad and general terms. A supporting standard mandates that all customer information held in databases must be encrypted with the Advanced Encryption Standard (AES) algorithm while it is stored and that it cannot be transmitted over the Internet unless IPSec encryption technology is used. The standard indicates what type of protection is required and provides another level of granularity and explanation. The supporting procedures explain exactly how to implement the AES and IPSec technologies, and the guidelines cover how to handle cases when data is accidentally corrupted or compromised during transmission. All of these work together to provide a company with a security structure.

Implementation

Where are the policies that we spent $100,000 to develop?

Response: What is a policy again?

Unfortunately, security policies, standards, procedures, baselines, and guidelines often are written because an auditor instructed a company to document these items, but then they are placed on a file server and are not shared, explained, or used. To be useful, they must be put into action. No one is going to follow the rules if people don’t know the rules exist. Security policies and the items that support them not only must be developed, but must also be implemented and enforced.

To be effective, employees need to know about security issues within these documents; therefore, the policies and their supporting counterparts need visibility. Awareness training, manuals, presentations, newsletters, and legal banners can achieve this visibility. It must be clear that the directives came from senior management and that the full management staff supports these policies. Employees must understand what is expected of them in their actions, behaviors, accountability, and performance.

Implementing security policies and the items that support them shows due care by the company and its management staff. Informing employees of what is expected of them and the consequences of noncompliance can come down to a liability issue. If a company fires an employee because he was downloading pornographic material to the company’s computer, the employee may take the company to court and win if the employee can prove he was not properly informed of what was considered acceptable and unacceptable use of company property and what the consequences were. Security-awareness training is covered in later sections, but understand that companies that do not supply this to their employees are not practicing due care and can be held negligent and liable in the eyes of the law.

Due Care and Due Diligence

Due care and due diligence are terms used throughout this book. Due diligence is the act of investigating and understanding the risks the company faces. A company practices due care by developing and implementing security policies, procedures, and standards. Due care shows that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources, and employees from possible threats. So, due diligence is understanding the current threats and risks, and due care is implementing countermeasures to provide protection from those threats. If a company does not practice due care and due diligence pertaining to the security of its assets, it can be legally charged with negligence and held accountable for any ramifications of that negligence.

The following are some tricks to remember the difference between these two concepts. Due Diligence = Do Detect. Due diligence maps with Do Detect. It is the steps you take to identify the risks using best practices, published standards, and other tools. Due Care = Do Correct. This is what you do to correct the threat identified or to minimize it to an acceptable level of risk.

