
ISSA Journal | February 2008

Need a Security Policy?

An Enterprise Security Policy Management Framework, Part 1

By Mark Simon in Collaboration with Microsoft's Trustworthy Computing Group

This is the first of a two-part series on developing an enterprise security policy utilizing Microsoft's Prescriptive Guidance and Education tools and procedures.

This is the first of a two-part series addressing (a) the function security policies serve in an information security management system, (b) elements of an effective information security policy development program, (c) guidelines for drafting successful information security policies, (d) post-development considerations, and (e) enterprise-level information security policy topics that warrant attention.

Microsoft recognizes the importance of information security policies and how, as business rules, they are necessary for preserving the confidentiality, integrity and availability of information. The information security policy management framework described in this article is part of Microsoft's Prescriptive Guidance and Education effort, helping management meet its fiduciary obligations in addressing information security. It is technology agnostic and draws upon many industry-accepted standards for managing security risk. It is an important example of Microsoft's commitment to delivering quality guidance to help customers secure their Information Technology (IT) infrastructures. This information incorporates real-world experiences from Microsoft IT and industry standards, and includes input from Microsoft partners.

Information security is dependent on well-understood information security policies. A case in point is an incident involving a U.S. government data analyst who took electronic data from the agency that employed him and stored the data on his personally-owned laptop computer and external hard drive. The employee's home was burglarized and the computer equipment, along with various other items, was stolen. The electronic data stored on this computer included identifying information about millions of beneficiaries served by the agency. The agency's inspector general found that agency policies and procedures for safeguarding against the disclosure of identifying personal information were not adequate to prevent the data loss incident. In pertinent part, the inspector general reported:

- No identifiable policy required employees or contract employees to obtain authorization before removing protected information
- No identifiable policy prohibited employees or contractors from removing protected information from the agency work site
- No identifiable policy prohibited the use of non-agency computers to process or store protected information
- No identifiable policy required safeguards such as password protection or encryption when protected information was stored on portable storage media or non-agency computers

Had the agency instituted a clear policy on the use and protection of beneficiary data, and had it implemented controls to address the objectives stated in that policy, it is less likely the data loss incident would have occurred. Operating in the presence of an established information security policy management framework reflects management's exercise of its fiduciary duty to safeguard sensitive and confidential information.

The function of security policies

An information security management system (ISMS) is part of the organization's overall management system. ISMS involves the establishment, implementation, monitoring, maintenance and improvement of information security in the context of an organization's overall policies and risk management objectives. Information security policies support ISMS by providing objectives and establishing an overall sense of direction and principles for action with respect to information security.

Laws and Standards Requiring Security Policies

Reference: HIPAA Security Standards: Final Rule. 45 CFR Parts 160, 162, and 164
Compliance Requirement: Section 164.316 Policies and Procedures and Documentation Requirements. A covered entity must, in accordance with 164.306: (a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

Reference: Section 501(b) of the Gramm-Leach-Bliley Act, Federal Trade Commission Standards for Safeguarding Customer Information; Final Rule. 16 CFR Part 314
Compliance Requirement: 314.3 Standards for safeguarding customer information. (a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.

Reference: Section 404 of the Sarbanes-Oxley Act. SEC Guidance Regarding Management's Report on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities Exchange Act of 1934; Final Rule. 17 CFR Part 241
Compliance Requirement: Under the Commission's rules, management's annual assessment of the effectiveness of ICFR must be made in accordance with a suitable control framework's definition of effective internal control. These control frameworks define elements of internal control that are expected to be present and functioning in an effective internal control system. In assessing effectiveness, management evaluates whether its ICFR includes policies, procedures and activities that address the elements of internal control that the applicable control framework describes as necessary for an internal control system to be effective.

Reference: Basel II - International Convergence of Capital Measurement and Capital Standards. A Revised Framework, November 2005.
Compliance Requirement: 663. As some internationally active banks will wish to use the Standardized Approach, it is important that such banks have adequate operational risk management systems. (a) The bank must have an operational risk management system with clear responsibilities assigned to an operational risk management function. The operational risk management function is responsible for developing strategies to identify, assess, monitor and control/mitigate operational risk; for codifying firm-level policies and procedures concerning operational risk management and controls; for the design and implementation of the firm's operational risk assessment methodology; and for the design and implementation of a risk-reporting system for operational risk.

Reference: ISO/IEC 27002:2005. Information technology - Security techniques - Code of practice for information security management.
Compliance Requirement: 5. Security Policy. Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

Table 1 Laws and standards requiring security policies.

Importance of information security policies

Information security policies are management's high-level statements prescribing how an organization protects its information assets. They reflect business rules that:

- Define information security roles and responsibilities
- Establish baseline controls and rules for overriding those controls
- Specify rules of behavior that users are expected to follow and repercussions for noncompliance
- Reduce a specific set of security risks to a level acceptable to management

Information security policies reflect management's direction and support for a consistent application of information security across the organization.

Information security policies also demonstrate management's support for and commitment to the organization's adherence to legal requirements and information security management standards. Compliance with statutes, regulations, contractual agreements and information security standards set by national or international standard-setting organizations cannot be achieved without information security policies. Table 1 lists some of the commonly recognized sources which drive compliance requirements involving the establishment and use of information security policies.

Information security policies distinguished from standards, guidelines and procedures

Differentiation between policies, standards, guidelines and procedures is recommended by the International Organization for Standardization (ISO) 9000 series of standards. The principal advantages of pursuing this differentiation are that each component may (a) be aimed at different audiences, (b) allow for varying levels of management involvement, (c) facilitate location of relevant information, and (d) provide for easier maintenance.

A policy reflects senior management's direction and is a high-level statement prescribing how an organization should behave.

A standard is a detailed form of a policy statement. A standard reflects technical considerations, need not be issued by the same level of management as the policy it supports, and exists so as to give meaningful application to a policy. As newer technologies become available or emerging threats are identified, a standard may change, but the organizational objective as expressed in a policy could remain the same. Multiple standards may relate to the same policy where each standard is targeted to a different group. For example, a high standard for password selection may apply to network administrators who have access to critical system functionality. In contrast, customers with access only to an extranet system and limited privileges assigned solely to create, modify or delete data could be made subject to a substantially lesser standard for their password selection.

Advantages of separating policy from an implementing standard are identifiable in the example above. In the example, the implementing standard aimed at network administrators is of no interest to customers. Providing customers with their own password selection standard avoids having a customer wade through a complicated document describing multiple standards. The separate, shorter document containing a standard applicable only to customers facilitates customer comprehension and the task of locating relevant information. Furthermore, senior management need not be involved in approving the two technical standards for password selection. Since password selection policy is described in a document separate from its implementing standards, standard setting can be delegated to those who have the expertise to develop and apply standards most effectively for the targeted group involved.

A procedure describes the method by which a policy or standard is accomplished. Procedures consist of actions or steps. The advantages of separating a policy or standard from an implementing procedure are similar to the advantages of separating a policy from its implementing standards; separation facilitates enhanced comprehension, information location, development and maintenance.

Guidelines are best thought of as best practices for accomplishing a certain task. A guide for collecting digital evidence might describe how to collect evidence from a computer, but adherence to the guide would properly vary according to the investigator's level of experience, the conditions at the scene, and availability of equipment or personnel. Overarching the guidelines could be a standard that no action to secure and collect digital evidence should change or compromise the integrity of that evidence. The standard may in turn support a governing policy providing that evidence of information security incidents shall be captured and preserved until such time as evidence of the incident can no longer serve any useful purpose.

Figure 1 shows how policy, standard, procedure and guideline relate to one another. Figure 2 demonstrates how a policy, standard, guideline and procedure may be differentiated in the context of password management.

In summary, separating information security policies, standards, guidelines and procedures is a best practice, designed to maximize their development, effectiveness and ease of administration.

Figure 1 Hierarchy of information security elements (a tree: Policy 1 is implemented by Standard 1.A and Standard 1.B; Standard 1.A is carried out by Procedure 1.A-1 and Procedure 1.A-2; Standard 1.B is supported by Guideline 1.B-1).

Figure 2 Examples of information security policy, standards, guidelines and procedures.

Types of information security policies


NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, published by the National Institute of Standards and Technology (NIST), identifies three types of information security policies. Insight into the meaning of these three types of policies helps with understanding the functions that information security policies fulfill. The three types of policies described are the following:

- Information security program policy
- Issue-specific security policies
- Systems-specific security policies

The information security program policy, or information security policy charter, is a high-level statement of policy that shapes the organization's approach to information security. This document defines information security program goals, resources that the information security program policy covers, organizational strategic objectives for protecting information assets, responsibilities under the information security program policy, and penalties for non-compliance.

Issue-specific policies focus on particular behaviors or workplace concerns. Examples are policies on privacy, email, appropriate use of computer resources, and password management.

System-specific policies recognize that certain controls, such as access controls and configuration rules, vary from system to system based on operational requirements and risk involved. System-specific policies express rules regarding who can do what to specific systems or classes of data and under what conditions.


Elements of an effective security policy


Centralizing information security policy development for information security topics that span across all organizational
units helps an organization achieve a greater level of consistent application of information security. The development
process for policies should blend problem recognition, fact
finding, consensus building, and management approval. By
using a well-structured process for the development of information security policies, an organization helps ensure reliable and comprehensive protection of its information assets.
The foundational elements of an information security policy development program are management's support, an information security policy development project leader, an information security policy development team, an information gathering process, a coverage framework, an information security charter and a policy development process.

Management support
Information security policy development efforts require
the support of senior management. They are not likely to
yield effective policy implementation without such support.
Therefore, the information security policy development effort should begin with laying the foundation for obtaining
senior managements commitment of resources and approval
for establishing information security policies. Support can be
garnered by presenting information on information security
risks, regulatory and other legal compliance mandates, information security incident histories of the organization and of
others in the industry, and the importance of an information
security policy to consistent and reliable information protection.

Policy development project leader

An information security policy development project leader should have a sufficient understanding of the security objectives and goals of the organization. The policy development project leader is charged with coordinating and facilitating information security policy development. This effort includes but is not limited to the following:

- Ensuring all appropriate personnel are involved in the information security policy development process, and that corresponding roles and responsibilities are clearly defined and documented
- Obtaining management approval for specific policies and management's support for policy development and implementation resources
- Quality control: coordinating policies so they are consistent with the organization's mission, management directives, and applicable laws and other legal obligations
- Policy maintenance
- Ensuring policies are communicated to internal and external users as required

The role of the information security policy development project leader is often filled by the organization's Information Security Officer (ISO).

Policy development group

Benefits of an information security policy development program cannot be achieved if the program is not recognized within an organization as having the requisite degree of expertise and authority, which may be provided by an information security policy development group. Those most affected by information security policies should be represented in the policy development group, especially data owners and data custodians. Data owners are charged with responsibility for protecting data and the business results derived from use of that data. Data custodians are responsible for caring for the data and information systems that store, process and transmit the data. Other group members may include representatives from organizational support functions, such as the following:

- Legal counsel: provides advice on legal aspects of the policies and the organization's information assurance legal requirements.
- Human resources: addresses personnel management issues such as identity and role-based management, and disciplinary procedures for user-behavior policy violations.
- Physical security and environmental operations: provides insight regarding risks and controls relating to physical access and environmental threats to information system assets.
- Risk management: contributes its expertise regarding insurance coverage, business priorities, compliance requirements, and prevailing threats.
- Internal audit: provides input regarding required internal controls over financial reporting and compliance issues.
- Employee communication and training: involved in policy dissemination and awareness issues.

Policy requirement information

Information security policies should not be created in a vacuum. Each organization has its own culture of information security, which is reflected in the attitudes of management, the manner in which systems already operate, and the common practices and procedures of users and administrators. One of the key challenges in information security policy development is defining the level of protection that fits the organization's culture and the organization's information security needs. These two factors often create fragmented and inconsistent information protection efforts.

A useful tool for gathering information security policy requirements is the Microsoft Security Assessment Tool (www.microsoft.com/security/msat). This free tool is designed to help organizations assess the weaknesses in their IT environment. Sources of information about organizational information security culture and needs include the following:

- Existing information security policies
- Interviews of data owners and data custodians
- Risk assessments and information security audits
- An information security incident response history
- Information security awareness training materials
- Lawsuits, employee grievances and other disputes involving data or privacy breaches
- Cyber-insurance and network insurance policies
- Pertinent statutes and regulations describing data or privacy protection requirements
- Current organizational policies relating to employee discipline, applications systems development, change management, equipment acquisition, information system quality control, and physical security
- Security policies and agreements relating to information outsourcing, electronic data exchanges, and communications service providers

If thorough effort is not made to gather information about the organization's information security culture and needs, the policy development effort is unlikely to meet the organization's objectives for protecting its information assets.

Policy coverage framework


Armed with sufficient background information, the next step
is to compile a list of topics to be addressed by the information security policy development program. In the case of an
organization just beginning a formal information security
program, it is best to prioritize policy development in accordance with risk assessments. Policies that address the greatest
levels of risk may be designated for immediate development
and adoption whereas policies that address lesser levels of risk
may be deferred. As the information security policies proceed
through the development process, are rolled out to organizational units, and feedback is obtained on levels of acceptance
and effectiveness, additional policies may be developed and
issued. A mature information security policy development
program should be reviewed for coverage gaps.
One technique to review for information security policy gaps is to create a policy coverage matrix that relates policy topics to an information security management framework. The cells in this two-dimensional table may be color coded to reflect information security policy priorities or levels of importance. Other policy meta-data can be added to the cells, such as the last policy review date. Figure 3 is an example of an information security policy coverage matrix.
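To show the coverage-matrix technique at work, here is an added example in Python (not code from the article, from Microsoft's guidance or from the MSAT tool) that builds a small matrix, reports framework domains that no policy covers, and ranks policies overdue for review by priority. The three framework domain names and the topic names follow Figure 3; the "Access Control" domain, the topic-to-domain mapping, the priorities, the dates and the reference date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Framework domains forming the rows of the matrix. The first three are the domain
# names shown in Figure 3; "Access Control" is an assumption added here so that the
# sample matrix has one uncovered domain to report.
FRAMEWORK_DOMAINS = [
    "Organization of Information Security",
    "Asset Management",
    "Human Resources Security",
    "Access Control",
]

PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}  # Figure 3's colour coding, as text

# Constructed reference date for the sample run; review age is measured from it.
REFERENCE_DATE = date(2007, 1, 1)


@dataclass(frozen=True)
class PolicyEntry:
    """One cell of the coverage matrix: a policy topic mapped to a framework domain."""
    topic: str
    domain: str
    priority: str                # "High", "Medium" or "Low"
    last_review: Optional[date]  # None models the "none" cells in Figure 3


# Constructed sample matrix. Topic names are taken from Figure 3; the domain, priority
# and date assigned to each topic are assumptions for illustration, not the article's data.
SAMPLE_MATRIX: List[PolicyEntry] = [
    PolicyEntry("Software and System Classification", "Organization of Information Security", "High", date(2005, 2, 5)),
    PolicyEntry("Designated Security Administrator", "Organization of Information Security", "Medium", date(2005, 2, 5)),
    PolicyEntry("Asset Inventory", "Asset Management", "High", date(2006, 5, 30)),
    PolicyEntry("Information Ownership", "Asset Management", "High", date(2005, 2, 5)),
    PolicyEntry("Data Classification and Declassification", "Asset Management", "High", date(2006, 5, 30)),
    PolicyEntry("Naming Conventions", "Asset Management", "Low", None),
    PolicyEntry("Accountability for Confidential Information", "Human Resources Security", "Medium", date(2005, 2, 5)),
    PolicyEntry("Trade Secret Protection", "Human Resources Security", "Medium", None),
]


def coverage_gaps(entries, domains=FRAMEWORK_DOMAINS):
    """Framework domains that no policy topic maps to (empty matrix rows)."""
    covered = {e.domain for e in entries}
    return [d for d in domains if d not in covered]


def unknown_domains(entries, domains=FRAMEWORK_DOMAINS):
    """Topics filed under a domain the framework does not define (a data-entry error)."""
    return sorted(e.topic for e in entries if e.domain not in domains)


def review_backlog(entries, as_of=REFERENCE_DATE, max_age_days=365):
    """Topics never issued, or not reviewed within max_age_days of as_of, ordered by
    priority (High first) and then by how long ago the last review was."""
    cutoff = as_of - timedelta(days=max_age_days)
    due = [e for e in entries if e.last_review is None or e.last_review < cutoff]

    def sort_key(e):
        # A policy that was never issued is treated as infinitely old within its priority.
        age = (as_of - e.last_review).days if e.last_review else 10**6
        return (PRIORITY_RANK[e.priority], -age)

    return [e.topic for e in sorted(due, key=sort_key)]


def render_matrix(entries, domains=FRAMEWORK_DOMAINS):
    """Plain-text view of the matrix: one row per domain, cells as 'Topic [P, date]'."""
    lines = []
    for d in domains:
        cells = [
            f"{e.topic} [{e.priority[0]}, {e.last_review.isoformat() if e.last_review else 'none'}]"
            for e in entries if e.domain == d
        ]
        lines.append(f"{d}: " + ("; ".join(cells) if cells else "<NO POLICY>"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(SAMPLE_MATRIX))
    print("Coverage gaps:", coverage_gaps(SAMPLE_MATRIX))
    print("Review backlog:", review_backlog(SAMPLE_MATRIX))
```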


Information security policy charter

The information security policy charter describes management's commitment to information security and the organization's approach for managing information security. The charter governs all information security policies in the organization. The charter document, which many organizations simply refer to as their Information Security Policy, generally contains the following elements:

Purpose
The purpose of the information security policy charter is to identify the endorsement of management for the importance of information security, to articulate information security principles and terms, to define the scope of application of information security policies, to assign responsibilities for various security functions, and to authorize the means for enforcement of information security policies.

Applicability or scope
The applicability or scope of the information security policy charter identifies the persons who are affected by the charter. This should encompass internal and external users, as well as external parties who interact with the organization's information system resources.

Roles and responsibilities
The roles typically identified are those belonging to information or data owners, the ISO, IT management, employees and non-employees. Information owners are responsible for determining who should have access to protected resources within their jurisdiction and what those access privileges should be. The ISO has responsibility for information security direction and leadership through recommendation of security policies, standards, guidelines and procedures, and investigating information security incidents. IT management are the information custodians who support the information owners' role in ensuring proper controls are implemented and applied accordingly. Employees and non-employees are accountable for their use of information assets.

Description
The description contains the substance of the organization's information security policy, including but not limited to the following:

- Management's overall objectives, motivation and goals emphasizing the importance of information security to the organization
- The operating principles for applying information security in line with the organization's mission and business strategies
- The framework for setting control objectives and controls, including the objectives of risk assessment and risk management
- An explanation of the security policies, principles, standards, and compliance requirements of particular importance to the organization, including:
  - Compliance with legislative, regulatory and contractual requirements
  - Security education and awareness training
  - Business continuity management
- Consequences of information security policy violations
- Enforcement
- Policy exceptions

References
Other documentation may be referenced in support of the charter description, such as the human resource manual. It is not uncommon for direct reference to be made to more detailed information security policies, such as those pertaining to data classification, access control, virus prevention, intrusion detection, internet security, and acceptable use.

Figure 3 Policy coverage matrix. Title: "Policy Coverage Matrix Showing Policy Development Priority and Last Policy Revision Date". Legend: High, Medium and Low policy development priority. Framework rows: Organization of Information Security; Asset Management; Human Resources Security. Columns: Policy Topics (not exhaustive); Date Issued. Topics shown: Software and System Classification, Asset Inventory, Corporate Data Dictionary, Information Ownership, Information Asset Control, Designated Security Administrator, Data Classification and Declassification, Data Classification Labeling, Naming Conventions, Labeling Non-Production Business Transactions, Accountability for Confidential Information, Trade Secret Protection. Date Issued cells carry 5-Feb-05, 30-May-06 or none.

Next month
Next month, in Part 2, we will describe the guidelines for drafting a successful information security policy and what to consider while maintaining the policy into the future.

About the Author

Mark S. Simon is an attorney in Chicago, Illinois, Director of Regulatory Compliance Consulting at Eclipsecurity, LLC, and adjunct faculty at DePaul University School of Computer Science, Telecommunications and Information Systems. At Eclipsecurity he specializes in incident response planning, privacy assessments, and regulatory compliance. At DePaul University he instructs a graduate-level course on legal aspects of information assurance, and at the undergraduate level he has taught incident response and computer forensics. He holds the Certified Public Accountant certificate and obtained his Juris Doctor and Master's in E-Commerce Technology degrees from DePaul University. He may be reached at msimon@eclipsec.com.
