ISSA | Article
Global Voice of Information Security
Microsoft recognizes the importance of information security policies and how, as business rules, they are necessary for preserving the confidentiality, integrity and availability of information. The information security policy management framework described in this article is part of Microsoft's Prescriptive Guidance and Education effort, helping management meet its fiduciary obligations in addressing information security. It is technology agnostic and draws upon many industry-accepted standards for managing security risk. It is an important example of Microsoft's commitment to delivering quality guidance to help customers secure their Information Technology (IT) infrastructures. This information incorporates real-world experience from Microsoft IT and industry standards, and includes input from Microsoft partners.
Information security depends on well-understood information security policies. A case in point is an incident involving a U.S. government data analyst who took electronic data from the agency that employed him and stored the data on his personally-owned laptop computer and external hard drive. The employee's home was burglarized and the computer equipment, along with various other items, was stolen. The electronic data stored on this computer included identifying information about millions of beneficiaries served by
- No identifiable policy prohibited employees or contractors from removing protected information from the agency work site
- No identifiable policy prohibited the use of non-agency computers to process or store protected information
- No identifiable policy required safeguards such as password protection or encryption when protected information was stored on portable storage media or non-agency computers
Had the agency instituted a clear policy on the use and protection of beneficiary data, and had it implemented controls to address the objectives stated in that policy, the data loss incident would have been less likely to occur. Operating within an established information security policy management framework reflects management's exercise of its fiduciary duty to safeguard sensitive and confidential information.
Compliance Requirement
A standard is a detailed form of a policy statement. A standard reflects technical considerations, need not be issued by the same level of management as the policy it supports, and exists to give meaningful application to a policy. As newer technologies become available or emerging threats are identified, a standard may change, while the organizational objective expressed in the policy remains the same. Multiple standards may relate to the same policy, with each standard targeted at a different group. For example, a stringent standard for password selection may apply to network administrators who have access to critical system functionality. In contrast, customers with access only to an extranet system, and with limited privileges assigned solely to create, modify or delete data, could be made subject to a substantially lesser standard for their password selection.
Advantages of separating policy from an implementing standard are identifiable in the
[Figure: policy hierarchy. Policy 1 is implemented by Standard 1.A and Standard 1.B; Standard 1.A is implemented by Procedure 1.A-1 and Procedure 1.A-2; Standard 1.B is supported by Guideline 1.B-1.]
Management support
Information security policy development efforts require the support of senior management; without it, they are unlikely to yield effective policy implementation. Therefore, the policy development effort should begin by laying the foundation for obtaining senior management's commitment of resources and approval for establishing information security policies. Support can be garnered by presenting information on information security risks, regulatory and other legal compliance mandates, the information security incident histories of the organization and of others in the industry, and the importance of an information security policy to consistent and reliable information protection.
free tool is designed to help organizations assess the weaknesses in their IT environment. Sources of information about organizational information security culture and needs include the following:
- Existing information security policies
- Lawsuits, employee grievances and other disputes involving data or privacy breaches
- Cyber-insurance and network insurance policies
Purpose
The purpose of the information security policy charter is to record management's endorsement of the importance of information security, to articulate information security principles and terms, to define the scope of application of information security policies, to assign responsibilities for the various security functions, and to authorize the means of enforcing information security policies.
Applicability or scope
The applicability or scope section of the information security policy charter identifies the persons who are affected by the charter. This should encompass internal and external users, as well as external parties who interact with the organization's information system resources.
Description
The description contains the substance of the organization's information security policy, including but not limited to the following:
- Management's overall objectives, motivation and goals, emphasizing the importance of information security to the organization
- The operating principles for applying information security in line with the organization's mission and business strategies
- The framework for setting control objectives and controls, including the objectives of risk assessment and risk management
[Table (flattened in extraction): policy inventory with columns Organization of Information Security, Asset Management, Human Resources Security and Date Issued. Recoverable entries include Asset Inventory (5-Feb-05) and Naming Conventions (30-May-06); the remaining rows are dated 5-Feb-05 or 30-May-06, with several cells marked "none".]
Policy exceptions
References
Other documentation may be referenced in support of the charter description, such as the human resources manual. It is not uncommon for direct reference to be made to more detailed information security policies, such as those pertaining to data classification, access control, virus prevention, intrusion detection, Internet security and acceptable use.
Next month
Next month, in Part 2, we will describe the guidelines for drafting a successful information security policy and what to consider while maintaining the policy into the future.