Information Security Policies

4.10.3 Application-Specific (Tier 3) Policy

Global-level (Tier 1) and topic-specific (Tier 2) policies address policy on a broad level (see Figure 4.6); they usually encompass the entire enterprise. The application-specific (Tier 3) policy focuses on one specific system or application. As the construction of an organization's information security architecture takes shape, the final element will be the translation of Tier 1 and Tier 2 policies down to the application and system level.

Many security issue decisions apply only at the application or system level. Some examples of these issues include:

Who has the authority to read or modify data?

Under what circumstances can data be read or modified?

How will remote access be controlled?

To develop a comprehensive set of Tier 3 policies, use a process that determines security requirements from a business or mission objective. Try to avoid implementing requirements based on security issues and concerns. Remember that the security staff has been empowered to support the business process of the organization. Typically, the Tier 3 policy is more free form than Tier 1 and Tier 2 policies. As you prepare to create Tier 3 policies, keep in mind the following concepts:

Understand the overall business objectives or mission of the enterprise.

Understand the mission of the application or system.

Establish requirements that support both sets of objectives.

Typical Tier 3 policies may be as brief as the sample shown in Table 4.13. This Tier 3 policy is brief and to the point. It establishes what is required, who is responsible, and where to go for additional information and help.

We can use the policy in Table 4.14 to point out a few items that typically make for bad reading in a policy. When writing, try to avoid making words stand out. This is particularly true of words that cause people to react negatively. In this policy the writer likes to use uppercase words for emphasis: “MUST,” “LATE TIMECARDS,” “YOU MUST BE ACCURATE.” I find that when words appear like this, the writer was in an agitated state and was taking out his or her personal frustrations on the policy. While what was said in this policy was fairly good, the tone was very negative. The person who wrote this policy probably has a sign posted in his or her work area that reads “Poor planning on your part does not make it a crisis on my part.”

FIGURE 4.6 Tiers 1, 2, and 3 (figure: Tier 1, Information Security; Tier 2, Personnel Security; Tier 3, Job Descriptions, User Training, Security Incidents)

When I do network vulnerability assessments for companies, I like to do a physical walk-through of the work area. I am on the lookout for what I call the “Dilbert factor.” This comic strip has given us many a great laugh because we realize that it is our working environment that Scott Adams is identifying. However, be on the lookout for areas that have a high number of Dilbert cartoons posted. This is usually an area of employees who are unhappy with someone or something in the work area. These are the people who might write a policy like the one in Table 4.14.

The policy in Table 4.14 was written in a condescending manner and gives the impression that these highly skilled contractors are dummies. Write in a positive tone and instruct the reader as to what is expected. It is important to identify the consequences of noncompliance, but channel that into a specific subsection that identifies “Noncompliance.”

4.11 Summary

In this chapter we discussed that the policy is the cornerstone of an organization’s information security architecture, and that a policy is important to establish, both internally and externally, what an organization’s position on a particular topic is. We defined what a policy, standard, procedure, and guideline is and what should be included in each of these documents or statements.

There are three types of policies, and you will use each type at different times in your information security program and throughout the organization to support the business process or mission. The three types of policies are:

TABLE 4.13 Sample Application-Specific Policy

Accounts Payable Policy

Accounts payable checks are issued on Friday only. This will promote efficiency in the accounts payable function. To ensure your check is available, please have your check request or invoice to the Financial Affairs office by close of business on Monday.

For access to the online portion of the Accounts Payable System (APS), please contact the APS System Administrator.

The APS Customer Help Desk is available to answer any additional questions.

We appreciate your cooperation.

1. Global (Tier 1) policies are used to create the organization’s overall vision and direction.

2. Topic-specific (Tier 2) policies address particular subjects of concern. (We discuss the information security architecture and each category such as the one shown in Table 4.15.)

TABLE 4.14 Sample Timecard Policy and Instructions

Timecard Policy and Instructions

An original timecard/sheet MUST be turned in before your hours can be processed. Hours MUST be turned in before 10:00 am on Monday to have your paycheck/direct deposit slip available on Thursday. If your timecard is turned in after noon on Wednesday, you will be paid the following week. We can NOT guarantee paycheck availability for LATE TIMECARDS.

The timecard is our invoice; YOU MUST BE ACCURATE!

As with most BOX Group clients, you must work 40 straight time hours in a week before you can get overtime pay. All hours should be listed in the regular hours column until you reach 40. After you have worked 40, all hours should go in the overtime column. Overtime (premium) rates are based upon the terms of BOX Group’s purchase order and any applicable tax codes. Because of this, policy may vary from company to company or, depending upon your position, pay rate, etc. Specific overtime rates will be discussed and agreed upon prior to starting your assignment. If you have any questions regarding overtime, contact your branch office.

When you do not work a full 40 hours straight time during the week, Saturday’s hours must go toward straight time until you reach the necessary 40 hours.

ONLY write on the timecard the hours you actually work.

When you have a week in which a holiday occurs, you should leave the space blank instead of hours in the regular hours column. The hours for a holiday are not counted toward your total hours worked for that week. If no overtime hours were worked this week, your timecard total would be 32 hours. During a week that a holiday occurs, most BOX Group clients pay overtime over 32 hours in that week.

If you miss a day of work, hours should not be entered for that day.

Copies of timecard (client timecard copies differ):

Yellow/White Copies: Payroll/Invoice copies. Return to BOX Group.

Pink Copy: Branch copy. Return to BOX Group.

Blue Copy: Customer copy. Company you are working for/Supervisor.

Goldenrod Copy: Employee copy. Keep your copy.

IMPORTANT! Please note that your check will not be generated without the original timecard.

3. Application-specific policies focus on decisions taken by management to control particular applications (financial reporting, payroll, etc.) or systems (budgeting system).

TABLE 4.15 Sample Information Security Policy

Information Security Policy

Policy Statement

Information is a company asset and is the property of the Company. Company information must be protected according to its value, sensitivity, and criticality, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods used to distribute it.

Responsibilities

1. Company officers and senior management are required to make sure that internal controls are adequate to safeguard company assets — including company information.

2. Company line managers are responsible for making sure that all employees are aware of and comply with this information security policy, its supporting policies and standards, and all applicable laws and regulations.

3. All employees, regardless of their status (permanent, part-time, contract, etc.), are responsible for protecting information from unauthorized access, modification, disclosure, and destruction.

Scope

1. Company information includes information that is electronically generated and information that is printed, typed, filmed, or verbally communicated.

Compliance

1. Company management is responsible for monitoring compliance with this information security policy, its supporting policies and standards, and all applicable laws and regulations.

2. Employees, regardless of their status (permanent, part-time, contract, etc.), who fail to comply with this information security policy, its supporting policies and standards, or any applicable law or regulation will be considered in violation of their terms of employment and will be subject to appropriate corrective action.

Chapter 5

Asset Classification