Information Security Policy Details
Step 3: Use the Completed 9-Cell to Brainstorm Compensating Controls A completed 9-Cell contains multiple security controls that should be
4.4 Policy Document Examples
In general, information security policies should be developed for a specific organization based on its own mission, set of environmental threats, regulation environment, and company culture. Much of the text in this book discusses how to incorporate these aspects into the development or revision of a custom or tailored set of information security policies for a given organization. However, in an effort to provide a concrete example and demonstrate many of the elements discussed in this book, a set of example policies is provided in Appendix A.
It may be useful to the reader to understand the background of these example policies. These example policies are based on the policies created for the State of Arizona Department of Administration. The Arizona Department of Administration is responsible for providing information security policies for all the departments within the state.* The set of security policies provided here are the result of the security and privacy project for the Arizona Department of Administration.
The framework chosen for the project was the National Institute of Standards and Technology’s Special Publication 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations).† Using the Federal Information Security Management Act (FISMA) (e.g., NIST 800-53 controls) as the framework for the policy set, several information security regulations and standards were also selected for inclusion in the initial policy set. These regulations and standards included the PCI DSS, the Security Rule of the HIPAA, and Tax Information Security Guidelines for Federal, State, and Local Agencies (Publication 1075).
Within each of these policies are several references or indicators that make the policy statements more useful and easy to apply.
Protected system requirement indicator (P). Each system in the state is determined to be a “standard” system or a “protected” system.
Simply put, if the system stores, processes, or transmits sensitive information, then it is a protected system. All other information systems are standard. Requirements within the policy set that apply only to protected information systems are indicated with a “(P)” at the beginning of the requirement.
Source reference. Each of the policy requirements contains a source reference at the end of the requirement to indicate the source of the requirement. Many requirements have multiple sources as the security requirement is contained in multiple regulations and standards.
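The two indicators above make a policy set machine-checkable as well as readable. The following is an added example, not code from the book or from the Arizona policy set: it parses requirement lines written in the style the text describes (an optional "(P)" prefix for protected-system-only requirements and bracketed source references at the end), filters the requirements that apply to a given system classification, and traces which requirements are driven by a given regulation. The requirement wording, numbering, and source citations in the sample are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample requirements (not quoted from any real policy). Format
# assumed: "<number> [(P)] <requirement text> [<source>] [<source>] ..."
SAMPLE_POLICY_TEXT = """\
4.1 The department shall maintain an inventory of information system components. [NIST 800-53 CM-8]
4.2 (P) The department shall encrypt sensitive information at rest. [NIST 800-53 SC-28] [PCI DSS 3.4]
4.3 The department shall review audit logs at least weekly. [NIST 800-53 AU-6] [HIPAA 164.308(a)(1)(ii)(D)]
4.4 (P) The department shall enforce multifactor authentication for remote access. [NIST 800-53 IA-2] [IRS Pub 1075]
"""


@dataclass
class Requirement:
    number: str
    text: str
    protected_only: bool          # True when the line carried the "(P)" indicator
    sources: list = field(default_factory=list)


REQ_RE = re.compile(r"^(?P<num>\d+\.\d+)\s+(?P<body>.*)$")
SOURCE_RE = re.compile(r"\[([^\]]+)\]")   # one bracketed source reference


def parse_requirements(policy_text):
    """Parse requirement lines into Requirement records; non-matching lines are skipped."""
    reqs = []
    for line in policy_text.splitlines():
        line = line.strip()
        m = REQ_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        protected = False
        if body.startswith("(P)"):            # protected-system requirement indicator
            protected = True
            body = body[3:].strip()
        sources = SOURCE_RE.findall(body)     # all trailing source references
        text = SOURCE_RE.sub("", body).strip()
        reqs.append(Requirement(m.group("num"), text, protected, sources))
    return reqs


def applicable_requirements(reqs, system_is_protected):
    """Standard systems must meet only unmarked requirements; protected systems meet all."""
    return [r for r in reqs if system_is_protected or not r.protected_only]


def requirements_by_source(reqs, source_prefix):
    """Requirement numbers whose sources include a reference starting with source_prefix."""
    return [r.number for r in reqs
            if any(s.startswith(source_prefix) for s in r.sources)]


if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_POLICY_TEXT)
    for r in applicable_requirements(reqs, system_is_protected=False):
        print("standard system:", r.number, r.text)
    print("PCI DSS-driven requirements:", requirements_by_source(reqs, "PCI DSS"))
```

Because the source references are kept per requirement, the same parse answers the question an auditor asks most often: if one regulation is dropped or added to the policy set, which requirement statements are affected.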
The example policy set contains 17 policies based on the FISMA framework. The policies are grouped into security management policies, security technical policies, security operational policies, and privacy policies, as illustrated in Table 4.3. For the purpose of clarity and brevity, the front matter and back matter, except for the policy purpose and scope, have been omitted from these examples.
* In the state of Arizona, not all state organizations are called departments. They are called budget units, which refers to departments, bureaus, and commissions.
† The original security and privacy policy project selected NIST 800-53 Rev 3. Three months into the project, NIST released Rev 4 and the project was revised to baseline the policy set on the new revision.
Table 4.3 Example Information Security Policy Set

POLICY#   DOCUMENT NAME

SECURITY MANAGEMENT POLICIES
P8110     Data classification
P8120     Information security program
P8130     System security acquisition

SECURITY TECHNICAL POLICIES
P8310     Account management
P8320     Access control
P8330     System security audit
P8340     Identification and authentication
P8350     System and communication protections

SECURITY OPERATIONAL POLICIES
P8210     Security awareness training
P8220     System security maintenance
P8230     Contingency planning
P8240     Incident response planning
P8250     Media protection
P8260     Physical security protection
P8270     Personnel security protection
P8280     Acceptable use

PRIVACY POLICIES
P8410     System privacy

Note: The information security policy example set consists of 17 information security and privacy policies based on the NIST 800-53 framework. These policies are grouped into security management policies, security technical policies, security operational policies, and security privacy policies.
EXERCISES
1. Using your own organization’s information security policies (or a set given to you by your instructor), identify 10 uses of the terms shall, will, should, or must.
a. Do you believe this is the appropriate and intended use of these terms?
b. In what cases may the use of the term lead to confusion?
c. If applicable, how would you rewrite each of these statements using the correct term?
2. Using your own organization or a fictitious company, create a roles and responsibilities matrix to differentiate the responsibility of the CIO, CISO, information security manager, and security administrator with respect to the following security controls:
a. Development, review, revision, maintenance, and dissemination of information security policies.
b. Performance of vulnerability scanning, creation and review of the scan report, and approval of a “clean” scan.
c. Performance, oversight, and approval of an annual security risk assessment.
d. Information security incident investigation.
3. Section 4.2.2 describes the information security policy exception process.
a. What are the three exception types described?
b. Give at least two reasons why it is important to document information security policy exceptions.
c. Who should grant these exceptions?
4. This chapter introduces the concept of the “9-Cell” as a means to brainstorm compensating controls. Consider the following example information systems that require a compensating control-based exception and complete a 9-Cell to brainstorm potential compensating controls. Then write a compensating controls-based exception to the policy statement and exception pairs below:
a. Policy statement. The department shall ensure the information system enforces password-based authentication with a minimum strength of eight characters and one number or special character.
Exception: Specialized equipment has no capability of passwords beyond a four-digit PIN, contrary to the password policy statement above.
b. Policy statement. Scan for vulnerabilities in the organization information system and hosted applications quarterly from internal and external interfaces.
Exception: Production system is deemed critical and delicate in that the risk of vulnerability scans causing an error or disruption has been deemed too risky.