
Information Security Policies

4.10 Policy Format

4.10.1 Global (Tier 1) Policy

4.10.1.5 Sample Information Security Global Policies

The next few pages examine sample information security policies and critique them. The written policy should clear up confusion, not generate new problems. When preparing a document for a specific audience, remember that the writer will not have the opportunity to sit down with each reader and explain what each item or sentence means. The writer will not be able to tell every person how the policy will impact the reader’s daily assignments. When writing a policy, know the audience. For a global (Tier 1) policy, the audience is the employee base.

Using the general employee population as a base, let us examine a few policies (see Table 4.4, Table 4.5, Table 4.6, and Table 4.7), and see if they have the four key elements we should be looking for. We will want to see if these policies have:

1. Topic (including a topic and a “hook”)

2. Scope (whether it broadens or narrows the topic or the audience or both)

3. Responsibilities (based on job titles)

4. Compliance or consequences

Table 4.4 (Example 1) addresses the checklist as follows:

1. Topic: “Information is a valuable corporate asset …. As such, steps will be taken to protect information…”

2. Responsibilities: “The protection of these assets is a basic management responsibility.”

3. Scope: “Ensuring that all employees understand their obligation to protect these assets.”

4. Compliance: “Noting variance from established security practice and for initiating corrective action.”

This policy is a good start. However, the topic is vague and that is not acceptable. The most important goal of any writing is to quickly identify the topic. Without the title, we have only a vague idea of where the document is leading us.

When the policy establishes responsibilities, it will work best if you use an active verb. In this example, the writer diminishes the verb and makes it passive by adding the gerund “ing” to the verbs “identify,” “ensure,” and “note.” Try to avoid the passive tense whenever possible.

When identifying levels of management, most organizations have established a scheme for how differing levels are referred to in print. Normally, Management with an uppercase M refers to senior management and lowercase management refers to line management or supervision.

In the policy in Table 4.4, the writer referred to the “employing officer.” For many enterprises, an officer is the most senior level of management. Officers may rank up there with the board of directors. The Chief Executive Officer, Chief Financial Officer, etc. are examples of this management level. It is pretty safe to assume that the writer did not intend for such a high-ranking individual to be involved in this policy.

Table 4.5 (Example 2) addresses the checklist as follows:

1. Topic. The policy statement establishes that “company information… that would violate company commitments… or compromise…competitive stance…” must be protected.

2. Responsibilities. The policy does establish “Employee responsibilities;” however, if there is to be a reference to another document, there are two standards and one guideline that must be followed:

The referenced document must exist.

The reader must be able to easily access the referenced document.

Referencing other documents should be used judiciously.

TABLE 4.4 A Utility Company’s Information Security Policy: Example 1

Information Security Policy

Information is a valuable corporate asset. Business continuity is heavily dependent upon the integrity and continued availability of certain critical information and the means by which that information is gathered, stored, processed, communicated, and reported. As such, steps will be taken to protect information assets from unauthorized use, modification, disclosure, or destruction, whether accidental or intentional. The protection of these assets is a basic management responsibility. Employing officers are responsible for:

Identifying and protecting computer-related information assets within their assigned area of management control

Ensuring that these assets are used for management-approved purposes only

Ensuring that all employees understand their obligation to protect these assets

Implementing security practices and procedures that are consistent with the Company Information Asset Security Manual and the value of the asset

Noting variance from established security practice and for initiating corrective action

3. Scope. Here, the policy makes a mistake in the first section; the policy actually narrows the scope of the material to be protected by stating that “company information…that would violate company commitments…or compromise…competitive stance…..” This statement in fact narrows the overall policy direction to only that information which meets this specific criterion.

4. Compliance. Straight out: you violate, you pay the penalty. This may be a bit harsh. Remember that part of policy implementation is acceptance. A better way to state this consequence might be, “Employees found to be in violation of this policy will be subject to the measures described in the Employee Discipline Policy.”

Although the policy in Table 4.5 does meet one of the main requirements of a policy — that it be brief — it appears to be too brief. Some very important elements are omitted, especially what role management will play in this policy and how compliance will be monitored. The policy also seems to exclude information about personnel.

The opening sentence discusses the “policy” of the company. The document was drafted as a policy statement, so it is not necessary to add the term “policy” to the text. Let the words establish what the policy is.

Now let us review the policy statement we used as an example earlier in this chapter (see Table 4.6).

For this critique, we examine the policy (Table 4.6) sentence by sentence. Each sentence is numbered, based on where it appears in the policy statement.

1. “Business information is an essential asset of the Company.”

This starts out as a topic sentence but it leaves out the hook.

TABLE 4.5 A Power Company’s Information Security Policy: Example 2

Information Security

Policy Statement

It is the policy of the Power and Light Company to protect all company information from disclosures that would violate company commitments to others or would compromise the competitive stance of the company.

Employee Responsibilities

Employee responsibilities are defined in Company Procedure AUT 15. Violations of these responsibilities are subject to appropriate disciplinary action up to and including discharge, legal action, or having the matter referred to law enforcement agencies.

2. “This is true of all business information within the Company, regardless of how it is created, distributed, or stored and whether it is typed, handwritten, printed, filmed, computer-generated, or spoken.”

This is scope; it addresses all the various types of information that could be included.

3. “All employees are responsible for protecting corporate information from unauthorized access, modification, duplication, destruction, or disclosure, whether accidental or intentional.”

Here, finally is the hook. It also has scope in that it includes all employees.

4. “This responsibility is essential to Company business.”

This is probably additional scope but appears to be part of an explanation. When developing a policy, it is not necessary to include why the policy was created. Explaining the why will be handled in the policy awareness program.

5. “When information is not well protected, the Company can be harmed in various ways, such as significant loss to market share and a damaged reputation.”

TABLE 4.6 A Healthcare Provider’s Information Security Policy: Example 3

Information Security Policy

Business information is an essential asset of the Company. This is true of all business information within the Company, regardless of how it is created, distributed, or stored and whether it is typed, handwritten, printed, filmed, computer-generated, or spoken.

All employees are responsible for protecting corporate information from unauthorized access, modification, duplication, destruction, or disclosure, whether accidental or intentional. This responsibility is essential to Company business. When information is not well protected, the Company can be harmed in various ways, such as significant loss to market share and a damaged reputation.

Details of each employee’s responsibilities for protecting Company information are documented in the Information Protection Policies and Standards Manual. Management is responsible for ensuring that all employees understand and adhere to these policies and standards. Management is also responsible for noting variances from established security practices and for initiating corrective actions.

Internal auditors will perform periodic reviews to ensure ongoing compliance with the Company information protection policy. Violations of this policy will be addressed as prescribed in the Human Resource Policy Guide for Management.

This is definitely why the policy is important. To be clear on this point, the policy needs to be as clear and concise as possible. Try to avoid adding why the policy was created. After the policy has been around for a few years and becomes part of the culture of the organization, it will seem superfluous to have these words in the policy.

6. “Details of each employee’s responsibilities for protecting Company information are documented in the Information Protection Policies and Standards Manual.”

Remember our two standards and one guideline about referencing other works: (1) the document has to exist; (2) it has to be easily accessible to the reader; and (3) use this tactic infrequently. Note in sentence 6 that the author changes information type from “business” information to “company” information. This could add confusion for the reader. Strive to be consistent throughout the policy.

7. “Management is responsible for ensuring that all employees understand and adhere to these policies and standards.”

Here, the sentence begins with “Management.” Is the uppercase “M” for the beginning of the sentence or is it to identify a level of management? When writing a sentence like this, it is better to start with an adjective such as “Company Management.” This will reduce the confusion for the reader.

8. “Management is also responsible for noting variances from established security practices and for initiating corrective actions.”

The same critique as sentence 7. This is a reference to responsibilities and also what to do if a business unit is found to be in a noncompliant condition.

9. “Internal auditors will perform periodic reviews to ensure ongoing compliance with the Company information protection policy.”

This sentence causes great concern. This is what auditors do, so it is not necessary to include a statement such as this in the policy. Additionally, if this sentence remains, then the policy requires that only internal auditors can conduct reviews of this policy. Remember, when writing anything, to be very careful with what you say. The words will be interpreted by each reader in the manner that best meets their needs.

10. “Violations of this policy will be addressed as prescribed in the Human Resource Policy Guide for Management.”

As discussed in the review of sentence 7, the rules on other documents apply. This is the final compliance issue as it addresses what occurs when employees are in a noncompliant condition.

We now examine one last sample policy (see Table 4.7). This one appears to have all the elements. I recommend that when you critique something, you read it through completely. Then go back and dissect it sentence by sentence. Look for our four key elements: (1) topic, (2) scope, (3) responsibilities, and (4) compliance.

The opening paragraph is captioned “policy”; this should give us the information we need. It does contain some of the topic sentence we discussed earlier. It has half the requirements we would like to see; it lacks the “hook.” The second sentence contains the scope.

Under “Responsibilities” we find the “hook” in the first item. Item numbers two, three, and four seem to be elements that we would normally find in an Asset Classification policy. When I talked to the people who developed this policy, I was told that the company had gone through a paper-reduction process during the past couple of years and had streamlined its operating documents quite a bit. The new philosophy was that no new policies would be created. After about a year of campaigning and audit comments, the management approval team authorized one new policy. The team took advantage and combined the Information Security Policy and the Asset Classification Policy into the Information Protection Policy. What they did was correct based on the current climate of their organization.

The final section (Compliance) discusses the compliance issues and includes some interesting requirements that management must implement to be compliant with this policy. The Information Protection Group developed a set of policies, standards, and guidelines that could be used by the various departments as a template for their own supporting documents. A sample of this type of document is included in the book under the section “Information Security Reference Guide.”