Existence of Security Policy to Install/Update Equipment/Software
Security Policy Overview, Objectives
Security policy refers to “a written document in an organization outlining how to protect the organization from threats, including computer security threats, and how to handle situations when they do occur" [88]. To determine potential threats, an organization needs to keep an updated list of all its assets and define how each could be linked to malicious activity. After identifying assets and threats, the next step in the security policy is to describe the measures that protect systems and/or avoid exposure to those threats [19, 88]. In general, a security policy may cover different aspects of the organization, such as software, network, equipment and the physical building, as well as potential malicious activity coming from organization members (with privileged information or access to physical systems) or from people outside the company environment, such as hackers, competitors, activists, etc. [89].
Following such an analysis, security policies should also state the likelihood that these threats materialize. A security policy therefore needs to satisfy several requirements. More specifically, it should:
- Appropriately protect the confidentiality and integrity of people and information assets.
- Set the rules for expected behavior by employees, customers and other users, system administrators, management, and security personnel.
- Provide adequate authorization that enables security personnel and network administrators to monitor, probe, and investigate incidents.
- Define and authorize the actions that follow from a violation.
- Define the organizational consensus baseline stance on security and help make staff aware of the views of the organization and senior management.
- Aid in creating an environment that minimizes risk, and aid in remaining compliant with the regulations and legislation that apply to the organization [89].
In addition, because of the policy’s impact on future decisions, it is important that the policy reflects the company’s existing environment, goals, and personnel, so that it acts as an enabler rather than an impediment [89].
Security Policy & General Good Practices for New Software Installation
Installation of new software (i.e., operating systems, office applications, financial applications, application development tools, etc.) is a basic task in all companies around the world. However, if this task is not sufficiently controlled, it can lead to security risks and legal issues for the company. For instance, the company may incur additional costs for unwanted software/equipment. In addition, installation of nonapproved software can increase the number of critical security vulnerabilities added to a system, since it allows malware such as rootkits and Trojan horses to be installed without the user's knowledge [90]. Thus, it is crucial for companies to set up a security policy that addresses all security issues relevant to new software installation and deployment on a computer system. In this context, the following good practices, derived from ISO 27001 control A.12.6.2 [90], have been proposed for inclusion in a typical security policy regarding new software installation and deployment:
- Employees are not allowed to download software from the Internet or bring software from home without authorization. This helps prevent the use of nonapproved software by employees and limits the number of vulnerabilities on the network.
- When an employee identifies the need for a specific software application, a request needs to be transmitted to the IT department. This request can be stored by the IT department as a record or as evidence.
- The IT department shall determine whether the organization holds a license for the requested software, in order to ensure legal use of the software and guarantee that it is always patched and up to date.
- If there is a license, the IT department notifies the employee and proceeds to install the software on the computer of the user who requested it.
- If there is no license, a responsible party must assess whether the requested software is necessary for the performance of the employee's duties. When the software costs money, the financial feasibility of the purchase must also be analyzed as part of the evaluation.
- If the software costs money, an analysis should be made as to whether there is another similar tool on the market that is cheaper or even free (the Total Cost of Ownership must be calculated). In this context, top management should participate in the decision on the acquisition of new software.
- Once the decision has been made, the IT department will include the software in its inventory and proceed to install it [90].