Information Security Policy and Standards
The Information Security Policy is the core statement from the business owners and management that conveys the intent and direction of the organization. It sets the tone for how information security will align with and be absorbed into the business. Information security policies and standards form the cornerstone of any effective Information Security Management System (ISMS) implementation in a corporate organization, yet they are also one of the most overlooked areas in many organizations.
Organizations often believe that writing information security policies and standards is a cut-and-paste job that can be handed to an information security intern armed with Google. This chapter explains the challenges in writing effective policies and how organizations should tackle the subject.
In the course of our work we come across various terms and definitions that leave us wondering what they actually mean. Can they be used interchangeably? Is a policy the same as a standard? Is a policy a framework?
This section unravels what these different terms mean and how they relate to each other. For simplicity, it uses the British Dictionary and Wikipedia to arrive at a working definition of each term.
Legislation (law)
British Dictionary: A law or a set of laws.
Wikipedia: Legislation (or "statutory law") is a law that has been promulgated (or "enacted") by a legislature or other governing body, or the process of making it.

Regulation
British Dictionary: An official rule that controls how something is done.
Wikipedia: In government, regulation typically means the stipulations of delegated legislation, which is drafted by subject-matter experts to enforce primary legislation.

Executive order
British Dictionary: In the United States, an official instruction given by the president or by a state's governor.
Wikipedia: In the United States, an executive order is a directive issued by the president of the United States that manages operations of the federal government.

Policy
British Dictionary: A set of ideas or a plan for action followed by a business, a government, a political party, or a group of people.
Wikipedia: A policy is a deliberate system of principles to guide decisions and achieve rational outcomes. A policy is a statement of intent and is implemented as a procedure or protocol.

Standard
British Dictionary: An official rule, unit of measurement, or way of operating that is used in a particular area of manufacturing or services.
Wikipedia (cyber security standard): Techniques generally set forth in published materials that attempt to protect the cyber environment of a user or organization.
Wikipedia (technical standard): An established norm or requirement about a technical system.

Guideline
British Dictionary: Information intended to advise people on how something should be done or what something should be.
Wikipedia: A guideline is a statement by which to determine a course of action. A guideline aims to streamline particular processes according to a set routine or sound practice.

Strategy
British Dictionary: A detailed plan for achieving success in situations such as war, politics, business, industry, and so on, or the skill of planning for such situations.
Wikipedia: A high-level plan to achieve one or more goals under conditions of uncertainty (Henry Mintzberg, 1978).

Framework
British Dictionary: A system of rules, ideas, or beliefs that are used to plan or decide something.
Wikipedia: A document that lays out a set of procedures or goals, which might be used in negotiation or decision-making to guide a more detailed set of policies, or to guide ongoing maintenance of an organization's policies.

Manual
Both British Dictionary and Wikipedia: A book that gives practical instructions on how to do something or how to use something. In an organization, a policy manual generally refers to the collection of its policies.
Structure of Policy Documents
Before we discuss the policy structure, let us quickly understand the national context. To build that context, we will use a fictitious organization, S3 Inc., based in a country called Utopia, which has recently hired Mr. ISM as its Head of Information Security.
S3 Inc. operates in the financial sector and is overseen by a sector regulator.
Typically, a country has laws that affect an organization and the business it does. Some legislation is sector-specific and some general, for example a cybercrime law or an information technology law. The country may also issue national policies, standards, or guidelines in line with this legislation.
Further, the sector an organization operates in may be regulated and have its own sector-specific rules. Sectors such as telecommunications, internet services, finance, and insurance are usually regulated around the world, and their regulators may enforce specific regulations or standards on the organizations they license. Finally, if an organization is part of a conglomerate or multinational group, it may also be bound by policies and standards set at the group or parent-company level.
As Head of Information Security, Mr. ISM must take into account all the relevant legislation, policies and standards at every level before he starts drafting organization-specific policies, procedures, and guidelines, so that the internal documents are consistent with them. A practical way to do this is to keep a mapping from each external requirement to the internal policy clause or procedure that satisfies it; the mapping makes gaps visible and is usually what an auditor or regulator asks to see.
In the following sections, the concepts will be discussed from an organization's perspective, but it is important to take a step back and understand the national context.
In terms of priority and hierarchy, national legislation sits at the top, since non-compliance with a law may be a crime or punishable offence, followed by national policies and standards (where enforced). Next come sectoral regulations (non-compliance may be a punishable offence or incur fines), followed by sectoral policies and standards (where enforced). Below these come the policies and standards defined at the group, parent-company, or conglomerate level (see Figure 1.1 for a typical corporate policy structure (J. S. Op de Beeck, 2009)).
From Mr. ISM's perspective, all of these are external requirements that must be considered while drafting the organization's corporate policies and procedures, even though only the top tier is legislation in the strict sense. Within the corporate structure, the policy sits at the top, followed by procedures based on standards and best practices, and supported by guidelines and work instructions (WI).
So how does it work? The policy sets the tone at the highest level, indicates the direction the organization wants to move in, and states the objectives it wants to achieve. Once the policy is agreed, the organization aligns its business processes with it. The processes are documented through process maps (visual workflows and information flows) and procedures; the procedures specify in detail how each process works. For large or complex processes, the organization may further develop guidelines or WI to clarify how the process works at a micro level.
Let us try to understand this with our example.
Utopia has announced an update to its Information Technology Act (2010). As per the new amendments, it has identified Government, Finance, Transport, and Energy as critical sectors for the state of Utopia. Critical organizations operating within these sectors would need to have a formal Information Security Management System (ISMS) in place. The sector regulators for each of these sectors would draw up the criteria for identifying critical organizations within their sectors.
The Utopian Central Bank had issued the Utopian Financial Sector Information Security Standard in 2016. Further, in line with the new amendments to the information technology (IT) law, the Utopian Central Bank has issued a directive amending its licensing regulations that regulate the banking and non-banking financial institutions in Utopia.
The directive, among other things, states that any banking or non-banking financial institution with an annual business turnover of over 100 million Utopian Dollars for the last two consecutive years is classified as a Critical Sector Organization. All such organizations must implement an ISMS as mandated by the new Information Technology Act. In light of these changes, the management of S3 Inc. met and decided to comply with the new laws and regulations. They hired Mr. ISM as Head of Information Security and tasked him with implementing the ISMS required by them.
Mr. ISM has started work in earnest and has carried out a gap analysis within the organization. One of the first deliverables is the Information Security Policy and the policy manual for the organization.
Before writing them, Mr. ISM needs to understand the regulatory environment: the IT law, any other legislation binding on S3 Inc. and its business, any binding regulations imposed by the sector regulator as a condition of its licence, and any standards or policies from the parent or group company. Having understood the legal context, he also needs to understand the business of S3 Inc. and its objectives (vision and mission), since the policy and procedures must serve the business rather than sit alongside it.
The most important document will be the Corporate Information Security Policy (CISP), which sets the tone for the information security program within S3 Inc. and establishes its high-level objectives, program ownership, and accountabilities. Because it is management's statement of intent, it must be approved and signed off by management, not merely drafted by the security function. A policy manual will be developed to support the CISP and the program; it will contain sub-policies and procedures that define in detail the processes supporting the program. For complex or technical processes, it may help to issue additional guidelines to explain the process to the end-user, and in some cases the process may be broken down into tasks with WI issued for each.