What security issues keep major regional CIOs up at night? Apparently, a lot. “The security of business IT systems has never been as important as it is today. IT underpins virtually all the activity conducted by businesses, making them increasingly vulnerable to threats from hackers, viruses and even their own staff. Effective security can mean your business is safe from malicious activity or accidental introduction of malware. Failing to secure systems and websites and to manage employee usage of the internet exposes the company to great risk – risk of a damaged reputation, risk of system damage, loss of business and the cost of remedial work,” says Ihab Hawari, IT manager at Sahara Petrochemicals in KSA.
“Social engineering and social networking is going to be one of the biggest security issues facing organisations in 2011. There is a growing demand on these sites and employees could say or post things that may jeopardise their organisations without realising it,” says Emad Khatib, CIO of Emcredit.
Arun Tewary, IT head of Emirates Flight Catering says, “Many of the threats of this year would evolve from the threats of 2010. This includes the necessity to secure mobile phones from malware attacks, managing data leakage, vulnerabilities associated with Web 2.0 technology and cloud computing, integrating applications with vendors and partners, issues that rise due to IT infrastructure virtualisation, the possibility of sophisticated targeted attacks and regulatory compliance.”
Mohammed Alam, director of information and education technology at Effat University in KSA agrees with his peers, stating, “Malware, malicious insiders, exploited vulnerabilities, careless employees, mobile devices, social engineering and social networking are the main concerns of 2011.”
Even as the threats change face or grow stronger, IT heads are gearing up internal structures in order to combat them better, keeping in mind the specific needs and nature of their business.
“We are putting in place a strategy that will work for our environment and type of business. When it comes to security, we have to be very careful about how we share information. However, one way of combating this issue is through internal sessions and education for our staff to make them more aware of what can and cannot be said on these sites. We can’t ignore the fact that these sites also provide a great way for us to connect with our customers and our community and should be utilised as such,” says Khatib.
Tewary states, “To combat the security issues of 2011, we will be reviewing the existing security policies and amending them to mitigate the possibility of the new. We are also working to increase the security awareness among users and to encourage them to follow industry best practices. We are also looking into modifying or upgrading the IT infrastructure to manage security better and implementing data leakage preventing solutions.”
Many other regional end-users are working on the hardware front to rein in uncontrolled access, and with it security breaches.
Alam states that Effat University is planning to create an inventory of authorised and unauthorised devices, secure configuration for software on workstations, servers and network devices, such as firewalls, routers and switches, ensure application software security, control administrative privileges, establish malware defences, limit network ports, protocols and services, establish wireless device control and work to prevent data loss.
Some regional organisations, like Emcredit and Emirates Flight Catering, also have effective security policies in place in order to combat emerging security threats. Others are either in the process of setting up their own policies or are following certain established IT norms for ensuring better defences, though they might not be in a policy form.
Whatever the scenario though, organisations across the region are putting in place multiple measures in order to improve internal security.
“We do security skills assessment and provide appropriate training to fill the gap. We also train our employees by explaining the benefits of security, their responsibility in protecting data, common sense practices such as deleting suspicious e-mails, avoiding unreliable websites, having complex passwords, doing regular back-ups and locking the workstation when leaving it,” says Alam.
Hawari places a lot of stock in certificates, vendor workshops and seminars to keep his team on their toes, while Khatib encourages research and reading.
“We associate with information security consortiums, attend seminars, discuss global security issues internally, subscribe to security magazines, access information from security Web sites and other updates from vendors in the market and read local news regularly. For our employees we conduct security awareness programmes, introduce them to best practices with simple mechanisms such as screen savers and regular announcements through e-mails on basic dos and don’ts,” says Tewary.
With all these efforts in place, most regional CIOs and their security counterparts believe that they are ready, or well on the way to being ready, to face the future of the changing threat landscape.
WRITING A SECURITY POLICY – STEPS TO FOLLOW
Any information security policy is the cornerstone of an information security program (ISP). It should reflect the organisation’s objectives for security and the agreed upon management strategy for securing information.
In order to be useful in providing authority to execute an ISP, it must also be formally agreed upon by executive management. This means that, in order to compose a security policy document, an organisation has to have well-defined objectives for security and an agreed-upon management strategy for securing information. Therefore, the first step in composing a security policy is to find out how management views security. As a security policy is, by definition, a set of management mandates with respect to information security, these mandates provide the marching orders for the security professional.
A security professional whose job it is to compose security policy must therefore assume the role of sponge and scribe for executive management. A good sponge and scribe will be able to capture common themes from management interviews and prepare a positive statement about how the organisation as a whole wants its information protected. The time and effort spent to gain executive consensus on policy will pay off in the authority it lends to the policy enforcement process.
A seasoned security professional will also have advice on how to mould management’s opinions with respect to security into a comprehensive organisational strategy. Once it is clear that the security professional completely understands management’s opinions, it should be possible to introduce a security framework that is consistent with them. The framework will be the foundation of the organisation’s ISP, and thus will serve as a guide for creating an outline of the information security policy.
Often, a security industry standards document is used as the baseline framework: for example, the Information Security Forum’s Standard of Good Practice, the ISO’s security management series (27001, 27002, 27005) and the Information Systems Audit and Control Association’s Control Objectives for Information and Related Technology (COBIT). This is a reasonable approach, as it helps to ensure that the policy will be accepted as adequate.
However, these documents are inherently generic and do not state specific management objectives for security. So they must be combined with management input to produce the policy outline.
It is important that security policy always reflect actual practice. Otherwise, the moment the policy is published, the organisation is not compliant. It is better to keep policy as a very small set of mandates to which everyone agrees and can comply than to have a very far-reaching policy that few in the organisation observe.
Another reason that it is better to keep policy as a very small set of mandates to which everyone agrees is that, where people are aware that there are no exceptions to policy, they will generally be more willing to assist in getting it right up front to ensure that they will be able to comply going forward. A security professional should strive to ensure that a security policy is observed at the same level as other policies enforced within the organisation. Policy language should be crafted in such a way that guarantees complete consensus among executive management.
For example, suppose there is debate about whether users should have access to removable media such as USB storage devices. A security professional may believe that such access should never be required while a technology executive may believe that technology operations departments responsible for data manipulation must have the ability to move data around on any type of media. At the policy level, the consensus-driven approach would produce a general statement that “all access to removable media devices is approved via a process supported by an accountable executive.”
In very large organisations, details on policy compliance alternatives may differ considerably. In these cases, it may be appropriate to segregate policies by intended audience. The organisation-wide policy then becomes a global policy, including only the least common denominator of security mandates. Different sub-organisations may then publish their own policies. Such distributed policies are most effective where the audience of sub-policy documents is a well-defined subset of the organisation. In this case, the same high level of management commitment need not be sought in order to update these documents.
For example, an information technology operations policy should require only the information technology department head’s approval, as long as it is consistent with the global security policy; such a sub-policy only increases the management commitment to a consistent security strategy overall. It would presumably include such directives as “only authorised administrators should be provided access capable of implementing operating system configuration changes” and “passwords for generic IDs should be accessed only in the context of authorised change control processes.” Another type of sub-policy may involve people in different departments engaged in some unusual activity that is nevertheless subject to similar security controls, such as outsourcing information processing or encrypting email communications.
On the other hand, subject-specific policies that apply to all users should not be cause to draft new policies, but should be added as sections in the global policy. Multiple policies containing organisation-wide mandates should be discouraged, because multiple policy sources make it more difficult to accomplish a consistent level of security awareness for any given individual user. It is hard enough to establish policy-awareness programmes that reach everyone in the intended community without having to explain why multiple policy documents were created when one would do.
For example, new organisation-wide restrictions on Internet access need not be cause to create a new “Internet access” policy. Rather, an “Internet Access” section can be added to the global security policy. Another caveat for the security professional using the sub-policy approach is to make sure sub-policies do not repeat what is in the global policy, while remaining consistent with it. Repetition must be prohibited, as it would allow policy documents to get out of sync as they individually evolve. Rather, the sub-documents should refer back to the global document, and the two documents should be linked in a manner convenient for the reader.
Even while giving sub-policies due respect, wherever there is an information security directive that can be interpreted in multiple ways without jeopardising the organisation’s commitment to information security goals, a security professional should hesitate to include it in any policy. Policy should be reserved for mandates. Alternative implementation strategies can be stated as a responsibility, standard, process, procedure, or guideline. This allows for innovation and flexibility at the department level while still maintaining firm security objectives at the policy level.
This does not mean that the associated information protection goals should be removed from the Information Security Program. It just means that not all security strategy can be documented at the policy level of executive mandate. As the Information Security Program matures, the policy can be updated, but policy updates should not be necessary to gain incremental improvements in security. Additional consensus may be continuously improved using other types of Information Security Program documents.
Supplementary documents to consider are:
Roles and responsibilities — Descriptions of security responsibilities executed by departments other than the security group. For example, technology development departments may be tasked with testing for security vulnerabilities prior to deploying code and human resources departments may be tasked with keeping accurate lists of current employees and contractors.
Technology standards — Descriptions of technical configuration parameters and associated values that have been determined to ensure that management can control access to electronic information assets.
Process — Workflows demonstrating how security functions performed by different departments combine to ensure secure information-handling.
Procedures — Step-by-step instructions for untrained staff to perform routine security tasks in ways that ensure that the associated preventive, detective, and/or response mechanisms work as planned.
Guidelines — Advice on the easiest way to comply with security policy, usually written for non-technical users who have multiple options for secure information-handling processes.
WHAT AN INFORMATION SECURITY POLICY INCLUDES
This leaves the question: what is the minimum information required to be included in a security policy? It must be at least enough to communicate management aims and direction with respect to security. It should include:
Scope — should address all information, systems, facilities, programs, data, networks and all users of technology in the organisation, without exception
Information classification – should provide content-specific definitions rather than generic “confidential” or “restricted”
Management goals for secure handling of information in each classification category (e.g. legal, regulatory and contractual obligations for security may be combined and phrased as generic objectives such as “customer privacy entails no authorised cleartext access to customer data for anyone but customer representatives, and only for purposes of communicating with the customer,” “information integrity entails no write access outside accountable job functions,” and “prevent loss of assets”)
Placement of the policy in the context of other management directives and supplementary documents (e.g. it is agreed by all at executive level, and all other information-handling documents must be consistent with it)
References to supporting documents (e.g. roles and responsibilities, process, technology standards, procedures, guidelines)
Specific instruction on well-established organisation-wide security mandates (e.g. all access to any computer system requires identity verification and authentication, no sharing of individual authentication mechanisms)
Specific designation of well-established responsibilities (e.g. the technology department is the sole provider of telecommunications lines)
Consequences for non-compliance (e.g. up to and including dismissal or termination of contract)