This article provides an overview of the benefits, issues and steps involved in developing an organisational security policy.

Introduction
The first step in developing an organisational security system is to design a comprehensive security policy. A security policy is the organisation's "bible": it states which resources are protected, how they are protected (that is, the security controls in place), who administers the protection, and how the organisation should respond to attempted or actual breaches of security.

Benefits of a Security Policy
A security policy is a document that contains the following details:
· The assets to be protected
· How each asset is to be protected
· Who is responsible for protecting each asset
· How to respond to security breaches
Designing a security policy is a valuable process in itself, because it forces you to think carefully through the organisation's security issues. Identifying the assets to be protected also means evaluating the true value and priority of each asset.

Once a given asset has a value you can assign it a risk factor (the probability of a security breach multiplied by the expected loss from that breach) and use the result to work out how much money it is reasonable to allocate to protecting that asset. Spending more on controls than the expected loss they prevent is rarely justified, so this figure gives you a ceiling. You are then better placed to evaluate the costs and benefits of particular security controls.

In addition, a security policy is something you can turn to with confidence in the case of a security breach. Instead of scrambling for help in an emergency, your policy will already contain practices and procedures and the contact details of key employees and external parties (security consultants, law enforcement agencies).

A security policy should reflect the organisation's best practice and accumulated knowledge of security. It removes the need to reinvent the wheel every time a new security officer, system administrator or office manager is appointed. It also frees the organisation from reliance on third-party consultants for security guidance (although it should pick their brains while the policy is being conceived). It facilitates systematic and comprehensive day-to-day security management and clearly outlines what needs to be done in the event of a crisis.

However, it is essential that you regularly revise, update and enhance your security policy. This is especially the case when security audits, tests or incidents bring to light problems that the original policy did not address.

Issues in Developing a Security Policy
Large Organisations
In general, the larger the organisation (200 people or more) the more vulnerable it is to a breach of security. This is because there are more "security variables" - people, assets and environments - that are difficult, if not impossible, to control. Hence, the larger the organisation, the greater the need for a person whose full-time role is maintaining and administering the security system. In very large organisations (500 people or more), a security team or department is generally needed.

The security officer or manager should not be solely concerned with information technology security, although that will inevitably be a large part of the job. He or she should take a holistic approach to organisational security. An organisation is a dynamic network of processes, communication channels and resources. At any given time, weaknesses will emerge in one area that may affect or extend to some or all of the others. A broad view of the whole organisation is therefore necessary in order to watch for, and eliminate, weak links.

Those security professionals who report to the security officer may each be responsible for a specific area of security. Alternatively, different aspects of security may be kept separate from each other, with their own lines of reporting. For instance, in many organisations the system administrator is expected to administer and maintain the security of the information system, but is generally not expected to secure non-information assets or resources; site security and safety officers are appointed to look after physical security and safety respectively, and may not report to the security officer at all.

Small Organisations
Smaller organisations (fewer than 100 people) may not have a system administrator or information technology department at all. These roles may be sub-contracted to a consulting company on a regular or ad hoc basis. As organisations, and small and medium organisations in particular, become more reliant on computer technology, the need for someone to take responsibility for information system security grows. The increased use of the Internet has made this critical.

This job may fall to the Office Manager. If so, it is essential, first, that the Office Manager undergo a training course covering the essentials of organisational security. Second, he or she should be given the authority and support from senior management to carry out security responsibilities. Finally, he or she should establish a "lifeline" with a qualified security consulting firm to assist with developing or maintaining the security system, or at least with dealing with an attempted or actual security breach.

Decentralisation of Security
Whilst a person or group may be responsible for overall organisational and system security, it is critical that individuals manage, and be responsible for, the security of the specific resources or systems they use. The person who is ultimately in charge of a resource - its "owner" - should be responsible for keeping that resource safe and secure. For example, a sales representative who uses a company car should be responsible for doing everything in his or her power to prevent that car from being stolen or damaged. A marketing manager should be responsible for securing his or her information assets - marketing plans, budgets and other confidential information. Everyone in the organisation should be responsible, within his or her powers, for keeping the resources he or she uses or manages secure.

The resource owner may or may not be authorised to grant access to, and approve usage of, his or her resource. Someone must be given this responsibility. If it is not the resource owner, then it may be his or her superior, the security officer or the system administrator. In each case, access and usage rights should be clearly delineated, with corresponding rights and responsibilities. "Proper" use of a particular resource needs to be distinguished from "improper" use.

It follows that there should be a set of procedures for dealing with policy violations and security breaches, such as improper use. These also need to be administered by someone - the security officer, system administrator, personnel manager or a senior manager. Depending on the circumstances, an incident may require the involvement of one or several external parties: a security consulting firm, law enforcement agency, public relations agency, the media, neighbours, suppliers or customers. A clear set of procedures for dealing with external parties should be included in the security policy.

The policy will need to be interpreted and modified from time to time, so an individual or group should be appointed to review, interpret and revise it as needed. Finally, the policy needs to be disseminated to everyone who is subject to it - employees and relevant third parties. This may necessitate training for employees. Also, to underscore the importance of the policy and the rights and responsibilities of employees that it outlines, each employee should sign a legal document stating that he or she has read, understood and agrees to abide by the policy.

Outline of the Security Policy
Following is a suggested template for a security policy:
1. The assets/resources of the organisation to be protected.
2. The security controls applying to assets/resources (including the baseline/minimum controls for the least valuable assets) - practices, procedures, methods, tools.
3. The person or persons responsible for the security of each asset/resource.
4. An emergency response plan or contingency plan.
5. Contact details of relevant employees, security consultants, law enforcement agencies, and other third parties.

Implementing the Security Policy
Communication and Education
Everyone in the organisation needs to "buy" into the security policy for it to be effective. Achieving this is often easier if people - from the grassroots upward - have the opportunity to contribute ideas and participate in the development of the policy. In any case, you will need to educate users on their rights and responsibilities and reinforce the importance of adhering to the policy on an ongoing basis. The policy needs to be "worked" in order for it to work.

Educate Users
Users of organisation resources need to be educated about the proper and improper use of those resources. Specific procedures, such as password selection and building entrance/exit procedures, need to be carefully explained to all relevant employees.

They should understand their own rights and responsibilities in maintaining the security of the resources they use or manage, and what they should do if they suspect a security breach. Any particular security vulnerabilities that attach to their resources or their jobs should be explained.

It is very important to warn users of attempts by impostors to mislead or defraud them through "social engineering". In many security breaches, people have been the weakest link that allowed an intruder to attack an organisation. Hence, employees should be thoroughly educated about how to deal with circumstances such as the following:
· Outsiders phoning them with "urgent requests" to be put through to someone or something.
· Unknown suppliers demanding payment for a mysterious invoice.
· So-called employees from some other office in the organisation wanting access to the computer system.
· "Employees" walking into the office off the street.
· "Students" wanting information about the organisation for an "assignment".
· "Researchers" wanting information for a "survey".
In addition, staff should be aware of the consequences of failing to meet their own responsibilities or of committing a security breach themselves.

System Administrators (or Network Managers)
In many cases the system administrator will be charged with maintaining security on the network. It is therefore crucial that he or she understands and follows the procedures documented in the security policy. In most cases the system administrator will have been involved in designing the policy anyway. However, if there is a change of personnel it will be necessary to educate the newcomer so that he or she becomes well versed in managing the information system's security controls.

Conclusion
This article has explained some of the benefits, issues and steps involved in designing a security policy. Developing a comprehensive security policy is time consuming and complex, the more so the larger and more diverse (in geography, assets, systems and personnel) the organisation.

The time taken to develop such a policy may range from one week to six months. The time and difficulty will be greater if no one's full-time job is to develop the security policy. Unfortunately, time is a "killer": each day that development of the policy is prolonged is a day that the organisation is without its "bible" for managing security and responding to emergencies. It may in fact be more cost-effective for the organisation to engage full-time consultants to develop the policy, as long as people at all levels of the organisation are involved and are willing to "buy" into it.
