Information Security Policy 15 Point Checkup
Introduction
Many organizations struggle with the question: What should be in our information
security policies? While specific details will vary from organization to organization
and even within industries, there are certainly core areas or “leading practices” that
should be part of any information security policy program.
This questionnaire will allow you to assess your organization’s information security
policy program in fifteen core areas. These areas are not intended to represent a
complete list, but a compilation of topics established by leading-practices, common
security frameworks (such as ISO 17799:2005), and security-related regulatory
requirements across various industries and throughout the world. (See the
References section for a list of regulations and frameworks used to establish the core
areas.) Organizations can use this scoring system to identify gaps in their
information security policy programs.
Following the questions, the “Scoring and Analysis” section describes the various
elements, their regulatory or framework references, and the corresponding risk of
not addressing these items.
Assessment Questions
Score each question according to the following scale, where your answer best
represents the current state of your security policies.
[1-Strongly Disagree, 2–Disagree, 3–Somewhat agree, 4–Agree, 5–Strongly
agree]
1. Our organization has written information security policy documents that are
easily available to all employees. [__]
2. Our information security policies clearly define the security responsibilities of
various organizational roles (executive, management, information security,
everyone.) [__]
3. Our information security policies require annual risk assessments, including a
formal risk assessment process and management reporting of risk results.
[__]
4. Our information security policies cover data classification and ownership,
including roles of Owner, Custodian and User. [__]
5. Our information security policies contain requirements for security awareness
training. [__]
6. Our information security policies cover personnel security, including
background checks, acceptable use, and sanctions for non-compliance. [__]
7. Our security policy documents specify requirements for logical access
controls, including userid and password management for applications and
operating systems. [__]
8. Our information security policies address physical and environmental
security, including building access controls and unescorted visitors. [__]
9. Our information security policies define the protection requirements of data
during creation, storage, transit and eventual destruction. [__]
10. Our information security policies address systems acquisition and
maintenance, including accreditation of new systems, security baselines,
patch management, and change control. [__]
11. Our information security policies address privacy of both customer and
employee data, including support for customer inquiries about their data. [__]
12. Our information security policies address logging and continuous monitoring
for possible security events. [__]
13. Our information security policies cover incident reporting and response,
including collection of evidence. [__]
14. Our information security policies address the requirements for business
continuity, including development and testing of disaster plans. [__]
15. Our information security policies address compliance with legal requirements,
including auditing and periodic review of the information security program.
[__]
Reference frameworks and regulations
The common information security areas used in this assessment are gleaned from
many sources (included in the references.) The following specific frameworks are
referenced in this discussion:
ISO/IEC 17799:2005 – Code of Practice for Information Security Management [2]
This is the international standard for information security controls, representing the
consensus approach of its member bodies.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) [7]
HIPAA is a good example of an industry-specific regulation with defined information
security and data privacy controls.
Control Objectives for Information and related Technology, 4th Edition (COBIT) [1]
COBIT is a recognized standard for auditing information systems and is used by
many organizations as the baseline for assessing compliance with the corporate
governance requirements of Sarbanes-Oxley.
National Institute of Standards and Technology (NIST)
Under the Federal Information Security Management Act (FISMA), NIST is required
to establish standards for the protection of federal information systems. In the
process, NIST has created and published many publicly available guidelines for
assessing the security of information systems. In this document, we refer to NIST
SP 800-26, Security Self-Assessment Guide for Information Technology Systems. [5]
Scoring System
While the absolute score on this assessment is somewhat subjective, organizations
can use the score to measure relative improvements in their information security
policy program over time. Scoring methods and other metrics are excellent ways to
demonstrate an overall risk reduction in your organization.
Score: 15-30 Low Information Security Policy Maturity
Each element of this assessment should be addressed in your security policy
program. With fifteen questions scored 1 to 5, the lowest possible total is 15 and
the highest is 75; a score of 30 or below implies significant gaps in your program.
Score: 31-60 Average Information Security Policy Maturity
Most organizations cover some of these assessment areas quite well, while others
may be lacking or missing altogether. A score in this range reflects a program that
is mature in some topic areas, with gaps in some of the areas that perhaps have not
been a high priority for your business.
Score: 61-75 Advanced Information Security Policy Maturity
A score in this range indicates a relatively mature security policy program, with only
a few gaps. Organizations that base their security programs on ISO 17799 or other
frameworks can typically achieve this level of coverage.
Fixing the gaps
Organizations that wish to perform a more detailed analysis of their information
security policy program can perform a gap-analysis against any of the frameworks
mentioned in the references, including ISO 17799:2005 and COBIT™. Organizations
that discover policy gaps in their information security program can use any of the
following resources from Information Shield:
Information Security Policies Made Easy, Version 10 – Provides over 1300 pre-
written information security policies covering all aspects of the ISO 17799:2005
information security framework.
Information Security Roles and Responsibilities Made Easy, Version 2 – Provides pre-
written job descriptions for various organizational roles, including expert advice on
building, staffing and managing an information security organization.
The Privacy Management Toolkit, Version 1 – Contains pre-written policies, advice,
templates and important tools to help protect the privacy of customer data and stay
in compliance with international privacy regulations. Provides guidance based on
O.E.C.D. Fair Information Principles.
Scoring and Analysis
The following sections discuss the various questions, including the rationale for each
topic, the risks associated with gaps in each area, and references to information
security frameworks and legislation that covers each topic area.
1. Our organization has written information security policy documents that are
easily available to all employees. [__]
Even though it seems obvious, nearly every security standard or regulation requires
policies to be written. Written documentation is the basis for both internal and
external audits, since an auditor can only test against rules that exist on paper.
A written policy document is one of the key controls in the international standard
ISO/IEC 17799, and the HIPAA Security Rule lists written policies and procedures as
a required implementation specification.
Beyond being written, policies should follow a standard format so that they can be
managed and updated consistently. The standard format ensures that each document
carries the elements needed to manage the policy set as a whole, including a defined
“effective date” and “expiration date.” Those dates tell individuals and business
units when they became subject to the rules in a policy and when they can expect
updates.
To remain effective, information security policies must be periodically reviewed and
updated. This requirement is spelled out in several regulations (such as HIPAA) and
frameworks (ISO 17799:2005). The organization should also be able to state which
versions of a particular policy were published and in force on any given date. For
example, if an organization claims that an employee action violated company policy,
a valid question is whether that policy had been posted and was in effect on the
date in question. Policy ownership, review and approval processes that can answer
that question demonstrate management sponsorship for the policies and show that
the organization takes policy version control seriously.
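The “which version was in effect on that date” question above is easy to answer only if the policy register records effective and expiration dates per version. The following is an added example, not part of the original assessment or any Information Shield product: a minimal version register that resolves the version in force on a date, flags gaps where no version was binding, and lists current versions overdue for review. The policy name, version numbers, dates and approvers are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PolicyVersion:
    """One published version of a policy. Dates are half-open: a version is
    binding from `effective` (inclusive) up to `expires` (exclusive)."""
    policy_id: str
    version: str
    effective: date
    expires: Optional[date]   # None means the version is still current
    approved_by: str          # management sponsor who signed off
    last_reviewed: date       # most recent periodic review of this version

    def covers(self, on: date) -> bool:
        return self.effective <= on and (self.expires is None or on < self.expires)


def in_effect_on(versions: List[PolicyVersion], policy_id: str,
                 on: date) -> Optional[PolicyVersion]:
    """Return the single version of `policy_id` binding on `on`, or None if
    nothing was in force. Two overlapping versions is a register defect and
    is reported rather than silently picking one."""
    hits = [v for v in versions if v.policy_id == policy_id and v.covers(on)]
    if len(hits) > 1:
        raise ValueError(f"{policy_id}: {len(hits)} versions claim to be in force on {on}")
    return hits[0] if hits else None


def coverage_gaps(versions: List[PolicyVersion],
                  policy_id: str) -> List[Tuple[date, date]]:
    """Return [(gap_start, gap_end), ...] periods, between consecutive
    versions, during which no version of the policy was binding."""
    history = sorted((v for v in versions if v.policy_id == policy_id),
                     key=lambda v: v.effective)
    gaps = []
    for prev, cur in zip(history, history[1:]):
        if prev.expires is not None and prev.expires < cur.effective:
            gaps.append((prev.expires, cur.effective))
    return gaps


def overdue_for_review(versions: List[PolicyVersion], today: date,
                       max_age: timedelta = timedelta(days=365)) -> List[PolicyVersion]:
    """Current versions whose last review is older than `max_age`
    (an annual review cycle is assumed as the default)."""
    return [v for v in versions
            if v.expires is None and today - v.last_reviewed > max_age]


# Constructed sample register for one policy ("AUP"): version 1.0 lapsed on
# 2005-01-01 and the replacement was not posted until 2005-03-01.
SAMPLE_VERSIONS = [
    PolicyVersion("AUP", "1.0", date(2004, 1, 1), date(2005, 1, 1), "CIO", date(2004, 1, 1)),
    PolicyVersion("AUP", "1.1", date(2005, 3, 1), date(2006, 3, 1), "CIO", date(2005, 3, 1)),
    PolicyVersion("AUP", "2.0", date(2006, 3, 1), None, "CISO", date(2006, 3, 1)),
]


if __name__ == "__main__":
    for d in (date(2004, 6, 1), date(2005, 2, 15), date(2006, 3, 1)):
        v = in_effect_on(SAMPLE_VERSIONS, "AUP", d)
        print(d, "->", v.version if v else "no policy in force")
    print("gaps:", coverage_gaps(SAMPLE_VERSIONS, "AUP"))
    print("overdue on 2007-06-01:",
          [v.version for v in overdue_for_review(SAMPLE_VERSIONS, date(2007, 6, 1))])
```

The half-open date range is the design choice that matters: the day a new version takes effect, the old one is no longer binding, so a query on a boundary date returns exactly one version. An alleged violation falling inside a reported gap (here, February 2005) cannot be tied to a posted policy, which is exactly the case the paragraph above warns about.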
ISO 17799: Section 5.1.1 Information security policy document
COBIT: PO6.1 IT Policy and Control Environment
PO6.3 IT Policies Management
PO6.4 Policy Rollout
HIPAA: Policies and Procedures 164.316 (a)
(R) Implement reasonable and appropriate policies and
procedures to comply with the standards, implementation
specifications, or other requirements of this subpart…
Policies and Procedures Documentation (Maintain the policies and
procedures in written form) 164.316 (b) (Requires maintenance
of the policies in written form, including availability to employees,
periodic updates, and version history for up to six years.)
NIST: 13.1.5 Have employees received a copy of or have easy access to
agency security procedures and policies? NIST SP 800-18
12.2. Critical Element: Are there formal security and operational
procedures documented?
2. Our information security policies clearly define the security responsibilities of
various organizational roles (executive, management, information security,
everyone.) [__]
Information security policies should define not only what the organization must do,
but who is responsible for carrying out these duties. The requirement to properly
define information security roles and responsibilities is part of all leading information
security and privacy frameworks. Since all employees should be educated on the
policies that apply to them, it is very effective for organizations to label policies
based on the security role that the policies target. For example, the Internet
Acceptable Use Policy should be read and understood by all employees in the
organization. A more technically-oriented policy, such as a Firewall Policy, would
only need to be read and understood by those responsible for firewall maintenance.
ISO 17799: 6.1.1 Management commitment to information security
6.1.3 Allocation of information security responsibilities.
COBIT: PO4 Define the IT Processes, Organization and Relationships
4.5 IT Organisational Structure
4.6 Roles and Responsibilities
4.9 Data and System Ownership
HIPAA: Assigned Security Responsibility 164.308(a)(2)
“Identify the security official who is responsible for the
development and implementation of the policies and procedures
required by this subpart for the entity.”
NIST: 6.1.2 Are there documented job descriptions that accurately
reflect assigned duties and responsibilities and that segregate
duties? FISCAM SD-1.2
9.3.2 Are employees trained in their roles and responsibilities?
FISCAM SC-2.3 NIST SP 800-18
3. Our information security policies require annual risk assessments, including a
formal risk assessment process and management reporting of risk results.
[__]
Very few organizations can operate with one policy that fits every business situation.
The organization’s commitment to risk assessments should therefore be documented
within its information security policies. Performing periodic risk assessments is
critical to identifying the assets that should be protected and deciding which
information security controls should be applied. To accommodate exceptions, an
organization should have a formal policy exception process, tied directly into the
overall risk management process, in which each exception is recorded and documented
and someone in management has signed off that the added risk of the exception is
accepted. Few small organizations have a formal risk acceptance process, and even
large organizations often have ad-hoc or paper-based risk acceptance procedures that
are not well documented or maintained.
ISO 17799: Section 14.1.2 Business continuity and risk assessment
COBIT: PO9 Assess and Manage IT Risks
HIPAA: Security Management Process 164.308(a)(1)
Risk Analysis (R)
Risk Management (R)
NIST: 1.1.2 Are risk assessments performed and documented on a
regular basis or whenever the system, facilities, or other
conditions change? FISCAM SP-1 1.1.3
Has data sensitivity and integrity of the data been considered?
FISCAM SP-1
12.2.4 Are there risk assessment reports? NIST SP 800-18
• Periodic assessments of risk, including the magnitude of harm
that could result from the unauthorized access, use, disclosure,
disruption, modification, or destruction of information and
information systems that support the operations and assets of the
agency;
4. Our information security policies cover data classification and ownership,
including roles of Owner, Custodian and User. [__]
Risk analysis requires an inventory and understanding of which assets are most
valuable to the organization. For data assets, information security controls are
established based on the sensitivity classification of the data. Most organizations use
either a three-category or four-category classification scheme. It is impossible to
apply information security controls at the appropriate level without proper data
classification policies. In addition to having the policies, members of the
organization must be trained to properly identify, label and handle data according to
their organizational role. Organizations without a proper set of data classification
and related handling policies are significantly more exposed to confidential
information accidentally leaving the organization.
ISO 17799: 7.2 INFORMATION CLASSIFICATION
7.2.1 Classification guidelines
COBIT: PO2.3 Data Classification Scheme
HIPAA: Security Management Process 164.308(a)(1) – Risk Assessment
Data classification is needed to properly identify protected health
information (PHI) as defined within HIPAA.
NIST: 9.1. Critical Element: Have the most critical and sensitive
operations and their supporting computer resources been
identified?
5. Our information security policies contain requirements for security awareness
training. [__]
Evidence suggests that people are still the weakest link in security. This implies that
any information security program will be inadequate unless personnel are trained on
information security in general, and more specifically on the policies of the
organization.
Policies will not be effective unless they are read and understood by each member of
the organization. It is important for organizations to record each employee’s
acknowledgement that they have read and understood corporate policies. This is not
only critical for enforcement or sanctions, but it also documents the policy education
process. Almost all security and privacy regulations require education of employees
in corporate policy as a critical component of any security program.
ISO 17799: 8.2.2 Information security awareness, education, and training
COBIT: PO6 Communicate Management Aims and Direction
PO7.4 Personnel Training
DS7 Educate and Train Users
HIPAA: Security Awareness and Training 164.308(a)(5)
“Implement a security awareness and training program for all
members of its workforce (including management).”
NIST: Security Awareness, Training, and Education OMB Circular A-130,
III
13.1. Critical Element: Have employees received adequate
training to fulfill their security responsibilities?
13.1.2 Are employee training and professional development
documented and monitored? FISCAM SP-4.2
13.1.3 Is there mandatory annual refresher training? OMB Circular
A-130, III
6. Our information security policies cover personnel security, including
background checks, acceptable use, and sanctions for non-compliance. [__]
An effective policy program assumes that policies will not be followed perfectly. A
“sanctions” policy should include the consequences of not following the rules outlined
in corporate policies. Sanctions are required in many security and privacy
frameworks, and should be considered “best practice” for information security
policies.
ISO 17799: 8.0 Human Resources Security
8.1 Prior to Employment
8.2 During Employment
8.2.3 Disciplinary process
COBIT: PO7 Manage IT Human Resources
7.1 Personnel Recruitment and Promotion
7.6 Personnel Clearance Procedures
HIPAA: Workforce Security 164.308(a)(3)
Authorization and/or Supervision (A)
Workforce Clearance Procedure (A)
Termination Procedures (A)
Security Management Process 164.308(a)(1)
Sanction Policy (R)
NIST: 6.1.5 Are mechanisms in place for holding users responsible for
their actions? OMB Circular A-130, III FISCAM SD-2 & 3.2
7. Our security policy documents specify requirements for logical access
controls, including userid and password management for applications and
operating systems. [__]
Logical access controls are usually among the first policies that an organization
adopts. Without proper logical access control, operating systems, networks and
applications are vulnerable to a variety of attacks. Critical areas to cover include
userid creation, management and removal, and password creation and management.
Most information security standards specifically require changing the default
vendor passwords on all information technology tools and software.
By definition, logical access controls involve more human interaction than most other
security controls, requiring users to create and maintain secure passwords. They are
therefore a frequent focus of security awareness training. Information Security
Policies Made Easy, Version 10 [3] contains over fifty different logical access control
policies for operating systems, networks and applications.
ISO 17799: 11.0 Access Control.
11.2 User Access Management
11.3 User Responsibilities
11.4 Network Access Control
11.5 Operating System Access Control
COBIT: DS5.3 Identity Management
HIPAA: Technical Safeguards - Access Control 164.312(a)(1)
NIST: 15.1. Critical Element: Are users individually authenticated via
passwords, tokens, or other devices?
16.1. Critical Element: Do the logical access controls restrict users
to authorized transactions and functions?
8. Our information security policies address physical and environmental
security, including building access controls and unescorted visitors. [__]
Physical security is a fundamental part of information security. One major area is
environmental protection of critical information systems, including contingency
planning in case of physical disaster. Another is the risk of intruders, including
social-engineering approaches such as unescorted visitors, gaining physical access to
information systems or data.
ISO 17799: 9 PHYSICAL AND ENVIRONMENTAL SECURITY
9.1 SECURE AREAS
9.1.4 Protecting against external and environmental threats
9.2 EQUIPMENT SECURITY
COBIT: DS12 Manage the Physical Environment
HIPAA: Physical Safeguards: Facility Access Controls 164.310(a)(1)
Workstation Security 164.310(c)
NIST: 7.1. Critical Element: Have adequate physical security controls
been implemented that are commensurate with the risks of
physical damage or access?
9. Our information security policies define the protection requirements of data
during creation, storage, transit and eventual destruction. [__]
Information security policies should cover the protection of data throughout its
lifecycle. First, this requires proper sensitivity labeling of data, in order to define the
proper levels of protection and handling. Once created, data should be protected
both in storage and transit, including both paper and digital media transmission.
Finally, policies should define the proper aging and eventual destruction of data.
Many information security regulations require certain transaction data and other
digital records to be maintained for a period of months or years.
ISO 17799: 10.5 Data back-up
10.7 Media Handling
10.8 Exchanges of Information
COBIT: PO2.4 Integrity Management
DS5.11 Exchange of Sensitive Data
HIPAA: Physical Safeguards - Device and Media Controls 164.310(d)(1)
Technical Safeguards - Transmission Security 164.312(e)(1)
NIST: 8.2. Critical Element: Are there media controls?
10. Our information security policies address systems acquisition and
maintenance, including accreditation of new systems, security baselines,
patch management, and change control. [__]
The proper maintenance of information systems is critical to their overall security.
To properly maintain system security, information protection requirements should be
applied throughout the lifecycle of systems. Policy coverage in this area should
include security requirements of new systems and applications, maintaining
information security baselines, patch management, logging and monitoring, and
proper disposal.
Information security and information technology management frameworks are
specific about system acquisition and maintenance requirements for security.
ISO 17799: 12 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND
MAINTENANCE
COBIT: AI3 Acquire and Maintain Technology Infrastructure
AI7 Install and Accredit Solutions and Changes
HIPAA: Not Specifically Required
NIST: 10.2. Critical Element: Are all new and revised hardware and
software authorized, tested and approved before implementation?
11. Our information security policies address privacy of both customer and
employee data, including support for customer inquiries about their data. [__]
The fastest growing information crime is identity theft, including the loss of customer
data by organizations responsible for managing it. This has resulted in a number of
state, federal and international laws that require organizations to protect customer
data according to Fair Information Principles. In addition to customer data,
regulations also require organizations to protect the personal information of their
employees. Numerous recent cases have involved sanctions against companies for
monitoring employees without proper notification and policies.
These are just some of the regulations that require organizations to maintain data
privacy policies:
Gramm-Leach-Bliley Act of 1999
Health Insurance Portability and Accountability Act of 1996
EU Data Protection Directive (95/46/EC)
Personal Information Protection and Electronic Documents Act (PIPEDA)
ISO 17799: 15.1.4 Data protection and privacy of personal information
COBIT: AI1.2 Risk Analysis Report
ME3 Ensure regulatory compliance
HIPAA: Privacy Final Rule contains privacy requirements
NIST: 16.3. Critical Element: If the public accesses the system, are
there controls implemented to protect the integrity of the
application and the confidence of the public?
12. Our information security policies address logging and continuous monitoring
for possible security events. [__]
Audit logs and other system activity logs provide vital data to help monitor and
assess the effectiveness of information security programs, including system
availability and performance metrics. Application and system logs provide critical
data both for real-time detection (via intrusion detection and prevention systems)
and for later validation and forensic analysis of system events. Policies should not
only require logging, but require standards for log management, including the data
that should be logged, the retention and destruction of log data, and the protection
of log data both during collection and later storage.
Most information security regulations and frameworks specifically require logging and
continuous monitoring of information security systems.
ISO 17799: 10.10 Monitoring
10.10.1 Audit logging
10.10.2 Monitoring system use
10.10.3 Protection of log information
COBIT: ME1 Monitor and evaluate IT performance
ME1.2 Definition and Collection of Monitoring Data
HIPAA: Technical Safeguards - Audit Controls 164.312(b)
NIST: NIST SP 800-18
11.2.5 Are intrusion detection tools installed on the system?
11.2.6 Are the intrusion detection reports routinely reviewed and
suspected incidents handled accordingly?
13. Our information security policies cover incident reporting and response,
including collection of evidence. [__]
No information security program is perfect. Organizations should prepare for
incidents, including the related policies and processes for managing them. Incident
reporting, response and management should be explicitly documented within
information security policies. Explicit detail should be given to the area of forensics
and the preservation of digital evidence for possible electronic discovery.
Incident response is required by most information security and privacy laws, and is a
critical part of frameworks such as ISO 17799:2005 and COBIT™.
ISO 17799: 13.0 Information Security Incident Management
13.1.1 Reporting information security events
13.1.2 Reporting security weaknesses
13.2.3 Collection of evidence
COBIT: DS5.6 Security Incident Definition
DS8 Manage Service Desk and Incidents
DS10 Manage Problems
HIPAA: Security Incident Procedures 164.308(a)(6)
“Implement policies and procedures to address security
incidents.”
NIST: 14.1. Critical Element: Is there a capability to provide help to
users when a security incident occurs in the system?
14.1.1 Is a formal incident response capability available?
14.1.2 Is there a process for reporting incidents?
FISCAM SP-3.4 NIST SP 800-18
14. Our information security policies address the requirements for business
continuity, including development and testing of disaster plans. [__]
In the past, many organizations treated business continuity and disaster recovery as
a minor issue. This is changing rapidly, however, as organizations worldwide have
experienced large-scale physical destruction due to natural disasters, war and
terrorist-related attacks. Policy coverage for business continuity should include the
requirements for building and testing a disaster-recovery plan, the assignment of
proper roles and responsibilities for carrying out business continuity activities, and
periodic review of these plans in light of new threats. Organizations without proper
policy coverage in this area could face the risk of complete business disruption for
days, weeks or even permanently.
ISO 17799: 14.1 Information Security Aspects of Business Continuity
Management
COBIT: DS4 Ensure Continuous Service
4.1 IT Continuity Framework
4.4 Maintaining the IT Continuity Plan
4.5 Testing the IT Continuity Plan
HIPAA: Contingency Plan 164.308(a)(7)
Data Backup Plan (R)
Disaster Recovery Plan (R)
Emergency Mode Operation Plan (R)
Testing and Revision Procedure (A)
NIST: 9.2. Critical Element: Has a comprehensive contingency plan been
developed and documented?
“The information security program must include: Plans and
procedures to ensure continuity of operations for information
systems that support the operations and assets of the agency.”
15. Our information security policies address compliance with legal requirements,
including auditing and periodic review of the information security program.
[__]
A fundamental business risk to most organizations is the possibility of being sued,
fined or sanctioned by a regulating body. Few organizations are not subject to some
form of regulation, such as Sarbanes-Oxley, HIPAA, or the EU Data Protection
Directive. Many industries either require or choose to use outside auditors to help
validate their compliance efforts. Although it seems obvious, many organizations do
not formally document the requirements for auditing within their information
security policies.
Auditing should happen at several levels. First, there is a very high-level review of
the effectiveness of the information security program that should be presented to
executive management at least annually. Next, there are the audits of the
technology controls, such as firewalls and operating system settings, to determine if
they are in line with stated policy. Finally, there is auditing of the human aspects of
security, including the requirements for each person in the organization to read and
understand the information security requirements of their role in the organization.
Many organizations focus on the technical aspects of auditing because most software
products perform them automatically. However, information security regulations
make it clear that there are many more aspects to an information security program,
and all of them should be evaluated on a regular basis.
Another fundamental part of reviewing the information security function is to
examine outsourcing and third-party contracts. Outsourcing information technology
functions is now commonplace in many organizations. To create an effective
information security program, all outsourced activity, including use of third-party
service providers, should carry information security requirements. These
requirements must include not only contractual obligations, but the right to audit
significant third parties. Organizations without policy coverage in these areas are at
significant risk if their third-party providers do not have the proper security controls
in place.
ISO 17799: 15.1 COMPLIANCE WITH LEGAL REQUIREMENTS
15.1.1 Identification of applicable legislation
15.3 INFORMATION SYSTEMS AUDIT CONSIDERATIONS
6.2.1 Identification of risks related to external parties
COBIT: ME2 Monitor and evaluate internal control
ME3 Ensure regulatory compliance
DS2 Manage Third-Party Services
HIPAA: Evaluation 164.308(a)(8) “Perform a periodic technical and
nontechnical evaluation, based initially upon the standards
implemented under this rule and subsequently [..] that
establishes the extent to which an entity's security policies and
procedures meet the requirements of this subpart.”
Organizational Requirements 164.314 (R) – Business Associate
Contracts and Other Arrangements 164.308(b)(1)
NIST: 2.0 Review of Security Controls OMB Circular A-130, III FISCAM
SP-5 NIST SP 800-18
2.1. Critical Element: Have the security controls of the system
and interconnected systems been reviewed?
References
[1] Control Objectives for Information and related Technology (COBIT™), 4th Edition.
Published by ISACA, November 2005.
[2] ISO/IEC 17799:2005 – Code of practice for information security management.
Published by ISO/IEC; available from ANSI.
[3] Information Security Policies Made Easy, by Charles Cresson Wood. Published by
Information Shield, Inc., 2002-2005.
[4] Information Security Roles and Responsibilities Made Easy, by Charles Cresson
Wood. Published by Information Shield, Inc., 2002-2005.
[5] NIST Special Publication 800-26, Security Self-Assessment Guide for Information
Technology Systems, November 2001. National Institute of Standards and
Technology.
[6] Federal Information Processing Standards (FIPS) 200, Minimum Security Controls
for Federal Information Systems (December 2005).
[7] Health Insurance Portability and Accountability Act of 1996 (HIPAA): Final
Security Rule. Department of Health and Human Services; published in the Federal
Register.
[8] Information Security Forum Standard of Good Practice, Version 4.1. Published
by the Information Security Forum, January 2005.
[9] NIST Special Publication 800-37: Guide for the Security Certification and
Accreditation of Federal Information Systems (May 2004).