Cyber Unit 4

The document outlines the systematic process for developing security policies within an organization, emphasizing risk assessment, policy framework establishment, and stakeholder involvement. It details the importance of compliance with legal standards and the need for effective communication and training for employees. Additionally, it discusses various types of security policies, such as WWW and email policies, and highlights the significance of regular reviews and updates to ensure their effectiveness.

Explain the development of security policies.

Developing security policies involves a systematic approach to identifying, assessing, and mitigating risks within an
organization's information technology infrastructure. These policies serve as guidelines for employees and
stakeholders to ensure the confidentiality, integrity, and availability of data and systems. Here is a step-by-
step overview of the process:

1. Risk Assessment: Begin by conducting a comprehensive risk assessment to identify potential threats
and vulnerabilities. This involves analysing the organization's assets, such as data, hardware, software, and
network infrastructure, and assessing the potential impact and likelihood of various risks.

2. Policy Framework: Establish a framework for developing security policies. This includes defining the
scope of the policies, determining the responsible stakeholders, and outlining the goals and objectives of the
security program.

3. Policy Development: Create specific security policies that address identified risks and align with
industry best practices and legal/regulatory requirements. Common areas of focus include access control,
data classification, incident response, password management, network security, and employee training. Each
policy should clearly state its purpose, scope, responsibilities, and compliance requirements.

4. Policy Documentation: Document the security policies in a clear and concise manner. Use language
that is easily understandable by employees at all levels of the organization. Include examples and scenarios
to clarify expectations and illustrate proper implementation.

5. Stakeholder Involvement: Involve key stakeholders from various departments and levels of the
organization in the policy development process. This ensures that policies reflect the needs and concerns of
different areas, increasing buy-in and compliance.

6. Legal and Regulatory Compliance: Ensure that security policies adhere to relevant legal and
regulatory requirements specific to your industry and geographical location. Consider standards such as the
General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA),
Payment Card Industry Data Security Standard (PCI DSS), or any other applicable regulations.

7. Communication and Training: Effectively communicate the security policies to all employees,
contractors, and third-party vendors who interact with the organization's systems and data. Conduct regular
training sessions to educate personnel about the policies, procedures, and their roles in maintaining security.

8. Implementation and Enforcement: Establish mechanisms to implement and enforce the security
policies effectively. This includes defining roles and responsibilities, assigning accountability, and
implementing appropriate security controls and technologies. Regularly monitor and audit compliance to
identify areas for improvement and address policy violations.

9. Review and Update: Regularly review and update security policies to keep pace with evolving threats,
technology advancements, and changes within the organization. Conduct periodic audits to evaluate the
effectiveness of policies and procedures and make necessary adjustments.

10. Continuous Improvement: Foster a culture of continuous improvement by actively seeking feedback
from employees and stakeholders. Encourage reporting of security incidents, near-misses, and potential
vulnerabilities to enhance the security posture of the organization.
Need for an Information Security Policy

From the software professional's perspective, the overall objective of an information security policy
is to protect the integrity, confidentiality, and availability of information. That is the objective from
the security perspective; it is not, however, the organization's objective. It is known that information
is an asset and the property of an organization. As an asset, the management of an organization is
expected to ensure that the appropriate levels of controls are in place to protect this resource.

An information security policy should be part of any organization's overall asset security
policy. This policy is not defined merely to meet security needs or audit requirements; it is a
business process that provides management with the processes required to perform its
fiduciary responsibility. The management of an organization is charged with a trust to
ensure that adequate controls are in place to safeguard the assets of an enterprise. The
security policies, standards, and procedures together define a security program.

The information security professionals of an organization are responsible for implementing
security policies that reflect the business and mission requirements of the organization.

Let's now discuss the information security standards defined by ISO.

Information Security Standards - ISO


It is known that security plays an important role in safeguarding the assets of an
organization. As no single formula can guarantee 100% security, there is a requirement
for a set of standards to ensure that the appropriate level of security is achieved,
resources are utilized efficiently, and the best security practices are implemented. This
section discusses the various standards and regulations available for information security.
ISO, established in 1947, is a non-governmental international body that collaborates with
the International Electrotechnical Commission (IEC) and the International
Telecommunication Union (ITU). ISO has laid down the following security standards:

□ ISO/IEC 27002:2005 (Code of practice for information security management): Refers
to a code of practice for information security management which sets a common
basis and practical guideline for developing enterprise-level security standards and
effective management practices.

This standard specifies guidelines and best-practice recommendations for the
following eleven security control areas:

• Security policy

• Organization of information security

• Asset management

• Human resources security

• Physical and environmental security

• Communications and operations management

• Access control

• Information systems acquisition, development, and maintenance

• Information security incident management

• Business continuity management

• Compliance

□ ISO/IEC 27001:2005 (Information security management system - requirements):
Specifies the requirements for establishing, implementing, operating, monitoring,
reviewing, maintaining, and improving a documented Information Security
Management System (ISMS) within an organization. This standard allows an
organization to select adequate and proportionate security controls to secure its
information assets. This standard is applicable to all types of organizations, including
business enterprises, government agencies, etc.
This standard defines a cyclic model known as the "Plan-Do-Check-Act" (PDCA) model
with the objective of establishing, implementing, monitoring, and improving the
effectiveness of an enterprise's ISMS. The phases of the PDCA cycle are as follows:

• The Plan phase to establish the ISMS

• The Do phase to implement and operate the ISMS

• The Check phase to monitor and review the ISMS

• The Act phase to maintain and improve the ISMS

□ ISO/IEC 15408 (Evaluation criteria for IT security, also known as the Common Criteria): Consists of three parts: ISO/IEC
15408-1:2005 (introduction and general model), ISO/IEC 15408-2:2005 (security
functional requirements), and ISO/IEC 15408-3:2005 (security assurance
requirements). This standard helps an organization in evaluating, validating, and
certifying the security assurance of a technology product against various factors such
as the security functional requirements specified in the standard.

□ ISO/IEC 13335 (IT security management): Consists of a series of guidelines for
technical security control measures such as:

• The ISO/IEC 13335-1:2004 standard defines the concepts and models for
information and communication technology security management

• The ISO/IEC TR 13335-3:1998 standard defines the techniques for the
management of IT security

• The ISO/IEC TR 13335-4:2000 standard covers the selection of safeguards

• The ISO/IEC TR 13335-5:2001 standard covers management guidance on network security

Introducing Various Security Policies and Their Review Process

It has been discussed earlier that many organizations are required to develop and
maintain specific security policies and procedures. Apart from designing a security policy,
its review process is also essential to ensure that the policy is appropriate or adequate.
Let's begin with a discussion on the following types of security policies and then focus on
the review process:

□ The World Wide Web (WWW) policy

□ The e-mail security policy

□ The corporate policy

This section also presents yet another sample security policy.

WWW Policy
The Internet is a network of networks providing various services such as sending e-mails,
transferring files, logging in from remote systems, and the WWW. The WWW is the universe of
Internet-accessible information. While browsing the Internet, there are various risks,
some of which are as follows:

□ The software provided to the employees for business use can be used for a for-profit
outside business activity or in a way that potentially embarrasses the company

□ The software or documents downloaded over the WWW can contain viruses

□ The users of an organization, while browsing the Internet, can access sites containing
offensive material

To avoid such risks. the organization needs to define the WWW policy. Some examples of
WWW policy are as follows:

□ No offensive or harassing material may be made available through company websites

□ No personal commercial advertising should be made available through company
websites

□ Personal material on or accessible from the website should be minimal

□ No company-confidential material should be made available

□ Users of an organization should not be permitted to install or run Web servers

E-mail Security Policy


E-mails can be used not only to improve the communication between employees, but also
to transmit proprietary information, harass other users. engage in illegal activities, and
serve as evidence against the company in legal actions. E-mail is actually the electronic
version of a postcard and requires special policy considerations from archiving to content
guidelines. Therefore, the organizations should take various points into consideration
while writing e-mail policies.

Generally, while creating an e-mail policy, the general rules and guidelines that users need
to follow should appear first in the e-mail policy document. An organization can include
the following "Ten Commandments of E-mail" while developing an e-mail policy:

1. You will demonstrate the same respect that you give to verbal communications.

2. You will check your spelling and grammar, and read your own message thrice before
you send it.

3. You will not forward any chain letter.

4. You will not transmit unsolicited mass e-mail (spam) unto anyone.

5. You will not send messages that are hateful, harassing, or threatening unto fellow
users.

6. You will not send any message that supports illegal or unethical activities.

7. You will remember that e-mail is the electronic equivalent of a postcard and will not
use it to transmit sensitive information.

8. You will not use e-mail broadcasting facilities except for making appropriate
announcements.

9. You will keep your personal e-mail use to a minimum.

10. You will keep your policies and procedures sacred and help administrators protect
them from abusers.

Corporate Policy
Corporate policy is the formal declaration of the principles and procedures according to
which a company will operate. These principles or guidelines are laid down by the board
of directors of a company or the senior management policy committee. A corporate policy
comprises:

□ Company's mission statement


□ Company's objectives

□ Principles on the basis of which strategic decisions are made

A corporate policy also lays down the factors for measuring performance and ensuring
accountability at all levels of an organization. It is also known as company policy, and is
defined after an analysis of all internal and external factors affecting an organization's
objectives, operations, and plans.

Sample Security Policy


Let's now look at the sample security policy. The template of the sample security policy is
as follows:

1. Information security policy
   a. Purpose
   b. Aims and commitments
   c. Responsibilities
   d. Councils
   e. Heads of departments
   f. Users and external parties
2. Risk assessment and the classification of information
   a. Risk assessment of information held
   b. Personal data
3. Protection of information systems and assets
4. Protection of confidential information
   a. Storage
   b. Access
   c. Remote access
   d. Copying
   e. Disposal
   f. Use of portable devices or media
   g. Exchange of information and use of e-mail
   h. Cryptographic controls
   i. System planning and acceptance
   j. Backup
   k. Further information
   l. Hard copies
      i. Protective marking
      ii. Storage
      iii. Removal
      iv. Transmission
      v. Disposal
   m. Enforcement
   n. Compliance
   o. Other relevant university policies or guidance
   p. Contacts for further information
   q. Sample risk assessment
   r. Scope, criteria, and organization
      i. Scope
      ii. Criteria
5. Risk identification and analysis
   a. Assets
   b. Threats and risks
6. Appendix 1: Sample risk assessment
7. Glossary

Policy Review Process


Each policy created should be reviewed appropriately to ensure successful policy
development. Figure 1 shows the six important steps to be performed while evaluating an
information security policy:

Step 1: Have someone other than the person who wrote the policy review it

Step 2: Assess the policy for completeness

Step 3: Ensure policy statements are clear, concise, and SMART

Step 4: Ensure the policy answers the 5 Ws

Step 5: Ensure consistency with laws, regulations, and other levels of policy

Step 6: Check policy freshness and easy availability to organization members

Figure 1: Steps involved in the policy review process


Let's discuss each of these steps in detail.

□ Step 1: Having someone other than the person who wrote the policy review it:
Generally, people identify their own errors only a small percentage of the time.
Therefore, someone other than the person who created the policy should review it and
assess it for mistakes. For best results, the policy reviewer should be aware of the organization's
fundamentals of information security and be detail oriented. Moreover,
the person should be technically sound, so as to review the policy for technical accuracy.

The security policy should have an owner who has approved management
responsibility for the development, review, and evaluation of the policy. Rather than the
policy owner, another person or team should be assigned the task of reviewing and improving the
policy.

□ Step 2: Assessing the policy for completeness: The second step is divided into the
following sub-steps:

• Assessing the policy framework for completeness: Checks or examines the existence
of standards and procedures supporting the policy set

• Assessing the policy elements for completeness: Checks or examines whether the policy is
flawed due to the lack of an element

□ Step 3: Ensuring that policy statements are clear, concise, and SMART: SMART stands
for specific, measurable, achievable, realistic, and time-bound. In this step, the policy
reviewer ensures that the policy is clear and that simple language is used, so that
it can be easily understood by everyone.

□ Step 4: Ensuring that the policy answers the 5 Ws (who, what, when, where, and why): In this step, the reviewer checks
whether the appropriate function is defined for the correct person in the correct place. The
reviewer also ensures that it is stated when the actions will be accomplished. In other words, the
policy should clearly explain its purpose and background in the policy statement.

□ Step 5: Ensuring consistency with laws, regulations, and other levels of policy: In this
step, the reviewer ensures that the policy is consistent with the various applicable laws and
regulations; otherwise, the organization may face lawsuits. The policy should also be
consistent with the laws and regulations of each country in which the organization operates. During policy
assessment, the policies are checked for consistency with lower- and higher-level policies.
Any discrepancy found should be resolved.
□ Step 6: Checking policy freshness and easy availability to organization members: In
this step, a policy is examined for provisions to keep it updated. This is important
because an outdated policy can result in more damage than good.
Publishing and Notification Requirements of the Policies
After the policies have been written, they will not do the organization any good
if they sit on a shelf collecting dust. Not only should a policy be a living document,
it should also be accessible to all users. A common way of doing this is to
publish the policies on the organization's intranet. This way, the policies are
available to all users, the organization saves on printing costs, and updates
can be made in one central location without having to ensure they
are distributed.

Policies in this area should cover both the publishing of the policy documents
and notification of when published. This policy also should cover who is
responsible for these acts. Many organizations.
