Question

If an organization is going to have a chance at a successful security program they need to develop policies that provide direction for all security efforts and guide the conduct of the users. These policies need to be well written to provide the organization with solid guidance to support their security objectives.

  • Identify and briefly describe the three types of security policies. Your response should include a discussion of where each should be used.
  • Where should policy writers look to find supporting material when developing the policies for their organization?

Policies function like laws in an organization because they dictate acceptable and unacceptable behavior there, as well as the penalties for failure to comply. Like laws, policies define what is right and wrong, the penalties for violating policy, and the appeal process. Standards, on the other hand, are more detailed statements of what must be done to comply with policy. They have the same requirements for compliance as policies. Standards may be informal or part of an organizational culture, as in de facto standards. Or, standards may be published, scrutinized, and ratified by a group, as in formal or de jure standards. Practices, procedures, and guidelines effectively explain how to comply with policy. Figure 4-2 shows the relationships among policies, standards, guidelines, procedures, and practices. This relationship is further examined in the nearby Offline feature.

The meaning of the term security policy depends on the context in which it is used. Governmental agencies view security policy in terms of national security and national policies to deal with foreign states. A security policy can also communicate a credit card agency's method for processing credit card numbers. In general, a security policy is a set of rules that protects an organization's assets. An information security policy provides rules for protection of the organization's information assets.

Management must define three types of security policy, according to Special Publication (SP) 800-14 of the National Institute of Standards and Technology (NIST):

1. Enterprise information security policies
2. Issue-specific security policies
3. Systems-specific security policies

Figure 4-2 Policies, standards, guidelines, and procedures

Several published information security frameworks by government organizations, private organizations, and professional societies supply information on best practices for their members.

Answer #1

The three types of security policies are:

1. Enterprise Information Security Policies (EISP),
2. Issue-Specific Security Policies (ISSP), and
3. Systems-Specific Security Policies (SysSP).

A brief description of each type of security policy:

1) Enterprise Information Security Policies (EISP) are also referred to as general security policies. These are documents from the executive level that shape the security philosophy of the company's IT environment. These documents serve as guidelines for the development, implementation, and management of the security program across the organization.

These policies establish the requirements and assign responsibilities to the various areas of security, while keeping in mind the definition of scope, constraints, purpose, and applicability of the program. They also handle the legal compliance aspect. The EISP is drafted by and starts with the Chief Information Security Officer (CISO) of the organization, who guides the entire Enterprise Security Program.

These policies support the mission, vision, and direction of an organization. They basically provide rules or laws for the protection of an organization's information assets. The policy sets the direction, scope, and tone for all security efforts, and is modified only if there is a change in the strategic direction of the organization.

2) Issue-specific security policies (ISSP) are designed to administer and manage the end users' usage of resources, services, assets, and/or activities used to support the organization's business goals and objectives. These policies apply to all employees who use the organization's resources, such as laptops, desktops, networks, other devices, accounts, and services, and to usages such as applications, e-mail, Internet, mobile phones, BYOD (Bring Your Own Device) such as the company-owned computers, laptops, mobile phones, and network at home, and the usage of any cloud and portable storage and network devices.

These policies address specific technologies, require frequent updates, and contain statements on the organization's position on specific issues. They address and evaluate concerns such as: who has access to the Internet, the use of personal equipment on company networks, the use of photocopy and printer equipment, and prohibitions against hacking.

3) System-Specific Security Policies (SysSP) are unique when compared to EISP and ISSP. A SysSP is a set of policies functioning as instructions or procedures used when configuring systems. For example, a company's management provides documents to guide the configuration of technology-intended devices, resources, electronic appliances, etc., to support information security in the company.

These policies detail how to set up and maintain individual systems. A SysSP differs from the other policy types in its various components. Companies typically implement system-specific policies for firewalls, VPNs, proxies, software, and other technologies so that users, administrators, support personnel, and other related employees in the company can use them as a guide. It is like a manual of procedures illustrating how systems should be configured or maintained.

A discussion of where each should be used:

Information Security Policies or Enterprise Information Security Policies are used mostly in organizations, corporate companies, and enterprise environments in general: both public and private sector companies, government agencies, related companies, and offices. In general, information security policies can be and are used anywhere and everywhere that information at rest and in transit is to be safeguarded against any confidentiality, integrity, and availability issues.

Issue-Specific Security Policies (ISSP) are independent and are used to cover specific issues, such as a specific department or division and its assets, and are meant for specific technologies.

System-Specific Security Policies (SysSP) are used mostly in corporate companies or, more generally, in enterprise environments.

These policies are very targeted documents, related only to the specific systems they are designed to address. Hence, each system in the workplace needs its own Systems-Specific Security Policy to define and outline how it functions, how it is to be configured, and how it is managed.

In order for policy writers to find supporting material when developing the policies for their organization, they should look to the several published information security frameworks by government organizations, private organizations, and professional societies that supply information on best practices for their members.

Policy writers can also refer to the documents published by the National Institute of Standards and Technology (NIST). They can refer to 'standards', such as 'de facto standards', which are more detailed statements of what must be done to comply with policy and have the same requirements for compliance as policies. They can also refer to published and scrutinized standards that are then ratified by a group, the formal or 'de jure' standards.

The policy writers could also refer to the practices, procedures, and guidelines explaining how to comply with policies.

It is evident that policy writers should specifically look to the three types of security policies, namely Enterprise Information Security Policies (EISP), Issue-Specific Security Policies (ISSP), and System-Specific Security Policies (SysSP).
