Policy matters

IT security policies need to be based on sound principles rather than technical standards to make sense, says Karel Rode, security solutions strategist at CA Africa

By Karel Rode. Published January 14, 2008

No-one wants to live in a police state, but these states exist and some of them exist very close to our borders. Such authoritarian environments reveal how a public living in fear is neither happy nor productive. This is also true of the corporate community.

Still, there must be rules, laws or governance to prevent anarchy. Within the IT space these are referred to as policies and their purpose is to improve organisational performance, reduce IT risk and contribute to good governance. Without defining, maintaining and enforcing IT security policies an organisation could be found negligent in the event of an employee misusing IT assets.

Policies are based on principles that are defined by the business. Generally, most IT security principles focus on the confidentiality, integrity and availability of company data - often referred to as the CIA, or the triad of information security. A principle might be that confidentiality of data must be ensured, which would result in the policy of mandating access control. Mandating access control means deciding who can access what data, and classifying access accordingly. At lower levels there are procedures, standards and guidelines that refine these policies into operational guidelines.

Data integrity is another aspect of a security policy and refers to data being correct and consistent with the intended state of the information. A principle might demand data integrity; at the policy level the organisation would define what a loss of integrity means (for example, an employee accidentally or deliberately deleting or modifying a data set) and specify the preventive and detective controls that enforce the policy. This would also involve deciding on penalties for staff members who violate it.

So access control can govern confidentiality. Encryption also serves confidentiality, but on its own it does not provide integrity: an attacker who cannot read encrypted data may still be able to alter it undetected. Integrity needs a separate mechanism such as a message authentication code or a digital signature. This is most evident for data in motion, where TLS (still commonly called SSL) secures web pages and public-key mechanisms such as PGP secure email; both combine encryption with authentication of the content. Data that are static can be protected by storing a keyed hash (HMAC) or a signature over them, because a plain, unkeyed hash value can simply be recomputed by whoever altered the data. How this is done is defined not within the policy but in the standards, procedures and guidelines, the more technical components of the documents.
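To make the distinction concrete, the following is an added example (not part of the original article, and not code from CA or the author) using only the Python standard library. It assumes a constructed sample record and a toy hash-counter keystream, used only to show that a malleable cipher leaves integrity unprotected; the comparison is then an unkeyed SHA-256 "hash value" versus an HMAC under a key the editor of the data does not hold. The key names and the record are made up for the illustration.

```python
"""Confidentiality is not integrity: a malleable cipher vs. a keyed MAC.

Added example for this page. The keystream below is a constructed
illustration of stream-cipher malleability, not a recommended construction.
"""
import hashlib
import hmac

# Constructed sample record: the kind of "static data set" an integrity policy covers.
RECORD = b"employee=1042;salary=52000;status=active"


def keystream(key: bytes, length: int) -> bytes:
    """Toy hash-counter keystream (illustration only), long enough to cover the data."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; the reader cannot recover RECORD without key."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream reverses it


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker edit that needs no key: XOR the plaintext difference into the ciphertext.

    After decryption the field reads `new` instead of `old`, because
    (p ^ k) ^ (old ^ new) ^ k == new whenever p == old.
    """
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def sha256_hex(data: bytes) -> str:
    """Unkeyed 'hash value' stored beside the data."""
    return hashlib.sha256(data).hexdigest()


def hmac_hex(mac_key: bytes, data: bytes) -> str:
    """Keyed tag: only a holder of mac_key can produce a valid one."""
    return hmac.new(mac_key, data, hashlib.sha256).hexdigest()


def verify(expected_tag: str, actual_tag: str) -> bool:
    """Constant-time comparison so the check itself does not leak the tag."""
    return hmac.compare_digest(expected_tag, actual_tag)


def demo_malleability(enc_key: bytes = b"enc-key") -> str:
    """Encrypt RECORD, change the salary in the ciphertext without the key, decrypt."""
    ct = encrypt(enc_key, RECORD)
    offset = RECORD.index(b"salary=") + len(b"salary=")
    tampered_ct = flip_field(ct, offset, b"52000", b"92000")
    return decrypt(enc_key, tampered_ct).decode()


def demo_unkeyed_hash_recomputed(tampered: bytes) -> bool:
    """Insider edits the data set and recomputes the stored hash: the check passes."""
    store = {"data": tampered, "digest": sha256_hex(tampered)}  # both rewritten
    return verify(store["digest"], sha256_hex(store["data"]))


def demo_keyed_tag_detects(mac_key: bytes, candidate: bytes) -> bool:
    """Tag computed over the original under a key the editor lacks: tampering fails."""
    stored_tag = hmac_hex(mac_key, RECORD)
    return verify(stored_tag, hmac_hex(mac_key, candidate))


if __name__ == "__main__":
    print("decrypted after ciphertext edit:", demo_malleability())
    print("unkeyed hash accepts tampered data:", demo_unkeyed_hash_recomputed(
        RECORD.replace(b"52000", b"92000")))
    print("HMAC accepts tampered data:", demo_keyed_tag_detects(
        b"mac-key", RECORD.replace(b"52000", b"92000")))
```

The first demo is the point the paragraph corrects: the salary is changed from 52000 to 92000 by someone who never had the encryption key, and decryption reports no error. The second shows why "create a hash value" alone is not an integrity control when the same person can write both the data and the hash; the third shows the keyed tag rejecting the change. Real deployments use an authenticated mode (for example AES-GCM) or a signature rather than a hand-rolled keystream; the policy only needs to say that integrity must be verifiable, and the standard picks the mechanism.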

Principles (and policies), as defined by the business, should not refer to any technical product or vendor solution at a highly technical level, because at that stage the technology controls that will enforce them have not yet been decided. For example, a policy relating to data in motion might say: "All confidential data communicated to external parties must be encrypted." This does not define how the encryption should work, what the strength of the key should be, how the key can be shared with the third party or what algorithm should be used. At most it should state that in such cases the company-provided secure email service must be used; the algorithm, key length and key exchange belong in the supporting standard.

Policies are also not static documents. As companies are dynamic and technologies are fluid, these documents and their source principles need to be reviewed on a regular basis. A review requirement is meaningless unless it is scheduled and enforced, so an annual review cycle should be the minimum. It is also important to remember that policies reference one another: if a data classification policy is in place and the user access management policy is updated, the author may have to revisit or re-link one or more related policies. Reviewing and changing one policy can affect many others, so this chain of dependencies needs to be managed carefully.

Any updates or modifications to policies should be reviewed by legal counsel and communicated to those affected. Acceptance of new or revised policies by the user community is essential. Not all users need to sign off on all of the policies, however, just those relevant to the execution of an individual's job.

In conclusion, policies are administrative controls. They can also be seen as preventive controls, but they rarely serve that purpose on their own. Through the use of technology these administrative controls can be enforced and turned into detective controls, bringing more value to the organisation. Sadly, the overuse of such technologies can reproduce the stifling conditions of the police state. Clear, human-readable policies that people understand and accept should therefore come first, with technical controls applied where they are proportionate; controls that make routine work tedious push users to find more creative ways to circumvent them, and the policy's intent is lost.

Karel Rode is security solutions strategist at CA Africa.
