Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Book Reviews Books Media

Building an Effective Information Security Policy Architecture 70

Ben Rothke writes "Security policies are like fiber, that is, the kind you eat. Everyone agrees that fiber is good for you, but no one really wants to eat it. So too with information security policies. They are sorely needed, but most users don't go out of their way to comply with them. And in many firms, they are not even trained in what they have to do. But failure to have adequate information security policies can lead to myriad risks for an organization." Keep reading for the rest of Ben's review.
Building an Effective Information Security Policy Architecture
author Sandy Bacik
pages 340
publisher CRC
rating 8
reviewer Ben Rothke
ISBN 978-1420059052
summary Good book for information security policy development
For the sake of a basic definition, a policy is a formal, brief, and high-level statement or plan that embraces an organization's general beliefs, goals, objectives, and acceptable procedures for a specified subject area. The purpose of information security is to protect an organization's resources. The cornerstone of any information security strategy is a robust set of policies, procedures, standards and guidelines.

There are many reasons what information security policies are needed. Some of the most imperative reasons are:
  • To inform users of their information protection duties
  • Advise them what they can and cannot do with respect to sensitive information.
  • Define how users are permitted to represent the organization, what they may disclose publicly, and how they may use organizational computer resources for personal purposes.
  • To clearly define protective measures for these special information assets. The existence of a policy may be a decisive factor in a court of law, showing that the organization took steps to protect its intellectual property.
  • Define both acceptable and unacceptable behavior. For example, spending a lot of time surfing the web and downloading videos off the net are both generally unacceptable.
  • Policies are needed to establish the basis for disciplinary action, up to and including termination.


Building an Effective Information Security Policy Architecture does a good job of showing the reader how to start from scratch and build their security policy infrastructure. The book starts off at a high-level about the need for policies, and then goes into details on how to develop, write and sell these policies to management.

The book is a good guide to the entire policy lifecycle, and how to use various means to get to the ultimate goal. At 340 pages, the first ten chapters comprise 155 pages and deal with creating the policy infrastructure, communicating with management, and putting the entire policy puzzle together. The final 185 pages comprise 21 appendices of various examples of different policies.

A most significant downside and frustrating part to the book is that there is no CD-ROM with it, or companion website in which to download and use the numerous policy and process examples. At $80.00, such an option should be de rigueur. The lack of electronic versions of the policies in a book such as this is senseless.

Also, this is the first technology book that I have ever seen that did not cite a single reference. It is hard to imagine writing a book on this topic without using some sort of external reference. While the author may not want to quote sources, she should at least point the reader to other sources of information about security policies. Two notable and essential sources in the information security policy space are the SANS Institute — SANS Security Policy Project, which is free, and Information Security Policies Made Easy from Information Shield, Inc., which is $795.00, but worth every penny for a serious security policy effort. Full disclosure: I am on the Information Shield Expert Panel, but get no financial incentives or compensation.

Overall, Building an Effective Information Security Policy Architecture is a good resource to use if you are tasked to create or modify your organizations set of information security policies. The book will likely find itself on the desk of many information security professionals.

While it is frustrating that the book makes you reinvent the wheel by not having electronic versions of the polices, its value still can't be underestimated. Let's hope future versions of the book will fix that anomaly.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Building an Effective Information Security Policy Architecture from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

Building an Effective Information Security Policy Architecture

Comments Filter:
  • What, do they pass chapters by value?
    • Re: (Score:1, Offtopic)

      by niceone ( 992278 )
      If it's like fiber, without it you don't pass anything at all?
    • Re: (Score:1, Offtopic)

      by Alzheimers ( 467217 )
      Just pass it as (Void *) and let the reader figure it out on their own.
      • Re: (Score:1, Offtopic)

        by Alzheimers (467217) on Friday June 13, @03:30PM (#23783459)
        Just pass it as (Void *) and let the reader figure it out on their own.
        I seem to vaguely remember forgetting something about void * ...
  • by southpolesammy ( 150094 ) on Friday June 13, 2008 @01:41PM (#23782739) Journal
    1. Open only as necessary per app.
    2. Deny everything else.

    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Friday June 13, 2008 @02:05PM (#23783119)
      Comment removed based on user account deletion
      • by Bishop ( 4500 ) on Friday June 13, 2008 @03:05PM (#23783947)
        If you break the security polices you should be fired. I don't care if it is trivially easy to tunnel protocol X over HTTP. If you are willing to break the IT security policies why should you be trusted?

        The problem with the "block known bad things" approach is that there are a lot of unknown bad things. It is far easier to profile for, and allow "known good things."

        Watching all traffic for anomalies is a joke. No one has figured out how to do it yet and they have been chasing that goal for a decade at least. I have seen countless demos of "network anomaly detectors" that have all failed. Anomaly detection probably requires AI to work.

        Given the technology available today the only effective technical controls we have to enforce an IT security policy is a default deny policy.

         
        • Re: (Score:2, Insightful)

          by Jansingal ( 1098809 )
          >>If you break the security polices you should be fired. I

          that is sooooo stupid.

          Not every policy violation deserves the worker to be fired.

          What's next? Kill the jaywalkers?

        • That's great, until you take into account that slowing down a senior technical person by an hour on some project costs the company hundreds of dollars every time it happens.

          Assuming that you're talking about network security for a business, security policy is a business decision. It's a business decision that requires extensive technical expertise to properly make, but it's really a tradeoff between various scenarios where the company loses money. A security breach isn't simply "we lose, game over" - it's

      • Sure you will. If it is setup right, you aren't getting around it. Not without lots of buzzers, lights and shit going off in any case. This is all figuratively speaking of course, there obviously will be no real buzzers and lights. But there will in fact be someone standing at your desk with your security escort out of the building. What most "technically savvy" users don't get is there are laws on our side. You screw with my system I will put you in jail, long time employee who is valuble to the company or
      • You are for more right than Bishop is wrong ... or something like that.

        THE MISSION IS ALL! Security that prevents mission/CoreBiz+ performance is more harmful than valuable to the mission. However, probable mission success without some respectable and reasonable degree of security can be problematic.

        Don't let security stop reality. Keep security in perspective and segment the critical (plans, G2, accounts ...) content & systems from the daily office/public traffic. Security policy fails when you rely on
    • I have seen such firwewalls, great!
      yeah, but they stay in that state for about a week :(
  • "LAX"ative, as in digital Feen-a-mint and digital Ex-Lax....

    Big dirty mess at the end, butt no.body wants to clean up the mess...

    Now, IT are looking at "data retention" policies to wipe up the mess before it sticks around too long..., and avoiding legal anu-tubal ligat... umm, litigation...

    (see InformationWeek June 9, 2008, p 27...)

  • by willyhill ( 965620 ) <`moc.liamg' `ta' `kaw8rp'> on Friday June 13, 2008 @01:54PM (#23782941) Homepage Journal
    Never, ever do this yourself. Hire an consulting firm to come in and give you an outsider's view of your dirty laundry. More often than not when you're just used to how "things work around here" you end up overlooking an amazing amount of stuff that happens around you, which in turn leads to all the effort, time and money being wasted.

    Trust me on this one, my company tried to hot dog this ourselves twice and we failed both times. It wasn't until we brought someone else in that we ended up with a good working policy that really worked.

    Some people will get their egos dinged and feelings hurt in the process (including some near the top), but a VP's indigestion is far more manageable than a massive level I breach. This is especially true if your company handles anyone else's financial or personal data for a living.
    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Friday June 13, 2008 @02:14PM (#23783207)
      Comment removed based on user account deletion
      • I second-second this as truth.
      • I second this, only because outsiders are fairly immune to inner-office politics and squabbles,

        Which is usually why they are brought in.

        so their recommendations are usually much more "pure" than from people already in the company that don't want to piss off certain people or don't want to anger others.

        Wrong. Outsiders are an untouchable extension of the party or interest that called them in. They're more often than not used as a tool or weapon against opponents or to rent loyalty. As long as the outsider is fully dependent, they'll be loyal. So stocking a project or team with rented outsiders is a way of buying control.

        Case in point: I've seen several occasions where teams spent a few months investigating and making detailed recommendations, only to be

    • Excellent point!

      works all the time.

    • mistake many firms make is that they think they can just cut and paste policy.
      it ain't that simply.
      in fact, that is the worst approach.
  • Colon Blow? (Score:1, Offtopic)

    by Hell O'World ( 88678 )
    Sounds delicious, but does it really have more fiber?
  • ...reflect the risk tolerance of the business?
  • Slashvertisement (Score:3, Insightful)

    by Anonmyous Coward ( 1290620 ) on Friday June 13, 2008 @02:01PM (#23783051)
    I mean, come on, who really cares about information security policies. The only thing they're good for is figuring out where to place the blame if something goes wrong. They're the tools of Mordac [wikipedia.org] and something pushed by consultants who don't know security from the hole in their ass but want to sell you the very expensive service of developing a detailed policy that's completely impractical to follow.


    You can't identify sensitive information assets because there's just too much data and no one can agree on what's sensitive and what's not. You shouldn't bother telling uses what they can and can't do because they aren't paying attention and even if they are, when a situation comes up where they should actually be using that info, they've forgotten it. And users who can't figure out on their own that surfing the net for pr0n on company time is unacceptable will probably do it anyway.


    The only thing he got right is "Policies are needed to establish the basis for disciplinary action, up to and including termination." But it's an excuse for firing someone you probably didn't like anyway. If they're actually a valuable employee, you'll probably have to overlook whatever they did.

    • by hike2 ( 550205 )
      Posted and reasoned from the point of view of the employee. The point is to keep the company relatively safe from legal claims of all kind (internal and external). Part of it is to keep the company working in case something goes wrong (business continuity). Most of these things are there to help mitigate risks so that the company can keep making money that will use to pay you for work you should be doing instead of wasting time on Slashdot :) Kinda like me
    • You miss one of the biggest points because of your (common) preconceived notions.

      One of the big points is that if no one adheres to your security policy, it is useless.

      Hence, you need to design a security policy that users will respect and obey.
    • Actually policies are quite good at proactively preventing problems. As a reactive tool, you're exactly right, they're useful for discipline but little else. However, if you company has a policy that all customer contact information must be stored in an encrypted form at rest then application designers will follow the policy when building new applications. You can use policy to shape the development of your company and to ensure that new initiatives comply with a baseline of security. Of course, it's go
    • I second this as truth, because twice I have been the target of pet-rock management blame-storm witch-hunts (I'm still here, I think, maybe not).
    • Security policies (Score:4, Insightful)

      by Beryllium Sphere(tm) ( 193358 ) on Saturday June 14, 2008 @12:04AM (#23789055) Journal
      You always have a policy. It may be implicit, relying on the experience and intuition of the technical people. It may be dysfunctional, like "everything goes". Or it may be written down, which I gather is the sort you find useless.

      Written security policies are just plain indispensable if you're covered by PCI/DSS or HIPAA, since both standards require them. They also give you a way to do knowledge transfer: before a written policy, the technogeeks know not to download free toolbars, after a written policy everyone does.

      Anything good has a policy underpinning it. Are the backup tapes encrypted? If so, it's because there was a policy decision to encrypt them, even if that decision was made by an empowered IT person rather than a suit or a consultant.

      >You can't identify sensitive information assets because there's just too much data and no one can agree on what's sensitive and what's not.

      You can identify enough to be useful. Customer credit card information and health records are things people can agree on, especially when external forces require them to. Protect the things you know are sensitive, and you can reduce the risk of something damaging or embarrassing happening, and reducing the risk is all you can hope for anyway.
  • That book may be nice, but what about using ISO standards when it comes to information security ?
    Standards have been made after a long process of elaboration to be able to cope with every possible situations.

    More informations on wikipedia : http://en.wikipedia.org/wiki/ISO_27001 [wikipedia.org]
    And here : http://www.27000.org/index.htm [27000.org]

    NB : allas, the documention don't seem free :/
  • CIO and CSO (Score:1, Insightful)

    by Anonymous Coward
    I can see that there will be a new job in future for "Chief Security Officer" in addition to "Chief Information Officer" in every organization. The penguins of the board room will all get together and decide how best to separate information-tech from security because CIOs today don't know sh** about security, but they pretend and talk like they do. Of course there must be a few good ones, but the majority are a waste of cash and stock options. If they had been doing their job well, we wouldn't need these
    • CSO, good-one, I have noticed that as the number of C*O positions increase the more businesses screw-up, fail, lose money ....

      Maybe a stock investment rule can be found surveying corporations' C*O positions and quantity (CEO, CIO, CTO, CSO ...). CSO is another good funnnnnnny.
      • Have you seriously not worked in a company with a CSO? That's surprising. The last 3 companies I've worked for over the last 10 years have all had a CSO, a CISO, or both.

        Not having a function responsible for information security separate from the CIO is, unfortunately, generally a conflict of interest. Too many CIOs focus only on the availability aspect of security.
        • Info/NetSec functions fall under CTO or CIO at HQ location.

          When I saw CSO, I chuckled, reminds me of legacy viewgraph [powerpoint] engineers ... an animated breed of pet-rock. I feel many (not only USA) companies' C?O positions are populated by animated breeds of pet-rock.

          So many can screw-up, all their lives, and get very well paid. We all know that worker-bees, pack-mules, liberal-public-heathens, and unexpected (totally surprising) economic conditions are the most believable cause of business failures, a
          • Yep - you're right. I must admit that I've seen my fair share of incompetents in that role. Some of the decisions (or lack thereof) I've seen made just boggles the mind.
  • "So too with information security policies. They are sorely needed, but most users don't go out of their way to comply with them. And in many firms, they are not even trained in what they have to do. But failure to have adequate information security policies can lead to myriad risks for an organization"

    No amount of security policies is going to protect the 'computer', unless and until they can come up with a design that don't get 'infected' merely by clicking on a URL or opening an email attachment.
  • As part of a general security program, an information security policy can help to reduce exposure to legal liability for break-ins. . . . However, FTC did punish TJX (unfairly) [blogspot.com] even though it had a good faith security program. --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html [blogspot.com]
  • From the Back Cover [amazon.com]

    * Phishing and spyware
    * Identity theft
    * Workplace access
    * Passwords
    * Viruses and malware
    * Remote access
    * E-mail
    * Web surfing and Internet use
    * Instant messaging
    * Personal firewalls and patches
    * Hand-held devices
    * Data backup
    * Management of sensitive information
    * Social engineering tactics
    * Use of corporate resources

    - unquote -

    If they let their own IT staff get on with the job, instead of ordeing in the latest innovative fad, then we wouldn't even need a security poli
    • link is broken.

      but then again, what is the post of your posting?

      supposed to mean what??>>>
      • link is broken. but then again, what is the post of your posting?

        My point is that none of these would be a problem if they innovated a computer thaat was secure, by default, without the poor sufering end user having to: Take steps to protect against phishing and spyware, identity theft, viruses and malware, e-mail, web surfing and Internet use, instant messaging. Add a 'personal firewall' which is next to useless, endlessly downoad and install patches that break something .. and so on ad nauseum ...

        C [amazon.com]
        • yes, but even an enduser can obviate a lot of so called secure systems
          • by rs232 ( 849320 )
            "yes, but even an enduser can obviate a lot of so called secure systems"

            No, you have to make it so as the end user don't have to do anything, like verifying a color coded URL or verifying an email is really from the sender, without opening it first .. :)
            • dude, i agree with you 100000%.
              but, this will neva eva happen.

              no one can build such a system that is secure and the world will accept.

              imaging a real secure Operating system. u think the nascar idiots who use PC's could figure out how to use security?
  • From the summary:
    "Define both acceptable and unacceptable behavior. For example, spending a lot of time surfing the web and downloading videos off the net are both generally unacceptable."

    Acceptable behavior in the workplace should certainly be codified but by and large it is not a security issue. Gawking at YouTube videos all day is counter productive and probably not what your employers had in mind when they hired you. But it is not a security issue, it's a peformance issue and should be dealt with acco
  • Easy solution. Work at a company and ... have a backup of their security policy ready. Think of it as a template.

    When you leave that company do a replace on the company name and make it the official policy of the new company.

    In case you get an audit match the auditors requirements with your security policy and enhance it where it lacks using the format of the template you brought along.

    During the time of the audit have signs up in the office, revoke the CEO's and any other big shots/pain in the ass user's s
    • I second this as another security truth. Whatever happened to PKI, biometrics ... and other technologies to help those poor pitiful techphobic C?Os.
  • I wouldn't buy a book from CRC personally: CRC Lawsuit Frequently Asked Questions [wolfram.com]

    • Re: (Score:2, Funny)

      by Jansingal ( 1098809 )
      So silly.

      like no other publisher is under litigation.

      with this logic, you could never buy another book, ever!
  • Well-defined and documented security policies are practically useless if they are not technically enforced.

    IT departments need to stop faulting the user as "They forgot X when handling information of Y type" because not every user who will be handling sensitive data will be capable of remembering and understanding how sensitive data should be handled. For example, do you think every person you talk to at a call-center at an health insurance company or hospital is a technical person, or are they a low-i

No spitting on the Bus! Thank you, The Mgt.

Working...