Security Policy: underpinning information security
By Diane Seddon, August 14, 2002.
The DTI Information Security Breaches Survey 2002 highlighted security policy as the most basic and fundamental discipline in information security. Despite this fact, the study found that only 27% of the UK businesses it surveyed had a documented security policy in place, rising to 59% for larger companies. Although this figure has doubled since the previous survey undertaken in 2000, the number still remains low. With such a huge amount of data now held on networked systems and the increasing transfer of information across the Internet, it is imperative that organisations address information security as a business issue, with policies and procedures underpinning technology.
It is a common misconception, perpetuated by the media, that the greatest threat to information security comes from hackers. Although web attacks do constitute a significant risk, there are other issues such as natural disasters, failure of equipment and accidental operational errors which also need to be accounted for, namely in a clearly laid-out and documented security policy. By definition, security policy refers to the collection of procedures, standards and guidelines governing all aspects of an organisation's information assets. It is the set of rules which governs the use of IT systems, defining what behaviour is and is not permitted, by whom and under what circumstances.
Technology plays a vital role and there is a vast range of technical solutions to the business issues that are faced by organisations, all of which need to be correctly configured so that they form part of a 'layered approach' to information security. Behind the technology sit the equally important procedural and human factors. Who is responsible for ensuring that the appropriate patches are applied when they are released by manufacturers; who is responsible for communicating the acceptable use of systems to the organisation and training staff in security awareness; what is the business continuity plan and how often is it updated to ensure that it meets the evolving needs of the organisation? From defining the appropriate distribution of resources through to job responsibilities and staff awareness, security policy plays an essential and central role in protecting the data that is held on networked systems.
Unauthorised access and other security incidents resulting from the lack of a security policy, or from an ineffective one, not only increase the risk of loss of business but may also have legal implications for the organisations involved. The Data Protection Act (1998) requires adequate protection of personal information throughout the data's lifecycle, from collection to transmission, storage and destruction. If the Act is contravened and an individual is found to have suffered damage, the data controller can be ordered to pay compensation. Worryingly, the DTI report found that only 48% of UK businesses had documented procedures to ensure compliance with this Act. The Turnbull Report ("Internal Control - Guidance for Directors on the Combined Code") states that risk management is the responsibility of the whole board and that internal controls need to be in place. These controls should be reviewed at least once a year, to keep pace with any legal or technological developments. The recommendations in this report, written in 1999, became mandatory for companies listed on the London Stock Exchange and certain public bodies in December 2001. If the directors do not comply, they must communicate this fact to the shareholders and risk the wrath of the market. Whilst employers have rights to protect their systems from abuse, employees also have rights under the Human Rights Act (1998). Under this Act employers must identify and communicate when they will and will not read an employee's email. This may be necessary, for example, in the event of a security incident investigation. Other Acts concerning the holding and transfer of information include the Interception of Communications Act (1985), the Electronic Communications Act (2000), the Regulation of Investigatory Powers Act (2000), the Copyright, Designs and Patents Act (1988) and the Computer Misuse Act (1990).
Recent research has shown that knowledge of the Acts and their directly applicable content is very limited amongst company and board directors in the UK and until case law develops further (with respect to information security) it is very difficult to predict the likely outcome of any future cases.
The British Standard BS7799 is now becoming recognised as an important framework for the management of information security. Its origins go back to 1993 when the DTI sought to produce a code of best practice for secure online business. By consulting with selected large corporations, they introduced a set of security standards which are now recognised worldwide, being approved with only minor modifications as a standard in Australia and New Zealand and becoming part of the international standard ISO17799 in December 2000. The BS7799 standard is broken down into ten controls which address information security in a way that is suited to the needs of business and industry. The first control, Security Policy, forms the backbone for the standard and covers the allocation of responsibilities for every aspect of security implementation and an explanation of the reporting process for suspected security incidents. It also addresses the need for a review process to ensure that the policy document is maintained as business needs evolve and for the assessment of policy effectiveness with regards to cost and technological changes. Security Organisation and Asset Classification and Control define the authorisation process for hardware and software purchases and the establishment of an asset register for hardware, software and information. The standard also includes Personnel Security (such as staff vetting), Physical and Environmental Security, Communications and Operations Management (including the protection and authentication of data during transfers), System Access Control (such as the use of passwords and automatic terminal time-outs), System Development and Maintenance (including input data validation and data encryption), Business Continuity Management and finally Compliance with current legislation and contractual commitments such as those under software licence agreements.
Adhering to the BS7799 standard can reduce legal exposure (the standard is in compliance with the Data Protection Act for example) and provides the first nationally recognised benchmark upon which an organisation can build a bespoke security policy. It also provides a useful check on security best practice and is a useful framework for ensuring that security issues and incidents are managed in an effective manner. Furthermore, with lack of consumer confidence often cited as a barrier to online transactions, compliance with the standard demonstrates that the organisation has comprehensive security measures in place, increasing confidence in much the same way as the regulatory bodies which govern holiday and travel companies, for example.
Despite the comprehensiveness and value of BS7799, uptake in the UK is still relatively low and the DTI Security Breaches Survey 2002 found that only 15% of people interviewed were aware of its content, rising to 42% for larger organisations (although interestingly the website poll which was run concurrently found the overall figure to be 69%). Despite still being relatively low, awareness of the standard has increased over the last two years. The same survey conducted in 2000 found that only 25% of companies were aware that the standard existed (not its content as asked in the 2002 interviews) and only 6% were able to quote its number. Although it is a promising move in the right direction, given the amount of publicity surrounding BS7799, it is disappointing that knowledge of the standard and its content is not greater. The survey went on to suggest that further barriers include the cost of obtaining a copy of the controls and the perception that it is only applicable to the larger business model.
Unfortunately, in many organisations which have a documented security policy, the procedures and standards have been put in place by IT professionals who lack the commercial knowledge to ensure that it addresses the company's business needs. As a result, with or without the presence of a security policy, information security is often ad-hoc with little or no strategic planning and inappropriate distribution of funds. Furthermore, employees will often try to circumvent security measures that they feel are excessive, as the reasons behind security practices have not been effectively communicated. The DTI report stated that 16% of large businesses attributed their worst security incident in 2001 to poor training on security issues. The survey found that non-compliance with security policy often only came to light in the event of a security incident.
It is this lack of security awareness amongst employees that is often cited as one of the main barriers to information security. The Ernst and Young Global Information Security Survey 2002 found that less than 50% of the organisations it surveyed have information security awareness programmes. A worryingly low 7% of DTI survey respondents who had a security policy in place stated that they had developed it to make staff aware of security issues and their own responsibilities. Most businesses developed a policy because they thought it was good business practice to have one (67%); surely it is only good practice if it is effectively communicated to and acknowledged at the very core of the business, i.e. its staff.
A good security policy will have a substantial number of controls and be comprehensive in addressing the business needs of the organisation. Before its development, it is imperative that risks and their potential effects on the organisation are analysed so that funds are allocated appropriately. Risks are not static and need to be under regular review; indeed risk management can make a positive contribution to overall business, not just information security. The policy should cover all procedures relating to information security, including the use of technology, external audit (such as penetration testing), job responsibilities and business continuity. The most comprehensive security policies are further broken down into sets of individual requirements and guidelines such as a 'security incident response policy' which enables the organisation to react promptly and efficiently to any incident and ensure that the network is restored to its normal operational state within an acceptable (and defined) period of time, or a 'joiners and leavers policy' and so on. The policy should also be reviewed periodically to ensure that it continues to apply as the needs of the business evolve. Fundamentally it must be delivered across the organisation, most effectively via the desktop and through training. It should not be too restrictive (it would be difficult to recruit employees to work under such conditions) but should foster a positive attitude towards security, communicating the benefits it brings to the organisation.
The DTI provides useful information on security policy development, including an example of a corporate Information Security Policy (for more information and to obtain a free copy visit www.dti.gov.uk/cii/datasecurity/businessmanagersguide). It is also possible, and in many cases advisable (for example where in-house security skills and training are limited), to outsource the development and deployment of security policies. Specialist consultancies can advise on compliance to legislation and recommended standards and ensure that the technologies in place are adequate and appropriate. The DTI Security Breaches Survey found that 60% of businesses that had a security policy in place in 2001 had indeed outsourced its development.
It is a sad fact that information security is often treated as an overhead rather than an investment. Many organisations consider a firewall and anti-virus software as adequate protection without properly assessing their business needs. No two organisations will have the same security policy requirements and what is more, without clarifying, documenting and delegating policies and procedures it is impossible to ascertain whether the security needs of the organisation are being met. A security policy will define the role that IT security plays in supporting the requirements of the organisation, helping to identify the information assets which need safeguarding and will ensure that funds are distributed appropriately.