Information Systems Security, 16:246–256, 2007
Copyright © Taylor & Francis Group, LLC
ISSN: 1065-898X print/1934-869X online
DOI: 10.1080/10658980701744861
Information Security Policy
Development and Implementation
Avinash W. Kadam
MIEL e-Security Pvt. Ltd.,
Education Services,
Mumbai, India
Address correspondence to
Avinash W. Kadam,
MIEL e-Security Pvt. Ltd.,
Education Services,
C-611/612/Floral Deck Plaza,
Mumbai 400014, India
E-mail: awkadam@vsnl.net
ABSTRACT  Development of the information security policy is a critical
activity. Credibility of the entire information security program of an organi-
zation depends upon a well-drafted information security policy. Most of the
stakeholders do not have time or inclination to wade through a lengthy pol-
icy document. This article tries to formulate an approach to the information
security policy development that will make the policy document capture the
essentials of information security as applicable to a business. The document
will also convey the urgency and importance of implementing the policy,
not only in letter but also in spirit.
Introduction
Rudyard Kipling probably had no idea that his Six Honest Serving Men
would be employed by modern day computer scientists, engineers, and
architects for diverse applications. John A. Zachman used them for defining
Enterprise Architecture whereas John Sherwood used them for defining
Enterprise Security Architecture. These faithful servants serve anyone seek-
ing a deeper understanding of any complex subject. They are the six simple
questions starting with: what, why, how, who, where, and when. If you
persist in getting the answers to these six questions, a seemingly impossible
task such as developing an information security policy, which is relevant to
the business, covers major risks and is practical to implement can actually
be done with confidence.
Let us look at the policies which are developed for other business func-
tions. We will look only at two examples, the financial policy and the human
resources policy, and ask our six honest men to find if these policies indeed
do what they are expected to do. We will simultaneously map the possible
answers to these questions about information security policy.
What do these policies contain? The financial policy provides overall direc-
tion which the organization should take for having sound financial basis
and which leads to successful business operations. The human resources
policy provides the basis for attracting the right talent and retaining them,
 http://www.zifa.com
 http://www.sabsa.org
246
by employing right people for the right job for the
right remuneration.
Does the organization’s information security pol-
icy identify the information, which is critical for the
business? Does it provide the direction to perform
the business functions in a safe and secure manner?
Why are these policies defined? The financial pol-
icy contains the accumulated financial wisdom on
what is appropriate for the business. It provides for
the consistency of financial decisions. The human
resources policy is based on the sound values of
human dignity and fair treatment. This provides an
anchor for the right way to deal with people.
Does the organization’s information security policy
provide a clear insight into the information security
issues while dealing with the business processes?
How are these policies used? The financial policy
is always referred to while making the business
decisions. The human resources policy is consulted
while taking complex decisions affecting the careers
of the employees.
Is the organization’s information security policy
referred to when a decision about the right approach
for the information usage is to be taken?
Who uses these policies? The senior management
constantly refers to both the financial policy as well
as human resources policy to evaluate any decision
to be taken by them.
Does senior management refer to the organiza-
tion’s information security policy to confirm whether
their decisions conform with such a policy?
Where are these policies used? The financial policy
is used for taking all the financial decisions by the
company. The universal applicability of the policy
ensures consistency of all the actions. Similarly, the
human resources policy is the guiding light for all
the decisions taken pertaining to the people, irre-
spective of whether the decisions are taken at the
corporate level or at the remote branch location.
Is the organization’s information security policy
followed universally within the organization and do
all the information security decisions demonstrate
consistency?
When are these policies used? The financial and
human resources policies are used almost constantly.
The organization stops functioning if it ignores using
these policies.
Can we say the same about organization’s infor-
mation security policy? Is it used each time an infor-
mation access is granted or revoked?
247 Information Security Policy Development and Implementation
HOW TO SELL INFORMATION SECURITY
POLICY TO THE ORGANIZATION
After reviewing the answers to the six questions,
we realize that we have a lot of work to do before the
information security policy is considered as impor-
tant for the organization as the financial or human
resources policy. The usual skeptical question will
be, if we are surviving quite well without an informa-
tion security policy so far, why do we need it now?
We will have to do much internal convincing or sell-
ing before converting the organization into believing
in the importance of the information security policy,
and implementing it in a wholehearted manner.
We always needed financial policy to run a suc-
cessful business. I am sure that we had sound finan-
cial policy even in the days of businesses based on
barter. The human resources policy became essential
in the industrial age because labor unions demanded
fair treatment to the workers. It has taken centuries
of effort for both financial policy as well as human
resources policy to become well accepted and con-
sidered essential for sound business. Comparatively,
the information age is very young. Although we
started using information as a major resource during
the past few decades, the major thrust to the infor-
mation age came from the commercial exploitation
of the Internet, which started hardly a decade ago.
This is probably one of the reasons for the casual
approach we witness while dealing with information
security.
Where do we begin our efforts? The answer is of
course, at the very top. But do you think that you
will get the top management’s attention and interest
if we do not talk the same language that they speak,
and show the same concerns about the business as
they have? How do we get the mind space of the
CEO, CFO, and other C-suite occupants? Let us ask
our six honest serving men.
What are top management’s concerns? How do
we grow business, make it efficient and effective,
and beat the competition? Do we, as information
security experts, have some information security
concerns which could affect the business? Can we
recommend some information security approaches
which will help grow the business and make it more
efficient, effective, and beat the competition?
Why is top management indifferent about infor-
mation security policy? Of course the business
pressures, competition, pressure on margins, and
anxieties about success or failure of new initiatives
are some factors, but the most important factor is the
fear of the unknown. Most of the senior management
is not conversant with the IT field at present though
the awareness is increasing. They will get interested
only if the application of the information security
policy shows appreciable positive gains. So, it is the
primary task of the information security experts to
demonstrate the gains through the application of the
information security policy.
Do we have something to offer to reduce the
pressure? Can we contribute our might toward the
new initiatives by some measures of information
security?
How do we conduct the business in an ever chang-
ing scenario? How do we keep the leading edge? Can
information security policy identify ways to cope
with the changing scenario and keep the business
at the leading edge? Who are the people top man-
agement can trust to handle the complexities in
the new information age? Can information security
experts identify new ways of handling the informa-
tion resources in a reliable manner, and safeguard
the company’s intellectual property?
Where will top management look for successful
approaches of handling new age initiatives? Can the
information security policy provide the direction?
When does one spot information as a valuable
resource and create a differentiating factor? Can the
information security policy provide that differentia-
tion between a successful organization and others?
You may frame many different questions using
the same six words. Your focus should be to find:
⦁ What value the information has for the business
⦁ Why information security makes business sense
⦁ How you can help make the information secure
for the business
⦁ Who is responsible for making the information
secure
⦁ Where you deploy your resources to make the
information secure
⦁ When you know if the security measures are
indeed successful
Finding answers to these questions will definitely
improve the top management perception of the
information security.
Kadam 248
BUSINESS IMPACT ANALYSIS
The concept of business impact analysis (BIA)
looks out of place here. We usually talk about BIA
when we discuss business continuity and disaster
recovery plans. In my opinion, BIA should make its
appearance right in the beginning when we conduct
the interview with the top management for formulat-
ing the information security policy. The depth, cover-
age, and details of BIA will gradually increase as we
do more detailed business impact analysis. BIA is the
best tool to understand the importance of informa-
tion security for the organization, and also to make
the top management realize how much they depend
on information security for a successful business.
How do you conduct BIA where the top manage-
ment is involved? First, identify what are the critical
business processes for the organization. A critical
business process usually has the following features:
⦁ It is one of the star performers for the business.
⦁ It is associated with the brand value.
⦁ Its failure could severely impact the organization.
⦁ Any delays for this business process are
unacceptable.
⦁ Major investments have been made in perfecting
the business process.
⦁ Major technical investments have been made in
making the process efficient.
Based on the answers to these questions, you may
classify the business processes as critical, important,
and routine. Even a single affirmative answer may
provide adequate reason to name the business pro-
cess as critical. It does not mean that you should
ignore the routine processes. It only means that the
routine processes can be delayed or deferred with-
out having major impact on business. One of the
examples of routine processes could be the payroll
processing. If this is delayed, employees can still be
paid but if the just-in-time delivery of goods is not
done just in time, you may have serious impact on
business.
Now that we have identified critical business pro-
cesses, we take the help of our six honest serving
men.
Can we formulate questions to do a BIA with the
help of what, why, how, who, where and when? Let
us attempt some of these questions.
Table 1  Business impact analysis for business process ‘A’

Confidentiality Integrity Availability

What? What is the critical information for
this process which should be
confidential?
Why? Why this information should be
confidential?
How? How will the business be affected if the
information does not remain
confidential?
Who? Who is responsible for the confidentiality
of this information?
Where? Where do you store this information to
ensure its confidentiality?
When? When does the confidentiality of this
information become critical?
What is the critical information for
this process which should be
always accurate and reliable?
Why this information should be
accurate and reliable?
How will the business be affected if
the information is unreliable?
Who is responsible for the integrity
of this information?
Where do you store this information
to ensure its integrity?
When does the integrity of this
information become critical?
What is the critical information for
this process which should always
be available?
Why this information should be
always available?
How will the business be affected if
the information is not available
when needed?
Who is responsible to ensure the
availability of this information?
Where do you store this information
to ensure its availability?
When does the availability of this
information become critical?

Your objective is to understand the impact of infor-
mation security on the business, favorable or other-
wise. The top management is in the best position to
articulate their perception by answering questions
like the following:
⦁ What is the critical information for running the
business process?
⦁ Why is it critical?
⦁ How can you run business if this information is
not available to you when you need it?
⦁ Can you run the business if the information is not
correct or if it is stolen?
⦁ Who is responsible for guarding the information?
⦁ Where it is located?
⦁ When does the information become critical for
your business?
When you pose these questions, you can keep
some examples ready to explain the concept. You
can also give examples of some actual information
security incidences and the impact these had on
(hopefully other people’s) business. Do you need
a quantitative assessment of the business impact
of loss of confidentiality or integrity or availabil-
ity at this stage? Probably not, but noting down
the responses is important. You may get these
responses quantified during subsequent interviews
with the middle management and the operational
staff. It will help you to develop the answers into
a fully quantified statement when the risk mitiga-
tion measures are decided and their costs have to
be justified.
We can design a matrix around our six questions
and the three pillars of security, namely confidenti-
ality, integrity, and availability (see Table 1).
These interviews will reveal the business impact
resulting from loss of confidentiality, integrity, or
availability of information as perceived by the senior
management. Capturing their concerns will help
us in formulating the top level information security
policy which will be understood and accepted by
them.
Top Level Information
Security Policy
How does the BIA help us in formulating the top
level information security policy? Actually, we have
just found out all the reasons why there should be
a top level information security policy? The answers
that we got from asking the six questions for the
three attributes for all the critical business pro-
cesses can be summarized in the top level informa-
tion security policy. We may even write the policy
as if we are writing answers to the six questions.
The top-level information security policy may look
something like this.
“(What?) The organization recognizes informa-
tion as one of the key resources, which helps in
running a very successful business, delivering vari-
ous goods and services (we may be more specific
here) to our customers and meets expectations of
the stakeholders.

249 Information Security Policy Development and Implementation

 (Why?) We are very proud of the efficiency and
effectiveness we have achieved by our fine tuned
business processes (can be more specific). These
business processes critically depend on our infor-
mation systems (can be more specific). Any damage
to any information that we possess can adversely
impact our business. We strive to maintain all the
information with utmost confidentiality, integrity,
and make sure that it is available whenever and
wherever it is required to be accessed by legitimate
users.
(How?) We are aware that we constantly face
threats to our information systems. These threats
could disrupt our business processes and cause
severe losses (can be more specific). It is our inten-
tion to deploy all possible resources to ensure that
we are able to thwart any such threats and main-
tain the customers’ and stakeholders’ confidence in
us by having appropriate technical, procedural and
administrative measures in place. We have defined
these measures against specific threats and risks in
our detailed information security policies.
(Who?) The information security measures will
be implemented by our information security team,
headed by an information security officer, who
directly reports to an information security forum
(ISF), which is chaired by the CEO. The members
of the ISF will be business unit heads and other
responsible persons.
(Where?) The information security measures will
be deployed throughout the organization and all the
business processes (can be more specific) will be
under the purview of this policy. Any breach of this
policy will lead to appropriate disciplinary action.
(When?) Information security is a major concern
for the organization. We will have incidence man-
agement teams working 24×7 to promptly resolve
any incidents. We will ensure that all the persons
working for the organization are appropriately
trained so that they can be vigilant whenever they
are using the information. We will also educate our
customers so that they can promptly notify us if they
notice any information security incidents and need
our help (e.g., receiving a suspicious email).”
The top level information security policy should be
signed by the CEO to carry the message effectively.
The above draft gives us a starting point to cre-
ate an ideal information security policy that reflects
top level concerns of the organization. It will be
Kadam 250
specific to the organization and will reflect all the
efforts spent in conducting a BIA. BIA will provide
enough material to list the real concerns about any
compromise of information and how it could affect
the organization. An information security policy
thus designed will be owned by the top manage-
ment as their contributions in identifying various
critical things that may impact the business, will be
clearly mentioned. They will also understand that
their involvement is the key success factor. All the
concerns that were identified during the BIA will be
subsequently followed through during the formula-
tion of detailed information security policies.
THREAT IDENTIFICATION
We have now got a Top Level information security
policy for the organization. This is an excellent docu-
ment to get the top level commitment and clearly state
the intentions of the organization regarding informa-
tion security. But it is still a statement of intention
and not enough to develop implementable policies.
For this, we need to first identify all the threats to
the information. The threats we will identify will not
be just a general perception of threats. These will
now be more specific as we know what the really
critical business processes are. The BIA has given us
a good insight into this aspect of the business. We
also know which aspects of the information secu-
rity, that is, confidentiality, integrity, or availability
are critical for the particular business processes. So,
we should be able to narrow down our list to the
more realistic threats that can pose danger to the
critical information assets. We can also create plau-
sible threat scenarios. By now we have got a good
idea about these from conducting the BIA sessions
that we had with the top management. We can also
take help of our six honest serving men and make a
table which will reminds us not to forget any of the
contributing threat factors. Please notice that there
could be different types of threats which affect the
three pillars of information security. A threat which
compromises confidentiality may not cause loss of
integrity or cause unavailability. We need to identify
each of these separately, as shown in Table 2.
The questions for threat identification can be
asked to the middle management as well as the
operational staff. These persons will be facing such
Table 2  Identification of threats for business process ‘A’

Threats to Confidentiality Threats to Integrity Threats to Availability

What? What are the threats to confidentiality of What are the threats to integrity of What are the threats to availability of
critical information supporting this critical information supporting this critical information supporting this
business process? business process? business process?
Why? Why these threats exist? Why these threats exist? Why these threats exist?
How? How can these threats actually act? How can these threats actually act? How can these threats actually act?
Who? Who will carry out the threat actions? Who will carry out the threat actions? Who will carry out the threat
actions?
Where? Where can the attack happen? Where can the attack happen? Where can the attack happen?
When? When can the attack happen? When can the attack happen? When can the attack happen?

Table 3  Identification of vulnerabilities for business process ‘A’

Vulnerability corresponding to the Vulnerability corresponding to the Vulnerability corresponding to the

threats to Confidentiality threats to Integrity threats to Availability
What? What are the vulnerabilities What are the vulnerabilities What are the vulnerabilities
corresponding to the threats to corresponding to the threats to corresponding to the threats to
confidentiality? integrity? availability?
Why? Why these vulnerabilities exist? Why these vulnerabilities exist? Why these vulnerabilities exist?
How? How can these vulnerabilities be How can these vulnerabilities be How can these vulnerabilities be
exploited? exploited? exploited?
Who? Who will exploit these vulnerabilities? Who will exploit these vulnerabilities? Who will exploit these vulnerabilities?
Where? Where this may happen? Where this may happen? Where this may happen?
When? When this may happen? When this may happen? When this may happen?

threats in their normal day to day operations. Their

answers will give us a greater insight into the threat
perception. This in turn will help us in focusing our
efforts in creating detailed Information Security poli-
cies which address these specific threats.
The answers that we are seeking from our six
faithful serving men are:
⦁ What are the realistic threats to information for
our business processes?
⦁ What are the natural threats?
⦁ What are the manmade threats?
⦁ Why do these threats exist?
⦁ Is there a strong motivational factor for the man-
made threats?
⦁ Are there strong environmental factors which
cause the natural threats?
⦁ How may the threats materialize?
⦁ Who are the major suspects?
⦁ Where will we be hit?
⦁ When are we most prone to these threats?
Once again, remember to ask these questions for
each type of information security requirement: con-
fidentiality, integrity, and availability.
VULNERABILITY ASSESSMENT—OR
HOW WELL THE ORGANIZATION IS
PREPARED AGAINST THESE THREATS
This will be the next logical step in our journey to
develop the information security policy. Even with-
out a formal policy, organization will usually have a
few security measures in place. We will try to dis-
cover what these are and assess their adequacy. Once
again we take the help of our six honest serving
men and start probing the middle and operational
management into revealing the various practices in
place. Some of these practices may even be docu-
mented by means of staff notices or departmental
circulars. We should collect all of these and study
them before conducting the interviews. This will
help us understand the current state of information
security implementation in the organization. Notice
the complex phrase “vulnerability corresponding to
the threats.” It means we want to discover if there
are any specific vulnerabilities that can be exploited
by specific threats to confidentiality/integrity/avail-
ability (see Table 3).

251 Information Security Policy Development and Implementation

 Table 4  Vulnerability of individual components of information systems ‘A’ supporting a critical business system

Confidentiality Integrity Availability

In So Ha Pe Se Da In So Ha Pe Se Da In So Ha Pe Se De
What?                                    
Why?                                    
How?                                    
Who?                                    
Where?                                    
When?                                    

The answers that we are seeking to our six ques- Hardware

tions will be:
What are the weaknesses in your defense system
which may cause leakage of confidential informa-
tion or unauthorized modification of information or
unavailability of critical information?
Why these weaknesses are there? Has no
one noticed these before or these have been left
open hoping that no threat will ever exploit this
vulnerability?
How a threat will take advantage of these vulner-
abilities? If you were the enemy, who knows about
these vulnerabilities, how will you use the knowl-
edge to cause maximum damage?
Who will most benefit from the knowledge of
these vulnerabilities? Will someone be strongly moti-
vated to cause harm to your business?
Where will the attack take place? What is the most
vulnerable spot?
When will the attack take place? When is your
organization most susceptible?
While seeking answers to these questions, we
will realize that each individual question seeks to
discover the vulnerability of the basic component
which will be the weakest link in the system. Thus,
the vulnerabilities of a business process can be nar-
rowed down to the individual components that con-
stitute an information system.
The components of an information system are
(first two letter of each of the information system
components are underlined. These abbreviations are
used in the columns of Table 4 and 5):
Information (or the data)
− Data, databases, data warehouses,
Software
− Application programs, DBMS,
System
− Servers, desktops, networking devices
People
− Management, users, contract workers
Services
− Internet, HVAC, power
Documents
− Agreements, contracts, legal papers
Thus we can trace the vulnerabilities of the infor-
mation system to the vulnerability of an individual
component. We can use the Table 4 to identify and
document if any of the information system compo-
nent is vulnerable to any of the threats identified
during our study.
Identifying Action Plans
We need a number of detailed information secu-
rity policies to address the multitude of vulnerabili-
ties of the information system components which
could be exploited by threats and compromise the
confidentiality, integrity, or availability of our critical
business systems.
We need to formulate individual policy state-
ments which address each of these vulnerabilities
and the way to control them. We can use the Table 5
to pair the threats and vulnerabilities and link them
to the information system components under attack.
Remember, one threat can exploit multiple vulner-
abilities of multiple components.
The next step will be to define the action state-
ments against each threat and vulnerability combi-
nation for each of the affected information system
component so that we can reduce the possibility of
Operating the threat exploiting the vulnerability of the compo-
nent and compromising the security.

Kadam 252
Table 5  Threat—vulnerability pairs and the action statement to address the risks

Confidentiality Integrity Availability Action Policy

Threat Vulnerability In So Ha Pe Se Da In So Ha Pe Se Da In So Ha Pe Se Da statement reference
                                       
                                       
                                       
                                       
                                       
                                       

The action statements could consist of a variety because the organization believes it is the best prac-
of actions. These could include deploying various tice to follow. Whatever the reason, it should be
technical solutions such as firewall, IDS, or antivirus stated clearly.
software or defining some physical measures such We would start the process of writing the infor-
as barriers or certain administrative (e.g., separation mation security policies by first selecting appropriate
of duty) or punitive (e.g., disciplinary actions) mea- control objectives that need to be achieved. These
sures. Each of these becomes an action statement. can be selected from a standard such as ISO 270014
or a framework such as ISO 177994 or COBIT3 or a
compliance requirement such as the Health Insur-
Writing Information Security Policies ance Portability and Accountability Act of 1996 (HIPAA)
or Basel II or a law such as the European Union
We now call upon our six honest serving men. The Data Protection Act. The selection will depend on
answers to who, what, and why will be included in the requirements of the organization.
policies. How, where, and when will be answered by The next step will be to write appropriate poli-
the procedures. The final list of information security cies that meet the requirements of the control objec-
policies may be large as each policy will be written tives. This will be followed by writing the detailed
with a specific what in mind. The what is answered procedures. The policies will cover the adminis-
by the selection of a control objective. The control trative, technical, management, and legal require-
objective is defined as a “statement of the desired ments. While writing the policy, we should ensure
result or purpose to be achieved by implementing that the action statements fall at right places in the
control procedures in a particular process” (Cobit policies. For example, if we have identified the
4.1, IT Governance Institute). threat of information theft and the vulnerability is
Further, the control is defined as “means of man- the weak implementation of the password, affecting
aging risk, including policies, procedures, guide- confidentiality of the information, then the action
lines, practices, or organizational structures, which plans will be:
can be of administrative, technical, management, or
legal nature” (ISO/IEC, 2005, 17799). ⦁ Administrative
Who will achieve the control objectives by imple- − Provide appropriate training.
menting appropriate control procedures? We need ⦁ Technical
to define specific roles and responsibilities. The − Enforce strong password selection through
responsible persons should clearly know why the appropriate parameters.
control objective needs to be achieved. The why ⦁ Management
gives the main motivation factor behind the infor- − Ensure that the password policy is approved by
mation security policy. It may be a legal require- management.
ment, a contractual obligation; it may be required − Ensure user acceptance by asking them to sign
appropriate form.
 http://www.itgi.org ⦁ Legal (or compliance) requirements
 http://www.iso.org − Define disciplinary action.

253 Information Security Policy Development and Implementation

 Yet another threat could be information theft,
unauthorized modification and nonavailability due
to weak network security. Then the action plans will
be:
⦁ Administrative
− Background check of employees and contrac-
tors working in network administration.
⦁ Technical
− Access control lists, firewall, server hardening,
IDS and so on.
⦁ Management
− Periodic review of security incidences
⦁ Legal requirements
− Appropriate non disclosure agreements with
the networking staff and contract workers
How Many Policies?
You can classify policies in various groups:
⦁ For defined target group
− Everyone in the organization
− System managers, administrators
− Management
⦁ For specific topics
− Information classification
− Physical and environmental security
− Operations management
− Data communication
− Network security
− Back-up
− Access control
− Password
− Incident management
− Business continuity
⦁ Department specific topics
− Application development
− Compliance
You may be required to define additional poli-
cies for particular topics. For example, the topic of
access control could spawn many polices like oper-
ating system access control, database access control,
remote access control, and so on. Dividing policies
into target groups will help you to train the people
only for the specific policies.
Kadam 254
Writing Procedures and Guidelines
Remember, the how, where, and when will be
answered by procedures. We need to write answers
to these questions. Procedure is a step-by-step
method of “how to do it.” It may be a simple thing
such as selecting a password or a complex proce-
dure for defining access control rules on the firewall.
The “how” should document the entire procedure in
as simple a manner as possible. If appropriate, you
may use flow charts or decision tables or any other
method to convey the message.
The “where” will describe the location or the
workstation or the right place where the procedure
will be performed. For example, a fire evacuation
test procedure will be performed in the office or the
data center. The answer to “when” in this case may
be, last Friday of every month, between 3.00 and
4.00 p.m.
Clearly written procedure will be a great help
when implementing any policy.
You may also include additional guidelines to
supplement the procedures. For example, a guide-
line on how to select a complex password, which is
also easy to remember, will be greatly appreciated.
IMPLEMENTATION
You have completed all the back office work.
You made your six honest serving men slog day
and night. Now is the time to deliver the great meal
that you have cooked. Implementation is the hardest
part. The acceptance by the organization depends
on many factors. You will have to constantly battle
with conflicting demands of security versus ease of
use. Implementation cannot be done just by issu-
ing a fiat. Human ingenuity will always find ways
of circumventing things which are viewed as obsta-
cles. You have to take the entire organization in
confidence.
Implementation at the Top
Where do you begin your efforts? The answer is, as
usual, at the very top. Top management has to give its
whole-hearted approval to all the policies you have
developed. These policies will have ­proposed many
changes. These changes will be of different types.
Some will be mere procedural changes, but some
may require a totally new approach. Some changes
will be technical in nature, others will be adminis-
trative. Changes will affect everyone in some way or
another. By proposing the information security pol-
icy, we are trying to introduce discipline in handling
information for the organization. Discipline brings in
restrictions and restrictions are usually resented, at
least in the beginning.
New information security policy may also require
additional investment in people, processes, and
technology. You will have to prepare budgets and
also do a cost/benefit analysis to justify the expendi-
ture. So, you will have to prepare a full report on the
new information security policy and present it to the
top management forum. The report should include a
complete project plan giving details of the activities
required to implement various policies. These activi-
ties will include procurement and implementation of
new equipment or techniques such as firewall, IDS,
single sign-on, and so forth. It will also include train-
ing plans for the entire organization. It will specify
how the implementation activities are to be moni-
tored and reported and, answer the most important
questions that top management loves to ask, what is
the return on security investment (ROSI).
How do you prepare and present the report? Ask
our six honest serving men to help us. Explain to the
top management the answers to the six questions we
are so familiar with: what, why, how, who, where,
and when, through your report and presentation:
What are the information security risks that
were identified?
What is the total investment in security?
What is the ROSI?
Why are these risks so critical?
Why is the business impact due to these risks
not acceptable?
How will information security policies help
mitigate these risks?
How much money will be spent in procuring
the security products and techniques and
implementing them?
How much time and money will be spent on
training all the persons in the organization?
Who will be responsible for the successful
implementation of these policies?
255 Information Security Policy Development and Implementation
Have we assigned responsibility for each
policy?
Where is the implementation planned?
Will the implementation happen at all locations
or only at selected locations?
When is the implementation planned?
Will it be a big-bang approach or a phase-wise
approach?
You will have to be very well prepared to defend
your proposal. Especially tricky part will be the
response to the questions regarding ROSI. You will
have to convince the top management that avoiding
a security incident is much cheaper than paying for
the losses that a security incident may cause. The
return will be the savings from the potential future
losses. Once you have got the approval, you have
won half the battle.
Next step will be to prepare a training program
especially for the top management. You will have
to clearly explain their ongoing role in information
security for the organization. They will have to lead
the organization by setting good example. If the
boss participates in a fire evacuation drill, no one
will pretend to be too busy and avoid such exer-
cises. If the senior management regularly changes
the passwords and learns how to encrypt the data
on their laptops, no one will complain about the
extra work involved to secure the information. The
top management will have to “walk the talk” and
demonstrate complete adherence to the information
security policy that they have endorsed.
Implementation at the
Operations Level
This is where you will train the actual implemen-
tation team. The system administrators, network
administrator, and various other operations staff will
be made familiar with the new information secu-
rity policy. They would be already familiar with the
approach. They would be specifically trained on
their areas or responsibilities so that they will have
an in-depth knowledge of the technology used and
the new procedures to be followed. We will seek
help of our six faithful servants to make sure that
we do not miss anything of importance. We provide
answers to the following questions during the imple-
mentation at this level:
 What are the new requirements of the infor-
mation security policy in individual areas of
operation?
What are the new products and procedures
being implemented?
Why these products and procedures were
selected?
How do these products and procedures work?
How do we configure and customize them?
How do we test them?
How do we maintain them?
How do we trouble-shoot them?
Who will be responsible for each product and
procedure?
Where will the products and procedures be
implemented?
When will the products and procedures be
operational?
We will have to design the technical training pro-
grams for specific security products and procedures
selected for the implementation. The operations
persons will have to become very well-versed with
handling the new security measures. They will also
need to be trained on various reporting and escala-
tion procedures. Incident management and response
team will require specialized training. The business
continuity and disaster recovery team also will need
specialized training.
All these training programs will have to be com-
pleted before the actual implementation. Operations
staff should be made responsible for implementing
the security controls. This will build their confi-
dence, expertise and the sense of ownership.
Implementation for Everyone
This can only be done by a major drive to educate
everyone. The right message should reach the right
people. The training programs have to be designed
keeping in mind the actual groups being addressed.
The trainer has to talk the language of the audi-
ence. The same training that goes well with system
administrators will be received with stony silence
or yawns by the general users. Only the relevant
policies and procedures should be covered for each
group. You may have to customize the training pro-
grams. The application programming group may
require different training programs compared to the
helpdesk staff.
Kadam 256
The training programs should be designed to pro-
vide convincing answers to our six questions.
1 . What is the objective of the information security?
2. Why is it necessary to follow the information
security policy of the company? Will something
really go wrong if we do not follow the policy?
Can you give us some examples?
3. How do we work with all these security controls
around us?
4. Who is responsible for the information security?
Am I really responsible for every piece of infor-
mation that I access?
5. Where are the security controls? Are they imple-
mented in my area of operation? Are they imple-
mented on e-mail servers, web servers, desk-tops?
Are there physical security controls? Where are
they located?
6. When these security controls are going to be
made operational?
You may devise various ways of delivering the
training. It could be a classroom training or Web-
based e-learning or video-based training. There
should be some amount of interactivity in any type
of training. The audience should be made to par-
ticipate in answering our famous six questions per-
taining to the training topics designed for them. If
they get involved in answering these questions, they
will start appreciating the reason for the policy, the
necessity of implementing the procedures and more
importantly, their own role in guarding the informa-
tion assets of the organization.
You have properly developed the information
security policy when the end users can answer the
six questions. You have correctly implemented it
when they feel responsible for their role.
BIOGRAPHY
Avinash Kadam is the Chief Knowledge Resource at
MIEL e-Security, a company in the domain of Infor-
mation Security Consulting, Training, Implementation
and Audit. He has worked in the I.T. industry for more
than 35 years of which the past 10 years were totally
focused on Information Security. He has handled
major information security consulting projects for large
organizations.