Introduction
Rudyard Kipling probably had no idea that his Six Honest Serving Men would be employed by modern day computer scientists, engineers, and architects for diverse applications. John A. Zachman used them for defining Enterprise Architecture whereas John Sherwood used them for defining Enterprise Security Architecture. These faithful servants serve anyone seeking a deeper understanding of any complex subject. They are the six simple questions starting with: what, why, how, who, where, and when. If you persist in getting the answers to these six questions, a seemingly impossible task such as developing an information security policy, which is relevant to the business, covers major risks and is practical to implement can actually be done with confidence.

Let us look at the policies which are developed for other business functions. We will look only at two examples, the financial policy and the human resources policy, and ask our six honest men to find if these policies indeed do what they are expected to do. We will simultaneously map the possible answers to these questions about information security policy.
What do these policies contain? The financial policy provides overall direction which the organization should take for having a sound financial basis and which leads to successful business operations. The human resources policy provides the basis for attracting the right talent and retaining them, by employing the right people for the right job for the right remuneration.

Address correspondence to Avinash W. Kadam, MIEL e-Security Pvt. Ltd., Education Services, C-611/612/Floral Deck Plaza, Mumbai 400014, India. E-mail: awkadam@vsnl.net
http://www.zifa.com
http://www.sabsa.org

Does the organization’s information security policy identify the information which is critical for the business? Does it provide the direction to perform the business functions in a safe and secure manner?

Why are these policies defined? The financial policy contains the accumulated financial wisdom on what is appropriate for the business. It provides for the consistency of financial decisions. The human resources policy is based on the sound values of human dignity and fair treatment. This provides an anchor for the right way to deal with people.

Does the organization’s information security policy provide a clear insight into the information security issues while dealing with the business processes?

How are these policies used? The financial policy is always referred to while making the business decisions. The human resources policy is consulted while taking complex decisions affecting the careers of the employees.

Is the organization’s information security policy referred to when a decision about the right approach for the information usage is to be taken?

Who uses these policies? The senior management constantly refers to both the financial policy as well as the human resources policy to evaluate any decision to be taken by them.

Does senior management refer to the organization’s information security policy to confirm whether their decisions conform with such a policy?

Where are these policies used? The financial policy is used for taking all the financial decisions by the company. The universal applicability of the policy ensures consistency of all the actions. Similarly, the human resources policy is the guiding light for all the decisions taken pertaining to the people, irrespective of whether the decisions are taken at the corporate level or at the remote branch location.

Is the organization’s information security policy followed universally within the organization, and do all the information security decisions demonstrate consistency?

When are these policies used? The financial and human resources policies are used almost constantly. The organization stops functioning if it ignores these policies.

Can we say the same about the organization’s information security policy? Is it used each time information access is granted or revoked?

HOW TO SELL INFORMATION SECURITY POLICY TO THE ORGANIZATION

After reviewing the answers to the six questions, we realize that we have a lot of work to do before the information security policy is considered as important for the organization as the financial or human resources policy. The usual skeptical question will be: if we have been surviving quite well without an information security policy so far, why do we need it now? We will have to do much internal convincing or selling before the organization is converted to believing in the importance of the information security policy and implementing it in a wholehearted manner.

We have always needed a financial policy to run a successful business. I am sure that we had a sound financial policy even in the days of businesses based on barter. The human resources policy became essential in the industrial age because labor unions demanded fair treatment for the workers. It has taken centuries of effort for both the financial policy and the human resources policy to become well accepted and considered essential for sound business. Comparatively, the information age is very young. Although we started using information as a major resource during the past few decades, the major thrust to the information age came from the commercial exploitation of the Internet, which started hardly a decade ago. This is probably one of the reasons for the casual approach we witness while dealing with information security.

Where do we begin our efforts? The answer is, of course, at the very top. But do you think that we will get the top management’s attention and interest if we do not talk the same language that they speak and show the same concerns about the business as they have? How do we get the mind space of the CEO, CFO, and other C-suite occupants? Let us ask our six honest serving men.

What are top management’s concerns? How do we grow the business, make it efficient and effective, and beat the competition? Do we, as information security experts, have some information security concerns which could affect the business? Can we recommend some information security approaches which will help grow the business, make it more efficient and effective, and beat the competition?

Why is top management indifferent about information security policy? Of course the business
Table 1 Business impact analysis for business process ‘A’
Your objective is to understand the impact of information security on the business, favorable or otherwise. The top management is in the best position to articulate their perception by answering questions like the following:

⦁ What is the critical information for running the business process?
⦁ Why is it critical?
⦁ How can you run the business if this information is not available to you when you need it?
⦁ Can you run the business if the information is not correct or if it is stolen?
⦁ Who is responsible for guarding the information?
⦁ Where is it located?
⦁ When does the information become critical for your business?

When you pose these questions, you can keep some examples ready to explain the concept. You can also give examples of some actual information security incidents and the impact these had on (hopefully other people’s) business. Do you need a quantitative assessment of the business impact of loss of confidentiality, integrity, or availability at this stage? Probably not, but noting down the responses is important. You may get these responses quantified during subsequent interviews with the middle management and the operational staff. It will help you to develop the answers into a fully quantified statement when the risk mitigation measures are decided and their costs have to be justified.

We can design a matrix around our six questions and the three pillars of security, namely confidentiality, integrity, and availability (see Table 1). These interviews will reveal the business impact resulting from loss of confidentiality, integrity, or availability of information as perceived by the senior management. Capturing their concerns will help us in formulating the top level information security policy which will be understood and accepted by them.

Top Level Information Security Policy

How does the BIA help us in formulating the top level information security policy? Actually, we have just found out all the reasons why there should be a top level information security policy. The answers that we got from asking the six questions for the three attributes for all the critical business processes can be summarized in the top level information security policy. We may even write the policy as if we are writing answers to the six questions. The top-level information security policy may look something like this.

“(What?) The organization recognizes information as one of the key resources, which helps in running a very successful business, delivering various goods and services (we may be more specific here) to our customers and meets the expectations of the stakeholders.
Table 2 Identification of threats for business process ‘A’
Table 5 Threat—vulnerability pairs and the action statement to address the risks
The action statements could consist of a variety of actions. These could include deploying various technical solutions such as a firewall, IDS, or antivirus software; defining some physical measures such as barriers; or certain administrative (e.g., separation of duty) or punitive (e.g., disciplinary actions) measures. Each of these becomes an action statement.

Writing Information Security Policies

We now call upon our six honest serving men. The answers to who, what, and why will be included in policies. How, where, and when will be answered by the procedures. The final list of information security policies may be large, as each policy will be written with a specific what in mind. The what is answered by the selection of a control objective. The control objective is defined as a “statement of the desired result or purpose to be achieved by implementing control procedures in a particular process” (Cobit 4.1, IT Governance Institute).

Further, the control is defined as “means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of administrative, technical, management, or legal nature” (ISO/IEC, 2005, 17799).

Who will achieve the control objectives by implementing appropriate control procedures? We need to define specific roles and responsibilities. The responsible persons should clearly know why the control objective needs to be achieved. The why gives the main motivation factor behind the information security policy. It may be a legal requirement or a contractual obligation; it may be required because the organization believes it is the best practice to follow. Whatever the reason, it should be stated clearly.

We would start the process of writing the information security policies by first selecting appropriate control objectives that need to be achieved. These can be selected from a standard such as ISO 27001, a framework such as ISO 17799 or COBIT, a compliance requirement such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Basel II, or a law such as the European Union Data Protection Act. The selection will depend on the requirements of the organization.

The next step will be to write appropriate policies that meet the requirements of the control objectives. This will be followed by writing the detailed procedures. The policies will cover the administrative, technical, management, and legal requirements. While writing the policy, we should ensure that the action statements fall at the right places in the policies. For example, if we have identified the threat of information theft and the vulnerability is the weak implementation of the password, affecting confidentiality of the information, then the action plans will be:

⦁ Administrative
− Provide appropriate training.
⦁ Technical
− Enforce strong password selection through appropriate parameters.
⦁ Management
− Ensure that the password policy is approved by management.
− Ensure user acceptance by asking them to sign the appropriate form.
⦁ Legal (or compliance) requirements
− Define disciplinary action.

COBIT: http://www.itgi.org
ISO: http://www.iso.org
changes. These changes will be of different types. Some will be mere procedural changes, but some may require a totally new approach. Some changes will be technical in nature, others will be administrative. Changes will affect everyone in some way or another. By proposing the information security policy, we are trying to introduce discipline in handling information for the organization. Discipline brings in restrictions, and restrictions are usually resented, at least in the beginning.

A new information security policy may also require additional investment in people, processes, and technology. You will have to prepare budgets and also do a cost/benefit analysis to justify the expenditure. So, you will have to prepare a full report on the new information security policy and present it to the top management forum. The report should include a complete project plan giving details of the activities required to implement the various policies. These activities will include procurement and implementation of new equipment or techniques such as a firewall, IDS, single sign-on, and so forth. It will also include training plans for the entire organization. It will specify how the implementation activities are to be monitored and reported, and answer the most important question that top management loves to ask: what is the return on security investment (ROSI)?

How do you prepare and present the report? Ask our six honest serving men to help us. Explain to the top management the answers to the six questions we are so familiar with: what, why, how, who, where, and when, through your report and presentation:

Have we assigned responsibility for each policy?
Where is the implementation planned?
Will the implementation happen at all locations or only at selected locations?
When is the implementation planned?
Will it be a big-bang approach or a phase-wise approach?

You will have to be very well prepared to defend your proposal. An especially tricky part will be the response to the questions regarding ROSI. You will have to convince the top management that avoiding a security incident is much cheaper than paying for the losses that a security incident may cause. The return will be the savings from the potential future losses. Once you have got the approval, you have won half the battle.

The next step will be to prepare a training program especially for the top management. You will have to clearly explain their ongoing role in information security for the organization. They will have to lead the organization by setting a good example. If the boss participates in a fire evacuation drill, no one will pretend to be too busy and avoid such exercises. If the senior management regularly changes their passwords and learns how to encrypt the data on their laptops, no one will complain about the extra work involved to secure the information. The top management will have to “walk the talk” and demonstrate complete adherence to the information security policy that they have endorsed.