Information Security Program Development
Bruce C. Gabrielson, PhD
SAIC
Center for Information Security Technology
Columbia, Maryland
Introduction
Formal adherence to detailed security standards for electronic information processing systems is necessary for industry and government survival. Security standards are needed by organizations because of the amount of information, the value of the information, and ease with which the information can be manipulated or moved. While information security programs are sometimes implemented following an actual loss or incident, prudent business organizations address security early in their corporate life.
For most business enterprises, the concern for physical security is best understood and, as a result, addressed first. However, information security puts the emphasis on protecting the information stored in or processed by the system rather than focusing on simply protecting equipment[1]. Therefore, if the enterprise depends on data processing, a comprehensive information security program covering computing issues will soon follow.
Corporate Objectives
Ensuring its survival and profitability is the fundamental driving objective of the corporation. In the modern business environment, profitability and survivability depend on information. Regardless of the enterprise's business, all of the corporate data resident on the enterprise's computer systems is both valuable and vulnerable.
Because today's business enterprise has extensive electronic communication pathways (computer networks and telephone systems, for example) extending well beyond the physical bounds of the business operation, internal vulnerabilities may be exploited by external threats as well as internal ones. The consequences can be loss or modification of critical business data, disruption of services, or compromise of proprietary business plans or processes. A high school student, working from his bedroom, can easily erase all of a company's billing records and halt cash flow for weeks or months. Even well-protected businesses (as well as government organizations) may be vulnerable to attacks on corporate web pages. There are trivial attacks that will give any intruder access to the source of a corporate web page. While the page itself is of no intrinsic value, the loss that may occur if the home page is converted to a competitor's, or modified to include obscene or offensive pictures and text, might be incalculable.
In today's corporate environment there often exists a conflict between security objectives and operational requirements. Marketing, finance, engineering, and management all produce and use data that are critical to that organization's business activities. In addition, within government or the defense industry, some of this data could be considered classified (i.e., SECRET, TOP SECRET, etc.) or unclassified-but-sensitive, requiring even stricter controls for its protection. Therefore, despite the pressure to overlook security needs, successful and responsible organizations will have a written security policy and formal security plans and procedures in place to guide their employees, as well as their business, in protecting their computing assets.
It is very important that management is able to quantify the benefits of a security program as a function of costs. These benefit:cost tradeoffs are essential if one is to be able to justify a security program. In order to formalize this analysis process, certain concepts must be considered:
Thus, the security policy and risk go hand in hand: policy is needed to reduce risk, and the risk analysis is used to justify a security policy.
Responsibilities of Management and Employees
If both management and employees understand their respective responsibilities for protecting computer data, it follows that they must also recognize the problems they face in developing and implementing a security program.
Management has the ultimate responsibility for implementing a data security program based on an assessment of business risk (corporate cost/benefit tradeoff) and an information system (IS) security risk assessment. All levels of management must be involved (and held accountable) to ensure the program is understood and properly implemented. Management must understand that they are legally responsible for the integrity of corporate data assets just as they are for other assets of the corporation.
Employees must recognize that the corporate data on their computers is both valuable and vulnerable. They must understand their legal responsibilities regarding the unauthorized release of sensitive data. Note that sensitive data means data that requires protection due to the risk and magnitude of loss or harm that could result from its unavailability, disclosure, alteration, or destruction.
The means of ensuring employee understanding and/or recognition of their responsibilities varies. User/employee security awareness training is one of the most common means available to achieve recognition of responsibility and computing asset worth. Some organizations require personnel to sign an agreement that includes the protection of computing assets as a condition of employment, while others require signed agreements as a condition of allowing a connection to the organization's network. Another recognition means often implemented is the use of security login banners, which are displayed whenever a user logs onto the corporate network.
The following table summarizes the related responsibilities for various management levels within a typical corporation:
Notice in the above list that operational IS security is not a direct concern of upper management, but the protection of information assets certainly is. Also notice that the IS Security Manager is the key to development and enforcement of a comprehensive security policy. Without this individual physically inserted into the management process, a security program will not be implemented or enforceable, and upper management will not be able to provide for the protection of its information assets.
Recognizing the Scope: Enterprise-wide Security
IS vulnerabilities, in general, relate to the weak points of the tangible computing assets in the corporation, and how exposed these assets might be to exploitation. These vulnerabilities can vary greatly depending on the network or stand-alone environment used by the corporation. Obviously, the weakest link in the security chain is also the most vulnerable point. Since the three basic goals of computer security are ensuring secrecy, integrity, and availability of data, vulnerabilities of a computer-oriented business can include just about everything related to the business operation. Typical assets are hardware, software, data files, support documentation, people, and outside communications.
Employee motivation is a key feature of computer security. The disgruntled employee who imports or develops a virus generally does so for revenge. He wishes to "get back at management" for that tiny raise, or the overlooked promotion. Crackers who break into protected networks or sensitive files are motivated by peer pressure or simply entertainment. Industrial spies could be driven by political or financial reasons. Regardless of motivation, the personal perspective of individuals who have access to corporate computing assets is of critical importance. Ultimately, the employees must be motivated to recognize the need to protect company information and to report attempts by outsiders to obtain access to that information.
Those individuals who have access to corporate computing assets are those who have the opportunity to create problems. This opportunity relates not only to employees, but also to those who are external to the corporation but might gain access based on weak network protection techniques. Opportunity, or more correctly access control, is therefore the foundation of security for information systems.
Four Basic Security Threats
In general, there are four kinds of computer security threats: interruption, interception, modification and fabrication.
Security Policy Objectives
A comprehensive data security program will involve both people and information. The typical activities included in such a program are:
Security Policy Statement
The policy objectives are set forth in the security policy statement, which is the cornerstone of any effective program for managing and controlling an organization's information assets[2]. Policies are the high-level guidance or vision directing the organization. The statement establishes the basic philosophy of the organization and determines the functional areas where controls must be established. Implemented by management to provide information, control, and direction, the IS Security Policy is used to support the development of the subsequent security program. According to Peltier[2], a good Infosecurity program policy statement must do a number of things:
The security policy statement should describe what information should be protected as well as the extent of allowable distribution. Responsibilities should address all levels of the organizational structure, stating who is responsible for complying with the policy and who is responsible for making sure that the classifying policies are enforced. Each employee's security role should be spelled out; the consequences of non-compliance must be linked to those roles and attendant responsibilities.
Monitoring and enforcement address when the policy becomes effective, the conditions under which the policy is enforced, and how it will be monitored. For instance, does it apply only to a specific group of employees while working in the organization's facilities, or does it also apply to employees on travel or in the field? Normally, background on the need for a policy is also incorporated.
The policy statement should be short, easy to read, and not incorporate technical terms. It must also be unambiguous, so that no one can be exempted from the requirements. One method of ensuring accountability is to incorporate an employee acceptance page at the end of the document which must be signed and returned to appropriate management personnel. This form could also become an annual requirement delivered as part of annual security awareness training.
Don't forget that people can make or break a policy.
Developing the Final Security Implementation Program Plan
The typical areas a security program might include are identified below:
Physical Security. Prudent measures to provide for physical security include the installation of appropriate fire-rated walls, physical access controls to the facility and processing areas, automatic fire detection and extinguishing systems.
Contingency Plan (Disaster Recovery Plan). This aspect of a security plan is based on the realization that if a disaster occurred, the organization must be able to resume its critical processing. It requires the identification of those applications critical to survival, e.g., storage of the related operating systems, operator instructions, utilities, programs, and data in an off-site storage facility. The most crucial aspect of this program is testing the plan using the designated alternate processing site. Many a disaster recovery plan has failed because it was never tested, and when it was needed, no one knew what to do.
Protected Data Controls. Aside from personnel, the most vital computer-related assets are programs and data. They must be protected by proper identification and authentication of the user. Properly controlled, this will ensure that the user is who he purports to be and that he is authorized to have access to the data. This control ultimately resides at the disk level, but addresses all four computer security threats: interruption, interception, modification, and fabrication.
Network Security. Networking systems have evolved into a highly technical discipline. Many organizations rely heavily on these systems to communicate and gather information. Because of this dependency, network systems normally require special security processes, continual proactive security testing, contingency plans, and data access controls over and above corporate controls.
Training and Awareness Program. Without some guidance at the user level regarding appropriate protective measures and actions, the best conceived security plans are not going to cover everything that can happen. Training has become an essential part of ensuring responsible employee use of their computing assets.
Each area is critical for the overall security program posture, and each should be covered in the final security plans and procedures. However, the protected data controls area and the network security area set the baseline for formal IS Security programs, and are usually combined into the overall IS Security Plan for a corporation. The information flow and timeline for the overall security program is shown in Figure 1. Note that nothing can be done until a security policy is implemented, based on the initial business risk assessment. After that, nothing should precede the formal IS risk assessment process, and so on through the sequence shown.
Figure 1 - IS Security Program Flow
Conclusion
This article has provided a simplified overview of the principal corporate objectives in developing security policy and related plans. Each of the topics raised could take many pages to cover adequately; this article hopes to encourage managers to look more deeply into the development of security policies and plans and subsequently develop a formal IS Security Plan, a Disaster Recovery Plan, and the procedures governing corporate physical security safeguards for their own enterprise. Each organization has its own unique computing needs and corporate objectives. Merging the two to allow easy acceptance of security controls while fully protecting the corporation's computer information assets is no simple task.
Bibliography