
Tue 14 Oct 2008 04:00 AM


Policy formation 101

There is no tomorrow when writing a security policy. Sathya Mithra Ashok finds out what makes for an effective policy document, and how companies can go about putting together a comprehensive statement of intent.


Security policies are where companies start when they want to plan their security investments in technology properly. Or rather, they are where companies should start before making those investments.

"From the security point of view, having a policy in place is one of the most over-looked elements. More than 98% of companies in the region do not have a security policy. Even when they do have a policy, it is almost always copied from a book. As a result, they are not designed in line with a company's core requirements," says Faisal Khan, senior security consultant at McAfee Middle East.


But as with almost everything connected to technology in the Middle East, there is always a counter-opinion.

"Surprisingly, I have seen a tremendous improvement in at least the larger organisations, that is ones with 500 or more employees. We always see that they have a security team in place, they have a security framework, if not a comprehensive policy, that they adhere to. These larger organisations that we have been working with, they take a very serious view of security, because they know that somewhere in their history, at some point or the other, they have been at the wrong end of ignoring such policies," states Guru Prasad, general manager for networking at FVC.

A formal document stipulating security rules is essential in any organisation, not only to educate employees on the range of external threats and how to protect themselves against them, but also to inform them so that inadvertent data losses from within the organisation can be prevented.

Many enterprises in the Middle East, especially those below the 500 personnel mark, still lack a comprehensive security policy or even a framework to work within. A lot of these organisations, however, in the light of their increasingly global interactions, are working towards putting their very first policies in place. And a majority of them are discovering that this is not as easy as they had hoped.

At ground zero

The secret to an effective security policy begins at home, and the first place to start when an organisation wants to put a policy framework down in writing is right at the top.

"The first place that any organisation should start at is to get the initial and sustained executive buy-in, from the CEO right down to the key corporate stakeholders in the company. This is absolutely the first place to start. I have been part of a fair number of policy writings in my time and I have seen that most policies fail if they do not have executive buy-in," states Prasad.

Once you have got the management in the loop, the next step would involve setting down the company's main objectives.

"A security policy should always be designed keeping in mind what the company's business is and what its larger objectives are. A bank will or should have a totally different security policy, and a comparatively rigid one, while a run of the mill large enterprise will have a security policy that is slightly lenient. Essentially and ideally, the security policy will have to differ from organisation to organisation," says Khan.

The identification of company objectives should be followed by an analysis of the data that flows within the firm's systems.

"The organisation needs to identify what they are trying to protect; that is one of the most important things. They should also identify who they are trying to protect it from. This will mean that they will need to narrow down the threats that they face," states Ganesh Lakshmanan, security team lead at CA in the region.

"You need to first of all identify all assets that you are trying to protect, identify the vulnerabilities and the threats associated with that, and the likelihood of the threats happening. If you feel that the threat is small but the likelihood is high, then calculate the loss that you will suffer. These are very important details to identify, so that the cost of a threat is known," adds Lakshmanan.


He stresses the need for an initial risk assessment, conducted by an external consultant, as an essential step for organisations before they get to writing the policy. The organisation can use all the processes above to recognise what it wants the specific policy to achieve. Ideally, policies should also outline incident response and escalation routes, if not deal with disaster recovery as a fully fledged topic.

Apart from the above, it is essential to understand user behaviour within the company, and how willing users will be to change procedures for the greater security picture.

"In my belief, the whole thing starts with an understanding of the way in which you want your users to behave. Previously too much was based on negative security models. It was always a 'thou shalt not, do not do this, do not do that and you are not allowed' style of security. But what we have seen now within information security, is that there are much more sophisticated behavioural analysis tools, that allow you to measure the way that your data is used. This allows companies to have a positive security model, where they can understand what their staff normally does and ingrain that in their policy, as well as regularly evolve it," states Paul Davie, founder and COO of Secerno.

"The organisation should also ideally ensure that there is at least a security policy working group or a steering committee, that actually ensures this process can be institutionalised, that there is a definite course and proper continuous review," says Prasad.

According to him, the key stakeholders and representatives of organisational departments should be a part of the team.

"The steering committee should include personnel or representatives from IT, operations, security - both physical and technological. It should include legal counsel. If the organisation has an in-house team they should be included in the formation process; if they do not have one, they should get some outside legal advice once the policy has been formed to ensure the validity of the document. The procurement or purchasing department should be there. If they have a contracts department, they should be on the committee. The human resources and finance departments must be included, because they support the sustainability of the policy. For very large organisations that touch the public, the public relations department should also be involved," states Prasad.

Prasad emphasises that the CEO of the company should chair any steering committee meeting or any policy approval meetings. He will have to be the one who actually approves the policy and also ensures compliance across the organisation. While the steering committee will be involved in setting down the basics that will go into the policy, the actual writing of the policy will have to be done by the relevant experts.

"The actual policy should be written by professional writers. We have seen that when policies are written by the purely technical guys, even with the guidance of the steering committee, they tend to be either too comprehensive and over-engineer the policy, or they tend to make it too broad. This is why it is crucial to have a competent writer forming the policy," states Prasad.

Khan agrees: "For writing the policy, the company needs to hire a good security technical writer. These are people who have experience in writing security policies. They are available in the Middle East, and if companies are willing to pay the price, they can get the quality that they require as writers."

Once a draft has been done, it should be circulated among employees, as well as the steering committee, for further negotiation and changes, leading to an eventual consensus.

Written on stone

While that may appear deceptively simple, the truth is that organisations can and do tend to make a lot of mistakes on the way to forming their first policy. If not rectified or altered in time, these mistakes can prove to be the death knell for security in the organisation.

"Some mistakes are really glaring. In most of the cases where I have seen policies fail, it was because they lacked an initial or sustained interest from the executives. Another issue is that from day one, the objectives on which the policy is based are faulty. The third mistake involves engineering. I have seen teams that build reams and reams of paper with policy and procedures, which no one actually bothers using. As organisations get larger, they do tend to over-engineer policies," says Prasad.

Other mistakes include getting the technical team to write the policy instead of a specialised writer. Organisations may also fail to include the appropriate departments in the formation committee, or work from the negative model instead of the positive one.

"Another common mistake that organisations make is not marketing the security policies properly internally. One important thing to keep in mind is that employees are already loaded with their work and you should not expect them to run after the policies in the intranet to have fun reading them. Therefore, organisations have to be innovative in the way the security policies are marketed to the employees," says Ahmed Etman, security business development manager at Cisco in the region.

Most companies let their policies remain stuck on the wall, or circulated as an internal document, without taking measures to spread the word. This is equivalent to not having a policy at all: if employees are not using it and implementing it in their daily work, the company's security level does not improve.

Employee education on policies needs to be done by way of innovative methods, including the use of cartoons, daily tips, delivering incentives after grading knowledge (through online quizzes and competitions) or penalising behaviour that differs from the set policy.

"It is fair to say that in the majority of cases, even if there is a well-crafted, well put together security policy, it is no guarantee that one, the employees of the organisation will read it, two, understand it, and three, that they will keep to it. If a company were to simply rely on the policy being there without visible enforcements, then they are going to be disappointed with this in due course," says Davie.

"The most important thing is getting them to understand the effects of not complying with the security policies. Generally the easiest way is by telling people what the perils are of not following the policy. The first thing you need to do is say 'hey guys, did you know that someone did this, and this was the result that it had on the organisation, on the person, on that team'. It's very important to talk about the threats and how these threats can affect them. What we used to do is run standards based training but we found that users do not relate as much to it. They relate more to incidents as compared to standards," adds Prasad.

Khan agrees saying, "Whenever there is a security violation in the company, it should be marketed all across the organisation. Only then will people start taking the security policy seriously, otherwise it has no meaning."

The firm should also take adequate measures to keep the security policy updated as part of a continuous process.

"There should be periodic audits of the policy. In a large organisation, this should be done at least once a quarter. There must be a continuous review of all the security devices and threats, and patch management should be a continuous process," says Prasad.

Lakshmanan adds, "If you do not update the policy according to the new development or the new technology change or the new kind of trends that are emerging, the policy can prove to be inefficient in the long term."

Experts recommend reviewing the policy for changes at least twice a year for large organisations. Moreover, if there are any changes in the technology used, or in the business objectives of the organisation, it is essential to revisit the policy and change it as appropriate.

The final call

Writing the initial security policy calls for a lot from an organisation in terms of resources, man-hours and senior management effort.

However, organisations in the Middle East cannot afford not to have a written policy, which they can enforce enterprise-wide not only to improve current security levels, but also to guide their future security investments.

As Lakshmanan puts it, "Not having a security policy is the biggest mistake of all. Organisations believe that implied policy is all that is necessary, and if this is communicated intermittently to employees, then they will behave likewise and data breaches will be minimised, without the need for a formal, written policy. This is not true. A well-written security policy is a basic necessity, and organisations will need to do it."

Tips to writing a better security policy

1. External help - if you do not possess adequate IT skills in-house, call in an external consultant to help you with forming the policy.

2. Identify and locate assets - an organisation needs to have a very clear idea of the kind and amount of assets it has in its network, including physical equipment as well as the data stored on it. Evaluate how much losing these assets would cost the organisation.

3. Assess your risk - you will need to analyse and categorise the various threats that are likely to affect these assets. You will also need to have an idea of the likelihood of threats, and the resultant damage.

4. Access privileges - irrespective of whether it is senior management or not, adopt a strict 'need to know' policy when granting access privileges. Remember that the more passwords you allow, the greater the likelihood of a breach.

5. Perform a site survey - move your assets to safer areas, relocating them so that they are more secure. Look at everything from wiring routes and cables to the entry and exit points of these assets.

6. Classify data - structure your information based on how important it is to you as an organisation, and identify which groups of employees have access to each class.

7. Have a DR plan - incident response and an escalation plan, if not a proper disaster recovery plan, should be part of any security policy. Plan to have that in place from the beginning.

8. Appoint a team for policy enforcement - make someone responsible for ensuring that the policy is enforced across the organisation. Also conduct regular team meetings to establish innovative ways to spread the policy among your employee base.

9. Review response to procedural changes - know for sure whether your employees will be able to adhere to procedural tasks such as keeping their passwords to themselves and locking their drawers before leaving for the night.

10. Update your policy regularly - be ready to make changes to your policy at periodic intervals, as the threat landscape changes and as your internal systems and personnel get transferred or changed.
