Policies and Method of Comparison
Many policies are required to maintain a high level of security within a corporation. While the specific elements of each policy will vary depending on what the policy addresses, it is possible to compare and contrast these policies to check their effectiveness if the proper criteria are used. A commonly used set of criteria for project management is outlined by the acronym S.M.A.R.T. – Specific, Measurable, Attainable, Relevant and Time-Bound.
Specific is a reminder of the importance of having a clearly defined goal and understood answers to the five W questions: who are the people involved in the project, what is being accomplished, where will it occur, which things are required or will pose challenges, and why is it being done, in terms of purpose or goals. A project should also be measurable, with an established method for determining progress. This aspect focuses on how far along the project is and how close it is to completion, which requires knowing what constitutes completion. Teams need measurable objectives to know whether progress is being made and when goals are reached. This leads directly to the A for attainable. Goals can certainly be challenging, but they must be evaluated to ensure they are not so extreme or grandiose that the objective cannot truly be reached. This is generally done by evaluating how the goal can be accomplished and what steps or tasks are needed for completion. Relevancy is also extremely important in determining whether a goal is truly worth pursuing. Finally, goals must be time-bound to provide a target completion date and give the team a frame for timing their progress. Without time constraints a project may become a lower priority than projects with deadlines, leading to delays.
Using these criteria, sample policies on acceptable use, software installation, passwords and disaster recovery will be evaluated. Each area covered by a policy has its own unique requirements, which will be addressed under each aspect of the S.M.A.R.T. criteria. Where any criterion is missing or limited, improvements will be suggested.
InfoSec Acceptable Use Policy
Specific: This policy is somewhat general, as it applies to everyone in a corporation. While broad in scope, it attempts to define limits on the use of company computers in order to reduce exposure to risks such as computer viruses, illicit access to network systems and legal concerns. It remains somewhat broad because it is impossible to validate and filter every outside webpage or resource an employee may need, so the policy relies on the best judgment of employees.
Measurable: This policy is not measurable in the traditional sense, but by laying out what is specifically considered unacceptable use, employees have a baseline against which to measure themselves, and management has something to compare against. Prohibited activities can be defined generally by a top-level policy that is then applied to more specific cases. These include anything that may harm the company, releases non-public information, uses company resources for non-job-related tasks or violates any laws or regulations.
Attainable: While there are many restrictions, they are limited to the scope of employment and the relationship with the company. As an example, blogging about the company is expressly prohibited while blogging about an unrelated topic or hobby is permissible. By establishing clear boundaries for employees, this policy is attainable both from the standpoint of employee compliance and from that of internal monitoring and verification.
Relevant: Acceptable use is always relevant for a company since there are costs associated with company resources being used for unrelated activities. Even if this policy is only loosely enforced initially, having it in place gives the company a strong case if the policy is broken.
Time-Bound: This policy is not really time-bound, as it functions in perpetuity. The only thing that may be time-bound would be if the company required regular compliance testing or training on the acceptable use policy.
Software Installation Policy
Specific: Another policy that applies to all employees of a corporation, this one is also somewhat general. It is closely related to acceptable use, as its goal is to limit corporate exposure by restricting the ability to install programs. This helps to prevent the installation or use of software that has not been vetted and could cause compatibility issues or create a vulnerability. Since all major operating systems allow for the creation of limited user accounts, there are almost no reasons this policy cannot be implemented.
Measurable: This policy can be measured insofar as ensuring unauthorized individuals are not able to install software without the assistance and approval of the technical support department.
Attainable: Assuming there is an efficient process, or reasonable timeframe, for employees to gain access to the software and applications they require, this policy is easily attainable. As was previously mentioned, disabling the ability to install software is an available setting on every modern operating system and only requires competent IT staff to implement and enable.
Relevant: This is highly relevant, as employees who are less than savvy about technology may install illicit software, and even those with high comfort and familiarity could install something that causes compatibility issues with proprietary applications.
Time-Bound: This policy also applies in perpetuity, but does not require training, since establishing a technical limitation is simpler and more effective.
Password Policy
Specific: Another corporate policy that covers all employees, this policy attempts to limit the potential for unauthorized access resulting from weak passwords. The outline, however, does not specify that the requirements will be enforced when a password is set, instead stating that enforcement will occur through random guessing or password cracking. It could be made more effective by enforcing password requirements at creation time rather than simply trying to ensure employees are aware of the characteristics of strong passwords.
Measurable: This policy has a number of measurements. Passwords must be changed at regular intervals, and a list of the characteristics of strong passwords is included as well. For passwords, however, measuring compliance is difficult if restrictions are not enforced at the time a password is established: passwords cannot be kept in any form that can easily be reviewed, and random penetration testing would be very inefficient and time consuming for IT.
Attainable: This depends on enforcement at the time a password is created. If a user can enter anything they want, it is highly likely the password will not conform to the requirements. If, however, a password is not accepted unless certain characteristics are met, this policy is easily attainable.
Relevant: Another highly relevant policy, this is important to limit the possibility of an intruder cracking an employee's password. This policy is missing aspects of password security such as employees not writing passwords down, or not using password protection on important files or when away from their terminal.
Time-Bound: Because of the limits on how long a password can be used continuously and on when it can be reused, this policy has multiple time-bound aspects. Certain passwords must be changed at different frequencies depending on the importance and security level of the related information.
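The password section above argues that the policy is only measurable and attainable if its requirements are enforced at the moment a password is set, that stored passwords must never be kept in a reviewable form, and that rotation and reuse limits make it time-bound. The following Python example, added here and not part of the original essay or any specific corporate policy, shows what such creation-time enforcement looks like: a characteristics check, a reuse check against a history of salted PBKDF2 digests (so no password is ever stored in plain form), and an age check. The page does not list the actual characteristics or intervals, so the thresholds (12 characters, 3 of 4 character classes, 5-password history, 90-day maximum age) and the sample passwords are assumptions constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy parameters: the essay says the policy lists characteristics of
# strong passwords and rotation intervals but does not give them, so these
# values are placeholders chosen for this example.
MIN_LENGTH = 12
REQUIRED_CLASSES = 3      # of the four classes: lowercase, uppercase, digit, symbol
HISTORY_DEPTH = 5         # how many previous passwords may not be reused
MAX_AGE_DAYS = 90         # a password must be rotated after this many days
PBKDF2_ROUNDS = 100_000

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_characteristics(password: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password conforms."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < REQUIRED_CLASSES:
        problems.append(
            f"only {classes} of 4 character classes present, at least {REQUIRED_CLASSES} required"
        )
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains a character repeated three or more times in a row")
    return problems


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class UserCredential:
    # Only salted PBKDF2 digests are kept, so the reuse rule can be enforced
    # without storing anything that could be reviewed to recover a password.
    history: list[PasswordRecord] = field(default_factory=list)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def was_used_recently(cred: UserCredential, password: str) -> bool:
    """True if the candidate matches any of the last HISTORY_DEPTH stored passwords."""
    for rec in cred.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(password, rec.salt), rec.digest):
            return True
    return False


def set_password(cred: UserCredential, password: str, now: datetime | None = None) -> list[str]:
    """Apply the policy at creation time: record the password and return [] on
    success, otherwise return the list of reasons it was rejected."""
    now = now or datetime.now()
    problems = check_characteristics(password)
    if was_used_recently(cred, password):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    salt = os.urandom(16)
    cred.history.append(PasswordRecord(salt, _digest(password, salt), now))
    return []


def is_expired(cred: UserCredential, now: datetime | None = None) -> bool:
    """True if the current password is older than MAX_AGE_DAYS (or none is set)."""
    if not cred.history:
        return True
    age = (now or datetime.now()) - cred.history[-1].set_at
    return age > timedelta(days=MAX_AGE_DAYS)


def run_demo() -> dict:
    """Walk one constructed user through creation, rejection, expiry and rotation."""
    cred = UserCredential()
    t0 = datetime(2024, 1, 1)
    first = set_password(cred, "Tr0ub4dor&3xample", now=t0)         # accepted
    weak = set_password(cred, "password", now=t0)                     # rejected: short, one class
    expired_day_30 = is_expired(cred, now=t0 + timedelta(days=30))    # False
    expired_day_100 = is_expired(cred, now=t0 + timedelta(days=100))  # True
    reuse = set_password(cred, "Tr0ub4dor&3xample", now=t0 + timedelta(days=100))   # rejected: reuse
    rotated = set_password(cred, "N3w-Sec0nd-Choice", now=t0 + timedelta(days=100))  # accepted
    expired_after_rotation = is_expired(cred, now=t0 + timedelta(days=100))          # False
    return {
        "first": first,
        "weak": weak,
        "expired_day_30": expired_day_30,
        "expired_day_100": expired_day_100,
        "reuse": reuse,
        "rotated": rotated,
        "expired_after_rotation": expired_after_rotation,
        "history_length": len(cred.history),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Because every rule is applied inside set_password, the measurement the essay asks for comes for free: a rejected attempt is logged at the moment it happens rather than discovered later by guessing or cracking, and the stored history never contains a reviewable password.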
Computer Disaster Recovery Plan Policy
Specific: This policy is very lacking in specificity and is not an actual disaster recovery plan so much as a request to management to support the idea of disaster recovery planning. The stated purpose is that “this policy defines the need for management to support ongoing disaster planning.” The purpose should instead be about mitigating data loss and downtime and ensuring security in the event of a disaster. The individuals or roles responsible for each aspect of recovery and oversight should be listed, and the actual recovery methods should be stated.
Measurable: While the contingency planning offers some areas that could yield measurable results, no baseline standards are set to say what specifically needs to be accomplished. If this were for a high-traffic website, for example, it would be important to have different objectives for different times of day. If a disaster struck during peak hours, it would likely be more important to be back up and running as fast as possible, even if some functionality were temporarily limited. Alternatively, if it were the middle of the night during the period of lowest traffic, it may be more reasonable to put up a temporary outage message and take some extra time to get everything running optimally.
Attainable: Without clearly defined goals and objectives, this policy outline as written is not clearly attainable.
Relevant: This is highly relevant, as downtime can have a significant negative impact on a corporation. If the company has a public face, a down website can lead to a loss of consumer confidence, especially in times of extremely high traffic. Even if the impact of a disaster is limited to the inside of the company, employees may be unable to complete tasks or production of goods could be stalled, all of which costs the company money. It is important for an organization to be back up and running as quickly and easily as possible after any type of major disaster.
Time-Bound: As written, the plan provides no timeframe within which management should implement some sort of disaster recovery plan. There is one aspect that requires review and updates of the policy on an annual basis, which is likely sufficient for most organizations. With the changes suggested above, this policy would also include regular testing to ensure the efficiency and reliability of the contingency systems in place.
While typically thought of as a project management tool, S.M.A.R.T. provides an excellent template for evaluating the policies of an organization as well. Even unrelated policies can be compared on some level using this method of evaluation. Whether or not an organization uses S.M.A.R.T., it is important for some steps to be put in place to ensure that policies are thorough, reasonable, enforceable and implementable.