What Makes an Effective Information Security Policy?
Karin Höne and J.H.P. Eloff

It is a well-known fact that the information security policy is one of the most important controls needed within an organization to manage the implementation and ensure the effectiveness of information security. The information security policy is essentially the direction-giving document in an organization and defines the broad boundaries of information security. Furthermore, it indicates management's commitment to, and support for, information security in an organization and defines the role it has to play in reaching and supporting the organization's vision and mission.

Unfortunately, a common problem with most information security policies is that they fail to impact the users 'on the ground'. Documenting an information security policy that reflects the organization's vision and mission and at the same time entrenching the policy in the organization so that it becomes a normal and acceptable part of day-to-day operations is difficult at best. Quite often, users are ignorant of the policy's existence; users do not fully understand the document; it is too long or too technical; users do not see the relationship between the policy and their daily tasks and see it as a nuisance. In other words, the information security policy appears to be totally ineffective and is not achieving its aim of explaining the need for, and the concepts of, information security to the users.

What is an effective information security policy?

In the Oxford Dictionary of Current English, effectiveness is defined as "producing the desired results" [1]. In business terms, managerial success is measured against effectiveness, i.e. the achievement of the organization's business objectives. Again, effectiveness is expressed in terms of achieving a certain result. Applying these definitions to an information security policy would thus mean that an effective information security policy assists in achieving the information security objectives of the organization. Businesses are becoming more reliant on knowledge and information to deliver value-added, quality services and to have a competitive advantage. Therefore, the protection of all information is becoming more important.

One of the main goals of an information security policy is to define the rights and responsibilities of information resource users [2]. An effective information security policy will help the users understand what acceptable and responsible behaviour is with regard to information resources, to ensure the safe and secure handling of information in their daily tasks. In fact, to be fully effective the information security policy needs to incorporate both the users' need for accurate and reliable information and the business's need to achieve its strategic objectives. In doing so, the users will be convinced that information security is not a necessary evil, but rather exists to ensure that the right information is available to them at the right time to make informed business decisions and achieve profit and success. In short, an effective information security policy is an understandable, meaningful, practical and inviting document that addresses the users directly and convinces them of the need for handling information resources securely.

What does an effective information security policy consist of?

Information security is becoming more and more a people and business issue and it is therefore imperative that the information security policy is adapted accordingly. At the end of the day, the users will determine how effective the information security policy really is. This means that the information security policy, and all supporting activities, should be completely user focused, from the writing style and the way in which it is presented to the deployment of the document. The various supporting activities all have a role to play in ensuring the success and effectiveness of the information security policy and should therefore not be considered in isolation when creating the policy. This concept is illustrated in Figure 1.

[Figure 1: Supporting activities for an effective information security policy. The six activities (styling, development, presentation, commitment, dissemination and maintenance) surround the effective information security policy at the centre.]

The styling of the document, which describes the manner of writing, should at all times be consistent with the organization's overall communication style. It should in fact fit in with the organizational culture. This eliminates the risk of alienating the document from the rest of the organization's official documents and thus turning information security into an unfamiliar and foreign concept. The style and tone should furthermore be user-friendly and clear to ensure that the users understand the concepts surrounding information security [3]. Using copies of other organizations' information security policies, or even samples found in the public domain such as the Internet, can easily lead to creating a mismatched document that users cannot relate to. Whereas smaller organizations tend to cultivate a culture of trust and reliance on user discretion, larger organizations often need stricter controls for proper management of the more diverse environment. The organizational approach needs to be reflected in the style of the information security policy, which cannot easily be done when creating a 'cut and paste' version. Very often, the information security policy is turned into a highly technical document crammed with as much detail as possible, thus making it cumbersome and difficult to understand. For a non-technical person the document then means little and the user cannot relate it to what is expected as acceptable behaviour.

Unfortunately, it is also true that the documenting of the information security policy is often left to the technical staff, who admittedly may know the information security technologies very well. The same technical staff have, however, little or no understanding of their users and how information security should fit into the broader organizational culture. This problem can be eliminated by ensuring that the information security policy is developed in conjunction with representatives of all the stakeholders who have a vested interest in the policy's success. Even though this takes up more time and resources initially, this approach can go a long way towards ensuring that the information security policy is accepted and therefore is an effective control measure [4]. The actual wording of principle statements is also critical to the effectiveness of the information security policy, as a misinterpreted statement can damage an organization's information security arrangements.

Presenting the document as a fun and attractive communication will ensure that the users take note of it and the messages it contains. This also implies that the document should not be long, but rather short, concise and to the point. The main document should be very brief, but with interesting cartoons or dialogue which the users can relate to. Supplementary policies, standards and guidelines should then be developed to support the main policy and detail the specific topics. The document should, however, at all times be presented as a quality deliverable to help underline the fact that information security is important and that the organization is not averse to taking it seriously and treating it as a business-critical issue.

The commitment and buy-in from top management is vital for the effectiveness of the information security policy, as people generally live by example. Changing the attitudes and the behaviour of users starts right at the top with the chief executive officer (CEO) and the executive committee [5]. Users will not believe in the information security policy if they do not see their leaders conforming to, and living by, it. In fact, for the policy to be truly effective, it needs buy-in from all levels of the organization.

An information security policy cannot be effective if the users do not know about it. Therefore, it is important that the information security policy is correctly and appropriately deployed throughout the organization and actually brought to the users. There are various methods that can be used to disseminate an information security policy. The dissemination can be done by distributing full paper-based or electronic copies of the document, by publishing the document on an internal communication site such as the intranet, or by summarizing the policy in colourful brochures. Once again, the dissemination method should ideally fit in with the organization's traditional dissemination methods. This does not mean that there is no scope for creativity, but rather that there will be certain dissemination methods that are easier to implement and more acceptable to the organization than others. In fact, a clever marketing-type drive will ensure that the users take definite note of the policy and are more likely to understand and adhere to it. The information security policy can also be deployed during an awareness session, which gives the opportunity to reinforce and explain the message of the policy immediately to the users. A further advantage of this method is that top management support can be visibly demonstrated. The fact that top management is willing to take the time to attend an awareness session sends a far stronger message regarding their support for information security than a signature on a document [4].

The information security policy should be a living document. It should at all times grow and develop with the organization to ensure that it supports the achievement of the organization's vision and mission. Updating the information security policy regularly has several advantages. These include keeping in touch with organizational developments and ensuring that the document does not become static and outdated [6]. As a review of a high-level policy document often introduces changes to the organization, the review period should preferably fit in with the organization's normal business cycles. During certain times in the cycle, the users will be more receptive to change and the reinforcement of ideas and principles than at others. Financial year-end periods, for example, are critical and busy periods and the users do not want to be exposed to new ideas or changes at such times.

To achieve an effective information security policy, it is important that the various supporting activities are considered and implemented with care. These supporting activities help as a whole to create an effective information security policy.

Conclusion

An effective information security policy is a policy with which the users can identify and from which they can clearly see what is expected from them in terms of handling information resources. The effectiveness of the policy does not rely so much on the right content, but rather on the way in which the content is addressed in the document and ultimately communicated to the users. At the end of the day, an effective information security policy will directly result in effective information security.

Karin Höne, Department of Computer Science, Rand Afrikaans University. J.H.P. Eloff, Department of Computer Science, University of Pretoria, South Africa, eloffrkw.

References
[1] Oxford Dictionary of Current English. Oxford University Press, 1998. ISBN 0-19-860233-2.
[2] Sholtz, Paul, 2001. Internal Security Rules and Risks.
[3] PricewaterhouseCoopers, August 2001. IT Security Survey: Issues and Trends in the Middle East.
[4] Human Firewall Organization, 2002. Human Firewall — Issues.
[5] The Software Engineering Institute (SEI), Carnegie Mellon University, May 2002. State of Practice of Intrusion Detection Technologies.
[6] Briney, A., September 2000. Security Focused.

E-COMMERCE: THE DARK SIDE

Card Fraud — More Serious Than Given Credit For
Bill Boni

There is a war going on in cyberspace and the 'good guys' appear to be losing it. The combat is not just cyber terrorists probing and defacing military, political or economic targets, but, much more commonly at this point, between cyber criminals and the managers of IT staffs supporting E-commerce operations. The facts are that a class of 'elite' hackers is now commonly able to attack sites, extract credit card account information and then cover their tracks by destroying digital evidence along their path. These intruders have become more brazen as they have become more successful.

The situation has got so dire that Gartner, a leading consulting organization, estimates that cyber-fraud cost companies over $700 million in 2001. The Gartner study claims that over 5% of online shoppers have experienced credit card fraud and nearly 2% suffered identity theft. These numbers are staggering and put into perspective the often-quoted comments from credit card companies that online fraud is a tiny percentage of total charges. Of course they are tiny when compared with the vast amount of total credit card purchases. But to say that fraud against one buyer out of 20 is immaterial, when they have suffered from cyber-fraud, is disingenuous at best and misleading at worst. It is not the dollar value of the losses at present that constitutes the problem; it is the fact that so many of the online shoppers are defrauded in some manner. Imagine for a moment what would have happened to credit card use in general if 5% of the users had fraud committed against them! It's pretty obvious that many, perhaps most, people would simply decline to use credit cards. The collective impact of such losses is probably one reason why E-commerce has lagged behind the dizzying rate anticipated by its advocates. There are too many people who have been victimized to ignore.

If the consumer experience of cybercrime is bad, the corporate counterpart is at least as bad. The police and law enforcement agencies have had some successes, but largely against the less skilful and less successful criminals. Reviewing the list of unsolved high-profile cybercrimes, one is struck by the fact that the list continues to grow, and none of the more serious crimes have been solved.

For example, in November 2001 an attacker extracted a number of customer accounts from the site. The intruder actually showed customers he/she had successfully penetrated their accounts by sending them their credit card numbers via email.

One of the most disturbing cases happened in the summer of 2001, when a hacker managed to obtain personal information of as many as 350 000 customers of Ecount, a gift certificate company. The criminals attempted to extort $45 000, threatening otherwise to release the information. The investigation has been open now for nearly a year with no successful resolution. In fact the criminals have taunted managers at Ecount for their inept investigations and inability to find them.

We have previously discussed the CD Universe case, which dates from January 2000. In one of the most successful attacks ever, about 350 000 credit card numbers were taken from the company's website. 'Maxus', as the criminal identified himself or herself, is still at large, and although many suspect the criminals are connected to Russian organized crime there has been no arrest and so no closure.

The fact is that law enforcement agencies of leading countries simply have not been able to bring to justice hackers who perpetrate these attacks. Although police officials are getting better at tracking and