
InfoSec Policy Process Practice

‘The problem today is not the lack of technology but its intelligent application.’


Information is a managerial and organisation tool.

Drivers influencing organisational information security policies, processes and practices[1],

Part 1: Regulation and best practice context

·         Non-governmental regulation

o   International treaties and standards

o   Industry standards and practices

o   Professional standards and practices

·         Government regulation

o   Computer crime

§  Privacy protection

§  Public disclosure requirements

o   National security

o   National information infrastructures

o   Government internal policy

Part 2: Security processes for organisations

·         Organisation

o   Economics of security

§  Costs and benefits

·         Functionality—security tension (guns or butter)

·         Ethics of security

o   Mandated or optional (due care)

Part 3: Triggers and research

·         Technological

o   Computer and network security

o   Cryptology

·         Vicious circle

Strategic planning in management

1.       A plan or guide for action that leads the firm from a current state to a more desirable state

2.       A pattern of consistent behaviour

3.       A position of products

4.       A perspective or philosophy

5.       A ploy that outmanoeuvres or outwits a competitor

These views unfold into several schools of strategy,

·         Prescriptive: designing, planning or positioning

·         Descriptive: entrepreneurial, cognitive, learning, power, cultural, environmental and configuration

Strategy and policy are sometimes used interchangeably.

The development of strategies with an emphasis on information security happens along three lines. The first is the development of complete strategies that provide exemplars or frameworks; such frameworks are prescriptive and intended for universal implementation.

The second builds the strategy from fragments, adapted or adopted by the entire organisation. The third works from ideas on process formulation for information security, consistent with the view of strategy as a descriptive learning process.

Gaston (1996) presented an integrated technological strategy for organisations with intermediate goals for protecting organisational assets, assuring quality, fostering competition, reducing wasteful expense, and customer service. This was a balancing strategy, trading off the level of protection, the cost of information security, and ease of access for customers and employees. The plan involves,

1.       Formulating the goals of information security

2.       Positioning information security in relation to management and governance

3.       Mobilising the organisation for its security

4.       Creating an information security policy

5.       Tailoring security measures such that policy is implemented

Hong et al. (2003) based their goals on five discrete information security theories,

1.       Security policy theory

a.       Policy establishment, implementation, and maintenance

b.       Emphasis on policy, sequential structured procedures

2.       Risk management theory

a.       Risk assessment, risk control, review and modification; studies and responds to an insecure environment; security policy and audit mechanisms are ignored

b.       Emphasis on structures

3.       Control and auditing theory

a.       Establish control systems, implement, and audit

b.       Emphasis on internal control and information audits

c.       Requirements planning and contingency for the unexpected are absent

4.       Management system theory

a.       Establish security policy, define security scope, risk management, implement

b.       Information audits are ignored

c.       Periodic checks and feedback are absent

5.       Contingency theory

a.       Policy strategy, risk management strategy, control and audit strategy, management system strategy.

b.       Choose strategy based on internal and external environment

c.       Integration and structures are absent

Merging these strategies into a cohesive security management process produces an integrated strategy for information security.

Fragments of security strategies

Examples of security strategy fragments include susceptibility audits and the information security chain.

The former maps susceptibility by identifying assets and risks against the likelihood of successful attacks, and the impact and cost of successful attacks on the organisation,

1.       Valuing information assets

2.       Assessing threats

3.       Evaluating the cost of securing assets

The information security chain involves isolating and compartmentalising security safeguard elements into modules and sub-modules. Each module forms a link in a chain that completely encompasses the information vulnerabilities. An example module is intrusion protection, composed of biometric access control, passwords, virus detection, etc.

Figure 1. Adapting risk management/susceptibility mapping into an integrated strategy

Formulated processes for security strategy

The approach adopts the view that setting strategy is a continuous, emergent process. An example is the Policy Framework for Information Security (PFIRES) of Rees, Bandyopadhyay and Spafford (2003). The objective is to develop a usable security strategy that can be kept aligned with the information technology lifecycle. It defines four phases,

1.       Assess

2.       Plan

3.       Deliver

4.       Operate

This framework is broader than a strategy involving policy-based security enforcement. Indeed, it begins with the existing organisational policy with the aim of learning from processes to adapt and improve them.

Figure 2. Policy Framework for Information Security: broader than a strategy involving policy-based security enforcement, with the aim of learning from existing organisational policy processes to adapt and improve them


The most prevalent regulatory requirements are those related to privacy and auditing (the Sarbanes-Oxley Act of 2002 requires external auditors to assess security controls on computer-based accounting systems). The most prevalent standards are ISO/IEC 17799 and ISO 27002. The standard recommends best practices for security policies, infrastructure, asset classification, physical security, communications security, access control, systems development and systems continuity. The degree to which an organisation must comply is determined by its information security strategy process: parts of the standard may not be relevant, and for other parts alternative strategies may be prudent. Consequently, compliance is not straightforward but requires reviewing the standards to determine which parts apply and to what degree they must be implemented.

Organisation structure and processes

As part of goals assessment, there must be clarity on organisational structures, processes and the integrity of communication channels. Disparate activities must be aligned to each other to provide assurance. Where responsibilities and authority structures are poorly defined, there may be a breakdown in internal organisational controls. This has to do with existing social norms and aligning structures with dominant normative structures.

Structures and processes must be further aligned with the technical infrastructure. Most security vulnerabilities result from a lack of integrity between organisational structure and access control mechanisms (Backhouse and Dhillon, 1996). Where security is added as an afterthought, there is potential for duality in structures.

Organisational objective             Security contribution (alignment)

Quality assurance                    None to low

Privacy and confidentiality

Continuity and availability

Adapted from Gaston 1996, p. 19.

Security environment

For extended organisations, an appreciation of the organisational context in which security strategy is set is of great importance. Kalfan (2004) emphasises the important issues in Service Level Agreements (SLAs) between the client and the vendor.

Preventive mechanisms must be instituted to prevent vendors from subverting controls. Sherwood (1997) suggests four classes of principles to guide a security strategy,

1.       Proper definition of responsibilities and liabilities of both parties

2.       Business process definitions linking the client and the vendor

a.       Security policy mandated authorisations

b.       Outsourcing service provider to act as a custodian with implementation privileges

c.       Adequate audit processes

3.       Documents describing primary security requirements (baseline)

4.       Documentation on prescribed security

For implementation, Sherwood proposed a model in which a liaison is maintained between the service-providing vendor and the client through a services security forum.

Essential implementation recommendations,

1.       Legally binding responsibilities. Identify and implement them

2.       Organisational structure. Mutually agreed organisation structure for ensuring allocation of responsibilities, liabilities and attributing blame

3.       Process clarity. Clarity and agreement are necessary to maintain security and respond after an event

4.       Performance measurement. Measures for evaluating performance must be defined, particularly with respect to risk management.

5.       Proactive management. All aspects of security, including penalties must be established at the pre-contract stage.


Figure 3. Organisation model for outsourcing security via liaison

Organisational Security Strategy

Major activities,

1.       Acknowledge possible security vulnerability. Interview stakeholders and understand opinions

2.       Identify risks and current security situation. Structure refers to formal reporting structures, responsibilities, authority structures, and formal and informal communication channels. Soft power issues must be mapped. Decide on what to do, do it, monitor the activity, and evaluate outcome.

3.       Identify the real security situation. Conceptualise ideal practices.

4.       Model ideal information security. All activities needed for transformation should match ideal types defined. Monitoring of the operational system is important,

a.       Define measures of performance

b.       Monitor all activities against defined metrics

c.       Control actions taken

5.       Compare ideal with current

a.       Conceptual model as reference for structured questioning. If the real world situation is significantly different from the model

b.       Compare history with model prediction

c.       Generally compare. Helps identify features that may be different from reality

d.       Model overlay.

6.       Identify and analyse measures to fill gaps. Solutions are identified to address intent. If procedures are to be redefined, it may help to involve personnel with knowledge of the SOx Act.

7.       Establish and implement security plan. Ensuring that the solutions do not conflict with the overall strategy.

Top-down security setting process

·         Internal analysis and self-assessment. Usually a committee or team effort; with attention to creating a cross-functional team.

o   security audits—a part of assurance, or

o   risk assessment—involving the determination of the needs or suitability of controls

·         Security procedure development and review

o   Avoid developing procedures in isolation

o   Develop alternatives; circulate to stakeholder group for buy-in

o   Continuous engagement with stakeholder group is necessary to ensure integrity of the procedures

·         Policy development and format

o   In a top-down strategy, policies are an aggregation of procedures codified to comply with the policy

o   Sensitive information is left out of the policy

o   Acts as a guiding document for compliance

o   Minimum security policy sections

§  Statement of policy

§  Authorised access and usage of equipment

§  Prohibited usage of equipment

§  Systems management

§  Penalties for policy violations

§  Review and modifications

§  Limitations of liability

·         Administration. A policy is executed only after training and user awareness

o   Must establish owners for each element in the information security policy

o   Clarity on what documents and records to be maintained

Key controls (1995)

1.       Allocation of information security responsibilities

2.       Information security education and training

3.       Reporting of security incidents

4.       Virus controls

5.       Business continuity planning process

6.       Control of proprietary software copying

7.       Safeguarding of organisational records

8.       Data protection

9.       Compliance with security policy


·         Define the initial scope of the ISMS

·         Define the ISMS policy

·         Identify assets

·         Identify threats

·         Do a risk assessment (BS 7799 Business Impact Analysis)

·         Select controls

·         Complete the Statement of Applicability (SOA)


·         Finalise and fine-tune risk treatment plan

·         Implement the risk treatment plan and associated controls


·         Execute monitoring

·         Regular reviews of efficiency and effectiveness

·         Monitor acceptable risk

·         Conduct regular audits of ISMS



Donn Parker’s six security functions (extended)

1.       Avoidance

2.       Deterrence

3.       Prevention

4.       Detection

5.       Recovery

6.       Correction

7.       Mitigation

8.       Transference

9.       Investigation

10.   Sanction or credit

11.   Education

Data-centric architecture

Figure 4. Data-centric architecture

User type                  Trust level          Allowed access                              Required security mechanisms

External User              1 – not trusted      Tier 1 DMZ only, least privilege            FW, IPS, data encryption, user authentication, and role enforcement

Internal User              3 – trusted          Internal network systems, least privilege   FW, IPS, data encryption, user authentication, and role enforcement

Data Owner                 3 – trusted          Internal network systems, least privilege   FW, IPS, data encryption, user authentication, and role enforcement

(user type not recorded)   2 – medium trusted   Least privilege                             FW, IPS, file integrity monitoring, and data loss prevention


Risk analysis resources

·         SANS quantitative risk

·         FAIR

·         NIST risk management guide

·         CERT OCTAVE

·         DREAD threat model

·         STRIDE threat classification

Policy and standard resources

·         SANS Policy Project

·         CSOonline

·         CSIRT, http://csirt.org/sample_policies/index.html

System hardening resources

·         NSA hardening guides, http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

·         Windows 2000, http://www.microsoft.com/en-us/download/details.aspx?id=15910

·         Windows 2003, 2008, 7, http://technet.microsoft.com/en-us/library/ {cc163140.aspx, gg236605.aspx, ee712767.aspx}

·         Red Hat Enterprise 5, NSA pamphlet-i731.pdf

·         Mac OS X, http://www.apple.com/support

Security awareness

·         NIST SP 800-50

·         SANS InfoSec Reading Room

·         DISA IA Awareness Posters

Safe and secure computing resources

·         US-CERT

·         CERT

·         SANS Home/Small Office Security

·         NSA Best Practices for Securing Home Network

·         Microsoft Security for Home Computer Users Newsletter

Security incident response resources

·         Carnegie Mellon, cert.org/csirts/Creating-A-CSIRT.html

·         SANS, whitepapers/incident/creating-managing-incident-response-team-large-company_1821

·         SANS, whitepapers/incident/building-incident-reponse-program-suit-business_627

·         Gartner (paid), id=1389613

Incident response process

·         NIST SP 800-86

·         NIST SP 800-83

·         NIST 800-61

·         CIO.com article, 184145/five_tips_building_an_incident_response_plan


Security tools (open source alongside proprietary, industry standard tools)

Tools for securing the network

·         Intrusion Detection System (IDS). Monitors and logs network or system activity. Snort, http://www.snort.org/

·         Network Access Control (NAC). Attempts to unify endpoint security technology (antivirus, host intrusion prevention, vulnerability assessment), user or system authentication and network security enforcement for devices initially attempting to access a network. PacketFence, http://www.packetfence.org/home.html; Cisco NAC Appliance (formerly Cisco Clean Access); Juniper Identity and Policy Control, Unified Access Control. More, http://mosaicsecurity.com/categories/81-network-access-control

·         Intrusion Prevention System (IPS). Suricata, http://www.openinfosecfoundation.org/index.php

Tools for securing systems

·         OS hardening. Bastille Linux

·         File Integrity Monitoring (FIM). Open Source Tripwire

·         Host-based intrusion detection system (HIDS)

·         Web application firewall

Tools for securing data

·         Email encryption

·         Data Loss Prevention (DLP)

Tools for security monitoring

·         Log monitoring

·         Traffic monitoring

·         Security Information and Event Management (SIEM)

·         IT infrastructure monitoring

Tools for testing security

·         Web application measurement. Websploit Framework

·         Penetration testing. BackTrack Linux, BackBox

·         Security vulnerabilities, IDS signatures

·         SQL injection detection and exploit testing

·         Web pen-testing. Samurai Web Testing Framework

Tools for vulnerability scanning

·         Vulnerability scanner

·         Web server scanner

·         Vulnerability management lifecycle. Rapid7 Nexpose


Comparison of Risk Assessment Models

NIST SP 800-30 (issued June 2002)

Perceived strengths: publicly available; broadly reviewed by government and industry; can help develop, or evaluate, the risk management process.

Perceived weaknesses: (not recorded)

(model name not recorded)

Perceived strengths: focuses on organisational risk and strategic practice-related issues, balancing organisational risk, security practices and technology; examines organisational and technology issues for comprehensive capture of information security needs.

Perceived weaknesses: requires a team of 3 to 5 personnel with a broad understanding of the organisation, problem-solving ability, analytical ability, ability for team work, leadership, and time to invest in the process.

ISO/IEC 17799 and ISO 27001

Perceived strengths: a common basis for developing organisational security standards, practices and coordination; the standards are being integrated into common practice, including by NIST; ensures business operations information security risks are considered and documented; systems, applications, platforms, business processes and business operations are examined one at a time; a widely applicable and accepted standard for good IT security and control practices; a source of best practices among several companies.

Perceived weaknesses: the standard is comprehensive and reasonably complex, therefore expensive guidance may be necessary to determine where to start and what the priorities are.

Threat-Asset-Vulnerability (TVA) consensus approach to risk assessment

For each asset-threat pair, vulnerabilities are identified.

For each vulnerability, control strategies are identified.

1.       Where a control is already in place, note it and identify it as adequate or insufficient

2.       Where new opportunities for control exist, they must be documented.


An assessment begins with a risk assessment process that creates an ordered inventory of the organisation’s information assets. Next, a comprehensive list of perceived threats against those assets is developed. These are organised as a matrix. At the intersection of each pair, known or suspected vulnerabilities are enumerated.

Information Assets are the information or data possessed and used by the organisation as well as its systems that process, store and transmit that information or data. A Threat is an object, person or other entity that poses a constant danger to an asset. Threats are relatively well-researched and fairly well understood.

Categories of threats

·         Acts of human error or failure: accidents, employee mistakes

·         Compromises to intellectual property: piracy, copyright infringement

·         Deliberate acts of

o   espionage or trespass: unauthorised access or data collection

o   information extortion: blackmail or information disclosure

o   sabotage or vandalism: destruction of systems or information

o   theft: illegal confiscation of equipment or information

o   software attacks: viruses, worms, macros, denial of service

·         Forces of nature: fire, flood, earthquake, lightning

·         Deviations in quality of service: ISP, power, or WAN service issues from service providers

·         Technical hardware failures or errors: equipment failure

·         Technical software failures or errors: bugs, code issues, unknown loopholes

·         Technological obsolescence: antiquated or outdated technologies


A Vulnerability is a known, suspected or anticipated weakness in a system, where controls are not present or are presently ineffective. Vulnerabilities exist when a specific act or action can occur that may cause a potential loss. A Control, also called a safeguard or countermeasure, is a mechanism to reduce the loss of value to an information asset when a vulnerability is exploited. Controls include policy statements, training and implemented technology that avoid, mitigate or transfer the negative outcome of the loss-causing event.

Asset identification

TVA model-building begins with identification of all information assets, including people, procedures, data and information, software, hardware, and networking elements. Values are associated later in the process.

IT system component        Risk assessment components

People                     Trusted employees; other staff; employees of trusted organisations

Procedures                 IT and business standard procedures; IT and business sensitive procedures

Data and information

Software                   Operating systems; security components

Hardware                   Systems and peripherals; security devices

Networking                 Networking components: intranet components, Internet or DMZ components

Asset attributes

·         List all common names of the device or program

·         Identify the primary and all secondary purposes of the asset

·         IP address. For network and server devices in static addressing settings; usually does not apply to software

·         MAC address. Unique but spoofable number

·         Asset type. Function of each asset

·         Serial number. Uniquely identifies a specific device, including software serial numbers

·         Useful for analysing threats from manufacturer announcements of specific vulnerabilities

·         Manufacturer’s model or part number. Identifies the asset precisely

·         Version or FCO number. Current software and firmware versions, current Field Change Order (FCO) for hardware

·         Physical location. May also apply to software, if licence terms restrict usage

·         Logical location. Asset placement in the network

·         Organisational unit that controls the asset

·         Which other assets are interdependent

Associated impact evaluation questions are, which assets

·         Are most critical to the success of the organisation?

·         Generate the most revenue?

·         Contribute the most to profitability?

·         Are most expensive to replace?

·         Are most expensive to protect?

·         Would, on loss or compromise, be most embarrassing or result in the greatest liability?

Company, Inc. Information Asset Data Collection Worksheet

Information Asset Type                                   Data Classification   Impact on profitability

Application Server #AS489

Router #R67

Application Support Downloads over FTP

EDI Orders from trading partners for Co. Fulfilment
Example weighted factor analysis worksheet

Information asset                                            Criterion 1: Impact to revenue   Criterion 2: Impact to profitability   Criterion 3: Public image impact   Weighted score

Criterion weight (1—100)

EDI Document Set 1—logistics BOL to outsourcer (outbound)

Figure 5. Risk

Risk control strategies

·         Avoidance/prevention: applying safeguards that eliminate or reduce uncontrolled risks

·         Transference: to others or outside entities

·         Mitigation: reducing the impact if vulnerability is exploited

·         Acceptance: understanding the consequences and accepting the risk without control or mitigation
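As an added example (not code from the page or from the books it lists), the following Python builds the TVA matrix described above, orders the asset inventory with the weighted factor analysis worksheet, and records each vulnerability's control as adequate, insufficient or a newly documented opportunity tagged with one of the four risk control strategies. The asset ratings, criterion weights, threats, vulnerabilities and controls are constructed, and the weighted score arithmetic (criterion weight times rating, summed) is an assumption, since the page shows the worksheet layout but not its formula.

```python
"""Threat-Asset-Vulnerability (TVA) worksheet with weighted factor analysis.
Added example: ratings, weights, threats, vulnerabilities and controls are
constructed; the weighted score formula sum(weight * rating) is an assumption."""
from dataclasses import dataclass, field

RISK_STRATEGIES = {"avoidance", "transference", "mitigation", "acceptance"}
# Criterion weights (1-100), as on the weighted factor analysis worksheet.
CRITERION_WEIGHTS = {"revenue": 40, "profitability": 35, "public_image": 25}


@dataclass
class Asset:
    name: str
    ratings: dict  # criterion -> rating between 0.0 and 1.0 (constructed)

    def weighted_score(self) -> float:
        # Assumed arithmetic: each criterion weight times the asset's rating.
        return sum(w * self.ratings.get(c, 0.0) for c, w in CRITERION_WEIGHTS.items())


@dataclass
class Control:
    description: str
    strategy: str           # one of the four risk control strategies
    in_place: bool          # already implemented, or a new opportunity
    adequate: bool = False  # judged adequate or insufficient when in place

    def __post_init__(self):
        if self.strategy not in RISK_STRATEGIES:
            raise ValueError(f"unknown risk control strategy: {self.strategy}")


@dataclass
class Vulnerability:
    description: str
    controls: list = field(default_factory=list)

    def status(self) -> str:
        """Classify the vulnerability the way the TVA review records it."""
        if any(c.in_place and c.adequate for c in self.controls):
            return "adequate"
        if any(c.in_place for c in self.controls):
            return "insufficient"
        return "new control documented" if self.controls else "no control identified"


def ordered_inventory(assets):
    """Rank assets by weighted score, most valuable first."""
    return sorted(assets, key=lambda a: a.weighted_score(), reverse=True)


def build_matrix(assets, threats):
    """One cell per asset-threat pair, each holding its vulnerabilities."""
    return {(a.name, t): [] for a in assets for t in threats}


def open_items(matrix, ranked_assets):
    """Vulnerabilities not yet adequately controlled, in asset-priority order."""
    order = {a.name: i for i, a in enumerate(ranked_assets)}
    items = [(asset, threat, v.description, v.status())
             for (asset, threat), vulns in matrix.items()
             for v in vulns if v.status() != "adequate"]
    return sorted(items, key=lambda i: (order[i[0]], i[1]))


# Constructed sample using two asset names from the page's worksheets.
ASSETS = [
    Asset("Router #R67", {"revenue": 0.6, "profitability": 0.5, "public_image": 0.3}),
    Asset("EDI Document Set 1", {"revenue": 0.9, "profitability": 0.8, "public_image": 0.7}),
]
THREATS = ["Software attacks", "Deviations in quality of service"]
MATRIX = build_matrix(ASSETS, THREATS)
MATRIX[("EDI Document Set 1", "Software attacks")].append(Vulnerability(
    "EDI gateway accepts inbound documents without partner authentication",
    [Control("mutual TLS with trading partners", "mitigation", in_place=False)]))
MATRIX[("EDI Document Set 1", "Deviations in quality of service")].append(Vulnerability(
    "outsourcer SLA carries no availability penalty",
    [Control("SLA penalty clause", "transference", in_place=True)]))
MATRIX[("Router #R67", "Deviations in quality of service")].append(Vulnerability(
    "single WAN uplink",
    [Control("secondary ISP circuit", "mitigation", in_place=True, adequate=True)]))

if __name__ == "__main__":
    for item in open_items(MATRIX, ordered_inventory(ASSETS)):
        print(item)  # the higher-value asset's open items come first
```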

Available references

1.       Detmar W Straub and Seymour Goodman. Information Security: Policy, Processes and Practices. ME Sharpe, Inc., 2008.

2.       Mark Osborne. How to cheat at Managing Information Security. Syngress Publishing, 2006.

3.       Andrew Vladimirov, Konstantin Gavrilenko and Andrej Michajlowski. Assessing Information Security: Strategies, Tactics, Logic and Framework. IT Governance, 2010.

4.       Alan Calder. Business Guide to Information Security. Kogan Page Ltd., 2005.

5.       Aaron Woody. Enterprise Security: A Data-Centric Approach to Securing the Enterprise. Packt Publishing, 2013.

6.       Venugopal Iyengar. Information Security for Management. Himalaya Publishing House, 2010.

7.       Veena Hingarh and Arif Ahmed. Wiley Corporate F&A: Understanding and Conducting Information Systems Auditing. John Wiley & Sons, 2013.

8.       Angus McIlwraith. Information Security and Employee Behavior: How to reduce risk through employee education, training and awareness. Ashgate Publishing Group, 2006.

9.       Steve Purser. A practical guide to Managing Information Security. Artech House, 2004.

10.   Martin T Biegelman and Joel T Bartow. Executive Roadmap to Fraud Prevention and Internal Control: Creating a Culture of Compliance. John Wiley & Sons, 2012.

[1] Detmar W Straub and Seymour Goodman. Information Security: Policy, Processes and Practices. ME Sharpe, Inc., 2008.