Information Systems Security, 16:246–256, 2007 Copyright © Taylor & Francis Group, LLC ISSN: 1065-898X print/1934-869X online DOI: 10.1080/10658980701744861

Information Security Policy Development and Implementation Avinash W. Kadam MIEL e-Security Pvt. Ltd., Education Services, Mumbai, India

ABSTRACT  Development of the information security policy is a critical activity. Credibility of the entire information security program of an organization depends upon a well-drafted information security policy. Most of the stakeholders do not have time or inclination to wade through a lengthy policy document. This article tries to formulate an approach to the information security policy development that will make the policy document capture the essentials of information security as applicable to a business. The document will also convey the urgency and importance of implementing the policy, not only in letter but also in spirit.

Introduction

Address correspondence to Avinash W. Kadam, MIEL e-Security Pvt. Ltd., Education Services, C-611/612/Floral Deck Plaza, Mumbai 400014, India E-mail: [email protected]

Rudyard Kipling probably had no idea that his Six Honest Serving Men would be employed by modern-day computer scientists, engineers, and architects for diverse applications. John A. Zachman used them for defining Enterprise Architecture (http://www.zifa.com), whereas John Sherwood used them for defining Enterprise Security Architecture (http://www.sabsa.org). These faithful servants serve anyone seeking a deeper understanding of any complex subject. They are the six simple questions starting with: what, why, how, who, where, and when. If you persist in getting the answers to these six questions, a seemingly impossible task such as developing an information security policy which is relevant to the business, covers major risks, and is practical to implement can actually be done with confidence.

Let us look at the policies which are developed for other business functions. We will look at only two examples, the financial policy and the human resources policy, and ask our six honest men to find out whether these policies indeed do what they are expected to do. We will simultaneously map the possible answers to these questions about information security policy.

What do these policies contain? The financial policy provides the overall direction which the organization should take for having a sound financial basis, which leads to successful business operations. The human resources policy provides the basis for attracting the right talent and retaining them, by employing the right people for the right job for the right remuneration. Does the organization’s information security policy identify the information which is critical for the business? Does it provide the direction to perform the business functions in a safe and secure manner?

Why are these policies defined? The financial policy contains the accumulated financial wisdom on what is appropriate for the business. It provides for the consistency of financial decisions. The human resources policy is based on the sound values of human dignity and fair treatment. This provides an anchor for the right way to deal with people. Does the organization’s information security policy provide a clear insight into the information security issues while dealing with the business processes?

How are these policies used? The financial policy is always referred to while making business decisions. The human resources policy is consulted while taking complex decisions affecting the careers of the employees. Is the organization’s information security policy referred to when a decision about the right approach to information usage is to be taken?

Who uses these policies? The senior management constantly refers to both the financial policy and the human resources policy to evaluate any decision to be taken by them. Does senior management refer to the organization’s information security policy to confirm whether their decisions conform with such a policy?

Where are these policies used? The financial policy is used for taking all the financial decisions of the company. The universal applicability of the policy ensures consistency of all the actions. Similarly, the human resources policy is the guiding light for all the decisions taken pertaining to people, irrespective of whether the decisions are taken at the corporate level or at a remote branch location. Is the organization’s information security policy followed universally within the organization, and do all the information security decisions demonstrate consistency?

When are these policies used? The financial and human resources policies are used almost constantly. The organization stops functioning if it ignores these policies. Can we say the same about the organization’s information security policy? Is it used each time information access is granted or revoked?

HOW TO SELL INFORMATION SECURITY POLICY TO THE ORGANIZATION

After reviewing the answers to the six questions, we realize that we have a lot of work to do before the information security policy is considered as important for the organization as the financial or human resources policy. The usual skeptical question will be: if we have been surviving quite well without an information security policy so far, why do we need it now? We will have to do much internal convincing or selling before converting the organization into believing in the importance of the information security policy and implementing it in a wholehearted manner.

We always needed a financial policy to run a successful business. I am sure that we had a sound financial policy even in the days of businesses based on barter. The human resources policy became essential in the industrial age because labor unions demanded fair treatment of the workers. It has taken centuries of effort for both the financial policy and the human resources policy to become well accepted and considered essential for sound business. Comparatively, the information age is very young. Although we started using information as a major resource during the past few decades, the major thrust to the information age came from the commercial exploitation of the Internet, which started hardly a decade ago. This is probably one of the reasons for the casual approach we witness while dealing with information security.

Where do we begin our efforts? The answer is, of course, at the very top. But do you think that you will get top management’s attention and interest if you do not talk the same language that they speak, and show the same concerns about the business as they have? How do we get the mind space of the CEO, CFO, and other C-suite occupants? Let us ask our six honest serving men.

What are top management’s concerns? How do we grow the business, make it efficient and effective, and beat the competition? Do we, as information security experts, have some information security concerns which could affect the business? Can we recommend some information security approaches which will help grow the business, make it more efficient and effective, and beat the competition?

Why is top management indifferent about information security policy? Of course the business pressures, competition, pressure on margins, and anxieties about the success or failure of new initiatives are some factors, but the most important factor is the fear of the unknown. Most of the senior management is not conversant with the IT field at present, though the awareness is increasing. They will get interested only if the application of the information security policy shows appreciable positive gains. So, it is the primary task of the information security experts to demonstrate the gains through the application of the information security policy. Do we have something to offer to reduce the pressure? Can we contribute our might toward the new initiatives by some measures of information security?

How do we conduct the business in an ever-changing scenario? How do we keep the leading edge? Can the information security policy identify ways to cope with the changing scenario and keep the business at the leading edge?

Who are the people top management can trust to handle the complexities in the new information age? Can information security experts identify new ways of handling the information resources in a reliable manner, and safeguard the company’s intellectual property?

Where will top management look for successful approaches to handling new-age initiatives? Can the information security policy provide the direction?

When does one spot information as a valuable resource and create a differentiating factor? Can the information security policy provide that differentiation between a successful organization and others?

You may frame many different questions using the same six words. Your focus should be to find:

⦁ What value the information has for the business
⦁ Why information security makes business sense
⦁ How you can help make the information secure for the business
⦁ Who is responsible for making the information secure
⦁ Where you deploy your resources to make the information secure
⦁ When you know if the security measures are indeed successful

Finding answers to these questions will definitely improve top management’s perception of information security.

BUSINESS IMPACT ANALYSIS

The concept of business impact analysis (BIA) looks out of place here. We usually talk about BIA when we discuss business continuity and disaster recovery plans. In my opinion, BIA should make its appearance right at the beginning, when we conduct the interview with top management for formulating the information security policy. The depth, coverage, and details of the BIA will gradually increase as we do more detailed business impact analysis. BIA is the best tool to understand the importance of information security for the organization, and also to make top management realize how much they depend on information security for a successful business.

How do you conduct a BIA where top management is involved? First, identify the critical business processes for the organization. A critical business process usually has the following features:

⦁ It is one of the star performers for the business.
⦁ It is associated with the brand value.
⦁ Its failure could severely impact the organization.
⦁ Any delays for this business process are unacceptable.
⦁ Major investments have been made in perfecting the business process.
⦁ Major technical investments have been made in making the process efficient.

Based on the answers to these questions, you may classify the business processes as critical, important, and routine. Even a single affirmative answer may provide adequate reason to name the business process as critical. It does not mean that you should ignore the routine processes. It only means that the routine processes can be delayed or deferred without having a major impact on the business. One example of a routine process could be payroll processing. If this is delayed, employees can still be paid; but if the just-in-time delivery of goods is not done just in time, you may have a serious impact on the business. Now that we have identified the critical business processes, we take the help of our six honest serving men. Can we formulate questions to do a BIA with the help of what, why, how, who, where, and when? Let us attempt some of these questions.

Table 1  Business impact analysis for business process ‘A’

Confidentiality
⦁ What is the critical information for this process which should be confidential?
⦁ Why should this information be confidential?
⦁ How will the business be affected if the information does not remain confidential?
⦁ Who is responsible for the confidentiality of this information?
⦁ Where do you store this information to ensure its confidentiality?
⦁ When does the confidentiality of this information become critical?

Integrity
⦁ What is the critical information for this process which should always be accurate and reliable?
⦁ Why should this information be accurate and reliable?
⦁ How will the business be affected if the information is unreliable?
⦁ Who is responsible for the integrity of this information?
⦁ Where do you store this information to ensure its integrity?
⦁ When does the integrity of this information become critical?

Availability
⦁ What is the critical information for this process which should always be available?
⦁ Why should this information always be available?
⦁ How will the business be affected if the information is not available when needed?
⦁ Who is responsible for ensuring the availability of this information?
⦁ Where do you store this information to ensure its availability?
⦁ When does the availability of this information become critical?

Your objective is to understand the impact of information security on the business, favorable or otherwise. Top management is in the best position to articulate their perception by answering questions like the following:

⦁ What is the critical information for running the business process?
⦁ Why is it critical?
⦁ How can you run the business if this information is not available to you when you need it?
⦁ Can you run the business if the information is not correct or if it is stolen?
⦁ Who is responsible for guarding the information?
⦁ Where is it located?
⦁ When does the information become critical for your business?

When you pose these questions, you can keep some examples ready to explain the concept. You can also give examples of some actual information security incidents and the impact these had on (hopefully other people’s) business. Do you need a quantitative assessment of the business impact of loss of confidentiality, integrity, or availability at this stage? Probably not, but noting down the responses is important. You may get these responses quantified during subsequent interviews with the middle management and the operational staff. It will help you to develop the answers into a fully quantified statement when the risk mitigation measures are decided and their costs have to be justified.

We can design a matrix around our six questions and the three pillars of security, namely confidentiality, integrity, and availability (see Table 1). These interviews will reveal the business impact resulting from loss of confidentiality, integrity, or availability of information as perceived by the senior management. Capturing their concerns will help us in formulating the top level information security policy which will be understood and accepted by them.

Top Level Information Security Policy

How does the BIA help us in formulating the top level information security policy? Actually, we have just found out all the reasons why there should be a top level information security policy. The answers that we got from asking the six questions for the three attributes for all the critical business processes can be summarized in the top level information security policy. We may even write the policy as if we were writing answers to the six questions. The top-level information security policy may look something like this.

“(What?) The organization recognizes information as one of the key resources which helps in running a very successful business, delivering various goods and services (we may be more specific here) to our customers and meeting the expectations of the stakeholders.

(Why?) We are very proud of the efficiency and effectiveness we have achieved by our fine-tuned business processes (can be more specific). These business processes critically depend on our information systems (can be more specific). Any damage to any information that we possess can adversely impact our business. We strive to maintain all the information with the utmost confidentiality and integrity, and make sure that it is available whenever and wherever it is required to be accessed by legitimate users.

(How?) We are aware that we constantly face threats to our information systems. These threats could disrupt our business processes and cause severe losses (can be more specific). It is our intention to deploy all possible resources to ensure that we are able to thwart any such threats and maintain the customers’ and stakeholders’ confidence in us by having appropriate technical, procedural, and administrative measures in place. We have defined these measures against specific threats and risks in our detailed information security policies.

(Who?) The information security measures will be implemented by our information security team, headed by an information security officer, who directly reports to an information security forum (ISF), which is chaired by the CEO. The members of the ISF will be business unit heads and other responsible persons.

(Where?) The information security measures will be deployed throughout the organization, and all the business processes (can be more specific) will be under the purview of this policy. Any breach of this policy will lead to appropriate disciplinary action.

(When?) Information security is a major concern for the organization. We will have incident management teams working 24×7 to promptly resolve any incidents. We will ensure that all the persons working for the organization are appropriately trained so that they can be vigilant whenever they are using the information. We will also educate our customers so that they can promptly notify us if they notice any information security incidents and need our help (e.g., receiving a suspicious email).”

The top level information security policy should be signed by the CEO to carry the message effectively. The above draft gives us a starting point to create an ideal information security policy that reflects the top level concerns of the organization. It will be specific to the organization and will reflect all the effort spent in conducting a BIA. The BIA will provide enough material to list the real concerns about any compromise of information and how it could affect the organization. An information security policy thus designed will be owned by top management, as their contributions in identifying the various critical things that may impact the business will be clearly mentioned. They will also understand that their involvement is the key success factor. All the concerns that were identified during the BIA will subsequently be followed through during the formulation of the detailed information security policies.

THREAT IDENTIFICATION

We have now got a top level information security policy for the organization. This is an excellent document to get the top level commitment and clearly state the intentions of the organization regarding information security. But it is still a statement of intention and not enough to develop implementable policies. For this, we need to first identify all the threats to the information. The threats we identify will not be just a general perception of threats. These will now be more specific, as we know what the really critical business processes are. The BIA has given us a good insight into this aspect of the business. We also know which aspects of information security, that is, confidentiality, integrity, or availability, are critical for the particular business processes. So, we should be able to narrow down our list to the more realistic threats that can pose a danger to the critical information assets. We can also create plausible threat scenarios. By now we have got a good idea about these from the BIA sessions that we had with top management. We can also take the help of our six honest serving men and make a table which will remind us not to forget any of the contributing threat factors. Please notice that there could be different types of threats which affect the three pillars of information security. A threat which compromises confidentiality may not cause loss of integrity or cause unavailability. We need to identify each of these separately, as shown in Table 2.

The questions for threat identification can be asked of the middle management as well as the operational staff. These persons will be facing such threats in their normal day-to-day operations. Their answers will give us a greater insight into the threat perception. This in turn will help us in focusing our efforts on creating detailed information security policies which address these specific threats. The answers that we are seeking from our six faithful serving men are:

⦁ What are the realistic threats to information for our business processes?
⦁ What are the natural threats?
⦁ What are the manmade threats?
⦁ Why do these threats exist?
⦁ Is there a strong motivational factor for the manmade threats?
⦁ Are there strong environmental factors which cause the natural threats?
⦁ How may the threats materialize?
⦁ Who are the major suspects?
⦁ Where will we be hit?
⦁ When are we most prone to these threats?

Once again, remember to ask these questions for each type of information security requirement: confidentiality, integrity, and availability.

Table 2  Identification of threats for business process ‘A’

Threats to Confidentiality
⦁ What are the threats to confidentiality of critical information supporting this business process?
⦁ Why do these threats exist?
⦁ How can these threats actually act?
⦁ Who will carry out the threat actions?
⦁ Where can the attack happen?
⦁ When can the attack happen?

Threats to Integrity
⦁ What are the threats to integrity of critical information supporting this business process?
⦁ Why do these threats exist?
⦁ How can these threats actually act?
⦁ Who will carry out the threat actions?
⦁ Where can the attack happen?
⦁ When can the attack happen?

Threats to Availability
⦁ What are the threats to availability of critical information supporting this business process?
⦁ Why do these threats exist?
⦁ How can these threats actually act?
⦁ Who will carry out the threat actions?
⦁ Where can the attack happen?
⦁ When can the attack happen?

Table 3  Identification of vulnerabilities for business process ‘A’

Vulnerability corresponding to the threats to Confidentiality
⦁ What are the vulnerabilities corresponding to the threats to confidentiality?
⦁ Why do these vulnerabilities exist?
⦁ How can these vulnerabilities be exploited?
⦁ Who will exploit these vulnerabilities?
⦁ Where may this happen?
⦁ When may this happen?

Vulnerability corresponding to the threats to Integrity
⦁ What are the vulnerabilities corresponding to the threats to integrity?
⦁ Why do these vulnerabilities exist?
⦁ How can these vulnerabilities be exploited?
⦁ Who will exploit these vulnerabilities?
⦁ Where may this happen?
⦁ When may this happen?

Vulnerability corresponding to the threats to Availability
⦁ What are the vulnerabilities corresponding to the threats to availability?
⦁ Why do these vulnerabilities exist?
⦁ How can these vulnerabilities be exploited?
⦁ Who will exploit these vulnerabilities?
⦁ Where may this happen?
⦁ When may this happen?

VULNERABILITY ASSESSMENT—OR HOW WELL THE ORGANIZATION IS PREPARED AGAINST THESE THREATS

This will be the next logical step in our journey to develop the information security policy. Even without a formal policy, an organization will usually have a few security measures in place. We will try to discover what these are and assess their adequacy. Once again we take the help of our six honest serving men and start probing the middle and operational management into revealing the various practices in place. Some of these practices may even be documented by means of staff notices or departmental circulars. We should collect all of these and study them before conducting the interviews. This will help us understand the current state of information security implementation in the organization. Notice the complex phrase “vulnerability corresponding to the threats.” It means we want to discover whether there are any specific vulnerabilities that can be exploited by specific threats to confidentiality/integrity/availability (see Table 3).

Table 4  Vulnerability of individual components of information systems ‘A’ supporting a critical business system

(The cells of this table are blank in the original; they are filled in during the assessment. Each of the three columns is subdivided into the six information system components, abbreviated In, So, Ha, Pe, Se, Da as explained in the text below.)

          Confidentiality          Integrity                Availability
          In So Ha Pe Se Da        In So Ha Pe Se Da        In So Ha Pe Se Da
What?
Why?
How?
Who?
Where?
When?

The answers that we are seeking to our six questions will be:

⦁ What are the weaknesses in your defense system which may cause leakage of confidential information, unauthorized modification of information, or unavailability of critical information?
⦁ Why are these weaknesses there? Has no one noticed them before, or have they been left open in the hope that no threat will ever exploit this vulnerability?
⦁ How will a threat take advantage of these vulnerabilities? If you were the enemy, who knows about these vulnerabilities, how would you use the knowledge to cause maximum damage?
⦁ Who will most benefit from the knowledge of these vulnerabilities? Will someone be strongly motivated to cause harm to your business?
⦁ Where will the attack take place? What is the most vulnerable spot?
⦁ When will the attack take place? When is your organization most susceptible?

While seeking answers to these questions, we will realize that each individual question seeks to discover the vulnerability of the basic component which will be the weakest link in the system. Thus, the vulnerabilities of a business process can be narrowed down to the individual components that constitute an information system. The components of an information system are (the first two letters of each information system component are underlined; these abbreviations are used in the columns of Tables 4 and 5):

Information (or the data) − Data, databases, data warehouses
Software − Application programs, DBMS, operating system
Hardware − Servers, desktops, networking devices
People − Management, users, contract workers
Services − Internet, HVAC, power
Documents − Agreements, contracts, legal papers

Thus we can trace the vulnerabilities of the information system to the vulnerability of an individual component. We can use Table 4 to identify and document whether any of the information system components is vulnerable to any of the threats identified during our study.

Identifying Action Plans

We need a number of detailed information security policies to address the multitude of vulnerabilities of the information system components which could be exploited by threats and compromise the confidentiality, integrity, or availability of our critical business systems. We need to formulate individual policy statements which address each of these vulnerabilities and the way to control them. We can use Table 5 to pair the threats and vulnerabilities and link them to the information system components under attack. Remember, one threat can exploit multiple vulnerabilities of multiple components. The next step will be to define the action statements against each threat and vulnerability combination for each of the affected information system components, so that we can reduce the possibility of the threat exploiting the vulnerability of the component and compromising security.

Table 5  Threat—vulnerability pairs and the action statement to address the risks

(The rows of this table are blank in the original; one row is filled in for each threat–vulnerability pair. Each of the three attribute columns is subdivided into the six component abbreviations In, So, Ha, Pe, Se, Da.)

Threat | Vulnerability | Confidentiality (In So Ha Pe Se Da) | Integrity (In So Ha Pe Se Da) | Availability (In So Ha Pe Se Da) | Action | Policy statement reference

The action statements could consist of a variety of actions. These could include deploying various technical solutions such as firewall, IDS, or antivirus software or defining some physical measures such as barriers or certain administrative (e.g., separation of duty) or punitive (e.g., disciplinary actions) measures. Each of these becomes an action statement.
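As an added example (not part of the article, and not a tool of its author): a small Python register in the shape of Table 5 that records threat–vulnerability pairs against the three attributes and the component abbreviations of Tables 4 and 5, and checks, before the policies are written, that every pair has action statements in all four categories (administrative, technical, management, legal) and a policy statement reference. The dataclasses, the category names, the policy references such as POL-PWD, and the third sample row are assumptions of this example; the first two rows are the article's own worked action plans for the weak-password and weak-network-security cases.

```python
"""Threat-vulnerability register modelled on Table 5, with coverage checks.
Added example, not the article's own tool; field names, category names,
policy references and the sample rows are assumptions of this example."""
from collections import defaultdict
from dataclasses import dataclass, field

# Information system components, abbreviated as in Tables 4 and 5.
COMPONENTS = {"In": "Information", "So": "Software", "Ha": "Hardware",
              "Pe": "People", "Se": "Services", "Da": "Documents"}
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability")
# The four kinds of action statement the article's action plans use.
CATEGORIES = ("Administrative", "Technical", "Management", "Legal")


@dataclass
class Action:
    category: str          # one of CATEGORIES
    statement: str
    policy_ref: str = ""   # "Policy statement reference" column; empty = not yet written


@dataclass
class Pair:
    """One Table 5 row: threat, the vulnerability it exploits, the attributes
    it compromises, the components under attack, and the action statements."""
    threat: str
    vulnerability: str
    attributes: tuple
    components: tuple
    actions: list = field(default_factory=list)

    def validate(self):
        """Reject rows that use names outside the tables' vocabulary."""
        for a in self.attributes:
            if a not in ATTRIBUTES:
                raise ValueError(f"unknown attribute {a!r}")
        for c in self.components:
            if c not in COMPONENTS:
                raise ValueError(f"unknown component {c!r}")
        for act in self.actions:
            if act.category not in CATEGORIES:
                raise ValueError(f"unknown action category {act.category!r}")
        return self


def coverage_gaps(register):
    """Rows that cannot yet become policy: no action statement at all, an
    action category the plan does not cover, or an action with no policy reference."""
    gaps = []
    for p in register:
        if not p.actions:
            gaps.append((p.threat, p.vulnerability, "no action statement"))
            continue
        covered = {a.category for a in p.actions}
        for cat in CATEGORIES:
            if cat not in covered:
                gaps.append((p.threat, p.vulnerability, f"no {cat} action"))
        for a in p.actions:
            if not a.policy_ref:
                gaps.append((p.threat, p.vulnerability, f"unreferenced action: {a.statement}"))
    return gaps


def table4_view(register):
    """Table 4 view: for each attribute, the components found vulnerable."""
    view = {a: set() for a in ATTRIBUTES}
    for p in register:
        for a in p.attributes:
            view[a].update(p.components)
    return {a: sorted(cs) for a, cs in view.items()}


def actions_by_policy(register):
    """Group action statements by the policy that will carry them; the number
    of keys answers 'how many policies?' for this register."""
    grouped = defaultdict(list)
    for p in register:
        for a in p.actions:
            if a.policy_ref:
                grouped[a.policy_ref].append(a.statement)
    return dict(grouped)


# Constructed sample register: the article's two action plans, plus one
# deliberately incomplete row (constructed) to show what the check reports.
SAMPLE_REGISTER = [
    Pair("Information theft", "Weak password implementation",
         ("Confidentiality",), ("Pe", "So"),
         [Action("Administrative", "Provide appropriate training", "POL-PWD"),
          Action("Technical", "Enforce strong password selection through parameters", "POL-PWD"),
          Action("Management", "Password policy approved by management", "POL-PWD"),
          Action("Management", "Users sign the password acceptance form", "POL-PWD"),
          Action("Legal", "Define disciplinary action", "POL-PWD")]).validate(),
    Pair("Information theft, unauthorized modification, nonavailability",
         "Weak network security", ATTRIBUTES, ("Ha", "Se"),
         [Action("Administrative", "Background check of network administration staff", "POL-NET"),
          Action("Technical", "Access control lists, firewall, server hardening, IDS", "POL-NET"),
          Action("Management", "Periodic review of security incidents", "POL-NET"),
          Action("Legal", "Non-disclosure agreements with networking staff and contractors", "POL-NET")]).validate(),
    Pair("Power failure", "No standby power for the data center",
         ("Availability",), ("Se", "Ha"),
         [Action("Technical", "Install UPS and generator")]).validate(),
]

if __name__ == "__main__":
    for gap in coverage_gaps(SAMPLE_REGISTER):
        print("GAP:", *gap)
    print(table4_view(SAMPLE_REGISTER))
    print(actions_by_policy(SAMPLE_REGISTER))
```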

Writing Information Security Policies

We now call upon our six honest serving men. The answers to who, what, and why will be included in the policies. How, where, and when will be answered by the procedures. The final list of information security policies may be large, as each policy will be written with a specific what in mind. The what is answered by the selection of a control objective. The control objective is defined as a “statement of the desired result or purpose to be achieved by implementing control procedures in a particular process” (Cobit 4.1, IT Governance Institute, http://www.itgi.org). Further, the control is defined as “means of managing risk, including policies, procedures, guidelines, practices, or organizational structures, which can be of administrative, technical, management, or legal nature” (ISO/IEC, 2005, 17799, http://www.iso.org).

Who will achieve the control objectives by implementing appropriate control procedures? We need to define specific roles and responsibilities. The responsible persons should clearly know why the control objective needs to be achieved. The why gives the main motivation factor behind the information security policy. It may be a legal requirement or a contractual obligation; it may be required because the organization believes it is the best practice to follow. Whatever the reason, it should be stated clearly.

We would start the process of writing the information security policies by first selecting the appropriate control objectives that need to be achieved. These can be selected from a standard such as ISO 27001, or a framework such as ISO 17799 or COBIT, or a compliance requirement such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or Basel II, or a law such as the European Union Data Protection Act. The selection will depend on the requirements of the organization. The next step will be to write appropriate policies that meet the requirements of the control objectives. This will be followed by writing the detailed procedures. The policies will cover the administrative, technical, management, and legal requirements. While writing the policy, we should ensure that the action statements fall at the right places in the policies. For example, if we have identified the threat of information theft and the vulnerability is a weak implementation of passwords, affecting the confidentiality of the information, then the action plans will be:

⦁ Administrative
  − Provide appropriate training.
⦁ Technical
  − Enforce strong password selection through appropriate parameters.
⦁ Management
  − Ensure that the password policy is approved by management.
  − Ensure user acceptance by asking them to sign the appropriate form.
⦁ Legal (or compliance) requirements
  − Define disciplinary action.


Yet another threat could be information theft, unauthorized modification, and nonavailability due to weak network security. Then the action plans will be:

⦁ Administrative
  − Background check of employees and contractors working in network administration.
⦁ Technical
  − Access control lists, firewall, server hardening, IDS, and so on.
⦁ Management
  − Periodic review of security incidents.
⦁ Legal requirements
  − Appropriate non-disclosure agreements with the networking staff and contract workers.

How Many Policies?

You can classify policies in various groups:

⦁ For a defined target group
− Everyone in the organization
− System managers, administrators
− Management
⦁ For specific topics
− Information classification
− Physical and environmental security
− Operations management
− Data communication
− Network security
− Back-up
− Access control
− Password
− Incident management
− Business continuity
⦁ Department-specific topics
− Application development
− Compliance

You may be required to define additional policies for particular topics. For example, the topic of access control could spawn many policies, such as operating system access control, database access control, remote access control, and so on. Dividing policies into target groups will help you to train people only on the policies that apply to them.

Writing Procedures and Guidelines

Remember, the how, where, and when will be answered by procedures. We need to write answers to these questions. A procedure is a step-by-step method of “how to do it.” It may be a simple thing such as selecting a password or a complex procedure for defining access control rules on the firewall. The “how” should document the entire procedure in as simple a manner as possible. If appropriate, you may use flow charts, decision tables, or any other method to convey the message. The “where” will describe the location, the workstation, or the right place where the procedure will be performed. For example, a fire evacuation test procedure will be performed in the office or the data center. The answer to “when” in this case may be the last Friday of every month, between 3.00 and 4.00 p.m. A clearly written procedure will be a great help when implementing any policy. You may also include additional guidelines to supplement the procedures. For example, a guideline on how to select a complex password that is also easy to remember will be greatly appreciated.

IMPLEMENTATION

You have completed all the back-office work. You made your six honest serving men slog day and night. Now is the time to deliver the great meal that you have cooked. Implementation is the hardest part. The acceptance by the organization depends on many factors. You will have to constantly battle with the conflicting demands of security versus ease of use. Implementation cannot be done just by issuing a fiat. Human ingenuity will always find ways of circumventing things that are viewed as obstacles. You have to take the entire organization into confidence.

Implementation at the Top

Where do you begin your efforts? The answer is, as usual, at the very top. Top management has to give its whole-hearted approval to all the policies you have developed. These policies will have proposed many changes. These changes will be of different types. Some will be mere procedural changes, but some may require a totally new approach. Some changes will be technical in nature, others will be administrative. Changes will affect everyone in some way or another. By proposing the information security policy, we are trying to introduce discipline in handling information for the organization. Discipline brings in restrictions, and restrictions are usually resented, at least in the beginning. The new information security policy may also require additional investment in people, processes, and technology. You will have to prepare budgets and also do a cost/benefit analysis to justify the expenditure.

So, you will have to prepare a full report on the new information security policy and present it to the top management forum. The report should include a complete project plan giving details of the activities required to implement the various policies. These activities will include procurement and implementation of new equipment or techniques such as a firewall, IDS, single sign-on, and so forth. It will also include training plans for the entire organization. It will specify how the implementation activities are to be monitored and reported, and answer the most important question that top management loves to ask: what is the return on security investment (ROSI)?

How do you prepare and present the report? Ask our six honest serving men to help us. Explain to the top management, through your report and presentation, the answers to the six questions we are so familiar with: what, why, how, who, where, and when.

⦁ What are the information security risks that were identified? What is the total investment in security? What is the ROSI?
⦁ Why are these risks so critical? Why is the business impact due to these risks not acceptable?
⦁ How will information security policies help mitigate these risks? How much money will be spent in procuring the security products and techniques and implementing them? How much time and money will be spent on training all the persons in the organization?
⦁ Who will be responsible for the successful implementation of these policies? Have we assigned responsibility for each policy?
⦁ Where is the implementation planned? Will the implementation happen at all locations or only at selected locations?
⦁ When is the implementation planned? Will it be a big-bang approach or a phase-wise approach?

You will have to be very well prepared to defend your proposal. An especially tricky part will be the response to the questions regarding ROSI. You will have to convince the top management that avoiding a security incident is much cheaper than paying for the losses that a security incident may cause. The return will be the savings from the potential future losses. Once you have got the approval, you have won half the battle.

The next step will be to prepare a training program especially for the top management. You will have to clearly explain their ongoing role in information security for the organization. They will have to lead the organization by setting a good example. If the boss participates in a fire evacuation drill, no one will pretend to be too busy and avoid such exercises. If the senior management regularly changes their passwords and learns how to encrypt the data on their laptops, no one will complain about the extra work involved in securing the information. The top management will have to “walk the talk” and demonstrate complete adherence to the information security policy that they have endorsed.

Implementation at the Operations Level

This is where you will train the actual implementation team. The system administrators, network administrators, and various other operations staff will be made familiar with the new information security policy. They would already be familiar with the approach. They would be specifically trained in their areas of responsibility so that they have in-depth knowledge of the technology used and the new procedures to be followed. We will seek the help of our six faithful servants to make sure that we do not miss anything of importance. We provide answers to the following questions during the implementation at this level:

⦁ What are the new requirements of the information security policy in individual areas of operation? What are the new products and procedures being implemented?
⦁ Why were these products and procedures selected?
⦁ How do these products and procedures work? How do we configure and customize them? How do we test them? How do we maintain them? How do we troubleshoot them?
⦁ Who will be responsible for each product and procedure?
⦁ Where will the products and procedures be implemented?
⦁ When will the products and procedures be operational?

We will have to design the technical training programs for the specific security products and procedures selected for the implementation. The operations persons will have to become very well versed in handling the new security measures. They will also need to be trained on the various reporting and escalation procedures. The incident management and response team will require specialized training. The business continuity and disaster recovery team will also need specialized training. All these training programs will have to be completed before the actual implementation. Operations staff should be made responsible for implementing the security controls. This will build their confidence, expertise, and sense of ownership.

Implementation for Everyone

This can only be done by a major drive to educate everyone. The right message should reach the right people. The training programs have to be designed keeping in mind the actual groups being addressed. The trainer has to talk the language of the audience. The same training that goes well with system administrators will be received with stony silence or yawns by general users. Only the relevant policies and procedures should be covered for each group. You may have to customize the training programs. The application programming group may require different training programs compared to the helpdesk staff.

The training programs should be designed to provide convincing answers to our six questions.

1. What is the objective of information security?
2. Why is it necessary to follow the information security policy of the company? Will something really go wrong if we do not follow the policy? Can you give us some examples?
3. How do we work with all these security controls around us?
4. Who is responsible for information security? Am I really responsible for every piece of information that I access?
5. Where are the security controls? Are they implemented in my area of operation? Are they implemented on e-mail servers, web servers, desktops? Are there physical security controls? Where are they located?
6. When are these security controls going to be made operational?

You may devise various ways of delivering the training. It could be classroom training, Web-based e-learning, or video-based training. There should be some amount of interactivity in any type of training. The audience should be made to participate in answering our famous six questions pertaining to the training topics designed for them. If they get involved in answering these questions, they will start appreciating the reason for the policy, the necessity of implementing the procedures and, more importantly, their own role in guarding the information assets of the organization. You have properly developed the information security policy when the end users can answer the six questions. You have correctly implemented it when they feel responsible for their role.

BIOGRAPHY

Avinash Kadam is the Chief Knowledge Resource at MIEL e-Security, a company in the domain of Information Security Consulting, Training, Implementation and Audit. He has worked in the I.T. industry for more than 35 years, of which the past 10 years were totally focused on Information Security. He has handled major information security consulting projects for large organizations.
