
June 15, 1998
INTRANET ADVISOR
Steven L. Telleen

Establishing a Formal Policy for Corporate Security
Q: Our management has asked for a formal security policy for our intranet. How does one go about developing such a policy?
A: The first step is to develop a written security charter. It is a good idea to have this charter, as well as any ensuing policies, developed by a cross-organizational group that includes those departments responsible for current computer security policies, your company's Web "council," and representatives from any business units interested in security.
Your company should develop specific security policies in three major areas:
- Responsibilities for protecting information and resources
- Attempts to circumvent access controls or intended use
- Actions on termination of employment.
The security charter itself should consist of two parts: a goals statement and a responsibility statement. The goals a company chooses will help define a strategy and will provide an idea of where the enterprise stands on balancing value vs. cost, business requirements vs. risk, and openness vs. gatekeeping.
Another thing you should consider is whether your policy is one of allowing open access, except to sites specifically identified for denial, or one of denying access to everything except sites specifically identified for access. The first is a default-allow policy enforced by a deny list; the second is a default-deny policy enforced by an allow list, so a site that has not yet been classified is blocked rather than reachable. Abiding by one policy or the other will have very different impacts on the culture, productivity, and innovation of your organization.
The responsibility section explains how security will be administered within your enterprise. This section should include who (which organization and which position) is responsible for maintaining and monitoring the corporate intranet security strategy and policy, and who is responsible for reviewing and approving that strategy and policy.

The responsibility statement should also include a detailed description of how the function and strategy fit with other security organizations in the enterprise, and what is expected of each organization.
TAKING RESPONSIBILITY
The second step in creating an intranet security policy is to write up a process describing how responsibility for intranet security will be delegated, implemented, and enforced. This includes a management section and an individual employee section.
The management section should contain a description of responsibilities at each organizational and management level, as well as your company's security objectives and how those objectives will be monitored.

The objectives, of course, should be consistent with the goals in your charter. Where appropriate, you may wish to provide standards to help each manager make decisions consistent with overall corporate goals and policies.

Standards and security classifications can be particularly useful in helping managers determine when they need to classify (or not classify) a specific type of information.
An effective security implementation also requires a clear statement of employee responsibilities, expectations, and sanctions. Remember that no matter how clear it is, a statement is useless if employees are not aware of its existence.

You should follow the statement with a well-defined employee communication program that addresses not only the initial introduction of expected responsibilities to each employee but also ongoing awareness training. Your company can do this in conjunction with other security awareness programs and Internet standards programs.
FOLLOW THROUGH
The third step in creating an intranet security policy is defining an audit program to monitor and manage compliance and risk. The security policy should explicitly call for regular audits, both internally and by independent auditors, and define how they will happen and who in the enterprise will be apprised of the audit results.
For servers with sensitive information (and this includes the firewall protecting the intranet), a program of continual logging, analysis, and monitoring of activity for suspicious patterns is critical. Those logs should be copied to a host the monitored systems cannot alter, so that an intruder who compromises a server cannot also erase the record of how it happened. A program of active intrusion testing (checking for vulnerabilities) is also a good idea, with its scope and authorization written into the policy.
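The "suspicious patterns" the column calls for have to be spelled out somewhere, and the simplest place to start is a scanner over the firewall's own log. The following is an added example, not code from the column or its author: a small Python analyzer over a constructed, simplified log format ("timestamp ACCEPT|DENY src -> dst:port"). The intranet address block, the list of sensitive hosts, the deny-burst threshold and the business-hours window are all assumptions standing in for the classifications a real policy would define.

```python
"""Scan firewall log lines for suspicious patterns (added example).

The log format, address block, sensitive-host list, thresholds and
business hours below are assumptions, not taken from the column.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Constructed line format: "<ISO timestamp> <ACCEPT|DENY> <src> -> <dst>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Assumed environment: the intranet block and the hosts holding sensitive data.
INTRANET = ip_network("10.0.0.0/8")
SENSITIVE_HOSTS = {"10.1.1.20": "payroll-db", "10.1.1.30": "hr-files"}

DENY_THRESHOLD = 5                  # this many DENYs from one source ...
DENY_WINDOW = timedelta(minutes=1)  # ... inside this window looks like a probe
BUSINESS_HOURS = range(8, 18)       # 08:00 to 17:59; assumed policy value


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "port": int(m["port"]),
    }


def find_suspicious(lines):
    """Return a list of (rule, detail) findings, in log order."""
    findings = []
    recent_denies = defaultdict(deque)  # src -> timestamps of DENYs in window
    alerted_scan = set()                # sources already reported, once each
    for line in lines:
        ev = parse(line)
        if ev is None:
            # An unparsable line is itself worth a look: tampering or a format change.
            findings.append(("unparsable", line.strip()))
            continue
        src, dst = ev["src"], ev["dst"]
        if ev["action"] == "DENY":
            q = recent_denies[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > DENY_WINDOW:   # drop entries outside window
                q.popleft()
            if len(q) >= DENY_THRESHOLD and src not in alerted_scan:
                alerted_scan.add(src)
                findings.append(("deny-burst", f"{src}: {len(q)} denies within {DENY_WINDOW}"))
        elif str(dst) in SENSITIVE_HOSTS:
            name = SENSITIVE_HOSTS[str(dst)]
            if src not in INTRANET:
                findings.append(("external-to-sensitive", f"{src} -> {name}:{ev['port']}"))
            elif ev["ts"].hour not in BUSINESS_HOURS:
                findings.append(("off-hours-sensitive",
                                 f"{src} -> {name}:{ev['port']} at {ev['ts'].time()}"))
    return findings


# Constructed sample log: one probe burst, one external hit on a sensitive
# host, one off-hours internal access, and one line the parser cannot read.
SAMPLE_LOG = """\
2024-03-04T09:12:01 ACCEPT 10.2.3.4 -> 10.1.1.20:1433
2024-03-04T09:12:05 DENY 203.0.113.9 -> 10.1.1.20:1433
2024-03-04T09:12:06 DENY 203.0.113.9 -> 10.1.1.20:22
2024-03-04T09:12:07 DENY 203.0.113.9 -> 10.1.1.30:445
2024-03-04T09:12:08 DENY 203.0.113.9 -> 10.1.1.30:22
2024-03-04T09:12:09 DENY 203.0.113.9 -> 10.1.1.40:80
2024-03-04T09:12:10 DENY 203.0.113.9 -> 10.1.1.41:80
2024-03-04T09:30:00 ACCEPT 198.51.100.7 -> 10.1.1.30:445
2024-03-04T23:15:00 ACCEPT 10.5.5.5 -> 10.1.1.20:1433
2024-03-04T23:16:00 ACCEPT 10.5.5.5 -> 10.1.1.50:80
garbage line
"""

if __name__ == "__main__":
    for rule, detail in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{rule:24} {detail}")
```

Each rule here maps back to a policy statement: the deny-burst rule assumes the policy says probing is circumvention, the external-to-sensitive rule assumes the classification of those two hosts, and the off-hours rule assumes the policy defines normal working hours. Changing the policy means changing the constants, not the scanner.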
In summary, your company's security policy should provide clear, brief statements on
- Who the policy applies to
- What behaviors are expected
- Who is responsible for enforcement
- How compliance will be monitored
- The sanctions for noncompliance.