June 15, 1998
Establishing a Formal Policy for Corporate Security
Q: Our management has asked for a formal security policy for our intranet. How does one go about developing such a policy?
A: The first step is to develop a written security charter.
It is a good idea to have this charter, as well as any ensuing policies, developed by a cross-organizational group that includes the departments responsible for current computer security policies, your company's Web "council," and representatives from any business units with an interest in security.
Your company should develop specific security policies in three major areas, each covered in turn below: responsibility, management, and employee responsibilities.
Another thing you should consider is whether your policy is one of allowing open access except to sites specifically identified for denial (default allow), or one of denying access to everything except sites specifically identified for access (default deny). The two stances differ in how they fail: under default allow, a site nobody has reviewed yet is reachable; under default deny, it is blocked until someone approves it. Abiding by one policy or the other will therefore have very different impacts on the culture, productivity, and innovation of your organization.
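To make the difference between the two stances concrete, here is an added example (not code from the original column) that applies each policy to a hypothetical set of destination hostnames. The deny list, allow list, and hostnames are constructed for illustration; the only generalization beyond the text is that a listed site also covers its subdomains.

```python
"""Default-allow (deny list) vs default-deny (allow list) site access.

Added illustration; the lists below are constructed, not from the column.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed sample lists. In practice these come from the written policy.
DENY_LIST = {"gambling.example", "warez.example"}
ALLOW_LIST = {"intranet.example", "partner.example", "vendor.example"}


def _matches(host: str, sites: Iterable[str]) -> bool:
    """True if host is one of `sites` or a subdomain of one.

    Assumption: a listed site covers its subdomains, so "www.partner.example"
    matches "partner.example". Case and a trailing dot are ignored.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in sites)


def default_allow(host: str) -> bool:
    """Open access except to sites specifically identified for denial."""
    return not _matches(host, DENY_LIST)


def default_deny(host: str) -> bool:
    """No access except to sites specifically identified for access."""
    return _matches(host, ALLOW_LIST)


def compare(hosts: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Return {host: (allowed under default-allow, allowed under default-deny)}."""
    return {h: (default_allow(h), default_deny(h)) for h in hosts}


if __name__ == "__main__":
    # Constructed sample requests. The last host is on neither list: it is the
    # case where the two policies diverge and where the cultural impact shows.
    for host, (open_policy, closed_policy) in compare(
        ["www.partner.example", "warez.example", "newsite.example"]
    ).items():
        print(f"{host:22} default-allow={open_policy!s:5} default-deny={closed_policy}")
```

The unlisted host is the one worth watching: it passes under default allow and is blocked under default deny, which is exactly the trade-off between openness and the review burden the column describes.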
The responsibility section explains how security will be administered within your enterprise. This section should include who (which organization and which position) is responsible for maintaining and monitoring the corporate intranet security strategy and policy, and who is responsible for reviewing and approving that strategy and policy.
The responsibility statement should also include a detailed description of how the function and strategy fit with other security organizations in the enterprise, and what is expected of each organization.
The management section should contain a description of responsibilities at each organizational and management level, as well as your company's security objectives and how those objectives will be monitored.
The objectives, of course, should be consistent with the goals in your charter. Where appropriate, you may wish to provide standards to help each manager make decisions consistent with overall corporate goals and policies.
Standards and security classifications can be particularly useful in helping managers determine when they need to classify (or not classify) a specific type of information.
An effective security implementation also requires a clear statement of employee responsibilities, expectations, and sanctions. Remember that no matter how clear it is, a statement is useless if employees are not aware of its existence.
You should follow the statement with a well-defined employee communication program that addresses not only the initial introduction of expected responsibilities to each employee but also ongoing awareness training. Your company can do this in conjunction with other security awareness programs and Internet standards programs.
For servers holding sensitive information (and this includes the firewall protecting the intranet), a program of continual logging, analysis, and monitoring of activity for suspicious patterns is critical. A program of active intrusion testing, in which you check your own systems for vulnerabilities before an attacker does, is also a good idea.
In summary, your company's security policy should provide clear, brief statements on