Welcome!

Linux Containers Authors: Yeshim Deniz, Liz McMillan, Pat Romanski, Elizabeth White, Stefana Muller

Related Topics: Linux Containers, Containers Expo Blog

Linux Containers: Article

Creating IT Security Policies

An uncompromised necessity in today's business

It's no secret to technical developers that security issues need to be taken into consideration when developing policies. However, the extent of those security issues can easily be overlooked by many organizations.

You may be familiar with blended threats, those that combine the most harmful characteristics of worms, viruses, Trojan horses, and malicious code to exploit existing computer and Internet vulnerabilities. The effects of blended threats are evident with a look back at the Slammer, SoBig, and Blaster worms. These fast-spreading worms disrupted network operations and services around the world and garnered much attention. In addition, they cost companies down time, productivity loss, and many dollars.

The speed and severity of blended threats are not the only things companies should be immediately concerned about - many new threats are lurking around the corner with even more malice and destruction. There are many theorized attacks such as Warhol, Flash, and zero-day threats. These types of threats can spread across the entire Internet community even quicker and can exploit vulnerabilities before they are even recognized. Because these threats will leave little, if any, time to respond, the reactive security measures of the past are no longer sufficient. While they exist only in theory, these threats are driving public and private institutions to feel a greater sense of urgency regarding information security. Add to the increased availability of progressively sophisticated hacker tools for exploiting security vulnerabilities, and the drawbacks of reactive security become clear. Companies now must be proactive in regard to security measures. In addition, IT security and creating IT security policies need to be on the forefront of company agendas.

While most organizations profess to have some type of information security policy, many do not have official policies, in writing, for workers to follow. Having specific written policies in place and making all workers aware of the policies is crucial. These policies must also be taken seriously and enforced by the organization. However, all policies must relate directly to the specific business needs of the organization, so a detailed assessment and approach to creating these policies is important.

One of the most significant issues companies face is the need to comply with industry standards and government regulations for secure business. Industry guides such as the International Standards Organization (ISO) 17799 and government regulations such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act help provide a framework for improved corporate governance and controls. Accurately written and enforced, information security policies enable organizations to not only demonstrate their adherence to these critical regulations and standards but also to articulate their own requirements for mitigating risk.

Creating a Security Policy Task Force

The first step to creating security policies is to identify a task force. A typical security policy task force for a larger enterprise might include a member of senior management, IT directors, an information security expert, auditors, a human resources representative, legal counsel, and a public relations manager. The creation of a task force is extremely important; without it, the information security policy is weakened and less likely to be taken seriously by employees.

Each member of the task force will provide a unique contribution to the team. Garnering the support of a security professional helps ensure that the policy reflects relevant threats and recommended steps to mitigate risk. Input from auditors helps pinpoint the current type of computer-related activities within the company, and human resources personnel can provide direction pertaining to implementation, education, training, and enforcement. Involvement of legal counsel is important to ensure that the information security policy protects company assets, does not violate employees' rights, and addresses applicable laws and regulations. The public relations manager can help set up a communications plan for dealing with the media and keeping stakeholders informed as the company responds to security incidents. Once it is written, the security policy should be signed at the highest corporate level possible to demonstrate the corporation's commitment to information security.

Risk Assessment

Risk assessment is the next step in the process. Risk assessment is the challenging process of weighing security versus exposure. Similar to a business impact analysis, risk assessment pinpoints whether information is underprotected, overprotected, or adequately protected. When assessing which problems would create the most damage, businesses must keep in mind the following variables for each piece of data housed on their networks:
  • What resources are organizations interested in protecting?
  • What is the value of those resources, monetary or otherwise?
  • What possible threats do those resources face?
  • What is the likelihood of those threats being realized?
  • What would be the impact of those threats on the business, employees, or customers, if those threats were realized?
When determining the value of an asset, organizations must consider both its monetary value and its intrinsic value. Monetary value can be determined by considering what would happen if the asset were unavailable for any reason. While many businesses place value on monetary worth, the individual assessing the risk also must place value on intrinsic value. Intrinsic value is the loss of data, loss of privacy, legal liability, unwanted media exposure, loss of customer or investor confidence, and the costs associated with repairing security breaches. Once information assets are identified and valued, threats to those assets must be evaluated through risk assessment.

Although types of sensitive data can be quite broad and can vary from organization to organization, there are a few key types of information that every business should plan to protect. These include all data related to strategic plans, business operations, and financial data. Damage to or loss of any of this information can result in decreased sales, reduced competitive advantage, and decreased profits for the victimized company.

A Security Suite

What is traditionally referred to as a corporate information security policy is actually a suite of documents, including the actual security policy as well as a standards document and a procedures document. The security policy is the smallest of the three; in many cases, a good security policy might be a short two-page document.

While the actual security policy is brief, it is critically important. It touches on four key elements: to whom and what the policy applies, the need for adherence, a general description, and consequences of nonadherence. These key elements provide the framework for the remaining documents. Once the security policy document is complete, it must also be approved and signed by the most senior manager in the organization, then made available to all employees.

The next document in the security policy suite defines what needs to be done to implement security. An information security standards document also describes which security controls are required and which controls apply to each element in the environment.

A typical document set of this sort addresses a variety of security issues, from roles and responsibilities of security personnel to protection against malicious code, information and software exchange, user responsibilities, mobile computing, access control, and more. Standards documents also often detail such issues as systems security requirements, the security of applications and files, and security in development and support processes. In addition, compliance issues - whether legal requirements, security or technical reviews, or audits -are also outlined in a standards document as are government regulations and industry standards. The good news is that like the security policy the information security standards is usually created once; from then on, the document is changed only if new systems, applications, or regulations are introduced.

The information security procedures document is the final component of the corporate information security policy suite and is the largest and most frequently altered document in the suite. This is the last word in the corporation's information security plan and spells out how security controls must be implemented and managed. Procedures are mapped to standards, and complying with any given standard typically requires that many procedures or tasks be completed. With this document, accuracy can make the difference between a solid and enforceable policy and one that is easily dismissed and not followed.

Protection and Uptime

While the effort to create a security policy, standards, and procedures documents is substantial, the rewards can also be significant. Enforcing and measuring compliance is a serious and important step for a growing number of companies. Government legislation continues to call for increased security checks and balances across the entire corporate environment, so enforcement and protection of these efforts is crucial.

Making it easier for organizations to meet their compliance goals, automation tools are available that discover and report on vulnerabilities, then deliver concise and prioritized information to security administrators. With these tools, corporations can focus on resolving security issues, protecting critical assets, and ensuring business continuity within organizations.

Conclusion

It is understandable that the complexity of today's digital environment calls for security strategies to manage business risks while proactively protecting corporate assets and making sure employees comply. While Internet threats accelerate and become increasingly sophisticated and effective, organizations must strengthen their security posture through intelligent security management that is up-to-date and that incorporates new vulnerabilities. A strong security policy that is strictly enforced will provide the foundation for a secure business environment - an uncompromised business necessity.

More Stories By Ronald van Geijn

Ronald van Geijn is director of product marketing at Symantec, where he leverages nearly a decade of IT and security expertise to develop the company's marketing strategy for the vulnerability assessment, policy compliance product lines, as well as the Symantec Security Management System.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, @CloudEXPO and DXWorldEXPO are two of the most important technology events of the year. Since its launch over eight years ago, @CloudEXPO and DXWorldEXPO have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, we provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science" is responsible for guiding the technology strategy within Hitachi Vantara for IoT and Analytics. Bill brings a balanced business-technology approach that focuses on business outcomes to drive data, analytics and technology decisions that underpin an organization's digital transformation strategy.
DXWorldEXPO LLC, the producer of the world's most influential technology conferences and trade shows has announced the 22nd International CloudEXPO | DXWorldEXPO "Early Bird Registration" is now open. Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22nd international CloudEXPO | first international DXWorldEXPO and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time t...
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform and how we integrate our thinking to solve complicated problems. In his session at 19th Cloud Expo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and sh...
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.