Think Tank Articles - http://www.thinktankarticles.com
Information Security Requires Only One Policy
http://www.thinktankarticles.com/articles/13115/1/Information-Security-Requires-Only-One-Policy/Page1.html
Donald Johnston
I started consulting because of my work experience in: Systems Management - processes used to manage information systems; IT Architecture - infrastructure definition & readiness; Security - Privacy and Trust; & Education - curriculum development & course delivery. http://www.maseconsulting.com
By Donald Johnston
Published on 02/6/2010
 
Large "P" policy vs small "p" policies

In many cases the word "policy" is overused in information security to refer not only to what should truly be a high-level statement but also to what are actually standards and guidelines. The real structure should consist of a policy supported by a strategy with metrics, standards, guidelines, and procedures.

This structure is dictated by how the documents are used and by the level at which they must be authorized: for example, the CEO and Board usually authorize the policy, which then gives the CISO the authority to develop all remaining materials.

Organizational Assets

An organization has valuable corporate assets that should be protected. It utilizes four major asset types: people, information, infrastructure, and money. To survive, an organization must properly manage all of its assets, and "to manage" something implies the need "to secure" it. This article focuses on the information asset and the document set required to ensure its proper protection.

What is meant by "Information"?

In the context of "Information Security" the term information is used inclusively to cover data, information, and knowledge.
Since we're looking at Information Security here, we should define what is meant by "information". The question needs answering because of the hierarchy of data, information, knowledge, understanding, and wisdom, as follows:

- data - the raw numbers collected (for example, the age of everyone in a community)

- information - data that has been processed to be useful (e.g. the average age of the people, the number of people by 5-year age group, the oldest person, etc.)

- knowledge - an application of the data and information (e.g. knowing that the majority of the people are from 15 to 25 years old, maybe we want to sell games in this community)

- understanding - an appreciation of why (e.g. it's always people in their late teens and early twenties that have money but still enjoy gaming)

- wisdom - knowledge that is endowed with age and experience (e.g. how do people like to receive a message? what's the best way to market to this group?)

And what is "Information Security"?

Information Security is a lot more than computer security! So what exactly is "Information Security" then? The first step is to look at where information exists so we don't confuse it with "Information System Security" or "Information Technology Security" (i.e. IS or IT Security). Information storage may be moving toward electronic systems, but we are still a long way from the paperless world. Information is found on many different media: paper, microform, computers, CDs, and yes, even in our brains. So unless we're looking at all of these we won't have Information Security.

Information Security is the protection of information, wherever it might exist, from disclosure, modification, destruction, or misuse. This ensures that the "right people" get the "right information" at the "right time" for the "right reasons".

Strategy, Policy, Standards, Guidelines, and Procedures Definitions

What then is to be included in each of the document types?

- Strategy: A strategy consists of a list of objectives, the processes to be followed to meet those objectives, and the metrics that let you know when you've met those objectives.

- Policy: A policy is a high-level statement that provides a framework of expected and mandated behaviour of workers, management, technology, and processes. It includes instructions, procedures, courses of action, and principles that are mandatory within the organization.

- Standards: Standards outline specific processes and technologies within an organization, such as implementation steps, systems design, operating systems, applications, interfaces, and algorithms.

- Guidelines: Guidelines are optional and recommended behaviour of workers, management, technology, and processes. The difference between many policies and guidelines is that words such as "shall" or "must" in policies are replaced with "should" in guidelines.

- Procedures: Procedures are a detailed, ordered list of the steps of a process that individuals must follow while conducting that process.