Wednesday, February 20, 2008

My Last Three Identity Management Implementations: A Comparative Analysis


Stay tuned for key learnings and analysis. Till then, goodbye.


Must Read Identity management links

Please follow the must-read links below if you want to learn identity management:
http://msdn2.microsoft.com/en-us/library/aa480030.aspx
http://www.courion.com/
http://www.oracle.com/technology/products/id_mgmt/index.html

Saturday, January 26, 2008

What are the compliance requirements for PCI DSS?

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Monday, January 14, 2008

The story of credit card theft - Part -1

The recent credit card thefts that took place at TJX and OfficeMax retail stores are very common in spite of a lot of government and industry mandates. The moment you make a purchase using your credit card, chances are that the device being used by the company hasn't been updated for the last 10-15 years, which is a bit scary.

Visa, MasterCard and the like have, at their level, instituted good protection systems, security standards and policies, but in the complete transaction cycle the merchant application (retail store etc.) remains in a risky state due to lack of awareness or support from the business, making it the MOST VULNERABLE POINT in the financial transaction. Hence, most security breaches happen to systems that involve large retail stores, gas stations etc. They are largely an open invitation to part-time computer geeks with access to the internet.

Here is how it happens: the moment you swipe your card, the credit card details are captured raw (plain text or weak encryption) and then sent from the local retail center server to the central system as part of the daily consolidation. A hacker or wrongdoer who gained access to this local system might be able to get 200-400 active credit accounts. Smart hackers, however, look into the upstream system and find a way into the main server, where the number could be in the range of 40-45 million CREDIT CARD ACCOUNTS. Once the hacker is able to get into the main central system, he can also get access to:

1) Credit card number
2) Expiration date details
3) CVV number (remember the security code that most websites ask for as a second validation? This is also not foolproof)
4) Private information: home address, telephone number etc.
5) Your authentication details if the merchant runs websites for e-business

This is what might have happened to TJX and OfficeMax stores.
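The two weak points described above (card details captured raw at the point of sale, and CVV and other data sitting on the merchant's systems) are exactly what PCI DSS Requirement 3 in the post above addresses. As an added example, not code from this blog or from any card brand or PCI SSC publication, here is a small Python module that reduces a swipe record to what may be kept after authorization and scans log lines for card numbers written in the clear. The swipe record, the log lines and the shared layout are constructed; the PAN 4111111111111111 is a well-known Luhn-valid test number, not a real account.

```python
"""PCI DSS Requirement 3 in practice: what from a card swipe may be kept.

Added example, not code from the original post or from any card brand or
PCI SSC publication. The swipe record and log lines are constructed; the
PAN 4111111111111111 is a Luhn-valid test number, not a real account.
"""
import re

# Constructed swipe record as a point-of-sale device might capture it.
SAMPLE_SWIPE = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/09",
    "cardholder": "J DOE",
    "cvv": "123",                                        # sensitive authentication data
    "track2": "4111111111111111=09121010000000000000",   # sensitive authentication data
}

# Fields PCI DSS forbids storing after authorization, even encrypted.
SENSITIVE_AUTH_DATA = {"cvv", "cvc", "cvv2", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum that every real PAN satisfies (filters out other digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate/mask: at most the first six and last four digits stay readable."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(swipe: dict) -> dict:
    """Reduce a swipe record to what may be written to the local store.

    Sensitive authentication data is dropped and the PAN is truncated. If the
    business needs the full PAN later (e.g. for the daily consolidation), it
    must instead be rendered unreadable with strong encryption or tokenization;
    truncation is the simplest option and is what is shown here.
    """
    digits = re.sub(r"\D", "", swipe["pan"])
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("PAN failed length/Luhn check")
    stored = {k: v for k, v in swipe.items() if k.lower() not in SENSITIVE_AUTH_DATA}
    stored["pan"] = mask_pan(digits)
    return stored


# A run of 13-19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_exposed_pans(lines):
    """Scan log lines for PANs written in the clear; returns (line_no, masked_pan).

    The Luhn check weeds out most timestamps and batch ids, but about one in
    ten random digit runs passes it, so hits still deserve a human look.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((n, mask_pan(digits)))
    return hits


# Constructed POS log: line 1 leaks a full PAN, line 2 is properly masked,
# line 3 carries a 14-digit batch id that is not a card number.
SAMPLE_LOG = [
    "2008-01-14 09:12:01 POS-07 auth ok pan=4111111111111111 amt=42.10",
    "2008-01-14 09:12:05 POS-07 auth ok pan=411111******1111 amt=42.10",
    "2008-01-14 09:13:44 POS-07 batch id=20080114091344 records=57",
]

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_SWIPE))
    print(find_exposed_pans(SAMPLE_LOG))
```

Running the module prints the stored record with the CVV and track data gone and the PAN masked, and reports only the first log line as a leak. The scanner is the kind of check a merchant can run over its own POS and consolidation logs to catch the "captured raw" situation before an attacker does.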

Stay tuned for more information:
- How to manage this information?
- What protection systems are possible?
- What are the various governmental and industry mandates?
- What are credit card companies doing to ensure better protection of your credit card account?

Till then STAY TUNED…

Saturday, September 01, 2007

Identity Management: Passing thought... I found this somewhere...


Saturday, October 28, 2006

Did you miss the bus regarding Network Security?

"The network is the computer": Sun Microsystems' network vision is more than a reality. With the use of networks for sharing information come additional risks that contribute to network security concerns.

1) Distributed File Storing - Concerns

File servers can control users' access to various parts of the file system. This is usually done by allowing a user to attach a certain file system (or directory) to the user's workstation, to be used as a local disk. This presents two potential problems. First, the server may only provide access protection at the directory level, so that a user granted access to a directory has access to all files contained in that directory. To minimize risk in this situation, proper structuring and management of the network file system is important. The second problem is caused by inadequate protection mechanisms on the local workstation. For example, a personal computer (PC) may provide minimal or no protection of the information stored on it. A user who copies a file from the server to the local drive on the PC loses the protection the file had when it was stored on the server. For some types of information this may be acceptable; other types of information may require more stringent protection. This requirement focuses on the need for controls in the PC environment.

2) Remote Computing - Concerns

Remote computing must be controlled so that only authorized users may access remote components and remote applications. Servers must be able to authenticate remote users who request services or applications. These requests may also call for the local and remote servers to authenticate to each other. The inability to authenticate can lead to unauthorized users being granted access to remote servers and applications. There must be some level of assurance regarding the integrity of applications utilized by many users over a network.

3) Topologies and Protocols - Concerns

The topologies and protocols used today demand that messages be made available to many nodes in reaching the desired destination. This is much cheaper and easier to maintain than providing a direct physical path from every machine to every machine. (In large networks, direct paths are not feasible.) The possible threats inherent include both active and passive wiretapping. Passive wiretapping includes not only information release but also traffic analysis (using addresses, other header data, message length, and message frequency). Active wiretapping includes message stream modifications (including modification, delay, duplication, deletion or counterfeiting).

4) Messaging Services - Concerns

Messaging services add additional risk to information that is stored on a server or in transit. Inadequately protected email can easily be captured and perhaps altered and retransmitted, affecting both the confidentiality and integrity of the message.
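The threats in sections 3 and 4 above (active wiretapping with message modification, duplication, deletion or counterfeiting, and email that is captured, altered and retransmitted) are what keyed integrity tags and sequence numbers exist to detect. As an added example, not code from this post, here is a Python sender/receiver pair in which every message carries an HMAC over its sequence number and body; the receiver rejects modified or counterfeit messages and flags replays and gaps. The shared key and the "order" messages are constructed for the demonstration. Only integrity and authenticity are covered: passive wiretapping (information release) would additionally require encrypting the body, which is left out here.

```python
"""Detecting active wiretapping on a message stream with keyed integrity tags.

Added example, not code from the original post. A sender tags each message
with an HMAC over a sequence number and the body; the receiver verifies the
tag and tracks sequence numbers, so modification, counterfeiting, replay /
duplication and deletion all surface. The shared key is constructed for the
demonstration. Confidentiality (encryption of the body) is not addressed.
"""
import hashlib
import hmac
import json


def tag_for(key: bytes, seq: int, body: str) -> str:
    # Canonical JSON so seq and body cannot be re-split into a different pair.
    data = json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, body: str) -> dict:
        self.seq += 1
        return {"seq": self.seq, "body": body, "tag": tag_for(self.key, self.seq, body)}


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.expected = 1          # next sequence number we should see

    def receive(self, msg: dict) -> str:
        """Return 'ok', 'gap', 'replay' or 'bad_tag' for one delivered message."""
        # 1. Integrity/authenticity first: a bad tag means modified or counterfeit.
        if not hmac.compare_digest(tag_for(self.key, msg["seq"], msg["body"]), msg["tag"]):
            return "bad_tag"
        # 2. Sequence check: lower than expected means duplicate or replay.
        #    (A merely delayed message also lands here; telling the two apart
        #    needs a replay window or timestamps, which are omitted.)
        if msg["seq"] < self.expected:
            return "replay"
        # 3. Higher than expected means something in between was deleted or delayed.
        status = "gap" if msg["seq"] > self.expected else "ok"
        self.expected = msg["seq"] + 1
        return status


def simulate() -> list:
    """Run a constructed scenario covering each message-stream modification."""
    key = b"constructed-shared-secret-not-for-real-use"
    sender, receiver = Sender(key), Receiver(key)
    msgs = [sender.send(f"order {i}") for i in range(1, 5)]   # seq 1..4
    results = [receiver.receive(msgs[0])]                      # delivered intact -> ok
    tampered = dict(msgs[1], body="order 2 amount=999")        # modification in transit
    results.append(receiver.receive(tampered))                 # -> bad_tag
    results.append(receiver.receive(msgs[1]))                  # original arrives -> ok
    results.append(receiver.receive(msgs[1]))                  # duplicated -> replay
    results.append(receiver.receive(msgs[3]))                  # msgs[2] deleted -> gap
    forged = Sender(b"some-other-key").send("order 5")         # counterfeit, wrong key
    results.append(receiver.receive(forged))                   # -> bad_tag
    return results


if __name__ == "__main__":
    print(simulate())
```

The tag is checked before the sequence number so that an attacker cannot influence the receiver's state with an unauthenticated message. `hmac.compare_digest` is used rather than `==` to avoid leaking tag bytes through timing.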

5) Other Network Security Concerns

Other network security problems include:

· Inadequate network management and security policies
· Lack of training for proper network usage and security
· Inadequate protection mechanisms in the workstation environment
· Inadequate protection during transmission.

A weak security policy also contributes to the risk associated with a network. A formal security policy governing the use of networks should be in place to demonstrate management's position on the importance of protecting valued assets. A security policy is a concise statement of top management's position on information values, protection responsibilities and organizational commitment (Security strategy and implementation are discussed later). A strong network security policy should be in place to provide direction and support from the highest levels of management. The policy should identify the role that each employee has in assuring that the network and the information it carries are adequately protected.

The network security policy should stress the importance of network management and provide support for it. Network management should be given the necessary funding, time and resources. Poor network management may result in security lapses. The resulting problems could include security settings becoming too lax, security procedures not being performed correctly, and even the necessary security mechanisms not being implemented.

The use of PCs in the network environment can also contribute to the risk of the network. In general, PCs have a relative lack of control with regard to authenticating users, controlling access to files, auditing etc. In most cases, the protection applied to information that is stored and processed on a server does not follow the information when it is sent locally to a PC.

Lack of user awareness regarding the security of the network can also add risk. Users who are not familiar with the security mechanisms, procedures etc. may use them improperly and perhaps less securely. Responsibilities for implementing security mechanisms and procedures and following the policies regarding the use of the PC in a network environment, usually fall on the user of the PC. Users must be given the proper guidance and training necessary to maintain an acceptable level of protection in the network environment.

Section 404 SOX Compliance

A complete federated identity access management and collaboration platform to comply with Sarbanes-Oxley.

Business problem

The Sarbanes-Oxley Act (SOX) was passed to reform the accounting practices, financial disclosures and corporate governance of public companies.

Section 404 of SOX requires management to perform an annual assessment of internal controls over financial disclosures and to obtain attestation from external auditors.

Compliance requires major changes in corporate governance, accounting, auditing and financial reporting practices. It requires companies to strengthen and document their internal controls and corporate IT systems to support the affected business processes. It requires adherence to structured, documented identity access management security practices that protect information.

Compliance creates new demands on IT. Systems once thought to be secure and capable of maintaining user confidentiality must be readdressed. Unauthorized access to systems and the data they contain may unwittingly permit individuals to alter information or commit acts of fraud that may damage the company and cause it to violate regulatory standards.

SOX is just one of many pieces of legislation that require this level of compliance: the Gramm-Leach-Bliley Act (GLB), 21 CFR Part 11, HIPAA, and the California Database Security Breach Notification Act are examples of the many items enacted within the last several years.
Solution

Properly protecting systems is a three-fold process:

1) Ensure that only authorized users are allowed access to systems.

2) Employ access granularity that specifically defines what people can view or what actions they can take once they have gained access to the systems. For example, a financial analyst may be granted access to view financial data for report construction but not be allowed to initiate a transaction or modify the information.

3) Maintain centralized control over who is authorized to access particular systems and what information within the system they are authorized to access, and when a user leaves the company, ensure their access rights are completely revoked from all systems.
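The three controls above (authorized users only, granular rights per system and action, and central revocation when someone leaves) map directly onto a small central authorization service. As an added example, not code from this post or from any vendor's product, here is a Python sketch of such a service with a role model, a fail-closed authorization check that writes an audit trail for the auditors, and a one-step offboarding that revokes access on every system. The roles, users and system names (financial_analyst, treasury_officer, alice, bob, ledger, reporting) are constructed for the demonstration.

```python
"""Central authorization service for SOX-style access control.

Added example, not code from the original post or any product. Shows the
three controls: only known users get in, rights are granular per system and
action, and offboarding revokes everything centrally. All role, user and
system names are constructed.
"""
from collections import defaultdict


class AccessControlService:
    def __init__(self):
        self.role_grants = defaultdict(set)   # role -> {(system, action)}
        self.user_roles = defaultdict(set)    # user -> {role}
        self.audit_log = []                   # every decision, for attestation

    def define_role(self, role: str, grants) -> None:
        self.role_grants[role].update(grants)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_grants:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def authorize(self, user: str, system: str, action: str) -> bool:
        # Fail closed: unknown users and actions not granted by any role are denied.
        allowed = any((system, action) in self.role_grants[r]
                      for r in self.user_roles.get(user, ()))
        self.audit_log.append((user, system, action, "ALLOW" if allowed else "DENY"))
        return allowed

    def offboard(self, user: str) -> list:
        """Leaver: revoke every right on every system in one central step."""
        systems = sorted({sys for r in self.user_roles.get(user, ())
                          for sys, _ in self.role_grants[r]})
        self.user_roles.pop(user, None)
        self.audit_log.append((user, "*", "*", "REVOKED"))
        return systems


def demo() -> dict:
    """Constructed scenario: an analyst may view but not post; then she leaves."""
    acs = AccessControlService()
    acs.define_role("financial_analyst", {("ledger", "view"), ("reporting", "view")})
    acs.define_role("treasury_officer", {("ledger", "view"), ("ledger", "post_transaction")})
    acs.assign("alice", "financial_analyst")
    acs.assign("bob", "treasury_officer")
    out = {
        "alice_view": acs.authorize("alice", "ledger", "view"),               # True
        "alice_post": acs.authorize("alice", "ledger", "post_transaction"),   # False
        "bob_post": acs.authorize("bob", "ledger", "post_transaction"),       # True
        "stranger": acs.authorize("mallory", "ledger", "view"),               # False
    }
    out["revoked_from"] = acs.offboard("alice")                               # both systems
    out["alice_after"] = acs.authorize("alice", "ledger", "view")             # False
    out["denials"] = [e for e in acs.audit_log if e[3] == "DENY"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Because rights are attached to roles rather than to individual accounts, the "view but do not post" distinction from the example is a single role definition, and because every system consults the same service, offboarding is one call rather than a hunt through each application's own user list. The audit log of ALLOW/DENY decisions is the evidence an external auditor asks for under Section 404.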

Sunday, July 09, 2006

Genomics: A future Global Privacy and Identity Challenge
(Author - Ullas O Tharakan)

2020 AD: the world is a better place. Get ready for the ultimate shopping experience, the designer baby. Imagine the fertility hospital near your lane offering to manipulate the gene sequence to get you the perfect baby, with the intelligence of Einstein, blue eyes, Tom Cruise-style killer looks and the so-called perfect shape. The day is not far away when designer babies become a reality and Hitler's infamous ambition of defining a superhuman unintentionally finds a place in society.
Genome research has given a new dimension to "coding" human beings. Humans are no longer just a product of chance; they can be manipulated to fit the best, defying Darwin's law of evolution and making an instant process of what was a gradual one spread across thousands of years. The entire human genome has already been decoded in the ambitious Human Genome Project. In the projected future, which is closer than we think, governments and organizations will have to concentrate on protecting people from the negative side of this development; there is a need to demarcate the good and the bad of this unprecedented innovation. There is already a worldwide ban on human cloning, a well-respected step taken by governments.

With intense research and an indecorous intention to make business out of it, there could be a lot of loopholes that will affect humans worldwide. For example, when a baby is born, he or she will walk out of the maternity ward with a Human Code CD, a more futuristic form of birth certificate. The CD will contain the entire genome code of the baby, which specifies a predictive disease list with an accurate prediction of the likelihood of each disease occurring. Early prediction of disease will always be an advantage, as it could help improve quality of life and increase natural lifespan through preventive medication.

But what happens if somebody else gains access to this information? It would be the ultimate disaster for somebody in waiting. Governments need to redefine existing laws in order to prevent this. The social, ethical and legal issues will have a daunting effect on the individual. Fairness of use of information will be a big issue. For example, insurance companies can target you for high premiums and can also deny you insurance cover. Pharmaceutical companies can create customized drugs, with this eventually being used in one-to-one marketing campaigns at a premium cost. Corporates can disqualify you from a job because of your predicted future based on your genes.

This could lead to psychological impact, stigmatization and discrimination due to an individual's man-made genetic differences, both the existing ones and the expected ones.
There will be conceptual and philosophical implications regarding human responsibility, free will vs. genetic determinism, and concepts of health and disease. This will lead to commercialization of human design as a product, including property rights (patents, copyrights and trade secrets); accessibility to data and materials needs to be mandated.

In order to make this genetic experience fruitful and more oriented towards humanity, governments worldwide should initiate due diligence. Governments would need to establish a Global Genetic Privacy Protection (GGPP) model to provide a framework for protecting against future human rights violations. Health ministries worldwide need to work over a period of time towards a GGPP model. This model needs to start with these basic aspects:
- Embryonic stage manipulation: protection against genetic trait modification
- Gene selective manipulation law
- Human code access protection law (practices can be extended from the existing global HIPAA laws)
Better that governments worldwide start enacting such laws and stop the world moving towards a digital apartheid era, preventing the human community from the next privacy disaster in waiting.

Tuesday, July 04, 2006

CyberLaw: Overview of the Indian IT Act 2000
(Authored by Ullas Tharakan)

In India, the IT Bill 2000 was adopted in October 2000 and is called the Information Technology Act 2000. This act consists of 12 parts and runs to 44 pages.
• Part I of the Act: Outlines the general purpose of the Act, provides definitions for terminologies used within the Act and defines the scope of the application of the Act

• Part II of the Act: This part deals with electronic records and electronic signatures. With limited exceptions, electronic records and signatures must be accorded the same treatment as paper records and signatures for purposes of complying with statutory writing, signature, evidentiary and record-keeping requirements. But this does not compel government organizations to accept or issue electronic documents if they do not wish to do so. This part addresses the acceptance and use of electronic records and electronic signatures by governmental entities.

• Part III of the Act: This addresses the integrity and authentication of secure electronic records and secure electronic signatures. The concept of a secure electronic record or a secure electronic signature will foster the growth of electronic commerce by providing businesses with assurances that records and signatures which meet the statutory definitions of "secure" records or signatures will be accorded the heightened evidentiary presumptions necessary to make business transactions effectively nonrepudiable.

• Part IV of the Act: This addresses issues of electronic contracting. This Part deals with the form in which an offer and an acceptance may be expressed and legal recognition of contracts formed in an electronic medium. This Part aims to provide increased legal certainty as to the conclusion of contracts by electronic means.

• Part V of the Act: This provides for the appointment and functioning of a Controller for Certifying Authorities who will regulate the issuance of digital certificates by licensed Certifying Authorities.

• Parts VI and VII of the Act: These parts address the legal issues related to the use of digital signatures. Digital signature technology, which utilizes asymmetric cryptography, has been developed to facilitate secure transactions over the Internet and other computer networks. Although the electronic contracting sections of the Act have been drafted to be technologically neutral, these parts have been included to establish rules for the use of the most prominent current technology.

• Part VIII of the Act: Provides for penalties and for their adjudication by an adjudicating officer appointed by the Central Government.

• Part IX of the Act: Provides for the formation, composition, functioning and powers of a Cyber Regulations Appellate Tribunal to which appeal shall lie from the orders of the adjudicating officer. The Civil Court shall not have jurisdiction with reference to the offences set out under this Act. An appeal shall lie to the High Court from the orders of the Cyber Regulations Appellate Tribunal.

• Part X of the Act: Provides criminal penalties for intentional damages or destruction of information systems or data, intentional "trespass" into a system and intentional theft of computer services, tampering with data, interrupting network services and intentionally introducing viruses into computers or computer networks.

• Part XI of the Act: Deals with issues relating to the liability of network service providers.

• Part XII of the Act: Sets out miscellaneous provisions with respect to power to search premises, removal of difficulties, etc.

Smart Tips for Information Security Policy Design Process
(Authored by Ullas Tharakan)

Policy design should follow a well-thought-out process. The following steps make up that process.

· Choose the policy development team.
· Designate a person or “body” to serve as the official policy interpreter.
· Decide on the scope and goals of the policy.
(Scope should be a statement about what is covered by the policy.)
· Decide how specific the policy should be.

All people affected by the policy should be provided an opportunity to review and comment on the policy before it becomes official.

· Unrealistic for large organizations.
· Often difficult to get the information out and ensure people read it.
· Incorporate policy awareness as a part of employee orientation.
· Provide refresher overview course on policies once or twice a year.

While creating the policies and processes, one must keep in mind that policies should:

· Be implementable and enforceable.
· Be concise and easy to understand.
· Be a balance of protection with productivity.
· Be updated regularly to reflect the evolution of the organization.


Policies should:

· State reasons why policy is needed.
· Describe what is covered by the policies - whom, what, and where.
· Define contacts and responsibilities to outside agencies.
· Discuss how violations will be handled.

Determining Level of Control

· Security needs and culture play major roles.
· Security policies MUST balance level of control with level of productivity.
· If policies are too restrictive, people will find ways to circumvent controls.
· Technical controls are not always possible.
· Must have management commitment on level of control.