How to Write a Computer Security Policy

sponsored by the Henderson Group Computer Security Consulting and Training

Introduction It happens at least once in every company: an employee with little background in the area is assigned the task of developing a computer security policy statement. This paper provides help to that employee by summarizing what other companies have put in their policy statements and how successful policies have been implemented. Each company must decide on its own what its policy will include. The following descriptions provide the rough material from which that tailoring can proceed.

Why Have a Computer Security Policy Statement

Policy statements are necessary to make employees aware and to clarify responsibility. Fancy hardware and software will not provide adequate protection unless every employee understands the importance of security, and what the company expects of its staff. A company has a firmer case to terminate or prosecute an offender if the company's policy has been put forth in writing. Finally, the interdepartmental communication which is necessary to develop the policy will help all departments to understand what is needed, what is possible, and what they are responsible for.

Who Should Develop the Policy?

No single employee should develop the policy. Senior managers of every functional area should be involved in its development. (This gets them to "buy in" and ensures that their knowledge and expertise are incorporated.)

One successful approach is for a manager (the director of data processing may be best) to suggest to his or her peers a task force to develop the policy. If they agree, one employee is assigned to be project manager and editor of the policy. The editor selects points to be included from the following suggestions and lists them in "bullet" form for task force review. As the task force discusses the bullet points and tailors them to the company's requirements, the editor updates the working draft of the statement and converts the bullets to sentences and paragraphs. In this way managers can participate without taking too much of their time, and the editor has an opportunity to demonstrate his or her skills as a project manager, meeting facilitator, and negotiator. The editor should have some background in data processing, EDP audit, or computer security.

How Detailed Should the Policy Be?

Detail is less important than thorough coverage. Task force members may not care how the Personnel Department ensures that terminated employees' access privileges are revoked. They do care that the issue is being addressed and that someone is clearly assigned responsibility for it. A good policy won't address every little item. It will however make sure that someone or some department is specifically responsible for developing procedures to handle every important issue.

On the other hand, don't be bothered if procedural details end up in your company's policy statement. They don't detract and you can always change the title to say "Computer Security Policy and Procedures".

Suggested Outline

Here are some major categories to organize your policy and some items to consider including in each:

A) Introduction and Purpose

- Our firm depends on its computers, data, and information processing capabilities.

- Description of technical risks of: altered, stolen, inaccurate, destroyed data and loss of ability to process data

- Description of business risks of: suits for not protecting sensitive data, loss of competitive advantage from theft of customer lists and other business assets, liability for incorrect data, incorrect business decisions due to incorrect data, publicity surrounding regulatory enforcement, inability to process business transactions, and other risks.

- Every employee must be aware of these risks and act in a way to protect the firm.

- This policy statement details employee' responsibilities for computer security.

B) Scope

- This policy applies to all employees, consultants, auditors, and temporary help, and to all users of our computers.

- It applies to our mainframes, minicomputers, personal computers, outside timesharing services, outside suppliers of data, LANs (Local Area Networks), and computer workstations.

- It applies to all company data and reports derived from company data.

- It applies to all programs developed on company time, using company equipment, or by company employees.

- It applies to all terminals, communications lines, and associated equipment on company premises or connected to company computers.

- This policy does/does not address each of the following: how users are identified to computers, how each user's identity is verified, physical protection over equipment, physical control over access to data, logical control over access to data, integrity and quality of data, data retention requirements (how long data must be kept according to all relevant regulatory requirements), disaster recovery planning for data processing, business resumption planning for all business units.

- Who is responsible for making sure that all affected parties are aware of the policy.

C) Responsibility for Computer Security

- The Data Security Officer (DSO) is responsible for ensuring that the company has adequate computer security and that this policy is observed.

- Every employee is responsible for protection of our assets, including computers and data.

- Every employee should notify the Data Security Officer whenever he or she sees actions which seem to go against this policy.

D) USERIDs and Passwords

- No one is to be permitted to use company computers without an authorized USERID (user identification).

- To get a USERID requires the approval of an officer, of a department head, of the Data Security Officer, of some other authority.

- Each user is responsible for all activity which occurs on his or her USERID.

- The spelling of each userid is to be determined by the Data Security Officer, according to a standard designed to meet the spelling and length requirements of every type of computer used in our organization. This standard specifies a maximum length of seven characters, including letters, numbers, and only the following punctuation marks (list of acceptable special characters). The letters in each USERID must be upper case/lower case.

- USERIDs may be revoked (or canceled or suspended) at any time.

- USERIDs will be revoked when an employee terminates of transfers.

- The Data Security Officer may at his or her discretion revoke and/or delete any USERID not used for one hundred or more days.

- USERIDs will be revoked when an incorrect password is entered three times in a row.

- Each user must change his or her password at least every 30 days. Computers are to be programmed to require this.

- Company computers are to be programmed so that only users with authorized USERIDs can access them.

E) Employment Practices

- Every employee, consultant, consultant, and temporary employee should have a copy of this policy.

- All new employees will hear the importance of computer security and their role in it during Orientation.

- Department X will be notified of every employee transfer, promotion, and termination in order to adjust computer access privileges as needed.

- All employees must sign off that they have read, understand, and accept this policy.

- Personnel is responsible for computer security practices relating to employment. This includes: forms for processing employment and termination, informing supervisors of their responsibilities regarding computer security, addressing computer security in the performance review process, assisting in computer security awareness training, distribution of this policy, and Orientation for new employees.

- When an employee is terminated for any reason, the employee's immediate supervisor is directly responsible for having that employee's computer privileges revoked at once on all computer platforms where the employee has privileges. If necessary, the supervisor should log onto that USERID with a sufficient number of passwords to revoke the USERID. The supervisor is responsible for notifying the Computer Security Department and the Personnel Department when a USERID should be revoked or deleted.

F) Access to Equipment

- Only authorized persons whose work requires it will be allowed access to mainframe computers.

- All computers, terminals, and communications equipment will be protected against fire, water, electric power fluctuations, physical damage, and theft. Protection will be selected from among: physical barriers, environmental detection and protection, insurance, and other means on the basis of both replacement cost and effect on our ability to conduct business.

- Department X is responsible for controlling access to mainframe computers and for providing adequate protection to computers, terminals, and communications equipment.

G) Responsibility of Every Employee

- Computer security is the responsibility of every employee.

- No employee shall divulge company information to outsiders.

- Company computers shall not be used for purposes not related to company business.

H) Access to Data

- All data files on company computers will be protected against unauthorized changes.

- Sensitive data files will be protected against unauthorized reading and copying.

- The definition of "sensitive" as used here is....

- Company computers shall be programmed to control which USERIDs can read and which USERIDs can write to any given file.

- Every file shall be associated with an owner. Unless otherwise specified, the owner of a data file is the head of the department which paid for the computer programs which created it.

- The owner of each file is responsible for specifying whether the file is sensitive, and which USERIDs should be allowed to read or write to it. Such specification should be in writing, signed by the owner, and routed to the Data Security Officer.

- The Data Security Officer is responsible for ensuring that the access rules specified by data owners are implemented correctly, and that they match the written specification provided by the owners.

- The Data Security Officer will periodically review access rules for data with the data owners, with Legal, and with the Controller to ensure that the rules provide adequate protection.

- Internal Audit is responsible for periodically verifying that the access rules specified by the owners are correctly implemented.

I) Procedures to Update the Policy

- Who has the authority to change the policy?

- How are changes accomplished?

J) Online Systems

- Access to an online system (that is, through computer terminals) is allowed only to USERIDs which have been authorized to that system.

- What techniques will be used to control access to online systems and terminals (physical barriers, access control software, dial-back system, automatic shutdown of idle terminals, restriction of sensitive transactions to specified terminals)?

K) Encryption

- When must data files be encrypted?

- When must passwords be encrypted?

- What encryption techniques are acceptable (DES, RSA public key, or comparable)?

L) Personal Computers

- Department X is responsible for developing guidelines and procedures for protection of personal computers and the data processed on them.

- When personal computers are connected to telephone lines, they are considered the same as terminals and are to be controlled in the same way as terminals.

M) Contingency Planning

- Department X is responsible for developing and coordinating recovery plans for all departments in the event of the destruction of our data center and also in the event of short- term loss of any of our data processing capability. These plans should be based upon a systematic assessment of the risk of loss of the ability to process transactions for each application on each platform.

N) Miscellaneous

- Stealing software is illegal and can serve as grounds for prosecution and termination of employment. (This sentence may protect your company from a suit if one of your employees is accused of software piracy, since he or she will have allegedly done it in violation of company policy. Refer to appropriate legal counsel.)

- Our company does not permit use or possession of copies of software without paying appropriate fees and signing of appropriate licenses. Department X is responsible for conducting inventories of the software on company-owned personal computers to ensure that no software is on them without proper payment and licenses. (This may protect your organization from SPA (Software Publishers Association) audits conducted by Federal marshals.)

- Department X is responsible for developing guidelines for "spread-sheet audits" or reviews of decision support models to avoid unjustified reliance on computer-generated projections.

- Department X is responsible for providing means to protect access to sensitive computer printouts.

O) Multi-Platform Security

- Local Area Networks (which are subject to sniffer programs), UNIX workstations, and other platforms in user departments (outside the control of the Data Processing Department) are considered not to have rigorous physical security and logical security. Because of this, any such platforms which are to be connected to the company's network must comply with the company's plan for third-party authentication or other means to support multi-platform security. Department X is responsible for researching and coordinating such a plan. This plan should include the means to standardize the spelling of USERIDs across all platforms, so that each user needs to remember only one USERID.

P) Internet Access

- Access to the Internet from company premises or equipment is permitted only under the guidelines and supervision of Department X, which is responsible for developing, documenting, and disseminating such guidelines.

Where To Get More Info

- The RACF User News (for a free subscription, call (301) 229-7187.)

- The Computer Security Institute, (415) 905-2370

- The ISPN News, (508) 879-7999

Help Improve This Paper

This is edition 2 of this document. Many companies and individuals have contributed ideas to it. Your company will likely find additional points and suggestions from which others could benefit. Why not share them with others? We will include all valid suggestions in the next edition of this paper. Send them to:

Stu Henderson 5702 Newington Road Bethesda, MD 20816 Phone (301) 229-7187 Thanks for your help.


Return to HG Home Page (www.stuhenderson.com) the Henderson Group

Stuart Henderson
(301) 229-7187
5702 Newington Road Bethesda, MD 20816-1282
stu@stuhenderson.com

Copyright ©: 1997, Stuart C. Henderson
Revised - September 24, 1997
URL: http://www.sthenderson.com