Implementation responsibility: Agency/company management; IT Security Management Team
The Information Security Policy defines the level of IT security to which the organisation aspires. The Information Security Policy contains the IT security objectives which the organisation has set itself and the IT security strategy it pursues. In this way it constitutes both an aspiration and a statement that the IT security level specified is to be achieved at all levels of the organisation. Preparation of the Information Security Policy should be considered under the following headings:
Responsibility of Management for the Information Security Policy
Convening of a team responsible for development of the Information Security Policy
Determination of the IT security objectives
Content of the Information Security Policy
Distribution of the Information Security Policy
Drawing up of additional IT system security policy documents
An example of an Information Security Policy is enclosed as an aid on the CD-ROM at word20\hilfsmi\13policy.doc.
The preparation of the Information Security Policy requires the following stages:
Responsibility of Management for the Information Security Policy
The Information Security Policy documents the strategic position of Management with regard to the creation and implementation of the security concept, achievement of the IT security objectives at all levels of the organisation and the priorities which apply to the various types of measure.
It is important that Management is 100% behind the Information Security Policy and the objectives stated therein. Even if individual tasks relating to the IT security process are delegated to persons or organisational units which are then responsible for their implementation, overall responsibility remains with Management.
Convening of a team responsible for development of the Information Security Policy
If an IT Security Management Team already exists within the organisation, then this should be responsible for developing and/or reviewing and re-working the Information Security Policy. The draft document is then submitted to Management for approval.
If IT security management is only being established for the first time, then a development team should be set up to draw up the Information Security Policy. This team can assume the function of IT Security Management Team during the IT security process. It is a good idea for this development team to include representatives of the IT users and the IT operational team plus one or more additional employees who already possess sufficient knowledge and experience in matters of IT security. Ideally, a member of Management who is able to assess the importance of IT to the agency/company should be called in from time to time.
Further information on this subject is provided in S 2.193 Establishment of a suitable organisational structure for IT security.
Determination of the IT security objectives
An assessment should be made at the outset as to what information and information processing systems contribute towards the accomplishment of tasks and what value should be attributed to them. To do this, it is important to classify the information, the technical infrastructure and the IT applications of the agency/company. In the context of IT security what is of primary relevance here is the significance of IT for the organisation and its work. The strategic and operative importance of IT is particularly critical here. It is therefore important to consider more than just the material value of the IT itself and understand the extent to which the accomplishment of work within the organisation depends on the use of IT and its smooth functioning. To assist in assessing the extent of such dependence, the following are some of the questions which need to be considered:
What critical tasks within the agency/company cannot be performed at all without IT support or can only be partially performed or with considerable additional effort?
What essential decisions made within the agency/company rely on the confidentiality, integrity and availability of information and information processing systems?
What are the consequences of deliberate or unintentional IT security incidents?
Are the IT assets used to process information which requires particular protection due to its confidential nature?
Do major decisions depend on information that is processed using IT being correct and up-to-date?
The outcome of these deliberations can now be used to specify what degree of IT security is sufficient and reasonable for this particular organisation.
Some example criteria for an assessment of this kind are listed below. The importance of IT, the specific threat situation and the relevant statutory requirements play a critical role here. The IT security level (basic, moderate, high or maximum) which applies will be the one whose defining statements are the most relevant to the organisation.
Maximum:
The protection of confidential information must be guaranteed and comply with strict secrecy requirements in critical areas.
It is critically important that the information is correct.
The central tasks of the institution cannot be carried out without IT. Swift reaction times for critical decisions require constant presence of up-to-date information. Downtime is unacceptable.
Summary: failure of IT may be expected to result in the total collapse of the agency/company or have serious consequences for large parts of society or industry.
High:
The protection of confidential information must comply with stringent legal requirements and be increased in critical areas.
The information processed must be correct; any errors must be detectable and avoidable.
Time-critical processes run in central areas of the institution or large-scale tasks which are only possible using IT are carried out. Only short periods of downtime can be tolerated.
Summary: in the event of damage, central areas of the agency or company can no longer function. The result of damage is considerable disruption to the agency/company itself or to third parties.
Moderate:
The protection of information only intended for internal use must be guaranteed.
Minor errors can be tolerated. Errors which considerably disrupt the fulfilment of the tasks must, however, be detectable and avoidable.
Extended periods of downtime which lead to deadlines being missed cannot be tolerated.
Summary: damage causes disruption within the agency/company.
Basic:
Confidentiality of information is not required.
Errors can be tolerated, provided they do not render the fulfilment of tasks impossible.
Long-term failure should be avoided; moderate periods of downtime are, however, acceptable.
Summary: damage causes only minor disruption within the agency/company.
Achievement and maintenance of a given degree of IT security requires a corresponding effort. Therefore when specifying the IT security level for a given organisation, care should be taken to ensure that the costs associated with attaining this level are appropriate to the circumstances and are also affordable.
The diagram below is intended to illustrate the relationship between financial outlay and the aspired-to level of IT security. The diagram conveys an idea of the personnel, time and monetary resources required to achieve the IT security level. As a point of orientation, the financial outlay in private industry for IT security per year is an average of 5% of the total IT investment.
Figure: Cost-benefit trade-off for IT security
After the overall security level for the agency/company has been specified using the approach described above, the IT security objectives which go with that security level must be defined.
Examples of possible IT security objectives are listed below:
ensuring the high reliability of actions, particularly with regard to deadlines (IT availability is required here), correctness (the integrity of the IT) and confidentiality;
ensuring the good reputation of the institution in the eyes of the public;
preserving the value of the investment in technology, information, work processes and knowledge;
protecting the high and possibly irretrievable value of information processed;
protecting the quality of information, e.g. where it serves as the basis for major decisions;
satisfying the requirements resulting from statutory provisions;
reducing the costs arising in the event of damage (through both avoidance and prevention of damage), and
ensuring the continuity of the work processes within the organisation.
The individual IT security objectives can be implemented in different ways. In this connection general IT security strategies should be developed. Some examples of possible IT security strategies are:
rigorous data backups in all IT areas,
strict encryption of all information leaving the organisation,
use of strong authentication procedures for all accesses to IT systems,
isolation of particularly sensitive IT applications on stand-alone IT systems.
These general IT security objectives and strategies apply to most organisations working with IT support. In order to determine the specific IT security objectives and IT security strategies of an organisation, it is essential to express these objectives in relation to the work and projects carried out in the organisation.
Example: Where person-related data which falls within the ambit of the Data Privacy Act is handled (e.g. in Human Resources), the requirements regarding confidentiality and integrity specified in that Act must be satisfied through adherence to the technical and organisational framework conditions.
The results of such considerations should be specified in the Information Security Policy.
Content of the Information Security Policy
The Information Security Policy should contain the following information as a minimum:
importance of IT security and IT to the accomplishment of work,
security objectives and the security strategy for the IT used,
assurance that the impetus for implementation of the Information Security Policy comes from Management,
description of the organisational structure established for implementation of the IT security process (see S 2.193 Establishment of a suitable organisational structure for IT security).
It may also include statements on the following:
classification of information, access control, control of access to information and security of information processing systems;
assignment of responsibilities in the IT security process, notably to the IT Security Management Team, the IT Security Officer, the IT users and IT administrators;
account of how the Information Security Policy is enforced, including procedures for dealing with security breaches and the disciplinary consequences of such breaches;
overview of documentation of the IT security process;
statements regarding periodic reviews of the IT security measures;
statements regarding programmes to promote IT security through training courses and measures intended to raise awareness of security issues.
The Information Security Policy should be written in a concise style. It should be examined at regular intervals to ensure that it is still up-to-date, and be amended as necessary. It may be appropriate to document these cycles in the policy document.
Distribution of the Information Security Policy
It is important that Management presses home its objectives and expectations by having the Information Security Policy distributed, and that it stresses the value and importance of IT security in the organisation as a whole.
As Management has ultimate responsibility for the Information Security Policy, the policy should be set down in writing. The document must have been formally approved by Management.
Finally, all members of staff should be made aware of the fact that commitment, co-operation and responsible behaviour are expected of them not only with regard to the fulfilment of tasks in general, but also with regard to the fulfilment of the "IT security" task.
Drawing up additional IT system security policy documents
Separate IT system security policy documents should be prepared for IT systems or IT services which are located in a security-critical area, whose configuration is complex or which are relatively complex to use. Examples here include system security policy documents for firewalls, anti-virus protection measures, the use of e-mail or the use of the Internet (see appendix on Additional Aids (in German)). The IT system security policy documents should contain:
a description of the functionality of the system, the external interfaces and the requirements relating to the operational environment;
a description of the threats against which the system is to be protected;
a description of the actions which persons or technical processes may perform on data or programmes;
a description of the protection requirements for the system objects;
a description of the residual risks which the operator of the system can accept;
all the safeguards which are to be implemented in the system to counter the threats;
all the known vulnerabilities of the system.
Additional controls:
Has the Information Security Policy been distributed to all staff affected?
Are new members of staff referred to the Information Security Policy?
Is the Information Security Policy updated at regular intervals?
For which IT systems are there separate IT system security policy documents?