Information Assurance Policies, Procedures, Standards and Education

8 September, 2015 - 16:42

The overall objective of an information assurance program is to protect the confidentiality, integrity and availability of organizational information and IT-enabled services. Fundamental to the establishment of an effective information assurance program is the organization's establishment of appropriate information assurance policies, procedures and standards.

Policies can be defined as high-level statements communicating an organization's goals, objectives, and the general means for their accomplishment. The creation of information assurance policies may be driven by the need to comply with laws and regulations, or it may simply reflect executive management's analysis of the organization's information assurance requirements. There can actually be a hierarchy of policies, with each lower layer providing an increasing degree of specificity, but each still recognizable as a policy by its focus on "know what" content rather than "know how." Because policies tend to be formulated in general terms, organizations will generally develop procedures and standards that elaborate more specifically what needs to be done. Policies might be used to identify information assets meriting special safeguards (e.g., client lists, product designs, market analyses), to delineate information-related roles and responsibilities (e.g., establishing a Chief Security Officer position), or to specify the establishment and performance of information assurance related tasks or processes (e.g., organizational policy might dictate the establishment and conduct of the risk assessment and change management processes described below).

Standards can be thought of as a specific class of policies. Standards are mandatory rules (e.g., ensure the desk is cleared of working papers before leaving the worksite for the day), technical choices (e.g., all desktop systems connecting to the organizational network will have a particular anti-virus program loaded), or some combination of the two (e.g., the signature file for the anti-virus software is to be updated on a daily basis). The line between standards and policies can be fuzzy. A policy might dictate that servers containing confidential information reside behind a network firewall. A standard might specify the type of firewall to be used and even specify the configuration of the firewall. Yet all of that information might reside in a single policy document. Finally, an organization might specify procedures that spell out the specific activities or steps required to conform with designated policies and standards. The procedures constitute the instructions for performing policy- or standard-related tasks. The formal definitions matter less than the way the terms are actually employed within any given organization. The important point to understand is that the formulation of policies, procedures and standards constitutes an important element of an organization's information assurance program and of its ability to avoid system failures.

There are extensive guidelines governing the development of effective policies, procedures and standards, and the reader is encouraged to consult such guidance if he or she becomes directly involved in the process of writing policies and procedures. However, we think it useful to briefly describe criteria for judging the effectiveness of information assurance policies:

  • Good policies have the support of upper management. One can hardly imagine a factor more likely to undermine policy compliance within an organization than the realization that upper levels of management do not care about the policy, are unwilling to provide the resources required to implement it, or have no intention of conforming to it in their own behavior.
  • Good policies are clear, concise and well written. Every attempt must be made to reduce ambiguity by selecting appropriate language, identifying a clear scope to which the policy applies, and ensuring the policies are consistent with other organizational policies and practices. Organizational members cannot comply with policies they cannot understand, and ambiguity may encourage the development of undesirable policy interpretations.
  • Good policies clearly delineate responsibilities and identify the resources required to support their implementation. If one commonly hears the phrases "it's not my job" or "I don't have the resources" with respect to policy compliance, problems with compliance likely exist.
  • Good policies are living documents. It seems that the only constant in today's world is change, and policies can quickly become outdated. Out-of-date policies lead to two problems. First, the policies gradually become inadequate as organizational requirements change over time and as the types of risks present in the organization's environment change. Second, as policies become increasingly inaccurate and irrelevant to the organization's needs, there is a natural tendency for them to be ignored.
  • Good policies specify enforcement provisions and a process for handling policy exceptions. If there are no adverse consequences associated with policy non-compliance, then compliance will likely suffer. As it is difficult, if not impossible, to anticipate every contingency in the formulation of policies, long-term compliance will be enhanced by specifically including provisions for requesting policy exceptions.

Finally, it is difficult to overestimate the importance of education and training in establishing effective policy compliance. The effectiveness of policies, procedures and standards is seriously undermined if organizational users are able to claim ignorance of their existence. This is particularly true with respect to compliance with specific standards and procedures. Education and training requirements will vary depending on job responsibilities. Employees who deal with confidential information may require guidance concerning legitimate use of that information. IT professionals may require specialized training in order to properly configure and employ the technology used to increase the reliability and security of information services. In short, the establishment of a comprehensive information assurance training program constitutes a critical management risk mitigation control.