
Incident Management Plan Policies and Instructions


The IMP's association with other aspects of the Business Continuity Management Plan should be clearly stated within the policies and instructions component. This will ensure that users are guided to the correct supporting policies and procedures that govern the implementation of the IMP (if they are not included within the IMP as stated). The IMP should not seek to duplicate unnecessarily those instructions, policies, plans, or procedures captured within other components of the Business Continuity Management Plan; however, it should briefly articulate how those elements guide the management of the IMP. The core subjects that might be covered for IMP usage are:


  • Structure of the crisis management organization.
  • Decision‐making and authority matrixes.
  • Alert states and response trigger points.
  • Organizational interfaces and their part in the IMP.
  • Communicating IMP activities through the communications plan.
  • Leveraging resources through the resource and procurement plan.
  • Reference policies, protocols, and other planning documents associated with the IMP.
  • Reporting and record‐keeping guidelines.
  • Reference mapping and schematic usage.


As the IMP is designed to be a user‐friendly document, the introductory elements should seek to be succinct and relevant. At most, these elements should introduce supporting policies and plans so that the user can be guided to these elements where required.

Incident Management Plan Policies and Procedures

The IMP should be aligned with the overarching policies and practices outlined within the overall Business Continuity Management Plan. Information flow should occur according to the communications plan. Organic and outsourced expertise and resources should be leveraged in conjunction with the organizational interface plan and the resource and procurement management plan. Interaction with media, families, and other groups should be guided by the public relations plan, and crisis response actions and decisions should conform with trigger plans and decision and authority matrixes. The IMP should also operate within the auspices of security management plans, standard operating procedures and tactics, techniques, and procedure policies. All policies, procedures, and plans should be complementary, with minimal duplication and overlap to avoid confusion, contradictory guidance, and wasted resources. Often the IMP and Business Continuity Management Plan will complement or leverage any company health and safety plans, as well as existing policies on dealing with the media or other operating practices; and companies may wish to provide some form of guidance to managers as to how the IMP will operate within the Business Continuity Management Plan, and what is expected of them during a crisis event.

The IMP may also work within the framework of security plans, which might determine how security and risk management is undertaken within a facility. A degree of tailoring may be required to merge the IMP into specific regional or task policies and plans. The IMP may also be supported by government response plans, and the points of connection should be defined and aligned to ensure that friction between internal and external plans or protocols does not occur. Modifications to the IMP should be done only as sanctioned by appropriate managers (or an IMP Custodian) in order to avoid conflicts with corporate interests, as well as to reduce the amount of deviation from response measures and information reporting formats.

Information Security
Some aspects of the IMP may be considered sensitive in nature, and consideration should therefore be given to who is permitted access to the plan. Other elements of the plan will be generic and intended for a wider audience, such as fire drills or suspect call responses, and managers should ensure that information and training are made available to the different levels of user audience. Where necessary, terms such as restricted and unrestricted can be applied to different elements of the IMP in order to ensure that managers share appropriate information with a wider audience, or restrict information to defined positions as required. Each recipient of the IMP is responsible for its safekeeping and for ensuring that no unauthorized copies are made.

Information Systems Support Policies

Workstations, servers, and mainframes require many of the same support policies. Work areas must be clean and air conditioned. On a daily basis, housekeeping resources must enter all work areas except the data library, server, and mainframe rooms for cleaning. There must be policies eliminating the presence of food, beverages, and smoking in the vicinity of computer equipment and media. This may be a harsh idea but more than one laptop/desktop has met its end by a spilled café grande.

Data libraries where real-time and backed up data are stored are perhaps the most critical areas of the workplace. Generally, data libraries store magnetic tapes, optical disks, magnetic disks, application media, and paper-based documents. Often, there are data libraries required for ready access on the office site, while remote data libraries store materials in the event of disaster.

There should be policies governing the conduct of data libraries and the duties of the data librarian. The primary duty, of course, is to support the business' computer operations. Following is a list of data librarian duties for policy consideration:

- Upon receipt of new media, the librarian compares quantity received with the original order and billing information. If incorrect, the librarian notifies the operations manager.

- Inspects all media for physical damage. If any media is damaged, the librarian notifies the operations manager.

- Logs all new media and their assigned identification numbers.

- Acknowledges all receipts and deliveries with the operations manager.

- At no time is the librarian to have access to applications or information systems of any kind, preserving separation of duties and least privilege.


Data Entry
Many senior managers have forgotten that data entry is still a vital part of business operations. There is a need to convert raw, bulk data such as credit card applications into a familiar format for use by information systems. Many companies utilize both centralized and decentralized data entry systems. In fact, it is becoming very popular to package and ship forms to foreign countries with relatively low labor costs for data entry. In most cases, the equipment of choice is the online monitor and keyboard; there are others consisting of bar code readers, optical or magnetic character readers, and voice recognition. Policies and procedures for online data entry are as follows:

- All employees and terminals are identified by proper codes to ensure that only authorized equipment and employees enter data.

- When the data is displayed on the monitor correctly, the operator keys in the proper code to transmit the data to the computer.

- All data is checked by the computer system, ensuring that the correct data is being entered. For example, if a field is no more than seven numerical characters in a specific range, the computer will not allow the operator to enter incorrect characters.

- All data entered are logged by terminal number and the data entry employee.

- At no time are the data entry employees to have access to computing hardware outside what is necessary for them to enter data.

- At no time are the data entry employees to have access to applications other than what is necessary for them to enter data. These last two steps help preserve separation of duties and least privilege.
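As an added example (not code from the original post), the following Python sketch enforces the data entry controls listed above: terminal and operator codes are checked against an authorization table, each field is validated against a length and range rule (such as the seven-character numeric field in a specific range mentioned above), and every submission is logged by terminal number and operator. The terminal ids, operator ids, field names and ranges are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple


class FieldRule:
    """Rule for one data-entry field: maximum length, and for numeric fields a value range."""

    def __init__(self, name: str, max_len: int, numeric: bool = False,
                 min_value: Optional[int] = None, max_value: Optional[int] = None) -> None:
        self.name = name
        self.max_len = max_len
        self.numeric = numeric
        self.min_value = min_value
        self.max_value = max_value


# Constructed field rules for the example: an account number of at most seven
# digits that must fall in a specific range, an amount, and a free-text name.
RULES: List[FieldRule] = [
    FieldRule("account_no", max_len=7, numeric=True, min_value=1000000, max_value=9999999),
    FieldRule("amount_cents", max_len=9, numeric=True, min_value=1, max_value=999999999),
    FieldRule("applicant_name", max_len=40),
]

# Constructed authorization tables: only these terminals and operators may enter data.
AUTHORIZED_TERMINALS = {"T01", "T02"}
AUTHORIZED_OPERATORS = {"op-1234", "op-5678"}

# Every submission, accepted or rejected, is recorded by terminal number and operator.
AUDIT_LOG: List[Dict] = []


def validate_field(rule: FieldRule, value: str) -> Optional[str]:
    """Return None when the value satisfies the rule, otherwise a short reason."""
    if len(value) > rule.max_len:
        return f"{rule.name}: longer than {rule.max_len} characters"
    if rule.numeric:
        # str.isdigit() alone accepts non-ASCII digits such as '٣' or '²', which
        # int() handles inconsistently, so require ASCII digits as well.
        if not (value.isascii() and value.isdigit()):
            return f"{rule.name}: non-numeric characters"
        number = int(value)
        if rule.min_value is not None and number < rule.min_value:
            return f"{rule.name}: below minimum {rule.min_value}"
        if rule.max_value is not None and number > rule.max_value:
            return f"{rule.name}: above maximum {rule.max_value}"
    elif not value.strip() or not value.isprintable():
        return f"{rule.name}: empty or contains non-printable characters"
    return None


def submit_record(terminal: str, operator: str,
                  record: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Check the source is authorized, validate every field, and log the outcome."""
    errors: List[str] = []
    if terminal not in AUTHORIZED_TERMINALS:
        errors.append("terminal not authorized")
    if operator not in AUTHORIZED_OPERATORS:
        errors.append("operator not authorized")
    if not errors:  # content is only examined once the source is known to be authorized
        for rule in RULES:
            reason = validate_field(rule, record.get(rule.name, ""))
            if reason is not None:
                errors.append(reason)
    accepted = not errors
    AUDIT_LOG.append({"terminal": terminal, "operator": operator,
                      "accepted": accepted, "errors": list(errors)})
    return accepted, errors
```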


Technical Support
The primary purpose of the technical support units is to provide technical services to computing equipment and software users. There are basically four sections for which they have responsibilities:

1. Communications. The communications support unit is responsible for hardware, software, wiring, cabling, maintenance, and lease services for the operation of all business communications. Included here are the local area networks (LANs), wireless networks, and wide area networks (WANs). They also are responsible for telephone communications, including cellular and wireless, and their respective billing.

2. Database administration. The database manager is responsible for a number of administrators who are responsible for maintaining and controlling the processing related to the company's databases. Their related duties include:

- Selection and maintenance of database software

- Control database access, defining which employees can create, read, change, add, and delete information

- Maintain file and database backups

- Provide consultations to relevant database users

- Provide disaster-planning procedures and test them

- Report immediately any security breaches or data corruption

- Maintain directory services


The latter duty, depending on the organization's size, can constitute a sizeable part of the database administrators' duties. A directory is a collection of information for a given application; it may hold all the information relating to that application, such as user access and logons. The administrators are responsible for the directory's integrity and security. It is important to maintain a division between database support unit employees and production applications so that separation of duties and least privilege are observed.

3. Software support. These are the program engineers responsible for supporting the operating systems, applications, and in-house developed and purchased software applications. Some of their responsibilities include but are not limited to:

- Make approved changes to the operating system software when directed by senior managers in writing.

- Document all changes to any production software.

- Report immediately any security issues in any production software.

- Report immediately any physical security breaches.

- Inform computer operators of programming changes in written form.

- Test new software before introducing to a production environment.

- At no time should any programmer have access to live data in any form. Further, at no time should any single employee, programmer or otherwise, have the ability to change the operating system code or any of the production applications. These restrictions will help maintain an atmosphere of least privilege and separation of duties.


4. Workstation/server help desk. These are the employees whose work affects the majority of the organization's computer users. They generally address issues such as:

- Workstation and server configurations. They establish standard operation procedures, ensuring that all workstation and server configurations are the same from machine to machine and platform to platform. With standard configurations observed, they can readily identify security or abuse issues and handle them.

- Provide service to employees having difficulty with their equipment and software.

- Service and maintain peripheral equipment.

- Make recommendations of equipment and software.

- Monitor performance and provide feedback to senior managers.

- Train users to maximize equipment and software use.

- Maintain inventory of hardware and software.

- Maintain hardware and software licensing.

- Provide and maintain list of approved software applications.

- Test and approve software and equipment for security and place into production.

- Approve installation of specified software applications.

- Report any security violations involving users.


As with other employees, there must be a separation of duties in that these employees must never have the ability to access live production data, operating system code, or application programming.

The Auditors Are Coming. The Auditors Are Coming.

Audit policies and procedures are needed to ensure that employees are meeting management objectives, legal and regulatory requirements, and addressing risks. Auditing is covered in the next post, so it is only going to be lightly addressed here. Management audits assure that resources are being properly utilized and monitored:

- Develop and implement policies addressing human resources management, data, and facilities.

- Ensure that projects are completed on schedule and within budget.

- Ensure that projects have been completed utilizing quality models such as the SDLC.

- Develop and maintain business priorities and long-term strategies.

- Assure that controls are in place for risk detection, prevention, and correction.


Systems Development and Programming Policies
These audits are more technical than management audits and require more knowledge and detail. Frequently, organizations do not have policies governing operations, so employees are left to their own devices, making decisions they are not qualified to make. Systems development involves activities ranging from purchasing commercial off-the-shelf software systems, to developing in-house systems, to purchasing turnkey systems. All systems development must be considered in the light of confidentiality, integrity, and availability.

Organizations must have written policies and auditing programs for:

- Systems design and development through quality models

- Systems selection and procurement criteria

- Systems application development

- Program testing

- Systems implementation

- Systems monitoring

- Systems disposal

- Systems change controls

- Systems documentation

- Systems quality assurance


Data Controls
Data control policies have the objectives of addressing confidentiality, integrity, and availability of data. These features are audited in the following areas:

- Input controls to any operation must be addressed by policies and procedures. Because input varies considerably, so will policies.

- Output controls address electronic and printed media.

- Database management controls must be established by policies with compliance assured by audit activities.

- Database information backup and storage policies.


Disaster Recovery and Business Continuity
Disaster recovery audit policies also address business continuity. Audit policies must require that auditors obtain evidence that these are in place and combined with regular unannounced testing. Audits of this nature address the existence of the following policies:

- Establishment of a Risk Management team

- Critical asset identification and prioritization

- Threat and impact analysis

- Existence of critical asset safeguards

- Disaster recovery plan

- Establishment of Disaster Recovery team

- Designated employees to address public and press inquiries

- Business continuity plan

- Plan testing


Workstation Audit Policies
These audits address the use of workstations and all company-owned equipment and facilities, including:

- Access restrictions to workstations

- Inventory of software and hardware reconciled with licensing and purchase documents

- Evidence of policy and individual compliance for the procurement and installation of software and hardware

- Evidence of individual compliance with policy regarding official use

- Evidence of individual compliance with policy regarding network and workstation security

- Policy and individual compliance with regular data backup

- Evidence of policy and individual compliance with workstation housekeeping

Web Server Policies and Procedures

- It is highly recommended that the Chief Information Officer formally approve the content and operation of any Web server to be connected to any organization system.

- Any and all Web site content and features must be approved and installed by the organization's Webmaster.

- Under no circumstances will sensitive information be made available on any company Web site internally or externally accessible.

- All enterprise Web sites must be reviewed, vetted, and approved in the same fashion as officially released reports or other outside correspondence.

- At all times, copyrights will be protected and observed.

- There should be no reason for control of the Web server other than from the Web server's console. Logging on to the Web server from any device other than this console is not permitted, and the server's software should be configured accordingly.

- Systems administrators, firewall administrators, and Webmasters are to report any and all attempts to gain unauthorized access to the Web server located on either the Internet or internal intranet.

- Incoming packet traffic will be scanned and connections to unapproved Web sites will be immediately reported to senior managers.

- Systems maintenance will include the installation of operating systems and applications patches.

- Senior administrators and Webmasters are responsible for change management. Any and all changes must be justified, documented, and submitted to a thorough quality control process before installation.

- Senior administrators and Webmasters are responsible for monitoring system performance, taking appropriate security measures, and ensuring Web sites reflect the highest quality standards.

- Implementation of common gateway interface (CGI) scripts will be strictly monitored and controlled.

- In order to avoid buffer overflows, systems developers must enforce defined buffer sizes when accepting data. In order to avoid CGI vulnerabilities, regular testing will be performed and appropriate security measures taken.

- All user input to any Web site, internal and external, will be filtered for appropriate content.

- In the case of third party applications interacting with programs that contain buffers that do not check for incoming data correctness, it is important that these applications are monitored and patched appropriately.

Web Server Security Policies and Procedures

Most businesses, governments, and organizations have external Web sites describing their purpose and structure, and often provide the opportunity for public interaction. E-commerce on the Internet is not something that only large businesses can afford to do. It can be a profitable operation for every "Mom and Pop" enterprise as well. For security reasons, Internet Web servers are usually positioned behind the packet-screening firewall that faces the Internet but in front of the firewalls that protect the precious interior networks. Such an architecture, called the demilitarized zone (DMZ), has a good security track record if implemented correctly.

Organizations may also choose to develop and deploy intranet Web sites for employee use. In these cases, the Web servers are located inside the interior network, as these systems are not intended for outside eyes. Regardless of the organization's size and whether it has Internet or intranet Web sites, considerable amounts of money and resources are spent in the development of a suitable Web site that is informative yet practical. In a very real sense, the company's Web site reflects the organization's branding, image, and business reputation.

The development, maintenance, management, and administration of the company's Internet Web site is usually assigned to a team of experts within the enterprise or outsourced. It is possible a director of online marketing development is responsible for identifying and implementing new online business development opportunities while the company's Webmaster takes charge of the site's technical excellence, content development, management, and security. On the part of the Webmaster, there is a development team responsible for site design, coding, graphics, and business features such as shopping carts.

Internal company Web sites are generally used for posting information relevant to employees. Birthdays, presentations, corporate calendars, directories, organizational charts, and project information are often posted. Project management information posted to an internal network can provide a central reference point for the project team and senior managers with project oversight. Internal Web sites do not have the same visibility as Internet Web sites, but they have the same need to be managed through specific policies and procedures.

Intrusion Detection Policies

You are a senior manager with the responsibility of overseeing the company's network administration and security. Your platforms range from servers, firewalls, routers, and related equipment. Your employees are above average in their technical skills and do their best to develop and maintain a secure operating environment. Yet, you find yourself dealing with the skills of an aggressive and persistent attacker. Many senior managers put their trust in firewalls and rely on their administrators to lock down network services and workstations. Other managers have enough wisdom and knowledge to marry effective policies and procedures with technology-based security solutions.

For most businesses, a combination of network administrator skills, policy and procedure, and technology solutions are the approaches best addressing system vulnerabilities.

The IDS dream is a set of distributed systems that identify and sound alarms when systems are being attacked in real-time. Regrettably, it is easier to dream the dream than implement the system. Current IDS products are extremely valuable security tools but generally they do not deliver as much as advertised.

Network and Host IDSs
The host-based vs. network-based intrusion-detection strategy debate has been raging for some time. Currently, the consensus is moving toward a unified approach combining the two technologies.

Network-based products are built on the concept of a real-time wiretap. A sensor examines every information packet traveling through the system. These sensors apply a set of rules or attack "signatures" to the captured packets, attempting to identify hostile traffic. Basically, network IDS sensors are network sniffers with built-in, rule-based comparison engines. If a malicious packet is detected, then the network IDS sounds the alarm.

But the network IDS approach has its problems. It does not scale very well in that it has difficulty keeping up at network speeds of 100 Mbps. With gigabit network speeds arriving in business networks, these network IDS systems do not keep up with the traffic. Additionally, network IDS systems are based on attack signatures that will always be a step behind the latest vulnerability exploits. IDS product vendors have not caught up with all the known attacks, and there are new attacks announced every few days.

Nevertheless, network IDS enjoys some advantages. The greatest feature is stealth. Network IDS can be deployed in an unobtrusive manner, with little or no effect on existing systems. Once deployed, network IDS sensors will listen for attacks, regardless of the destination.

Host-Based IDS
Host-based IDS primarily function within the system audit and event logs. In place of identifying attack-profile packets, they aim to identify known patterns of local and remote users doing things they should not be doing. One type of host IDS product produces a one-way hash of critical files located on a host. These files include user accounts, configuration, and audit operations. If anything changes in these files, e.g., an intruder establishes an account on the root level, then the host IDS would notify the system administrator. The host IDS cannot identify what changed, but it can tell the administrator that something important has changed. Host IDSs have their problems in portability. They run only on specific operating system platforms, so it is possible your favorite operating system is not on the list.
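As an added example (not code from the original post or any IDS product), the following Python script performs the one-way-hash check described above: it hashes a set of critical files with SHA-256, keeps the result as a baseline, and on a later run reports which watched paths were modified, added or removed. It reports that something changed, not what; the file names and contents are constructed in a temporary directory for the example.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, List

ABSENT = "ABSENT"  # marker for a watched path that does not exist as a regular file


def sha256_file(path: str) -> str:
    """One-way hash of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(paths: List[str]) -> Dict[str, str]:
    """Map every watched path to its digest, or to ABSENT if it is not a regular file."""
    return {p: sha256_file(p) if os.path.isfile(p) else ABSENT for p in paths}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each watched path as modified, added or removed relative to the baseline."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for path, old in baseline.items():
        new = current.get(path, ABSENT)
        if old == new:
            continue
        if old == ABSENT:
            report["added"].append(path)
        elif new == ABSENT:
            report["removed"].append(path)
        else:
            report["modified"].append(path)
    return report


def demo() -> Dict[str, List[str]]:
    """Create constructed 'critical files', baseline them, alter them, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        passwd = os.path.join(tmp, "passwd")
        sudoers = os.path.join(tmp, "sudoers")
        authorized = os.path.join(tmp, "authorized_keys")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(sudoers, "w") as fh:
            fh.write("root ALL=(ALL) ALL\n")
        watched = [passwd, sudoers, authorized]  # authorized_keys does not exist yet
        # In practice the baseline is stored where the monitored host cannot rewrite it.
        baseline_json = json.dumps(snapshot(watched))
        # Reproduce the change the text describes: a new uid-0 account line appears
        # in the account file and a key file that was not there before is created.
        # sudoers is left untouched, so it must not be reported.
        with open(passwd, "a") as fh:
            fh.write("svc-backup:x:0:0::/:/bin/sh\n")
        with open(authorized, "w") as fh:
            fh.write("ssh-ed25519 CONSTRUCTED-KEY example\n")
        return compare(json.loads(baseline_json), snapshot(watched))


if __name__ == "__main__":
    print(demo())
```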

IDSs in general are incredibly useful but the hope of turning them loose on your systems and giving them control is not feasible. IDS technology is not very mature but it is getting better. It is strongly recommended that IDS technology is given serious implementation consideration. But it should be considered being used in conjunction with other critical asset preservation measures and not replace any of them.

Policies and Procedures Involving Outsourcing

Policies and Procedures Involving Outsourcing: What Is Yours and What Is Mine?

An organization's policies and procedures must govern the interaction between the organization and outside contractors.

Some contractors, instead of structuring the relationship on the value of the service they are contracted to provide, base it on the necessity of doing business, because they are the only people who have the source code. In other cases, they have not delivered sufficient documentation for the organization's employees to maintain the system, thereby requiring their continued services. It is essentially a monopoly of one. Because the organization does not have the source code to its custom system, it has lost control of one of its critical assets. Regrettably, this condition is usually brought to the company's attention after it has already happened. The situation grows more desperate when the company is reluctant to notify its lawyers, fearing that the contracted developers might sabotage the source code by modifying it to render it useless at some time. When structuring systems development projects performed by outside contractors, these are a few policy suggestions to reduce risks:

Get the source code. Be certain to investigate the work history of the contractor, and by all means contact all professional references to ascertain if there were any past problems. The organization must ensure it receives the source code, and there are contractual arrangements with strict requirements to this effect. No excuses are acceptable. The source code must be installed according to the organization's certification and accreditation policies.

Licensing and documentation. Purchase the appropriate licenses for the source code. Businesses want to replicate the development environment exactly, having the ability to keep the code up to date during the maintenance development phase. Make certain the contractor is drafting the required documentation of effort. This documentation should be subject to inspection and audit by the organization's representatives before the product is delivered. If the organization has the resources, any agreements must permit a representative of the organization to conduct an ongoing review of the code. This inspection must also include documentation.

Confirmation. Confirm that you are going to receive what you contracted. Force a rebuild of the programs if you are not satisfied. If you have to pay for it, consider it the cost of doing business.

Secondary plan. Have in the wings a backup developer or other reliable resource familiar with the code base and system design. What if the contractor becomes disabled and is unable to complete the project?

Ownership and delivery. The organization's policy should require that the contract stipulates who is going to own what. Who owns the software? Does the organization own the software or merely a license to use it? Does the organization own the software to such an extent it may do what it wants with it? Write the contract carefully, and by all means have an attorney familiar with these issues review it before signing.

The best outcome is one of complete control where the organization has its asset with the system working as intended in the event of a problem with the developer. What does the organization have to do in the event the developer fails? Much will depend on the contract's language, your lawyer, and the developer. If you have to go to litigation in order to enforce the contract, you may not have possession of your application, and litigation takes time. By the end of legal wrangling, it is possible everyone loses.

Vendor Policies and Procedures

The size of business operations and the uneven demand for services influence the type and amount of outsource services required. Within the business, available funds are balanced with needs, and often they are not in agreement. Service vendors outside the organization come in a variety of flavors including consultants, technical service and hardware vendors, and contract human resources. Good business sense, based on ethics and morals, is the best policy in dealing with outside vendors.

Several units within the organization come into play when selecting outside services. The organization's purchasing unit should provide information about vendors, their reliability, financial status, reputation in the business community, and whether they will be in business a year from now. This is information that should be at hand before negotiating a contract.

The legal unit must review any vendor contracts before they are signed and large amounts of capital committed. One of the more important tasks the legal unit performs is the review of the contract's performance language, where penalties are assessed in the event the vendor fails to complete its responsibilities.

The legal units must ensure there is contract language detailing that promised services or products meet the organization's expectations. This language needs to dovetail with SDLC provisions if services or products must be certified and accredited before the contract is fulfilled. If the project involves classified materials, the legal unit is responsible for requiring and verifying that contractors have security clearances.

The organization's audit unit should be included in the contract review to see that important provisions are detailed that will require its involvement. Such details involve auditing of ongoing contract compliance by the vendor. Auditors should be involved if the vendor provides services within the provisions of the SDLC. The contract should allow the review of development procedures and the quality of the services or product.

Outsource Potentials
Following are possible areas for outsourcing efforts:

- Operations that are difficult to staff and manage

- Providing special skills not available within the organization

- Reducing internal operation costs by not having to develop skills that will be used infrequently

- Delivering system improvements or benefits more quickly than can be performed internally


Consultant Procedures
Outsourcing consultant services can be a valuable asset if the proper relationship is developed. Consultants can just as easily be acquired or employed for all the wrong reasons. Following are several wrong reasons for contracting a consultant:

Not having clear goals and performance expectations. Having very clearly defined goals and performance expectations will permit maximum benefit to be derived from consultants.

If there is bad news for projects in trouble, let the consultant deliver it. Wrong idea. If a project is in trouble, the future of the organization's credibility may be at stake. Handle any internal project problems within the organization. Do not outsource them.

Contracting a "hired gun" from out of town to impress the locals. For some unknown reason, the distance the expert traveled, the cost of the expert, and the perception of the expert's skill set frequently impresses employees. Senior managers have an ability to be impressed with experts who have many titles behind their names. It is not unusual that a consultant came up with a solution that was the same as one developed by your own employees.

Weak senior management. Project managers lacking decisive skills will often attempt to employ consultants to make decisions for them. Consultants are contracted at the staff level of an organization. They should not be substituted for poor managers.

Outsource Vendor Selection Procedures
Choosing vendors for services, software and support, and hardware requires evaluation procedures. When a business decides it requires a vendor to submit proposals, a request for proposal letter is sent to all possible vendor candidates.

In the case of hardware, this request approach details the proposed time period, professional and financial references, hardware and hardware configuration, architecture, and requests a price quote. With software and support, a request defines the target system and asks the vendor to provide a support performance objective for a specific configuration. System operation performance requirements include systems design, configuration and architecture, types and number of users, production volume, maintenance and operation objectives, and price. Outsource service proposals should include at least the following items:

- Professional and financial references

- Objective of delivered services

- Security requirements

- Services delivery schedule

- Documentation

- Pricing


In all requests for proposals, there should be a deadline by which proposals must be received by the organization to be considered viable.

Evaluating Proposals
All received vendor proposals should be analyzed in detail. There should be common elements addressing the specific proposal requirements. Organize an ad hoc committee to evaluate the submitted proposals and discuss them. Be mindful that there may be laws and regulations governing the request for proposals and their submission. Most notable are organizations requiring legal adherence of those doing business with federal, state, and local governments. Some governments have requirements where selection preference is granted to vendors doing business within municipal boundaries. In some cases, these restrictions are codified as regulations or laws, and in other cases they merely follow custom or tradition. Failing to observe such restrictions can result in protracted grievance proceedings and litigation.

Network Vulnerability Assessment Policies

Network Vulnerability Assessment Policies: Why Am I Hearing about My Network Leaking Sensitive Information on the News?
Every organization contains risks, ranging from finance to procurement. Given the risks of doing business through the Internet, it is surprising how many businesses are not finding more ways to enable safeguards and protect their critical assets.

Frequently, there is one technique that is overlooked by organizations when developing systems: the vulnerability assessment policy. This is the process of attempting to exploit system vulnerabilities to gain unauthorized access to sensitive information. Vulnerability assessments are attacks originating from a friendly system assessment team targeting a computer system to discover ways of breaching the system's security controls, penetrating the protection afforded to sensitive information, obtaining unauthorized services, or damaging the system by denying services to legitimate users. These policies form the basis for testing that discovers features, functions, and system capabilities that may be unspecified and unknown to its developers and users. Vulnerability assessments attempt to discover system capabilities that are flaws in the design, implementation, operation, documentation, change controls, and maintenance.

A vulnerability assessment is as thorough as the talent, training, skills, and diligence of the employees performing it. It can place reasonable limits on the knowledge and experience required for the intruder to gain unauthorized access. That knowledge applied to safeguards and protective measures can restrict intruder access below this limit, and give some degree of assurance that the system is operating securely.

Performing the vulnerability assessment utilizing the organization's own resources has certain advantages in the area of in-house knowledge building, employee control, reliability, and trustworthiness. It may lead to discovering risks before attackers do and assist in highlighting the enterprise's security position. There is a lot of preparation that must be performed in the construction of an effective vulnerability assessment. Policies and procedures must be drafted, approved, and installed; relevant employees must be trained; and there must be stringent compliance auditing, a well-developed change management process, and postmortem critique conducted of the assessment where flaws and improvements are addressed.

As with any job, policies and practices must address the means by which vulnerability assessments are conducted. Before the actual vulnerability assessment, there must be a strong foundation of policies and procedures. It is important to ensure that the underlying policies relevant to the organization's network security are in place, facilitating the process. These documents will be the principles underwriting the actions taken when planning and executing the assessment. The organization's vulnerability assessment policy should address the following active components.

Plan to Conduct Vulnerability Assessments
The planning step will include gathering relevant information, defining the assessment activities, defining roles and responsibilities, and making relevant employees aware of the need to make changes based on the findings of the assessment.

A comprehensive vulnerability test plan will improve the odds of achieving system penetration. Penetration planning establishes the ground rules, limits, and scope of the process. The plan identifies the object being assessed and determines when the test is complete. Some planning steps may include interviewing system administrators, reviewing appropriate hardware and software documentation, and reviewing appropriate policies and procedures relative to targeted systems.

Create and develop a good penetration team. Desirable team members include experienced vulnerability testers, employees knowledgeable about the target system, and creative people with unusual ideas; desirable skills include familiarity with SDLC development methods and access control structures, and programming ability in several languages. Successful team members are patient and detail-oriented and have good people and communication skills. One key requirement is highly ethical, mature professionals who can protect proprietary, sensitive data and the flaws discovered in the target system.

Encourage the assessment team to use a variety of mechanisms to achieve unauthorized access, involving exploiting hardware, software, and human resources vulnerabilities. With senior management's consent, more than one vulnerability assessment team has asked for and received root passwords from an employee.

Identify Exposures
This phase may include a variety of tasks. It may include, but is not limited to, reviewing the resulting data from the assessment phase, actually deploying mechanisms to discover system vulnerabilities, and linking findings to the management process so that individual accountability for assessment findings is established and risk issues can be resolved. Of course, this step must be conducted with a great deal of cooperation from senior managers and employees responsible for the system's development, monitoring, and maintenance.

Vulnerability assessments should be framed in the organization's policy as a method to reduce risks and raise profitability. If there are risks associated with negligence on the part of individual employees, senior managers should weigh the assessment's findings in light of employee accountability.

Resolving Exposures
This phase resolves the risks identified in the previous phase. Before any substantive steps can be taken to address assessment findings, an investigation must be done to determine if the risk is in fact relevant to continued business operation. If risks are identified that have no bearing, or only insignificant bearing, on business operations, then it is possible they may be excused as irrelevant.

Performing a vulnerability assessment can provide a point-in-time representation of the organization's risk position. By itself, this is insufficient. There must be a method incorporated into the organization's policies and procedures ensuring that the vulnerability assessment process is conducted on a frequent or continuous basis. Only in this manner can policy minimize network risk. Vulnerability assessments are best employed to discover broad capabilities of the target system and flaws contrary to security policies, rather than resulting in a gaming situation between the target system's administrators and the assessment team trying to penetrate a protected asset.

An organization's vulnerability assessment policy must require that all known flaws are repaired. As part of their postmortem critique, the system assessors may suggest the implementation of corrections or safeguards. After the system has been repaired, policy should require that the system is reevaluated to confirm the fixes and to ensure no other flaws were introduced by the repairs or implemented safeguards. An organization's reevaluation process is a complete repetition of the vulnerability assessment process.

By completing policies requiring continuous vulnerability assessments, you facilitate the identification of potential risks before attackers do. Early detection allows the opportunity to address assessment findings before attackers can exploit the vulnerabilities resulting in damage to the company's critical assets.

Policies requiring continuous vulnerability assessments can deliver a picture of how secure sensitive information is, and go a long way in preventing having to read about critical assets being stolen or compromised in the news.

Wireless Network Security

Wireless technologies cover a wide range of capabilities geared toward different needs and uses. Wireless local area networks (WLANs) permit users to move a laptop or personal digital assistant (PDA) from place to place within their work area without the need for cables, with the advantage of not losing network connections. There are networks utilizing Bluetooth protocols that permit data transmission between network components. Bluetooth technology can eliminate cables formerly required for printers and other peripheral devices.

Alas, there is a downside; risks are inherent in any wireless technology. Some risks are the same as or similar to those of conventional wired networks, while others are exacerbated by the nature of wireless connectivity. The most notable difference between wired and wireless networks is the communications medium and the risks associated with that medium. Communications transmitted through the airwaves are openly available to be intercepted. Attackers have the ability to locate and communicate with wireless networks with much less effort than invading wired ones.

Loss of confidentiality, integrity, and availability are risks associated with wired networks, and they are more easily realized in wireless networks. Malicious users may gain access to company systems and information and compromise critical asset confidentiality, integrity, and availability. Following are some examples of risks associated with wireless networks:

- All vulnerabilities existing in wired networks also apply to wireless technologies.

- It is possible that unauthorized intruders may gain access to an organization's wireless network, bypassing firewall safeguards.

- Sensitive information not encrypted before transmission is subject to being intercepted and disclosed by third parties.

- Malicious entities may steal the identity of legitimate users and impersonate them.

- Malware including viruses, Trojan horses, and back door programs permit damage and continuing unauthorized network access, reducing availability and potentially disrupting business operations.

Organizations should not deploy wireless technologies unless they thoroughly understand and manage the accompanying risks. In light of current wireless communications protocols, most commercial products provide inadequate protection and present significant, unacceptable risks to business operations. Senior managers must proactively address these risks, protecting their critical assets before wireless network deployment. Often due to apathy or a lack of understanding or education, many organizations poorly administer their wireless networks, relying on "default" installation settings, failing to control access to their access points, failing to implement factory-provided security configurations, and not developing a security policy suitable to the wireless environment. Such wireless safeguards include firewalls between wired and wireless systems, packet screens where unneeded services and ports are blocked, and implementing strong encryption such as Virtual Private Network (VPN) or file encryption technologies before data is transmitted.

Organizations must understand the technical and security ramifications of wireless technologies. While wireless connectivity seems like the best solution to connection-without-cables, it is an immature technology coupled with relatively poor security, potential for lax administration, and limited user awareness. In wireless environments, data is transmitted through the air without any control over the geographical limits of these broadcasts. Organizations are unable to exercise the typical physical and logical controls that are employed in wired networks. In short, data transmitted over a wireless network can be captured and transactions begun by unauthorized third parties. Because of radio wave attenuation, building construction, and the capabilities of high-gain antennas, the range of wireless transmissions, and therefore the area in which eavesdropping is possible, can be extremely difficult to control.

Following are some suggested best practices to help address wireless network risk issues:

- Organizations must formulate and enforce compliance of applicable policies addressing the use of IEEE wireless standards of 802.11 (a, b, g, and others), Bluetooth, and other wireless technologies. These policies must be implemented before the deployment of wireless connectivity.

- Configuration management and strict change controls must be adopted ensuring that equipment has the latest software patches, including security features addressing vulnerabilities.

- Organizations will adopt configuration standards for all wireless network hardware and software, ensuring consistency of operation. These configurations will reflect steps to proactively address risks. It is noteworthy that many wireless technologies have weak user authentication. Wireless systems using Wired Equivalent Privacy (WEP) have been demonstrated as being subject to unauthorized transmission capture and intrusion, leaving this encryption method of somewhat questionable value.


However, regardless of whether WEP's protection is considered strong, medium, or weak, it is certainly better than open transmissions without encryption. If a wireless system uses 64-bit encryption, by all means use it; and if your wireless system supports 128-bit encryption, better still. In most systems, WEP is disabled at the default installation, so you must manually enable it before thinking your system is protected.

If your system allows the option of setting authentication to Shared Key, it is a wise idea to enable this feature. Change WEP keys on a regular basis, even as often as daily or weekly to help avoid data capture and network intrusions.

Service Set Identifier (SSID)
SSID is essentially the wireless network's identification. SSID helps to secure the network by ensuring the proper clients can access the system's access point. In the wireless platform, the access point is essentially a small transceiver operating on the designated frequency. For example, in an 802.11b system, the AP operates on the 2.4-GHz band with a few hundred feet of range, and in certain circumstances this can be extended to more than 500 feet. The AP is the location where the Internet and the internal network are connected, with the access point then broadcasting to any receiver capable of processing its traffic. This broadcast is received by wireless transceivers known as clients. Because the transmissions travel in all directions, they may possibly be received by intended and unintended recipients.

If WEP is disabled and the SSID is broadcast, it may be captured by anyone. Attackers may begin by compromising the network's access password. In order for clients to gain system access, they must have the SSID and the system password. If passwords are transmitted in the clear, they might be intercepted by any suitable client.

Wireless systems manufacturers usually install default SSIDs. Intruders are well aware of these default SSIDs; consequently, changing the default SSID makes your network more difficult to access by someone who is not authorized.

Disabling any options for broadcasting the SSIDs is a good idea. This ensures the client SSID matches the access point SSID before any access is permitted. There is a secondary benefit of concealing the SSIDs — it hides the existence of your wireless network to the world.
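The WEP and SSID recommendations above can be checked mechanically against the settings of every access point an organization operates. The following Python audit is an added example, not code from the original text; the access point records, the list of factory-default SSIDs, and the seven-day key rotation limit are constructed assumptions for illustration, not values from any vendor.

```python
"""Audit wireless access point settings against the wireless policy points
above: encryption enabled at the strongest length the hardware supports, keys
rotated regularly, a non-default SSID, and SSID broadcast disabled.

Added example; every record below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Constructed list of factory-default SSIDs (hypothetical values).
DEFAULT_SSIDS = {"default", "wireless", "linksys", "tsunami", "wlan"}


@dataclass
class AccessPoint:
    name: str
    ssid: str
    broadcast_ssid: bool
    wep_enabled: bool
    wep_key_bits: int        # 0 when encryption is off
    supported_key_bits: int  # strongest key length the hardware supports
    key_last_changed: date


def audit_access_point(ap: AccessPoint, today: date,
                       max_key_age_days: int = 7) -> List[str]:
    """Return the policy violations found for one access point; an empty
    list means the access point is compliant with the checks implemented."""
    findings: List[str] = []
    key_age = (today - ap.key_last_changed).days

    if not ap.wep_enabled:
        findings.append("encryption disabled: enable WEP before treating the link as protected")
    else:
        if ap.wep_key_bits < ap.supported_key_bits:
            findings.append(f"using {ap.wep_key_bits}-bit keys although "
                            f"{ap.supported_key_bits}-bit is supported")
        if key_age > max_key_age_days:
            findings.append(f"WEP key is {key_age} days old; rotate at least "
                            f"every {max_key_age_days} days")
    if ap.ssid.strip().lower() in DEFAULT_SSIDS:
        findings.append(f"SSID '{ap.ssid}' is a factory default; change it")
    if ap.broadcast_ssid:
        findings.append("SSID broadcast enabled; disable it so clients must already know the SSID")
    return findings


def audit_fleet(aps: List[AccessPoint], today: date) -> Dict[str, List[str]]:
    """Map each access point name to its list of findings."""
    return {ap.name: audit_access_point(ap, today) for ap in aps}


# Constructed sample inventory: one compliant access point and two that are not.
SAMPLE_APS = [
    AccessPoint("lobby-ap", "corp-guest-7f", False, True, 128, 128, date(2003, 3, 1)),
    AccessPoint("warehouse-ap", "linksys", True, True, 64, 128, date(2003, 1, 10)),
    AccessPoint("loading-dock-ap", "tsunami", True, False, 0, 128, date(2003, 1, 10)),
]
TODAY = date(2003, 3, 5)

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_APS, TODAY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Running it reports "lobby-ap: OK" and lists four findings for the warehouse access point (short key, stale key, default SSID, broadcast on) and three for the loading-dock one; note that the key-age check is skipped when encryption is off, since there is no key to rotate until it is enabled.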

Virtual Private Network (VPN)
Use of VPN technology between networks and clients assures strong user authentication and message privacy. VPNs are basically closed networks implemented through open-ended networks, including wireless. They allow for secure, authenticated transmissions to take place between designated points. If unauthorized persons intercept VPN-protected traffic, it is encrypted so there is little that can be done with it. Without the correct VPN technology, keys and passwords can be read. Such technology is very cost effective and secure, allowing confidentiality and message integrity over wireless networks.

Secure Sockets Layer (SSL)
Another technology worth considering in a wireless environment is the deployment of SSL technology. Simply stated, SSL provides a secure connection between a workstation's Web browser and a specific Web server. Data transmitted between the server and client is encrypted using technology called public key encryption, ensuring only the intended recipient can decrypt and read the information. In order to secure SSL, each Web site has its own unique digital certificate that defines the public and private encryption keys used during secure communications. If you leave the secure site and browse to another, the original SSL connection is closed. If you return to the SSL-secured site or another SSL-secured site, a new secure connection is made using a different set of encryption keys. As a de facto standard, SSL is the most popular Web-based message security protocol, with practically all online purchases and monetary transactions using it.

SSL effectively permits secure transmissions to take place between intended points and stifles intruder attempts to read them. SSL coupled with WEP provides an effective means to pass information over a wireless network with little fear of some unauthorized person reading your traffic.

Wireless Policies
Following are some examples of wireless network policy considerations:

- Organizations will actively sponsor administrator and user security awareness training to raise consciousness about the risks associated with wireless technologies.

- Organizations must have policies specifically addressing employees who are permitted to install wireless equipment and software.

- Organizations must have policies that describe the type of information that can be transmitted over a wireless network.

- Organizations must have policies requiring the reporting of the loss of wireless devices, fixed and mobile.

- Organizations must have policies requiring the reporting of security incidents.

- Organizations must have policies requiring network user IP addresses to be assigned dynamically via DHCP (Dynamic Host Configuration Protocol).

- Organizations must have policies regarding use of wireless VPN technology.

- Organizations must have policies regarding the use of SSL technology on Web sites.

- Organizations must have configuration policies regarding wireless equipment.

- Organizations must have policies regarding the implementation of WEP.

- Organizations must have policies requiring firewalls to be installed, configured properly, and maintained on all wireless network equipment.

- Organizations must have policies prohibiting the use of equipment or software that would extend the useable range of wireless network equipment.

- Organizations must have policies requiring all wireless equipment to be audited for legal, regulatory, and policy compliance.

Network Management Policies

Network Management Policies
Network management policies include resource accountability, reporting errors and malfunctions, and preventative maintenance. There are some repetitions of policy elements here, but it is recommended that this section is reviewed. Network protection policies address the continuing need for risk analysis, security awareness and training, security administration, and facilities security. Following are some measures that address network management policies:

Initiate and maintain a formal inventory of network components such as hardware, applications, and attendant components including serial numbers, physical location, version numbers, and dates of acquisition, implementation or installation.

All company network users must be formally authorized to use the network. All users must request access in writing, accompanied by the approval of their supervisor or manager. All access requests, approvals, and denials are retained and archived.

Regularly review the network configuration, ensuring that all attached components are authorized and configured correctly. Any attempt by employees to alter network configurations by installing unauthorized software or hardware must be reported immediately. Verify network interface equipment and configurations after a unit has been serviced or an audit has been performed. Verify the identity of the network interface card's user at the time of unit maintenance. Deny access to anyone having no authorized network interface card, and report violations.

Depending on the type of work, maintain logs of all network transactions including but not limited to identity of user, log-in time, files accessed, transactions performed, and log-off time.

When feasible, all logs are recorded on WORM media.

Through manual or automated means, all logs are reviewed and filed daily as permanent records.

All security and risk-related events are to be reported immediately and receive immediate senior management attention.

All corrective actions are documented and reported in a timely fashion.

Develop and maintain a schedule of preventative maintenance activities for applications and equipment. Any hardware and software not conforming to policy, procedures, or standards will be addressed appropriately, with reports made to senior managers. Ensure there is documentation of the time and type of maintenance performed on all network components.

Remove any and all data from storage media, e.g., floppy disks, hard drives, tapes, and CDs, before equipment is delivered to maintenance or disposal personnel.

Periodic risk assessments and audits are the responsibility of the network owner and the audit unit. Documentary evidence of these processes is to be made and maintained.

Risk analyses will be performed during the network's SDLC design stage and at any time changes are made to the network design or components. These analyses should measure, among others, the network's vulnerability to:

- Improper disclosure of information

- Fraud, theft, and abuse

- Inadvertent harmful errors

- Financial losses to the organization

- Harm to individuals' privacy rights

- Loss of intellectual property

- Loss of continuing profitable operations


Employees responsible for the company's network security and administration must have the necessary experience and should receive sufficient formal training to be able to perform their duties.

All network users are required to attend training sessions and sign an agreement regarding their security responsibilities, privacy, proper use of network facilities, and the safeguarding of data.

Employees have the responsibility to challenge strangers and other individuals who do not possess appropriate identification badges. At no time is an employee to allow someone access to any area by holding open a door equipped with an access control device.

All user activities and their accounts are subject to unannounced audits.
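The measures above call for every user to be formally authorized, for logs to record identity, log-in time, files accessed, and log-off time, and for those logs to be reviewed daily. The following Python script is an added example of what such a daily review can check automatically; it is not code from the original text. The log format, the sample log lines, the register of authorized users, and the 07:00 to 19:00 business-hours window are all constructed assumptions.

```python
"""Daily review of a constructed network transaction log against the network
management measures above: unauthorized users, activity outside business
hours, file access with no open session, sessions never logged off, and
lines the parser cannot read (which are review items in their own right).

Added example; the log lines, users and hours below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample of one day's log (assumed format: timestamp event user [path action]).
SAMPLE_LOG = """\
2003-03-05T08:02:11 LOGIN user=jsmith
2003-03-05T08:15:40 FILE user=jsmith path=/finance/q1-forecast.xls action=read
2003-03-05T17:01:03 LOGOFF user=jsmith
2003-03-05T09:10:22 LOGIN user=rdoe
2003-03-05T09:12:05 FILE user=rdoe path=/hr/salaries.xls action=read
2003-03-05T22:47:51 LOGIN user=ghost
2003-03-05T22:48:30 FILE user=ghost path=/finance/q1-forecast.xls action=read
2003-03-05T22:49:02 LOGOFF user=ghost
"""

# Constructed register of users formally authorized in writing (see the measures above).
AUTHORIZED_USERS = {"jsmith", "rdoe"}
BUSINESS_HOURS = (7, 19)  # assumption: events outside 07:00-19:00 are flagged

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOFF|FILE) user=(?P<user>\S+)"
    r"(?: path=(?P<path>\S+) action=(?P<action>\S+))?$"
)


def parse_log(text: str) -> List[dict]:
    """Turn raw lines into records; unparseable lines are kept and marked."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            records.append({"malformed": raw})
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def daily_review(text: str, authorized=AUTHORIZED_USERS,
                 hours=BUSINESS_HOURS) -> Dict[str, List[str]]:
    """Return review findings keyed by category; an empty dict means nothing to report."""
    findings: Dict[str, List[str]] = defaultdict(list)
    open_sessions: Dict[str, datetime] = {}  # user -> login time

    for rec in parse_log(text):
        if "malformed" in rec:
            findings["malformed"].append(rec["malformed"])
            continue
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        stamp = f"{ts.isoformat()} {event} {user}"
        if user not in authorized:
            findings["unauthorized_user"].append(stamp)
        if not hours[0] <= ts.hour < hours[1]:
            findings["after_hours"].append(stamp)
        if event == "LOGIN":
            open_sessions[user] = ts
        elif event == "FILE" and user not in open_sessions:
            findings["access_without_session"].append(f"{stamp} {rec['path']}")
        elif event == "LOGOFF":
            open_sessions.pop(user, None)

    # Anything still open at end of day was never logged off.
    for user, ts in open_sessions.items():
        findings["no_logoff"].append(f"{user} logged in {ts.isoformat()} without logoff")
    return dict(findings)


if __name__ == "__main__":
    for category, items in daily_review(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print(f"  {item}")
```

On the sample log the review reports the unregistered account "ghost" (three events, all after hours) and the session of "rdoe" that was never closed; the findings dictionary is what a reviewer would file as the day's permanent record alongside the log itself.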

Employees Must Think before Clicking the Send Button: Is There an Undelete Button?

Just because e-mail is one of the quickest ways to communicate with others does not necessarily mean it is the most appropriate way to do business at all times. When you are training employees in the use of e-mail, there are some other important factors to consider.

Confidentiality
E-mail is not private. Messages that are sensitive or private must never be sent through e-mail. Employees should understand there are many persons who have legitimate access to their e-mail, not the least of which are senior managers, systems administrators, auditors, and sometimes investigators. Additionally, there are attackers who are illegitimately engaged in accessing e-mail accounts.

Negotiations
These exchanges are best conducted either face-to-face or through telephone conversations. Regardless of whether they are related to an employee's salary, contract negotiations, or the price of cabbage, dialogues of this nature are best held until the parties can discuss them verbally.

Bad News
Train all employees never to use e-mail to deliver bad news or to discuss performance-related or emotionally charged issues. Senior managers must thoroughly understand this principle. Without the benefit of facial expressions, vocal intonations, and body language, hurt feelings can result.


Plain, Professional Language

Obscenity, vulgarity, profanity, defamation, off-color remarks, and just plain nasty talk have no place at work or in e-mail. Electronic communications are not private and can be read by a variety of persons today and in the future. Plain, courteous, professional language is the language of business. Risks associated with this type of activity are extremely damaging to the organization and to the individual employee.


Attachments

Organizations must be cautious about sending and receiving e-mail attachments. Instruct employees to copy and paste items into the body of the e-mail. If that is not possible, the sender should ask the recipient if the item can be sent as an attachment. Employees should be cautious about opening attachments, and they should be mindful that this is the primary way that viruses are distributed. If the e-mail users are technically minded, train them so they recognize that attachments with extensions of .exe, .vbs, and .scr should never be opened. Systems administrators should consider using software that denies executable attachments from being delivered to the organization's interior networks.
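The last sentence above asks administrators to stop executable attachments at the boundary. The following Python filter is an added example of the core of such a control, not code from the original text; the deny list starts from the extensions the text names and adds a few other executable types as an assumption, and the attachment names are constructed. It shows why a naive "check the last extension" rule is not enough: names such as report.doc.exe, upper-case extensions, and trailing spaces must all be handled.

```python
"""Classify e-mail attachment file names against an executable deny list.

Added example. The deny list below is an assumption that extends the
extensions named in the text; the sample attachment names are constructed."""
from typing import List, Tuple

# Extensions the policy text names (.exe, .vbs, .scr) plus other executable
# types added here as an assumption; extend to match the organization's policy.
BLOCKED_EXTENSIONS = {"exe", "vbs", "scr", "com", "bat", "pif"}


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return ("block" | "allow", reason) for one attachment name.

    Every extension in the name is examined, so a double-extension name such
    as invoice.pdf.exe is blocked, and so is photo.exe.jpg (an executable
    extension anywhere in the name is treated as suspicious). Case and
    trailing dots or spaces, which some mail clients and file systems strip,
    are ignored. A name with no extension at all is blocked rather than
    delivered, since its type cannot be established."""
    name = filename.strip().rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return "block", "no extension"
    for ext in parts[1:]:
        if ext in BLOCKED_EXTENSIONS:
            return "block", f"executable extension .{ext}"
    return "allow", f".{parts[-1]}"


def filter_message(attachments: List[str]) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split a message's attachment names into (delivered, stripped) lists,
    each entry carrying the reason for its verdict so the action can be logged."""
    delivered: List[Tuple[str, str]] = []
    stripped: List[Tuple[str, str]] = []
    for fn in attachments:
        verdict, reason = classify_attachment(fn)
        (delivered if verdict == "allow" else stripped).append((fn, reason))
    return delivered, stripped


# Constructed sample attachment names for one incoming message.
SAMPLE_ATTACHMENTS = [
    "q1-forecast.xls",
    "minutes.doc",
    "invoice.pdf.EXE",
    "screensaver.scr ",
    "README",
    "macro-helper.VbS",
]

if __name__ == "__main__":
    delivered, stripped = filter_message(SAMPLE_ATTACHMENTS)
    for fn, reason in delivered:
        print(f"deliver  {fn!r} ({reason})")
    for fn, reason in stripped:
        print(f"strip    {fn!r} ({reason})")
```

An extension filter is only one layer: it is meant to complement, not replace, the scanning software and user training the section describes, since a file's real content need not match its name.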

Spam

Instruct employees never to reply to unsolicited or unwanted e-mail, affectionately known as spam. Replies usually have the effect of confirming active e-mail accounts for spammers who may sell or trade viable e-mail accounts to other spammers, thereby compounding the problem. Irate replies usually go to empty e-mail accounts as spammers often use one-time e-mail addresses.

Message Priority

Do not indicate that your e-mail is urgent if it is not. Do not oversell e-mail messages. Reserve urgent notifications for those e-mails that are truly important.

Forwarded E-Mail

Instruct employees they must not forward e-mail, attachments, and the latest newsletters willy-nilly. They may find them interesting, but most recipients will not. Be respectful of your intended e-mail recipient's time. They may not be very excited about receiving the latest and greatest magazine articles about salad dressing.


Salutations and Signatures

Incorporating salutations and signatures into the text of an e-mail thread will establish the employee's role and position. An additional benefit is derived from using salutations and signatures: they provide beginnings and endings to messages attributable to specific individuals.

Spelling and Grammar
Instruct employees to use proper language construction, spelling, and grammar that distinguish professional conduct. Use spell-checking and grammar-checking software before sending e-mail. Avoid word and sentence constructions that have double meanings. Do not editorialize or rant in e-mail messages. Red herrings cost time and money. Employees should be frequently reminded that it is possible their messages will be introduced in a court of law.

Encrypted Communications

There are many ramifications of encrypted e-mail communications. Employees can exchange e-mail assured of its integrity and confidentiality. While this is certainly an advantage, it is easy to e-mail proprietary information to outside parties using crypto-technology. E-mail encryption programs can be easily purchased and in some cases are free. If organizations are going to monitor e-mail communications, they are not going to be able to read encrypted messages. More than one employee has used the company's encrypted e-mail to send sensitive information to waiting competitors without fear of being caught.

E-Mail for Managers
Managers should remind employees that e-mail and the attendant systems are the property of the organization and are being monitored. Each time a manager reminds employees of this fact, it should be documented so it can be retrieved and formally acknowledged by employees. Human Resources units should have signed acknowledgments from all employees.

All employees are subject to the organization's policies. No one is outside this policy unless specifically and formally exempted. Exemptions must be justified and individually approved. Being a senior manager is not sufficient justification for an exemption. Managers and auditors must enforce the organization's e-mail policy consistently and equitably. Do not allow special rights to some employees that are not enjoyed by all employees.

Out-of-Band Communications

If communications are very sensitive, employees and managers particularly must know about out-of-band (OOB) communications. OOB communications are outside the regular communications channels. They may include conversations through cellular telephone calls outside the workplace, e-mail communications between computers outside the workplace, encrypted communications, etc. OOB communications alternatives should be available to employees with a reason to use them.

Connecting to the Internet: Policies and Procedures of Survivability

Computer networks such as the Internet that do not have central administrative controls or unified security policies should be called open-ended networks. Because of their open-ended nature, there is no realistic way to determine just how many nodes are attached to the network. Regardless of the best efforts of information security officers, no degree of hardening will assure that a computer system that is connected to an open-ended system can be made invulnerable to attacks. However, if systems were designed with the goal of delivering profitable services while maintaining properties such as confidentiality, integrity, and availability, they would go a long way to contributing to an organization's survivability in the face of disasters.

Today's large-scale networks are highly distributed in an effort to improve efficiency and effectiveness by permitting high levels of integration. These levels of integration, while providing great strength of communication between networks, also carry elevated risks associated with unauthorized intrusion and compromise. These risks can be somewhat mitigated by implementing survivability in an organization's systems. Survivability incorporates risk management, fault tolerance, performance testing, and auditing.

Survivability is simply defined as the capability of a system attached to an open-ended network to continue to deliver profitable services in the presence of accidents, attacks, or system failures.

The terms accidents, attacks, and failures are meant to include all potentially damaging events. Attacks include intrusions, viruses, worms, Trojan horses, and denial-of-service attacks. Any system with an overly restrictive structure because of attack threats may significantly reduce its functionality while directing excessive resources to protect and monitor its assets.

Failures and accidents are risks caused by deficiencies in the system itself, or in an external item on which the system depends. Failures may be attributable to design errors, human errors, hardware failures, coding errors, or corrupted data.

Accidents are usually described as random events, for example naturally occurring disasters such as floods, blizzards, and earthquakes.

For a system to achieve high levels of survivability, it must react to and recover from damaging events while continuing to deliver efficient and effective services. In fact, reaction and recovery must be at acceptable levels whether or not the cause of the damaging event is ascertained. Levels of survivability are central to the notion that the system is sufficiently redundant that even if significant portions of the system were damaged or destroyed, the system would continue to meet demands.

For example, a survivable financial system maintains confidentiality, integrity, and availability of critical information when nodes or communication systems are not functioning as a result of harmful events. This financial system is survivable owing to its robust design. It recovers and delivers critical services in a timely manner in the face of disaster. The hallmark of a survivable system is the identification of critical services, the essential components within the system that support them, and the ability to deliver these services in spite of harmful events. These are some of the key elements of survivable systems connected to open-ended networks:

Resistance to attacks. Strategies include strong user authentication and verification, configuration management, change controls, upgrade and patching policies, audit policies, antivirus policies, e-mail policies; partitioned sub-networks; firewalls; proxy services; network address translation services; redundant data backup copies and critical services; and well-developed risk-management programs.

Recognition of system attacks. Strategies include detecting intrusion attacks and understanding the current state of the system such that the extent of damage can be evaluated effectively.

Creation of event and transaction logs. These logs must document the external and internal activities taking place on the network. Having the details contained in these logs can go a long way toward saving your system administration and legal bacon. Many experienced administrators strongly suggest that logs be maintained on Write Once, Read Many (WORM) media. This logging media prevents a malicious person from deleting the record of his or her harmful activities after the fact.

Recognition of intrusion attack patterns. Strategies include virus scans, systems vulnerability scans, internal integrity checking, logging, audits, system monitoring, and network monitoring.

Recovery of full or critical services is based on critical asset prioritization, recovery, and business resumption.

Development and implementation of strategies for restoring compromised data and critical functionality, limiting the extent of damage, maintaining or resuming critical services, and eventually restoring full service as time and resources allow.

Restoration of critical data and applications. Strategies include use of alternative services, use of redundant components with the same or a similar interface, operational procedures to restore the system configuration state, containment and isolation of damage, and a practiced ability to operate critical services with reduced resources.
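The event-and-transaction-log element above asks that records survive an intruder's attempt to erase them. As an added example (not code from the original post), here is a software analogue of the WORM property: an append-only, hash-chained log whose verifier detects after-the-fact deletion, alteration, or truncation, provided the latest chain digest is retained somewhere the logged system cannot reach (for instance, on WORM media). Hash chaining is my assumption here, not a technique the post describes, and the audit lines are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor used as the "previous digest" of record 0


@dataclass(frozen=True)
class LogRecord:
    seq: int          # 0-based position in the log
    event: str        # the raw audit line
    prev_digest: str  # digest of the preceding record
    digest: str       # SHA-256 over (seq, event, prev_digest)


def _digest(seq: int, event: str, prev_digest: str) -> str:
    payload = json.dumps({"seq": seq, "event": event, "prev": prev_digest},
                         sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class ChainedLog:
    """Append-only log: every record commits to the record before it."""

    def __init__(self) -> None:
        self.records: List[LogRecord] = []

    def append(self, event: str) -> LogRecord:
        prev = self.records[-1].digest if self.records else GENESIS
        seq = len(self.records)
        rec = LogRecord(seq, event, prev, _digest(seq, event, prev))
        self.records.append(rec)
        return rec

    def head(self) -> str:
        # Retain this value off-system (e.g. WORM media) so tail truncation is detectable.
        return self.records[-1].digest if self.records else GENESIS


def verify(records: List[LogRecord], expected_head: str) -> Tuple[bool, Optional[int]]:
    """Recompute the chain. Returns (True, None) if intact; otherwise (False, index of
    the first record that breaks the chain). An index equal to len(records) means
    records were removed from the tail."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if (rec.seq != i or rec.prev_digest != prev
                or _digest(rec.seq, rec.event, rec.prev_digest) != rec.digest):
            return False, i
        prev = rec.digest
    if prev != expected_head:
        return False, len(records)
    return True, None


# Constructed sample audit lines; hostnames, users and times are made up.
SAMPLE_EVENTS = [
    "2024-05-01T09:00:02 sshd: accepted publickey for svc_backup from 10.0.0.12",
    "2024-05-01T09:00:05 sudo: svc_backup ran /usr/bin/tar as root",
    "2024-05-01T09:01:17 sudo: svc_backup ran /usr/sbin/useradd as root",
    "2024-05-01T09:02:40 sshd: session closed for svc_backup",
]


def build_sample() -> ChainedLog:
    log = ChainedLog()
    for line in SAMPLE_EVENTS:
        log.append(line)
    return log


def remove_record(log: ChainedLog, seq: int) -> List[LogRecord]:
    """Simulate the scenario the post warns about: one incriminating record deleted."""
    return [r for r in log.records if r.seq != seq]


def alter_record(log: ChainedLog, seq: int, new_event: str) -> List[LogRecord]:
    """Simulate a record's text being edited in place."""
    return [replace(r, event=new_event) if r.seq == seq else r for r in log.records]
```

The verifier only reports where the chain breaks; it cannot recover the missing record, which is why the post's advice to write logs to media that cannot be rewritten still stands.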

Risk management planning requires that risk management decisions and financial trade-offs be made by senior managers with the guidance and recommendations of technical experts in the application and data domains, security, and software engineering. System survivability depends at least as much on risk management development and implementation as it does on the technical abilities of the organization's employees. The role of security and technical experts is to provide senior managers with the information necessary to make informed risk management decisions.

In the design of new systems or the refitting of older systems, survivability imposes structure on all phases of the system and software development process. At the requirement and specification levels, critical assets must be identified. Requirements for damage resistance, recognition, recovery, and resumption should be specifically addressed. System architectures should address survivability on an equal footing with other performance properties such as capacity, reliability, and maintainability. In the selection of commercial off-the-shelf software, solutions should be chosen with survivability as one of the highest priorities.

Software solution design and implementation should include techniques for containment and isolation, replication, restoration, and migration of critical assets. Survivability solutions must be integrated into both new and existing systems, avoiding systems failure due to attack, accident, or natural disasters.

E-Mail Policy: Avoiding Hidden Risks

In today's business environment, organizations must be aware of potential liabilities by developing and implementing comprehensive management programs that address e-mail creation, content, retention, privacy, and deletion. E-mail has replaced the telephone call as the preferred means of business communication. Through e-mail threads, employees record their thoughts and read the thoughts of others. Wrongful statements, disparaging remarks, and off-color jokes can be read at future dates. The result is written ammunition that can make or break organizations should a lawsuit or criminal action follow.

In recent litigation about diet pills, some of the most embarrassing evidence against the manufacturer came from internal e-mail exchanges among its own employees. One insensitive message reported an employee expressing her dismay at the thought of spending the balance of her career paying "fat people who are a little afraid of some silly lung problem." The remark was a reflection of the employee's attitude to a rare but fatal condition some diet-pill users developed. Of course, the judge and jury in awarding damages carefully considered these e-mail messages.


In the past, if an investigator was trying to discover what employees were saying or thinking at a given time, the best evidence would generally come from notepads, calendars, diaries, desk pad scrawl, and other informal documents. However, with the use of the computer workstation and the prevalence of e-mail in the workplace, experts can have access to a virtual library of written documents located on hard drives, file servers, and backup media. E-mail records provide important insight about how decisions were made and the timeframe in which they were made. The fact that organizations lack viable e-mail policies means that senior managers do not give it the priority it deserves. It is a mission-critical tool present in daily business and personal life. If not managed properly, e-mail can pose serious risks.

Enhancements to Written Policies

Other media can augment written policies, making them more appealing and useful to their intended readers. Reading policies is not very interesting to most employees. To be effective, these supplements generally take the form of some kind of electronic media.

Audio/Video Productions

Many organizations have started to use media convenient for the telecommuter. Video productions can be easily downloaded to the computer of an offsite employee, who can then review them at leisure and send an acknowledgment to the office. Once stored on the employee's computer, these productions serve as future reference for the employee.

Classroom Training Sessions
Most organizations offer formal classroom training sessions to present policies to employees and to obtain feedback from them. Classrooms provide the opportunity to learn from other attendees relative to policy methods and wording. The classroom setting provides an opportunity for attendees to meet with the instructor as well as other employees, and to exchange viewpoints. Instruction of this type may be restricted to the individual employee or include groups sharing policies.

Each organization has a culture that functions best in some environments but not in others. Before arbitrarily spending time and money offering supplements to written policies, weigh each media option and select carefully.

The Policy of Policy Development

Good policies address potential threats. If there were an absence of threats, there would be little reason for policies. Organizations need comprehensive policies. A good example is the United States needing policies that address national defense. The state of Colorado does not need a national defense policy, as there are no security threats posed by other states, nor is Colorado in a position to execute treaties with other nations. Nevertheless, Colorado is a significant member of the United States and thereby provides resources to the national defense posture of the whole United States. Unified policies provide a framework for identifying threats and vulnerabilities and a basis for effective safeguards.

Policies are about strategy. You cannot decide countermeasures for information leakage if you do not have policies mandating enforceable countermeasures. For example, you cannot expect 20 software engineers, each of whom is in charge of a small degree of program security, to behave coherently unless there is a unified policy with the same goals in mind. Of course, employees have a policy in mind when they define and implement safeguards, but written policies direct them to a mutual goal.

Every organization needs policies addressing its many functions. Policies should detail who is responsible for policy implementation, enforcement, audit, and review. Policies must contain a very brief explanation as to the reason they exist. Seemingly arbitrary policies delivered from on high with little or no explanation are likely to be ignored completely. Clear, concise, coherent, and consistent policies are more likely to be adopted and followed by the workforce.

Most well-developed policies share many of the same elements. Some are drafted so these elements are specifically identified while others are subtle, requiring a thorough reading and a bit of head scratching.

Some employees will resist policies, regardless of their intent. They view policies as impediments to their ability, restricting their freedom. Sometimes they feel the organization does not trust them and intends to overly govern their behavior. Employees fear that policies will be difficult to incorporate into their business activities or difficult to follow. Managers tend to worry that restrictions placed by policies will adversely affect the organization's morale and profitability. Obviously, the most desirable goal in policy drafting is the win-win-win scenario: managers win, employees win, and the organization wins. This strategy requires skill, daring, and terrific delivery.

Team Leadership
Successful policy development teams must have a fanatical executive sponsor. This senior manager needs to be a "true believer." The policy development team needs to have a leader with excellent business knowledge, analysis, management, and communications skills.

Team leaders are able to guide and direct the team's efforts by:

- Asking questions that stimulate ideas and fruitful discussions.

- Using reflective listening skills.

- Directing but not overly managing the team's discussions.

- Developing and fostering an informal and relaxed atmosphere.

- Celebrating the achievement of milestones and objectives.

Policy Team Members

Carefully select the policy development team members. Team members should be selected from relevant business units. There is a decided advantage if members have the ability to write in plain, simple language.

Common Policy Components

All policies must be given an effective date. Effective dates cannot be before the release date of the policy, but prior events can be included as part of the policy statement.

Every policy should be subject to a review or expiration date. This date assures that the policy will be reviewed periodically to determine if it is still needed. In this way, old policies may be updated, obsolete policies can be abandoned, and new requirements can be incorporated into existing policies.

Affected business units or positions should be listed as the policy audience. If the policy is companywide, then it should clearly state this fact; however, if it is applicable to just a few people, then those positions should be specifically detailed. Avoid the tendency to make policies just to impress someone such as a new operations officer or company president. Make policies that matter.

Executive Approvals
Policies should specify which executives approved them. They should be named along with their official title in the policy document. Here are two points on executive approvals:

- Do not name an artificially high officer who has little relevance to the policy as the authorizing person. This may result in the policy being challenged without a knowledgeable defense.

- The authorizing officer should be of sufficient authority that higher-ranking executives could not overrule the policy if it were challenged.

Policy Exemptions

Just as important as the body of the policy is the process outlining how exemptions can be requested. If exemptions are not possible, then the policy should state why. It is not important to state the conditions under which exemptions may be granted; just the process for requesting them. It is likely that if you are overly explicit in defining the exemptions, you will receive a deluge of similarly worded exemption requests.

Changes
Policies cannot remain unchanged forever. Successful policies have explicit procedures for generating succeeding policies. In some cases, policy changes are merely a technical review while others will require a full narrative justification, including a process for combining old procedures with newer ones.

Violations

All policies must contain an explanation of the consequences when employees violate them. Disciplinary actions can vary from the least level, where a violator's supervisor must acknowledge that the policy has not been followed, to severe disciplinary action resulting in the employee's dismissal and prosecution. The level of discipline must be commensurate with the importance of the policy. For example, suppose a new employee violates a policy that requires e-mail to be used only for job-related purposes. It is sufficient for his supervisor to issue an informal reminder about the use of e-mail. However, if a senior employee were to send an e-mail containing obscene language or racial insults, this would likely result in counseling the employee and, depending on the circumstances, suspension without pay or even dismissal. Exhibit 1 is a common format for policy headings.

The policy purpose section explains the objectives of the policy. When drafting purpose statements, consider using a consistent opening paragraph of one or two sentences. Avoid rambling or flowery sentences; the language should be comprehensive yet concise in meaning. Do not use abbreviations, which cause confusion and provide a basis for misunderstanding.

The revision history shows previous revisions to the policy and provides a historical view of the document, showing the policy as it was instituted and how it was revised since that time. In the case of ISO 9000 or the Capability Maturity Model, policy and revision histories are requirements. This section is a good place to set dates for a future review, noting who should perform this review and why.

The affected personnel section identifies the employees to whom the policy applies. It states the users of the policy and should identify the affected persons by business unit positions rather than specific persons by name, e.g., "All server systems engineers" rather than specific employees such as "John Doe."

The next heading, the policy's body, is the most important. In this section, the general attitude of the company, its goals, mission, and vision are reflected. This is the section that should include any clarifying narratives or definitions. All readers should have a common vocabulary if they are going to clearly understand the policy. Avoid stating the policy in part, then referring the reader to another section for the rest of the policy. Regardless of the length, state the policy completely. The whole purpose of writing an easy-to-read policy is to assist the reader to understand and remember the information on the first reading.

Exemption processes should be the next section. State the process by which exemptions may be obtained. Be certain to detail the written format that exemption applications need to follow and specify the position to which they should be submitted for consideration.

Disciplinary actions for noncompliance should be plainly stated in the policy. Accountability, responsibility, and employee empowerment are current management concepts that can be drawn on when explaining the policy.

Do the Policy Right the First Time

Avoid drafting, vetting, and approving a policy only to discover shortly thereafter that it does not address the problem. Get it right the first time. Policy teams lose credibility and senior management support if they complete the process and need to undo or revise the policy a few days later.

Vetting Policies
We live in a litigious world. Laws, contracts, union agreements, regulations, and international treaties affect the workplace. Policies must pass through an established vetting process where they can be reviewed for consistency and compliance. The complexity of this process depends on the policy, the size of the organization, and the policy's affected universe. At a minimum, these are the parties that should review the policy, making any corrections before it is adopted: affected business units, Human Resources, union representatives, Legal, Audit, Finance, and Executive Committee. Failure to adequately vet a policy might adversely affect the company and preclude it from doing business.

Policies and Procedures

Policies, Procedures, Standards, and Politics
Modern organizations have developed into a complex waltz of human resources, data, equipment, facilities, processes, policies, and procedures. For most of us, our daily activities are not scripted and rely on policies and procedures to create an efficient and productive environment. Developing and implementing fixed policies often seems like a futile exercise, yet unless there is a formal architecture, employees end up spinning their wheels.

In the same sense that countries require laws governing the conduct of their citizens, organizations require policies to govern the conduct of their critical assets. Policy development and enforcement is neither an academic drill nor an exercise just to placate auditors. It is an essential component of sound business operations. If appropriate conduct were left to a voluntary basis, it would be observed about as often as drivers make a complete stop at stop signs when no police officer is present. True, it does happen, but not often.

Policies are the methods by which business processes are documented and disseminated. Not all policies apply to all business units. Consequently, policies may have general coverage, or coverage directed to specific business units and even specific functions. They provide employees with limits, alternatives, and governance. Formal policies allow senior managers to conduct their business without constant intervention, enabling employees to work within defined frameworks. They reduce the range of individual decisions and allow managers to deal only with items that fall outside that framework.

Policies assure equitable access to secure resources for authorized users. They make certain that safe, consistent, correct procedures are being employed to conduct the organization's work. Many policies are not optional; rather, they are mandated by legal and regulatory requirements while others are based on fear, uncertainty, and doubt (FUD).

Ask any system administrator how many times he or she has repeated the company's policy mandating that employees not open e-mail attachments. Before long, the system administrator has to deal with an employee who has done exactly the opposite.

There is another purpose for developing written policies and procedures: to help guide the practice and performance of professionals who face a combination of mundane tasks and crisis-related activities requiring an immediate decision. Professionals such as lawyers, accountants, auditors, scientists, physicians, and others depend on policies to assure that their efforts are directed toward specific accepted practices. The logic behind policies for professionals is that the work is done the same way regardless of who is doing it, because the accepted manner of completing the task is consistent from professional to professional.

Under most circumstances, senior employees are expected to be promoted, leaving vacancies behind them. The generally accepted idea is that the employee accepting the position will be able to "hit the ground running," because there will be written policies and procedures left by the employee vacating the position. Written policies and procedures refined by the incumbent ensure that the employee filling the position can work effectively and efficiently with a minimum of delay. These policies bridge the gap between two employees doing the same job at different times, locations, or even business divisions.

When followed, these policies guarantee the consistency of the work performed previously or in different locations. They form a core of institutional communication between the experienced, knowledgeable person who developed or enhanced the work plan, and the new person assuming the position. Policies address ways to handle routine situations, and can form a directory of operating procedures to be used in unique circumstances. As a learning tool, policy documents form a basis for describing new procedures or explaining the application of special circumstances to others.

Written policies and procedures form essential components of the organization's management system because they detail management instructions that are often the result of high-level discussions or legislated requirements. Statements of policy, especially as they relate to critical incident management, are the manifestation of executive direction in the organization's environment. As practical instruments of managers, written procedures bind the organization's philosophy to the actual work-related task.
