May 22, 2013

2.1.3 Importance of Policies in Reducing Risk

Policies are used by organizations to define and govern behavior. Information is the core resource of IT organizations. As a result, several types of policies are created to preserve and protect it in a consistent and reliable manner. Policies are created to fulfill legal, regulatory and security requirements. Let’s focus on the security-related policies.

Privacy Policy

In a (business) transaction there is an exchange of resources. In a business-to-consumer transaction, the consumer usually exchanges money for a product or service. Often, to facilitate the transaction, personally identifiable information (PII) is generated. The value of this information is becoming more apparent. The Privacy Act of 1974 [1] established guidelines and restrictions on how the US federal government can collect, use and share PII. Other federal laws establish rules for corporations and other organizations to manage their users’ private information in specific circumstances, e.g.
  • HIPAA [2]
    • HIPAA is the acronym for the Health Insurance Portability and Accountability Act passed by Congress in 1996. With respect to IT, HIPAA mandates industry-wide standards for health care information on electronic billing and other processes, and requires the protection and confidential handling of protected health information.
  • Gramm-Leach-Bliley Act (GLBA) [3]
    • The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, provides limited privacy protections against the sale of your private financial information.
  • Children’s Online Privacy Protection Act (COPPA) [4]
    • COPPA protects the privacy of children. It states that it is unlawful for an online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child under the age of 13, to collect personal information from a child in a manner that violates the regulations.
In addition to these government-sponsored protections, organizations create and publish their own policies aimed at bolstering transparency about how their users’ “private” information is secured and consumed.

Typical of a lot of privacy policies are these section headings from PayPal’s Privacy Policy:
  • Binding Corporate Rules
  • How we collect information about you
  • How we use Cookies
  • How we protect and store personal information
  • How we use the personal information we collect
  • Marketing
  • How we share personal information with other PayPal users
  • How we share personal information with other parties
  • Using PayPal Access
  • How you can restrict PayPal from sharing your personal information
  • How you can access or change your personal information
  • How you can contact us about privacy questions
Other names for privacy policies include data use policy and terms of service.

Acceptable Use Policy

An acceptable use policy (AUP) is a set of rules created by the owner of an online resource (network, website, system, etc.) that sets out the etiquette a user must agree to in order to be given access to the online resource. An AUP defines the intended uses of the resource, unacceptable behavior and the consequences for non-compliance.

A good AUP will cover provisions for network etiquette, mention limits on the use of network resources, and clearly indicate the level of privacy a member on the network should expect. [5] A good AUP will maximize the common use of the resource and reduce the potential for legal action.

An acceptable use policy is also known as an acceptable usage policy or fair use policy.

Security Policy

A policy is a living document that outlines specific requirements or rules that must be met and outlines why those rules are needed. [6] It is updated continuously to adapt to evolving business and technology requirements.

A security policy defines what it means to be secure for a system, organization or other entity. [7] It states in writing the rules and procedures that entities accessing IT assets must comply with in order to preserve the confidentiality, integrity and availability of the IT assets. These assets face threats from a wide array of predictable and unpredictable sources, including malicious software, hacking and denial of service attacks. Security policies set out the rules and procedures that support and bolster the technical steps taken to secure the system and organization.

The International Organization for Standardization (ISO) and the US National Institute of Standards and Technology (NIST) are two governing bodies that have published standards for creating security policies. ISO 17799 provides a comprehensive set of guidelines and controls comprising best practices in information security, and can be used as a basis for developing a security policy. [8]

Mandatory Vacations

A mandatory vacations policy is a type of Human Resource (HR) policy which states that active employees should be absent from the office and their duties for an uninterrupted period of time. HR policies cover issues that directly affect anyone doing business for the organization (employees or non-employees). If you ask an HR professional, their justifications will include that this policy avoids burnout and improves productivity. [9]

To the Security professional, the mandatory vacations policy is an effective internal security control. It essentially ensures that periodically someone else is looking over the activities of an employee and will possibly uncover any fraudulent activities by that individual.

In the Risk Management Manual of Examination Policies, the Federal Deposit Insurance Corporation (FDIC) endorsed the concept of mandatory vacations by saying, “Such a policy is considered an important internal safeguard largely because of the fact that perpetration of an embezzlement of any substantial size usually requires the constant presence of the embezzler in order to manipulate records, respond to inquiries from customers or other employees, and otherwise prevent detection.” [10]


It is logical that mandatory vacation (along with job rotation and separation of duties) should be a part of an overall HR and Security policy. The organization should avoid a situation where an individual has complete control of important business processes without adequate supervision and oversight. These policies help protect against loss of critical skill sets and act as a check against fraudulent activities.

These practices also protect against the loss of a critical skill set due to injury, death, or another form of personnel separation.

Job Rotation

Job rotation creates a mechanism where two or more employees can periodically switch roles. Job rotation is promoted by Human Resources (HR) as a valuable tool in the overall training program. The Security department will endorse it as an effective security control because it exposes each employee’s work processes to other employees, possibly uncovering fraudulent or otherwise inappropriate behavior.

Job rotation promotes cross-training and knowledge sharing and helps to expose fraudulent activities.

Separation of Duties

Separation of duties (SoD) dictates that important functions should be broken into multiple tasks and each task performed by separate individuals. The goal is to ensure that no single individual can dominate a process from beginning to end and thus be able to skirt security policies and take advantage of the system for personal gain.

SoD helps prevent conflict of interest and provides a mechanism to detect failures in security controls.
The idea of separation of duties hinges on the concept that multiple people conspiring to corrupt a system is less likely than a single person corrupting it. [11]


Section 404 of the Sarbanes-Oxley Act requires management to report on the adequacy of the company’s internal control on financial reporting. One of the tools companies and auditors have to meet this requirement is to implement separation of duties policies in the organization.

Least Privilege

In their paper “The Protection of Information in Computer Systems”, Saltzer and Schroeder write, “Every program and every user of the system should operate using the least set of privileges necessary to complete the job”. This policy “limits the damage that can result from an accident or error.”

The least privilege policy gives individuals (or applications) only the minimum amount of privileges they need to perform a task. This is similar to the military concept of “need to know” which states that access to information must be necessary for the conduct of one’s official duty.

People or processes should have the least authority necessary to perform a task. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs. [12]
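The separation of duties and least privilege sections above describe policy; the following is an added example (not from the original post) of how both become an enforceable authorization check. It assumes a constructed payments workflow with made-up roles ("clerk", "approver", "auditor") and user names: each role carries only the permissions its task needs, no account may hold a toxic role combination, and the user who initiates a payment can never be the one who approves it.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Least privilege: every role carries only the permissions its task requires.
ROLE_PERMISSIONS = {
    "clerk": {"payment:create"},
    "approver": {"payment:approve"},
    "auditor": {"payment:read"},
}
# Separation of duties: role sets that a single account may never hold together.
TOXIC_COMBINATIONS = [frozenset({"clerk", "approver"})]

@dataclass
class Payment:
    amount: int
    created_by: str
    approved_by: Optional[str] = None

def assign_roles(user_roles: Dict[str, Set[str]], user: str, roles: Set[str]) -> None:
    """Grant roles to a user, refusing any toxic combination (preventive SoD control)."""
    for combo in TOXIC_COMBINATIONS:
        if combo <= roles:
            raise PermissionError(f"{user}: {sorted(combo)} must be held by different people")
    user_roles[user] = set(roles)

def has_permission(user_roles: Dict[str, Set[str]], user: str, permission: str) -> bool:
    """True only if one of the user's roles explicitly grants the permission (default deny)."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user_roles.get(user, ()))

def create_payment(user_roles, user: str, amount: int) -> Payment:
    if not has_permission(user_roles, user, "payment:create"):
        raise PermissionError(f"{user} may not create payments")
    return Payment(amount, created_by=user)

def approve_payment(user_roles, user: str, payment: Payment) -> Payment:
    if not has_permission(user_roles, user, "payment:approve"):
        raise PermissionError(f"{user} may not approve payments")
    # Runtime SoD rule, kept as defense in depth even though assign_roles() should make it unreachable.
    if user == payment.created_by:
        raise PermissionError(f"{user} cannot approve a payment they created")
    payment.approved_by = user
    return payment

def denied(action, *args) -> bool:
    """Helper for tests/demos: True if the policy refused the action."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False
```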

Reference:

  1. The Privacy Act of 1974: http://www.justice.gov/opcl/privstat.htm
  2. HIPAA: http://www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.00%20WhatisHIPAA.aspx
  3. GLBA: http://epic.org/privacy/glba/
  4. COPPA: http://www.ftc.gov/ogc/coppa1.htm
  5. AUP: http://compnetworking.about.com/od/filetransferprotocol/a/aup_use_policy.htm
  6. Security Policy: http://www.sans.org/security-resources/policies/
  7. Security Policy: http://en.wikipedia.org/wiki/Security_policy
  8. Security Policy: http://www.sans.org/reading_room/whitepapers/policyissues/security-policy-roadmap-process-creating-security-policies_494
  9. Mandatory Vacations: http://hr.blr.com/HR-news/Benefits-Leave/Vacations/Make-Vacation-Mandatory-to-Avoid-Employee-Burnout-
  10. Mandatory Vacation: http://www.fdic.gov/regulations/safety/manual/section4-2.html#basicElements
  11. http://www.pearsonitcertification.com/articles/article.aspx?p=1809117&seqNum=2
  12. http://searchsecurity.techtarget.com/definition/principle-of-least-privilege-POLP
