Handbook of Information Security Management:Policy, Standards, and Organization



Computer-Based Policies

Policies are frequently linked to measurement or enforcement methods that are built into the computer systems themselves. Recently, procedures have been developed to help monitor and enforce standards and policies with reduced or no personal involvement by auditors, reviewers, or management.

Tests and policy monitors have been developed to process program code and command files against a set of automated standards “rules.” Results of these batch processes can be returned to the program or procedure writer for update based on the findings of these monitoring packages. Generally, with each comment or marked violation a text narrative of the standard itself is provided, helping the developer to read and apply the standard to the work being done. Although helpful, this process can often lead to ad hoc program and command development that circumvents obsolete or inappropriate standards. Batch review procedures, if tightly enforced, can often fail to accommodate special situations that are essential for proper and efficient business operations.

Less strict methods can be used to provide an informational review of methods against accepted policies. This approach is generally monitored by an audit or security compliance group that reviews the results of the process evaluation and can choose either to accept the method despite its departure from policy or to send the method back to its developer. Although this technique doesn’t replace the human judgment factor, it helps to highlight technical issues that may be hiding in large or complex programs or commands. As a result, the reviewers’ task can be completed more quickly and with greater accuracy, allowing them to spend more time developing effective solutions rather than measuring current shortfalls.

In some special situations, policies are joined with the development of the application in a real-time mode. Through editors or precompilers, standards and policies can be enforced as the commands are written. This technique requires significant effort to bring the real-time monitor into production, but it can help guide developers toward more compliant code without the moans and groans often heard when a completed element requires major rewriting because of policies that existed, but were unknown, when the component was developed. Programmers and systems technicians are advised of standard methods as they are developing code, not as an added check once the code has been completed.
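As an added illustration (not from the handbook), the batch policy monitor and the informational review of the preceding paragraphs reduced to code: a rule set is applied to a command file, each violation is returned with the narrative of the standard it breaks, and a flag selects between the tightly enforced batch gate and the informational review that accepts the file and routes findings to the compliance group. The rule identifiers, patterns, standard texts and sample command file are all constructed for this example.

```python
import re
from collections import namedtuple

# Constructed rule set (identifiers and standard texts are invented for this example).
# enforce=True: violation blocks in strict batch review; False: advisory only.
Rule = namedtuple("Rule", "rule_id pattern enforce narrative")
RULES = [
    Rule("PW-01", r"(?i)\bpassword\s*=\s*\S+", True,
         "PW-01: credentials must not be embedded in command files."),
    Rule("FS-02", r"\bchmod\s+777\b", True,
         "FS-02: world-writable permissions are not permitted."),
    Rule("LOG-03", r"\brm\s+-rf\s+/var/log\b", False,
         "LOG-03: audit logs are retained; removal requires reviewer sign-off."),
]

Finding = namedtuple("Finding", "line_no rule_id enforce narrative")  # narrative goes back to the developer

def check_command_file(text, rules=RULES):
    """Batch pass over a command file: each rule matched on a line yields a Finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):   # skip blanks and comments
            continue
        for rule in rules:
            if re.search(rule.pattern, stripped):
                findings.append(Finding(line_no, rule.rule_id, rule.enforce, rule.narrative))
    return findings

def review(text, strict, rules=RULES):
    """strict=True: enforced batch gate, any enforced rule sends the file back.
    strict=False: informational review, always accepted, findings go to reviewers."""
    findings = check_command_file(text, rules)
    accepted = not strict or not any(f.enforce for f in findings)
    return accepted, findings

# Constructed sample command file, not taken from any real system.
SAMPLE = """#!/bin/sh
PASSWORD=example-secret
chmod 777 /srv/app/uploads
rm -rf /var/log/app
echo done
"""

if __name__ == "__main__":
    accepted, found = review(SAMPLE, strict=True)
    for f in found:
        print(f"line {f.line_no} {f.rule_id} ({'blocking' if f.enforce else 'advisory'}): {f.narrative}")
    print("accepted" if accepted else "returned to developer for update")
```

The same check_command_file call, run on a single line as it is typed, is the real-time editor hook described in the paragraph above.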

Another popular technique for offering policy and procedure advice is “help” screens and buttons that can be invoked as necessary or when desired. This technique has been used effectively in several areas. One location for a “help” button that yields a positive effect is the sign-in or log-in screen. Simple policies and techniques can be presented to those who use the organization’s computer as they are initially entering the system. Policies such as password change guidelines, help in selecting effective passwords, file storage and use methods, and official use policies are well placed at initial entry. This technique works well when the different policies are introduced in a few words, with a button available to provide more detail when desired.

Standard “help” text can also be developed and added to several input or processing screens. This help text is normally used to explain more about the individual application, but it can also be used to provide guidance regarding the policies that are in effect for this application or this function. It is important to remember that this method is best used as a supplement to written procedures. Brief summaries or help screens are not generally formatted to contain everything that the written text of the policy is designed to contain.

Classroom Experiences

Many organizations offer opportunities to develop or improve existing policies in a classroom or workshop setting. This experience can provide several benefits to developing useful and effective policies. In addition to the specifics of the policy itself, the classroom offers the opportunity to learn from other attendees regarding methods and wording that worked in a variety of settings. Different viewpoints are offered by participants, and the attendee has the opportunity to make contact with others after the session has ended. Sometimes these sessions are offered for several industries in a community or functional setting. Sometimes they are for a single industry or industry group. Both settings can be effective, offering either a focused view from similar viewpoints, or a broad range of options presented from different perspectives.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.