Constructing Thorough Administrative Security Policies
By Edward J. Hawkins, II
Contributor, In Cyber Defense
One of the most challenging aspects of a security program is translating administrative security into its logical counterparts. While it may sound easy to say, “I want a website for e-commerce and nothing else,” it is not always easy to create that website in a secure fashion, even though implementation has gotten better over time.
That’s not to say this process is inherently difficult, but some of the laws involved can be quite exhaustive and confusing. This is where administrative security comes in and sets the stage for the logical and physical security plans.
The Legalities Involved in Administrative Security
Administrative security is where an organization takes into consideration its mission statement (i.e. its reason for being in business) and the laws and regulations under which it will operate. In turn, this becomes the framework for identifying the information that needs to be protected.
Almost every author who writes about the legal frameworks of information technology (IT), policy and risk management addresses four primary laws and one industry regulation. The four primary laws are:
- The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
- The Gramm-Leach-Bliley Act of 1999 (Public Law 106-102)
- The Sarbanes-Oxley Act of 2002 (Public Law 107-204)
- The Federal Information Security Management Act of 2002 (part of Public Law 107-347)
The major industry regulation in the IT legal space is the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS (currently version 3.2.1 as of May 2018) is not a law, but an agreement among payment card industry vendors (e.g. Visa, MasterCard and others) to self-regulate how they protect their customers’ data.
While these four laws and one industry regulation are the heavy hitters of IT legislation, they are not the only laws that organizations must contend with. According to the National Conference of State Legislatures (NCSL), more than 265 bills or resolutions were introduced in at least 35 state legislatures in 2018. The NCSL also lists the laws that specifically target private businesses.
Writing Administrative Security Documentation
Once an organization’s leaders thoroughly examine and understand how the laws apply to the business, it is time to write administrative security documents. The most common forms of documentation are the actual policies on behaviors that the organization expects from its employees and/or clients.
These documents can take the form of an Acceptable Use Policy (AUP), a Non-Disclosure Agreement (NDA) or even a non-compete agreement. It is important to recognize that some states do not recognize non-compete agreements, or bar their use altogether. In many cases, an organization’s policies are based on an ethical premise or stance.
A major benefit of administrative security can be seen in the form of return on security investment (ROSI). As information assurance writer Keith D. Willett states, “security addresses business risk.”
The Role of Risk Management in Administrative Security Policies
Risk management is a key aspect of administrative security, as it sets out in writing what risks the organization is facing or believes it will face. It is an essential part of administrative security because it shows auditors what risks the organization faces and how it plans to mitigate them, which then cascades into the organization’s logical security.
Security policies implemented under the administrative security umbrella should provide, at a minimum, a uniform structure that identifies a categorical type, an agreement statement, the policy definition and the actual policy. These sections provide the outline and justification for the security policy and state who is subject to it.
Security Policies Should Be Reviewed by a Legal Team
Remember, any policy that is created is auditable and should be reviewed by a lawyer or legal team to ensure that the organization maintains the legal standing to implement and maintain its security policy. The last thing any organization wants is to implement an administrative security policy that is unlawfully written and for which it can be held liable in a court of law.
Ideally, the organization’s legal team should review all policies, regardless of status (e.g. draft or implemented), for any verbiage that would prove weak if it were tried in a court of law. Policies should have teeth to them, meaning that they should be able to withstand the scrutiny of our legal system if they were ever examined in court. This is also where frameworks such as ISACA’s Control Objectives for Information and Related Technologies (COBIT) come in.
The goal of COBIT is to separate the governance of enterprise IT from its management. This separation allows organizations to utilize various methodologies, frameworks and technologies to meet their aims while adhering to legal and regulatory requirements. By utilizing a framework, an organization can operate in or support multiple industries while showing compliance with each industry’s security requirements.
Overall, the organization should:
- Review the laws and regulations to which the organization is accountable.
- Develop policies that are defensible in a court of law.
- Determine and translate policies into logical solutions, where applicable.
- Review policies for relevance on a regular basis.
A good administrative security policy can influence the overall culture of the environment just as much as a bad one. Let’s hope that more good policies are written than bad ones.