| PURPOSE: |
To establish the policies for administering and enforcing
these information security policies.
|
User Training
| PURPOSE: |
To ensure all users know and understand the policies. |
|
| POLICY: |
All users of the Company's networks and systems shall
undergo security awareness training that explains these
security policies before being granted access. Existing
users shall complete this training within 30 days of the
date these policies take effect.
|
Publishing and Notification
| PURPOSE: |
To publish the policies to be accessible to all users
and to notify them when they are published.
|
| POLICY: |
The Human Resources Department shall be responsible for
publishing the Information Security Policies and all updates
on the Company's intranet. The Human Resources Department
shall notify every user that the policies have been published
and how they may be accessed.
|
| PURPOSE: |
To provide printed copies for those who cannot access
the electronic version.
|
| POLICY: |
The Human Resources Department shall provide each department
and users without access to the intranet one printed copy
of these policies at the same time the electronic version
is published.
|
Management Responsibilities
| PURPOSE: |
To establish the right to monitor. |
| POLICY: |
Management shall monitor all system activity and network
traffic to enforce the provisions of these policies.
Management may delegate monitoring and other information
security duties to appropriate administrators.
|
| PURPOSE: |
To establish the right to install access controls. |
| POLICY: |
Management shall install access controls consistent with
the requirements of these policies.
|
| PURPOSE: |
To establish the right to test access controls. |
| POLICY: |
Management and assigned administrators shall be responsible
for testing access controls and the network for
vulnerabilities. Users shall not test access controls or
probe for vulnerabilities by manual or programmatic means.
|
| PURPOSE: |
To warn against exploiting vulnerabilities. |
| POLICY: |
When vulnerabilities become known, users shall not exploit
them by manual or programmatic means.
|
| PURPOSE: |
To limit the use of security and testing tools to
management and administrators.
|
| POLICY: |
Management and assigned administrators shall have access
to the tools that can help manage and test information
security. Users shall not have access to these tools on
the Company's network. Users shall not load or download
these tools from any location.
|
Administrators' Responsibility
| PURPOSE: |
To mandate that administrators keep sufficient records
of security violations.
|
| POLICY: |
Security, systems, and network administrators shall maintain
records of all security violations. These records shall be
in sufficient detail so that they may be used for disciplinary
actions and policy review.
|
| PURPOSE: |
To mandate the use of Risk Acceptance Memos as a mechanism
to grant waivers to these policies.
|
| POLICY: |
Security administrators shall maintain a Risk Acceptance
Memo for each waiver granted to these policies. A manager
who requests a waiver from any part of these policies shall
sign that memo, accepting responsibility for the security
of the affected systems and networks.
|
| PURPOSE: |
To mandate that only systems and network administrators
can create and maintain user identification and access
control information.
|
| POLICY: |
Systems and network administrators shall be designated as
the maintainers of user and access control information.
These duties shall include the creation and modification
of user accounts and changing access controls when necessary.
|
| PURPOSE: |
To mandate a semi-annual audit of identification and
access controls.
|
| POLICY: |
Security, systems, and network administrators shall perform
a semi-annual audit of user accounts and associated access
controls to ensure validity and accuracy.
|
| PURPOSE: |
To mandate administrators define the logging of appropriate
systems and network activities.
|
| POLICY: |
Security, network, and systems administrators shall define
the information that will be saved in systems and network
logs. These definitions shall include a record of all
security relevant activities.
|
| PURPOSE: |
To mandate regular review of the various logs, and that
only designated administrators perform that review.
|
| POLICY: |
Authorized administrators shall review the system and other
logs on a regular basis.
|
| PURPOSE: |
To mandate the protection of the various logs.
|
| POLICY: |
Administrators shall take appropriate precautions to prevent
logs from being deactivated, modified, or deleted.
|
| PURPOSE: |
To ensure administrators report security violations appropriately.
|
| POLICY: |
Administrators shall follow appropriate procedures when
discovering violations of these policies or network security.
|
| PURPOSE: |
To mandate the backup and archiving of the log files.
|
| POLICY: |
Administrators shall back up active logs to an on-line
storage facility. The on-line backup shall be archived to
an off-line storage medium on the last day of each month.
The off-line log archives shall be retained for two years,
or longer where a contract or the law requires it.
|
Enforcement and Incident Reporting
| PURPOSE: |
To establish that everyone is responsible for enforcing
these policies.
|
| POLICY: |
All users shall be responsible for maintaining and enforcing
the provisions of these policies and associated procedures.
Violations to these policies and associated procedures
shall be reported using the designated reporting procedures.
|
| PURPOSE: |
To establish a program of monitoring the various lists
that disclose security incidents and software bugs.
|
| POLICY: |
Administrators shall monitor public disclosure organizations
that report incidents, bugs, and other problems that could
affect the security of the Company's network and systems.
These public disclosure organizations shall include the
vendors of the information systems in use by the Company,
at least two general organizations, and the vendor of the
Company's chosen anti-virus software.
|
| PURPOSE: |
To establish procedures on working with law enforcement.
|
| POLICY: |
Any response to a violation that involves law enforcement
shall be coordinated through management. Management shall
be the lead internal investigator and shall be responsible
for interfacing and cooperating with law enforcement.
|
| PURPOSE: |
To amplify the requirement to properly handle evidence
of security violations.
|
| POLICY: |
Data regarding information security violations and incident
handling shall be retained so that it may be used during
the analysis of the information security policies.
|
Termination Policy
| PURPOSE: |
To establish a procedure for when a user is voluntarily or
involuntarily terminated.
|
| POLICY: |
Users whose association with the Company is terminated
shall have their access privileges to the Company's resources
revoked immediately. Administrators shall arrange for the
programs and other data used by these users to be archived.
Administrators shall create procedures for revoking the
access of these users.
|
Remedies
| PURPOSE: |
To establish the premise for basic behaviors while using
the Company's network and systems.
|
| POLICY: |
Any conduct that adversely affects the ability of others
to use the Company's systems and networks, or that can
harm or offend others, shall not be permitted.
|
| PURPOSE: |
To establish the right of management to revoke systems
and network access to those who violate these policies.
|
| POLICY: |
Management shall have the right to revoke any user's access
privileges and terminate their association with the Company
at any time for violating these policies or for conduct
that disrupts the normal operation of the Company's network
and computing systems.
|
| PURPOSE: |
To establish the right of management to sever agreements
and contracts with those given access to the systems and
network who violate these policies.
|
| POLICY: |
Management shall have the right to sever contracts and
agreements with contractors and other outside users who
violate these policies or engage in conduct that disrupts
the normal operation of the Company's network and computing
systems.
|
| PURPOSE: |
To establish the right of management to report illegal
violations to appropriate law enforcement entities.
|
| POLICY: |
Management shall have the right to exercise their options
under the appropriate criminal and civil laws to seek legal
remedies from anyone who uses, abuses, or attacks the
Company's network and information systems in a manner that
would be in violation of the law and these policies.
|