by Al Passori

Enterprisewide Information Security Policy Best Practices

Dec 15, 2000
CSO and CISO | Data and Information Security

CIOs are increasingly shouldering the burden of providing the necessary guidance and security measures to protect the enterprise from cyber threats. High-performing CIOs recognize the foundation for security begins by adopting enterprisewide security policies.

META Trend: By 2004, 40% of Global 2000 enterprises (vs. 7% currently) will have transformed into information businesses. The information economy will place new pressures on IT organizations to deliver information products, with industry leaders adept at creating information value networks and information architectures.

Throughout 2000-02, leading CIOs managing the successful transition to information service provider will concentrate on increasing the business perception of information dependence while also developing repeatable processes for sustaining information delivery capabilities.

During the week of February 7, 2000, hackers launched distributed denial-of-service attacks on several prominent Web sites, including Yahoo, E*Trade, and eBay. On October 26, Microsoft reported that hackers had tapped the digital blueprints of future MS products. These incidents highlight the major information security risks that plague an increasing number of Global 2000 (G2000) companies that have no formal policies and weak or disorganized security measures and controls. According to recent survey data, nine out of 10 companies and government organizations reported security breaches in the past year. Of the 42% willing (or able) to quantify the damages and financial losses, the total ran to $265M.

As Internet commerce continues to soar, cyber crime is increasing rapidly. The Department of Justice (DOJ) case load reflects this growth. In FY98, DOJ opened 547 computer intrusion cases; in FY99, that number more than doubled, to 1154. Similarly, the number of pending cases increased from 206 at the end of FY97, to 601 at the end of FY98, to 834 at the end of FY99, and to more than 900 by mid-FY00 (more than a fourfold increase in pending cases in less than three years).

And these are only the reported cases. We believe at least 50% of cyber crimes go unreported because of the adverse publicity, embarrassment, and damage to consumer and investor confidence that disclosure would bring. In FY00, the US Congress appropriated an additional $37M for FY01 so the DOJ can expand its staffing, training, and technological capabilities to continue the fight against computer crime. Together, these enhancements will bring the DOJ's FY01 funding base for computer crime to $138 million, 28% more than FY00 funding.

As more companies continue to embrace the Internet commerce channel, we believe the private sector will see similar funding increases for information security controls and program costs, ranging from a 10%-20% increase during 2001/02 to a 25%-30% increase by 2003/04 over current spending levels.

Currently, only 5% of G2000 CIOs have linked IT policies with business policies. By 2002, more than 50% of G2000 firms will have stated business policies, and by 2003 more than 50% will have linked IT policies that integrate with the business model and policies. We believe that by 2002 more than 50% of G2000 companies will adopt enterprise-specific information security policies, and that by 2003/04 this number will exceed 75%. Given the rising pattern of risk, and the corresponding increase in defensive spending to address cyber risks, CIOs should understand security policy development best practices.

Highly effective CIOs base their enterprisewide information security policy on the results of a risk assessment. The risk assessment gives CIOs an accurate picture of the security needs specific to the enterprise, and its findings are imperative because proper policy development requires ITO/LOB managers and decision makers to:

  • Identify sensitive information and critical systems
  • Incorporate local, state, and federal laws, as well as relevant ethical standards
  • Define institutional security goals and objectives
  • Set a course for accomplishing those goals and objectives
  • Ensure necessary mechanisms for accomplishing the goals/objectives are in place

In this way, legal and regulatory concerns, organizational characteristics, contractual stipulations, environmental issues, and LOB input can all be incorporated into policy development. Effective security policy synthesizes these and other considerations into a clear set of goals and objectives that direct staff as they perform their required duties.

Formulating policy is usually a task reserved for top-level decision makers (corporate, executive policy committee); however, contributions to the development of information security policy should be an enterprisewide activity.

While not every ITO/LOB employee needs to attend each security policy planning session, the CIO and senior LOB management should assign representatives from disparate job levels during the information-gathering phase. IT technical, administrative, and operations staff have a unique perspective on information risks and controls to share with policymakers.

The CIO should task an ITO leader (usually the head of the IT information security department) to gather input from all parties (ITO/LOB) to ensure there is input and buy-in at all levels of the enterprise. Reviewing security arrangements in other organizations might uncover information that contributes to more effective policy development. Policy must also account for external partners: in a B2B arrangement, if one party commits to a specific encryption policy and software to protect messages and transactions sent over the Internet, but its B2B partners on the network do not have compatible software or the necessary encryption keys, it will have a very difficult time communicating with those e-commerce partners.

While an organization’s risk assessment informs a CIO of the specific security needs, the following general questions should be addressed clearly and concisely and reviewed by the CIO prior to submission to the corporate policy committee:

  • What is the reason for the policy?  
  • Who developed the policy?  
  • Who approved the policy?  
  • Whose authority sustains the policy?  
  • Which laws/regulations (if any) is the policy based on?
  • Who will enforce the policy?  
  • How will the policy be enforced?
  • Whom does the policy affect?  
  • What information assets must be protected?
  • Who is the information owner (best source for shared information)?
  • Who is the custodian of the information?
  • Who decides who reads, creates, modifies, stores, distributes, or deletes the data?
  • What are information users required to do to safeguard the data?  
  • How should security breaches and violations be reported? And how often?
  • What is the effective date and expiration date of the policy?

Effective CIOs will absorb these recommendations as appropriate and communicate the results in a meaningful governance policy that fits the enterprise.

Business Impact: Information security policy provides the governance necessary to invoke and enforce security controls throughout the enterprise. Failure to implement an enterprisewide information security policy puts data/information assets at risk.

Bottom Line: CIOs who guide collaborative formulation of security policy and an enterprisewide information policy will be more likely to earn the trust and respect of their business unit colleagues and to communicate the shared responsibility for safeguarding information assets.

Copyright © 2000 META Group, Inc.

208 Harbor Dr., P.O. Box 120061, Stamford, CT 06912-0061

Telephone (203) 973-6700. Facsimile (203) 359-8066.

All rights reserved.