Computers & Security, Vol. 7, No. 6 (1988) 559-562
Refereed Article
Computer Security Policy: Important Issues
Dr. Jan H.P. Eloff
A key success factor in implementing computer security is the much discussed and important issue of management commitment. Management commitment is demonstrated through the effective fostering of a computer security policy within the organization. Many textbooks provide guidelines on what to include or exclude in compiling a computer security policy. However, little is said about issues such as accountability, responsibility and the actual scope of computer security. This paper will address various issues of critical importance in compiling a computer security policy.
Keywords: Computer security, Policy, Responsibility, Scope of computer security.
1. Introduction
Computer security is a common term used today by the business world for grouping problems related to the protection of an organization’s computer and information assets. Computer security can be functionally viewed within two distinct areas, namely logical and physical security. Logical security can be defined as the action that protects data, information and programs stored in the system. Physical security is the action preventing physical harm to the hardware resources of a computer system. In the past decade we have seen major companies implementing a computer security program, with only a few achieving the desired results. This prompted the question “What are the critical success and failure factors in implementing computer security?” There are various answers; however, two of the major reasons for failure are given below.
(1) Lack of senior management involvement. Interestingly enough, the lack of senior management’s involvement can be credited to the use of the words “computer security”. This terminology unfortunately leads to the misconception that it is a problem only for the computer department.
(2) A second reason for failure is that too much emphasis in both research and practice went into the technical, as opposed to the managerial, aspects of computer security.
Most of the numerous problems resulting from these attitudes can be addressed by enforcing an effective computer security policy. It is an urgent matter for each organization to establish a computer security policy which involves top management and addresses both logical and physical security. Furthermore, responsibilities need to be detailed unambiguously and concretely so that all employees take computer security more seriously. The objective of this paper is to discuss briefly some issues requiring careful consideration when compiling a computer security policy.
0167-4048/88/$3.50 © 1988, Elsevier Science Publishers Ltd.
2. Computer Security Policy
Current literature provides good examples of computer security policies, especially work done by Parker [4]. We define a computer security policy for the purpose of this paper as follows. A COMPUTER SECURITY POLICY serves as a vehicle to demonstrate senior management’s involvement in introducing, implementing and maintaining a secure computer systems environment throughout the organization. The following activities should be executed during the compilation of a computer security policy.
(2.1) Compile an abbreviated set of common computer security terminology to be used within your organization.
(2.2) Briefly describe the purpose of computer security (why?).
(2.3) Define the scope of computer security.
(2.4) Define the responsibilities of all parties involved.
3. Common Framework of Terminology
The implementation and maintenance of computer security is a multidisciplinary activity requiring commonly used terminology throughout the organization. This aspect we found badly neglected by most organizations. The lack of common terminology creates confusion regarding the various aspects to be addressed within the scope of computer security. Furthermore, it is a reason why employees fail to assume responsibilities for implementing computer security. They should understand the penalties for ignoring these responsibilities. The following terms can be used as a framework of terminology and amended for specific environments.
computer security / software security / access control / mainframe security / application systems security
logical security / facilities security / disaster recovery / backups / peripheral security
goals of organization / information as an asset / business functions
networks / stand-alone microcomputer / local area network / micro-mainframe link
responsibility / accountability / line management / staff function / support function / computer department / information centre / information services
4. Purpose of Computer Security
It is extremely important that the “WHY?” for implementing computer security in your organization is clearly understood by all employees. This section of the policy needs to be specifically fitted to the environment of your organization. Following is a general guideline of reasons.
(1) Dependency of the organization on computerized business systems.
(2) To ensure continuation of efficient operations of each business function.
(3) Relationship of computer security to other policies and procedures already in existence, e.g. safety policy, quality policy, security on hardcopy documents.
(4) Protection of information which is an asset.
5. Define the Scope of Computer Security
Computer technology used in practice differs greatly among organizations, with the result that the actual implementation of computer security will be company specific. Senior management together with the management of the computer department need to define very carefully the scope of computer security applicable to their organization. Over the past decade, the introduction of microcomputers has shown us that conventional security controls developed for mainframe environments may be insufficient for microcomputer and local area network environments. Although most organizations realize the impact of microcomputers on computer security, little effort is put into addressing micro issues within their overall computer security programs. The prioritization of specific issues within the scope of computer security will not be discussed in this paper; such issues are subordinate to an effective corporate computer security policy. The following serves as an example.
Figure: Scope of computer security (example)
- Environment: logical, physical
- Centralized mainframe
- Data communications
- Single/multiple stand-alone microcomputers
- Networked microcomputers: local area networks, micro-mainframe
- Computer document
- Personnel security
6. Responsibility
Defining the responsibilities of all parties involved in the computer security program is critical to the success of a computer security function. To understand clearly the roles of various business functions during implementation and maintenance of a computer security program it is essential to agree on organizational aspects such as:
- line vs. staff relationships
- accountability vs. responsibility
The majority of major organizations differentiate between line and staff relationships. For the effective implementation of computer security we also need to differentiate clearly between accountability and responsibility. In general terms we can say that accountability lies within the line relationship, whereas responsibility can be delegated to experts, e.g. computer personnel, information centre, personnel department. Experience indicates that the successful implementation of computer security depends on allocating accountability to line management. Various papers, such as refs. [1] and [2], provide guidelines on the responsibilities of all parties involved, e.g. top management, departmental managers, personnel department, internal audit, computer department, data security officer. The following issues are also of interest.
(1) Overall responsibility for creating a climate favouring computer security lies with top management; as stated in ref. [1], their involvement should be evident in the following areas:
- define an appropriate organizational structure
- allocate resources and establish a policy
- compile a budget for computer security
(2) Establish a computer security steering committee. This committee should include representation from all user departments, computer facilities and information centre personnel. Responsibilities of this committee should include the prioritization and monitoring of specific computer security measures. Furthermore, this committee should delegate responsibility for establishing and implementing standards and detailed procedures, and for approving management results. In summary, this committee should have a coordinating and advisory role without detracting from line responsibility.
(3) Each department or line manager is accountable for computer security within his business function. He may, however, delegate responsibility for certain actions to a service department such as an information centre.
(4) Compile an accountability/responsibility/consult matrix. This matrix is based on a high-level checklist of computer security activities directly derived from the scope of computer security as defined for your organization. The table below can be used as a guideline.
(5) Do not delegate the implementation of computer security to a single individual, usually referred to as a computer security project leader. This problem occurred at most of the companies that were unsuccessful in implementing computer security. A computer security project leader can be successfully utilized in a coordinating role as well as to report regularly to management (or a computer security steering committee) on the status of computer security.
7. Conclusion
The introduction of computer security within an organization should be an evolutionary as opposed to a revolutionary process. The first and most important step in implementing such a program is to compile and communicate an effective computer security policy to all employees.
Table (referred to in Section 6, item 4): Checklist of computer security activities as an accountability/responsibility/consult matrix
Columns: line relationships (User Management); staff relationships (Computer Dpt., Pers. Dpt.)
Rows:
- Computer security policy: compilation; management commitment; enforcement
- Physical security: centralized mainframe equipment; stand-alone microcomputers
- Backup: mainframe-based operational systems
- Disaster recovery: recovery of business function; restore application systems; restore data
Legend: A, accountable; R, responsible; C, consult. [Individual cell entries are not legible in the extracted text.]
References
[1] J.L. Boockholdt, Security and integrity controls for microcomputers: a summary analysis, Inf. Manage., 13 (1987) 33-41.
[2] C.C. Wood, Information systems security: management success factors, Comput. Secur., 6 (1987) 314-320.
[3] R. Paans and I.S. Herschberg, Computer security: the long road ahead, Comput. Secur., 6 (1987) 403-416.
[4] D. Parker, Computer Security Management, Prentice-Hall, Englewood Cliffs, NJ, 1981, pp. 30-35.
[5] J.H.P. Eloff, Selection process for security packages, Comput. Secur., 2 (1983) 256-260.
Jan H.P. Eloff received a B.Sc. (computer science) degree at the Rand Afrikaans University, Johannesburg, South Africa, in 1978. In 1980 he received an M.Sc. degree in computer science at the same university. His dissertation involved an in-depth study of all the logical aspects of computer security. Part of this research was published in Computers & Security (November 1983) under the title “Selection process for security packages”. In 1985 he received a Ph.D. (computer science) degree with a thesis titled “The development of a specification language for a computer security system”. Part of the research done for his Ph.D. degree was published in Computers & Security under the same title. He also delivered papers at IFIP/SEC’84 and IFIP/SEC’85 and gained practical experience by working as a computer consultant and manager of a large information centre. He is currently a professor of computer science at the Rand Afrikaans University, P.O. Box 524, Johannesburg 2000, South Africa.