January 1994 
                           CSL Bulletin 


COMPUTER SECURITY POLICY:  SETTING THE STAGE FOR SUCCESS
Executives and managers are faced with many choices in directing
the protection of computer assets.  Some choices can be based
upon quantifiable tradeoffs, but others involve competing
tradeoffs, questions of organizational strategic direction, or
other parameters which do not lend themselves to quantitative
analysis.  In making these choices, policy is established for an
organization and is then used as the basis for protecting
resources, both information and technology, and guiding employee
behavior.

Familiarity with various types of policy will aid managers in
addressing computer security issues important to the
organization.  Effective policies ultimately result in the
development and implementation of a better computer security
program and better protection of systems and information.  

This CSL Bulletin discusses four types of computer security
policy, their components, and aspects of policy implementation. 
Program-level policy is used to create an organization's computer
security program.  Program-framework policy establishes the
organization's overall approach to computer security (i.e., its
computer security framework).  Issue-specific policies address
specific issues of concern to the organization.  Lastly, system-
specific policies focus on policy issues which management has
decided for a specific system.  Comparison of an organization's
computer security policies to the types described in this
bulletin will assist managers in determining if their policies
are comprehensive and appropriate.  

*****SIDEBAR:  This bulletin summarizes a chapter of a computer
security handbook being developed by CSL.  In August 1993, we
presented a discussion of the establishment and operation of a
computer security program.   Our October 1993 bulletin on
"People:  An Important Asset in Computer Security" summarized
another handbook chapter.  Additional bulletins will be issued as
chapters are finalized.  END SIDEBAR

Types of Computer Security Policy
Organizations need program-level policy to establish the security
program, assign program management responsibilities, state
organization-wide computer security purpose and objectives, and 
provide a basis for compliance.  Program-level policy is
typically issued by the head of the organization or another
senior official, such as the top management officer.

Program-framework policies provide organization-wide direction on
broad areas of program implementation.  For example, they may be
issued to assure that all components of an organization address
contingency planning or risk analysis.  They are appropriate when
an organization can yield benefits from a consistent approach. 
Program-framework policies are issued by a manager with
sufficient authority to direct all organization components on
computer security issues.  This may be the organization's
management official or the head of the computer security program.

Issue-specific policies identify and define specific areas of
concern and state the organization's position.  Depending upon
the issue and attendant controversy, as well as potential impact,
issue-specific policy may come from the head of the organization,
the top management official, the Chief Information Officer, or
the computer security program manager.  

System-specific policies state the security objectives of a
specific system, define how the system should be operated to
achieve the security objectives, and specify how the protections
and features of the technology will be used to support or enforce
the security objectives.  A system refers to the entire
collection of processes, both automated and manual.  System-
specific policy is normally issued by the manager or owner of the
system (which could be a network or application), but may
originate from a high official, particularly if all impacted
organizational elements do not agree with the new policy.  

*****SIDEBAR
Tools to Implement Policy:  Standards, Guidelines, and Procedures
Because policy is written at a broad level, organizations also
develop standards, guidelines, and procedures which offer users,
managers, and others a clearer approach to implementing policy
and meeting organizational goals.  Standards and guidelines
specify technologies and methodologies to be used to secure
systems.  Procedures are yet more detailed steps to be followed
to accomplish particular security-related tasks.  Standards,
guidelines, and procedures may be disseminated throughout an
organization via handbooks, regulations, or manuals.

Organizational standards specify uniform use of specific
technologies, parameters, or procedures when such uniform use
will benefit an organization.  Standardization of organization-
wide identification badges is a typical example, providing ease
of employee mobility and automation of entry/exit systems. 
Standards are normally compulsory within an organization.

Guidelines assist users, systems personnel, and others in
effectively securing their systems.  The nature of guidelines,
however, immediately recognizes that systems vary considerably
and imposition of standards is not always achievable,
appropriate, or cost-effective.  An organization guideline may,
for example, be used to help develop system-specific standard
procedures.  Guidelines are often used to help ensure that
specific security measures are not overlooked, although they can
be implemented, and correctly so, in more than one way. 

Procedures normally assist in complying with applicable security
policies, standards, and guidelines.  They are detailed steps to
be followed by users, system operations personnel, or others to
accomplish a particular task (e.g., preparing new user accounts
and assigning the appropriate privileges). 

Some organizations issue overall computer security "manuals,"
"regulations," "handbooks," or similar documents.  These may mix
policy, guidelines, standards, and procedures, since they are
closely linked.  While manuals and regulations can serve as
important tools, they are most useful when they clearly
distinguish between policy and its implementation (sometimes a
difficult process).  This promotes flexibility and cost-
effectiveness by offering alternative implementation approaches
to achieving policy goals.   ***** END SIDEBAR 

Program-Level Policy
Program-level policy establishes the computer security program
and its basic framework.  This high-level policy defines the
purpose of the program and its scope within the organization,
assigns responsibilities for direct program implementation (to
the computer security organization) as well as responsibilities
to related offices (such as the IRM organization), and addresses
compliance issues.  Components of program-level policy should
include:

Purpose:  Clearly states the purpose of the program.  This
includes defining the goals of the computer security program as
well as its management structure.  Security-related needs, such
as integrity, availability, and confidentiality, can form the
basis of organizational goals established in policy.  For
instance, in an organization responsible for maintaining large
mission-critical databases, reduction in errors, data loss, or
data corruption might be specifically stressed.  In an
organization responsible for maintaining confidential personal
data, however, goals might emphasize stronger protection against
unauthorized disclosure. 

The program management structure should be organized to best
address the goals of the program and respond to the particular
operating and risk environment of the organization.  Important
issues for the structure of the central computer security program
include management and coordination of security-related
resources, interaction with diverse communities, and the ability
to relay issues of concern to upper management.  The policy could
also establish operational security offices for major systems,
particularly those at high risk or most critical to
organizational operations.  

Scope:  Specifies which resources (including facilities,
hardware, and software), information, and personnel the program
covers.  In many cases, the program will cover all systems and
agency personnel, but this is not always true.  In some
instances, a policy may name specific assets, such as major sites
and large systems.  Often tough management decisions arise when
defining the scope of a program, such as determining the extent
to which the program applies to contractors and outside
organizations utilizing or connected to the organization's
systems.  The Computer Security Act of 1987 requires federal
agencies to address the security of all federal interest systems.
 
Responsibilities:  Addresses the responsibilities of officials
and offices throughout the organization, including the role of
line managers, applications owners, users, and the data
processing or IRM organization.  The policy statement should
distinguish between the responsibilities of computer services
providers and the managers of applications utilizing the computer
services.  It can also serve as the basis for establishing
employee accountability.  Overall, the program-level assignment
of responsibilities should cover those activities and personnel
who will be integral to the implementation and continuity of the
computer security policy.  

Compliance:  Authorizes the use of specified penalties and
disciplinary actions for individuals who fail to comply with the
organization's computer security policies.  Since the security
policy is a high-level document, penalties for various
infractions are normally not detailed here.  However, the policy
may authorize the creation of compliance structures which include
violations and specific penalties.  Infractions and associated
penalties are usually defined in issue-specific and system-
specific policies.
 
When establishing compliance structures, consider that violations
of policy can be unintentional on the part of employees.  For
example, nonconformance can be due to a lack of knowledge or
training.  

Program-Framework Policy
Program-framework policy defines the organization's security
program elements which form the framework for the computer
security program and reflect decisions about priorities for
protection, resource allocation, and assignment of
responsibilities.  

Criteria for the types of areas to be addressed as computer
security program elements include, but are not limited to:

o    areas for which there is an advantage to the organization by
     having the issue addressed in a common manner;
o    areas which need to be addressed for the entire
     organization;
o    areas for which organization-wide oversight is necessary;
     and
o    areas which, through organization-wide implementation, can
     yield significant economies of scale.

The types of areas addressed by program-framework policy vary
within each organization as does the way in which the policy is
expressed.  Some organizations issue policy directives, while
others issue handbooks which combine policy, regulations,
standards, and guidance. (See text box on page *****.)   Many
organizations issue policy on "key" areas of computer security,
such as life cycle management, contingency planning, and network
security.

Keep in mind the criteria stated above for the types of areas
that should be addressed in program-framework policy.  If the
policy (and its implementing standards and guidance) is too
rigid, cost-effective implementations and innovation could be
stifled.

As an example of program-framework policy, consider a typical
organization policy on contingency planning.  The organization
might require that all contingency plans categorize criticality
of processing according to a standard scale.  This will assist
the organization in the preparation of a master plan (for use if
the organization's physical plant is destroyed) by facilitating
prioritization across intra-organizational boundaries.

Policy in these areas normally applies throughout the
organization and is usually independent of technology and the
system or application.  Program-framework policies may be
comprised of components similar to those contained in program-
level policy -- but may be in a very different format (e.g., in
organizational handbook directives).  

Issue-Specific Policy  
Issue-specific policies focus on areas of current relevance and
concern (and sometimes controversy).  Program-level policy is
usually broad enough that it requires little modification over
time.  Conversely, issue-specific policies require more frequent
revision due to changes in technology and related factors.  As
new technologies develop, some issues diminish in importance
while new ones continually appear.  It may be appropriate, for
example, to issue a policy on the proper use of a cutting-edge
technology, the security vulnerabilities of which are still
largely unknown.

A useful structure for issue-specific policy is to break the
policy into its basic components:  statement of an issue,
statement of the organization's position, applicability, roles
and responsibilities, compliance, and points of contact.  Other
topic areas may be added as needed.  

Issue Statement:  Defines the issue, with any relevant terms,
distinctions, and conditions.  For example, an organization might
want to develop an issue-specific policy on the use of
"unapproved software," which might be defined to mean any
software not approved, purchased, screened, managed, and owned by
the organization.  Additionally, applicable distinctions and
conditions might need to be included, for instance, software
privately owned by employees but approved for use at work and for
software owned and used by other businesses under contract to the
organization.  
 
Statement of the Organization's Position:  Clearly states the
organization's position on the issue.  To continue the example of
unapproved software, the policy would state whether use of
unapproved software is prohibited in all or some cases, whether
or not there are further guidelines for approval and use, or
whether case-by-case exceptions will be granted, by whom, and on
what basis.  
 
Applicability:  Clearly states where, how, when, to whom, and to
what a particular policy applies.  For example, the hypothetical
policy on unapproved software may apply only to the
organization's own on-site resources and employees and not to
contractor organizations with offices at other locations. 
Additionally, the policy's applicability to employees travelling
among different sites or working at home who will transport and
use disks at multiple sites might require clarification. 
 
Roles and Responsibilities:  Assigns roles and responsibilities. 
To continue the software example, if the policy permits
unapproved software privately owned by employees to be used at
work with appropriate approvals, then the approving authority
would be identified.  An office responsible for compliance could
also be named.  
 
Compliance:  Gives descriptions of the infractions which are
unacceptable and states the corresponding penalties.  Penalties
must be consistent with organizational personnel policies and
practices and need to be coordinated with appropriate officials,
offices and, perhaps, employee bargaining units.  

Points of Contact and Supplementary Information:  Gives the name
of the appropriate individuals to contact for further information
and lists any applicable standards or guidelines.  For some
issues the point of contact might be a line manager; for other
issues it might be a facility manager, technical support person,
or system administrator.  For yet other issues, the
point-of-contact might be a security program representative. 
Using the software example, employees need to know whether the
point of contact for questions and procedural information would
be the immediate superior, a system administrator, or a computer
security official. 
 
System-Specific Policy
Program-level policy and issue-specific policy both address
policy from a broad level, usually encompassing the entire
organization.  System-specific policy, on the other hand, is much
more focused, since it addresses only one system.  

Many security policy decisions apply only at the system level. 
Some examples include:  

     o  Who is allowed to read or modify data in the system?
     o  Under what conditions can data be read or modified?
     o  Are users allowed to dial into the computer system from
          home or while on travel?

To develop a comprehensive set of system security policies, use a
management process which derives security rules from security
goals.  Consider a three-level model for system security policy: 
security objectives, operational security, and policy
implementation.

Security Objectives:  First, define security objectives.  While
this process may start with an analysis of the need for
integrity, availability, and confidentiality, it cannot stop
there.  A security objective must be more specific, concrete, and
well-defined.  It also should be stated so that it is clear that
the objective is achievable.  

The security objectives should consist of a series of statements
which describe meaningful actions about specific resources. 
These objectives should be based on system functional or mission
requirements, but should state the security actions which support
the requirements.  

Operational Security:  Next lay out the operational policy which
gives the rules for operating a system.  Following the same
integrity example, the operational policy would define authorized
and unauthorized modification:  who, (by job category, by
organization placement, or by name) can do what (modify, delete,
etc.) to which pieces of data (specific fields or records) and
under what conditions.

Managers need to make decisions in developing this policy since
it is unlikely that all security objectives will be fully met. 
Cost, operational, technical, and other constraints will
intervene. 

Consider the degree of granularity needed for operational
security policies.  Granularity refers to how specific the policy
is with regard to resources or rules.  The more granular the
policies, the easier to enforce and to detect violations.  A
policy violation may indicate a security problem.  In addition,
the more granular the policy, the easier to automate policy
enforcement.

Consider the degree of formality you want in documenting the
policy.  Once again, the more formal the documentation, the
easier to enforce and to follow policy.  Formal policy is
published as a distinct policy document; less formal policy may
be written in memos.  Informal policy may not be written at all. 
Unwritten policy is extremely difficult to follow or enforce.

On the other hand, very granular and formal policy at the system
level can also be an administrative burden.  In general, good
practice suggests a granular formal statement of the access
privileges for a system due to its complexity and importance. 
Documenting access controls policy makes it substantially easier
to follow and to enforce.  Another area that normally requires a
granular and formal statement is the assignment of security
responsibilities.

Some less formal policy decisions may be recorded in other types
of computer security documents such as risk analyses,
accreditation statements, or procedural manuals.  However, any
controversial, atypical, or uncommon policies may need formal
policy statements.  Atypical policies would include any areas
where the system policy is different from organization policy or
from normal practice within the organization, either more or less
stringent.  They should also contain a statement explaining the
reason for deviation from the organization's standard policy.  

Policy Implementation:  Determine the role technology will play
in enforcing or supporting the policy.  Security is normally
enforced through a combination of technical and traditional
management methods.  

While technical means are likely to include the use of access
control technology, there are other automated means of enforcing
or supporting security policy.  For example, technology can be
used to block telephone systems users from calling certain
numbers.  Intrusion detection software can alert system
administrators to suspicious activity or take action to stop the
activity.  Personal computers can be configured to prevent
booting from a floppy disk.

Automated security enforcement has advantages and disadvantages. 
A computer system, properly designed, programmed, and installed,
consistently enforces policy, although no computer can force
users to follow all procedures.  In addition, deviations from the
policy may sometimes be necessary and appropriate.  This
situation occurs frequently if the security policy is too rigid. 


*****BLOCK  Helpful Hints
To be effective, policy requires visibility.  Visibility aids
implementation of policy by helping to ensure that knowledge of
the policy is diffused throughout the organization.  Use
management presentations, videos, panel discussions, guest
speakers, question/answer forums, and newsletters, as resources
permit.  The organization's computer security training and
awareness program can effectively notify users of new policies.   

Introduce computer security policies in a manner that ensures
that management's unqualified support is clear, especially in
environments where employees feel inundated with policies,
directives, guidelines, and procedures.  The organization's
policy is the vehicle for emphasizing management's commitment to
computer security and making clear their expectations for
employee performance, behavior, and accountability. 

Computer security policy should also be integrated into and
consistent with other organizational policies, such as personnel
policies).  One way to help ensure this is to thoroughly
coordinate policies during development with other offices in the
organization.  *****END BLOCK

Conclusion  
Formulating viable computer security policies is a challenge for
an organization and requires communication and understanding of
the organizational goals and potential benefits to be derived
from policies.  Through a carefully structured approach to policy
development, which includes the delegation of program management
responsibility and an understanding of program-level, program-
framework, issue-specific, and system-specific policy components,
your organization can achieve a coherent set of policies.  These
will help produce a framework for a successful computer security
program.