Wednesday, September 26, 2007

Security Policy on Social Networking Sites

Social networking sites present some unique challenges for organizations that must attract and keep young workers. Is the use of social networking sites at work a necessary perk or an unacceptable risk to corporate information? Some argue that organizations must allow access to social networking and other Web 2.0 sites to help attract a more "fickle" twenty-something workforce that is used to life online. Others say that the risks are simply too great, both in terms of wasted time and the potential for infected computers.

The Fall 2007 issue of the security awareness newsletter Protecting Information covers the most common risks of social networking sites. In the issue Rebecca Herold describes several incidents where employees were terminated based on content posted on their personal pages on various social networking sites. Clearly this issue is going to grow as fast as the number of people who use social networking sites - now estimated at over 200 million.

Does your organization block social networking sites? Is social networking addressed within your information security policies? What are some of the concerns that you feel should be addressed in policy?

Monday, September 17, 2007

Effective Security Policy Management - Part 2

Part 2 of 7: Seven Elements of an Effective Information Security Policy Management Program

Part 2: Defined Policy Document Ownership

Security policies can be viewed as a contract between senior management, employees and third parties about the ways in which the organization will protect information. By definition, a contract is between parties, and in the case of written security and privacy policies one of the parties is always senior management.

Each written security policy document should have a defined owner and/or author. This statement of ownership is the tie between the written policies and the acknowledgement of management’s responsibility for updating and maintaining information security policies. The policy author also provides a point of contact if anyone in the organization has a question about specific policies. Many organizations have written information security policies that are so out-of-date that the author is no longer employed by the organization.

Another area of responsibility that should be documented within written security policies is the executive sponsor. The executive sponsor is a C-level manager or executive who puts the final “stamp of approval” on each document. A high-level executive sponsor demonstrates to all employees that your organization is serious about information security in general, and security policies in particular. Ideally, this is the CEO or equivalent top executive within the organization. In some larger organizations, this might be the head of a large region or perhaps the Chief Operating Officer. Within the requirements of Sarbanes-Oxley, senior management must actually sign a written document attesting to the adequacy of the organization's internal controls. Written policies are a key part of these internal controls.

In some cases, the executive sponsor is listed as part of each published policy document. In other cases, the sponsoring executive may issue a separate memorandum stating the importance of information security and that following published policies is required for continued employment within the company.

Effective Information Security Policy Management - Part 1

How mature is your information security policy program? Do you have a set of outdated documents stored in a binder or intranet site? Or do you have a documented management program that keeps your policies up to date, your users informed and your internal auditors sleeping at night?

This is the first article in the series: Seven Elements of an Effective Information Security Policy Management Program. In this series we review seven key characteristics of an effective policy management program. These characteristics are culled from leading practices, security and privacy frameworks, and incidents involving information security policies. Organizations can use this quick checklist to evaluate the maturity of their existing management program.

Part 1: Written documents with version control

Even though it seems obvious, nearly every information security standard and framework specifically requires information security policies to be written. Since security policies define management’s expectations and stated objectives for protecting information, policies cannot be “implied” – they have to be documented. Having a “written policy document” is the first key control established within the international standard ISO/IEC 17799:2005, and is critical to performing both internal and external audits. But what are some characteristics that make for an effectively written policy document?

Policy documents should be written in plain and simple language. Many information security and privacy policies are written in legalese that is difficult for end users to read and understand. Since user education and training is a key component of all information security frameworks, clear, user-oriented language is critical. If your information security policies are written by either the information technology (IT) or legal department, make sure you employ a technical writer or other editor who can help simplify the language of your documents.

Policy documents should also have a standard format so that they can be effectively managed and updated. The standard format not only enforces consistency among documents, it ensures that each document contains key elements that facilitate the overall management of the information security policies, such as the owner/author, title, scope and effective dates of the policy.

Written documents should also have a policy version number. A policy version number clearly articulates which version of the policy is in force at the time of publication, and helps maintain a version history of each document. Maintaining a version history is not only good practice for preserving digital evidence in case of a lawsuit, it also demonstrates that the organization was performing due diligence by updating its security policies on a regular basis.

In order to facilitate a clear document history that can be reviewed by auditors, some form of access-controlled document management system should be used. It can be as simple as folders on a network drive or a full-blown document management system. Complete systems usually provide a detailed audit trail of all changes and updates to documents.
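The standard-format, ownership and version-history points above (Part 1 here and the owner/executive sponsor fields from Part 2) can be enforced mechanically. The script below is an added example, not code from the original posts; it assumes a hypothetical policy document format in which each file opens with a `key: value` header block (title, owner, executive_sponsor, scope, version, effective_date) followed by a blank line. It checks that every required element is present, that the version number and effective date are well formed, and builds a hash-chained version history so that an auditor can detect a revision that was altered after publication. The sample documents are constructed for illustration.

```python
"""Validate policy document headers and keep a tamper-evident version history.

Added example (not from the original post). The header format and field
names are hypothetical choices for illustration.
"""
import hashlib
import re
from datetime import date

# Elements the post says every policy document should carry (plus the
# executive sponsor from Part 2 of the series).
REQUIRED_FIELDS = ("title", "owner", "executive_sponsor",
                   "scope", "version", "effective_date")
VERSION_RE = re.compile(r"^\d+\.\d+$")  # e.g. 1.0, 2.3

# Constructed sample documents: two valid revisions and one defective one.
DOC_V1 = """title: Acceptable Use of Social Networking Sites
owner: Jane Example (Information Security)
executive_sponsor: Chief Operating Officer
scope: All employees and contractors
version: 1.0
effective_date: 2007-10-01

Employees may access social networking sites only from ..."""

DOC_V2 = DOC_V1.replace("version: 1.0", "version: 1.1") \
               .replace("effective_date: 2007-10-01", "effective_date: 2008-01-15")

DOC_BAD = """title: Password Policy
executive_sponsor: Chief Executive Officer
scope: All systems
version: v2
effective_date: Jan 2008

Passwords must ..."""


def parse_header(doc: str) -> dict:
    """Read 'key: value' lines up to the first blank line."""
    header = {}
    for line in doc.splitlines():
        if not line.strip():
            break
        key, sep, value = line.partition(":")
        if sep:
            header[key.strip().lower()] = value.strip()
    return header


def validate(doc: str) -> list:
    """Return a list of problems; an empty list means the document passes."""
    h = parse_header(doc)
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in h]
    if "version" in h and not VERSION_RE.match(h["version"]):
        problems.append(f"bad version format: {h['version']}")
    if "effective_date" in h:
        try:
            date.fromisoformat(h["effective_date"])
        except ValueError:
            problems.append(f"bad effective_date: {h['effective_date']}")
    return problems


def version_history(revisions) -> list:
    """Build a hash chain over revisions given in chronological order.

    Each entry's digest covers the document text and the previous digest,
    so changing any earlier revision invalidates every later entry.
    """
    history, prev = [], ""
    for doc in revisions:
        h = parse_header(doc)
        digest = hashlib.sha256((prev + doc).encode("utf-8")).hexdigest()
        history.append({"version": h.get("version"),
                        "effective_date": h.get("effective_date"),
                        "sha256": digest})
        prev = digest
    return history


def verify_history(revisions, history) -> bool:
    """Recompute the chain from the stored revisions and compare digests."""
    return version_history(revisions) == history


def _vtuple(v: str) -> tuple:
    return tuple(int(x) for x in v.split("."))


def versions_increase(history) -> bool:
    """True when every revision carries a strictly higher version number."""
    try:
        vs = [_vtuple(e["version"]) for e in history]
    except (AttributeError, ValueError):
        return False
    return all(a < b for a, b in zip(vs, vs[1:]))


if __name__ == "__main__":
    for name, doc in (("DOC_V1", DOC_V1), ("DOC_BAD", DOC_BAD)):
        print(name, validate(doc) or "OK")
    hist = version_history([DOC_V1, DOC_V2])
    print("versions increase:", versions_increase(hist))
    print("chain intact:", verify_history([DOC_V1, DOC_V2], hist))
    print("tampered chain detected:",
          not verify_history([DOC_V1 + " (edited)", DOC_V2], hist))
```

The hash chain is the simplest form of the "detailed audit trail" the post mentions: it does not replace an access-controlled document management system, but it gives an auditor a cheap way to confirm that the revisions on the intranet are the ones that were approved.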