Upside/Downside

The Internet is an open standards-based bunch of technologies that the IAB and IETF document thereby ensuring that all the various software developers have a set of basic reference specifications that can form the foundation core upon which they build their applications.

Unfortunately, the down side to this is that those wishing to perpetrate malicious activities also have access to these very same standards and specifications. It is this access to the technical specifications of how the Internet and Internet technologies are implemented that allows an attacker to subvert systems, networks and the Internet for their own ends.

Today we find that this tends to mean cybercrime such as identity theft, fraud, theft, malicious intent (creating damage to the detriment of others) various forms of Denial-of-Service (DoS) attacks, phishing, malware in general and the one we all hate with a passion Spam.

Civilizations, Societies, and Protocols

In order for a civilization to develop and prosper social beings and the societies they belong to create various protocols (rules concerning acceptable/”normal” roles, behaviors, customs and etiquettes etc.) which allow them to communicate with other members of that society. Language is but one of these protocols.

In these regards humans, bees, ants etc all have much in common. The important difference is that humans have a capacity for conceptualization and virtualization of thought and self.

Knowledge and Information Technologies

Over time it has proven most beneficial for one generation to pass onto succeeding generations the knowledge that it inherited, developed and further progressed. The label we humans have given to these processes is Information Technology (IT) and its most obvious manifestation in today is the Internet.

The benefits and freedoms delivered by these Information Technologies are susceptible to damage, degradation, subversion and destruction from a host of very diverse threats. Thus, securing information technologies against these threats becomes a desirable necessity and is achieved by way of a wide variety of technologies, processes, and training.

Before we can design and implement security procedures it is important that we first define the ultimate goals which we hope that our initiatives will achieve once implemented. Here are some of the more important security related concepts.

Security and Privacy

Because of the significant degree of entanglement of privacy and security it is practically impossible to deal with the one without involving the other. In order to deal with security and privacy related issues we must first clarify what we mean by security and being in a secure state.

In short; security is the state of being safe, protected, and free from worry about possible loss by the assurance that something of value will not be taken away, degraded, or threatened in any manner by attack from without or subversion from within.

Security measures and initiatives on the other hand are those precautions taken to defend, maintain or improve the safety and sanctity of an entity(s) (somebody or something) from attack, danger, or crime be they potential perceived or real.

Security Goals

Security goals are the predefined targeted levels of protection, precautions, and/or defensive strategies deemed to be adequate and/or appropriate for specific “real world” scenarios. Thus security goals can and do vary considerably from one entity to the next.

However; from the “big picture” perspective, we find that security goals developed by different organizations will all have the commonality of providing an acceptable predefined level(s) of security assurance in conjunction with varying degrees of acceptable exposure(s) usually weighted by economic factors such as cost effectiveness.

Security Auditing and Accounting

Security auditing is the process of recording; usually to a log file, information regarding network and resource access and access requests including which computer(s) and/or user(s) are issuing said access requests. Typically audited criteria include system/network resources, security events, unauthorized access, logon attempts and outcomes as well as communications related events.

Security-in-Depth

Security-in-depth is a strategic security concept based around hierarchies, multiple layers of defenses and the removal of single-point-of-failure instances. The basic philosophy here is to use multiple layers of defenses with each using multiple different types of defenses at every stage and station of a security infrastructure.

The result of this is that any time a user requires access to assets or resources with prescribed access and privilege levels above that of the user's current logon account status said user will be required to supply additional authentication credentials in order to proceed.

For instance an example of security/defense-in-depth would use variable combinations of password authentication in conjunction with and supplemental to smart cards, keypads, biometrics, digital signatures/certificates etc.

Additional Networking and Security Infrastructure

Additional factors worthy of consideration when designing and building a security infrastructure include: physical accessibility, system/network availability, firewalls, Demilitarized Zones (DMZs), surveillance systems (video cameras), traffic control mechanisms, check-points, email security initiatives, multi-factor authentication, intrusion detection systems and intrusion prevention systems.

Security Policies

A security policy is a document containing a set of organization/enterprise-level rules governing acceptable usage of enterprise assets and resources as well as user behaviors. Response measures (what to do when things go wrong) are usually included in security policy documentation as well.

Other criteria commonly found in security policies includes: information technology resources, acceptable security practices, acceptable operational procedures, best practices guidelines, recommended procedure and practices, glossary of terms and terminology used etc.

There are quite a number of different types of policies that all organizations, enterprises, business and institutions must develop and implement. Most of these policies will be created primarily in response to legislation.

Generally speaking, this group of essential and mandatory policies includes: authentication policies, password policies, privacy policies, environmental policies, auditing and accounting policies, physical security policy, emergency events and response policies, general resources and assets usage policies.

Under Attack

An attack is considered to be the direct or indirect; real or perceived, consequences and effects of action(s) perpetrated by one or more entities with the intent to intrude, compromise, degrade, control, or adversely affect; either directly or indirectly, the assets, prerogatives, freedoms and rights of one or more other entities; generally with deliberate malicious intent, manner or purpose.

A threat is any entity possessed with the deliberate intent to cause hazard, harm, degradation or unsolicited action to the disadvantage, peril or jeopardy of another entity or asset. An exploit is usually some vulnerability that can be taken advantage of by a threat in an unsolicited, unfair or selfish manner; to the advantage or intent of said threat, and/or disadvantage or detriment of that being exploited (target/victim).

Security analysts have identified a special category of vulnerability; known as a zero-day vulnerability, which is generally considered by security professionals to be of the highest order of risk because there are no known patches or countermeasures available at the time the vulnerability, exploit or flaw is first publically disclosed.

Napoleonic Tactics - Divide and Conquer

In order to be able to manage the vast array and types of attacks with an eye to producing the most appropriate response with the shortest possible delay/lag between identification/notification and the development and roll-out of countermeasures it is helpful to break up the attacks into classes delineated by the relative location of the source of the attack as well as the relative location of the target as follows:

Outside

Resources and assets external to an organization come under attack. The effects and consequences of which are felt by the organization and other parties. This type of attack can result in damage arising directly from malicious intent by the attacker and targeting you specifically.

Damage from outside sources can also be collateral in nature. This type of damage arises directly or indirectly out of malicious intent and/or actions by the attacker directed at another party but adversely affecting you in the processes.

Outside-In

A more classical form of attack whereby an external attacker desires to intrude into the targeted system/network by penetrating said system or network defenses in order to execute ill intent or to perpetrate malicious and vindictive activities.

Data theft; particularly of Personally Identifiable Information (PII) and financial information in general, tends to be the main motive here. Other vindictive actions such as data corruption do occur as the result of outside-in attacks.

A more recent twist on this theme sees the villains gaining access to inside resources including databases and accounts information. Once in; they will encrypt your data thereby denying you rightful access to it. For a sum of money the perpetrators will give you the encryption key. In short; this form of outside-in attack is nothing other than extortion.

Inside

The attacker is internal to the target system or network. A very common example of this is when authentic users of a system/network attempt inappropriate access of resources, services, or data to which they are not explicitly entitled.

Examples of insider attacks include the inappropriate unauthorized downloading of materials of a non-work related nature or use of an organization's resources in the pursuit of personal activities. Using the company printer to print family photos or using network resources to play online games or downloading movies and MP3s are all examples of this class of insider attack.

There is another more serious type of insider attack where an authentic user attempts to gain access to resources which they are not and may never be entitled to access. Company financial records, upper management documents and employee history records are examples of this type of insider attack.

Inside-Out

The attacker is inside the target and either instigates a remote malware download and then does its damage or the attacker wishes to propagate from its current host system to other external systems. The unauthorized export of company data to the attacker's external offsite storage devices is a classic example of the inside-out attack. Most consider this to be industrial espionage.

Proxy

The attacker focuses on surreptitiously enslaving; usually very large numbers, of unprotected innocent 3RD party machines and then; when ready, will launch an attack from all enslaved machines simultaneously. The intended result is to over-whelm the target by sheer volume. Malicious “botnets” are an example of this attack source category that has gained much notoriety of late.

Diffuse Perimeter

A relatively new category related to the morphing of the “security perimeter” as a result in the recent massive expansion of ad hoc wireless public access networks.

Secure resources are now traveling out into an ever more insecure environment where they will encounter wireless networks in places where once there were no freely publicly accessible networks. Now there are many. Airports and transit centers along with the hospitality industry are primary locations from which nefarious activities are launched upon the unsuspecting.

Mobile

Many attacks today are implemented by mobile (in transit) devices such as laptops and notebooks. This makes it very hard to identify the attacker. Another much publicized form of mobile attack is the practice of “war driving”.

Generally; war driving entails an attacker cruising around in a vehicle with a wireless enabled laptop or notebook placed on the seat next to them. When a wireless is detected the attacker will use packet-sniffing software among others to determine as to whether or not the victim network is transmitting in plain language (not encrypted).

Cloud

Considering the current rate of uptake; by business and individuals alike, of cloud computing technologies such as Software-as-a-Service (S-a-a-S) it comes as no surprise to learn that the security world now recognizes that attackers and attack mechanisms that exploit various aspects of cloud computing technologies constitute a new attack source.

Make no mistake about it; a thorough understanding of the differences between policies and standards is oh so essential to competitive resiliency, business continuity and the development of applicable, relevant policies for you and your organization.

Standards

From a generic point-of-view, standards usually originate from without an organization.

In areas with no official standards or regulatory requirements organizations are free to choose whether or not to voluntarily adopt the various standards and/or proposed standards (this is known as opt-in). In these cases the degree of compliance can also vary considerably from one organization to the next.

Conversely external factors such as the need to comply with legislation or industry-wide recommendations may conspire to force an organization to adopt specific standards.

Whenever legislation and/or other regulations are applicable failure to comply with their provisions will ultimately result in the imposition of punitive penalties. Depending upon the breach incarceration may result.

Policies

On the other hand and in marked contrast to standards policies generally originate from within an organization. The primary objectives and basic functions distributed and/or detailed/proposed via the policy format are generally intended to deliver positive benefits whilst avoiding negative effects at least from the organization's perspective.

Think of a policy as being a statement of organizational intent with the goal of formulating a deliberate plan of action to guide decisions and achieve rational outcome(s). As such the term may apply to government, private sector organizations and groups, as wells as to individuals.

Policy-Based Decision Making

The term “policy” is also used to refer to the process of making important organizational, management, financial and administrative decisions. This includes the identification of different viable alternatives such as processes, programs, projects or spending priorities. These alternative options are considered to form a pool of possible solutions from which the final selection will come.

One area where adherence to policy has considerable impact is in the making of a selection from this pool of possible solutions particularly when many of the candidates in the range are more-or-less equal prospects. In these situations it is often the case that company policy will act as the “tie-breaker” by influencing or even dictating which option wins by clearly defining and delineating the criteria for selection in each instance.

So it is; that generically speaking, company policy aims to facilitate the rapid attainment of specifically defined explicit goals while preserving organization-wide consistency.

Policy Compliance

Compliance with corporate policy is generally not negotiable and the individual at fault will generally experience some form of penalty. The type of penalty will vary from one organization to the next. The ultimate penalty for non-compliance with organizational policies would be termination of employment.

Policy Goals, Objectives and Targets

The possibilities here are endless so to provide a “big picture” view of policies I will make special note of a couple below. Some of the reasons for developing a policy include:

Exploitation - Policies may created to improve an organization's capacity to exploit the positive benefits (from their perspective) of any given scenario or situation as identified by that organization

Mission Statement - Regardless of the type of policy being implemented a clearly defined policy mission (mission statement) is always instrumental in maximizing a policy's capacity to perform and attain its goals.

Privacy - Privacy policies such as corporate privacy policies are widely used today and will generally include information pertaining to their collection, storage, updating, notification, security and eventual secure disposal.

Distribution Policies - Distribution Policies regulating the distribution and sharing of resources within the organization are another common type of policy to be found around the globe in a multiplicity of guises.

Security - Never forget the many elements of security. Policies will need to be developed and implemented concerning personal well-being, intruders, hackers, accidents, down-time etc.

Monitoring - Monitoring and evaluating the current policy status in order to determine whether or not your policy initiatives have/are effective is critical to the success of your overall plan. You can also learn a lot about what to do and where change will have the most beneficial effects at the best dollar/benefit. Policy adherence issues must be dealt with in real-time as and where they arise.

Policy Management

Adopting a life-cycle approach to business policy management has the advantage of ensuring that all business policy can proactively adapt rapidly in concert with the prevailing yet ever changing business, political, social and regulatory climates now and well into the future. One example of a widely accepted business policy management life-cycle is the Bridgeman/Davis Policy Life Cycle depicted below.

Policy Documentation

One fundamental aspect of policy and policy development that may be overlooked is the task of adequately and appropriately documenting the policy. This is true whether it be an organization specific policy, an opt-in standards-based policy or a regulatory required standards-based policy. Elements that must be included with all documentary policy statements include:

Policy Purpose Statement - Why the policy is being implemented & what it is supposed to achieve

Policy Scope Statement - Who and what the policy affects as well as any express exclusions relating to specific individuals, organizations and/or actions

Policy Time Statement - When the policy takes effect, its intended period of tenure and when it is scheduled for updating and/or termination

Policy Responsibilities and Obligations Statement - identification of who is responsible for what along with clear and unambiguous identification of governance structures

Policy Effect Statements - The specific organizational standards, regulations, requirements, modifications and/or behaviors that the policy is intended to address or create

Policy Change and Change Management Statement - The formal declaration of accepted process and procedure for the instigation of change to or of policy

Policy Background Statement - The origins, reasoning, motivation, and historical perspective for creating the policy in the first place. Any underlying, extenuating or extrapolated process will be clearly identified and stated here.

Policy Milestone Statement - Clearly defined and listed stages at which the policy is deemed to have progressed throughout its life-cycle. Many milestones will therefore be used for the purpose of providing management with the metrics by which they can determine the progress of the development or current life-cycle status of the policy. Milestones will also feature prominently in policy sign-off statements and the policy sign-off pages or policy sign-off documentation (if separate to the remainder of policy documentation).

Policy Definitions and Terminology Statement - Clear and unambiguous definition and explanation of the terminology, concepts, methodologies and processes contained within the policy

Policy Life-Cycle Statement - Detailed presentation of the specific policy life-cycle model applicable to the policy. Clear and unambiguous statement of all terms conditions and processes applicable to the policy during each and every stage of its life-cycle and development.

Policy Sign-Off Statement - Provision for formal signature sign-off as the policy progresses through each of its life-cycle stages. Some of the milestone points where authoritative sign-off will be required will include initiation, identification, design, drafting, revision, re-evaluation, approvals, implementation, maintenance, continuing review redevelopment, redrafting and change implementation and eventual replacement and/or decommissioning.

Policy Milestone Sign-Off Page Statement - Provision of a formal sign-off page(s) intended for use as that section of the policy document where the required signatories must formally apply their signature to indicate currency and formal acceptance.

Let us start by defining the difference between policies and standards. After which we will delve a little deeper into the world of policies. Then we will look at how to develop your very own policies.

Standards

Standards tend to originate from without. In many instances organization's can adopt various standards voluntarily. External factors such as the need to comply with legislation or industry-wide recommendations may force an organization to adopt specific standards.

Standards infer compliance or opt-in. The degree of compliance tends to be rigid in areas where legislative regulations are enforced. In this case, failure to comply will ultimately result in the imposition of punitive penalties. Depending upon the breach incarceration may result.

Policies

Policies on the other hand originate from within an organization. The primary objective of policies is to deliver positive benefit or avoiding negative effect from the organization's perspective.

Compliance with corporate policy is generally not negotiable and the individual at fault will generally experience some form of penalty. This will vary from one organization to the next. The ultimate penalty for non-compliance with organizational policies would be termination of employment.

A policy is a deliberate plan of action (organizational intent) to guide decisions and achieve rational outcome(s). As such the term may apply to government, private sector organizations and groups, as wells as to individuals.

Policy also refers to the process of making important organizational, management, financial and administrative decisions. This includes the identification of different viable alternatives such as programs or spending priorities. This forms the basic pool of options from which the final selection will come. It is often the case that company policy will dictate which option wins.

Selection Criteria

Company policy influences the decision making process by defining the criteria for selection. Choosing from among a range of nearly equal prospects is one area where policy has considerable impact. Generally, company policy is to ensure the rapid attainment of specifically defined explicit goals.

Risk/Threat Impact Identification

Identification of real and potential risks and threats takes place. Each risk and threat is analyzed in regards to the impact that it would have upon the organization. Now conduct an impact evaluation.

Implement measures designed to avoid those specific negative effects or impacts identified as posing to high a degree of risk, threat or impact to the organization.

Maximize Positive Benefits

Policies may also be designed to address and maximize the organization's capacity to exploit the positive benefits (from the organization's perspective) of a given scenario or situation as identified by that organization.

Policy Examples

Examples of policies widely used today include corporate privacy policies and distribution policies regulating the distribution and sharing of resources within the organization are another.

Policy Development and Management

Without doubt the easiest way to create, develop, and maintain a consistent appropriate policy or set of policies across an organization's expanse is to apply structure and form to your organizational and personal policy objectives.

Since policy needs to respond to an ever-changing environment and/or environmental factors it is best; as is the case with other intangibles, to adopt a life-cycle managerial approach. One example of the life-cycle approach to policy management is the Bridgman/Davis policy life cycle.

The Bridgman/Davis Policy Life: Cycle1

1. Issue Identification
2. Policy Analysis
3. Policy Instrument Development
4. Consultation (which permeates the entire process)
5. Coordination
6. Decision
7. Implementation
8. Evaluation

Policy Documentation

Policy documents usually contain the following standard components:

• Policy Purpose Statement - Why the policy is being implemented & what it is supposed to achieve
• Policy Scope Statement - Who and what the policy affects. Express exclusions relating to specific individuals, organisations and/or actions
• Policy Time Statement - When the policy takes effect and when it is due to be terminated
• Policy Responsibilities and Obligations - Who is responsible for what including identification of governance structures
• Policy Statements - The specific organizational regulations, requirements, modifications and/or behaviors that the policy is creating
• Background Statement - The reasoning, motivation, and historical perspective for policy creation
• Statement of Definitions and Terminology - Clear and unambiguous definition and explanation of the terminology, concepts, methodologies and processes contained within the policy

After a long investigation I realized the problem; a nineteenth century management structure.

Although business practices may have been tweaked in 1950, a Victorian could feel at home.

To complain about a supervisor requires one complain to that supervisor. What is the point? To gain special consideration requires a step by step meander through levels. Why bother?

As all aspects of the business are covered by "policy" (probably formulated in 1860) an employee must bring him or herself into conformity.

A Typical Example

The engineer wished to attend his brother's wedding and needed a week off. It was decided that as he had taken leave within the past twelve months he was ineligible.

The engineer took the week.

It was knee jerk he be fired as soon as he walked back into the building.

Exploring his work history one found a man who arrived early, left late, did overtime, was available twenty four hours a day seven days a week.

He was denied leave because it was "company policy" that no one could take leave twice in one year.

Company Policy

Not the needs of this employee, nor his particular reason, but a writ in stone "company policy" that applies "equally", regardless of the facts, to all employees.

It was no longer a mystery why ambitious young people resigned from this company?

When one examines the newest, most dynamic companies one discerns they are often headed by someone who never worked before, hasn't a clue what "company policy" is, and believes in making it up as he goes along.

As the new billionaire has no idea what the nineteenth century modus is, he is not setting up hierarchies, procedures and forms in triplicate.

Stop and Think About It

Think of all the time you waste with nineteenth century 'procedures' when an office wide email suffices.

Further, recognize an employee is not a slave nor an indentured laborer. If one wishes to not pay him for the week he doesn't work, that is the extent of the employer's sanction. To decree he can not attend his brother's wedding will be met by his walking off the job.

If you are losing workers, it is probably your "system" which is at fault. Move into the twenty first century.?