Assignment 3: Explore Security Policy Components

For this assignment, you will explore some of the elements that make up an information security policy. We will use the policies developed by the South Carolina Department of Administration as an example.

Background Material

Information security policies are normally tailored to the needs of a company, agency, or institution. Resources like the NIST Cybersecurity Framework exist to help organizations develop their own policies, and there are certainly plenty of consultants and policy development services available. While it might be tempting to try to find a security policy “off the shelf,” it is important to realize that every policy inherently makes tradeoffs between the pillars of the CIA Triad, and that availability is usually the first thing to suffer.

South Carolina actually has a comprehensive statewide information security policy that we can use as a case study to explore the components – or conceptual pieces – that make up an information security policy. Following a massive data breach at the South Carolina Department of Revenue in 2012, the South Carolina Department of Administration has worked to create a centralized information security policy for all state agencies to follow. To their credit, the Department of Administration has covered all the major components of an information security policy in the process.

The Policy

The entirety of the state information security policy is not contained in a single document. Rather, it is comprised of a fairly large set of documents that each address various components of the policy. The entire document set is available at the South Carolina Department of Administration Technology Services Governance and Resources page. For our purposes, we’re only going to look over a subset of these documents in this assignment.

Policy Development and Implementation

To understand how agencies are supposed to implement the statewide policies, it is helpful to begin with the following set of documents. Since we’re not actually implementing the policies, just give them a skim to understand the overall framework envisioned by the rest of the policy.

• Information Security Program Master Policy
• Information Security Policy Handbook

Policy Components

Our main objective with this assignment is to understand the various components that make up an information security policy (which could also be called a cybersecurity policy, among other names). It is helpful that the SC state policy is organized by major component areas:

• Data Protection and Privacy - includes policies for classification, retention, and disposal
• Threat and Vulnerability Management
• Business Continuity Management - includes disaster recovery
• Incident Response Standards

Note that these examples are only 4 of the total set of policy documents. However, they cover some of the most common components of an information security policy. These components include (but are not limited to):

• Data protection, classification, retention, and disposal
• Management of threats and vulnerabilities
• Plans to maintain operational continuity even if an incident or disaster occurs
• Procedures to follow in the event of a cybersecurity incident

Note that an organization may have additional, or even different, components to its own information security policy. The key takeaway is to start thinking about the kinds of things that need to go into a security policy.

Silo Risks

Although the South Carolina state information security policy is quite comprehensive, it does have a major downside. This policy was created by a centralized team in Columbia in a state-level implementation of what happens in many companies and institutions. At the corporate level, it has become quite common to have an Information Security Manager (ISM) or even a Chief Security Officer (CSO) with a staff of security-oriented professionals working as a single team within the organization. This team often becomes a “silo” in which team members are largely responsible for policy development and security management as their primary job duties.

At first glance, a security team developing a centralized policy sounds like a good idea. However, it quickly becomes problematic, since the security team does not have domain expertise – or even great insight – into the actual business functions and operations of the organization. When the team implements policies that sound good from a purely theoretical perspective, they can unintentionally create new vulnerabilities that actually weaken the underlying security of the organization as a whole. A common example is that of a password policy that requires both the use of complex passwords and the mandatory changing of passwords several times per year. While this policy has excellent theoretical properties, it tends to result either in employees using the same basic password with only minimal variation each time or – much more alarmingly – in an employee writing down the password and taping it to their computer.

Another example of silo-oriented thinking may be found in our state’s information security policy:

• IT Shared Services Standard: Hyper Converged Infrastructure System

As you read the above document, notice how the policy effectively limits this type of system to a single vendor (VMWare). If this vendor ever has a massive security issue, every system complying with this policy will be at risk, and an attacker will be able to use the same techniques to breach each and every compliant implementation at each and every agency. Absent such a vulnerability, relying on only one vendor gives that vendor unlimited pricing power at license renewal time, which is actually a security vulnerability by itself! Since budgets are always finite, an agency might not be able to afford an important upgrade, forcing it to leave an older version of the software in production without the ability to receive security updates.

This particular part of the policy is an excellent cautionary example of why security policies should not be developed exclusively by designated cybersecurity teams. It is also an excellent caution for another point we’ll see later in this course: NEVER over-rely on only one vendor for a major part of an organization’s IT infrastructure.

Initial Post Requirements

For your initial post, pick one component of a security policy on which to focus. Do a little research of your own in addition to the above readings. Focus on the following:

• Explain the purpose of you selected component in the overall security policy.
• Relate your selected component to the CIA Triad.
• Explain how the South Carolina state information security policy addresses the component you selected.
• Identify at least one way that the policy component you identified can create a new, unintentional vulnerability.

Once you have formulated your idea, create an initial discussion post in this week’s forum. Write a narrative post explaining the component you selected. Cite the sources you used. A formal citation in a style is NOT required – it is sufficient just to give the URL or a link to the source.

As a reminder, you must do your own writing. Use of ChatGPT or other artificial intelligence tools is NOT PERMITTED.

Completion Standards

A complete initial post for this assignment:

1. Describes one component of an information security policy.
2. Explains how the described component fits into the overall security policy.
3. Relates the described component to the CIA Triad.
4. Identifies the way in which the South Carolina state information security policy addresses the described component.
5. Indicates the way that the policy component might unintentionally create a new vulnerability.
6. Cites all sources used (informal citations are acceptable).

There are no word limits or targets (minimum or maximum), but try to make the post both complete and concise.

Assessment

Successful completion of this assignment satisfies the following course student learning outcome:

• SLO 2. Explore and extend creative use of emerging information systems technologies in a secure manner.