Creating an Information Security Policy
Hardly a week passes without hearing about a new virus, worm, or Trojan Horse that infects networks of computers. These problems not only cost the company money in their aftermath, but there is a loss of productivity that can never be replaced. Although these problems primarily hit the operating system and software of one vendor, no operating system is safe. Remember, the first publicized worm was unleashed in 1988 and was designed to attack Digital VAX and Sun Systems based on a version of UNIX.
When writing policies, you first have to establish the need for protection. You may think that is not necessary, but it helps establish the requirement for these policies and strengthens their effectiveness. Then the policies should include how the organization will provide virus protection (centralized or localized) and rules for handling third-party software. Finally, the policies need to discuss the users' role in security.
The Need for Protection
Some organizations feel that they have to worry about the legal implications of a piece of software scanning information on the users' system. Although you might believe that this should not be a worry, your organization might never know how policies can be misconstrued if there should be problems. This is not to say that you are going to have problems. But many corporate attorneys want a statement establishing the need for virus protection and the organization's right to mandate the use of anti-virus software.
One way to ensure that the disclosure responsibility is met is to ensure that the policy includes a statement that initiates the anti-virus program in a language that limits its scope to this program. Although there should be specifics based on the anti-virus program strategy (that is, centralized versus distributed programs), start with the establishment of the program. Following is an example of a passage suggested by an attorney:
On the Advice of Counsel...
An old joke that says, "If you put two attorneys in a room, you get three opinions," could not be truer when discussing the law and information security. Although I tend to allow attorneys to override certain technical decisions when writing information security policies, you should not be afraid to question their judgment on these topics.
One attorney told me that the biggest mistake attorneys make is with the jurisdiction of a possible claim. For example, if the policy statement is going to read like a human resource concern, have them understand that any problems might have to be defended under employment law.
Some organizations prefer a policy statement that does not sound as if it came from a legal brief. Assuming that your organization will install anti-virus software on all systems, rather than using network filters, you might want to use a statement like the following:
The traditional approach to virus protection has been the thing to do with systems running various versions of Microsoft's Windows operating systems or other Microsoft applications. However, there are virus problems that can affect other systems regardless of the type of operating system. Viruses that appear in certain applications can infect every system it runs on. One example of this is Lotus Notes, which can spread viruses to UNIX servers running the Notes server as well as those running Windows NT. There are even proof-of-concept viruses for PalmOS-based devices.
If your organization relies on cross-platform applications, your policy should consider protecting all platforms and not just the Windows systems.