Initial version first published and presented: INFOSEC Engineering, AFCEA Educational Foundation, September, 1994

Information Security Program Development

Bruce C. Gabrielson, PhD
Center for Information Security Technology
Columbia, Maryland


Formal adherence to detailed security standards for electronic information processing systems is necessary for industry and government survival. Security standards are needed by organizations because of the amount of information, the value of the information, and ease with which the information can be manipulated or moved. While information security programs are sometimes implemented following an actual loss or incident, prudent business organizations address security early in their corporate life.

For most business enterprises, the concern for physical security is best understood and, as a result, addressed first. However, information security puts the emphasis on protecting the information stored in or processed by the system rather than focusing on simply protecting equipment[1]. Therefore, if the enterprise depends on data processing, a com- prehensive information security program covering computing issues will soon follow.

Corporate Objectives

Ensuring for its survival and profitability is the fundamental driving objective of the corporation. In the modern business environment, profitability and survivability depend on information.. Regardless of the enterprise's business, all of the corporate data resident on the enterprise's computer systems is both valuable and vulnerable.

"The threat extends beyond the physical boundaries of the enterprise"

Because today's business enterprise has extensive electronic communication pathways (computer networks, and telephone systems for example) extending well beyond the physical bounds of the business operation, internal vulnerabilities may be exploited by external threats as well as internal. The consequences can be loss or modification of critical business data, disruption of services, compromise of proprietary business plans or processes. A high school student, working from his bedroom can easily erase all of a company's billing records and halt cash flow for weeks or months. Even well-protected businesses (as well as government organizations) may be vulnerable to attacks on corporate web pages. There are trivial attacks that will give access to the source of a corporate web page to any intruder. While of no intrinsic value, the loss that may occur if the home page is converted to a competitor's, or modified to include obscene or offensive pictures and text might be incalculable.

"Basic security conflict: Cost vs. Benefit"

In today's corporate environment there often exists a conflict between security objectives and operational requirements. Marketing, finance, engineering, and management all produce and use data that are critical to that organization's business activities. In addition, within government or the defense industry, some of this data could be considered classified (i.e., SECRET, TOP SECRET, etc.) or unclassified-but-sensitive, requiring even stricter controls for its protection. Therefore, despite the pressure to overlook security needs, successful and responsible organizations will have a written security policy and formal security plans and procedures in place to guide their employees, as well as their business, in protecting their computing assets.

It is very important that management is able to quantify the benefits of a security program as a function of costs. These benefit:cost tradeoffs are essential if one is to be able justify a security program. In order to formalize this analysis process, certain concepts must be considered:

A business risk is anything that could potentially harm the operation, assets, or profitability of the organization.

Risk analysis is a formal process of determining what your computing assets are worth, identifying vulnerabilities by discovering where threats/exposures could occur, and then determining how much potential harm could be caused if the identified vulnerabilities were exploited.

For each vulnerability identified, the risk analysis produces a cost-benefit analysis to determine if the cost to implement fixes or increase protection is justified by the cost of the asset's loss.

Thus, the security policy and risk go hand in hand: policy is needed to reduce risk, and the risk analysis is used to justify a security policy.

Responsibilities of Management and Employees

If both management and employees understand their respective responsibilities for protecting computer data, it follows that they must also recognize the problems they face in developing and implementing a security program.

"Management's role"

Management has the ultimate responsibility for implementing a data security program based on an assessment of business risk (corporate cost/benefit tradeoff) and an information system (IS) security risk assessment. All levels of management must be involved (and held accountable) to insure the program is understood and properly implemented. Management must understand that they are legally responsible for the integrity of corporate data assets just as they are with other assets of the corporation.

"Employee's role"

Employees must recognize that the corporate data on their computers is both valuable and vulnerable. They must understand their legal responsibilities regarding the unauthorized release of sensitive data. Note that sensitive data means data that requires protection due to the risk and magnitude of loss or harm that could result from its unavailability, disclosure, alteration, or destruction.

The means of ensuring employee understanding and/or recognition of their responsibilities varies. User/employee security awareness training is one of the most common means available to achieve recognition of responsibility and computing asset worth. Some organizations require personnel to sign an agreement that includes the protection of computing assets as a condition of employment, while others sign agreements as a condition of allowing their connection to the organizations network. Another recognition means often implemented is the use of security login banners, which are displayed whenever a user logs onto the corporate network.

"Everyone in the corporation has an important security role"

The following table summarizes the related responsibilities for various management levels within a typical corporation:

1. Chairman of the Board
To protect and insure for continuity of the corporation

2. President
To protect and insure for profitability of the corporation

3. Managers
To maintain information as a strategic asset of the corporation

4. IS Security Manager
To insure written security policies are developed, implemented and followed

5. Users
Ultimate responsibility for accidental or intentional destruction or disclosure

Notice in the above list that operational IS security is not a direct concern of upper management, but the protection of information assets certainly is. Also notice that the IS Security Manager is the key to development and enforcement of a comprehensive security policy. Without this individual physically inserted into the management process, a security program will not be implemented or enforceable, and upper management will not be able to provide for the protection of its information assets.

Recognizing the Scope: Enterprise-wide Security

IS vulnerabilities in general, relate to the weak points of the tangible computing assets in the corporation, and how exposed these assets might be to exploitation. These vulnerabilities can vary greatly depending on the network or stand-alone environment used by the corporation. Obviously, the weakest link in the security chain is also the most vulnerable point. Since the three basic goals of computer security are ensuring secrecy, integrity, and availability of data, vulnerabilities of a computer oriented business can include just about everything related to the business operation. Typical assets are hardware, software, data files, support documentation, people, and outside communications.

"Positively motivate the employees"

Employee motivation is a key feature of computer security. The disgruntled employee who imports or develops a virus generally does so for revenge. He wishes to "get back at management" for that tiny raise, or the overlooked promotion. Crackers who break into protected networks or sensitive files are motivated by peer pressure or simply entertainment. Industrial spies could be driven by political or financial reasons. Regardless of motivation, the personal perspective of individuals who have access to corporate computing assets is of critical importance. Ultimately, the employees must be motivated to recognize the need to protect company information and to report attempts by outsiders to obtain access to that information.

Those individuals who have access to corporate computing assets are those who have the opportunity to create problems. This opportunity not only relates to employees, but also to those who are external to the corporation but might gain access based on weak network protection techniques. Opportunity, or more correctly access control, is therefore the foundation of security for information systems

Four Basic Security Threats

In general, there are four kinds of computer security threats: interruption, interception, modification and fabrication.

Interruptions include any delay or disruption of normal business operations. Computer down time caused by viruses and their removal is a very common problem today. Even just a few minutes for each employee can add up to many lost productive staff hours or staff days.

Interceptions are any unauthorized access to information, which may or may not result in the illicit use of data. Browsing through stored files and monitoring network or telephone transfers are considered access. There are hundreds of methods to remotely gain unauthorized access to computer systems over a network. If the network is the public Internet, then virtually anyone in the world can get access. In private networks, one still must be aware of the insider; most incidents of computer fraud involve insiders to the corporation. Networks and telephone systems are easily tapped, which provides access to much crucial data or the knowledge needed to obtain direct access to the enterprise's computer systems

Modification includes tampering with information once access has been achieved by changing software or hardware controls or the data itself. Think of the consequences if an intruder changed the amounts owed to your company by outside vendors. All of your billings will be incorrect and the cash flow totally disrupted.

Fabrication means fraud and counterfeiting. It is modification in a way to benefit the intruder or to cause problems for the corporation. It can involve skillfully adding data or objects to the computing system such as transactions or additional files on a database. An example of data tampering is accessing a university data base to change the grade received in a class. Or planting compromising email messages that could benefit a sexual harassment lawsuit.

Security Policy Objectives

A comprehensive data security program will involve both people and information.. The typical activities included in such a program are:

1. Prevention
2. Protection
3. Detection/Investigation
4. Damage Assessment
5. Recovery

Security Policy Statement

The policy objectives are set forth in the security policy statement, which is the cornerstone of any effective program for managing and controlling an organization's information assets[2]. Policies are the high level guidance or vision directing the organization. The statement establishes the basic philosophy of the organization and determines the functional areas where controls must be established. Implemented by management to provide information, control and direction, the IS Security Policy is used to support the development of the subsequent security program. According to Peltier2, a good Infosecurity program policy statement must do a number of things:

1. Identify information assets.
2. Define who is responsible for classifying and valuing information assets and who must comply.
3. Describe the role of employees in protecting information.
4. Provide for monitoring and enforcement.
"What is protected"

The security policy statement should describe what information should be protected as well as the extent of allowable distribution. Responsibilities should address all levels of the organizational structure, stating who is responsible for complying with the policy and who is responsible for making sure that the classifying policies are enforced. Each employee's security role should be spelled out; the consequences of non-compliance must be linked to those roles and attendant responsibilities.

"How is it enforced"

Monitoring and enforcement address when the policy becomes effective, conditions under which the policy is enforced, and how it will be monitored. For instance, does it apply only for a specific group of employees while working in the organization's facilities, or does it apply employees on travel or in the field. Normally, background on the need for a policy is also incorporated.

"Keep it simple"

The policy statement should be short, easy to read, and not incorporate technical terms. It must also be unambiguous, so that no one can be exempted from the requirements. One method of ensuring accountability is to incorporate an employee acceptance page at the end of the document which must be signed and returned to appropriate management personnel. This form could also become an annual requirement delivered as part of annual security awareness training.

"Protect people as well as data"

Don't forget that people can make or break a policy.

1. Guard against and remove from unnecessary temptation inappropriate data that employees might be exposed to while fulfilling job responsibilities.
2. Ensure management awareness of the need for security, and their participation in the development and implementation of security policies.
3. Insure the protection of sensitive or confidential data.
4. Provide protection from acts that would cause malfunctions, errors and omissions, inaccuracy, unauthorized disclosure or destruction of data.
5. Insure the controls and procedures are in place that allow immediate detection and countermeasure implementation for information threats.
6. Protect management from charges of imprudence in the event of information compromise.
7. Insure the ability of the organization to survive business interruptions and function adequately afterwards.

Developing the Final Security Implementation Program Plan

The typical areas a security program might include are identified below:

Physical Security. Prudent measures to provide for physical security include the installation of appropriate fire-rated walls, physical access controls to the facility and processing areas, automatic fire detection and extinguishing systems.

Contingency Plan (Disaster Recovery Plan). This aspect of a security plan is based on the realization that if a disaster occurred, the organization must be able to resume its critical processing. It requires the identification of those applications critical to survival, e.g., storage of the related operating systems, operator instructions, utilities, programs, and data in an off-site storage facility. The most crucial aspect of this program is testing the plan using the designated alternate processing site. Many a disaster recovery plan has failed because it was never tested, and when it was needed, no one knew what to do.

Protected Data Controls. Aside from personnel, the most vital computer-related assets are programs and data. They must be protected by proper identification and authentication of the user. Properly controlled, this will insure that the user is who he purports to be and that he is authorized to have access to the data. This control ultimately resides at the disk level, but includes all computer security threats: interruption, interception, modification, and fabrication.

Network Security. Networking systems have evolved into a highly technical discipline. Many organizations rely heavily on these systems to communicate and gather information. Because of this dependency, network systems normally require special security processes, continual proactive security testing, contingency plans, and data access controls over and above corporate controls.

Training and Awareness Program. Without some guidance at the user level regarding appropriate protective measures and actions, the best conceived security plans are not going to cover everything that can happen. Training has become an essential part of ensuring responsible employee use of their computing assets.

"You need all of the pieces"

Each area is critical for the overall security program posture, and each should be covered in final security plans and procedures. However, the protected data controls area and the network security area set the baseline for formal IS Security programs, and are usually combined into the overall IS Security Plan for a corporation. The information flow and timeline for the overall security program is shown in Figure 1. Note that nothing can be done until a security policy is implemented, based on the initial business risk assessment. After that nothing should precede the formal IS risk assessment process, etc.

Figure 1 - IS Security Program Flow


This article has provided a simplified overview of the principal corporate objectives in developing security policy and related plans. Each of the many topics can take many pages to cover adequately and this article hopes to encourage managers to look more deeply into the development of security policies and plans and subsequently develop a formal IS Security Plan, the Disaster Recovery Plan, and the procedures governing corporate physical security safeguards for their own enterprise. Each organization has its own different and unique computing needs and corporate objectives. Merging these two to allow easy acceptance of security controls while fully protecting the corporation's computer information assets is no simple task.


Carroll, John M., Computer Security, Butterworth-Heinemann, Newton, MA, 1995
Pfleeger, Charles P., Security in Computing, Prentice Hall, Englewood Cliffs, NJ 07632
Gabrielson, Bruce C., INFOSEC Engineering, Security Engineering Services, Chesapeake Beach, MD, 1995