Formulating a Security Policy

This section contains the following topics:

Statement of Goals

Primary Elements of a Security Policy

Systems Software Security Policy

Applications Software Security Policy

Auditor Function Security Policy

Operations Security Policy

All Users Security Policy

Corporate Level Security Policy

Application Level Security Policy

Statement of Goals

Detail your security implementation goals before you set out to achieve them. Your installation's CA Top Secret implementation plan should be based on the following premises:

CA Top Secret is a means to an end: Your environment is not secure immediately after installing CA Top Secret. CA Top Secret is the tool used to build a secure data processing installation.
Implementation requires adequate support: A security implementation does not go quickly and it requires internal support. Security must have support in terms of management direction, manpower, and resources. Take the time to evaluate the environment and plan the implementation. A rushed implementation often requires rework.
Security is a global concern: The corporate area assigned to handle security administration is not the only area that needs to be concerned with security and the security product. Security is not a function that can be restricted to one area. It is an environment consisting of every person involved in the data processing function-from the EDP auditors to the end‑users. Without the support of all individuals, it is unlikely that security will be taken seriously within your organization.
Security implementation is ongoing: The security implementation never ends. After implementation of CA Top Secret, you will find that your use of CA Top Secret must be continually adjusted to reflect changes which occur within your installation. Your implementation is just as dynamic as your data processing environment. It will require continual analysis, review, and modification to properly protect your installation.
Management support: Management support is critical during the implementation of security. The proper creation of an attitude throughout your organization that emphatically supports the implementation of security must be encouraged at the highest level. No security software will stop cooperative parties in strategic positions from violating the security software and procedures. Policies must be established that indicate the importance and level of security required for the particular environment. These policies must be communicated to all individuals who use the data processing facilities as part of their job function.

Primary Elements of a Security Policy

The security policy should address the following areas:

Objectives

The need for security in your environment.

Scope of security

What is to be protected (for example, data, data processing facilities, hardware).

Ownership of resources

Who owns the data processing resources (such as data, facilities, and hardware).

Responsibility for the integrity of the resources

Who is responsible to ensure that resources are being accessed, used, or modified in a secure manner.

Requirements to access the resources

Who needs access. Requirements might also specify those job functions authorized to determine when an individual requires access to a resource.

Statement of intent

How are violations logged and reported.

Accountability

Action to be taken when security is breached.

Account protection requirements

In password‑based security systems, this protection could include change intervals, one account per employee, and account assignment for remote users. This approach assumes that:

Access to data processing facilities and data is company property granted to the employee to perform a specific job function.
Each employee is responsible for the use of his account.

Responsibility by functional area

What is expected of each functional area in the support and enforcement of the policy. Each user of the data processing facility must understand that he has a role to play in the security scheme and must understand what that role is.

Systems Software Security Policy

Identify those responsible to:

Maintain the security software in a secure and responsible manner, ensuring that the data processing environment is always protected when it is available for use by the user community.
Notify the appropriate parties if the security software is disabled
Limit development and availability of facilities capable of bypassing security to only those situations in which they are absolutely necessary
Work with the security administration function to ensure that system resources are properly protected
Design the security requirements for the vendor‑supplied system software for which they are responsible, and to work with the security administration area in implementing those requirements

Applications Software Security Policy

Applications areas must interface properly with the security areas to ensure that application resources are properly protected.

Consider assigning responsibilities to:

Define the security requirements for the application, and to work with the security administration area in implementing security for the application
Notify the appropriate security administrator of all revisions to the application that affect the security design

Auditor Function Security Policy

The auditors should be responsible for monitoring the effectiveness of the security procedures and controls. Consider assigning responsibilities to them to:

Monitor all responsible areas to ensure that they adhere to the security policy
Audit the use of all critical system and application resources
Periodically monitor user activity
Monitor the access requirements set by the security administration area

Operations Security Policy

The operations area is responsible for scheduling, controlling, running, and distributing the production processing. Consider assigning responsibilities to them to:

Handle all responsibilities of production processing in a secure manner
Access all resources only through the production facilities developed by the systems and applications software areas, and only for the purposes defined by those facilities

All Users Security Policy

General responsibilities can be assigned to all users regardless of functional area. Consider assigning responsibilities to the general users to:

Keep confidential all accounts used to access data processing resources and facilities
Revise the password to these accounts at regular intervals
Notify the appropriate areas if abuse of an account is suspected
Actively support all security procedures

Corporate Level Security Policy

A corporate level of globally acceptable security measures and procedures is the typical level of policy that is issued for general distribution to all users of the data processing facilities.

Application Level Security Policy

There are often applications that require additional measures above the level set by the corporate policy. Specific policies can be developed which detail the additional security requirements necessary for facilities such as accounts payable, human resources, or particularly sensitive facilities. These policies might be distributed to only the necessary functional areas.