Introduction:
This security policy is developed by the Center for Information Technology
of the National Institutes of Health. It can be accessed on the Internet
at http://irm.cit.nih.gov/security/sec_policy.html.
Summary:
The Policy consists of five parts: Policy on Chain Letters, Policy
on Passwords, Policy on Warning Banners, Remote Access Policy and
Sanitization Policy. Each of them addresses a specific security issue.
Following the policies, Security Guidelines, which are meant to provide
more detailed information on how to comply with those policies, and
links to federal regulations concerning security issues are also provided.
In summary:
Policy on Chain Letters emphasizes the prohibition on sending and forwarding
chain letters using NIH network systems, briefly describes the possible damage
caused by chain letters, gives a detailed definition of chain letters, describes
the responsibilities of supervisory personnel and employees, and states the
possible punishment for policy violations.
Policy on Passwords addresses the issue of password usage and management.
It requires that every user choose a password that is difficult to
decipher and change it at least every 6 months. Since information
system managers and administrative managers take extra roles in enforcing
this policy, it requires system managers to configure their systems properly
to enforce the 6-month rule, and requires administrative managers
to develop, post and enforce this policy following the guideline provided.
Policy on Warning Banners requires that "[e]mployee 'sign-on
warning banners' must be posted at all logon points to Government
computers and systems...". It justifies this policy by quoting
Department of Justice recommendations and advice from the Office of
Inspector General. It even gives an example of a warning banner.
Remote Access Policy is actually a summary of The NIH Policy on Remote
Access to the NIH Network (NIH Manual Chapter 26101-26-08). It addresses
the responsibilities of Executive Officers or their designees in developing
and implementing a remote access program, defines who can have remote
access to NIH network systems, and explains how the expenses associated with
remote access connections can be covered.
The core of Sanitization Policy is that "[b]efore any NIH-owned or managed hard
disk or system containing a hard disk is transferred, surplused, or
donated, it must be sanitized by reformatting the hard drive in a
secure manner or by using an approved wipeout utility". It provides
a step-by-step technical guideline on where sanitization programs
can be found and what actions should be taken in different situations.
Criteria:
The following criteria will be used to assess this security policy:
- Completeness: whether it contains the common elements of well-developed
policies. According to Tudor (2001), a well-developed
security policy normally contains "an introduction or background
on why the policy is necessary, what management is trying to achieve
through the establishment of the policy, the approval authority, the
authors, references to other policies and regulations, compliance
measures, consequences to violations, and date of policy". Although
not every policy needs to contain all of the above elements, they provide a
checklist for spotting where a necessary element is missing from a policy.
- Readability: whether the policies are short enough to hold the reader's
attention, or whether a digested form is provided for long policies. Policies
should be easy to read and understand. They should not contain too
much technical jargon or quote too many legal statements.
- Applicability: there should be enough guidance and information for users
to follow. Contact information, a help desk, tool availability and
step-by-step guidelines are essential in helping users comply with the policy.
- Clarity of language: policies should be unambiguous. Key terms should be
clearly defined.
Analysis:
Completeness: The set of policies has different degrees of
completeness. This may be because they were written by several authors.
Policy on Chain Letters can be taken as a good example. It answers
the following questions:
- why the policy is necessary: "The proliferation of chain
letters and other unauthorized "mass mailings" causes network
congestion and impedes the routing of legitimate e-mail messages."
- what to achieve: "NIH e-mail and Internet services are for
government use in support of the NIH mission."
- the authors: Acting Director, Office of Information Resources
Management (OIRM)
- References to other policies and regulations: there are two paragraphs
that are especially devoted to Other Prohibited Uses and Appropriate
Use of Government Resources
- compliance measures: If you receive an e-mail chain letter, you
should simply delete it. If you also wish to report it, contact your
information systems security officer (see list of contacts on the
OIRM Security Page). Other than forwarding the message--for reporting
purposes--to your information systems security officer, you should
never forward an e-mail chain letter to other individuals.
- consequence to violations: "NIH employees and authorized
users who use NIH e-mail, Internet services, and other information
resources in a manner prohibited by the DHHS Standards of Conduct
are subject to disciplinary action."
- date of policy: July 08, 1997
However, for the Policy on Remote Access, important elements that are
missing or unclear include why the policy is necessary and what
management is trying to achieve through it. There is no
stated consequence of violations either.
Readability: Generally, the policies are short and concise,
and most of them use plain language in describing technical issues.
Take the Policy on Passwords as an example: it separates its audience
into three parts (all users, system managers and IC managers) and
states each group's responsibilities separately. An ordinary
user may just look at the part for users without bothering
about the other parts. There are only one or two sentences in each
part, and the language is clear and easy to understand, such as "[c]hange
passwords at least every 6 months" and "[c]onfigure servers
and systems to require that users change passwords every 6 months."
The Policy on Remote Access also provides a good summary of the longer
NIH Policy on Remote Access to the NIH Network (NIH Manual Chapter
26101-26-08) to help users understand the core elements.
Applicability: The set of policies is quite good at providing
relevant links and guidelines for users. On the security policy
page, immediately following the five policies are fourteen links
to compliance guidance. Inside each policy, contact information
and help desk information are normally provided. For example, the
Sanitization Policy provides a contact list for help: "Consult
with your Information Systems Security Officer (a roster is located
at http://irm.cit.nih.gov/nihsecurity/scroster.html) prior to getting
rid of any computer equipment".
Clarity of language: The policies reflect different writing
styles. Some policies are very clear, while others are more casual.
Take Policy on Chain Letters again as an example. Immediately after
the first paragraph, the author(s) give the definition of chain letters
as:
"A chain letter e-mail message, sent to several addressees,
typically requests each recipient to send copies to additional individuals;
as a result, its circulation increases geometrically. Chain letters
generally have a similar pattern, consisting of three recognizable
parts: (1) a hook, which catches the reader's interest; (2) a threat,
which warns of negative consequences if the chain is not maintained;
and (3) a request, which asks that the message be forwarded to multiple
addressees. Chain letters may claim a variety of warnings (e.g.,
personal misfortune) if the instruction to forward multiple messages
is ignored. "
If anyone had doubts about what a chain letter is, they should be
clear by now. The author of Policy on Warning Banners fails to give
a definition of a warning banner, and places the emphasis on quoting
what the Department of Justice and the Office of Inspector General
recommend on this issue. Only after the policy gives an example
of a warning banner does the reader begin to understand what the author
is talking about.
Recommendations:
It is interesting to find that, although the five policies are grouped
together under security policies, they are quite different in terms
of writing style and quality. Some policies serve as better examples
than others. Policy on Chain Letters excels in completeness and
clarity. Sanitization Policy is good at providing clear and detailed
guidance to users, that is, applicability. Policy on Passwords is good
in terms of readability. Policy on Warning Banners and Policy on
Remote Access take a more casual approach, but some important elements
are missing.
My recommendations are: first, the set of policies should follow a
similar style. Common elements and clear, short paragraphs make
it easier for the targeted audience to quickly grasp the key points
the policy wants to express. After all, policies are not casual
reading, and need some effort to read through.
Second, a straightforward, right-to-the-point style is preferred.
Readers may not care about what the Department of Justice or the Office
of Inspector General would recommend. A brief statement of why the
policy is important and what management wants from the reader
concerns the reader more.
Third, Tudor's (2001) list of common elements provides good guidance on
what should be covered in a policy. These elements are important and
should generally be covered in a well-written policy. For example,
although these policies are good at providing compliance guidelines,
compliance measures and consequences of violations are only mentioned
occasionally.
References:
Tudor, Jan Killmeyer. (2001). Information Security Architecture: An
Integrated Approach to Security in the Organization. Auerbach: New York.