Creating a Security Policy
A Security Policy can be one policy or a collection of policies that state what the library should protect, how it should be protected, how to respond to security threats, and who should be involved in that response.
Creating a Security Policy involves several preliminary steps:
- Create a security team
- Develop usage policy statements
- Review security policies from other similar organizations
- Conduct a risk assessment
A security team should be the group that not only creates the policy but is also responsible for implementing it. Team members should include library administration staff, the librarians and IT staff who are responsible for systems and computers, and the staff who assist with the public-use computers. Ideally, every department will have a representative on the team.
There are two broad categories of usage policy statements: statements of the library's roles and responsibilities and statements concerning users' roles and responsibilities. Some of these statements may be pre-existing, such as a Remote Access Policy, a Password Policy and an Acceptable Use Policy. These can simply be reviewed (and updated if necessary). A Library Security Roles and Responsibilities Policy should state what the library does to protect and maintain resources and why. For instance, the policy could state that the library provides desktop security measures, anti-virus software, Internet filtering (or not), and so on. Reasons for these measures should be explained.
Users' roles and responsibilities policies are more numerous. They may include statements such as:
- What is acceptable on the library's network, including staff and public access computers
- That the computers and network are owned by the library, and that they are:
  - Provided to the public for specific, enumerated reasons
  - Provided to the staff for specific, enumerated reasons
- Which local statutes and federal laws end users must follow when using the library network, including:
  - Laws governing use of copyrighted materials
  - Laws governing obscenity and child pornography
- What is NOT allowed:
  - Using email to harass or intimidate anyone
  - Running password crackers
  - Installing unlicensed or pirated software
  - Turning on file-sharing
  - Running streaming media applications
- Whether or not the system is monitored
- How the library enforces the policy; what happens if someone is caught breaking the rules
Whenever possible, review security policies from other similar organizations—after all, why re-invent the wheel? Most universities have security policies available online. Finally, conduct a Risk Assessment to determine what assets the library wants to protect and why. You may want to include this as part of the security policy effort.
Components of a Security Policy
A Security Policy has the following basic components:
- Objective or Abstract
- Scope
- Responsibilities
- Physical Security
- Network Security
- Software Security
- Disaster Contingency Plan
- Acceptable Use Policy
- Security Awareness
- Compliance
The Objective or Abstract should be a mission statement that defines the objectives of the policy. It summarizes what types of assets are important, why the library needs to protect them, and the procedures to be followed to protect them. The Scope defines the specific assets to be protected by the policy, based on the Risk Assessment. It also defines who must follow the policy, such as members of the public, employees, outside contractors, and vendors. The Responsibilities component describes who is responsible for protecting the assets defined in the Scope, and how. It generally outlines users' security responsibilities, but it can also include the roles of particular users, such as IT department managers and administrators.
The Physical Security section states how the library will physically protect its facility and assets. It should also state who has access to restricted areas, such as server rooms and telecommunications closets. Network Security states how the library will protect data stored on the network(s). It should include information on:
- Workstation security
- Access control and authentication measures
- File system security
- Remote access controls
- Network monitoring
- Port restrictions
- Firewalls, proxy servers and border routers
Software Security states how the library will use commercial and noncommercial software on servers, network devices and workstations. It describes who is allowed to purchase and install software, who can download from the Internet, and how to deal with violators. The Disaster Contingency Plan should cover both hardware and software (for more on this topic, see Disaster Planning for Computers and Networks). The hardware section should include a list of equipment to be saved; a detailed hardware inventory with the specifications needed to replace critical assets; a list of the personnel needed to restore servers; and a restore priority. The software section should include information on software/data backups and their off-site storage locations, the personnel needed to restore data, and a restore priority.
An Acceptable Use Policy details the acceptable ways in which the network can be used, including acceptable use of the Internet, acceptable use of computers, limitations on computer use (such as time constraints or filtering restrictions), and sanctions to be imposed if acceptable use standards are not met. Security Awareness states what level of awareness of security issues staff are expected to have. Compliance includes details about sanctions to be imposed if the security policy is violated. Sanctions may include:
- Disconnection from network
- Loss of network privileges
- Personnel disciplinary action
- Legal action
Security Policies are not easy to create. They require a lot of effort by many people. Furthermore, they must be constantly reviewed and updated in response to changes in the organization, additional hardware or software, security breaches, new vulnerabilities, and new threats. Also consult the following:
- Users' Security Handbook - RFC 2504, from the IETF Network Working Group, is "intended to provide users with the information they need to help keep their networks and systems secure."
- Site Security Handbook - RFC 2196, from the IETF Network Working Group, is "a guide to developing computer security policies and procedures for sites that have systems on the Internet."
- The SANS Security Policy Project - Site devoted to information about developing a security policy; includes templates that can be used to quickly develop different types of policies.
- Guide for Developing Security Plans for Information Technology Systems (NIST Special Publication 800-18; PDF file) - Overview of the security planning process