{"id":1072,"date":"2014-12-08T20:05:10","date_gmt":"2014-12-08T20:05:10","guid":{"rendered":"https:\/\/trouble.org\/?p=1072"},"modified":"2014-12-08T20:05:10","modified_gmt":"2014-12-08T20:05:10","slug":"1072","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=1072","title":{"rendered":"<3 Policy"},"content":{"rendered":"<p><img decoding=\"async\" class=\"alignright\" style=\"border: 2px solid #b2b2b2; margin: 10px;\" src=\"https:\/\/trouble.org\/uploads\/2014\/12\/rc-150x150.jpg\" alt=\"rc\" \/><br \/>\n<strong>Security Policies<\/strong><\/p>\n<p>Let us praise, slay, and bury security policies together.<\/p>\n<p>A security policy is perhaps the best way to deal with the security monster. It concerns itself with business and organizational issues, and is designed to help the organization succeed in spite of human nature.<\/p>\n<p>I sometimes not-so-glibly say that a security policy is simply an expression of your desire. What do you want to see happen within your organization?<\/p>\n<p>But ultimately a security policy is an information and resource filter.<\/p>\n<p>It covers both the strategy and tactics of the implementation and design of your organization\u2019s security posture.<\/p>\n<p>And let me tell you (if I have to!), this is a lot of work. At least a book\u2019s length of material covering everything about security in your organization. No one person could write it alone, and it needs to capture the business, spirit, and the culture of your organization\u2026 and when anything changes, it needs to change alongside it as well. Exceptions alone could fill up a book. 
All of this is particularly tricky when dealing with rapidly moving technology and when companies merge or integrate with other organizations.<\/p>\n<p>A reasonable way to measure security is simply how well a computer adheres to its security policies; assuming the policies are sound and up-to-date and a user, network, or computer complies with them, you may meaningfully call them secure. It doesn&#8217;t mean that nothing bad could happen; it simply means that it&#8217;s doing what you want, and there is, at times, a large gulf between the two.<\/p>\n<p>And while it is a little facile, you could claim that your security level is simply:<\/p>\n<p>Security = (Policy \u2013 Non-Compliance) \/ 100<\/p>\n<p>Audits are, of course, vehicles to measure compliance. And while there is a surfeit of<\/p>\n<p>Not all computers, users, and resources are created equal, of course, and a policy must reflect the different roles that everyone plays within the organization. IT administrators are granted access to key resources where sales personnel are not, for instance. Servers providing key resources are usually locked down more than a sales person\u2019s laptop. And so on.<\/p>\n<p>When a device undergoes some fundamental or structural change in its role or usage, its policy must change along with it as well.<\/p>\n<p>And, of course, to create the right filters there are a number of steps that must be taken. In 1989 Fites et al. wrote in &#8220;Control and Security of Computer Information Systems&#8221; that one should:<\/p>\n<p>1. Identify what you are trying to protect.<br \/>\n2. Determine what you are trying to protect it from.<br \/>\n3. Determine how likely the threats are.<br \/>\n4. Implement measures which will protect your assets in a cost-effective manner.<br \/>\n5. 
Review the process continuously and make improvements each time a weakness is found.<\/p>\n<p>These certainly sound common-sensical and might well be the overall strategy or battle plan to attack the security policy problem.<\/p>\n<p>However, as Donald Knuth wrote in his Turing Award acceptance speech, \u201cscience is knowledge which we understand so well that we can teach it to a computer; and if we don\u2019t fully understand something, it is an art to deal with it.\u201d He also was an advocate of something he called Literate Programming, where he talked of curling up by the fire on a cold winter eve and sitting down to read a program like one would read a book. It&#8217;d be delightful to think the same of a security policy, although I must confess the ones I typically see I&#8217;d prefer throwing into the fire rather than curling up and warming my cockles* with.<\/p>\n<p>We are a long way from teaching computers how to deal with policies.<\/p>\n<p>Perhaps I\u2019m asking too much, or assuming too much difficulty. There are certainly a plethora of policy books, reference materials, and computer products with pre-canned policies, eager to get your hard-earned dollars. Surely they\u2019re not all selling snake oil?<\/p>\n<p>Charles Cresson Wood is (was?) a well-known security policy pusher. On the web site that sells his book and CD (for $800), it said:<\/p>\n<p style=\"padding-left: 30px;\"><em>Struggling with information security policies? Relax. We&#8217;ve created the most complete set of leading practices available &#8211; so you don&#8217;t have to. Over 1350 policies ready for you to customize. Why reinvent the wheel when we have been perfecting it for years?<\/em><\/p>\n<p>I would ask you a favor. If a salesperson, vendor, or security guru comes to you claiming that they can write the book on your security policies and practices, that they know your situation better than you\u2026 throw them out. 
Study such things, beg, borrow, or steal (just kidding) security policies and implementation ideas from your friends. But you need to do this yourself, as you are \u2013 like it or not \u2013 the expert.<\/p>\n<p>A security policy is more than a book \u2013 it\u2019s a blueprint, a foundation, a philosophy, a veritable virtual bible that not only all your users must abide by, but from which all of your business units, processes, dealings with customers and 3rd parties\u2026 everything springs. Allowing an outsider to set the tone of your organization\u2019s fundamental business philosophy \u2013 for that\u2019s what it is \u2013 would be tragic.<\/p>\n<p>Writing a policy is something akin to being a prophet; you are translating the will of the higher powers to the ignorant masses. Embrace this.<\/p>\n<p><strong>Meta policies<\/strong><\/p>\n<p>One of the less talked about but more important aspects of policies is the set of statements that define the basic posture that should consistently permeate your policy documents. These are not so much individual mandates for particular areas as broad or global statements that should color all aspects of every security function throughout your organization (!). This is one of the most important components of your policy to widely disseminate.<\/p>\n<p>First and foremost \u2013 what is your security posture? While you can slice and dice it a million ways, the basic question of whether you think that an allow-all or deny-all posture is more appropriate (and in which areas) is something that is surprisingly absent from most people\u2019s security policy lexicon. 
Not only does this bubble down to how to configure, say, firewalls, but when in-house developers are writing applications, this should influence their overall design and architecture.<\/p>\n<p>For instance, simply because the commodity traders on the floor can\u2019t be interrupted in their business (or, at least, think they shouldn\u2019t be) doesn\u2019t mean that they shouldn&#8217;t adhere to transparent security terms and conditions. And because you allow such fluidity to the traders it doesn\u2019t mean that their actions and computers shouldn\u2019t be closely examined &#8211; indeed, the reverse is true. And most definitely it doesn&#8217;t mean that security controls should be removed.<\/p>\n<p>It\u2019s just these kinds of issues that should be emblazoned, in bold type, throughout your policy documents. What risks are you willing to take? How high do you want people to jump (and if it&#8217;s too high, you might consider a different vocation)? But really, how secure is enough? Is it CYA, industry standard, best practices, keep-out-of-newspapers, keep-your-job, or&#8230;? I&#8217;m not here to preach &#8211; that&#8217;s your job. But security should never sacrifice clarity.<\/p>\n<p><strong>Policies as literature<\/strong><\/p>\n<p>Indeed, security policies could be considered their own art form, for at their best they\u2019re an absolutely unique mix of highly technical writing alongside, and mixed in with, fluid prose.<\/p>\n<p>Is it a stretch to say that writing a security policy is art? I don\u2019t think so. Indeed, I would claim that there is a specific kind of art it closely resembles \u2013 or, rather, should resemble, and that is literature.<\/p>\n<p>This starts to get at one of the more unusual aspects of policies \u2013 their layered construction. Layers \u2013 or abstractions, if you\u2019d like \u2013 permeate the design, literature, and production of computers. 
Whether the 7 layers of the OSI networking model (applications to physical) or the virtual abstraction layers on computers that transport physical bits to physical screens, going from the physical media to bits, bytes, files, the running kernel, applications, etc. that lead us back to the physical world of peripherals and screens\u2026 to the political and business models within your organization, layers and abstractions abound.<\/p>\n<p>Security policies have to deal with all these layers, and are ideally constructed in layers themselves, the higher layers designed for humans and the lower levels for computers.<\/p>\n<p>By this I mean the highest layer of a policy should lay out the overall security strategy as well as the basic defensive postures (more on that in a bit). The lowest layers could be configuration files, pointers to programs, etc., and are what computers either directly consume or run to give you various functionalities.<\/p>\n<p>[hypertext is well-suited for this. Look at knuth, other notes, etc.]<\/p>\n<p>Come on, you might say. Sure, this is writing that should be read by people, but literature? Well, let\u2019s consider some of the defining components of literature.<\/p>\n<p style=\"padding-left: 30px;\">\u2022 Technically well written. Even (especially?) the oddball stuff (James Joyce and E. E. Cummings come to mind) is written by people with a real mastery of the language used.<\/p>\n<p style=\"padding-left: 30px;\">\u2022 It can remind you of the best parts in life or show you those you never knew existed.<\/p>\n<p style=\"padding-left: 30px;\">\u2022 Leaves a lasting impression.<\/p>\n<p style=\"padding-left: 30px;\">\u2022 It teaches.<\/p>\n<p style=\"padding-left: 30px;\">\u2022 It is a joy to read.<\/p>\n<p>I claim that there is nothing about literature that you wouldn\u2019t want to imbue into a security policy. Indeed, your audience is nearly identical as well \u2013 here is a group of well-educated people who love to read. 
And since it\u2019s obvious that most people don\u2019t understand security \u2013 here you get to entertain, teach, leave a lasting impression, and as a bonus you even get paid significantly more than other writers!<\/p>\n<p>I think the long history of dry, dull, poorly written and unkempt security policies arises from where they come from. In the beginning it was mostly governmental employees and extraordinarily technical people who deeply understood computers. Neither set has a legacy of producing deathless prose. Furthermore I believe that this is a significant part of the problem with our ignorant user base \u2013 we treat them as second class citizens who waste our time doing idiotic things and further slap them in the face with poorly written policies that are probably ill-designed and out of date the minute they were written.<\/p>\n<p>This is not easy stuff. Unique challenges are ahead, like putting a high-level look at biz issues and tech that transcends changes below.<\/p>\n<p>It also\u00a0means that, fundamentally, there must be different ways of expressing different notions and ideas. It requires teamwork, cooperation, and a steely eyed gaze to the future. And it takes a lot of different heads to put the thing together; surely when John Donne wrote &#8220;no woman is an island&#8221; he was expounding on security policies.<\/p>\n<p>Plus, whenever a new medium of expression appears there is a burst of activity as people explore the possibilities. Here is your chance to be a pioneer as well as a good person.<\/p>\n<p><strong>Beauty &amp; Quality<\/strong><\/p>\n<p>To be clear, I\u2019m not simply talking about a literate and functional approach to writing policy. I\u2019m actually referring, quite literally, to creating a beautiful, aesthetic piece of work that can be appreciated as real art; to use the framework of security policies and procedures as an art form. 
I believe that when a policy is constructed it can combine some of the wonderful elements of improvisational jazz along with literature and technology to produce something that transcends function and provides a beautiful form as well.<\/p>\n<p>There are books on style in language (e.g. The Elements of Style by Strunk &amp; White) and programming (e.g. Elements of Programming Style by Plauger &amp; Kernighan), but nothing to my knowledge on style and elegance in writing security policies.<\/p>\n<p>Certainly when critiquing art, or when attempting to recognize quality, great care should be taken. Zen and the Art of Motorcycle Maintenance is a remarkable, and remarkably odd, book that makes some moves in this direction. On the surface it\u2019s a tale of a father, son, and a motorcycle journey, but at its heart it takes the question of quality dead on, and, in doing so, of course, dooms itself to failure. At one point he says \u201cquality is what you like\u201d, and I think that security policies are the same. Unique, individual, and monumental in importance.<\/p>\n<p>Many people seem to feel that if you follow certain rules and procedures; if you follow the rules of the game, then a quality piece of work will ensue. I think the important thing is the expression itself; if you are happy with the means and medium you\u2019ve chosen and put perspiration and inspiration into it, the end result should be more than satisfactory. Anyone who has read a stultifyingly boring policy would at least appreciate the care and effort that you could put into it. 
And to those naysayers who believe that engineers or security mavens can\u2019t create art, I\u2019d point to Wallace Stevens, an executive for Hartford Accident and Indemnity, who created some of the greatest poems in the 20th century.<\/p>\n<p>I couldn\u2019t bear having a talk about art without some in it; here&#8217;s an extraordinary poem written by an extraordinary man, Wallace Stevens, who was an insurance executive by day, and exquisite writer by night.<\/p>\n<p style=\"text-align: right;\">October, 1921<\/p>\n<p style=\"padding-left: 30px;\"><em>The Snow Man<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>One must have a mind of winter<\/em><br \/>\n<em> To regard the frost and the boughs<\/em><br \/>\n<em> Of the pine-trees crusted with snow;<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>And have been cold a long time<\/em><br \/>\n<em> To behold the junipers shagged with ice,<\/em><br \/>\n<em> The spruces rough in the distant glitter<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>Of the January sun; and not to think<\/em><br \/>\n<em> Of any misery in the sound of the wind,<\/em><br \/>\n<em> In the sound of a few leaves,<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>Which is the sound of the land<\/em><br \/>\n<em> Full of the same wind<\/em><br \/>\n<em> That is blowing in the same bare place<\/em><\/p>\n<p style=\"padding-left: 30px;\"><em>For the listener, who listens in the snow,<\/em><br \/>\n<em> And, nothing himself, beholds<\/em><br \/>\n<em> Nothing that is not there and the nothing that is.<\/em><\/p>\n<p>I&#8217;ve never read any of Wallace&#8217;s corporate writing, but I would think that he could teach us all a thing or two on how to communicate and coin a phrase both within and without the business world. 
&#8220;One must have a mind of winter&#8221; &#8211; that&#8217;s simply transcendent.<\/p>\n<p>I feel obliged to note that I\u2019m not crying out for a resurgence\u2026 umm\u2026 perhaps there is no \u201cre\u201d in there\u2026 in poetry within security policies. As Christopher Alexander writes in A Pattern Language:<\/p>\n<p style=\"padding-left: 30px;\"><em>The difference between prose and poetry is not that different languages are used, but that the same language is used differently. In an ordinary English sentence, each word has one meaning, and the sentence too, has one simple meaning. In a poem, the meaning is far more dense. Each word carries several meanings; and the sentence as a whole carries an enormous density of interlocking meanings, which together illuminate the whole.<\/em><\/p>\n<p><strong>Dynamism today<\/strong><\/p>\n<p>I should note that any policy or strategy that doesn\u2019t take the dynamic nature of computing and organizations today into account is going to be inherently flawed.<\/p>\n<p>I\u2019ll even go farther. I think questions like \u201chow many computers are on the network\u201d or \u201cwho is using the network\u201d, or &#8220;are we secure&#8221; (ironic, that one, here, eh?), if asked in a traditional form, are nonsensical for any but absolutely trivial organizations. Not only do people not know how many computers they have, they certainly don\u2019t know how many are on the network at any given time\u2026 and how do you account for someone plugged into a conference room, or a contractor, or the cell phone user checking her email? M&amp;A&#8217;s, reorganizations, the ebb and flow of employees, contractors, and third party folks create a living, breathing entity that one has to account for in the written policy, or you&#8217;re dead.<\/p>\n<p><strong>Doing a job well<\/strong><\/p>\n<p>Writing a good policy is hard. 
Creating something that will last, something that is meaningful, that transcends the medium, is very difficult.<\/p>\n<p>I&#8217;ve always loved the word and the writing form of essay, which (as I understand it) comes from the French word essai, and was popularized by another brilliant writer, Michel Montaigne; it means something akin to effort, or trial. An essay has something of yourself imbued in it, and attempts to go beyond the norm, to create a sort of fusion of yourself and the topic at hand in an attempt to create something better than both.<\/p>\n<p>There are reasons to try to rise above; pride, but not arrogance, in one\u2019s work. Making the world a better place when you\u2019re gone. Making a name for yourself. Laying the foundations for others. But perhaps the best is teaching &#8211; giving back to the world after you&#8217;ve taken for a lifetime.<\/p>\n<p>I recently went to Italy, and was struck by the Roman Coliseum &#8211; what an astonishing piece of work. It is nearly 2000 years old, and we\u2019re still building stadiums in the same way, just not as well or with such permanence. Would you rather build Riverfront or the Coliseum? Perhaps if we approached security policies with this mindset we&#8217;d all benefit.<\/p>\n<p>We need more. More training, schooling, writing about policies and not simply boilerplates for more of the same. We also need new labels for policy professionals. 
Policy architect, designer, specialists, engineers&#8230; I like the sound of a policy engineer!<\/p>\n<p>No matter what, as security folks let&#8217;s hold our heads high, rise above, and usher in a new age, a golden age, of security policies.<\/p>\n<figure style=\"width: 192px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright\" src=\"http:\/\/www.theshellshop.co.uk\/sites\/theshellshop.co.uk\/files\/imagecache\/product_full\/S-AFRICAN-HEART-COCKLE-GT.jpg\" alt=\"http:\/\/www.theshellshop.co.uk\/sites\/theshellshop.co.uk\/files\/imagecache\/product_full\/S-AFRICAN-HEART-COCKLE-GT.jpg\" width=\"192\" height=\"150\" \/><figcaption class=\"wp-caption-text\">cocklemania!<\/figcaption><\/figure>\n<p>* According to wikipedia.com, a cockle &#8220;is a small, edible, saltwater clam, a mollusc in the family Cardiidae.&#8221;<br \/>\nNo one seems to really know where the phrase warming one&#8217;s cockles came from, although some theorize that they&#8217;re sort of heart shaped, like this fine specimen of cockletude.<\/p>\n<p><strong>References<\/strong><\/p>\n<p>[Fites 1989] M. Fites, P. Kratz, and A. Brebner, &#8220;Control and Security of Computer Information Systems&#8221;, Computer Science Press, 1989.<\/p>\n<p>[IAB-RFC2196, 1997] Internet Activities Board, &#8220;Site Security Handbook\u201d, RFC 2196, IAB, September 1997.<\/p>\n<p>[Bernstein, 1998] Peter L Bernstein, \u201cAgainst the Gods, The Remarkable Story of Risk\u201d, 1998.<\/p>\n<p>[Knuth, 1974] Donald E. Knuth, \u201cComputer Programming as an Art\u201d, Communications of the ACM, December 1974.<\/p>\n<p>[Denning, 1992] Peter J. 
Denning, \u201cWhat is Software Quality?\u201d, Communications of the ACM, Jan 1992.<\/p>\n<p>[Alexander, 1977] Christopher Alexander, et al, \u201cA Pattern Language\u201d, Oxford University Press, 1977.<\/p>\n<p>Wallace Stevens, The Snow Man:<\/p>\n<p>Original text: Harmonium (New York: Alfred A. Knopf, [September 7], 1923): 24. York University Library Special Collections 734; First publication date: October 1921; Publication date note: Poetry 19 (October 1921)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Policies Let us\u00a0praise, slay, and bury security policies together. A security policy is perhaps the best way to deal with the security monster. It concerns itself with business and organizational issues, and is designed to assist the organization succeed in spite of human nature. I sometimes not-so-glibly say that a security policy is simply [&hellip;]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[96,211,33,19,4,6,35],"tags":[295,293,294,296,318,297],"class_list":["post-1072","post","type-post","status-publish","format-standard","hentry","category-art","category-audit","category-dinosaur","category-philosophy","category-security","category-tech","category-work","tag-frippery","tag-odes","tag-poems","tag-policies","tag-security","tag-weird"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1072","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1072"}],"version-history":[{"count":4,"href":"ht
tps:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1072\/revisions"}],"predecessor-version":[{"id":1077,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/1072\/revisions\/1077"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}