Having the right security documentation for your Windows-based network should be a top priority. Once you've designed the proper foundation for the security of your Windows desktop environment, the next step is putting the right security policies in place. Follow these proven techniques for ensuring success with this process and making sure they're actually working to your advantage.
Before you start assigning policies, you need to know where your business is at risk. Enacting policies that are good in name only is a waste of time. It could even get your organization into hot water by presenting a false picture of what you are actually doing. Based on the outcome of your information risk assessment, covering both technical and operational issues, you will likely need the following desktop-centric policies:
- Change Management
- Mobile Device Synchronization and Handling
- Patch Management
- Remote Access
- Removal of Computer Equipment
- Security Testing
- Security Awareness and Training
- System Logging and Monitoring
- User Authorization
- Wireless Networks
The next step is to determine what needs to be documented. Take some time to think through the security issues related to managing your desktops, and start putting together your minimum security standards and necessary policies. This isn't something, however, that you should take on by yourself. If you work for a relatively small organization where you are the chief cook and bottle washer when it comes to IT, security and compliance, talk these things over with someone in management. If you are in a larger organization, this type of security standardization and policy development should be handled by a security, compliance or IT governance committee. It likely won't work any other way.
Once you are ready to write out what you expect, I highly recommend bringing some formal structure to your security policy documents. The following security policy template has been shown to work well:
- Introduction: An overview of what you're covering, such as patch management, malware protection, system maintenance and monitoring, vulnerability testing and so on.
- Purpose: The high-level goal(s) and strategy of the policy.
- Scope: The systems (e.g., desktops, all Windows systems, office applications), users and departments that are covered.
- Exceptions: Specific systems (e.g., Windows XP and older systems), users and departments that are not covered by the policy.
- Roles and responsibilities: The people involved and what's expected of them in support of the policy.
- Policy statement: A place to state your actual policy. Be sure to make it clear that "this is how we do things here".
- Procedures: Detailed steps that outline how you're actually carrying out the policy and how it's being enforced. You might want to consider documenting your procedures in a separate document if they are more than a few sentences in length.
- Compliance metrics: The procedures and means used to measure compliance with the policy.
- Review and evaluation: When the policy will be reviewed and evaluated for accuracy, applicability, etc.
- Sanctions: Specific consequences for policy violations, such as, "X will happen on the first offense, Y for the second offense, and Z for the third offense". (This is where the value of having a security committee, or at least management buy-in and support, becomes obvious.)
- References: Laws, regulations, and frameworks, such as state breach notification laws, HIPAA, PCI DSS, ISO/IEC 27002 and so on.
- Related documents: Other policies, guidelines, standards (such as the ones I've mentioned previously) and documents that pertain to the policy.
- Revisions: The ongoing changes to the policy document (i.e., who, what, when, why).
- Notes: Notes, findings, lessons learned, etc., that can help with future policy management.
The bottom line with security policies is to make them simple and concise, outline what's expected and keep everyone informed. Also, don't forget to make sure they're actually enforced. The most important thing of all, however, is to just get rolling. If you're diligent and disciplined, you can build out your desktop security-related documentation in no time. You'll have the essentials in place, and you'll be ready to take on any new desktop software that comes your way.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, author and professional speaker at Atlanta-based Principle Logic LLC. With over 23 years of experience in the industry, he specializes in performing independent security assessments revolving around minimizing information risks. Beaver has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go.
This was first published in June 2009