Recently in Policy writing Category

Handling sensitive information


One of the hardest incident types for an incident handler to address is one in which a properly authenticated and duly authorized user decides to misuse her privileges.

Imagine a situation in which an employee has access to human resources records for legitimate reasons.

I am the information security professional charged with protecting that information, but the assessment of whether someone should be granted access (and if so, under which conditions) must be made by the information owner, not by me. In the example, if the owner of the HR database decides that a user has a legitimate need for access, it is my job to provision that access in a controlled fashion.

I have just started to consolidate several best practices and operational procedures for handling confidential information. I am using the results of this effort to set a confidential information handling policy. It seems that the policy itself may turn out to be very simple:

  1. Confidential information may only be collected, stored and processed if a need to do so exists, and if that need cannot be satisfied in any other way.
  2. Confidential information must be destroyed when it is no longer needed.
  3. Confidential information must be handled with due care.
  4. When loss of, or unauthorized access to, confidential information is detected or suspected, the Information Security Officer must be notified and an information security incident will be declared.

Is there anything else I need to address at the policy level? Obviously, at the level of the supporting standard, the requirements for due care must be spelled out in more detail, but the four points above seem to cover most of it.

Information security framework

A 0day with an automatic discovery and dissemination tool shouldn't be a surprise to anyone. The fact that it's hit hundreds of thousands of sites in less than a couple of weeks is slightly surprising, though it mainly means that the bad guys are moving fast. Is this just the next step in Internet security, where we have new 0day vulnerabilities sweeping through web servers on a regular basis?
Source: Network Security Blog
Observations like this once more seem to confirm that the bad guys are increasingly focusing on OSI layer 7 (the application layer) and above. Perimeter controls should not be ignored, but simply putting up a firewall to keep unwanted traffic out, and an IDS to make sure the firewall is doing its job (or an IPS, if you prefer), is no longer sufficient.

Information Classification


One of the responsibilities assigned to me in my current position is the development and implementation of a comprehensive information security policy. In line with the premise that what you do not know about, you cannot protect, I started by drafting an information classification policy.

In researching how other organizations approach such a policy, most of the examples I found focused on the well-known categories: public, sensitive, and confidential, or variations on that theme.