
SHON HARRIS

   
How to create an enterprise-wide portal policy

QUESTION POSED ON: 13 July 2006
It seems that a blind eye is being turned to removable storage devices because of their portability and ability to transfer large amounts of data (such as over 25 million veterans' personal data). Not many places seem to understand the true risks that removable storage devices pose. So I question, if you're responsible for information security, where do you draw the line between convenience and strict security guidelines?
EXPERT RESPONSE
You can use a couple of policy types with internal intranet portals and external portals facing the Internet. The most common policy is a privacy policy for Internet-facing portals. This policy outlines the types of data an organization collects from its site visitors and reviews what is done with this data. It is not necessarily something the security group or any department should write or post without the approval of management and corporate legal counsel. Now you may be asking yourself why this should be. The answer is simple: this policy is more than just a tool to inform your site's visitors that you collect data from them; it can be a legal tool as well. For example, say your organization posted an inaccurate policy stating that user information is never disclosed or shared in any way, but your organization passes potential sales leads or customer information to other partners. This is a violation of your policy. Having an inaccurate security policy could help someone who is suing your company, or it could help the prosecution if your company violated any federal or state privacy laws.

This commonly occurs when someone within a company writes their own policy terminology, posts it on a Web page or at the bottom of their email signature and doesn't communicate with the organization's legal counsel on the matter. A company should also have a privacy statement on its site that is validated by its lawyers to ensure that a misstatement is not used, because it could be detrimental to the company down the road.

NIST has developed the following standard pertaining to privacy policies:

  • http://www.nist.gov/public_affairs/privacy.htm

Privacy portal policy examples:

  • http://www.ftc.gov/ftc/privacy.htm
  • http://www.aging.state.ca.us/CDA_Privacy_Policy.html
  • http://about.aol.com/aolnetwork/aol_pp

You may be referring to another type of policy that outlines what can be posted on a portal, who is allowed to submit items to it, how the submissions should be supplied and approved, and what types of items management will not allow on the portal, etc.

I am not familiar with any specific standard on this type of policy. It would just be an issue-specific policy focused on what can and cannot be done to the company portal, who can do it and what the ramifications for non-compliance are. I have listed some issue-specific policy resources below.

If you are looking for a good example of a portal policy, please review the following site: http://security.sdsc.edu/policy/PortalPolicy.html. This may encompass what you are trying to accomplish with this type of policy.

Issue-specific policy resources:

  • http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter5-printable.html
  • http://www.ncisse.org/publications/cissecd/Papers/S2P02.pdf
  • http://www.windowsecurity.com/whitepaper/Computer_and_Information_Security_Policy_.html
  • http://www.infosecwriters.com/text_resources/policies/Issue_Specific_antivirus1.doc
  • http://www.sans.org/y2k/sec_policy.htm#6

© 2007 Logical Security, Inc.