August 2001
RUSecure
Version: ISPT 2.0; SOS 1.2; ISOM 1.2
by Geoff Marshall
FOR
The modular nature of RUSecure means that you can choose to license only those parts that you need.
AGAINST
Only the policies can be customized, not the compiled help files.
VERDICT
RUSecure is a comprehensive suite of security policy tools that makes it easy and quick for the information security manager to generate security policies, distribute them, and deal with security questions and incidents.

RUSecure comprises a suite of three separately licensed products to help you to plan and implement security policies. It is based on the international standard ISO 17799 (Information Technology: Code of Practice for Information Security Management). The three products are: Information Security Policies Templates, Security Online Support System and Information Security Officer's Manual.

Information Security Policies Templates (ISPT) provides 'off-the-shelf' security policies that may be easily customized. Explanatory notes cover the reasoning behind the policies and refer to ISO 17799. The way in which these policies are presented is easy to understand and relate to your own business processes. They are designed to help you avoid the pitfalls into which inappropriate, ineffective, or badly thought-out policies may lead. ISPT enables the security policy maker within a company to construct a complete, well-integrated, consistent and yet customized security policy manual quickly.

Security Online Support System (SOS) delivers information security policies direct to the end user, rather than being aimed at the policy maker. It provides specific guidance to simplify policy compliance and implementation. SOS builds on the policies in ISPT to provide a way of delivering those policies, along with very specific advice on how to comply with them, to the user community within a company.

Information Security Officer's Manual (ISOM) is a computer-based reference tool for information security professionals. It is designed to provide guidance for setting up a corporate information security strategy. It helps you conduct periodic risk assessments and investigate incidents. It also covers business continuity planning.

These three products are not programs - they are document files that are delivered in a variety of formats including Adobe Acrobat, Microsoft Word 97, and Microsoft Windows Help. You don't need a full copy of Microsoft Word to access the Word documents as you can download a free Word viewer from Microsoft's web site. You need Acrobat Reader (which is also free) to view the Acrobat files, and Microsoft Internet Explorer 5.0 (or later) to view the compiled help files. In some cases the documents are duplicated in two formats: Acrobat and Word. This is because it is easier to cut and paste the policies from Word, whereas Acrobat gives a better and more consistent presentation. Also, should you wish, you can modify the original Word document, whereas Acrobat files cannot be changed, which can also be an advantage sometimes.

ISPT is supplied in both Acrobat and Word format and would be 520 pages long if printed out as an A4 document. Either version can be easily searched and both contain hypertext links to make cross-references easy to find. Each policy template is short (typically 30 to 50 words) and in plain English. There is then a full-page explanation of the policy detailing the reasoning behind it, and references to the specific relevant section of the ISO 17799 standard. You can, of course, modify these templates to suit your own circumstances and requirements, or cut and paste them into your own security policy document. The explanation of the reasoning behind each is important if you intend to modify the policy.

SOS contains basically the same policies as ISPT, but presents them in a way that is more friendly to end users than to security managers. It is delivered as a compiled help file and makes use of color, graphics and cartoon characters to present the security policies in a more interesting manner. It is designed so that end users can easily obtain advice about information security issues without the barrier that is often perceived in approaching the security manager for advice. SOS provides much detailed advice that is not contained in ISPT. For example, it advises deploying a firewall on all computers directly connected to public telecom networks via modems etc., and using dial-back security, rather than just telling you what the risks are.

You can edit the policy text to suit your own company's requirements, but not the explanations and advice. The installation options for SOS allow you to point the workstation clients to a central file server as a repository for the security policy database to ensure that everyone is working from the same policies. Notebooks or other computers that may be connected only occasionally to the network can download the policies from this central server but store them locally so that they are always available.

ISOM is supplied as a compiled help file and is easy to search for advice on information security matters. It assumes no previous knowledge of security issues and explains everything in plain English from basics. Much of what it says will be common sense to experienced information security managers but, just as a dictionary is still useful to an experienced writer, the ISOM helps resolve decisions about the finer points of risk assessment and the implementation of secure computer-based systems. It also covers the risks associated with notebook and portable computers, and business continuity planning. The risk assessment section, for example, uses a flow chart to take you through the entire risk assessment process. There is also advice on security auditing, access control, and on dealing with security-related incidents.

If you want to try out any of these products, you can download evaluation versions from the vendor's web site. The evaluation version has two restrictions. Firstly, while all the threats are identified, only 25 percent of the safeguards are presented. Secondly, while all the information security policies are provided and are viewable, they cannot be edited. The full versions can be supplied on CD-ROM or purchased electronically over the Internet.

The prices given are for a corporate-wide license for ISPT and a single-user license for ISOM, while SOS is licensed on a per-user basis on a rapidly reducing scale as the number of users increases. Although the three products complement each other to provide a complete solution for security policies, you could argue that, if you buy SOS, you don't need ISPT. To some extent this is true, but what you don't get with SOS are the references to the ISO 17799 standard. Meanwhile, the ISOM is more of a strategic reference document for the information security officer.
Contact Information:
  
RUSecure

North America
Supplier: GlendaleSystems.com Ltd
Price: $295 (ISOM); $595 (ISPT); from $745 (SOS)
Contact: info@glendalesystems.com
www.rusecure.co.uk

UK/Europe
Supplier: GlendaleSystems.com Ltd
Price: £210 (ISOM); £425 (ISPT); from £530 (SOS)
Contact: +44 (0)1 372 360066
info@glendalesystems.com
www.rusecure.co.uk
 

SC On-Line
SC Magazine
www.scmagazine.com

Copyright © 2001 West Coast Publishing. All rights reserved.