Elements of security policy style, Part 4

In this short series of articles, I am updating materials I wrote for Chapter 28 (“Security Policy Guidelines”) of “The Computer Security Handbook, 4th Edition”. This column provides suggestions on the use of hypertext for presenting security policies.

Perhaps the most valuable contribution from electronic publication of policies is the availability of hypertext. Hypertext allows a reader to jump to a different section of text and then come back to the original place easily. On paper, forward and backward references are cumbersome, and most readers do not follow such links unless they are particularly keen on the extra information promised in the reference. In electronic files, however, additional information may be as easy to obtain as placing the cursor over a link and clicking.

The most important function of hypertext for policy documents is to provide definitions of technical terms and explanations of the reasons for specific policies.

Some users are more comfortable with printed policies. Hypertext, like other formats of text, generally permits users to print out their own copies of all or part of their policy documentation. Many of the tools also allow annotations by users on their own copy of a file.

HTML

The most widely used hypertext format today is HTML. A simple click of the mouse in a Web browser branches to a different page. More sophisticated programming allows the use of frames and, with Java or ActiveX, pop-up windows. Links can also be used to open new windows so several pages are visible at once. All of these techniques allow the user to move freely through a text with full control over the degree of detail they wish to pursue.

Rich Text Format (RTF) and Proprietary Word-Processor Files

Some people prefer to use word-processor files for hypertext. As long as everyone uses the same word-processing software, this approach can work acceptably. For example, it is usually possible to insert a hyperlink to a section of a single document, to a location in a different file on disk, or to a page on the Web. Some word processors, such as Microsoft Word and Corel WordPerfect, allow one to insert pop-up comments; floating the cursor over highlighted text brings up a text box that can provide definitions and commentary.

RTF is a general format for interchanging documents among word processors, but the results are not always comparable. For example, a comment created using Microsoft Word shows up as a pop-up box with a word or phrase highlighted in the text; the same comment and marker read from an RTF file by Corel WordPerfect shows up as a balloon symbol in the left margin of the document.

Portable Document Format (PDF)

Adobe Acrobat’s PDF provides all the hyperlinking that HTML offers, but it does so in a form that can be controlled more easily. The free Acrobat reader is available for multiple operating systems. PDF documents can easily be locked so no unauthorized changes can be made. Unlike HTML and word-processor documents, PDF files can be constructed to provide near-perfect reproduction of their original appearance even if not all the fonts used by the author are present on the target computer system.

Help Files

Help files also provide hypertext capability. In Windows, one can create help files using utilities such as Help & Manual from EC Software or AnetHelpTool. Windows help files can be distributed easily to any Windows user because they are relatively small, and they are loaded almost instantly by the Help subsystem. In addition, users are permitted to add their own notes to such documents and can easily print out sections if they wish.