Security Policies and Implementation Issues

Chapter 6: IT Security Policy Frameworks

Learning Objective (10/15/2019)
Describe the components and basic requirements for creating a security policy framework.

Key Concepts
- Key building blocks of a security policy framework
- Types of documents for a security policy framework
- Information systems security (ISS) and information assurance considerations
- Process to create a security policy framework

Policy and Standards Library Framework (diagram slide)

Policy Framework Components
- Policy: defines how an organization performs and conducts business functions and transactions with a desired outcome
- Standards: an established method implemented organization-wide
- Procedures: the steps required to implement a process
- Guidelines: a parameter within which a policy, standard, or procedure is suggested

Common Frameworks
- Control Objectives for Information and related Technology (COBIT)
- ISO/IEC 27000 series
- National Institute of Standards and Technology (NIST) Special Publications; example: SP 800-53, "Recommended Security Controls for Federal Information Systems and Organizations"

Access Control Policy Branch of a Policy and Standards Library (diagram slide)

External and Internal Factors Affecting Policies
Policies must align with the business model or objectives to be effective.
- External factors: regulatory and governmental initiatives
- Internal factors: culture, support, and funding

Creating a Security Policy Framework
- Set a budget
- Assemble a team
- Select a commonly accepted framework as a foundation: COBIT, ISO/IEC 27000 series, NIST SPs

Creating a Security Policy Framework (Continued)
- Use a content management system, if possible
- Cross-reference your security documents with standards
- Coordinate development with other departments in the organization
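As an added illustration of the "cross-reference your security documents with standards" step (example code written for this page, not from the slides or the textbook), the check below walks a small Policy and Standards Library organized by the slide's hierarchy (standards implement a policy, procedures implement a standard, guidelines are advisory) and reports structural gaps and required framework controls that no policy or standard cites. The `Doc` record, the `parent` field, the library contents and the required-control list are all constructed for the example; the control IDs are SP 800-53 identifiers used only as labels.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Doc:
    doc_id: str
    kind: str                      # "policy" | "standard" | "procedure" | "guideline"
    parent: Optional[str] = None   # the document this one implements (hypothetical field)
    controls: tuple = ()           # framework control IDs it cross-references

# Slide hierarchy: standards implement a policy, procedures implement a standard;
# guidelines are advisory, so they need no parent and do not count as coverage.
PARENT_KIND = {"standard": "policy", "procedure": "standard"}

def check_library(docs, required_controls):
    """Return findings: standards/procedures with no parent, ones whose parent
    is the wrong kind, and required controls that no policy or standard covers."""
    by_id = {d.doc_id: d for d in docs}
    findings = {"orphans": [], "bad_parent": [], "uncovered": []}
    for d in docs:
        want = PARENT_KIND.get(d.kind)
        if want is None:
            continue                       # policies and guidelines have no parent
        if d.parent is None:
            findings["orphans"].append(d.doc_id)
        elif d.parent not in by_id or by_id[d.parent].kind != want:
            findings["bad_parent"].append(d.doc_id)
    covered = {c for d in docs if d.kind in ("policy", "standard") for c in d.controls}
    findings["uncovered"] = sorted(set(required_controls) - covered)
    return findings

# Constructed sample library. Control IDs are SP 800-53 identifiers used only
# as labels; which document cites which control is made up for this example.
LIBRARY = [
    Doc("POL-AC", "policy", controls=("AC-1",)),
    Doc("STD-ACCT", "standard", parent="POL-AC", controls=("AC-2", "AC-6")),
    Doc("PRC-ONBOARD", "procedure", parent="STD-ACCT"),
    Doc("PRC-REVIEW", "procedure", parent="POL-AC"),   # skips the standard layer
    Doc("STD-LOG", "standard", controls=("AU-2",)),    # no parent policy
    Doc("GDL-PWD", "guideline", controls=("IA-5",)),   # advisory only
]
REQUIRED = ["AC-1", "AC-2", "AC-3", "AC-6", "AU-2"]

if __name__ == "__main__":
    for name, items in check_library(LIBRARY, REQUIRED).items():
        print(f"{name}: {items}")
```

Run against the sample library it flags STD-LOG as a standard with no governing policy, PRC-REVIEW as a procedure attached directly to a policy, and AC-3 as a required control with no document behind it.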

Roles Related to a Policy and Standards Library
- CISO: establishes and maintains security and risk management programs for information resources
- Information resources manager: maintains policies and procedures that provide for security and risk management of information resources
- Information resources security officer: directs policies and procedures designed to protect information resources; identifies vulnerabilities; develops the security awareness program
- Owners of information resources: responsible for carrying out the program that uses the resources. This does not imply personal ownership; these individuals may be regarded as program managers or delegates for the owner.

Roles Related to a Policy and Standards Library (Continued)
- Custodians of information resources: provide technical facilities, data processing, and other support services to owners and users of information resources
- Technical managers (network and system administrators): provide technical support for the security of information resources
- Internal auditors: conduct periodic risk-based reviews of information resources security policies and procedures
- Users: have access to information resources in accordance with the owner-defined controls and access rules

Case Studies on Security Policy Framework Creation
Private sector: health care organization with 7,000 devices
- Incomplete inventory; no easy way to classify assets
- Subject to HIPAA
- Used NIST SP 800-53 to establish the framework
Public sector: State of Tennessee
- Used ISO/IEC 17799 (27002)
- Policies and frameworks covered all information assets owned, leased, or controlled by the State of Tennessee
Target Corporation: 1,797 US and 127 Canadian stores
- December 2013 point-of-sale (PoS) data breach
- 40 million credit card records stolen
- 70 million records containing PII
- One of the largest data breaches of its kind

Information Assurance and Information Systems Security
(diagram: the security policy framework draws on both IA and ISS)
Information assurance (IA): protecting information during processing and use
- The 5 pillars
- Implementation of appropriate accounting and other integrity controls
- Development of systems that detect and thwart attempts to perform unauthorized activity
Information systems security (ISS): protecting information and the systems that store and process the information
- Automation of security controls, where possible
- Assurance of a level of uptime of all systems

Information Systems Security Considerations
- Unauthorized access to and use of the system
- Unauthorized disclosure of the information
- Disruption of the system or services
- Modification of information
- Destruction of information resources

Summary
- Considerations for information assurance and information security
- Process to create a security policy framework
- Factors that affect policies and the best practices to maintain policies