Chapter 4: Security Policy Documents & Organizational Security Policies.

2 Objectives
- Compose a statement of authority
- Develop and evaluate policies related to the information security policy document's objectives and ownership
- Create and assess policies associated with the management of security-related activities
- Assess and manage the risks inherent in working with third parties

3 Composing a Statement of Authority
- The statement should be issued by an authority figure such as a CEO, President, etc.
  - Buy-in from top management is a must
  - It provides adequate credibility to the policy for all employees

4 Composing a Statement of Authority (cont.)
- The statement is an introduction to the policy
  - It sets the tone for the document
- Statement of authority and statement of culture
  - Exposes the values of the company and the security measures to be deployed to protect them
  - An attempt at "recruiting" employees to act in a secure fashion to protect the company

5 Composing a Statement of Authority (cont.)
- The goal of the statement of authority: to deliver a clear message about the importance of information security to all employees
  - If the message is not clear, employees will either act erroneously by mistake or disregard the whole document altogether
- The statement is a teaching tool
  - It should be created, promoted and used as such

6 Composing a Statement of Authority (cont.)
- The statement should reflect the company culture in both format and content
  - Information security is first and foremost cultural and behavioral
  - Employees need to identify with and embrace the company culture
  - This is made easier if the documents that make up the security policy are clearly in accordance with the company culture

7 Security Policy Document Policy
- States the need for written information security policies as well as who is responsible for creating, approving, enforcing and reviewing policies
  - These responsibilities must be clearly stated in the document so that no phase of the process is "abandoned" or ignored
  - Strong leadership is always a part of successful information security policies

8 Security Policy Document Policy (cont.)
- Emphasizes management's approach and commitment to information security
  - No information security policy can be successful without full and unequivocal support from management
- It's a policy about needing and having policies!

9 Federal Law & Information Security Policy
- Many private sector industries are federally regulated:
  - Financial sector: GLBA (Gramm-Leach-Bliley Act); SOX (Sarbanes-Oxley, which affects publicly-traded companies)
  - Healthcare: HIPAA (Health Insurance Portability & Accountability Act)
  - Educational institutions: FERPA (Family Educational Rights & Privacy Act)

10 Federal Law & Information Security Policy (cont.)
- Some organizations may fall under several federal mandates
  - If necessary, companies should hire 3rd-party experts to identify which mandates a company falls under
- ISO can be mapped to several federal mandate regulations
  - Here again, it may be advantageous to hire 3rd-party compliance experts to guide and support the company's compliance team

11 Security Policy Document Policy (cont.)
- The Information Security Policy Document policy should reference the federal and state regulations to which the organization is subject
  - It is important to integrate those regulations into the policies written for and deployed by the company
  - The first step towards compliance is awareness!

12 The Need for an Employee Version of the Security Policies
- The whole document can be too complex and intimidating
  - The goal is to create a guide to what is acceptable and what is not. Making the document too complex defeats that purpose
- The goal is for employees to read, understand and act according to the policies
  - The policies are useless without adequate employee support

13 The Need for an Employee Version of the Security Policies (cont.)
- Employees should only be given those policies that apply to them
  - Need-to-know and the concept of least privilege apply here as well!
- An Acceptable Use Agreement should be drafted and distributed to all employees
  - It should include (but is not limited to):
    - An Internet use policy
    - An use policy

14 The Need for an Employee Version of the Security Policies (cont.)
- Remind all employees that information cannot be protected unless they all buy in and adopt the policies that regulate the company
  - Again, information security is behavioral and cultural
  - There is no technical device a company can deploy to protect the confidentiality, integrity and availability of data if employees are not also enrolled in actively protecting the company's data

15 Policies are Dynamic
- Organizations change, either directly or indirectly. Their policies must also change to reflect this dynamic situation
- Scheduled, regular reviews should take place
  - Change drivers are events within an organization that affect culture, procedures, activities, responsibilities, and more
  - Change drivers must be identified and analyzed

16 Policies are Dynamic (cont.)
- Change drivers may introduce new activities and/or vulnerabilities
  - Identified change drivers should trigger new risk and vulnerability assessments
  - Companies should also have regularly scheduled risk and vulnerability assessments
  - For separation of duties purposes, vulnerability assessments should be conducted by 3rd-party consultants

17 Policies are Dynamic (cont.)
- Who is responsible for this document?
  - The ISO (Information Security Officer), or a member of upper management
- What "ownership" means:
  - Developing, maintaining and reviewing policies
  - The policy owner does not approve policies; a higher level of the company is responsible for that
- The Information Security Policy Document defines both ownership and authority

18 Policies are Dynamic (cont.)
- Decisions should include:
  - Who is in charge of security management?
  - What is the scope of their enforcement authority?
  - When should third-party expertise be brought in?

19 Managing Organizational Security
- Three topics on which to focus:
  - Information security infrastructure
  - Identification of risks from 3rd-party consultants
  - Security requirements for outsourcing

20 Managing Organizational Security (cont.)
- Designing and maintaining a secure environment requires input from representatives of each department of the company:
  - Management
  - IT (developers, network engineers, administrators)
  - HR
  - Legal and financial services
- Collaboration of all these parties is required to create and maintain a successful information security policy

22 Managing Organizational Security (cont.)
- Who is a third party?
  - Business partners
  - Vendors
  - Contractors (including temporary workers)

23 Managing Organizational Security (cont.)
- Physical security
  - Protecting the network from attacks from the outside is recommended, but a company should not forget to protect the physical security of the servers
  - Why bother to hack when you can steal?

24 Managing Organizational Security (cont.)
- If physical access for 3rd parties is allowed, proper controls must be deployed to decide:
  - Who gets physical access
  - To which areas physical access is granted
  - Whether due diligence has been extended to verify the integrity and credibility of those 3rd-party contractors

25 Outsourcing Is a Growing Trend
- Outsourcing is seen by some as a business tool used to lower costs. It also comes with risks:
  - Is the work being outsourced out of the country?
  - If so, to which country?
  - How is security handled in the culture of that country?
  - How effectively are intellectual property laws enforced and respected in that country?

26 Outsourcing Is a Growing Trend (cont.)
- Is the data secure during transmission?
  - Is the data transferred electronically?
    - What secure protocols are used?
  - Is the data physically sent overseas?
    - What courier system is used?
    - How reliable/reputable/dependable is this courier system?

27 Outsourcing Is a Growing Trend (cont.)
- Is the data securely stored while away from the corporate network?
  - What security controls are deployed at the periphery of the target network?
  - What access control methods are used on the target network?
  - What auditing methods are used on the target network?

28 Outsourcing Is a Growing Trend (cont.)
- How do you conduct due diligence on a company located halfway across the world?
  - Is this company foreign-owned, or a subsidiary of a US-owned corporation?
  - Is this company reputable?
  - Has the company sent a representative on-site to verify the information provided to them?

29 Summary
- Standards such as ISO exist to help organizations better define appropriate ways to protect their information assets.
- Written policies are not enough; the proper security infrastructure must also be deployed.
- A multidisciplinary approach to security that involves all departments will result in a unified security posture that can be adopted by the whole company.
- Because companies are not static, policies must also evolve with the company. To achieve a higher level of protection, it is recommended that companies hire security experts.