Information Systems Security Policies & ISO 17799


Information Systems Security Policies & ISO 17799
Maria Karyda, PhD, mka@aegean.gr
Laboratory of Information and Communication Systems Security
Department of Information and Communication Systems Engineering
University of the Aegean, Karlovassi, Samos, GR-83200, GREECE

Overview
- Information Systems Security Policies
  - What is a Security Policy?
  - Why do we need them?
  - How can we design a Policy and what should we include?
  - What makes a Security Policy effective?
- Information Security Management Standards
  - How can the ISO 17799 assist us?
IPICS – Chios, July 2005

Information Systems Security Practices
- Information Systems Risk Management
  - aims to reduce risk to an acceptable level by applying risk analysis and management methods (e.g. OCTAVE, CRAMM, SBA)
  - baseline security is also an option
- Information Systems Security Policy
  - the most common security management practice
  - based on risk evaluation results
  - based on standards and best practices

What is a Security Policy?
High-level statements describing the security goals, priorities and the management intention with regard to information systems security, as well as the ways to achieve these goals. Written in one or more documents.

Information Systems Security Policies
- Design
- Implement
- Publish
- Enforce
- Monitor compliance
- Evaluate
- Review
- Amend and update

Who is involved?
- Security experts: design, review and update the policy
- System / network administrators: implement security controls and guidelines
- Management: set security goals, provide resources
- Users: follow security procedures
- Auditors: monitor compliance

Related Concepts
- Law and Regulations: security requirements, e.g. Data Protection, Intellectual Property
- Management: security requirements such as confidentiality, availability, privacy, integrity, non-repudiation
- Best practices and Security Standards: security countermeasures, guidelines and procedures

Why do we need a security policy? -1-
- Provides a comprehensive framework for the selection and implementation of security measures
- A means of communication among different stakeholders
- Management of resources: people, skills, money, time
- Conveys the importance of security to all members of the organization

Why do we need a security policy? -2-
- Helps create a “security culture”: shared beliefs and values concerning security
- Legal obligation
- Helps promote “trust relationships” between the organization and its business partners / clients

Designing a Security Policy: security goals elicitation
- Risk evaluation
- Other sources of security requirements:
  - management
  - legal framework
  - contractual obligations
  - users and administrators
  - business partners and clients

Designing a Security Policy: issues to be addressed
- Goal and security targets
- Scope
- Assets covered by the Policy: data, software, hardware, locations, processes etc.
- Roles and responsibilities
- Compliance monitoring: incentives, penalties etc.
- Time

What kind of Security Policies are there?
- Computer-oriented Security Policies
  - Information Security Policies that implement access control (Discretionary Access Control, Mandatory Access Control)
  - in operating systems, networks, applications
- Human-oriented Security Policies
  - scope: department, organization
  - applied by IS users
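The two computer-oriented policy types named on this slide, modelled in a short Python example added here (it is not part of the original presentation). The subjects, labels and file are constructed, and the MAC rules follow the Bell-LaPadula no-read-up / no-write-down model as an illustrative choice:

```python
# Added example (not from the slides): a minimal model of the two
# computer-oriented policy types named above, DAC and MAC. All names are constructed.
from dataclasses import dataclass, field

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    """MAC security label: a sensitivity level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # A dominates B when A's level is at least B's and A's compartments
        # include all of B's (the usual lattice ordering on labels)
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class DacObject:
    """DAC: the object's owner decides who may access it, via an ACL."""
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of modes

    def grant(self, granter, subject, mode):
        # only the owner may change the ACL; returns whether the grant applied
        if granter != self.owner:
            return False
        self.acl.setdefault(subject, set()).add(mode)
        return True

    def allows(self, subject, mode):
        return subject == self.owner or mode in self.acl.get(subject, set())


def mac_allows(subject_label, object_label, mode):
    """Bell-LaPadula style MAC check: no read up, no write down.
    Labels are assigned by the organization, so no owner can override this."""
    if mode == "read":   # simple security property
        return subject_label.dominates(object_label)
    if mode == "write":  # *-property: may only write to labels that dominate yours
        return object_label.dominates(subject_label)
    return False


def demo():
    """Constructed scenario: alice owns a file and grants bob read access."""
    f = DacObject(owner="alice")
    dac_before = f.allows("bob", "read")
    f.grant("alice", "bob", "read")
    dac_after = f.allows("bob", "read")
    # under MAC the owner's grant is irrelevant: bob's clearance label decides
    secret_hr = Label("secret", frozenset({"HR"}))
    bob = Label("internal")
    mac_read = mac_allows(bob, secret_hr, "read")    # read up -> denied
    mac_write = mac_allows(bob, secret_hr, "write")  # write up -> permitted
    return dac_before, dac_after, mac_read, mac_write
```

The contrast is the point of the slide: under DAC the outcome changes as soon as the owner edits the ACL, while under MAC the same user is still denied because the organization, not the owner, set the labels.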

Security Policies Structure -1-
- Individual Security Policies
  - one policy per application or system (e.g. email policy), “use policies”
  - Pros: effective for isolated systems and autonomous applications
  - Cons: high complexity, fragmented IS security management

Security Policies Structure -2-
- Comprehensive Security Policies
  - one document addressing all applications, processes and systems
  - Cons: big volume, not easy to use; contain only high-level security guidelines

Security Policies Structure -3-
- Modular Security Policies
  - comprehensive document with multiple annexes containing specific (e.g. per application or system) policies
  - can be in hypertext form

ISO/IEC 17799
- First Edition: 01-12-2000
- Prepared by the British Standards Institution (as BS 7799) and adopted by Joint Technical Committee ISO/IEC JTC 1, Information Technology, in parallel with its approval by the national bodies of ISO and IEC.
- “Information technology — Code of practice for information security management”
- New Edition: June 2005

Security Policies Content -1- (based on ISO 17799-2000)
I. Organizational Security
“Information security is a business responsibility shared by all members of the management team.”
- Information security infrastructure
  - management should approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization
  - co-operation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance

Security Policies Content -2- (based on ISO 17799)
II. Asset classification and control
- Asset accountability: accountability should remain with the owner of the asset. Responsibility for implementing controls may be delegated.
- Information classification: information should be classified to indicate the need, priorities and degree of protection, depending on varying degrees of sensitivity and criticality.

Security Policies Content -3- (based on ISO 17799)
III. Personnel security
- Security in job definition and resourcing
- User training: users should be trained in security procedures and the correct use of information processing facilities to minimize possible security risks.
- Responding to security incidents and malfunctions
  - weaknesses, malfunctions
  - learning from incidents
  - disciplinary process

Examples*
- “The Terms and Conditions of Employment of the Organization are to include requirements for compliance with Information Security”
- “All staff must have previous employment and other references carefully checked”
- “All employees must comply with the Information Security Policy of the Organization. Any Information Security incidents resulting from non-compliance will result in immediate disciplinary action”
* RUSecure™ Information Security Policies

Examples*
- “The Organization is committed to providing regular and relevant Information Security awareness communications to all staff by various means, such as electronic updates, briefings, newsletters etc.”
- “Periodic training for the Information Security Officer is to be prioritized to educate and train in the latest threats and Information Security Techniques”
- “The Organization is committed to providing training to all users of new systems to ensure that their use is both efficient and does not compromise Information Security”
* RUSecure™ Information Security Policies

Security Policies Content -4- (based on ISO 17799)
IV. Physical and environmental security
- Secure areas: security perimeter, entry controls; the protection provided should be commensurate with the identified risks
- Equipment security
- Safety

Examples*
- “A formal Hardware Inventory of all equipment is to be maintained and kept up-to-date at all times”
- “All information system hardware faults are to be reported promptly and recorded in a hardware fault register”
* RUSecure™ Information Security Policies

Security Policies Content -5- (based on ISO 17799)
V. Communications & operations management
- Operational procedures and responsibilities: incident management procedures, segregation of duties, separation of development and operational facilities
- System planning and acceptance: capacity planning, performance requirements, system acceptance
- Protection against malicious software
- Back-ups, logging
- Network management
- Media handling: tapes, disks, cassettes
- Information exchange between organizations: policy on the use of e-mail or fax
- Electronic commerce security

Examples*
- Policy statement on the use of fax: “Sensitive or confidential information may only be faxed where more secure methods of transmission are not feasible. Both the owner of the information and the intended recipient must authorize the transmissions beforehand”
- Policy statement on media handling: “Only personnel who are authorized to install or modify software shall use removable media to transfer data to/from the organization's network. Any other persons shall require specific authorization”
* RUSecure™ Information Security Policies

Security Policies Content -6- (based on ISO 17799)
VI. Access control
- User access management: access rights, passwords
- User responsibilities
- Network access control: network segregation
- Operating system access control
- Application access control
- Monitoring system access and use
- Mobile computing and teleworking

Examples*
- User access management: “Access to all systems must be authorized by the owner of the system and such access, including the appropriate access rights, or privileges, must be recorded in an Access Control List. Such records are to be regarded as Highly Confidential documents and safeguarded accordingly”
- Operating system access control: “Access to operating system commands is to be restricted to those who are authorized to perform systems administration/management functions. Even then, such access must be operated under dual control requiring the specific approval of senior management”
* RUSecure™ Information Security Policies

Security Policies Content -7- (based on ISO 17799)
VII. Systems development and maintenance
- Security requirements of systems: “built-in” security
- Security in application systems: message authentication, hash algorithms, cryptography
- Cryptographic controls: to protect the confidentiality, authenticity or integrity of information (encryption, digital signatures, key management)

Examples*
- “All new hardware installations are to be planned formally and notified to all interested parties ahead of the proposed installation date. Information security requirements are to be circulated for comment to all interested parties, well in advance of installation”
- “All equipment must be fully and comprehensively tested and formally accepted by users before being transferred to the live environment”
* RUSecure™ Information Security Policies

Security Policies Content -8- (based on ISO 17799)
VIII. Business continuity management
“To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.”
- Analyze the consequences of disasters, security failures and loss of service.
- Develop and implement contingency plans to ensure that business processes can be restored within the required time-scales. Such plans should be maintained and practiced to become an integral part of all other management processes.
- Business continuity management should include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.

Security Policies Content -9- (based on ISO 17799)
IX. Compliance
- Compliance with legal requirements: data protection and privacy of personal information, intellectual property rights (IPR), regulation of cryptographic controls
- Compliance with security policy

Examples*
- “Persons responsible for Human Resources Management are to prepare guidelines to ensure that all employees are aware of the key aspects of Copyright legislation, in so far as these requirements impact on their duties”
- “All employees are required to fully comply with the organisation’s Information Security Policies. The monitoring of such compliance is the responsibility of management”
* RUSecure™ Information Security Policies

Critical factors for successful application -1-
- Alignment with business goals
- Management support
- Organizational culture
- Address specific security requirements
- User awareness, training and education
- Review and evaluation procedures
- Gradual introduction, change management

Critical factors for successful application -2-
- Clear, easy to understand
- Easily accessible
- Complete
- Up-to-date
- Extendable
- Applicable
- Technology independent

Security Policies Review
- Scheduled reviews, e.g. once every 18 months
- Occasional reviews when major changes occur (e.g. network configuration, new applications)
- Review results are used for evaluating and updating the Security Policy

Conclusions
- There is no “out of the box” security solution
- Customize Security Policies: content, structure, security guidelines
- Utilize best practice and Information Security Standards
- Effective implementation is context-dependent