Stephen S. Yau 1CSE465-591 Fall 2006 IA Policies.

Slides:



Advertisements
Similar presentations
Information Security Policy
Advertisements

Auditing Concepts.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
Security Controls – What Works
ISA 562 Summer Information Security Management CISSP Topic 1 ISA 562 Internet Security Theory and Practice.
Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Information Systems Security Officer
Stephen S. Yau 1CSE Fall 2006 Personnel Security.
Information System Security Engineering and Management
Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Stephen S. Yau CSE , Fall Security Strategies.
Session 3 – Information Security Policies
Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Fraud Prevention and Risk Management
Computer Security: Principles and Practice
National Smartcard Project Work Package 8 – Security Issues Report.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.
SEC835 Database and Web application security Information Security Architecture.
General Awareness Training
Security Policies University of Sunderland CSEM02 Harry R. Erwin, PhD.
Section Seven: Information Systems Security Note: All classified markings contained within this presentation are for training purposes only.
Evolving IT Framework Standards (Compliance and IT)
HIPAA PRIVACY AND SECURITY AWARENESS.
Protective Measures at NATO Headquarters Ian Davis Head, Information Systems Service NATO Headquarters Brussels, Belgium.
SECURITY POLICIES Indu Ramachandran. Outline General idea/Importance of security policies When security policies should be developed Who should be involved.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Chapter 5 Internal Control over Financial Reporting
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 14 – Human Factors.
Generally Accepted Recordkeeping Principles Generally Accepted Recordkeeping Principles ® Registered Trademark of ARMA International.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
Information Systems Security Operational Control for Information Security.
April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Unit 4 IT 484 Networking Security Course Name – IT Networking Security 1203C Term Instructor.
Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.
1 User Policy (slides from Michael Ee and Julia Gideon)
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Environmental Management System Definitions
Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.
Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.
©Dr. Respickius Casmir Network Security Best Practices – Session 2 By Dr. Respickius Casmir.
Privacy Act United States Army (Managerial Training)
James Fox Shane Stuart Danny Deselle Matt Baldwin Acceptable Use Policies.
Information Security Measures Confidentiality IntegrityAccessibility Information cannot be available or disclosed to unauthorized persons, entities or.
Objectives  Legislation:  Understand that implementation of legislation will impact on procedures within an organisation.  Describe.
HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.
Information Security tools for records managers Frank Rankin.
The NIST Special Publications for Security Management By: Waylon Coulter.
Information Security Policy Development for Management By Peter McCarthy.
1.  1. Introduction  2. Policy  3. Why Policy should be developed.  4. www policies 2.
INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.
BTEC NAT Unit 15 - Organisational Systems Security ORGANISATIONAL SYSTEMS SECURITY Unit 15 Lecture 7 EMPLOYMENT CONTRACTS & CODES OF CONDUCT.
Risk Controls in IA Zachary Rensko COSC 481. Outline Definition Risk Control Strategies Risk Control Categories The Human Firewall Project OCTAVE.
MANAGEMENT of INFORMATION SECURITY, Fifth Edition
Auditing Concepts.
Information Security Policy
Data and database administration
IS4680 Security Auditing for Compliance
Chapter 3: IRS and FTC Data Security Rules
Spencer County Public Schools Responsible Use Policy for Technology and Related Devices Spencer County Public Schools has access to and use of the Internet.
INFORMATION SYSTEMS SECURITY and CONTROL
Drew Hunt Network Security Analyst Valley Medical Center
Internal Control Internal control is the process designed and affected by owners, management, and other personnel. It is implemented to address business.
Presentation transcript:

Stephen S. Yau 1CSE Fall 2006 IA Policies

Stephen S. Yau 2CSE Fall 2006 What Is an IA Policy? IA policies are high-level statements of goals of the procedures for information assurance. IA policies are high-level statements of goals of the procedures for information assurance. Define which actions are required, which are permitted and which are allowed, not guidelines, procedures or controls Define which actions are required, which are permitted and which are allowed, not guidelines, procedures or controls Top level policies are often determined by management with significant input from IT personnel: they represent the corporate goals and principals Top level policies are often determined by management with significant input from IT personnel: they represent the corporate goals and principals Important to distribute policies to those responsible for following policies and/or implement policy enforcement method Important to distribute policies to those responsible for following policies and/or implement policy enforcement method

Stephen S. Yau 3CSE Fall 2006 What Is an IA Policy? (cont.) Policy and Enforcement Mechanism Policy and Enforcement Mechanism Every security policy statement should have an enforcement mechanism Every security policy statement should have an enforcement mechanism Critical to make employees aware of policies affecting their actions, and their violations may result in reprimand, suspension, or firing. Critical to make employees aware of policies affecting their actions, and their violations may result in reprimand, suspension, or firing. The fact that individual employees have been made aware should be documented, e. g., an employee signs a statement that the employee has attended a training session The fact that individual employees have been made aware should be documented, e. g., an employee signs a statement that the employee has attended a training session Enforcement mechanism may be technological (e. g., firewall), or a process (e. g., security audit) Enforcement mechanism may be technological (e. g., firewall), or a process (e. g., security audit)

Stephen S. Yau 4CSE Fall 2006 What is a Security Policy? A statement that partitions the states of the system into a set of authorized, or secure states and a set of unauthorized or nonsecure states. A statement that partitions the states of the system into a set of authorized, or secure states and a set of unauthorized or nonsecure states. IA policies include security policies IA policies include security policies A security policy sets the context in which we can define a secure system, but what is secure under a policy may not be secure under a different policy A security policy sets the context in which we can define a secure system, but what is secure under a policy may not be secure under a different policy T1: ch4.1 T2: ch4.1

Stephen S. Yau 5CSE Fall 2006 Importance of IA Policies  Assure proper implementation of controls  Dictate configuration of control mechanisms (i.e. firewall, IDS, etc)  Guide product selection (e.g. no product made by a foreign company, laptops not permitted, etc.)  Demonstrate management support  Clearly define appropriate behavior of employees  Can achieve higher level security than without policies  Avoid liability for company and management

Stephen S. Yau 6CSE Fall 2006 Threats Countered Policies indicates the organization is aware of proper operations against: Policies indicates the organization is aware of proper operations against: Disregard for public law Disregard for public law Institutional violation of copyright laws Institutional violation of copyright laws Violation of privacy laws Violation of privacy laws Negligence Negligence Failure to use measures commonly found in other “like” organizations Failure to use measures commonly found in other “like” organizations Failure to exercise due diligence by computer professionals (computer malpractice) Failure to exercise due diligence by computer professionals (computer malpractice) Failure to enforce policies Failure to enforce policies

Stephen S. Yau 7CSE Fall 2006 An Example Acceptable Use Policy (AUP) for employees to access Internet on corporate systems Acceptable Use Policy (AUP) for employees to access Internet on corporate systems Defines which employees can and cannot use corporate systems for accessing Internet. Defines which employees can and cannot use corporate systems for accessing Internet. Define penalties for violations Define penalties for violations Enforcement: website blocking, activity logging and audit, individual workstation audit, etc. Enforcement: website blocking, activity logging and audit, individual workstation audit, etc.

Stephen S. Yau 8CSE Fall 2006 Establishing IA Policies Step 1: Secure strong management support Step 2: Gather key data Relevant policies Relevant policies Relevant statutes Relevant statutes Research on what other organizations are doing Research on what other organizations are doing Step 3: Define framework Determine overall goal of policy statement Determine overall goal of policy statement List areas to be covered List areas to be covered Start with basic essentials and add additional areas as required Start with basic essentials and add additional areas as required

Stephen S. Yau 9CSE Fall 2006 Establishing IA Policies (cont.) Step 4: Structure effective review, approval, implementation, and enforcement procedures Determine who need to coordinate and get them involved early Determine who need to coordinate and get them involved early Know who are going to approve the policy and ensure they understand information is an asset Know who are going to approve the policy and ensure they understand information is an asset Cross reference with HR policies Cross reference with HR policies Step 5: Perform risk assessment/analysis or audit Step 6: Make sure policy is written in same style as existing policies

Stephen S. Yau 10CSE Fall 2006 Establishing IA Policies (Cont.) Number of IA policies Number of IA policies Number of areas identified in your objectives Number of areas identified in your objectives One policy document for each system and subsystem within your business objectives, e.g. , anti-virus protection, and Internet usage. One policy document for each system and subsystem within your business objectives, e.g. , anti-virus protection, and Internet usage. No limit on length of a policy, clarity of policy definition is most important No limit on length of a policy, clarity of policy definition is most important IA policies must be coherent and enforceable IA policies must be coherent and enforceable In 1991 National Research Council Report on “Computers at Risk”, the prosecutors stated they turn down many cases because it is not clear what is allowed and what is not In 1991 National Research Council Report on “Computers at Risk”, the prosecutors stated they turn down many cases because it is not clear what is allowed and what is not

Stephen S. Yau 11CSE Fall 2006 List of Policy Areas Confidentiality Policies Confidentiality Policies Deal only with confidentiality Deal only with confidentiality Also called an information flow policy Also called an information flow policy Integrity Policies Integrity Policies Deal only with integrity Deal only with integrity Describe the conditions and manner in which data can be altered Describe the conditions and manner in which data can be altered T1: ch 4.1, 5.1, 6.1 T2:ch4.1, 5.1, 6.1

Stephen S. Yau 12CSE Fall 2006 List of Policy Areas (cont.) Administrative Security Policies Administrative Security Policies Policies related to administration of information systems Policies related to administration of information systems Typically exist before a system development process begins Typically exist before a system development process begins Usually focus on responsibilities of all members within IA team, and have legal implications. Usually focus on responsibilities of all members within IA team, and have legal implications. Access Control Policies Access Control Policies Decide who can access what information under what condition Decide who can access what information under what condition Ensure “separation of duty” and “least privilege” Ensure “separation of duty” and “least privilege”

Stephen S. Yau 13CSE Fall 2006 List of Policy Areas (cont.) An example policy for Dial-in & Dial-out access control on gateways : An example policy for Dial-in & Dial-out access control on gateways : All telephone access to the network shall be centrally protected by authentication controls. Modems shall be configured for dial-in or dial-out access, but not both. Network Administrator shall provide procedures to grant access to modem services. Users shall not install modems at any other locations on the network without appropriate authorization.

Stephen S. Yau 14CSE Fall 2006 List of Policy Areas (cont.) Audit Trails and Logging Policies Audit Trails and Logging Policies Define rules on how the system behavior will be recorded Define rules on how the system behavior will be recorded Audit trails are usually continuous record about routine activities Audit trails are usually continuous record about routine activities Logs are usually event-oriented record Logs are usually event-oriented record Essential when something bad happens since these records will help us know who/what cause the problem Essential when something bad happens since these records will help us know who/what cause the problem

Stephen S. Yau 15CSE Fall 2006 List of Policy Areas (cont.) Documentation Policies Documentation Policies Defines rules about Defines rules about What kinds of information should be documented? What kinds of information should be documented? Who can modify the documents? Who can modify the documents? Under what situations can some of the documents be disclosed? and to whom? Under what situations can some of the documents be disclosed? and to whom? Important to ensure privacy and integrity of the system Important to ensure privacy and integrity of the system

Stephen S. Yau 16CSE Fall 2006 List of Policy Areas (cont.) Evidence Collection and Preservation Policies Evidence Collection and Preservation Policies Define rules about computer incident investigation : Define rules about computer incident investigation : What information should be collected and how to collect it? What information should be collected and how to collect it? How to store collected information to best present it later in a court? How to store collected information to best present it later in a court? Computer forensics always conflict with personal privacy and the policies should clearly draw the line Computer forensics always conflict with personal privacy and the policies should clearly draw the line

Stephen S. Yau 17CSE Fall 2006 List of Policy Areas (cont.) Information Security Policy Information Security Policy Set forth mechanisms by which information stored on organization’s information systems and utilized by organization’s employees is secured and protected Set forth mechanisms by which information stored on organization’s information systems and utilized by organization’s employees is secured and protected State rights and obligations of organization to manage, protect, secure, and control various information that could be accessed through organization's information system State rights and obligations of organization to manage, protect, secure, and control various information that could be accessed through organization's information system

Stephen S. Yau 18CSE Fall 2006 List of Policy Areas (cont.) Information Security Policy (cont.) Information Security Policy (cont.) Help maintain data integrity and accuracy, and provide authorized individuals timely and reliable access to needed data. Also assure that unauthorized individuals are denied access to computing resources or other means to retrieve, modify or transfer information Help maintain data integrity and accuracy, and provide authorized individuals timely and reliable access to needed data. Also assure that unauthorized individuals are denied access to computing resources or other means to retrieve, modify or transfer information Ensure organization to meet its record-keeping and reporting obligations as required by state and federal laws simultaneously, comply with various statutes and policies protecting rights and privacy of individuals Ensure organization to meet its record-keeping and reporting obligations as required by state and federal laws simultaneously, comply with various statutes and policies protecting rights and privacy of individuals

Stephen S. Yau 19CSE Fall 2006 List of Policy Areas (cont.) National Information Assurance (IA) Certification & Accreditation (C&A) Process Policy National Information Assurance (IA) Certification & Accreditation (C&A) Process Policy Issued and maintained by National Security Telecommunications and Information Systems Security Committee (NSTISSC) Issued and maintained by National Security Telecommunications and Information Systems Security Committee (NSTISSC) Applies to all Federal civilian agencies Applies to all Federal civilian agencies Establish minimum national standards for certifying and accrediting national security systems Establish minimum national standards for certifying and accrediting national security systems Help Information System (IS) manager, Designated Approving Authority (DAA), certification agent, and user representative to reach an agreement that IS meets documented security requirements and will continue to maintain accredited security posture throughout system life cycle Help Information System (IS) manager, Designated Approving Authority (DAA), certification agent, and user representative to reach an agreement that IS meets documented security requirements and will continue to maintain accredited security posture throughout system life cycle

Stephen S. Yau 20CSE Fall 2006 List of Policy Areas (cont.) Personnel Security Policies & Guidance Personnel Security Policies & Guidance Define rules to do background checking and screening before hiring Define rules to do background checking and screening before hiring Make agreement with employees before they start working Make agreement with employees before they start working Reduce risks of human errors, theft, fraud or misuse of facilities Reduce risks of human errors, theft, fraud or misuse of facilities Ensure that users are aware of information security threats and concerns, and are equipped to support organization’s security policies in the course of their normal work Ensure that users are aware of information security threats and concerns, and are equipped to support organization’s security policies in the course of their normal work

Stephen S. Yau 21CSE Fall 2006 References Matt Bishop,, Addison- Wesley, 2004, ISBN: (textbook1) Matt Bishop, Introduction to Computer Security, Addison- Wesley, 2004, ISBN: (textbook1) Matt Bishop, Computer Security: Art and Science, Addison- Wesley, 2002, ISBN: (textbook2) Matt Bishop, Computer Security: Art and Science, Addison- Wesley, 2002, ISBN: (textbook2) M. Merkow, J. Breithaupt, Information Security: Principles and Practices, Prentice Hall, August 2005, 448 pages, ISBN M. Merkow, J. Breithaupt, Information Security: Principles and Practices, Prentice Hall, August 2005, 448 pages, ISBN R. J. Anderson, Computer Engineering: A Guide to Building Dependable Distributed Systems, Wiley, 2001, ISBN: R. J. Anderson, Computer Engineering: A Guide to Building Dependable Distributed Systems, Wiley, 2001, ISBN: