1
Tips For Writing a Security Policy
510076
Patrick Botz, IBM Lab Services, Security Architecture Consulting and Implementation
2
Agenda
- Security Process
- What's a Security Policy?
- Creating a Security Policy
- Elements of a Security Policy
- Managing a Security Policy
3
Security Process: Roles, Process Steps, Outputs
Each step's outputs are the input to the next step:
1. Security Requirements. Roles: Organization, Industry, Government. Output: General requirements documented.
2. Security Policy. Roles: CIO, CEO, IT Director, Lawyers, Technical. Outputs: Written policy; Management support; Widely communicated.
3. Implement Policy. Roles: Technical Security Officer, System administrator. Output: System secured according to policy.
4. Monitor Accuracy of Implementation. Roles: Technical Security Officer, System administrator. Output: Periodic reports.
5. Monitor Compliance With Your Policy. Roles: Technical Security Officer, Operators, System administrator. Outputs: Audit analysis; Report anomalies; Take action.
6. Independent Verification of Policy and Implementation. Roles: 3rd party, Management, Technical. Outputs: Official report to execs; Compliance with policy; Suggest policy change.
4
Security Process: Planning & Definition Phase
- Security Requirements
- Security Policy (the organization's security is defined here!)
The remaining steps follow: Implement Policy, Monitor Accuracy of Implementation, Monitor Compliance With Your Policy, Independent Verification of Policy and Implementation.
5
What’s A Security Policy?
6
Trust & Responsibility: Who, What, When, Where, How, Why
A security policy defines appropriate and acceptable behavior for various employee roles when using or accessing business assets in a particular way for a particular purpose.
7
What’s A Security Policy?
QUESTION: How do you secure FTP?
8
What's A Security Policy? Detail
Individual policies will reference two or more of the following components:
- Employee roles (actors, people, entities), e.g. accounting dept, engineering, finance dept, VP of Human Resources
- Business assets, real and electronic
- In a particular way, e.g. create, delete, use, change, payroll application, etc.
- For a particular purpose, e.g. print payroll checks, answer a customer question, answer an employee question, debug an application, add a new employee, etc.
9
What’s A Security Policy?
- Business assets need to be secured regardless of where they reside, real or electronic
- Security policies define what it means for a particular asset to be secured
- A complete security policy goes way beyond computer systems!
- In the absence of a policy, it is impossible to determine if, or measure how well, a business asset is secured
  - Unfortunately, system auditors do it all the time!
10
Security Policy vs. Access Security
Security scopes, from broadest to narrowest: Corporate Security, I/T Security, Networking Security, System (Access) Security.
Policy-level questions:
- What assets may be accessed from the internet?
- What Internet sites may or may not be accessed from the intranet, by whom, and for what reasons?
Access-security risks at the system level:
- Risk: PC virus introduction
- Risk: Mail exchange <-> mail flooding
- Risk: Web server <-> web graffiti
11
What’s A Security Policy?
Policies are abstract. They reference:
- Business assets: customer lists, human resources information, product development info, etc.
- Actions: read, change, copy, create, delete, etc.
- Purposes: e.g. print payroll checks
- How: payroll app, direct access, CAD/CAM app, source code management app, etc.
Procedures are concrete:
- What most people think of as policies are actually procedures for enforcing some policy
- Procedures reference libraries, databases, directories, stream files, etc.
- PUBLIC *EXCLUDE is a procedure, not a policy. It is one procedure that is used to enforce one or more policies
Security policies define what it means for a particular asset to be secured. It is impossible to determine if, or measure how well, a business asset is secured in the absence of security policies.
12
What's A Security Policy?
Policy P5 is enforced by procedures E1, E2 and E4. Given E1 alone, it is hard (if not impossible) to determine which policy that measure is enforcing. E.g. E2 = "Joe can't use FTP" doesn't tell you which business assets Joe is allowed or not allowed to use.
13
What's A Security Policy?
Policy P3 = FTP will only be started under special circumstances and only for system administrators' use in debugging application or system problems.
14
Security Policy Versus Implementation Procedures/Guidelines
- Given E1, it is hard (if not impossible) to determine which policy that measure is enforcing.
- For example, E2 = "Joe can't use FTP"
  - E2 doesn't tell you what Joe is allowed to access, in which way, for which purposes
  - E2 is just one way that some policy is enforced
- P5 = People in accounting can only read financial data using acctg applications in order to perform their duties
  - Joe is in the accounting department
  - E1 = All financial databases are PUBLIC *EXCLUDE
  - E4 = FAPP1 and FAPP2 adopt enough authority to read financial data
  - E2 = Joe is shut out of FTP because he shouldn't be able to directly access data anyway
15
What’s A Security Policy? Details
Ambiguous phrases and questions:
- "I have a secure system"
- "XXXXXX is the most secure system in the world"
- "How do I secure FTP?" The correct answer to this question is: your security policy tells you WHAT policies you need to enforce; Mr. Security Expert can tell you HOW to best enforce those policies!
- "How do I secure iSeries Access?"
- "Have you secured the system?"
Security policies are the ONLY way to define what "secure" means:
- Well-known regulations such as HIPAA and SOX define POLICY that you must enforce. For the most part they do not dictate how you must enforce those policies.
- It is impossible to determine if a business asset is secured without defining or knowing the security policies that affect those assets.
- No one can tell you "how to secure FTP" if you don't first tell them who is allowed to access which assets in which way for which purposes.
16
What’s A Security Policy? Details
A Security Policy is your organization's written security plan.
- Without one, there is no way to measure whether or not you have "secured" your system
- Defines the "WHAT" of your security: what is valued, required processes
- Should not be specific to HOW the policy is implemented
- Includes all security-related processes, not just those that can be implemented on computer systems
  - Manual processes, e.g. how the access code for the computer room door will be communicated to employees with a need to know
- Policy includes a process for requesting and approving implementation that deviates from policy
- Risk management and analysis techniques applied
17
What’s A Security Policy?
QUESTION: How do you secure FTP?
ANSWER: It depends on your particular security policies. There are many ways to enforce a particular policy or set of policies. The exact method of enforcement depends on who, if anyone, may be allowed to access which particular resources for which purposes.
18
Creating A Security Policy
19
Security Process (roles, process steps and outputs diagram, repeated from slide 3)
20
Creating A Policy: Process
1. Sell & inform
2. Designate a policy development team and a leader/owner of the process
3. Determine objectives and scope
4. Gather/generate input
5. Write draft
6. Review/preview draft
7. Publish policy
8. Implement/enforce policy
9. Monitor policy
10. Go to step 4
21
Creating A Policy: Sell
Sell the need for explicit policy to management.
- Management buy-in is critical for a successful policy!
- Management must be involved in defining the organization's security!
  - Organizational requirements
  - Industry regulations (Visa, etc.)
  - Government regulation (HIPAA, SOX, California law)
- CEO/CIO/CFO normally have ultimate responsibility but delegate lower
- Technical roles should participate -- not drive -- this part of the process!
22
Creating A Policy: Inform & Educate
Management and stakeholders:
- Make a clear distinction between policy and enforcement of policy
- Ensure all stakeholders know and understand their role in the security process
- Management and/or corporate officers are responsible for policy, morally and, increasingly, legally
- Security administrators: often a "go-between" for multiple system administrators and CIO/management
- System administrators: responsible for IMPLEMENTING policy; policy implementation is described in terms of procedures
- Lawyers: ensure policies conform to any regulatory and/or industry standards (e.g. SOX, HIPAA)
- Employees: TRAIN/educate! Explain plans and purposes, solicit input, make them part of the team
23
Creating A Policy: Inform & Educate
- People view security as an impediment to their jobs or as a way for management to control their behavior
- Risk, and the amount of risk that is acceptable, is different for each person (fear and loathing)
- Company culture is also a factor
- Soliciting employee input is one way to overcome these issues; use a representative sample of employees
24
Creating A Policy: Select a Team, Leader, and Scope
- Can't be done alone!
- Need a policy owner, preferably a manager/corporate officer!
- Determine the applicable scope the team will cover: Corporate Security, I/T Security, Networking Security, System
25
Creating A Policy: Gather/Generate Input
- Identify business assets, NOT computer resources/objects
- Identify employee roles
  - Get input from employees on which assets they use or believe they need to access
  - Understand what they need to accomplish, not what privileges or access they believe they need
- Identify business relationships between roles and assets
- Identify risks to business assets
  - Identify the business impact of each risk
  - Estimate the probability of each risk
- Get input from your auditors!
26
Creating A Policy: Gather/Generate Input
Example worksheet:

| Business Asset      | Employee Roles                    | Type of Access          | Purpose of Access                                                                  | Risks                                                                                     |
|---------------------|-----------------------------------|-------------------------|------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|
| All business assets | All                               | Minimum necessary       | To accomplish management-authorized and assigned tasks                             |                                                                                           |
| Acctg data, apps    | Acctg Dept, CFO and direct reports | Through acctg apps only | To perform management-authorized tasks                                             | Competitor advantage, insider trading, privacy                                            |
| Personal passwords  |                                   | Change                  | Change only their own passwords every 90 days. At least 25 characters, etc.        | Unauthorized access, competitor advantage, customer confidence, privacy, loss of business |
27
Creating A Policy: Write
- SOMETHING is better than NOTHING
- Start at the highest level and get more specific, for example:
  - Employees may only access business assets that are required to perform their job
  - Accounting data may only be accessed by accounting department employees through accounting applications – no direct access of accounting data is allowed
  - Only accounting department employees responsible for payroll processing may access the payroll applications
  - Only employees in the accounting department responsible for accounts receivable may use the accounts receivable application
- Work on related sets of policies
- Delegate areas of expertise
- Policies which are too strict will undermine the level of security you're trying to achieve!
28
Creating A Policy: Review/Publish/Implement/Verify
- Review policies: management, legal, affected employees
- Publish: after review and approval, publish the policies and the implementation plan
- Implement
- Verify: internally using auditing tools; externally by a 3rd party
- Feed information/data from verification back into the beginning of the policy generation process
29
Creating A Policy: Remember!
Policies that are TOO STRICT will hinder productivity and probably REDUCE the level of SECURITY achieved!
30
Elements of A Security Policy
31
Elements of Security Policy
Written policy:
- Acceptable use
- Monitoring
- Enforcement
- Define assets to be protected
- Roles in the organization
- Capabilities and privileges allowed for each role
- Policy deviation process
- Security-related events and assets requiring monitoring
- Manual process/workflow for security-relevant tasks, i.e. password policy, new user, password resets
- Requirements
32
Elements of Policy: Wide ranging! Use Security Policy Templates
- Available from many sources (see the Additional Information slide)
- Commonly included:
  - Acceptable use
  - Network security
  - Generic system processes/requirements, e.g. password composition and change intervals
  - Processes (e.g. manager must send an to system administrator to create new userIDs, reset passwords)
  - Archiving
  - Anti-virus
  - Penalties and enforcement
  - Deviation process
  - Etc., etc., etc., etc., etc.
33
Elements of Policy: Example Policy Statement Format
- Title
- Policy
- Commentary
- Related Policies
- Audience
- Security Environments
34
Elements of Policy: Example, Information Technology Acceptable Use
Title: Employee Use of Information Technology Assets
Policy: Employees are allowed to access IT business assets on a need-to-know basis and only for purposes associated with their job role.
Commentary: This policy applies to all information technology business assets including hardware, software, and data stored on any media, including paper.
Related Policies: Corporate Instruction x.x.x, Information Security Program directive y.y, IT security policy z.z.z
Audience: All employees and job roles
Applicable Environments: All
Measurement: Can an employee in an engineering role access customer account data?
35
Elements of Policy: Additional Policy Statement Examples
Related security policy: IT Policy 1 (see previous page)
1.1 Back office employees can use customer account information.
1.2 Computer System Operators can use the XYZ reporting application.
1.3 Computer Security Admins can use security admin tools.
1.4 Help Desk employees can manage passwords.
1.5 Security Admins can manage or monitor user accounts.
1.6 System Operators can monitor operating system resources.
1.7 System Admins can manage operating system resources.
1.8 IT Developers can inquire customer account information or operating system resources for the purpose of supporting production.
1.9 IT Developers can manage customer account information for the purpose of a production emergency.
1.10 Corporate Management can inquire customer account information.
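As an added illustration (not from the slides) of the policy-versus-procedure distinction on slides 14 and 34-35: a small Python model in which policy statements are abstract (role, action, asset, how, purpose), procedures are concrete measures that record which policies they enforce, and the slide's Measurement question is answered by default-deny lookup. Policy and procedure ids come from the slides; procedure E3 and the lookup rules are assumptions made here.

```python
"""Policy statements are abstract; procedures are concrete and must be traceable
to the policies they enforce. Ids P5, E1, E2, E4 and 1.x come from the slides;
E3 is a constructed example of an untraceable procedure."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    pid: str
    role: str      # who: employee role, not a user id
    action: str    # what: read / inquire / use / manage ...
    asset: str     # business asset, not a computer object
    via: str       # how: application or access path; "*" = any path
    purpose: str   # why


@dataclass(frozen=True)
class Procedure:
    eid: str
    description: str
    enforces: tuple = ()   # policy ids this measure enforces; empty = untraceable


POLICIES = (
    Policy("P5", "accounting", "read", "financial data", "acctg apps", "perform duties"),
    Policy("1.1", "back office", "use", "customer account information", "*", "job role"),
    Policy("1.8", "IT developer", "inquire", "customer account information", "*", "support production"),
    Policy("1.9", "IT developer", "manage", "customer account information", "*", "production emergency"),
    Policy("1.10", "corporate management", "inquire", "customer account information", "*", "job role"),
)

PROCEDURES = (
    Procedure("E1", "All financial databases are PUBLIC *EXCLUDE", ("P5",)),
    Procedure("E2", "Joe (accounting) is shut out of FTP", ("P5",)),
    Procedure("E4", "FAPP1 and FAPP2 adopt authority to read financial data", ("P5",)),
    Procedure("E3", "FTP server disabled on the test partition"),  # constructed: no policy recorded
)


def permitted(role, action, asset, via="*", policies=POLICIES):
    """Ids of the policy statements that allow this access. An empty list means
    denied: the acceptable-use policy grants access only on a need-to-know basis,
    so anything no statement covers is not allowed. A request with an unspecified
    path ("*") only matches statements that allow any path."""
    return [p.pid for p in policies
            if p.role == role and p.action == action and p.asset == asset
            and (p.via == "*" or p.via == via)]


def untraceable(procedures=PROCEDURES):
    """Procedures that cannot be tied to any policy (the 'given E1 alone' problem)."""
    return [e.eid for e in procedures if not e.enforces]


def unenforced(policies=POLICIES, procedures=PROCEDURES):
    """Policies with no enforcing procedure: nothing exists to measure compliance against."""
    covered = {pid for e in procedures for pid in e.enforces}
    return [p.pid for p in policies if p.pid not in covered]


if __name__ == "__main__":
    # The slide's Measurement question: can an engineering role see customer account data?
    print("engineering / customer account data:",
          permitted("engineering", "inquire", "customer account information"))
    print("accounting / financial data via FTP:",
          permitted("accounting", "read", "financial data", via="FTP"))
    print("untraceable procedures:", untraceable())
    print("unenforced policies:", unenforced())
```

Running the traceability checks in both directions is the part worth keeping: an untraceable procedure cannot be justified, and an unenforced policy cannot be measured.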
36
Managing A Security Policy
37
Security Process (roles, process steps and outputs diagram, repeated from slide 3)
38
Managing Policy
- Policies must be enforceable, implementable, understandable, and balance security versus productivity
- Determine whether to manage one large document or smaller ones
- Policies are living document(s)
- How will you manage policy document(s)? Individual document files; change control; 3rd-party products for purely managing policies exist
- Policy implementation must be verified periodically (at least yearly)
- Deviations documented, accepted, remedied, or policy changed
- New requirements, regulations, and risks
39
Summary
40
Summary
- Defining policy is the 1st and most important step of the security process
- No process = no security
- Policy definition is a process itself
- Policy is unique to each organization
- Policies are living document(s)
- Something is better than nothing!
41
What’s A Security Policy?
QUESTION: How do you secure FTP?
42
Additional Information
- Google: +"security policy" +tips; +"security policies" +tips; +"security policy" +template(s)
- SANS Institute - The SANS Security Policy Project
- Policy_Primer.pdf
- Quiz: Security awareness for end users
- Information Security Policies Made Easy, Version 10
- Developing a policy your company can adhere to
43
STG Lab Services (www.ibm.com/eserver/services)
A 14 year track record... proven methods & techniques, worldwide results.
To learn more about how STG Lab Services can help you attain your sales objectives, see us in the Solutions Center or contact a Lab Services Opportunity Manager:
- System i (WW, AG): Mark Even (507), Pete Cornell (507)
- System p: Stephen Brandenburg (301), Greg Mallare (727)
- System x: Michael Karchov (919), Mike Sigl (425)
- System z: Jerry Koger (623)
- System Storage (WW, AG): Kevin Bogart (919)
- Optimization Studies (WW, AG): Marlin Maddy (877)
- Solutions: Mohsen Nikbakhshian (301)
- AP (System i, z; System p, x; Storage; US contact for AP): Jenny Chen, Zhe Xu (x306), Jin-Ming Liu (507)
- Europe, SWE & NEE IOTs: Benoit Sirot, Gerard Barneaud
The STG Lab Services teams can be engaged through technical support and STG sales teams. Business Partners can use Lab Services for acquiring skills by working side-by-side with Lab Services on their own solution, or skills from Lab Services can be subcontracted by the Business Partner on their own engagements. Lab Services has a proven track record of revenue influence in its engagements in the delivery of emerging products and technology, which in turn enables early client success and satisfaction. Lab Services also provides services in niche and mature/end-of-life markets on important products and/or technologies used by a limited number of clients, where skills may not be available through other service providers. For more information on STG Lab Services offerings, or if you wish to discuss a specific example, please visit the Lab Services pedestal in the Solution Center or contact one of the listed Opportunity Managers.
44
STG Lab Services Workshops in Open Sessions, given by Thomas Barlen
- iSeries / System i Security Overview and Implementation, 3 days: QI71V0NL - Amsterdam (The Netherlands), 12, 13 & 14 June; QI71V0BE - Brussels (Belgium), 16, 17 & 18 October
- Simplifying Sign on Processes and Eliminating Passwords with Single Sign On, 3 days: QI72V0BE - Brussels (Belgium), 18, 19 & 20 September; QI72V0NL - Amsterdam (The Netherlands), 6, 7 & 8 November
- Protecting Sensitive Information in your Database with i5/OS Encryption, 3 days: QI73V0NL - Amsterdam (The Netherlands), 11, 12, 13 September
Details: on the IBM Training stand, ibm.com/training/be/nl/iseriesworkshops
45
Trademarks and Disclaimers
8 IBM Corporation All rights reserved. References in this document to IBM products or services do not imply that IBM intends to make them available in every country. Trademarks of International Business Machines Corporation in the United States, other countries, or both can be found on the World Wide Web at Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. UNIX is a registered trademark of The Open Group in the United States and other countries. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. Information is provided "AS IS" without warranty of any kind. The customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. 
Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here. Prices are suggested U.S. list prices and are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or Business Partner for the most current pricing in your geography. Photographs shown may be engineering prototypes. Changes may be incorporated in production models.