Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cyber security Policy development and implementation

Published byMitchell Hines Modified over 5 years ago

Similar presentations

Presentation on theme: "Cyber security Policy development and implementation"— Presentation transcript:

1 Cyber security Policy development and implementation
by Erlan Bakiev, Ph.D.

2 Information security policy
The development of an information security policy involves more than mere policy formulation and implementation. Unless organizations explicitly recognize the various steps required in the development of a security policy, they run the risk of developing a policy that is: poorly thought out incomplete redundant and irrelevant will not be fully supported by the users.

3 Major threats The analysis indicate that the major threat to organizations’ information security is caused by careless insider employees who intentionally or unintentionally misuse the information assents So: What processes organizations should follow in the developing an effective information security policy? This class defines a model for the Formulation Implementation Enforcement of an information security policy in an organization

4 Insider employees The insider employees who intentionally or unintentionally misuse the information assents are among the top ranked threats in organizations Most e-crimes: Unauthorized access to corporate info 63 % Unintentional exposure of private or sensitive data 57% Virus, worms or other malicious code 37% Theft or intellectual property 32%

5 Challenges in developing policy
The lack of guidance as to how to develop security policy contents (commercial policies) The processes of developing and implementing an information security policy Therefore, policy statements developed may not directly attributed to the risks they are designed to nullify.

6 Challenges in developing policy
There is a gap in the current security policy development methods. The literature doesn’t offer comprehensive methodology or mechanisms that show in detail the process of developing an information security policy

7 Table 1: List of categories identified
Category label Number of tags Cumulative 1. Information security policy construction 85 85 2. Management support 3.Information security policy compliance and

8 Risk assessment There are several steps in risk assessment:
The assets that the organization needs to protect must be identified A list of all threats that can cause harm to the organizations’ assets is identified The likelihood of of threats that can cause exercising system vulnerability is determined The threats and vulnerabilities which cause a security failure and the associated impacts are assessed in terms of organization’s loss of integrity, availability and confidentiality The controls that must be implemented in order to mitigate the risks are identified

9 Information Security Policy Construction
Activities of constructing a security policy: Directives from executive management with high level security policy These policies are transformed to organizational standards and guidelines Organizational standards are detailed statements of what should be done, not how to do it. The detailed information security policies are supported by lower level security policies also called procedures. Procedures provide the step-by-step detailed instructions of how to carryout requirements of an information security policy.

10 Information Security Policy Implementation
Implementation is the most difficult part of this process. The The introduction of a new information security policy brings changes in the way employees behave in handling organizational information. The whole idea in implementation is to gain support from the organization’s community to accept changes. By educating and training Awareness Raise awareness of the responsibilities Emphasize recent actions against employees for security policy violations

11 Information Security Policy compliance and enforcement
A number of theories have been developed underlying employees’ behavioral intention towards the compliance of information security policies. General Deterrence Theory (GDT) It predicts that the increase in the severity of punishment on those who violate the rules of the organization reduce some criminal acts Theory of Planned Behavior (TPB) It explains the intention of an individual to perform a given behavior (social pressures)

12 Information security policy monitoring, review and assessment
The need to periodically or non-periodically review and update the security policy is indispensable to the organization. The information security policy should be evaluated and reviewed on regular basis to make sure that the latest threats, new regulations and government policies are kept up to date. An automated system of review scheduling which timely alerts when a major change to the existing security practices have occurred is advised

13 Management support The first step in composing a security policy is to get the top management’s opinions on how they understand security in the organization. Without executive support, policies are just words. To have meaning, they must be given the right priority and be enforced. Management plays key role in approving the policy and making sure that there is enough budget to cover all resources required.

14 Employee support Employee support consists of end-users who carry out different activities in an organization. The end-user community needs to be part of the development effort to ensure that the multidisciplinary nature of the organization is incorporated in the information security policy development process. The practice the information security policy requirements

15 International security standards
International standards such as ISO are good starting point to implement the information security policy which therefore improves an organization’s information security. The idea of using international standards as a baseline framework because they increase trust with the organization’s stakeholders. An international security standard that has been approved by security experts can definitely provide the basis requirements to start developing an information security policy.

16 Regulations requirements
The main reason to develop information security policy is to mitigate the various security risks that organizations face Organizations must first identify and understand all regulatory requirements that dictate the creation of such policies before writing the information security policy. It is necessary that organizations obtain legal advice to ensure that their policies are legally binding and the employees violating such policies will be legally liable of their behavior.

17 Information security policy stakeholders
The development of an effective security policy requires a combination of different skills emanating from different stakeholders experiences recommend the involvement of ICT Specialists and security specialists in the policy development process because they have technical knowledge of the systems that the information security policy intends to protect as well as the security of these systems. The human resource department should review and/or approve the security policy based on how the policy relates to organization’s existing policies.

18 Conclusion What processes organizations need to follow in developing and implementing an effective information policy? The proposed model provides the different dimensions that a specific organization needs to take into account during the information security policy development and implementation process. It ensures both comprehensive and sustainable information security policies.

Download ppt "Cyber security Policy development and implementation"

Similar presentations

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Information Security Policies and Standards

Information Security Policies and Standards
The 10 Deadly Sins of Information Security Management

The 10 Deadly Sins of Information Security Management
Session 3 – Information Security Policies

Session 3 – Information Security Policies
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Security Policies Jim Stracka www.pentasafe.com. The Problem Today.

Security Policies Jim Stracka The Problem Today.
Dr E Kritzinger – UNISA SACSAW 2011. Cyber Awareness Implementation Plan (CAIP) for schools.

Dr E Kritzinger – UNISA SACSAW Cyber Awareness Implementation Plan (CAIP) for schools.
1 CREATING A LEARNING ORGANIZATION AND AN ETHICAL ORGANIZATION STRATEGIC MANAGEMENT BUAD 4980.

1 CREATING A LEARNING ORGANIZATION AND AN ETHICAL ORGANIZATION STRATEGIC MANAGEMENT BUAD 4980.
Basics of OHSAS Occupational Health & Safety Management System

Basics of OHSAS Occupational Health & Safety Management System
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.

What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
SECURITY POLICIES Indu Ramachandran. Outline General idea/Importance of security policies When security policies should be developed Who should be involved.

SECURITY POLICIES Indu Ramachandran. Outline General idea/Importance of security policies When security policies should be developed Who should be involved.
INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.

INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.

Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Environmental Management System Definitions

Environmental Management System Definitions
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.

International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.

Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.
Prepared By: Razif Razali 1 TMK 264: COMPUTER SECURITY CHAPTER SIX : ADMINISTERING SECURITY.

Prepared By: Razif Razali 1 TMK 264: COMPUTER SECURITY CHAPTER SIX : ADMINISTERING SECURITY.
Control and Security Frameworks Chapter Three Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc. 2007.

Control and Security Frameworks Chapter Three Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc
Copyright © Houghton Mifflin Company. All rights reserved.8-1 Chapter 8 Developing an Effective Ethics Program.

Copyright © Houghton Mifflin Company. All rights reserved.8-1 Chapter 8 Developing an Effective Ethics Program.

Similar presentations

Ads by Google