Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Policies and Implementation Issues

Published byCordelia Simmons Modified over 5 years ago

Similar presentations

Presentation on theme: "Security Policies and Implementation Issues"— Presentation transcript:

1 Security Policies and Implementation Issues
Chapter 6 IT Security Policy Frameworks

2 10/15/2019 Learning Objective Describe the components and basic requirements for creating a security policy framework.

3 Key Concepts Key building blocks of security policy framework
10/15/2019 Key Concepts Key building blocks of security policy framework Types of documents for a security policy framework Information systems security (ISS) and information assurance considerations Process to create a security policy framework

4 Policy and Standards Library Framework
10/15/2019 Policy and Standards Library Framework

5 Policy Framework Components
10/15/2019 Policy Framework Components Defines how an organization performs and conducts business functions and transactions with a desired outcome Policy An established method implemented organization-wide Standards Steps required to implement a process Procedures A parameter within which a policy, standard, or procedure is suggested Guidelines

6 10/15/2019 Common Frameworks Control Objectives for Information and related Technology (COBIT) ISO/IEC series National Institute of Standards and Technology (NIST) Special Publications Example: SP , “Recommended Security Controls for Federal Information Systems and Organizations

7 Access Control Policy Branch
10/15/2019 Access Control Policy Branch Access Control Policy Branch of a Policy and Standards Library

8 External and Internal Factors Affecting Policies
10/15/2019 External and Internal Factors Affecting Policies Policies must align with the business model or objective to be effective External factors Regulatory and governmental initiatives Internal factors Culture, support, and funding

9 Creating a Security Policy Framework
10/15/2019 Creating a Security Policy Framework Set a budget Assemble a team Select a basic framework Set a budget Assemble a team Select a commonly accepted framework as a foundation - COBIT, ISO/ISC series, NIST SPs Use a content management system, if possible Cross-reference your security documents with standards Coordinate development with other departments in the organization

10 Creating a Security Policy Framework (Continued)
10/15/2019 Creating a Security Policy Framework (Continued) Use a content management system Cross-reference standards Coordinate with other departments Set a budget Assemble a team Select a commonly accepted framework as a foundation - COBIT, ISO/ISC series, NIST SPs Use a content management system, if possible Cross-reference your security documents with standards Coordinate development with other departments in the organization

11 Roles Related to a Policy and Standards Library
10/15/2019 Roles Related to a Policy and Standards Library CISO Information resources manager Information resources security officer Owners of information resources CISO - Establishes and maintains security and risk management programs for information resources Information resources manager - Maintains policies and procedures that provide for security and risk management of information resources Information resources security officer - Directs policies and procedures designed to protectinformation resources; identifies vulnerabilities,develops security awareness program Owners of information resources - Responsible for carrying out the program that uses the resources. This does not imply personal ownership. These individuals may be regarded as program managers or delegates for the owner. Custodians of information resources - Provide technical facilities, data processing, and other support services to owners and users of information resources Technical managers (network and system administrators) - Provide technical support for security of information resources Internal auditors - Conduct periodic risk-based reviews of information resources security policies and procedures Users - Have access to information resources in accordance with the owner-defined controls and access rules

12 Roles Related to a Policy and Standards Library (Continued)
10/15/2019 Roles Related to a Policy and Standards Library (Continued) Custodians of information resources Technical managers Internal auditors Users CISO - Establishes and maintains security and risk management programs for information resources Information resources manager - Maintains policies and procedures that provide for security and risk management of information resources Information resources security officer - Directs policies and procedures designed to protectinformation resources; identifies vulnerabilities,develops security awareness program Owners of information resources - Responsible for carrying out the program that uses the resources. This does not imply personal ownership. These individuals may be regarded as program managers or delegates for the owner. Custodians of information resources - Provide technical facilities, data processing, and other support services to owners and users of information resources Technical managers (network and system administrators) - Provide technical support for security of information resources Internal auditors - Conduct periodic risk-based reviews of information resources security policies and procedures Users - Have access to information resources in accordance with the owner-defined controls and access rules

13 Case Studies on Security Policy Framework Creation
10/15/2019 Case Studies on Security Policy Framework Creation Case Study Private Sector Health care w/7,000 devices Incomplete inventory No easy way to classify assets HIPAA Used NIST SP to establish the framework Public Sector State of Tennessee Used ISO/IEC (27002) Policies and frameworks covered all information asset owned, leased, or controlled by the State of Tennessee Target Corporation 1,797 US and 127 Canadian stores December 2013 point-of-sale (PoS) data breach 40 million credit card records stolen 70 million records containing PII Largest data breaches of its kind

14 Information Assurance and Information Systems Security
10/15/2019 Information Assurance and Information Systems Security Security Policy Framework IA ISS Information Assurance Protecting information during processing and use The 5 Pillars Implementation of appropriate accounting and other integrity controls Development of systems that detect and thwart attempts to perform unauthorized activity ISS Protecting information and the systems that store and process the information Automation of security controls, where possible Assurance of a level of uptime of all systems

15 Information Systems Security Considerations
Unauthorized Access to and Use of the System Unauthorized Disclosure of the Information Disruption of the System or Services Modification of Information Destruction of Information Resources

16 10/15/2019 Summary Considerations for information assurance and information security Process to create a security policy framework Factors that affect polices and the best practices to maintain policies

Download ppt "Security Policies and Implementation Issues"

Similar presentations

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Data Classification & Privacy Inventory Workshop

Data Classification & Privacy Inventory Workshop
Security Controls – What Works

Security Controls – What Works
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Data Management Awareness January 23, 2008 1 University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.

Data Management Awareness January 23, University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.
The Role of Risk Management and Assurance in Effective Organizational Governance Urton Anderson The University of Texas at Austin.

The Role of Risk Management and Assurance in Effective Organizational Governance Urton Anderson The University of Texas at Austin.
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.
NIST Special Publication Revision 1

NIST Special Publication Revision 1
GRC - Governance, Risk MANAGEMENT, and Compliance

GRC - Governance, Risk MANAGEMENT, and Compliance
Chapter Three IT Risks and Controls.

Chapter Three IT Risks and Controls.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Roles and Responsibilities

Roles and Responsibilities

Similar presentations

Ads by Google