Slide 1
95-8411-1 95-841 Information Assurance Policy
Tim Shimeall (tjs@cert.org)
Slide 2: Information Assurance Policy
Seminar course: participation is essential
Sessions (after week 4): 50% lecture, 50% discussion
Building, developing, evaluating IA policy
Grading:
–Course presentation: 30% (see sign-up list)
–Course participation: 30% (when not presenting)
–Final paper/project: 40% (policy-related topic)
Slide 3: Presentations
Instructors will cover the background material
Student presenters will apply it to a case study or other realistic scenario
Student audience will evaluate the application and critique the resulting policies
Presenters' grade is NOT based on critique results, but on the level of discussion and on effectiveness at presenting applicable policy
Plan on 90 minutes, including discussion
Slide 4: Course Content
Introduction and case study
Policy development
Policy evaluation
Building policy for case study (with instructor as stakeholder)
Larger issues (legislation and governance)
Course summary
Slide 5: What is Information Assurance Policy?
Detailed statement regarding permissible and prohibited behavior with respect to information assets, to assure confidentiality, integrity and availability of those assets
Behavior:
–Loading, using, disseminating data
–Acquiring, using, distributing software
–Acquiring, using, retiring hardware
–In general: anything being done by, on or with any information processing asset
Asset: data, software, device, network, person
Slide 6: Why Information Assurance Policy? (1)
Topics a policy must address: Communications, Privacy, Accountability, Authorization, Encryption, Firewall Configuration, Disaster Recovery, Auditing, Backups, Authentication, Access Controls, Redundancy, Resources, Integrity, Risk Reduction, Purchasing Guidelines
Slide 7: Why Information Assurance Policy? (2)
Policy stakeholders: Management, Top management (CXO), Users, Others (clients, partners), Network Admin, System Admin, Database Admin, Human Resources, Legal
Slide 8: Why Information Assurance Policy? (3)
Janet works in the accounting department of a mid-size organization
Changed her password: wrote the new one on a note and stuck the note to her monitor
Later noticed that someone had used her account, but didn't notice any obvious damage
Had heard it was a bad idea to write passwords down and leave them around
Remembered that an employee had been fired for some policy violation
Did not report the incident.
Slide 9: Why Information Assurance Policy? (4)
Tim is a security administrator working for you in a 2000-member organization.
Detects a password sniffer running on his organization's principal server, and on an obsolete desktop used for lighting control.
In a directory called "…", he finds a file with 300 user ids and passwords for his site.
He reports his findings to you and asks for more time before reporting the incident.
Slide 10: Why Information Assurance Policy? (5)
Staffing?
New product?
New infrastructure?
Firewalls?
Training?
Slide 11: Why Information Assurance Policy? (6)
You work as a helpdesk manager, reporting to the CIO, for a medium-sized company
An employee-owned smartphone was compromised while on travel, and through that compromise about 3,000 customer billing records were accessed.
What should you recommend to the CIO?
Slide 12: Going Forward From Here
Policy and technology are inherently linked
Policy implements and enables authority
We will discuss a variety of policy aspects: Developing, Costing, Managing, Deploying; User, Network, Site; Confidentiality, Integrity, Availability; Legislation and Governance