Presentation is loading. Please wait.

Presentation is loading. Please wait.

CC3020N Fundamentals of Security Management CC3020N Fundamentals of Security Management Lecture 4 Security Policy, Standard, and Practices.

Published byGregory Dickerson Modified over 9 years ago

Similar presentations

Presentation on theme: "CC3020N Fundamentals of Security Management CC3020N Fundamentals of Security Management Lecture 4 Security Policy, Standard, and Practices."— Presentation transcript:

1 CC3020N Fundamentals of Security Management CC3020N Fundamentals of Security Management Lecture 4 Security Policy, Standard, and Practices

2 CC3020N Fundamentals of Security Management Slide 2 Learning Objectives –To define information security policy –To understand its central role in a successful information security program –To know the three major types of information security policy –To develop, implement, and maintain various types of information security policies

3 CC3020N Fundamentals of Security Management Slide 3 Introduction Information security policy –What is it? –How to write it? –How to implement it? –How to maintain it?

4 CC3020N Fundamentals of Security Management Components of Information Security

5 CC3020N Fundamentals of Security Management NSTISSC Security Model

6 CC3020N Fundamentals of Security Management Introduction (cont.) Policy is the essential foundation of an effective information security program. Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality.” Slide 6

7 CC3020N Fundamentals of Security Management Slide 7 Why Policy? A quality information security program begins and ends with policy. Policies are the least expensive means of control and often the most difficult to implement. Some basic rules must be followed when shaping a policy: –Never conflict with law. –Stand up in court. –Properly supported and administered. –Contribute to the success of the organization. –Involve end users of information systems.

8 CC3020N Fundamentals of Security Management Slide 8 The Bulls-eye Model

9 CC3020N Fundamentals of Security Management Slide 9 Policy Centric Decision Making Bulls-eye model layers –Policies — first layer of defense –Networks — threats first meet the organization’s network. –Systems — computers and manufacturing systems –Applications — all applications systems Policies are important reference documents for internal audits and for the resolution of legal disputes about management's due diligence, and policy documents can act as a clear statement of management's intent.

10 CC3020N Fundamentals of Security Management Slide 10 Policies, Standards, & Practices

11 CC3020N Fundamentals of Security Management Slide 11 Policy, Standards, and Practices (cont.) Policy is a plan or course of action that influences and determine decisions. Standards are a more detailed statement of what must be done to comply with Policy Practices. Procedures and Guidelines explain how employees will comply with policy. For policies to be effective, they must be: –Properly disseminated, read, understood, and agreed-to

12 CC3020N Fundamentals of Security Management Policy, Standards, and Practices (cont.) Policies require constant modification and maintenance. In order to produce a complete information security policy, management must define three types of information security policy: –Enterprise Information Security Policy –Issue-Specific Information Security Policies –Systems-Specific Information Security Policies Slide 12

13 CC3020N Fundamentals of Security Management Slide 13 Enterprise Information Security Policy (EISP) Sets strategic direction, scope, and tone for organization’s security efforts. Assigns responsibilities for various areas of information security. Guides development, implementation, and management requirements of information security program.

14 CC3020N Fundamentals of Security Management Slide 14 EISP Elements EISP documents should provide : –An overview of the corporate philosophy on security –Information on the information security organization and information security roles Responsibilities for security that are shared by all members of the organization Responsibilities for security that are unique to each role within the organization

15 CC3020N Fundamentals of Security Management Slide 15 Example EISP – CCW (CCW: Charles Cresson Wood) http://www.informationshield.com/aboutccw.htm http://www.informationshield.com/aboutccw.htm Protection of Information: Information must be protected in a manner commensurate with its sensitivity, value, and criticality. Use of Information: Company X information must be used only for the business purposes expressly authorized by management. Information Handling, Access, and Usage: Information is a vital asset and all accesses to, uses of, and processing of Company X information must be consistent with policies and standards. http://www.informationshield.com/?c1=se&source=google&kw=ccw

16 CC3020N Fundamentals of Security Management Slide 16 Example EISP – CCW (cont.) Data and Program Damage Disclaimers: Company X disclaims any responsibility for loss or damage to data or software that results from its efforts to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems. Legal Conflicts: Company X information security policies were drafted to meet or exceed the protections found in existing laws and regulations, and any Company X information security policy believed to be in conflict with existing laws or regulations must be promptly reported to information security management.

17 CC3020N Fundamentals of Security Management Slide 17 Example EISP – CCW (cont.) Exceptions to Policies: Exceptions to information security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a standard risk acceptance form has been prepared by the data owner or management, and where this form has been approved by both information security management and internal audit management. Policy Non-Enforcement: Management's non-enforcement of any policy requirement does not constitute its consent.

18 CC3020N Fundamentals of Security Management Slide 18 Example EISP – CCW (cont.) Violation of Law: Company X management must seriously consider prosecution for all known violations of the law. Revocation of Access Privileges: Company X reserves the right to revoke a user's information technology privileges at any time. Industry-Specific Information Security Standards: Company X information systems must employ industry- specific information security standards.

19 CC3020N Fundamentals of Security Management Slide 19 Example EISP – CCW (cont.) Use of Information Security Policies and Procedures: All Company X information security documentation including, but not limited to, policies, standards, and procedures, must be classified as “Internal Use Only,” unless expressly created for external business processes or partners. Security Controls Enforceability: All information systems security controls must be enforceable prior to being adopted as a part of standard operating procedure.

20 CC3020N Fundamentals of Security Management Slide 20 Issue-Specific Security Policy (ISSP) Provides detailed, targeted guidance to instruct the organization in secure use of technology systems, and begins with introduction to fundamental technological philosophy of the organization. Serves to protect employee and organization from inefficiency and ambiguity; documents how the technology-based system is controlled; and identifies the processes and authorities that provide this control.

21 CC3020N Fundamentals of Security Management Issue-Specific Security Policy (ISSP) (cont.) ISSP Should: –Address specific technology-based systems. –Require frequent updates. –Contain an issue statement on the organization’s position on an issue. Slide 21

22 CC3020N Fundamentals of Security Management Slide 22 Issue-Specific Security Policy (ISSP) (cont.) ISSP topics could include: –electronic mail –use of the Internet and the World Wide Web –specific minimum configurations of computers to defend against worms and viruses –prohibitions against hacking or testing organization security controls –home use of company-owned computer equipment –use of personal equipment on company networks –use of telecommunications technologies, and use of photocopy equipment

23 CC3020N Fundamentals of Security Management Slide 23 Components of the ISSP Statement of Purpose –Scope and applicability –Definition of technology addressed –Responsibilities Authorized Access and Usage of Equipment –User access –Fair and responsible use –Protection of privacy

24 CC3020N Fundamentals of Security Management Slide 24 Systems-Specific Policy (SysSP) Systems-Specific Policies (SysSPs) frequently do not look like other types of policy. They may often be created to function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into: –Management guidance –Technical specifications –Combined in a single policy document

25 CC3020N Fundamentals of Security Management Slide 25 Management Guidance SysSPs Created by management to guide the implementation and configuration of technology. Applies to any technology that affects the confidentiality, integrity or availability of information. Informs technologists of management’s intent.

26 CC3020N Fundamentals of Security Management Slide 26 Technical Specifications SysSPs System administrator’s directions on implementing managerial policy Each type of equipment has its own type of policies. There are two general methods of implementing such technical controls: –Access Control Lists –Configuration Rules

27 CC3020N Fundamentals of Security Management Slide 27 Access Control Lists (ACLs) Include the user access lists, matrices, and capability tables that govern the rights and privileges. In general, ACLs enable administrations to restrict access according to user, computer, time, duration, or even a particular file.

28 CC3020N Fundamentals of Security Management Slide 28 Access Control Lists (ACLs) (cont.) In general, ACLs regulate: –Who can use the system? –What authorized users can access ? –When authorized users can access the system ? –Where authorized users can access the system from ? –How authorized users can access the system ? –Restricting what users can access, e.g., printers, files, communications, and applications ?

29 CC3020N Fundamentals of Security Management Slide 29 Access Control Lists (ACLs) (cont.) Administrators set user privileges, such as: –Read –Write –Create –Modify –Delete –Compare –Copy

30 CC3020N Fundamentals of Security Management Slide 30 Windows XP ACLs

31 CC3020N Fundamentals of Security Management Slide 31 Configuration Rules Configuration rules are the specific configuration codes entered into security systems to guide the execution of the system when information is passing through it.

32 CC3020N Fundamentals of Security Management Slide 32 Firewall Configuration Rules

33 CC3020N Fundamentals of Security Management Slide 33 Intrusion Detection System (IDS) Configuration Rules

34 CC3020N Fundamentals of Security Management Slide 34 Guidelines for Policy Development It is often useful to view policy development as a two-part project –First designs and develops the policy (or redesigns and rewrites an outdated policy) –Second establishes management processes to perpetuate the policy within the organization The former is an exercise in project management, while the latter requires adherence to good business practices.

35 CC3020N Fundamentals of Security Management Slide 35 Investigation Phase The policy development team should –Obtain support from senior management and active involvement of IT management, specifically the CIO. –Clearly articulate goals of policy project. –Gain participation of correct individuals affected by the recommended policies. –Be composed of end users and members from Legal and Human Resources. –Assign a project champion with sufficient stature and prestige. –Acquire a capable project manager. –Develop a detailed outline of and sound estimates for the cost and scheduling of the project.

36 CC3020N Fundamentals of Security Management Slide 36 Analysis Phase The analysis phase should include the following activities/documents –New or recent risk assessment or IT audit documenting the current information security needs of the organization –Key reference materials including any existing policies

37 CC3020N Fundamentals of Security Management Slide 37 Design Phase The design phase should include –How the policies will be distributed. –How verification of the distribution will be accomplished. –Specifications for any automated tools. –Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified.

38 CC3020N Fundamentals of Security Management Slide 38 Implementation Phase The policy development team writes the policies. Make certain the policies are enforceable as written. Policy distribution is not always as straightforward. Effective policy is written at a reasonable reading level, and attempts to minimize technical jargon and management terminology.

39 CC3020N Fundamentals of Security Management Slide 39 Maintenance Phase Maintain and modify the policy as needed to ensure that it remains effective as a tool to meet changing threats. The policy should have a built-in mechanism through which users can report problems with the policy, preferably anonymously. Periodic review should be built into the process.

40 CC3020N Fundamentals of Security Management Slide 40 The Information Security Policy Made Easy Approach (ISPME) http://www.informationshield.com/?c1=se&source=goo gle&kw=ccw Gathering key reference materials Defining a framework for policies Preparing a coverage matrix Making critical systems design decisions Structuring review, approval, and enforcement processes

41 CC3020N Fundamentals of Security Management Slide 41 Coverage Matrix

42 CC3020N Fundamentals of Security Management Slide 42 ISPME Checklist 1.Perform a risk assessment or information technology audit to determine your organization's unique information security needs. 2.Clarify what the word “policy” means within your organization so that you are not preparing a “standard,” “procedure,” or some other related material. 3.Ensure that roles and responsibilities related to information security are clarified, including responsibility for issuing and maintaining policies. 4.Convince management that it is advisable to have documented information security policies. 5.Identify the top management staff who will be approving the final information security document and all influential reviewers.

43 CC3020N Fundamentals of Security Management Slide 43 ISPME Checklist (cont.) 6.Collect and read all existing internal information security awareness material, and make a list of the included bottom-line messages. 7.Conduct a brief internal survey to gather ideas that stakeholders believe should be included in a new or updated information security policy. 8.Examine other policies issued by your organization, such as those from Human Resources management, to identify prevailing format, style, tone, length, and cross- references. 9.Identify the audience to receive information security policy materials, and determine whether they will each get a separate document or a separate page on an intranet site.

44 CC3020N Fundamentals of Security Management Slide 44 ISPME Next Steps Post polices to intranet or equivalent. Develop a self-assessment questionnaire. Develop revised user ID issuance form. Develop agreement to comply with information security policies form. Develop tests to determine if workers understand policies. Assign information security coordinators. Train information security coordinators.

45 CC3020N Fundamentals of Security Management Slide 45 SP 800-18: Guide for Developing Security Plans http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18- Rev1-final.pdf The NIST (National Institute of Standards and Technology) Special Publication 800-18 offers another approach to policy management. These policies are living documents that constantly change and grow. These documents must be properly disseminated (distributed, read, understood, and agreed to) and managed. Good management practices for policy development and maintenance make for a more resilient organization.

46 CC3020N Fundamentals of Security Management Slide 46 SP 800-18: Guide for Developing Security Plans (cont.) In order to remain current and viable, policies must have: –An individual responsible for reviews –A schedule of reviews –A method for making recommendations for reviews –An indication of policy and revision date

47 CC3020N Fundamentals of Security Management Slide 47 A Final Note on Policy Least you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy. Policies exist first, and foremost, to inform employees of what is and is not acceptable behavior in the organization. Policy seeks to improve employee productivity, and prevent potentially embarrassing situations.

48 CC3020N Fundamentals of Security Management Slide 48 Summary Introduction Why Policy Enterprise Information Security Policy Issue-Specific Security Policy System-Specific Policy Guidelines for Policy Development

Download ppt "CC3020N Fundamentals of Security Management CC3020N Fundamentals of Security Management Lecture 4 Security Policy, Standard, and Practices."

Similar presentations

Configuration Management

Configuration Management
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Information Security Policy

Information Security Policy
information Security Blueprint

information Security Blueprint
Information Security Policy

Information Security Policy
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Auditing Computer Systems

Auditing Computer Systems
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Information Security Policies and Standards

Information Security Policies and Standards
Each problem that I solved became a rule which

Each problem that I solved became a rule which
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Security Policies Group 1 - Week 8 policy for use of technology.

Security Policies Group 1 - Week 8 policy for use of technology.
ISA 220 – Quality Control for Audits of Historical Financial Information

ISA 220 – Quality Control for Audits of Historical Financial Information
Network security policy: best practices

Network security policy: best practices
Photocopies Occasionally need uncontrolled copies

Photocopies Occasionally need uncontrolled copies

Similar presentations

Ads by Google