1. Policy, Regulation, and Ethics Policy Systems and procedures must meet policy requirements. Regulation Organizations must comply with requirements of the laws to which it is subject. Ethics Organizations may choose to generate desired ethical behavior.

2. How Security, Regulation, and Ethics Are Related? All three complement each other. A minimum is defined by regulatory requirements. Policies help ensure that these requirements and met and in fact, more is done where it is deemed appropriate and cost effective. Promotion of ethical behavior is likely to generate desired behavior, aligned with meeting regulatory requirements and honoring policies. Environment where ethical behavior is stressed could foster a sense of duty. People may tend to do the right thing, beyond the law and policies.

3. Organization and Accountability Organization structure should ideally represent accountability consistent with roles of personnel. Accountability for information security is typically assigned to information security director who may report to CEO or CIO or Other top level executive This role must be managed in a multidisciplinary context because issues of information security are multidisciplinary.

4. Security Policies Policy: A high level document independent of all functions, roles, powers, and personalities. Security policy: A formal statement of the rules by which people who are given access to organization’s technology and information assets must abide. Standards: Tend to enforce and tried and tested practices. Procedures: Describe, where necessary, specific ways of securing information assets. Guidelines: Provide examples and interpretation of the policy and related standards to facilitate policy implementation.

5. Purposes of a Security Policy Informs users, staff, and managers of obligations concerning protection of information technology and assets. Provides a baseline to provide assurance for compliance with the policy. Provides a basis for determine what security tools to use to adequately protect information assets.

6. Characteristics of a Policy Tenure: Generally, a policy should have a long tenure, during which it may not change much. Requisite variety: Each policy must have requisite variety. All anticipated requirements to provide control must be addressed in a policy. Feasibility: Policies must go through the test if feasibility. Understandability: Policy must be written so that it is easy to understand. Balance: Policy must balance the need for security with functionality and usability of information systems.

7. Content Areas of an Information Security Policy Purpose Scope Policy Definitions Responsibilities Administration and interpretations Amendments/termination of the policy References to applicable policies and standards Exceptions Violations/enforcement

8. AreaDescription of content within the area PurposeNarrates why this policy is written and how it will benefit the organization. ScopeTo whom does the policy apply is clarified in this area. PolicyThis is the core of policy – the statement(s) that describe the policy. DefinitionsIf the policy includes certain terms, these are defined in this area. This allows for a very specific interpretation of the policy, irrespective of how these terms are used in the profession. ResponsibilitiesIdentifies who is responsible for enforcement of the policy. If more than one party is responsible, a clear identification of responsibility of each party with respect to the policy enforcement should be included. Administration and interpretations Identifies who is responsible to answer questions regarding this policy, to maintain records regarding the policy issues and how they were resolved, and to document violations of the policy and their resoluton. Amendments/Termination of the policy This part states that (1) the organization reserves the right to modify, amend or terminate the policy at any time and (2) the policy does not constitute a contract between the organization and its employees. References to applicable standards This section lists policies related to the policy. ExceptionsHere, the policy identifies how to request an exception to the policy, what information should the request provide, and to whom it should be addressed. Typically, all exception requests are handled in accordance with an information security exception policy. Violations/EnforcementSpecifies where to report any know violations of the policy, and what consequences could result from such violations. For example, consequences may result in immediate suspension of user privileges, a disciplinary action, or reporting the case to appropriate law enforcement agencies.

9. Classification of Policies Various alternative classifications are possible. Information security policies may be categorized: Using components of an information system. In terms of physical security and logical security. As system specific or issue specific.

10. Policy Development Process The process must mirror risk management processes. Identify critical information systems processes and assets. Understand what risks each information asset faces. Identify the asset’s vulnerabilities and anticipate types of threat the asset might be subject to. Identify control and security measures to protect the information asset. Develop a policy that provide cost effective protection measures. Periodically, review the policy in light of changes in the organization and its environment.

11. Regulatory Requirements Regulations exist in the area of information assets protection, and must be met. Such regulations typically define the threshold needs to protect information assets. Compliance of such requirements provides an assurance that the entity is meeting needs for protection of information assets at the levels required by law. At the same time, compliance helps the entity protect its information assets and prosecute those who compromise the security.

12. Regulatory Requirements and Security Objectives Information assets protection Authentication Integrity of logic Integrity of communication Confidentiality and privacy System availability Computer crimes

13. Objectives, vulnerabilities, and regulation Security objective Selected VulnerabilitiesIllustrative regulatory requirements Information assets protection Theft Software piracy Computer Software Copyright Act of 1980 Digital Millenium Copyright Act (1998) AuthenticationImpersonation Spoofing Session hijacking Man-in-the-middle attack Electronic signature legislation Digital signature laws Integrity of logic (programs) Malicious code Buffer overflow Uniform Commercial Code Integrity of communication Website defacement Active wiretap Falsification of message The Electronic Communications Privacy Act of 1986 Confidentiality and privacy Eavesdropping Passive wiretap Right to Financial Privacy Act of 1978 The Gramm-Leach-Bliley Act (1999) Children’s Online Privacy Prevention Act [COPPA] (1998) Health Insurance Portability and Accountability Act [HIPAA] (1996) System availabilityConnection flooding Denial of Service (DNS) attack Distributed Denial of Service Computer Fraud and Abuse Act (1984, 1986, 1996)

14. Ethical Behaviour in Organizations Ethics: The principles of conduct individuals and groups use in making and implementing choices. Principles of moral conduct are the foundation for ethical behavior. Ethical behavior may have implications for information security.

15. Business Ethics An organization is a group of individuals with shared values and goals. Business as an organization should deserve its place within the society. Organizational legitimacy is a result of the degree of congruence between social values associated with or implied by the firm’s activities and the norms of acceptable behavior in the larger social system to which they belong. Individuals as employees should ask questions concerning consequences of an action, serving others’ rights, consistency of decisions with basic values, and feasibility of their actions in the world as it is.

16. Developing Information Management Policies Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement ePolicies typically include: Ethical computer use policy Information privacy policy Acceptable use policy E-mail privacy policy Internet use policy Anti-spam policy

17. ETHICAL COMPUTER USE POLICY Ethical computer use policy – contains general principles to guide computer user behavior The ethical computer user policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules

18. ETHICAL COMPUTER USE POLICY

19. INFORMATION PRIVACY POLICY The unethical use of information typically occurs “unintentionally” when it is used for new purposes For example, social insurance numbers started as a way to identify government retirement benefits and are now used as a sort of universal personal ID Information privacy policy - contains general principles regarding information privacy

20. INFORMATION PRIVACY POLICY Information privacy policy guidelines 1. Adoption and implementation of a privacy policy 2. Notice and disclosure 3. Choice and consent 4. Information security 5. Information quality and access

21. ACCEPTABLE USE POLICY Acceptable use policy (AUP) – a policy that a user must agree to follow in order to be provided access to a network or to the Internet An AUP usually contains a nonrepudiation clause Nonrepudiation – a contractual stipulation to ensure that e-business participants do not deny (repudiate) their online actions

22. ACCEPTABLE USE POLICY

23. E-MAIL PRIVACY POLICY Organizations can mitigate the risks of e-mail and instant messaging communication tools by implementing and adhering to an e-mail privacy policy E-mail privacy policy – details the extent to which e-mail messages may be read by others

24. E-MAIL PRIVACY POLICY

26. INTERNET USE POLICY Internet use policy – contains general principles to guide the proper use of the Internet

27. MONITORING TECHNOLOGIES Monitoring – tracking people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed Key logger or key trapper software Hardware key logger Cookie Adware Spyware Web log Clickstream

28. EMPLOYEE MONITORING POLICIES Employee monitoring policies – explicitly state how, when, and where the company monitors its employees

29. Assurance Considerations Policy development, implementation, and enforcement Is the policy current? Is it enforced? Are violations and exceptions to the policy tracked and reported? Who acts on such violations? Are such actions proper? Overall, is the policy effective? Compliance with regulations Is an integrated approach used, where legal, technological and operational aspects are considered together? Or is the compliance a patch work? Who is responsible for compliance? Are the compliance solutions documented? Are changes in the regulatory requirements monitored? Is the whistle-blower system effective? Ethical behavior Does the organization have a code of conduct? What structure is in place to nurture ethical behavior in the organization? Who is accountable for promoting organization-wide ethical conduct? What programs are in place to achieve the objective? Are they effective?

30. 30 Physical Access Security  Establishing Perimeters  Implementing and Maintaining a System, Equipment, Procedures  Defensive Depth, Universal Application  Monitoring / Detection / Response  Common Intrusion Techniques

31. 31 What is a Perimeter?  Controlled border External: Public / First Level. May be outside of building. Second: Building Access. May include elevators and stairways. Multiple interior: authorization related to function- based “need to know”

32. 32 Systems, Equipment, Procedures  System components: hardware, software, devices, data, personnel (operators and staff)  Equipment: readers, tokens, cameras and video recorders, screen monitors, barriers (turnstiles, man-traps)  Procedures: operator, equipment maintenance, log review, token issuance, authorization maintenance. System upgrading. Guards.

33. 33 Defensive Depth  Multiple barriers to breach: make an intruder work harder  Multiple levels, multiple techniques  Multiple levels of monitoring and detection  Introduce random supplemental checks

34. 34 Universal Application  Every time  Every person  Every control point  Weekdays, nights and weekends  Especially no “official piggybacking”  Why: keeps the “bright line” between authorized and unauthorized

35. 35 Monitoring/Detection/Response  Monitoring: what conditions, when  Detection: manual, automatic, alarms; who is notified?  Response: √ Who, what, when √ How contacted √ Logistics and SLA  Failure in any area “breaks the chain” of response

36. 36 Common Intrusion Techniques  “Piggy-backing”  Poor housekeeping of access privileges Terminated employees Transferred employees  “I have a delivery for Mr./Ms. X.”  Concealment within interior protected areas  Exploitation of known system flaws

37. 37 WHAT YOU ALREADY KNOW  Good Things: Card readers and physical access control systems Cameras Locked doors  Bad Things: Piggybacking Easy-to-guess passwords Asleep at the console  No need to hear that again

38. 38 WHAT YOU MAY NOT KNOW...  Facilities & Security co-dependencies  How they affect the enterprise risk picture  How formal risk assessment techniques developed for other industries are emerging as tools to reduce critical facilities risks

39. 39 SO WHAT? WHO CARES? Poor Facilities/Security/IT/BCP coordination =  Wasted resources  Risk picture not fully understood  Risks not fully addressed Copyright 2004 Strategic Facilities Inc. All rights reserved CEOs, CFOs, CIOs, CHAIRMEN AND DIRECTORS CARE ABOUT THESE THINGS......AND SO DO REGULATORS

40. 40 SECURITY & FACILITIES  SECURITY NEEDS FACILITIES  Surveillance & Access Control need power  Cameras need light  Guard force needs decent environment just like everyone else  FACILITIES NEEDS SECURITY  Extra eyes and ears to for building problems  Help screen visiting technicians  Reduce tampering with building systems

41. 41 RELIABILITY  RELIABILITY What is the probability that a system will operate correctly? Over what mission time? Severity of failure is part of the risk conversation, not the reliability conversation Duration of failure is also a separate variable

42. 42  HOW SYSTEMS FAIL Independently due to internal, local failure Due to a “common cause” effect; that is, something that affects entire system at once Natural or man-made disaster, for example; tend to be high severity, low frequency Human error is most frequent common- cause failure mode; often less severe than disasters  Applies to Facilities, Security, IT, BCP

43. 43 1. When confronting a risk, ask yourself:  How often is it likely to occur?  How bad will its impact be if it does occur? 2. Then, compare this risk to others you face:  Is it likely to occur more or less frequently?  Is its likely impact more or less severe than others? 3. Apply this approach consistently across IT, Facilities and Security RECOMMENDATIONS & CONCLUSIONS

44. 44 4. When evaluating a risk reduction measure:  What does it require of other sectors - e.g., if it’s a Facilities measure, what do IT and Security need to do to make it work?  Who will do those things and how?  Same question for Security and IT initiatives 5. Then, look across sectors...  What other exposures are out there?  Who should address them? MORE RECOMMENDATIONS & CONCLUSIONS