
Week (6) Session (1)

Computer science Department


Executive Master in Cyber Security

Cybersecurity Policies
& Issues
EMCS-602

Spring 2021
2020-2021
Focus of This Session

FTC and FILs

HIPAA Security Rule

FFIEC

HIPAA Security Policies

GLBA

Break


Outline

Compliance Laws and Information Security Policy Requirements

IT Security Policy Framework Approaches

How to Design, Organize, Implement, and Maintain IT Security Policies


Slides from Security Policies and Implementation Issues (CHAPTER 3)

Compliance Laws and Information Security Policy Requirements

Pressures on Security Policies

FIGURE 3-1 Pressures on security policies.


What Are U.S. Compliance Laws? (1 of 2)

Key concepts contained in U.S. compliance laws affecting information security policies:
▪ Full disclosure
▪ Limited use of personal data
▪ Opt-in/opt-out
▪ Data privacy
▪ Informed consent
▪ Public interest


What Are U.S. Compliance Laws? (2 of 2)
▪ Federal Information Security Management Act
(FISMA)
▪ Health Insurance Portability and Accountability Act
(HIPAA)
▪ HITECH
▪ Gramm-Leach-Bliley Act (GLBA)
▪ Sarbanes-Oxley (SOX) Act
▪ Family Educational Rights and Privacy Act (FERPA)
▪ Children’s Internet Protection Act (CIPA)



Federal Information Security Management Act (FISMA)

▪ Requires government agencies to adopt a common set of information security standards
▪ Creates mandatory requirements to ensure the integrity, confidentiality, and availability of data
▪ Any organization that processes data for the government may be required to follow the same standards

NIST outlines security standards and processes:
• Inventory
• Categorize by risk level
• Security controls
• Risk assessment
• System security plan
• Certification and accreditation
• Continuous monitoring


Health Insurance Portability and Accountability Act (HIPAA) (1 of 2)

▪ Protects a person’s privacy
▪ Anyone who handles health records must adhere to HIPAA
▪ Includes doctor’s offices, hospitals, clinics, and insurance companies

Covered entities:
• Healthcare providers—Doctors, hospitals, clinics, and others
• Health plans—Those that pay the cost for the medical care, such as insurance companies
• Healthcare clearinghouses—Those that process and facilitate billing
• “Business associates”—Vendors and subcontractors of any covered entity


Health Insurance Portability and Accountability Act (HIPAA) (2 of 2)

For security policies to be HIPAA-compliant, they must include:
▪ Administrative safeguards
  ▪ Formal security policies and procedures that map to HIPAA security standards
▪ Physical safeguards
  ▪ Physical security of computer systems and the physical health records
▪ Technical safeguards
  ▪ Controls that use technology to protect information assets
▪ Risk assessment
  ▪ A standard requirement of a risk-based management approach to information security
Health Information Technology for Economic and Clinical Health (HITECH) Act

Enhanced HIPAA in 2009

Imposes data breach notification requirements for unauthorized uses and disclosure of unsecured or unencrypted protected health information (PHI)

Expanded HIPAA compliance requirements to business associates of medical providers


Gramm-Leach-Bliley Act (GLBA) (1 of 2)

▪ Applies to any organization that lends, exchanges, transfers, invests, or safeguards money or securities
▪ Not focused on technology
▪ Was meant to repeal existing laws so that banks, investment companies, and other financial services companies could merge
▪ Section 501(b) outlines information security requirements for the privacy of customer information


Gramm-Leach-Bliley Act (GLBA) (2 of 2)

For security policies to be GLBA-compliant, they must include:
▪ Governance
  ▪ Includes designating someone in an organization as accountable for information security, such as CISO or CIO
▪ Information security risk assessment
▪ Information security strategy
▪ Security controls implementation
▪ Security monitoring
▪ Security monitoring and updating


Sarbanes-Oxley (SOX) Act

▪ Enacted in reaction to a series of accusations of corporate fraud
▪ Some companies accused of “cooking the accounting books” or making illegal loans to their top executives
▪ Describes how a company should report earnings, valuations, corporate responsibilities, and executive compensation

Frameworks used by external auditors as well to certify SOX compliance:
• Committee of Sponsoring Organizations (COSO)
• Control Objectives for Information and related Technology (COBIT)
Family Educational Rights and Privacy Act (FERPA) (1 of 2)

Applies to educational institutions such as colleges and universities

Any educational institution must protect privacy of its student records and must provide students access to their own records

Gives students a way to correct errors and control disclosure of their records

Law broadly defines education records as any information related to the educational process that can uniquely identify the student


Family Educational Rights and Privacy Act (FERPA) (2 of 2)

For security policies to be FERPA-compliant, they must include:
▪ Awareness
  ▪ School must post its FERPA security policies and provide awareness of them
▪ Permission
  ▪ School must have recorded permission to share student’s education records
▪ Directory information
  ▪ School can make directory information (such as name, address, telephone number, and date of birth) about student publicly available, but must provide the student with a chance to opt out of such public disclosure
▪ Exclusions
  ▪ School can share information without permission for legitimate education evaluation reasons as well as for health and safety reasons


Children’s Internet Protection Act (CIPA)

Schools and libraries that receive federal funding must block pornographic and explicit sexual material on their computers to limit children’s exposure

For security policies to be CIPA-compliant, they must include:
▪ Awareness
  ▪ School or library must post CIPA security policies and provide awareness of them
▪ Internet filters
  ▪ Only targeted material intended by CIPA is blocked
▪ Unblocking
  ▪ There must be a process to allow the filter to be unblocked or disabled for adults
▪ Education
  ▪ Education for children on Internet safety and on cyberbullying and how to respond


Whom Do the Laws Protect?

Individuals: A number of laws focus on protecting an individual’s private information

Shareholders: When investors believe a company’s financials and risks are properly managed, they feel they can make informed judgments. Promotes a healthy economy

The public interest: Term reflects idea that an organization has an obligation to the general public beyond their self-interest

National security: Cyberterrorism threatens not only the company being targeted but also the country’s critical infrastructure


Aligning Security Policies and Controls with Regulations

▪ Inventory
▪ Business requirements
▪ Security policies
▪ Security framework
▪ Security control mapping
▪ Monitoring and testing
▪ Evidence


Aligning Security Policies and Controls with Regulations

Inventory—Make sure you have a solid inventory of hardware, software, and information. You need to know where the information is collected, stored, and processed.

Business requirements—Your business is ultimately accountable to regulators. Ensure the business understands the data handling requirements of each regulation. Ensure that there is an acceptable use policy for the handling of different kinds of data. For example, is the customer presented with an opt-in or opt-out check box? Even these simple choices may have regulatory implications.

Security policies—Security policies need to reflect these business requirements. It’s equally important to establish a core set of principles. These core principles allow you to educate the business and address a significant number of regulations.

Security framework—The selection of a security framework allows you to show regulators that you are using best practices. Use widely accepted standards, procedures, and guidelines.


Aligning Security Policies and Controls with Regulations

Security control mapping—When you build security controls, be sure to map them to the related policy or policies. Policies also map to regulations. Security control mappings are important to demonstrate coverage of regulatory requirements. They show the importance of each security control. Ideally, you also want to map security controls to the security framework. This will provide a comprehensive end-to-end overview of security.

Monitoring and testing—Your organization must monitor and test any security control related to regulatory compliance. You should try to monitor and test all security controls. If you cannot, prioritize the controls starting with the most important ones.

Evidence—At some point you will be required to provide regulators with evidence. Regulators want to see a well-thought-out approach to compliance. The security policies, framework, and control mapping are a good start. The mapping demonstrates a thorough understanding and intent to comply. Your monitoring and testing efforts also provide evidence that things are working as planned.
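The control-mapping, monitoring and evidence steps described above can be checked mechanically once the mapping is written down as data. The following Python is an added example, not code from the course or from the textbook the slides are drawn from: it models a small regulation-to-policy map and a control inventory, then reports, per regulation, which mapped policies have no implementing control, which implementing controls have no testing evidence yet, and which controls map to no policy at all (the gap the "be sure to map them" advice warns about). IS-POL-800 is the Access Control framework policy id used in the course figures; every other policy id, control id, framework clause label and regulation label is constructed for the example.

```python
# Added example: regulation -> policy -> control -> evidence coverage check.
# Not course or textbook code. Only IS-POL-800 comes from the course figures;
# all other ids, labels and controls below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    policies: frozenset                       # policy ids this control implements
    framework_refs: frozenset = frozenset()   # framework clause labels (constructed)
    tested: bool = False                      # True once monitoring/testing evidence exists


# Regulation -> policies expected to satisfy it (constructed mapping; the
# regulation labels paraphrase requirement areas named earlier in the deck).
REGULATION_TO_POLICIES = {
    "HIPAA technical safeguards": frozenset({"IS-POL-800"}),
    "PCI DSS strong access control": frozenset({"IS-POL-800", "POL-PHYS-EXAMPLE"}),
    "GLBA security monitoring": frozenset({"POL-MON-EXAMPLE"}),
}

# Constructed control inventory. CTL-004 deliberately maps to no policy.
CONTROLS = [
    Control("CTL-001", "Unique user IDs; no shared accounts",
            frozenset({"IS-POL-800"}), frozenset({"ISO27002-A.9"}), tested=True),
    Control("CTL-002", "MFA for administrative access",
            frozenset({"IS-POL-800"}), frozenset({"ISO27002-A.9"}), tested=False),
    Control("CTL-003", "Badge access to server rooms",
            frozenset({"POL-PHYS-EXAMPLE"}), frozenset({"ISO27002-A.11"}), tested=True),
    Control("CTL-004", "Quarterly log review", frozenset(), tested=True),
]


def controls_by_policy(controls):
    """Index controls by the policy ids they implement."""
    index = {}
    for c in controls:
        for p in c.policies:
            index.setdefault(p, []).append(c)
    return index


def coverage_report(reg_map, controls):
    """Per regulation: mapped policies with no control, implementing controls
    with no testing evidence, and whether every mapped policy has at least one
    tested control (what a regulator would accept as evidence)."""
    by_policy = controls_by_policy(controls)
    report = {}
    for reg, policies in reg_map.items():
        unmapped = sorted(p for p in policies if p not in by_policy)
        untested = sorted({c.control_id
                           for p in policies
                           for c in by_policy.get(p, [])
                           if not c.tested})
        fully_covered = not unmapped and all(
            any(c.tested for c in by_policy.get(p, [])) for p in policies)
        report[reg] = {"unmapped_policies": unmapped,
                       "untested_controls": untested,
                       "fully_covered": fully_covered}
    return report


def orphan_controls(controls):
    """Controls that implement no policy: they cannot demonstrate regulatory coverage."""
    return sorted(c.control_id for c in controls if not c.policies)


def prioritize_testing(reg_map, controls):
    """Untested controls ordered by how many regulations depend on them, so
    limited monitoring effort starts with the most important controls."""
    weight = {}
    for policies in reg_map.values():
        for c in controls:
            if not c.tested and c.policies & policies:
                weight[c.control_id] = weight.get(c.control_id, 0) + 1
    return sorted(weight, key=lambda cid: (-weight[cid], cid))


if __name__ == "__main__":
    for reg, result in coverage_report(REGULATION_TO_POLICIES, CONTROLS).items():
        print(reg, result)
    print("controls mapped to no policy:", orphan_controls(CONTROLS))
    print("test next:", prioritize_testing(REGULATION_TO_POLICIES, CONTROLS))
```

Run on the sample data, the report flags the GLBA monitoring policy as having no implementing control, lists CTL-002 as the one untested control (and ranks it first for testing because two regulations depend on it), and flags CTL-004 as a control that maps to no policy.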


Security Policies and Controls Mapping to Frameworks

FIGURE 3-2 Security policies and controls mapping to frameworks.



Some Important Industry Standards

Payment Card Industry Data Security Standard (PCI DSS)
• Protects payment card information

Clarified Statement on Standards for Attestation Engagements No. 18 (SSAE 18)
• Created by American Institute of Certified Public Accountants (AICPA)
• Audit examines an organization’s control environment; replaces SAS 70

Information Technology Infrastructure Library (ITIL)
• A series of books that describe IT practices and procedures.


PCI DSS standard

▪ There are six control objectives within the PCI DSS standard. To be compliant, you need to include these control objectives in your security policies and controls. These control objectives are:
  • Build and maintain a secure network—Refers to having specific firewall, system password, and other security network layer controls.
  • Protect cardholder data—Specifies how cardholder data is stored and protected. Also sets rules on the encryption of the data.
  • Maintain a vulnerability management program—Specifies how to maintain secure systems and applications, including the required use of antivirus software.
  • Implement strong access control measures—Refers to restricting access to cardholder data on a need-to-know basis. It requires physical controls in place and individual unique IDs when accessing cardholder data.
  • Regularly monitor and test networks—Requires monitoring access to cardholder data. Also requires periodic penetration testing of the network.
  • Maintain an information security policy—Requires that security policies reflect the PCI DSS requirements. Requires that these policies are kept current and an awareness program is implemented.


International Laws

General Data Protection Regulation (GDPR)
• Applies to any organization that collects data from EU residents; primary goal is to protect personal data

European Telecommunications Standards Institute (ETSI)
• Establishing cybersecurity standards for all of Europe

Asia-Pacific Economic Framework (APEC)
• Consists of nine principles regarding personal privacy


Slides from Security Policies and Implementation Issues (CHAPTER 8)

IT Security Policy Framework Approaches

IT Security Policy Framework Approaches (1 of 4)

Choosing an IT security policy framework depends on:
▪ Your industry
▪ Your management view of risk
▪ Bias within your organization


Simplified IT Security Policy Framework Domain Model

FIGURE 8-1 Simplified IT security policy framework domain model.


The Importance of Transparency with Regard to Customer Data

Steps to selecting industry frameworks to consider:

Review industry regulatory requirements

Look to your auditors and regulators for guidance

Select frameworks that have maintained broad support in the industry over time


IT Security Policy Framework Approaches (2 of 4)

COSO
• A framework for validating internal controls and managing enterprise risks. Heavily focused on financial operations and risk management

COBIT
• A framework and supporting tool set that align business and control requirements with technical issues. Maps to many major frameworks such as COSO, ISO, and ITIL

ISO (International Organization for Standardization)
• The ISO standards related to information security and IT risk are widely accepted as the leading international standards


IT Security Policy Framework Approaches (3 of 4)

ITIL (Information Technology Infrastructure Library)
• A widely accepted international framework and set of best practices for delivering IT services

NIST (National Institute of Standards and Technology)
• Provides Federal Information Processing Standards (FIPS), required by FISMA

PCI DSS (Payment Card Security Standards Council)
• A security framework for any organization that accepts, stores, or processes credit cards

CIS (Critical Security Controls for Effective Cyber Defense)
• First developed in 2008 by the SANS Institute, now managed by the Center for Internet Security


IT Security Policy Framework Approaches (4 of 4)

▪ These frameworks are:
  ▪ Commonly adopted across an industry and define the best practices of an organization
  ▪ Best practices are typically the common practices and the professional care expected for an industry
  ▪ Flexible and modular
▪ A single organization could adopt the following:
  ▪ COSO for financial controls and enterprise risk management structure
  ▪ COBIT for IT controls, governance, and risk management
  ▪ ITIL for IT services management
  ▪ PCI DSS for processing credit cards
  ▪ ISO for broad IT daily operations
  ▪ CIS as a broad-based cyberdefense framework
Slides from Security Policies and Implementation Issues (CHAPTER 7)

How to Design, Organize, Implement, and Maintain IT Security Policies

Document Organization Considerations
▪ Although there are many ways to organize a library of policies, one thing they all have in common is the need for a numbering scheme
▪ A numbering scheme helps you organize the material by topic; it becomes a quick reference point for people to use to refer to specific content
▪ You can create your own numbering scheme or use an existing one
▪ Should you decide to use an existing framework like ISO/IEC 27002, you can begin with the taxonomy it provides


A Possible Policy and Standards Library Taxonomy

FIGURE 7-2 A possible policy and standards library taxonomy.

Control Standards Branch Out from the Access Control (IS-POL-800) Framework Policy

FIGURE 7-3 Control standards branch out from the Access Control (IS-POL-800) framework policy.

Baseline Standards and Procedures Provide Additional Branches of the Library Tree

FIGURE 7-4 Baseline standards and procedures provide additional branches of the library tree.

Guidelines Provide Additional Branches of the Library Tree

FIGURE 7-5 Guidelines provide additional branches of the library tree.


Slides from Security Policies and Implementation Issues (CHAPTER 10)

IT Infrastructure Security Policies

Anatomy of an Infrastructure Policy
Three ways to organize policies:
▪ Functional area
▪ Layers of security
▪ Domain


Workstation Domain Policies
Control Standards
• Device management
• User permissions
• Align with functional responsibilities

Baseline Standards
• Specific technology requirements for each device
• Review standards from vendors or organizations

Procedures
• Step-by-step configuration instructions

Guidelines
• Acquisitions (e.g., preferred vendors)
• Guidelines on active content and mobile code



Mobile Device Domain Policies
Bring your own device (BYOD)
• Employees bring whatever device they may have purchased and can connect, at least to a guest network

Choose your own device (CYOD)
• The organization provides a list of approved devices

Company-owned and personally enabled (COPE)
• The company provides personal devices, most often phones, to employees who can then also utilize the devices for personal use


LAN Domain Policies
Control Standards
• Firewalls
• Denial of service (DoS) protection
• Wi-Fi security control
• Align with functional responsibilities
Baseline Standards
• Specific technology requirements for each device
• Network segmentation and traffic monitoring
• Review standards from vendors or organizations
Procedures
• Step-by-step configuration
• Response to audit processing failures
• Firewall port/protocol alerts
• Monitoring Wi-Fi APs
• Audit record retention
Guidelines
• Acquisitions (e.g., preferred vendors)
• Description of threats and countermeasures
LAN-to-WAN Domain Policies
Control Standards
• Access control to the Internet
• Traffic filtering

Baseline Standards
• Specific technology requirements for perimeter devices

Procedures
• Step-by-step configuration
• Patch management

Guidelines
• DMZ, IDS/IPS, content filtering



WAN Domain Policies
Control Standards
• WAN management
• Domain Name Services
• Router security
• Protocols
• Web services
Baseline Standards
• Review standards from vendors or organizations
Procedures
• Step-by-step configuration of routers and firewalls
• Change management
Guidelines
• When and how web services may be used
• DNS management within the LAN and WAN environments



Remote Access Domain Policies
Control Standards
• VPN connections
• Multifactor authentication

Baseline Standards
• VPN gateway options
• VPN client options
• RADIUS server security requirements standard

Procedures
• Step-by-step VPN configuration and debugging

Guidelines
• Description of threats
• Security of remote computing environments, such as working from
home



System/Application Domain Policies
Control Standards
• Classifying assets
• Assigning accountability
• Logical or physical access control
• Align with functional responsibilities
Baseline Standards
• Specific technology requirements for each device
• Public Key Infrastructure Certification Authority (CA) Standard
• Approved Cryptographic Algorithms and Key Lengths Standard
• Physical Security Baseline Standards
• Developer Coding Standards
Procedures
• Step-by-step configuration
• Change management
Guidelines
• Acquisitions (e.g., preferred vendors)
• Description of threats and countermeasures
Telecommunications Domain Policies
Control Standards
• Protect with FIPS encryption
• Segregation of data and voice networks
Baseline Standards
• Specific technology requirements for each device
• Smartphone enterprise server configuration requirements
standard
• Use of Bluetooth communications standard
• VoIP security product requirements standard
• Use of other wireless
Procedures
• Step-by-step configuration
• Details for reporting a lost or stolen employer-issued smartphone
Guidelines
• May include VoIP systems architecture and security guidelines



Best Practices for IT Infrastructure Security Policies (1 of 3)

Select a framework, such as ISO or COBIT

Develop requirements and standards based on the framework

Review and adapt


Best Practices for IT Infrastructure Security Policies (2 of 3)

Make policies/standards available to all

Keep content cohesive

Keep content coherent

Maintain the same “voice” throughout


Best Practices for IT Infrastructure Security Policies (3 of 3)

Add only necessary information

Stay on message

Make your library searchable

Federate ownership to where it best belongs


Cloud Security Policies
International Organization for Standardization (ISO) 27017 applies the guidance of ISO
27002 to the cloud and adds seven new controls:
▪ CLD.6.3.1—Agreement on shared or divided security responsibilities between the
customer and cloud provider
▪ CLD.8.1.5—How assets are returned or removed from the cloud when the contract is
terminated
▪ CLD.9.5.1—Cloud provider must separate the customer’s virtual environment from other
customers or outside parties
▪ CLD.9.5.2—Customer and the cloud provider both must ensure the virtual machines are
hardened
▪ CLD.12.1.5—States it is solely the customer’s responsibility to define and manage
administrative operations
▪ CLD.12.4.5—The cloud provider’s capabilities must enable the customer to monitor
their own cloud environment
▪ CLD.13.1.4—The virtual network environment must be configured so that it at least
meets basic standards



Summary
▪ U.S. compliance laws and their importance
▪ Aligning security policies and controls with regulations
▪ Industry self-regulation through leading practices
▪ Industry standards
▪ International laws
▪ Different methods and best practices for approaching a security policy framework
▪ Importance of defining roles, responsibilities, and accountability for personnel
▪ Separation of duties
▪ Importance of governance and compliance
▪ Core principles of policy and standards design
▪ Implementing policies and libraries
▪ Policy change control board purpose and roles
▪ Business drivers for policy and standards changes
▪ Best practices for policy management and maintenance
▪ Elements of an infrastructure security policy
▪ Policies associated with various domains of a typical IT infrastructure
▪ Best practices in creating and maintaining IT policies
Break: we will come back after (_) minutes

Resources
▪ DHHS created an online tool (Breach Portal) that allows CEs to quickly notify the DHHS of any cybersecurity breach. The tool can be accessed at the following link: https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true
▪ DHHS has a public online portal that lists all the breach cases being investigated and archived at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf


Building: 61
Room:

Contact:

Email address:
-----@kau.edu.sa
