Nyp Infosecurity Management Lecture 3
Copyright © 2018 Nanyang Polytechnic. School of Information Technology IT3111 ISecMg 2018
S2 1
All Rights Reserved.
Objectives
◦ To understand a policy and procedure framework
◦ To draft policies and procedures for an organisation
◦ To understand and explain the current InfoSecurity
management guidelines and standards
Topics
◦ Organization Policy and Procedure Framework
◦ Security Policy Implementation
◦ Different Types of Security Policy
◦ Security Policy Compliance and Review
The output of the risk management
process is an input for making
A. Business plans
B. Audit charters
C. Security policy decisions
D. Software design decisions
Section 1: Organization Policy and Procedure Framework
Information Security Governance sits within IT Governance, which in turn sits within Corporate Governance.
[Diagram: IT governance focus areas, with Stakeholder Value Drivers at the centre surrounded by Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement]
Stakeholders
◦ Board of directors, CEO, process owners, IT suppliers and
auditors
Strategic Alignment
◦ Linkage of Business and IT plans
Value Delivery
◦ IT delivers the promised benefits against the strategy
Risk Management
◦ Risks are assessed and mitigated
Resource Management
◦ Optimisation of knowledge and infrastructure
Performance Measurement
◦ Tracks and monitors strategy implementation
Risk Management
Industrial Standards
◦ ISO/IEC 27002 (formerly ISO/IEC 17799:2005, derived from BS 7799) –
Code of practice for information security management
Guidelines and general principles for initiating,
implementing, maintaining, and improving information
security management in an organization. The certifiable
requirements for an Information Security Management System
(ISMS) are in the companion standard ISO/IEC 27001.
Guidelines
◦ COBIT
◦ Technology Risk Management Guidelines for
Financial Institutions, MAS, Singapore
◦ NIST Special Publications Series (csrc.nist.gov)
The 11 security control clauses of ISO/IEC 27002:2005:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and
Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
Section 2: Security Policy Implementation
Policies ensure that proper control of
information assets is implemented
Policies help limit legal liability by documenting
the organisation's duty of care
Most importantly, policies strengthen the
security controls placed on the organisation's
information assets
Management participation in the creation and
enforcement of policies, procedures and guidelines (PPG)
is crucial to the whole effort of securing information assets
Each of the following should serve on a
security policy development team except?
A. Member of management who can enforce
the policy
B. Member of the legal staff
C. Representative from an IT security vendor
D. Senior level administrator
Security Policies
◦ High-level statement of enterprise beliefs, goals,
and objectives, and the general means for their
attainment for a specified subject area
◦ High-level plans that state the goals the supporting
procedures must achieve
◦ Key ideas:
Brief
Use general terms
Use simple sentences
◦ Example – Wireless@NYP Policy
Procedures
◦ Spell out the specific steps of how the policy, the
supporting standards and guidelines will actually be
implemented.
◦ Description of tasks that must be completed in a
specific order
◦ Example
Wireless LAN Client Configuration Guide for Windows 7
Guidelines
◦ General statements designed to achieve the objective of the
policy by providing a framework within which to implement
procedures
◦ Example - Risk Management Guide for Information Technology
Systems by NIST
Standards
◦ Mandatory activities, actions, rules, or regulations designed to
provide policies with the support structure and specific
direction they require to be meaningful and effective
◦ Example – ISO/IEC 27002, the code of practice for information
security management (with ISO/IEC 27001 for ISMS requirements)
[Diagram: relationship between Policies and Procedures]
Standards, guidelines, and procedures are
separate yet linked documents, distinct from the
general policies (especially the senior-level
statement)
◦ Each serves a different function and addresses a
different audience
◦ Physical distribution of the policies is easier
◦ The confidentiality requirements differ for each document
type (a procedure may reveal control details that the
policy itself does not, so it may need restricted distribution)
◦ A modular approach to the policy documents keeps
revision time and costs down
Need to have a top-level corporate
information security policy
Scope: everything related to IT security
Generally 3 categories of policies
◦ General policy
Create overall information security vision of an
organisation
◦ Topic-specific policies
Address specific area of concern, e.g. internet security
policy
◦ Application-specific policies
To protect particular applications or systems (if any)
Policies should be approved by management,
published, and communicated throughout the
organization in a form that is relevant,
accessible, and understandable to the
intended reader.
◦ Distribution via manuals, the intranet, handbooks,
or awareness classes
Each of the following is a guideline for developing a
security policy except?
A. Notify users in advance that a new security policy is
being developed and explain why the policy is
needed
B. Provide a sample to the people affected by the
policy with an opportunity to review and comment
C. Prior to deployment, give all users at least two
weeks to review and comment
D. Require all users to approve the policy before it is
implemented
Security Policies should state
◦ A definition of information security
◦ Its overall objectives and scope
◦ The importance of security as an enabling mechanism
for information sharing.
◦ A statement of management intention, supporting the
goals and principles of information security.
◦ A brief explanation of specific security policies,
standards, and compliance requirements.
◦ Definition of general and specific responsibilities for
information security management, including security
incident reporting.
◦ References to documentation that may support the
policy.
e.g., the topic-specific policies or application-specific
policies.
General Policy
Senior management is responsible for creating it. It
establishes the overall security policy of the
organization and assigns responsibilities for
implementation of, and compliance with, the policy.
Components include :
◦ Topic
Defines the goals of the policy.
Most general policies concentrate on protecting the confidentiality,
integrity, availability, and authenticity of the information resource.
May establish which type of information is valuable and should be
protected.
◦ Scope
To specify the boundary of the topic.
e.g., “all information wherever stored and however generated.”, “The
policy is intended for all employees.”, “Personnel with access to top-
secret information.”
◦ Responsibilities
Spells out the roles played by management, staff and who should be
responsible for day-to-day administration of the policy.
◦ Compliance
Who is responsible for ensuring compliance?
What happens when the policy is violated?
Avoid prescribing mandatory sanctions; give management leeway
to resolve issues on a case-by-case basis.
Topic-specific Policies
Narrowly focused on one issue at a time
Components include:
◦ Thesis statement
To establish a policy on a specific topic
Goals and objectives should be identified
◦ Relevance
To establish to whom the policy applies
Where, how and when the policy is applicable
◦ Responsibilities
To establish who is responsible under this policy
Use job functions whenever possible
Components include (cont):
◦ Compliance
May include description of undesirable behaviour
Who is responsible for monitoring compliance.
◦ Additional Information
Contact information of relevant individuals (by job
title), readers can contact for more information.
Application-specific Policies
Focus on one specific system or application.
Along with topic-specific policies, these are usually the final
element of the overall organization security policy.
Deal with issues such as:
◦ Who has the authority to read or modify application data?
◦ Under what circumstances can the data be accessed?
◦ How is remote access controlled?
Good policies contain rules which are based on the
business and mission objectives and are in line
with the General and/or Topic-specific policies.
Know the subject you are writing about.
◦ Essential to be familiar with the technology underlying the
information asset
◦ Enlist the help of a domain expert
Be aware of the language used in the policy
◦ Use the active voice
◦ Keep sentences clear and precise
◦ Use the established style
Make use of good templates from credible sources
◦ http://www.sans.org/security-resources/policies/
Section 3: Different Types of Security Policy
Common types of security policies are
◦ Privacy Policy (Privacy Statement)
◦ Authentication & Network Security
◦ Internet Security Policies
◦ Email Security Policies
◦ Viruses, Worms and Trojan Horses
◦ Acceptable Use Policy
◦ Policy on the use of mobile devices
◦ Software Management Policies
Network Security
◦ Network Planning
◦ Network Addressing
Consider mobile computers vs desktops
VLANs
◦ Policies for expanding the network
◦ VPNs and Extranets
◦ Authorization of services
Authentication
◦ Login requirements and procedures
◦ Login banners
Consider nondisclosure agreement
◦ Login controls
Use of two-factor authentication for certain
information classification
Login reporting
◦ Session restrictions
Restrict login times, or rules to follow when logging
into sensitive systems
◦ User account management
Usernames
Creation and removal
◦ Special privileges
Should not violate existing policies
Special handling procedures
Passwords
◦ Define valid passwords
◦ Storage of passwords
Escrow service
◦ Special passwords, e.g. duress passwords
Access Controls
◦ Well-defined for each system/application
Telecommuting
◦ Employee equipment (esp. notebooks)
◦ Remote access data security guidelines
Remote Access Facilities
◦ Connection mode
Dial-up or Internet tunneling
Internet Security Policies
"Doorway" to the Internet
Need to consider 2 very important issues
◦ Creation of the 'doorway'
◦ Services allowed to pass through the 'doorway'
Architecture issues
◦ DMZ
◦ Defense in depth
Need to consider allowable services
◦ e.g. DNS, HTTP/HTTPS, FTP, LDAP, etc.
The allowed set changes constantly because the Internet
landscape is dynamic
Constantly updated to reflect current needs
and restrictions
Administrative responsibilities
◦ Maintenance
◦ Outsourcing agreements, esp. with ISP
◦ Enforcement
User responsibilities
◦ Training
◦ Aware of responsibilities of Internet use
◦ Transmission of sensitive information
Web access to network & infrastructure
◦ CGI-based web applications
◦ Servlets, applets and dynamic content
◦ Ensure risks to these applications are minimized
when open for web access
Content control (for internet access)
◦ Manage through information classification
User access to the web
◦ Legal issues regarding disallowed sites
◦ Work vs personal browsing
Modems and backdoors
◦ Cover 3G broadband modem use and any other connections
to outside entities that bypass the official Internet gateway
Email Security Policies
Administration of email
◦ Right to monitor email
◦ Archival of email
◦ Scanning of email for viruses and other reasons
◦ Size of email (performance)
Use of email for confidential communication
◦ Encryption
◦ Digital signing
Viruses, Worms and Trojan Horses (VWTH)
Usually a sub-section of the Internet Security
policy
The prevalence of mobile computers and removable media has
"opened doors" to threats from viruses, worms and Trojan horses.
Need to establish:
◦ Type of virus protection
◦ System integrity checks
◦ Rules on removable media
◦ Rules for using third-party software
User involvement with malware
◦ Specify penalties for users found creating, distributing or
deliberately introducing it.
Encryption policy
◦ Specify when, where, what and how to use
encryption that is acceptable to the organization.
◦ Changes as encryption technology evolves
Software development policies
◦ Development roles and responsibilities
◦ Software access control
◦ Software testing and documentation
◦ Configuration management
◦ Software escrow
◦ Intellectual property
Section 4: Security Policy Compliance and Review
Publishing and notification of policies to staff
◦ Make it easily accessible, e.g. intranet
◦ Part of staff induction
◦ Regular staff updates, either through training
sessions or web-based training
Monitor, Control and Remedies
◦ Establish the legal basis for the right to monitor and
to prosecute
◦ Install appropriate technical controls (where available) to
enforce the policies rather than relying on compliance alone
Logging of events
Handling of violations
◦ Establish the authority empowered to take disciplinary
action
◦ Establish procedures for the preservation of evidence
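The session-restriction clause in the authentication policy (restrict login times on sensitive systems) and the compliance controls above (install enforcing controls, log events, preserve evidence) can be connected in code. The following is an added example, not part of the lecture: it turns an assumed policy clause into a checkable rule, runs it over constructed sshd-style log lines, and hashes each offending raw line so the evidence handed to the disciplinary authority can later be shown to match what was logged. The hostnames, users, timestamps and the 08:00-20:00 weekday window are all assumptions made for the example.

```python
"""Check authentication logs against a session-restriction policy.

Added example (not from the lecture). Assumed policy clause: interactive
logins to hosts tagged "sensitive" are permitted only 08:00-20:00 local
time, Monday to Friday, and the root account may never log in directly
over SSH. Everything below (hosts, users, times) is constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, time

SENSITIVE_HOSTS = {"hr-db01", "fin-app01"}      # assumed asset tags
ALLOWED_WINDOW = (time(8, 0), time(20, 0))      # assumed policy window
WEEKDAYS = range(0, 5)                          # Monday=0 .. Friday=4

# Constructed sshd log lines: <timestamp> <host> sshd[pid]: <message>
SAMPLE_LOG = """\
2018-03-05T09:14:02 hr-db01 sshd[2031]: Accepted publickey for alice from 10.0.4.12 port 51022 ssh2
2018-03-05T22:47:51 hr-db01 sshd[2188]: Accepted password for bob from 10.0.9.77 port 40212 ssh2
2018-03-10T11:03:10 fin-app01 sshd[4410]: Accepted password for root from 10.0.9.77 port 40300 ssh2
2018-03-06T13:30:00 web01 sshd[771]: Accepted publickey for carol from 10.0.4.13 port 50011 ssh2
2018-03-06T13:31:45 hr-db01 sshd[2290]: Failed password for dave from 10.0.9.78 port 40400 ssh2
"""

# Only successful logins are in scope for the session-restriction rule.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class Violation:
    rule: str
    user: str
    host: str
    timestamp: str
    evidence_sha256: str   # digest of the exact raw log line


def check_login(ts: datetime, host: str, user: str) -> list[str]:
    """Return the rules a successful login breaks (empty list = compliant)."""
    broken = []
    if host in SENSITIVE_HOSTS:
        if user == "root":
            broken.append("no-direct-root-login")
        in_window = ALLOWED_WINDOW[0] <= ts.time() <= ALLOWED_WINDOW[1]
        if ts.weekday() not in WEEKDAYS or not in_window:
            broken.append("outside-login-window")
    return broken


def audit(log_text: str) -> list[Violation]:
    """Parse successful logins out of the log and report policy violations."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                       # failed attempts / other lines: skip
            continue
        ts = datetime.fromisoformat(m["ts"])
        for rule in check_login(ts, m["host"], m["user"]):
            # Hash the untouched line so the reviewer can later prove the
            # evidence presented is the line that was actually logged.
            digest = hashlib.sha256(line.encode()).hexdigest()
            findings.append(Violation(rule, m["user"], m["host"], m["ts"], digest))
    return findings


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"{v.timestamp} {v.host} {v.user}: {v.rule} "
              f"(evidence sha256 {v.evidence_sha256[:16]}...)")
```

On the constructed log, bob's 22:47 login and root's Saturday login on a sensitive host are flagged; carol's login to a non-sensitive host and dave's failed attempt are not. Keeping the digest of the raw line, rather than of a reformatted report, is what makes the finding usable as preserved evidence.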
Policy review is an important activity to keep policies relevant
and up-to-date
Consider the following as input to the policy
review process
◦ Results of security audit and/or risk assessment
◦ Business intelligence and information from
management
◦ Network and system administrators
Set up review committee
◦ All stakeholders
◦ A legal counsel, if possible
What you’ve learnt
Organization Policy and Procedure Framework
Security Policy Implementation
Different Types of Security Policy
Security Policy Compliance and Review