
Topic 3

Copyright © 2018 Nanyang Polytechnic. School of Information Technology IT3111 ISecMg 2018
S2 1
All Rights Reserved.
• Objectives
◦ To understand a policy and procedure framework
◦ To draft policies and procedures for an organisation
◦ To understand and explain the current information security management guidelines and standards

• Topics
◦ Organization Policy and Procedure Framework
◦ Security Policies Implementation
◦ Different Types of Security Policy
◦ Security Policy Compliance and Review

The output of the risk management process is an input for making:

A. Business plans
B. Audit charters
C. Security policy decisions
D. Software design decisions

• Organization Policy and Procedure Framework
• Security Policy Implementation
• Different Types of Security Policy
• Security Policy Compliance and Review

[Figure: Corporate Governance, IT Governance and Information Security Governance, shown as nested layers]

[Figure: IT governance focus areas, with Stakeholder Value Drivers at the centre surrounded by Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement]
• Stakeholders
◦ Board of directors, CEO, process owners, IT suppliers and auditors
• Strategic Alignment
◦ Linkage of business and IT plans
• Value Delivery
◦ IT delivers the promised benefits against the strategy
• Risk Management
◦ Risks are assessed and mitigated
• Resource Management
◦ Optimisation of knowledge and infrastructure
• Performance Measurement
◦ Tracks and monitors strategy implementation

[Figure: policy hierarchy flowing from Risk Management, to the Information Security Policy, to Detailed Security Policies, Procedures and Guidelines, to Implementation through Security Controls]

• Information Security Policy
◦ A high-level mission statement from management stating the objectives of, and the organization's commitment to, information security
• Detailed policies and procedures
◦ Rules and instructions that specifically describe how information assets are protected
• Guidelines
◦ Good recommendations which are not mandatory
• Security Controls
◦ Enforcement of policies and procedures
◦ Detect and react to non-conformance with policies and procedures

• Industrial Standards
◦ ISO 27002 / ISO 17799:2005 / BS 7799 – Information Security Management System
▪ Guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization
• Guidelines
◦ COBIT
◦ Technology Risk Management Guidelines for Financial Institutions, MAS, Singapore
◦ NIST Special Publications series (csrc.nist.gov)

ISO 27002 (ISO 17799:2005) main security clauses:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

• Organization Policy and Procedure Framework
• Security Policy Implementation
• Different Types of Security Policy
• Security Policy Compliance and Review

• Policies ensure that proper control of information assets is implemented
• Policies will avoid legal liability
• Most importantly, policies will enhance the security control placed on the organisation’s information assets

• Management participation in the creation and enforcement of policies, procedures and guidelines (PPG) is crucial to the whole effort of securing information assets

• ISO 27002 Section 3 states that:

“Management should set a clear policy direction and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.”

Each of the following should serve on a security policy development team except?
A. Member of management who can enforce the policy
B. Member of the legal staff
C. Representative from an IT security vendor
D. Senior level administrator

• Security Policies
◦ High-level statement of enterprise beliefs, goals, and objectives, and the general means for their attainment for a specified subject area
◦ High-level plans that describe the goals of the procedure
◦ Key ideas:
▪ Brief
▪ Use general terms
▪ Use simple sentences
◦ Example – Wireless@NYP Policy

• Procedures
◦ Spell out the specific steps of how the policy and the supporting standards and guidelines will actually be implemented
◦ Description of tasks that must be completed in a specific order
◦ Example
▪ Wireless LAN Client Configuration Guide for Windows 7

• Guidelines
◦ General statements designed to achieve the objective of the policy by providing a framework within which to implement procedures
◦ Example – Risk Management Guide for Information Technology Systems by NIST

• Standards
◦ Mandatory activities, actions, rules, or regulations designed to provide policies with the support structure and specific direction they require to be meaningful and effective
◦ Example – ISO 27002 information security management system standard

• Standards are mandatory, while guidelines are recommendations.

[Figure: Policies, Procedures, and Standards & Guidelines as the linked elements of the policy framework]

• Standards, guidelines, and procedures are separate yet linked documents, distinct from the general policies (especially the senior-level statement)
◦ Each serves a different function and focuses on a different audience
◦ Physical distribution of the policies is easier
◦ Security controls for confidentiality are different for each policy type
◦ A modular approach to a policy document will keep the revision time and costs down

• Need to have a top-level corporate information security policy
• Scope: everything related to IT security
• Generally 3 categories of policies
◦ General policy
▪ Creates the overall information security vision of an organisation
◦ Topic-specific policies
▪ Address a specific area of concern, e.g. an Internet security policy
◦ Application-specific policies
▪ Protect particular applications or systems (if any)

• Policies should be approved by management, published, and communicated throughout the organization in a form that is relevant, accessible, and understandable to the intended reader.
◦ Distribution via manuals, the intranet, handbooks, or awareness classes

Each of the following is a guideline for developing a security policy except?
A. Notify users in advance that a new security policy is being developed and explain why the policy is needed
B. Provide a sample to the people affected by the policy with an opportunity to review and comment
C. Prior to deployment, give all users at least two weeks to review and comment
D. Require all users to approve the policy before it is implemented

• Security policies should state
◦ A definition of information security
◦ Its overall objectives and scope
◦ The importance of security as an enabling mechanism for information sharing
◦ A statement of management intention, supporting the goals and principles of information security
◦ A brief explanation of specific security policies, standards, and compliance requirements
◦ Definition of general and specific responsibilities for information security management, including security incident reporting
◦ References to documentation that may support the policy
▪ e.g., the topic-specific policies or application-specific policies

• Senior management is responsible for creating it: establishing the overall security policy of the organization and assigning responsibilities for implementation of, and compliance with, the policy

• Components include:
◦ Topic
▪ Defines the goals of the policy.
▪ Most general policies concentrate on protecting the confidentiality, integrity, availability, and authenticity of the information resource.
▪ May establish which type of information is valuable and should be protected.
◦ Scope
▪ Specifies the boundary of the topic.
▪ e.g., “all information wherever stored and however generated”, “the policy is intended for all employees”, “personnel with access to top-secret information”.
◦ Responsibilities
▪ Spells out the roles played by management and staff, and who should be responsible for day-to-day administration of the policy.
◦ Compliance
▪ Who is responsible for ensuring compliance?
▪ What happens when the policy is violated?
▪ Avoid creating mandatory sanctions; give management leeway in resolving issues on a case-by-case basis.

• Narrowly focused on one issue at a time
• Components include:
◦ Thesis statement
▪ Establishes a policy on a specific topic
▪ Goals and objectives should be identified
◦ Relevance
▪ Establishes to whom the policy applies
▪ Where, how and when the policy is applicable
◦ Responsibilities
▪ Establishes who is responsible under this policy
▪ Use job functions whenever possible

• Components include (cont.):
◦ Compliance
▪ May include a description of undesirable behaviour
▪ Who is responsible for monitoring compliance
◦ Additional Information
▪ Contact information of relevant individuals (by job title) whom readers can contact for more information

• Focus on one specific system or application.
• Along with topic-specific policies, usually the final element of the overall organization security policy.
• Deals with issues such as:
◦ Who has the authority to read or modify application data?
◦ Under what circumstances can the data be accessed?
◦ How is remote access controlled?
• Good policies contain rules which are based on the business and mission objectives and are in line with the General and/or Topic-specific policies.

• Know the stuff you are talking about.
◦ Essential to be familiar with the technology underlying the information asset
◦ Enlist the help of a domain expert
• Be aware of the language used in the policy
◦ Use the active voice
◦ Keep sentences clear and precise
◦ Know your subject
◦ Use the established style
• Make use of good templates from credible sources
◦ http://www.sans.org/security-resources/policies/

• Organization Policy and Procedure Framework
• Security Policy Implementation
• Different Types of Security Policy
• Security Policy Compliance and Review

• Common types of security policies are
◦ Privacy Policy (Privacy Statement)
◦ Authentication & Network Security
◦ Internet Security Policies
◦ Email Security Policies
◦ Viruses, Worms and Trojan Horses
◦ Acceptable Use Policy
◦ Policy on the use of mobile devices
◦ Software Management Policies

• Network Security
◦ Network Planning
◦ Network Addressing
▪ Consider mobile computers vs desktops
▪ VLANs
◦ Policies for expanding the network
◦ VPNs and Extranets
◦ Authorization of services

• Authentication
◦ Login requirements and procedures
◦ Login banners
▪ Consider a nondisclosure agreement
◦ Login controls
▪ Use of two-factor authentication for certain information classifications
▪ Login reporting
◦ Session restrictions
▪ Restrict login times, or rules to follow when logging into sensitive systems

◦ User account management
▪ Usernames
▪ Creation and removal
◦ Special privileges
▪ Should not violate existing policies
▪ Special handling procedures
• Passwords
◦ Define valid passwords
◦ Storage of passwords
▪ Escrow service
◦ Special passwords, e.g. duress passwords

• Access Controls
◦ Well-defined for each system/application
• Telecommuting
◦ Employee equipment (esp. notebooks)
◦ Remote access data security guidelines
• Remote Access Facilities
◦ Connection mode
▪ Dial-up or Internet tunneling

• “Doorway” to the Internet
• Need to consider 2 very important issues
◦ Creation of the ‘doorway’
◦ Services allowed to pass through the ‘doorway’
• Architecture issues
◦ DMZ
◦ Defense in depth
• Need to consider allowable services
◦ e.g. DNS, HTTP/HTTPS, FTP, LDAP, Echo, etc.
• Always changing due to the dynamic Internet landscape

• Constantly updated to reflect current needs and restrictions
• Administrative responsibilities
◦ Maintenance
◦ Outsourcing agreements, esp. with the ISP
◦ Enforcement
• User responsibilities
◦ Training
◦ Awareness of responsibilities of Internet use
◦ Transmission of sensitive information

• Web access to network & infrastructure
◦ CGI-based web applications
◦ Servlets, applets and dynamic content
◦ Ensure risks to these applications are minimized when opened for web access
• Content control (for Internet access)
◦ Manage through information classification
• User access to the web
◦ Legal issues regarding disallowed sites
◦ Work vs personal browsing

• Modems and backdoors
◦ Cover 3G broadband modem use and connections to other entities

• Administration of email
◦ Right to monitor email
◦ Archival of email
◦ Scanning of email for viruses and other reasons
◦ Size of email (performance)
• Use of email for confidential communication
◦ Encryption
◦ Digital signing

• Usually a sub-section of the Internet Security policy
• The prevalence of mobile computers and media has “opened doors” to threats from viruses, worms and Trojan horses (VWTH).
• Need to establish:
◦ Type of virus protection
◦ System integrity checks
◦ Rules on removable media
◦ Rules for using third-party software
• User involvement with viruses
◦ Specify penalties for users found dealing with them.

• Encryption policy
◦ Specify when, where, what and how to use encryption in a way that is acceptable to the organization.
◦ Changes as encryption technology evolves
• Software development policies
◦ Development roles and responsibilities
◦ Software access control
◦ Software testing and documentation
◦ Configuration management
◦ Software escrow
◦ Intellectual property

• Organization Policy and Procedure Framework
• Security Policy Implementation
• Different Types of Security Policy
• Security Policy Compliance and Review

• Publishing and notification of policies to staff
◦ Make them easily accessible, e.g. on the intranet
◦ Part of staff induction
◦ Regular staff updates, either through training sessions or web-based training
• Monitor, Control and Remedies
◦ Establish the legality of the right to monitor and prosecute
◦ Install appropriate controls (where available) to enforce policies

• Logging of events
• Handling of Inconsistencies
◦ Establish the authority empowered to handle disciplinary action
◦ Establish procedures on preservation of evidence

• Important activity to keep policies relevant and up-to-date
• Consider the following as input to the policy review process
◦ Results of security audits and/or risk assessments
◦ Business intelligence and information from management
◦ Network and system administrators
• Set up a review committee
◦ All stakeholders
◦ A legal counsel, if possible

What you’ve learnt
• Organization Policy and Procedure Framework
• Security Policy Implementation
• Different Types of Security Policy
• Security Policy Compliance and Review


