Chapter - 5 Cybersecurity Policy
Outline
• Introduction to Cybersecurity Policy
• Cybersecurity Policy definition
• Why Cybersecurity Policy?
• Methods of Improving Awareness of Security Policy
• Key elements of a policy
• Types of security policy
• Other categories of security policy
Cybersecurity Policy
• Security is a multilayered process.
• After a risk assessment is completed, policies will fall quickly
into place.
• Security policy can be determined based on feedback from
risk assessment.
• The risk assessment should help drive policy creation on
items such as these:
– Passwords
– Patch management
– Employee hiring and termination practices
– Backup practices and storage requirements
– Security awareness training
– Antivirus
– System setup and configuration
Cybersecurity Policy
CISSP definition
• The term cybersecurity policy has more than one meaning.
• Policy is senior management's directives to:
– create a computer security program,
– protect the corporation’s assets,
– establish its goals, and
– assign responsibilities.
• The term policy is also used to refer to the specific security
rules for particular systems.
• Additionally, policy may refer to specific managerial
decisions:
– setting an organization's e-mail privacy policy or
– fax security policy.
Cybersecurity Policy: Definition…
• The policy defines the corporation’s high-level information
security beliefs.
• In these terms, a policy can then be described as a high-level
statement of a company’s security:
– beliefs,
– goals, and
– objectives,
– as well as the general means for their realization for a specified
subject area.
• In general, policies are:
– brief,
– technical, and
– solution-independent documents.
Cybersecurity Policy: Definition…
• Security policy:
– defines the main security objectives and outlines the security
framework of an organization,
– identifies the major functional areas of data processing, and
– clarifies and defines all relevant terminology.
Why Cybersecurity Policy?
Cybersecurity Policy…
• It should address:
– Prevention of misuse
– Detection (through regular checking)
– Investigation (through monitoring and audit)
– Procedures used to prevent security problems
(unauthorised access)
– Staff responsibilities (to prevent misuse)
– Disciplinary procedures (for breaches of security)
Methods of Improving Awareness of Security Policy
• Introduction of Training
• Staff Access to Guidance
– Full staff meeting
– Training
– A leaflet distributed to all staff
– Policy posted on Intranet or bulletin board
– Posters displayed throughout the building
– Emails sent to all staff
Cybersecurity Policy
TARGET GROUPS
• Individuals that have access to systems, including end users.
Cybersecurity Policy
TARGET GROUPS…
• Individuals with information security implementation and
operational responsibilities
– e.g., mission/business owners, information system owners,
– common control providers, information owners,
– system administrators, information system security officers
Types of security policy
• Many organizations employ several types of security policies
to define or outline their overall security strategy.
• An organizational security policy focuses on issues relevant
to every aspect of an organization.
• An issue-specific security policy focuses on a specific
– network service,
– department,
– function, or
– other aspect that is distinct from the organization as a whole.
• A system-specific security policy focuses on:
– individual systems or types of systems and
– recommends approved hardware and software,
– outlines methods for locking down a system, and
– even mandates firewall or other specific security controls.
Cybersecurity Policy (CISSP)
• Organizations should have the following three different
types of policy:
– Program policy,
– Issue-Specific policy, and
– System-Specific policy.
Program Policy
• The program/master security policy can be thought of as a
blueprint for the whole organization’s security program.
– It is the strategic plan for implementing security in the
organization.
Program Policy…
• An organization's program policy should:
• Set Organizational Strategic Directions:
– This may include defining the goals of the program.
– For instance, in an organization responsible for maintaining
large mission-critical databases:
• reduction in errors,
• data loss,
• data corruption, and
• recovery might be specifically stressed.
Program Policy…
• An organization's program policy should:
• Assign Responsibilities:
– Responsibilities should be assigned to the computer security
organization/department for direct program implementation, and
– other responsibilities should be assigned to related offices.
• Be Updated Frequently:
– More frequent modification is required as changes in technology and
related factors take place.
System-Specific Policy
• A system-specific policy is concerned with a specific or individual
computer system.
– It is meant to present the approved software, hardware, and hardening
method for that specific system.
System-Specific Policy…
• Example:
– Routers and switches
– Intrusion prevention and detection systems
– Firewalls, Servers
– Storage technology
– Wireless routers and access points
System-Specific Policy…
• A system-specific policy should address potential security issues of
the system during:
– Procurement of the system
– Installation of the system
– Configuration of the system
– Deployment of the system
– Operation of the system
– Maintenance of the system
– Disposal or destruction of the system
• It should also address the following issues of the system:
– Configuration requirements of the system
– Access control requirements of the system
– Testing issues of the system
– System log management
– Supporting components of the system
– System-related contingency plan
– Backup and recovery issues of the system
– Configuration requirement
– Monitoring requirement
– …
All Policies
• All three types of policy should be:
• Supplemented:
– because policy may be written at a broad/high level,
– organizations also develop standards, guidelines, and procedures that offer
users, managers, and others a clear approach to implementing policy and
meeting organizational goals.
• Visible:
– Visibility aids implementation of policy by helping to ensure policy is fully
communicated throughout the organization.
• Supported by Management:
– Without management support, the policy will become an empty token of
management's "commitment" to security.
• Consistent:
– Other directives, laws, organizational culture, guidelines, procedures, and
organizational mission should be considered.
Cybersecurity Policy…
• In general, cybersecurity policy is much like a strategic plan:
– it outlines what should be done,
– but does not specifically dictate how to accomplish the stated goals.
• Policies can be further categorized as:
– regulatory,
– advisory, and
– informative.
Regulatory Policy
• A regulatory policy is required whenever industry or legal
standards are applicable to your organization.
• These are security policies that an organization must
implement due to compliance, regulation, or other legal
requirements.
• These policies are used to make sure that the organization
complies with local, state, and federal laws.
• An example regulatory policy might state:
– Because of recent changes to Federal Gov’t law, The Company will now
keep records of employee inventions and patents for 10 years;
– all email messages and any backup of such email associated with patents
and inventions will be stored for one year.
Advisory Policy
• Advisory policies are those policies that define a required
behavior with authorizations.
Advisory Policy…
Informative
• Informative policies are those which are not enforceable,
but can be regulated.
Informative policy...
• An informative policy is designed to provide information or
knowledge about a specific subject, such as:
– company goals,
– mission statements, or
– how the organization interacts with partners and customers.
• An informative policy provides:
– support,
– research, or
– background information relevant to the specific elements of the
overall policy.
• It is developed for education.
• Its goal is to inform and educate employees.
Security Standards, Baselines, and Guidelines
Cybersecurity Procedure…
• A procedure is the most specific of security documents.
• A procedure is a detailed, in-depth, step-by-step document
that details exactly what is to be done.
• Procedures are tied to specific technologies and devices.
• As an example:
– your company has replaced its Check Point firewall with a Cisco PIX.
– Although the policies and standards dictating the firewall's role in your
organization probably will not change,
– the procedure for configuration of the firewall will.
Cybersecurity Baseline
• A baseline specifies the minimum level of security required.
• All systems in the organization must comply with that
minimum.
• To determine:
– which systems meet the baseline and which don’t,
– an evaluation must be done,
• on a regular basis, and
• when major changes are made.
Cybersecurity Baseline…
Cybersecurity Guidelines
• A guideline points to a statement in a policy or procedure by
which to determine a course of action.
Figure: Relationship among policies, standards, procedures, baselines,
and guidelines (layers shown: Policy, Standard, Baseline, Guideline, Procedure)
Summary
• A security policy is a high-level document that dictates top
management's security vision, objectives, scope, and
responsibilities.
• A standard is a set of obligatory rules that support the security
policy.
• A security baseline is the threshold that all the systems in the
organization must comply with.
• A guideline is a set of flexible recommendations and best
practices.
• A procedure is a detailed, step-by-step document that illustrates
how to perform a specific task.
Additional resource on Security Policy (CISM)
Establish and Maintain Information Security Policies (CISM)
• The cornerstone of an effective information security
architecture is a well written policy statement.
• This is the source from which all other directives, standards,
procedures, guidelines, and other supporting documents will
spring.
• A policy performs two roles,
– Internal
– External.
• The internal portion tells employees what is expected of them and
how their actions will be judged.
• The external portion tells the world how the enterprise is run.
Cybersecurity Policy (CISM)
• Security and privacy policies and procedures must have
three elements to be effective.
• They must be documented, communicated, and current.
• There are three types of policies, and you will use each type at
different times in your information security program and
throughout the organization to support the business process or
mission.
• The three types of policies are:
– Global (Tier 1)
– Topic-specific (Tier 2)
– Application-specific policies (Tier 3)
Cybersecurity Policy…
Global (Tier 1) Policy …
• Topic
– The topic portion of the policy defines what specifically the policy
is going to address.
• It conveys two important elements:
– the topic (it should have something to do with the title of the
policy) and
– the hook, why the reader should continue to read the policy.
Global (Tier 1) Policy …
• Scope
– The scope can be used to broaden or narrow either the topic or the
audience.
• In an information security policy statement we could say,
“Information is an asset and the property of the company and all employees
are responsible for protecting that asset.”
• In this sentence we have broadened the audience to include all
employees.
• We can also say something like,
“Business information is an essential asset of the company.
– This is true of all business information within the company regardless of how it
is created, distributed, or stored and whether it is typed, handwritten, printed,
filmed, computer-generated, or spoken.”
– Here the writer broadened the topic to include all types of information assets.
Global (Tier 1) Policy …
• Responsibilities
• Typically, this section of the policy will identify who is responsible for
what.
• When writing, it is better to identify the “who” by job title and not by
name.
• Here again the Office Administrator’s Reference Guide can be of
great assistance.
• The policy will want to identify what is expected from each of the
stakeholders.
Global (Tier 1) Policy …
• Compliance or Consequences
• When business units or employees are found to be in a noncompliant
situation, the policy must spell out the consequences of these actions.
• For business units or departments, if they are found in noncompliance,
they are generally subject to an audit item and will have to prepare a
formal compliance response.
• For an employee, being found in noncompliance with a company
policy will mean they are in violation of the organization’s employee
standards of conduct and will be subject to consequences described in
the employee discipline policy.
Topic-Specific Policy (Tier 2)
• Whereas the global policy (Tier 1) is intended to address the broad,
organization-wide issues, the topic-specific policy is developed to
focus on areas of current relevance and concern to the organization.
• Management may find it appropriate to issue a policy on:
– how an organization will approach Internet usage or
– the use of the company-provided e-mail system.
• The global policy (Tier 1) is usually broad enough that it does not
require modification over time, whereas the topic-specific (Tier 2)
policies are likely to require more frequent revisions as changes in
technology and other factors dictate.
Topic-Specific Policy (Tier 2)…
• Topic-specific policies are the type of policy an organization creates most often.
• Whereas the Tier 1 policies are approved by the Information Security
Steering Committee, the topic-specific (Tier 2) may be issued by a
single senior manager or director.
• It includes:
• Thesis statement:
– This is similar to the topic section discussed in the Tier 1 policies, but it also
adds more information to support the goals and objectives of the policy and
management’s directives.
– “company-approved” software, which might be “any software not approved,
purchased, screened, managed, and owned by the organization.”
Topic-Specific Policy (Tier 2)…
• Relevance
– The Tier 2 policy also needs to establish to whom the policy
applies.
– The policy will want to clarify where, how, and when the policy is
applicable.
– Example
• Is the policy only enforced when employees are in the work-site
campus or will it extend to off-site activities?
• Responsibilities
• The assignment of roles and responsibilities is also included in Tier 2
policies.
• For example, the policy on company-approved software will have to identify
the process to get software approved. This would include the authority (by
job title) authorized to grant approval and a reference to where this process
is documented.
Topic-Specific Policy (Tier 2)…
• Compliance
– For a Tier 2 policy, it may be appropriate to describe, in some
detail, the infractions that are unacceptable, and the consequences
of such behavior.
• Supplementary Information
– For any Tier 2 policy, the appropriate individuals in the
organization to contact for additional information, guidance, and
compliance should be indicated.
CISM
Application-Specific Policy (Tier 3)…
• Global-level (Tier 1) and topic-specific (Tier 2) policies address
policy on a broad level.
• They usually encompass the entire enterprise.
• The application-specific (Tier 3) policy focuses on one specific
system or application.
• The final element will be the translation of Tier 1 and Tier 2
policies down to the application and system level.
• Many security issue decisions apply only at the application or
system level.
• Some examples of these issues include:
– Who has the authority to read or modify data?
– Under what circumstances can data be read or modified?
– How is remote access to be controlled?
Application-Specific Policy (Tier 3)…
• As you prepare to create Tier 3 policies, keep in mind the
following concepts:
– Understand the overall business objectives or mission of the
enterprise.
– Understand the mission of the application or system.
– Establish requirements that support both sets of objectives.
Policy Components (CISM)
Development of Procedures and Guidelines That Support the Information Security Policy
Procedure writing process