
Issue Specific Security Policies

Policy Violations: penalties for violating the policy are defined.

Policy Review and Modification: the policy is reviewed periodically and modified when required.

Limitations of Liability: a statement of liability is included.
A Structure and Framework of a Comprehensive Security Policy
It outlines the overall information security strategy.
Sphere of Security: the foundation of a good security framework. It defines the controls between information and systems, between systems and networks, and between networks and the Internet.
Within this sphere, information security is implemented in three layers:
Policies
People (security education, training and awareness)
Technology

Security Education, Training and Awareness (SETA)
Awareness of the need to protect system resources.
Develops the skills and knowledge users need to perform their jobs more securely.
Builds in-depth knowledge of designing, implementing and operating security programs for organizations.
SETA Program:
Security Education: achieved by investigating the available courses.
Security Training: gives employees detailed information and hands-on practice, delivered in-house or through professional agencies.
Security Awareness: keeps users up to date on information security through newsletters, posters and bulletin boards.
Policy Infrastructure
The foundation of information security is the set of information security policies and standards.
The major information security functions are:
1. Information protection.
2. Controlling access to information.
3. Monitoring users.
Policy Design Life Cycle:
Policy provides a framework for the management of security across the enterprise.
Identify the information security goals.
The policy should include standards, procedures and guidelines.
Users must be made aware of all of these so that they can perform their jobs securely.
When users' actions are secured in this way, complete information security can be achieved.
Security Policy (sample rules shown on the slide):
- Access to network resources will be granted through a unique user ID and password.
- Passwords will be 8 characters long.
- Passwords should include at least one non-alphabetic character and must not be found in a dictionary.
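The sample rules above are concrete enough to be enforced in code. The following is an added example, not code from the original slides: it checks a candidate password against the three stated rules (8 characters, read here as a minimum; at least one non-alphabetic character; not a dictionary word) and enforces the unique-user-ID rule at account registration. The word list is a small constructed stand-in for a real dictionary file, and the extra step of stripping digits and punctuation from the ends before the dictionary lookup (so that "Password1!" is still rejected) is an assumption about the policy's intent.

```python
import hashlib
import os
import string

# Constructed sample word list standing in for a real dictionary file
# (assumption: the slide's "dictionary" means a plain list of words).
DICTIONARY = frozenset({
    "password", "welcome", "letmein", "dragon", "monkey", "sunshine", "qwerty",
})

MIN_LENGTH = 8  # the slide's "8 characters long", read as a minimum length


def password_violations(password, dictionary=DICTIONARY):
    """Return the list of slide rules the candidate password breaks.

    An empty list means the password is compliant with all three rules.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    # Rule: at least one character that is not a letter.
    if all(c.isalpha() for c in password):
        violations.append("no non-alphabetic character")
    # Rule: not a dictionary word. Compare case-insensitively, and also strip
    # digits/punctuation from both ends so a decorated dictionary word such as
    # 'Password1!' is still caught (assumption about the policy's intent).
    lowered = password.lower()
    core = lowered.strip(string.digits + string.punctuation)
    if lowered in dictionary or (core and core in dictionary):
        violations.append("dictionary word")
    return violations


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256 digest; the clear-text password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def register_account(accounts, user_id, password):
    """Apply the whole sample policy: unique user ID plus the password rules.

    accounts maps existing user IDs to (salt, digest) tuples. On success the
    new account is stored and an empty list is returned; otherwise the list of
    problems is returned and nothing is stored.
    """
    problems = []
    if user_id in accounts:
        problems.append("user ID already in use")
    problems.extend(password_violations(password))
    if problems:
        return problems
    accounts[user_id] = hash_password(password)
    return []


if __name__ == "__main__":
    registry = {}
    for uid, pw in [("alice", "Tr0ub4dor&3"), ("bob", "Password1!"),
                    ("alice", "An0ther!pw"), ("carol", "short1")]:
        print(uid, pw, register_account(registry, uid, pw) or "accepted")
```

The rules encoded here are exactly the ones the slide states; current guidance (NIST SP 800-63B) favours a longer minimum, screening against lists of breached passwords, and no forced composition rules, so treat the example as an illustration of enforcing a written policy rather than as a recommended policy.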
Design Processes
This policy life cycle can be designed using a 10-step approach.
Step 1: Collect Background Information.
- Obtain existing policies.
- Identify what level of control is required over access to information.
- Decide who should design the policies.
Step 2: Perform Risk Assessment.
- Validate the policy against the identified risks.
- Identify complex functions.
- Identify difficult processes.
- Identify confidential data.
- Assess the vulnerabilities.
Step 3: Create a Policy Review Board.
- Determine the policy development process.
- Write the initial draft.
- Send the draft to the review board.
- Modify the draft by incorporating the suggestions.
- Resolve outstanding issues face to face.
- Submit the reviewed draft policy to the cabinet.
Step 4: Develop the Information Security Plan.
- Determine organizational goals.
- Define roles and responsibilities.
- Notify the user community about the direction of the policy.
- Establish a foundation for compliance, risk assessment and audit of information security.
Step 5: Develop Information Security Policies, Standards and Guidelines.
Step 6: Implement Policies and Standards.
- Notify users and distribute the policies to them.
- Obtain agreement to the policies before granting access to confidential systems.
- Enforce controls that meet the policies.
Step 7: Awareness and Training.
- Make system users aware of the behaviour expected of them.
- Train users.

Step 8: Monitor for Compliance.
- Security management is required to establish controls over information.
- Implement user contracts (code of conduct).
- Establish an effective authorization approval process.
- Conduct internal review and audit processes.
Step 9: Evaluate Policy Effectiveness.
- Evaluate the policy to determine whether there are problems.
- Document the findings properly.
- Report them to management.
Step 10: Modify the Policy, in response to:
- Upcoming technology.
- New types of threats.
- New goals.
- Changes in law and organizational standards.
- An existing policy that has proved unsuccessful.

PDCA Model
PDCA stands for Plan, Do, Check and Act, the continuous-improvement cycle that ISO 27001 applies to the ISMS (establish; implement and operate; monitor and review; maintain and improve).

Security Policy, Standards and Practices
BS 7799, ISO/IEC 17799: the most common security model is the IT code of practice known as British Standard 7799.
This code of practice was adopted as an international standard by ISO in 2000 and became ISO/IEC 17799, a framework for information security.
It has a few drawbacks:
- No justification for the code of practice was defined.
- It does not have the precision required of a technical standard.
Objectives (control areas) of ISO/IEC 17799:
- Security policy.
- Organization of information security.
- Asset management.
- Physical and environmental security.
- Access control.
- Business continuity management.
- Compliance with the standard.
ISO 27001 ISMS Toolkit
ISO reserves the 27000 series for information security matters.
It defines information security as the preservation of confidentiality, integrity and availability (CIA).
It defines a management system (MS) as the organization, policies, planning activities, responsibilities, practices, procedures, processes and resources used to manage security.
The standard sets out the requirements and basic principles for establishing, implementing, maintaining and improving an ISMS.
It also provides guidance for the development of organizational security standards.

ISO 27001
Steps for implementing ISO 27001:
Step 1: Establish the ISMS (Plan).
- Define the scope and boundaries.
- Define the location, assets and technology.
- Define the justification for any exclusion.
- Define the ISMS policy.
Step 2: Implement and Operate the ISMS (Do).
- Enforce a risk treatment plan that identifies the appropriate actions, resources and responsibilities for managing information security risks.
- Implement the controls.
Step 3: Monitor and Review the ISMS (Check).
- Detect errors in the results of processing.
- Identify security breaches.
- Check whether the security actions are performed as expected.
Step 4: Maintain and Improve the ISMS (Act).
- Incorporate the identified improvements into the ISMS.
- Take appropriate corrective actions, applying lessons learnt from the security incidents of other organizations.
- Notify interested parties about the actions taken.
