
UNIT 4

INFORMATION SECURITY POLICY

Objectives
Upon completion of this material you should be able to:
• Define information security policy and understand its central role in a successful information security program
• Describe the three major types of information security policy and explain what goes into each type
• Develop various types of information security policies

Management of Information Security, 3rd ed.


INTRODUCTION
• Policy is the essential foundation of an effective information security program
• The policy maker sets the tone and emphasis on the importance of information security
• Objectives
  ◦ Reduced risk
  ◦ Compliance with laws and regulations
  ◦ Assurance of operational continuity, information integrity, and confidentiality



WHY POLICY?
• Policies are the least expensive means of control and often the most difficult to implement
• Basic rules for shaping a policy
  ◦ Policy should never conflict with law
  ◦ Policy must be able to stand up in court if challenged
  ◦ Policy must be properly supported and administered



WHY POLICY? (CONT’D.)
• Bulls-eye model
  ◦ Networks: threats first meet the organization’s network
  ◦ Systems: computers and manufacturing systems
  ◦ Applications: all application systems



WHY POLICY? (CONT’D.)
• Policies are important reference documents
  ◦ For internal audits
  ◦ For the resolution of legal disputes about management's due diligence
  ◦ Policy documents can act as a clear statement of management's intent
• Types of information security policy
  ◦ Enterprise information security program policy
  ◦ Issue-specific information security policies
  ◦ Systems-specific policies



POLICY, STANDARDS, AND PRACTICES
• Policy: a plan or course of action that influences decisions
  ◦ Must be properly disseminated, read, understood, agreed to, and uniformly enforced
  ◦ Requires constant modification and maintenance
• Standards
  ◦ A more detailed statement of what must be done to comply with policy
• Practices
  ◦ Procedures and guidelines explain how employees will comply with policy


POLICIES, STANDARDS, & PRACTICES
Figure 4-2 Policies, standards and practices (Source: Course Technology/Cengage Learning)
ENTERPRISE INFORMATION SECURITY POLICY (EISP)
• Sets strategic direction, scope, and tone for the organization’s security efforts
• Assigns responsibilities for various areas of information security
• Guides the development, implementation, and management requirements of the information security program



EISP ELEMENTS
1. Corporate philosophy on security
2. Information security organization and information security roles



EXAMPLE EISP COMPONENTS
• Statement of purpose
• Information technology security elements
• Need for information technology security
• Information technology security responsibilities and roles
• Reference to other information technology standards and guidelines



ISSUE-SPECIFIC SECURITY POLICY (ISSP)
• Provides detailed, targeted guidance
  ◦ Instruction for the secure use of a technology system
  ◦ Begins with an introduction to the fundamental technological philosophy of the organization
• Protects the organization from inefficiency and ambiguity
  ◦ Documents how the technology-based system is controlled
  ◦ Identifies the processes and authorities that provide this control
• Indemnifies the organization against liability for an employee’s inappropriate or illegal system use


ISSUE-SPECIFIC SECURITY POLICY (CONT’D.)
• ISSP topics
  ◦ Email and internet use
  ◦ Minimum system configurations
  ◦ Prohibitions against hacking
  ◦ Home use of company-owned computer equipment
  ◦ Use of personal equipment on company networks
  ◦ Use of telecommunications technologies
  ◦ Use of photocopy equipment



COMPONENTS OF THE ISSP
• Statement of purpose
  ◦ Scope and applicability
  ◦ Definition of technology addressed
  ◦ Responsibilities
• Authorized access and usage of equipment
  ◦ User access
  ◦ Fair and responsible use
  ◦ Protection of privacy



COMPONENTS OF THE ISSP (CONT’D.)
• Prohibited usage of equipment
  ◦ Disruptive use or misuse
  ◦ Criminal use
  ◦ Offensive or harassing materials
  ◦ Copyrighted, licensed or other intellectual property
  ◦ Other restrictions
• Systems management
  ◦ Management of stored materials
  ◦ Employer monitoring
  ◦ Virus protection
  ◦ Physical security
  ◦ Encryption



COMPONENTS OF THE ISSP (CONT’D.)
• Violations of policy
  ◦ Procedures for reporting violations
  ◦ Penalties for violations
• Policy review and modification
  ◦ Scheduled review of policy and procedures for modification
• Limitations of liability
  ◦ Statements of liability or disclaimers



SYSTEM-SPECIFIC SECURITY POLICY
• System-specific security policies (SysSPs) frequently do not look like other types of policy
  ◦ May function as standards or procedures to be used when configuring or maintaining systems
• SysSPs can be separated into
  ◦ Management guidance
  ◦ Technical specifications
  ◦ Or combined in a single policy document



MANAGERIAL GUIDANCE SYSSPS
• Created by management to guide the implementation and configuration of technology
• Applies to any technology that affects the confidentiality, integrity or availability of information, e.g. firewall configuration
• Informs technologists of management intent



TECHNICAL SPECIFICATIONS SYSSPS
• System administrators’ directions on implementing managerial policy
• Each type of equipment has its own type of policies
• General methods of implementing technical controls
  ◦ Access control lists
  ◦ Configuration rules



TECHNICAL SPECIFICATIONS SYSSPS (CONT’D.)
• Access control lists
  ◦ Include the user access lists, matrices, and capability tables that govern the rights and privileges
  ◦ A similar method that specifies which subjects and objects users or groups can access is called a capability table
  ◦ These specifications are frequently complex matrices, rather than simple lists or tables
  ◦ Enable administrators to restrict access according to user, computer, time, duration, or even a particular file



TECHNICAL SPECIFICATIONS SYSSPS (CONT’D.)
• Access control lists regulate
  ◦ Who can use the system
  ◦ What authorized users can access
  ◦ When authorized users can access the system
  ◦ Where authorized users can access the system from
  ◦ How authorized users can access the system
  ◦ Restricting what users can access, e.g. printers, files, communications, and applications
• Administrators set user privileges
  ◦ Read, write, create, modify, delete, compare, copy
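As an added illustration, not from the textbook or these slides, of how an ACL regulates who, what, when, where and how: a small Python evaluator using the slide's privilege set, with default deny and a capability-table view of the same rules. The entries, user names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# The seven privileges named on the slide.
PRIVILEGES = frozenset({"read", "write", "create", "modify", "delete", "compare", "copy"})


@dataclass(frozen=True)
class AclEntry:
    """One ACL line: who may do what to which object, from where and when.
    Network and time window default to 'from anywhere, at any time'."""
    subject: str                      # user or group name (who)
    obj: str                          # file, printer, application ... (what)
    privileges: frozenset             # subset of PRIVILEGES (how)
    from_net: str = "0.0.0.0/0"       # network the request must come from (where)
    window: tuple = (time(0, 0), time(23, 59, 59))   # permitted time of day (when)


def _in_window(window, at):
    start, end = window
    t = at.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end      # window that crosses midnight


def is_permitted(acl, user, groups, obj, privilege, source_ip, when):
    """Default deny: allow only if some entry matches on every dimension.
    `when` is a datetime or an ISO string such as '2024-03-04 10:00'."""
    if privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege {privilege!r}")
    at = datetime.fromisoformat(when) if isinstance(when, str) else when
    subjects = {user} | set(groups)
    for e in acl:
        if e.subject not in subjects or e.obj != obj:
            continue                                   # wrong who / what
        if privilege not in e.privileges:
            continue                                   # wrong how
        if ip_address(source_ip) not in ip_network(e.from_net):
            continue                                   # wrong where
        if not _in_window(e.window, at):
            continue                                   # wrong when
        return True
    return False                                       # nothing matched: deny


def capability_table(acl):
    """Re-index the same rules by subject: the capability-table view the slide
    contrasts with the object-centred ACL view."""
    table = {}
    for e in acl:
        table.setdefault(e.subject, {}).setdefault(e.obj, set()).update(e.privileges)
    return table


# Constructed sample ACL (not from the textbook): the payroll group may edit the
# payroll sheet only from the office network during working hours, alice may read
# it from anywhere at any time, and the helpdesk group may use printer-3.
SAMPLE_ACL = [
    AclEntry("payroll", "payroll.xlsx", frozenset({"read", "modify"}),
             "10.1.0.0/16", (time(8, 0), time(18, 0))),
    AclEntry("alice", "payroll.xlsx", frozenset({"read"})),
    AclEntry("helpdesk", "printer-3", frozenset({"read", "write"})),
]

if __name__ == "__main__":
    # alice is in payroll, in the office, during hours: modify is allowed
    print(is_permitted(SAMPLE_ACL, "alice", ["payroll"], "payroll.xlsx", "modify",
                       "10.1.5.7", "2024-03-04 10:00"))
    # same request after hours: the group entry no longer matches and her own
    # entry grants read only, so modify is denied
    print(is_permitted(SAMPLE_ACL, "alice", ["payroll"], "payroll.xlsx", "modify",
                       "10.1.5.7", "2024-03-04 20:00"))
    print(capability_table(SAMPLE_ACL))
```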



TECHNICAL SPECIFICATIONS SYSSPS (CONT’D.)
Figure 4-5 Windows XP ACL (Source: Course Technology/Cengage Learning)
TECHNICAL SPECIFICATIONS SYSSPS (CONT’D.)
• Configuration rules
  ◦ Specific configuration codes entered into security systems
  ◦ Guide the execution of the system when information is passing through it
  ◦ Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process
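An added example, not from the textbook, of the kind of configuration script described above: a small first-match packet-filter rule evaluator in Python, plus a check for rules that can never fire because an earlier rule already covers them (the usual consequence of a misordered script). The rule set and addresses are constructed; `subnet_of` needs Python 3.7 or later.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # source network, host, or "any"
    dst: str      # destination network, host, or "any"
    proto: str    # "tcp", "udp", "icmp" or "any"
    dport: str    # destination port as a string, or "any"
    action: str   # "allow" or "deny"


def _net_matches(spec, ip):
    return spec == "any" or ip_address(ip) in ip_network(spec)


def _field_matches(spec, value):
    return spec == "any" or spec == str(value)


def evaluate(rules, src, dst, proto, dport):
    """Process one packet the way a packet filter reads its rule script:
    top to bottom, first match wins. Returns (action, index of matching rule);
    a packet that matches nothing is denied with index None (implicit deny)."""
    for i, r in enumerate(rules):
        if (_net_matches(r.src, src) and _net_matches(r.dst, dst)
                and _field_matches(r.proto, proto) and _field_matches(r.dport, dport)):
            return r.action, i
    return "deny", None


def _net_covers(outer, inner):
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def _covers(a, b):
    """True if every packet rule b could match is already matched by rule a."""
    return (_net_covers(a.src, b.src) and _net_covers(a.dst, b.dst)
            and a.proto in ("any", b.proto) and a.dport in ("any", b.dport))


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(_covers(rules[i], rules[j]) for i in range(j))]


# Constructed rule script (not the textbook's Figure 4-6): a mail host and a web
# host are reachable from outside, the internal network may go anywhere, and
# everything else is dropped by the explicit cleanup rule at the end.
SAMPLE_RULES = [
    Rule("any", "10.10.10.25", "tcp", "25", "allow"),      # inbound SMTP to mail host
    Rule("any", "10.10.10.80", "tcp", "80", "allow"),      # inbound HTTP to web host
    Rule("10.10.10.0/24", "any", "any", "any", "allow"),   # outbound from inside
    Rule("any", "any", "any", "any", "deny"),              # cleanup rule
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "203.0.113.5", "10.10.10.25", "tcp", 25))  # ('allow', 0)
    print(evaluate(SAMPLE_RULES, "203.0.113.5", "10.10.10.25", "tcp", 22))  # ('deny', 3)
    # putting the cleanup rule first silently kills every rule after it
    print(shadowed([SAMPLE_RULES[3]] + SAMPLE_RULES[:3]))                   # [1, 2, 3]
```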



TECHNICAL SPECIFICATIONS SYSSPS (CONT’D.)
Figure 4-6 Firewall configuration rules (Source: Course Technology/Cengage Learning)


GUIDELINES FOR EFFECTIVE POLICY
• Policies must be properly:
  ◦ Developed using industry-accepted practices
  ◦ Distributed or disseminated using all appropriate methods
  ◦ Reviewed or read by all employees
  ◦ Understood by all employees
  ◦ Formally agreed to by act or assertion
  ◦ Uniformly applied and enforced



DEVELOPMENT STEPS
• Investigation (goals, support, participation)
• Analysis (risk assessment)
• Design (components, dissemination)
• Implement (detailed specification)
• Maintenance
• Distribution

POLICY COMPREHENSION
Figure 4-9 Readability statistics (Source: Course Technology/Cengage Learning)


AUTOMATED TOOLS
Figure 4-10 The VigilEnt policy center (Source: Course Technology/Cengage Learning)


THE INFORMATION SECURITY POLICIES MADE EASY APPROACH
• Gathering key reference materials
• Defining a framework for policies
• Preparing a coverage matrix
• Making critical systems design decisions
• Structuring review, approval, and enforcement processes



THE INFORMATION SECURITY POLICIES MADE EASY APPROACH (CONT’D.)
Figure 4-11 A sample coverage matrix (Source: Course Technology/Cengage Learning)


A FINAL NOTE ON POLICY
• Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy
• Policies exist, first and foremost, to inform employees of what is and is not acceptable behavior in the organization
• Policy seeks to improve employee productivity and prevent potentially embarrassing situations



SUMMARY
• Introduction
• Why Policy?
• Enterprise Information Security Policy
• Issue-Specific Security Policy
• System-Specific Policy
• Guidelines for Policy Development



NEXT
• Ch 5: Developing the security program

OBJECTIVES
Completion of this material will enable you to:
• Explain the organizational approaches to information security
• List and describe the functional components of an information security program
• Determine how to plan and staff an organization’s information security program based on its size
• Evaluate the internal and external factors that influence the activities and organization of an information security program
• List and describe the typical job titles and functions performed in the information security program
• Describe the components of a security education, training, and awareness program and explain how organizations create and manage these programs



INTRODUCTION
• Some organizations use “security program” to describe the entire set of personnel, plans, policies, and initiatives related to information security
• The term “information security program” is used here to describe the structure and organization of the effort that contains risks to the information assets of the organization



ORGANIZING FOR SECURITY
• Variables involved in structuring an information security program
  ◦ Organizational culture
  ◦ Size
  ◦ Security personnel budget
  ◦ Security capital budget
• As organizations increase in size:
  ◦ Their security departments are not keeping up with increasingly complex organizational infrastructures



ORGANIZING FOR SECURITY (CONT’D.)
• Information security departments tend to form internal groups
  ◦ To meet long-term challenges and handle day-to-day security operations
  ◦ Functions are likely to be split into groups
• Smaller organizations typically create fewer groups
  ◦ Perhaps having only one general group of specialists



ORGANIZING FOR SECURITY (CONT’D.)
• Very large organizations (> 10,000 computers)
  ◦ Security budgets often grow faster than IT budgets
  ◦ Even with a large budget, the average amount spent on security per user is still smaller than in any other type of organization
    ▪ Small organizations spend more than $5,000 per user on security; very large organizations spend about 1/18th of that, roughly $300 per user
  ◦ Do a better job in the policy and resource management areas
  ◦ Only 1/3 of organizations handled incidents according to an IR plan



ORGANIZING FOR SECURITY (CONT’D.)
• Large organizations
  ◦ Have 1,000 to 10,000 computers
  ◦ Security approach has often matured, integrating planning and policy into the organization’s culture
  ◦ Do not always put large amounts of resources into security
    ▪ Considering the vast numbers of computers and users often involved
  ◦ They tend to spend proportionally less on security



SECURITY IN LARGE ORGANIZATIONS
• One approach separates functions into four areas:
  ◦ Functions performed by non-technology business units outside of IT
  ◦ Functions performed by IT groups outside of the information security area
  ◦ Functions performed within the information security department as customer service
  ◦ Functions performed within the information security department as compliance



SECURITY IN LARGE ORGANIZATIONS (CONT’D.)
• The CISO has responsibility for information security functions
  ◦ They should be adequately performed somewhere within the organization
• The deployment of full-time security personnel depends on:
  ◦ Sensitivity of the information to be protected
  ◦ Industry regulations
  ◦ General profitability
• The more money the company can dedicate to its personnel budget
  ◦ The more likely it is to maintain a large information security staff
SECURITY IN LARGE ORGANIZATIONS (CONT’D.)
Figure 5-1 Example of information security staffing in a large organization (Source: Course Technology/Cengage Learning)


SECURITY IN LARGE ORGANIZATIONS (CONT’D.)
Figure 5-2 Example of information security staffing in a very large organization (Source: Course Technology/Cengage Learning)


SECURITY IN MEDIUM-SIZED ORGANIZATIONS
• Have between 100 and 1,000 computers
• Have a smaller total budget
• Have the same sized security staff as the small organization, but a larger need
  ◦ Must rely on help from IT staff for plans and practices
• Ability to set policy, handle incidents, and effectively allocate resources is worse than any other size
• May be large enough to implement a multi-tiered approach to security
  ◦ With fewer dedicated groups and more functions assigned to each group
  ◦ Tend to ignore some security functions



SECURITY IN MEDIUM-SIZED ORGANIZATIONS (CONT’D.)
Figure 5-3 Example of information security staffing in a medium-sized organization (Source: Course Technology/Cengage Learning)


SECURITY IN SMALL ORGANIZATIONS
• Have between 10 and 100 computers
• Have a simple, centralized IT organizational model
• Spend disproportionately more on security
• Information security is often the responsibility of a single security administrator
• Have little in the way of formal policy, planning, or security measures
• Often outsource Web presence or e-commerce
• Security training and awareness is commonly conducted on a 1-on-1 basis
• Policies (when they exist) are often issue-specific
• Threats from insiders are less likely
  ◦ Every employee knows every other employee



SECURITY IN SMALL ORGANIZATIONS (CONT’D.)
Figure 5-4 Example of information security staffing in a smaller organization (Source: Course Technology/Cengage Learning)


PLACING INFORMATION SECURITY
• In large organizations
  ◦ InfoSec is often located within the information technology department
  ◦ Headed by the CISO, who reports directly to the top computing executive, or CIO
• An InfoSec program is sometimes at odds with the goals and objectives of the IT department as a whole, because the goals and objectives of the CIO and the CISO may come into conflict
  ◦ It is not difficult to understand the current movement to separate information security from the IT division
• The challenge is to design a reporting structure for the InfoSec program that balances the needs of each of the communities of interest
PLACING INFORMATION SECURITY, OPTION 1: INFORMATION TECHNOLOGY
Figure 5-5 Wood’s Option 1: Information security reports to information technology department (Source: From Information Security Roles and Responsibilities Made Easy, used with permission)
PROS/CONS
Widespread use
• Pros
  ◦ Close to CEO
  ◦ Within IT dept
• Cons
  ◦ Conflict of interest
  ◦ Security is not just a technological issue
PLACING INFORMATION SECURITY, OPTION 2: SECURITY DEPT
Figure 5-6 Wood’s Option 2: Information security reports to broadly defined security department (Source: From Information Security Roles and Responsibilities Made Easy, used with permission)
PROS/CONS
Also popular
• Pros
  ◦ In a dept that focuses on security
  ◦ Preventive viewpoint
• Cons
  ◦ Cultural differences
  ◦ Resource allocation disparity
PLACING INFORMATION SECURITY, OPTION 3: ADMINISTRATIVE SERVICES
Figure 5-7 Wood’s Option 3: Information security reports to administrative services department (Source: From Information Security Roles and Responsibilities Made Easy, used with permission)
PROS/CONS
• Pros
  ◦ Close to CEO
  ◦ Focus on people
• Cons
  ◦ Disparity with the other concerns
PLACING INFORMATION SECURITY, OPTION 4: INSURANCE AND RISK MGMT
Figure 5-8 Wood’s Option 4: Information security reports to insurance and risk management department (Source: From Information Security Roles and Responsibilities Made Easy, used with permission)
PLACING INFORMATION SECURITY, OPTION 5: STRATEGY AND PLANNING
Figure 5-9 Wood’s Option 5: Information security reports to strategy and planning department (Source: From Information Security Roles and Responsibilities Made Easy, used with permission)
COMPONENTS OF THE SECURITY PROGRAM
• Organization’s information security needs
  ◦ Unique to the culture, size, and budget of the organization
• Determining what level the information security program operates on depends on the organization’s strategic plan
  ◦ Also the plan’s vision and mission statements
  ◦ The CIO and CISO should use these two documents to formulate the mission statement for the information security program



INFORMATION SECURITY ROLES AND TITLES
Figure 5-10 Information security roles (Source: Course Technology/Cengage Learning)


IMPLEMENTING SECURITY EDUCATION, TRAINING, AND AWARENESS PROGRAMS
• SETA program
  ◦ Designed to reduce accidental security breaches
  ◦ Consists of three elements: security education, security training, and security awareness
• Awareness, training, and education programs offer two major benefits:
  ◦ Improving employee behavior
  ◦ Enabling the organization to hold employees accountable for their actions



IMPLEMENTING SETA PROGRAMS (CONT’D.)
• The purpose of SETA is to enhance security:
  ◦ By building in-depth knowledge, to design, implement, or operate security programs for organizations and systems
  ◦ By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
  ◦ By improving awareness of the need to protect system resources



IMPLEMENTING SETA PROGRAMS (CONT’D.)
Table 5-3 Framework of security education, training and awareness (Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook, SP 800-12, http://csrc.nist.gov/publications/nistpubs/800-12/)
SECURITY EDUCATION
• Employees within information security may be encouraged to seek a formal education
  ◦ If not prepared by their background or experience
  ◦ A number of institutions of higher learning, including colleges and universities, provide formal coursework in information security



SECURITY EDUCATION (CONT’D.)
Figure 5-11 Information security knowledge map (Source: Course Technology/Cengage Learning)


SECURITY TRAINING
• Involves providing detailed information and hands-on instruction
  ◦ To develop user skills to perform their duties securely
  ◦ Develop customized training or outsource
• Customizing training for users
  ◦ By functional background
    ▪ General user
    ▪ Managerial user
    ▪ Technical user
  ◦ By skill level
    ▪ Novice
    ▪ Intermediate
    ▪ Advanced



SECURITY AWARENESS
• One of the least frequently implemented, but most effective security methods is the security awareness program
• Security awareness programs:
  ◦ Set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure
  ◦ Remind users of the procedures to be followed



SECURITY AWARENESS (CONT’D.)
• Refrain from using technical jargon
• Define learning objectives, state them clearly, and provide sufficient detail and coverage
• Keep things light
• Don’t overload the users
• Help users understand their roles in InfoSec
• Utilize in-house communications media
• Make the awareness program formal
• Provide good information early, rather than perfect information late



SECURITY AWARENESS (CONT’D.)
• Effective training and awareness programs make employees accountable for their actions
• Dissemination and enforcement of policy become easier when training and awareness programs are in place
• Demonstrating due care and due diligence can help indemnify the institution against lawsuits



SECURITY AWARENESS (CONT’D.)
• Many security awareness components are available at little or no cost
  ◦ Others can be very expensive
• Examples of security awareness components
  ◦ Videos
  ◦ Posters and banners
  ◦ Lectures and conferences
  ◦ Computer-based training



SECURITY AWARENESS (CONT’D.)
• Examples of security awareness components (cont’d.)
  ◦ Newsletters
  ◦ Brochures and flyers
  ◦ Trinkets (coffee cups, pens, pencils, T-shirts)
  ◦ Bulletin boards



SECURITY AWARENESS (CONT’D.)
• Organizations can establish Web pages or sites dedicated to promoting information security awareness
  ◦ The challenge lies in updating the messages frequently enough to keep them fresh
• Tips on creating and maintaining an educational Web site
  ◦ See what’s already out there
  ◦ Plan ahead
  ◦ Keep page loading time to a minimum
  ◦ Seek feedback
  ◦ Spend time promoting your site



SUMMARY
• Introduction
• Organizing for security
• Placing information security within an organization
• Components of the security program
• Information security roles and titles
• Implementing security education, training, and awareness programs

