BCA_LECTURE_08

Information Security Policies

1
 General - background
• How to establish security requirements
–Risk assessments
–Legal, statutory requirements
–Business requirements for Information
processing
• Select controls from a standard
• Controls to be considered to be common practice
–Information security policy
–Allocation of responsibilities
–Awareness and training
–Technical vulnerability management
–Incident reporting
2
 Critical Success factors for addressing
InfoSec in organisations

• Info sec policy, objectives

• Architectural approach
• Management commitment / support
• Understand info sec requirements
• Budget for info sec
• Awareness and training
• Effective incident reporting system
• Measurement system

3
 12 Key control areas
1. Risk assessment and treatment
2. Information Security policy
3. Organization / management of Info Sec
4. Assets classification and control (management)
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information Systems acquisition, development and
maintenance
10. Information Security Incident Management
11. Business Continuity Management
12. Compliance
4
 Security policy
INFORMATION SECURITY POLICY

Objective: To provide management direction and

support for information security.

a. Information Security Policy Document

Control …should state mngt commitment
Implementation guidance….definition
Other information: ….distribution

b. Review of the Information Security Policy

5
 Security policy
Information security policy
c. a brief explanation of the security policies, principles,
standards and compliance requirements of particular
importance to the organization, for example:

 compliance with legislative and contractual requirements;

 security education requirements;
 prevention and detection of viruses and other malicious
software;
 business continuity management;
 consequences of security policy violations;

d. a definition of general and specific responsibilities for

information security management, including reporting
security incidents;
6
 Security policy
Information security policy

e.references to documentation which may

support the policy, e.g. more detailed security
policies and procedures for specific
information systems or security rules users
should comply with.

This policy should be communicated

throughout the organization to users in a form
that is relevant, accessible and
understandable to the intended reader.
7
 Organization Information Security
INTERNAL ORGANIZATION
Objective: To manage information security within the
organization
• establish management framework
• management with leadership to
– approve the information security policy,
– assign security roles
– co-ordinate implementation of security
• Establish a source of specialist information security
advice if needed
• need multi-disciplinary approach to information
security

8
 Organization Information Security
INTERNAL ORGANIZATION
 Management commitment to information security
 Information security co-ordination.
 Allocation of information security responsibilities
 Authorization process for information processing facilities
 Confidentiality agreements
 Contact with authorities
 Contact with special interest groups
 Independent review of information security......

EXTERNAL PARTIES
 Identification of risks related to external parties
 Addressing security when dealing with customers
 Addressing security in third party agreements

9
 Asset Management

RESPONSIBILITY FOR ASSETS

Objective: To achieve and maintain appropriate protection of

organizational assets.-> be accounted for, have owner
• assign responsibility for maintenance of appropriate controls

• may delegate responsibility for implementing controls

• Owners should be identified for all assets and the responsibility
for the maintenance of appropriate controls should be
assigned.

Inventory of assets
Ownership of assets
Acceptable use of assets
10
 Asset Management

INFORMATION CLASSIFICATION
Objective: To ensure that information receives an appropriate
level of protection.

• Classify information to indicate

– need,
– priorities
– degree of protection

• varying degrees of sensitivity, criticality

• define appropriate set of protection levels, communicate need
for special handing measures.
Classification guidelines
Information labelling and handling
11
 Human Resources Security
PRIOR TO EMPLOYMENT
Objective: To ensure that employees, contractors and third party
users understand their responsibilities, and are suitable for the
roles they are considered for, and to reduce the risk of theft,
fraud or misuse of facilities.
• Address security responsibilities at the requirement stage,
include in contracts, monitored during employment
• screen potential recruits adequately (sensitive jobs)
• All to sign confidentiality agreement.
Roles and responsibilities
Screening
Terms and conditions of employment

12
 Human Resources Security

DURING EMPLOYMENT
Objective: To ensure that employees, contractors and third party
users are aware of information security threats and concerns,
their responsibilities and liabilities, and are equipped to support
organizational security policy in the course of their normal work,
and to reduce the risk of human error.

An adequate level of awareness, education, and training in

security procedures and the correct use of information processing
facilities should be provided…

Management responsibilities
Information security awareness, education, and training
Disciplinary process

13
Human Resources Security

TERMINATION OR CHANGE OF EMPLOYMENT

Objective: To ensure that employees, contractors
and third party users exit an organization or change
employment in an orderly manner.
Change of responsibilities and employments within
an organization should be managed

Termination responsibilities
Return of assets
Removal of access rights

14
Physical and environmental security
SECURE AREAS

Objective: To prevent unauthorized access, damage

and interference to business premises and
information.
• house critical/sensitive business information
processing facilities in secure areas,
• physically protected from unauthorized access or
damage or interference.
• The protection should be commensurate with the
identified risks.
• clear desk and clear screen policy
15
Physical and environmental security
EQUIPMENT SECURITY

Objective: To prevent loss, damage or compromise

of assets and interruption to business activities.
• Protect equipment physically from security threats
and environmental hazards.
• to reduce risk of unauthorized access to data, to
protect against loss or damage.
• also consider equipment sitting and disposal

• Special controls to safeguard e.g. electrical supply

16
Communications and operations management

OPERATIONAL PROCEDURES AND RESPONSIBILITIES

Objective: To ensure the correct and secure operation of
information processing facilities.
• Establish responsibilities and procedures for
management and operation of all information processing
facilities.
• development of operating instructions and incident
response procedures
• Implement segregation of duties to reduce risk of
negligent or deliberate system misuse

17
Communications and operations management

• Operational Procedures and Responsibilities

• Third Party Service Delivery Management
• System Planning and Acceptance
• Protection Against Malicious and Mobile Code
• Back-Up
• Network Security Management
• Media Handling
• Exchange of Information
• Electronic Commerce Services
• Monitoring

18
Access control

BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Objective: To control access to information.
• Control access to information, and business
processes on basis of business and security
requirements.
• take account of policies for information
dissemination and authorization.

19
Access control

USER ACCESS MANAGEMENT

Objective: To prevent unauthorized access to
information systems.
• Need formal procedures to control allocation
of access rights to information systems and
services.
• initial registration of new users to final de-
registration of users who no longer require
access
• control allocation of privileged access rights
20
Access control

USER RESPONSIBILITIES
Objective: To prevent unauthorized user
access.
• co-operation of authorized users is essential
for effective security.
• make users aware of responsibilities e.g.
passwords use and security of user equipment.

21
Access control

NETWORK ACCESS CONTROL

Objective: Protection of networked services.
• Control access to internal and external
networked services
• to ensure that network users do not
compromise the security of network services
have:
– appropriate interfaces
– appropriate authentication mechanisms
– control of user access

22
Access control

• OPERATING SYSTEM ACCESS CONTROL

• APPLICATION AND INFORMATION

ACCESS CONTROL

• MOBILE COMPUTING AND TELEWORKING

23
INFORMATION SYSTEMS ACQUISITION,
DEVELOPMENT AND MAINTENANCE
SECURITY REQUIREMENTS OF INFORMATION
SYSTEMS
Objective: To ensure that security is built into
information systems.
• includes infrastructure, business applications
and user-developed applications.
• Identify and justify all security requirements
during requirements phase agreed and
documented (before development)

24
INFORMATION SYSTEMS ACQUISITION,
DEVELOPMENT AND MAINTENANCE
SECURITY IN DEVELOPMENT AND SUPPORT
PROCESSES
Objective: To maintain the security of application
system software and information.
• strictly control project and support environments.

• Managers responsible for application systems also

responsible for the security of the project or support
environment.

TECHNICAL VULNERABILITY MANAGEMENT

25
INFORMATION SECURITY INCIDENT
MANAGEMENT
REPORTING INFORMATION SECURITY EVENTS AND
WEAKNESSES
• Reporting information security events
• Reporting security weaknesses

MANAGEMENT OF INFORMATION SECURITY

INCIDENTS AND IMPROVEMENTS
• Responsibilities and procedures
• Learning from information security incidents
• Collection of evidence

26
Business continuity management

INFORMATION SECURITY ASPECTS OF BUSINESS

CONTINUITY MANAGEMENT
Objective: To counteract interruptions to business
activities and to protect critical business processes
from the effects of major failures or disasters.
• Business continuity management: to reduce
disruption from disasters/security failures to
acceptable level
• Analyze consequences of disasters, security failures
and loss of service.
• Develop and implement contingency plans
• Maintain and practice plans.

27
Compliance

COMPLIANCE WITH LEGAL REQUIREMENTS

Objective: To avoid breaches of any criminal
and civil law, statutory, regulatory or
contractual obligations and of any security
requirements.
• may be statutory, regulatory and contractual
security requirements for design, operation,
use and management of information systems.
• Seek advice on specific legal requirements
from the organization's legal advisers

28
 Compliance

COMPLIANCE WITH SECURITY POLICIES AND

STANDARDS AND TECHNICAL COMPLIANCE
Objective: To ensure compliance of systems with
organizational security policies and standards.
• Review security of information systems regularly.

• Perform reviews against appropriate security policies

and technical platforms
• audit information systems for compliance with
security implementation standards.

29
Compliance

INFORMATION SYSTEMS AUDIT CONSIDERATIONS

Objective: To maximize the effectiveness of
and to minimize interference to/from the
system audit process.
• controls to safeguard operational systems
and audit tools during system audits.
• Protect integrity and prevent misuse of audit
tools.

30