
Types of information security policy
– Enterprise information security program policy (EISP)
– Issue-specific information security policies (ISSP)
– Systems-specific security policies (SysSP)

Management of Information Security, 3rd ed.

Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for the organization’s security efforts
• Assigns responsibilities for various areas of information security
• Guides development, implementation, and management requirements of the information security program

EISP Elements
1. Corporate philosophy on security
2. Information security organization and information security roles
3. Fully articulated responsibilities for security that are shared by all members of the organization
4. Fully articulated responsibilities for security that are unique to each role within the organization

EISP Components
• Statement of purpose
• Information technology security elements
• Need for information technology security
• Information technology security responsibilities and roles
• Reference to other information technology standards and guidelines

Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
– Instruction for secure use of technology systems
– Begins with an introduction to the fundamental technological philosophy of the organization
• Protects the organization from inefficiency and ambiguity
– Documents how the technology-based system is controlled
– Identifies the processes and authorities that provide this control
• Indemnifies the organization against liability for an employee’s inappropriate or illegal system use

Issue-Specific Security Policy - contd
• ISSP topics
– Email and internet use
– Minimum system configurations
– Prohibitions against hacking
– Home use of company-owned computer equipment
– Use of personal equipment on company networks
– Use of telecommunications technologies
– Use of photocopy equipment

Elements of the ISSP
• Statement of Purpose
– Scope and applicability
– Definition of technology addressed
– Responsibilities
• Authorized Access and Usage of Equipment
– User access
– Fair and responsible use
– Protection of privacy

Elements of the ISSP - contd
• Prohibited Usage of Equipment
– Disruptive use or misuse
– Criminal use
– Offensive or harassing materials
– Copyrighted, licensed or other intellectual property
– Other restrictions
• Systems management
– Management of stored materials
– Employer monitoring
– Virus protection
– Physical security
– Encryption

Elements of the ISSP - contd
• Violations of policy
– Procedures for reporting violations
– Penalties for violations
• Policy review and modification
– Scheduled review of policy and procedures for modification
• Limitations of liability
– Statements of liability or disclaimers

System-Specific Security Policy (SysSP)
• System-specific security policies (SysSP) frequently do not look like other types of policy
– May function as standards or procedures to be used when configuring or maintaining systems
• SysSPs can be separated into
– Management guidance
– Technical specifications
– Or combined in a single policy document

Managerial Guidance SysSPs
• Created by management to guide the implementation and configuration of technology
• Applies to any technology that affects the confidentiality, integrity or availability of information, e.g. firewall configuration
• Informs technologists of management intent

Technical Specifications SysSPs
• System administrators’ directions on implementing managerial policy
• Each type of equipment has its own type of policies
• General methods of implementing technical controls
– Access control lists
– Configuration rules

Technical Specifications SysSPs - contd
• Access control lists
– Include the user access lists, matrices, and capability tables that govern the rights and privileges
– A similar method that specifies which subjects and objects users or groups can access is called a capability table
– These specifications are frequently complex matrices, rather than simple lists or tables
– Enable administrators to restrict access according to user, computer, time, duration, or even a particular file

Technical Specifications SysSPs - contd
• Access control lists regulate
– Who can use the system
– What authorized users can access
– When authorized users can access the system
– Where authorized users can access the system from
– How authorized users can access the system
– Restricting what users can access, e.g. printers, files, communications, and applications
• Administrators set user privileges
– Read, write, create, modify, delete, compare, copy

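The who/what/when/where/how dimensions listed above, turned into a small rule evaluator as an added example (this is not the textbook's code): each dimension is one field of a rule, a request is allowed only when some rule satisfies every field (default deny), and the same rules yield the capability-table view mentioned on the previous slide. The users, groups, paths, networks and rules are constructed sample data.

```python
"""Toy access control list (ACL) evaluator.

Added example, not from the textbook. The "who / what / when / where / how"
dimensions the slide lists become the fields of a rule, requests are evaluated
with default deny, and a per-subject capability table is derived from the same
rules. Every user, group, path, address and rule below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Iterable, List, Set

# The privileges named on the slide; anything else is refused outright.
PRIVILEGES = frozenset({"read", "write", "create", "modify", "delete", "compare", "copy"})

@dataclass(frozen=True)
class Rule:
    subject: str                  # who:   "user:<name>" or "group:<name>"
    obj: str                      # what:  exact path, or "<prefix>/*" for everything below it
    rights: FrozenSet[str]        # which privileges this rule grants
    start: time = time(0, 0)      # when:  inclusive start of the allowed daily window
    end: time = time(23, 59, 59)  # when:  inclusive end of the allowed daily window
    source: str = "0.0.0.0/0"     # where: network the request must originate from
    methods: FrozenSet[str] = frozenset({"console", "lan", "vpn"})  # how: access channel

@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    obj: str
    right: str
    at: time
    source_ip: str
    method: str

def _subject_matches(rule_subject: str, req: Request) -> bool:
    kind, _, name = rule_subject.partition(":")
    if kind == "user":
        return name == req.user
    if kind == "group":
        return name in req.groups
    return False  # a malformed subject never matches (fail closed)

def _object_matches(pattern: str, obj: str) -> bool:
    if pattern.endswith("/*"):
        # keep the trailing "/" in the prefix so "/fin/*" does not match "/finance"
        return obj.startswith(pattern[:-1])
    return pattern == obj

def _rule_grants(rule: Rule, req: Request) -> bool:
    """A rule grants a request only when every dimension is satisfied."""
    return (_subject_matches(rule.subject, req)
            and _object_matches(rule.obj, req.obj)
            and req.right in rule.rights
            and rule.start <= req.at <= rule.end
            and ip_address(req.source_ip) in ip_network(rule.source)
            and req.method in rule.methods)

def is_permitted(rules: Iterable[Rule], req: Request) -> bool:
    """Default deny: unknown privileges and unmatched requests are refused."""
    return req.right in PRIVILEGES and any(_rule_grants(r, req) for r in rules)

def _parse_hhmm(hhmm: str) -> time:
    hour, minute = (int(part) for part in hhmm.split(":"))
    return time(hour, minute)

def check(rules: Iterable[Rule], user: str, groups: Iterable[str], obj: str, right: str,
          hhmm: str, source_ip: str, method: str) -> bool:
    """Is `user` allowed `right` on `obj` at HH:MM, coming from `source_ip` via `method`?"""
    req = Request(user, frozenset(groups), obj, right, _parse_hhmm(hhmm), source_ip, method)
    return is_permitted(rules, req)

def capability_table(rules: List[Rule], user: str, groups: Iterable[str], objects: Iterable[str],
                     hhmm: str, source_ip: str, method: str) -> Dict[str, Set[str]]:
    """Capability-table view: the rights one subject holds on each object under the given conditions."""
    return {obj: {r for r in PRIVILEGES if check(rules, user, groups, obj, r, hhmm, source_ip, method)}
            for obj in objects}

# Constructed sample rule set.
SAMPLE_RULES: List[Rule] = [
    # Payroll staff may read and compare finance files in office hours from the corporate network.
    Rule("group:payroll", "/finance/*", frozenset({"read", "compare"}),
         time(8, 0), time(18, 0), "10.0.0.0/8", frozenset({"lan", "vpn"})),
    # Only alice may change the ledger, and only from the finance subnet over the wired LAN.
    Rule("user:alice", "/finance/ledger.csv", frozenset({"write", "modify"}),
         time(8, 0), time(18, 0), "10.0.1.0/24", frozenset({"lan"})),
    # Backup operators may copy finance files at any hour, but only from their own subnet via console.
    Rule("group:backup", "/finance/*", frozenset({"copy"}),
         source="10.0.9.0/24", methods=frozenset({"console"})),
]

if __name__ == "__main__":
    print(check(SAMPLE_RULES, "alice", ["payroll"], "/finance/ledger.csv", "write", "10:00", "10.0.1.5", "lan"))
    print(capability_table(SAMPLE_RULES, "alice", ["payroll"],
                           ["/finance/ledger.csv", "/hr/salaries.csv"], "10:00", "10.0.1.5", "lan"))
```

The design point is that a rule matches only when every dimension matches, and no matching rule means denial; the same rule set therefore answers both "may this request proceed?" and "what can this subject do right now?", which is the matrix-versus-capability-table distinction the slides draw.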
Technical Specifications SysSPs - contd
• Configuration rules
– Specific configuration codes entered into security systems
• Guide the execution of the system when information is passing through it
• Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process

Policy, Standards, and Practices
• Policy: A plan or course of action that influences decisions
– Must be properly disseminated, read, understood, agreed to, and uniformly enforced
– Requires constant modification and maintenance
• Standards
– A more detailed statement of what must be done to comply with policy
• Practices
– Procedures and guidelines explain how employees will comply with policy

Policies, Standards, & Practices
Figure 4-2 Policies, standards and practices (Source: Course Technology/Cengage Learning)

Guidelines for Effective Policy
• Policies must be properly:
– Developed using industry-accepted practices
– Distributed or disseminated using all appropriate methods
– Reviewed or read by all employees
– Understood by all employees
– Formally agreed to by act or assertion
– Uniformly applied and enforced

Development steps
• Investigation (goals, support, participation)
• Analysis (risk assessment)
• Design (components, dissemination)
• Implement (detailed specification)
• Maintenance
• Distribution

Organizing for Security
• Variables involved in structuring an information security program
– Organizational culture
– Size
– Security personnel budget
– Security capital budget
• As organizations increase in size:
– Their security departments are not keeping up with increasingly complex organizational infrastructures

Security in Large Organizations
• One approach separates functions into four areas:
– Functions performed by non-technology business units outside of IT
– Functions performed by IT groups outside of the information security area
– Functions performed within the information security department as customer service
– Functions performed within the information security department as compliance

Security in Large Organizations - contd
• The CISO has responsibility for information security functions
– Should be adequately performed somewhere within the organization
• The deployment of full-time security personnel depends on:
– Sensitivity of the information to be protected
– Industry regulations
– General profitability
• The more money the company can dedicate to its personnel budget
– The more likely it is to maintain a large information security staff

Security in Medium-Sized Organizations
• Have between 100 and 1000 computers
– Have a smaller total budget
– Have the same size security staff as a small organization, but a larger need
– Must rely on help from IT staff for plans and practices
– Ability to set policy, handle incidents, and effectively allocate resources is worse than any other size
– May be large enough to implement a multi-tiered approach to security
• With fewer dedicated groups and more functions assigned to each group
– Tend to ignore some security functions

Security in Small Organizations
• Have between 10 and 100 computers
– Have a simple, centralized IT organizational model
– Spend disproportionately more on security
– Information security is often the responsibility of a single security administrator
– Have little in the way of formal policy, planning, or security measures
– Often outsource Web presence or e-commerce
– Security training and awareness are commonly conducted on a 1-on-1 basis
– Policies (when they exist) are often issue-specific
– Threats from insiders are less likely
• Every employee knows every other employee

Placing Information Security
• In large organizations
– InfoSec is often located within the information technology department
• Headed by the CISO who reports directly to the top computing executive, or CIO
• An InfoSec program is sometimes at odds with the goals and objectives of the IT department as a whole, because the goals and objectives of the CIO and the CISO may come in conflict
– It is not difficult to understand the current movement to separate information security from the IT division
– The challenge is to design a reporting structure for the InfoSec program that balances the needs of each of the communities of interest