MCM2613/MCS1433 IT Security Management Policy, Standards, and Practice
Introduction
This chapter focuses on information security policy:
- What it is
- How to write it
- How to implement it
- How to maintain it
Policy is the essential foundation of an effective information security program.
Why Policy?
- A quality information security program begins and ends with policy
- Policies are the least expensive means of control, and often the most difficult to implement
- Some basic rules must be followed when shaping a policy. It must:
  - Never conflict with law
  - Stand up in court
  - Be properly supported and administered
  - Contribute to the success of the organization
  - Involve the end users of the information systems
Figure 4-1 The Bull's-eye Model
Policy-Centric Decision Making
Bull's-eye model layers, from the outside in:
- Policies: the first layer of defense
- Networks: where threats first meet the organization's network
- Systems: computers and manufacturing systems
- Applications: all application systems
Policies, Standards, & Practices
Policy, Standards, and Practices
- Policy: a plan or course of action that influences and determines decisions
- Standards: more detailed statements of what must be done to comply with policy
- Practices, procedures, and guidelines: explain how employees will comply with policy
For policies to be effective, they must be:
- Properly disseminated
- Read
- Understood
- Agreed to
Policy, Standards, and Practices (Continued)
- Policies require constant modification and maintenance
- To produce a complete information security policy, management must define three types of information security policy (NIST SP 800-14):
  - Enterprise information security program policy
  - Issue-specific information security policies
  - Systems-specific information security policies
Enterprise Information Security Policy (EISP)
- Sets the strategic direction, scope, and tone for the organization's security efforts
- Assigns responsibilities for the various areas of information security
- Guides the development, implementation, and management requirements of the information security program
EISP Elements
EISP documents should provide:
- An overview of the corporate philosophy on security
- Information about the information security organization and information security roles
- Responsibilities for security shared by all members of the organization
- Responsibilities for security unique to each role within the organization
Components of the EISP
- Statement of Purpose: what the policy is for
- Information Technology Security Elements: defines information security
- Need for Information Technology Security: justifies the importance of information security in the organization
- Information Security Responsibilities and Roles: defines the organizational structure
- References to Information Technology standards and guidelines
Example EISP
- Protection Of Information: information must be protected in a manner commensurate with its sensitivity, value, and criticality
- Use Of Information: Company X information must be used only for business purposes expressly authorized by management
- Information Handling, Access, And Usage: information is a vital asset, and all access to, use of, and processing of Company X information must be consistent with policies and standards
Example EISP (Continued)
- Data And Program Damage Disclaimers: Company X disclaims any responsibility for loss of or damage to data or software that results from its efforts to protect the confidentiality, integrity, and availability of the information handled by its computer and communications systems
Further sections of the example EISP:
- Legal Conflicts
- Exceptions To Policies
- Policy Non-Enforcement
- Violation Of Law
- Revocation Of Access Privileges
- Industry-Specific Information Security Standards
- Use Of Information Security Policies And Procedures
- Security Controls Enforceability
Issue-Specific Security Policy (ISSP)
Every organization's ISSP should:
- Address specific technology-based systems
- Be updated frequently
- Contain an issue statement giving the organization's position on the issue
ISSP topics could include:
- E-mail use
- Internet and World Wide Web use
- Specific minimum configurations of computers to defend against worms and viruses
- Prohibitions against hacking or testing the organization's security controls
- Etc.
Typical ISSP Components
- Statement of Purpose
  - Scope and Applicability
  - Definition of Technology Addressed
  - Responsibilities
- Authorized Access and Usage of Equipment
  - User Access
  - Fair and Responsible Use
  - Protection of Privacy
- Prohibited Usage of Equipment
  - Disruptive Use or Misuse
  - Criminal Use
  - Offensive or Harassing Materials
  - Copyrighted, Licensed, or Other Intellectual Property
  - Other Restrictions
Components of the ISSP (Continued)
- Systems Management
  - Management of Stored Materials
  - Employer Monitoring
  - Virus Protection
  - Physical Security
  - Encryption
- Violations of Policy
  - Procedures for Reporting Violations
  - Penalties for Violations
- Policy Review and Modification
  - Scheduled Review of Policy and Procedures for Modification
- Limitations of Liability
  - Statements of Liability or Disclaimers
Implementing ISSP
Common approaches:
- A number of independent ISSP documents
- A single comprehensive ISSP document
- A modular ISSP document that unifies policy creation and administration
The recommended approach is the modular policy, which provides a balance between issue orientation and policy management.
Systems-Specific Policy (SysSP)
- Systems-specific policies (SysSPs) frequently do not look like other types of policy
- They are often created to function as standards or procedures to be used when configuring or maintaining systems
- SysSPs can be separated into:
  - Management guidance
  - Technical specifications
  - Or the two combined in a single policy document
Management Guidance SysSPs
- Created by management to guide the implementation and configuration of technology
- Applies to any technology that affects the confidentiality, integrity, or availability of information
- Informs technologists of management intent
Technical Specifications SysSPs
- System administrators' directions on implementing managerial policy
- Each type of equipment has its own type of policies
- Two general methods of implementing such technical controls:
  - Access control lists
  - Configuration rules
Access Control Lists
- Include user access lists, matrices, and capability tables that govern rights and privileges
- Can control access to file storage systems, object brokers, or other network communications devices
- ACLs enable administrators to restrict access according to user, computer, time, duration, etc.
- Capability table: a related method, organized by subject rather than by object, that specifies which objects a user or group can access and with what rights
- Specifications are frequently complex matrices, rather than simple lists or tables
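The ACL-versus-capability-table distinction is easier to see in code. What follows is an added example written for this page, not code from the textbook: one subject-by-object access matrix, the two views derived from it (an ACL indexed by object, a capability list indexed by subject), and a default-deny authorization check that also enforces the per-entry host and time-of-day restrictions the slide mentions. All subjects, objects, hosts, and rights are constructed sample data.

```python
"""Added example for this page (not from the textbook): an access-control
matrix sliced two ways, plus a default-deny authorization check.
Subjects, objects, hosts and rights below are constructed sample data."""
from dataclasses import dataclass
from datetime import time

# The matrix itself: subject -> object -> set of rights.
MATRIX = {
    "alice":  {"payroll.db": {"read", "write"}, "hr-share": {"read"}},
    "bob":    {"hr-share": {"read", "write"}},
    "backup": {"payroll.db": {"read"}, "hr-share": {"read"}},
}


def acl_for(obj):
    """ACL view (indexed by object): which subjects hold which rights on obj."""
    return {s: sorted(rights[obj]) for s, rights in MATRIX.items() if obj in rights}


def capabilities_of(subject):
    """Capability view (indexed by subject): which objects it may touch, and how."""
    return {o: sorted(r) for o, r in MATRIX.get(subject, {}).items()}


@dataclass
class Restriction:
    """Conditions an ACL entry can carry beyond subject/object/right."""
    hosts: frozenset = frozenset()   # empty means any host
    start: str = "00:00"             # HH:MM, inclusive
    end: str = "23:59"               # HH:MM, inclusive


# Per-(subject, object) restrictions: the backup account may read payroll
# only from host bkp01 and only during the 01:00-04:00 backup window.
RESTRICTIONS = {
    ("backup", "payroll.db"): Restriction(hosts=frozenset({"bkp01"}),
                                          start="01:00", end="04:00"),
}


def authorize(subject, obj, right, host, now):
    """Default deny: grant only if the matrix holds the right AND any
    restriction on (subject, obj) is satisfied. `now` is an "HH:MM" string."""
    if right not in MATRIX.get(subject, {}).get(obj, set()):
        return False
    r = RESTRICTIONS.get((subject, obj))
    if r is None:
        return True
    if r.hosts and host not in r.hosts:
        return False
    t = time.fromisoformat(now)
    return time.fromisoformat(r.start) <= t <= time.fromisoformat(r.end)


if __name__ == "__main__":
    print("ACL for hr-share:", acl_for("hr-share"))
    print("Capabilities of alice:", capabilities_of("alice"))
    print("backup reads payroll at 02:00 from bkp01:",
          authorize("backup", "payroll.db", "read", "bkp01", "02:00"))
    print("backup reads payroll at 09:00 from bkp01:",
          authorize("backup", "payroll.db", "read", "bkp01", "09:00"))
```

The point of the two views: an ACL answers "who can touch this object?" (what you audit when an object is sensitive), a capability list answers "what can this subject touch?" (what you audit when an account is compromised or leaves). Both are projections of the same matrix, and the check is default deny, so a subject or object missing from the matrix is refused rather than erroring.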
Configuration Rules
- Configuration rules are specific configuration codes entered into security systems to guide the system's execution as information passes through it
- Rule-based policies are more specific to system operation than ACLs and may or may not deal with users directly
- Many security systems (such as firewalls and intrusion detection systems) require specific configuration scripts telling the system what action to perform on each set of information it processes
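An added example written for this page, not from the textbook, of what a rule-based policy looks like when it is executed: an ordered, first-match rule set of the kind a packet filter evaluates, the implicit deny that such policies rely on when nothing matches, and a lint that finds rules an earlier rule makes unreachable (a common defect in hand-maintained firewall configurations). The addresses, ports, and rules are constructed sample data; the rule syntax is this example's own, not any vendor's.

```python
"""Added example for this page (not from the textbook): an ordered,
first-match rule set with implicit deny, and a shadowed-rule lint.
Addresses and rules are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port; None means any


# Sample policy for one host, 10.1.2.3: SSH from the corporate 10/8 range
# only, HTTPS from anywhere. The last rule is unreachable (shadowed by rule 0).
RULESET = [
    Rule("allow", "10.0.0.0/8",  "10.1.2.3/32", "tcp", 22),
    Rule("deny",  "0.0.0.0/0",   "10.1.2.3/32", "tcp", 22),
    Rule("allow", "0.0.0.0/0",   "10.1.2.3/32", "tcp", 443),
    Rule("allow", "10.0.5.0/24", "10.1.2.3/32", "tcp", 22),
]


def matches(rule, src, dst, proto, port):
    """True if one packet (src, dst, proto, port) falls within the rule."""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.port in (None, port))


def decide(rules, src, dst, proto, port):
    """First matching rule wins. No match means deny (implicit deny); the
    index returned is None so a log can show that no explicit rule fired."""
    for i, r in enumerate(rules):
        if matches(r, src, dst, proto, port):
            return r.action, i
    return "deny", None


def covers(earlier, later):
    """True if every packet `later` matches is also matched by `earlier`."""
    return (ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and earlier.proto in ("any", later.proto)
            and earlier.port in (None, later.port))


def shadowed(rules):
    """Indices of rules that can never fire because a single earlier rule
    covers all of their traffic. Shadowing by the union of several earlier
    rules is not detected by this simple check."""
    return [i for i, r in enumerate(rules)
            if any(covers(e, r) for e in rules[:i])]


if __name__ == "__main__":
    print(decide(RULESET, "10.0.5.7", "10.1.2.3", "tcp", 22))    # allow by rule 0
    print(decide(RULESET, "192.0.2.9", "10.1.2.3", "tcp", 22))   # deny by rule 1
    print(decide(RULESET, "192.0.2.9", "10.1.2.3", "udp", 53))   # implicit deny
    print("shadowed rules:", shadowed(RULESET))                  # [3]
```

Two things to notice: ordering is part of the policy (swapping rules 0 and 1 would lock corporate SSH out), which is why configuration rules are reviewed as a sequence rather than as a set; and a shadowed rule is not harmless, because whoever added it believed it was in force.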
Combination SysSPs
- Organizations often create a single document combining elements of both management guidance and technical specifications SysSPs
- While this can be confusing, it is very practical
- Care should be taken to articulate the required actions carefully as the procedures are presented
Guidelines for Policy Development
- It is often useful to view policy development as a two-part project:
  - Design and develop the policy (or redesign and rewrite outdated policy)
  - Establish the management processes to perpetuate the policy within the organization
- The former is an exercise in project management, while the latter requires adherence to good business practices
The Policy Project
- Policy (re)development projects should be well planned, properly funded, and aggressively managed to ensure completion on time and within budget
- The policy development project can be guided by the SecSDLC process:
  - Investigation
  - Analysis
  - Design
  - Implementation
  - Maintenance
Investigation Phase
The policy development team should:
- Obtain support from senior management (e.g., the CIO)
- Clearly articulate the goals of the policy project
- Gain the participation of the correct individuals affected by the recommended policies
- Include representatives from Legal, Human Resources, and end users
- Assign a project champion with sufficient stature and prestige
- Acquire a capable project manager
- Develop a detailed outline of, and sound estimates for, the cost and schedule of the project
Analysis Phase
The analysis phase should include the following activities:
- A new or recent risk assessment or IT audit documenting the current information security needs of the organization
- Gathering key reference materials, including any existing policies
Design Phase
The design phase should include:
- How policies will be distributed
- How verification of distribution will be accomplished
- Specifications for any automated tools
- Revisions to feasibility analysis reports based on improved cost and benefit estimates as the design is clarified
Implementation Phase
- Implementation phase: writing the policies
- Make certain the policies are enforceable as written
- Policy distribution is not always straightforward
- Effective policy:
  - Is written at a reasonable reading level (check it with readability statistics)
  - Attempts to minimize technical jargon and management terminology
Readability Statistics Example
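The readability statistics the slides refer to are the standard Flesch Reading Ease and Flesch-Kincaid Grade Level formulas, both of which depend only on words per sentence and syllables per word. The following is an added example written for this page, not from the textbook: it computes both scores with a simple vowel-group syllable heuristic, so the absolute numbers differ a little from the figures a word processor reports, but the comparison between drafts is what a policy editor uses. The jargon-heavy and plain-language drafts are constructed samples, not text from any real policy, and the grade threshold in `too_hard` is an assumed target.

```python
"""Added example for this page (not from the textbook): readability
statistics for policy text. Computes Flesch Reading Ease and the
Flesch-Kincaid Grade Level using a vowel-group syllable heuristic.
The two drafts below are constructed samples, not real policy text."""
import re


def count_syllables(word):
    """Heuristic: count vowel groups; drop one for a trailing silent 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith("le") and groups > 1:
        groups -= 1
    return max(groups, 1)


def text_stats(text):
    """Return (sentences, words, syllables) for a block of text."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z]+", text)
    return len(sentences), len(words), sum(count_syllables(w) for w in words)


def readability(text):
    """Return (Flesch Reading Ease, Flesch-Kincaid Grade Level), rounded to
    one decimal. Higher FRE is easier; FKGL approximates a US school grade."""
    n_sent, n_words, n_syl = text_stats(text)
    if n_sent == 0 or n_words == 0:
        raise ValueError("text has no sentences or words")
    wps = n_words / n_sent       # words per sentence
    spw = n_syl / n_words        # syllables per word
    fre = 206.835 - 1.015 * wps - 84.6 * spw
    fkgl = 0.39 * wps + 11.8 * spw - 15.59
    return round(fre, 1), round(fkgl, 1)


def too_hard(sections, max_grade=10.0):
    """Names of policy sections whose grade level exceeds max_grade
    (the threshold is an assumed editorial target, not a standard)."""
    return [name for name, text in sections.items()
            if readability(text)[1] > max_grade]


# Constructed drafts: one in typical policy jargon, one in plain language.
JARGON_DRAFT = ("Personnel shall ensure the confidentiality, integrity, and "
                "availability of organizational information assets commensurate "
                "with their classification. Noncompliance may result in "
                "disciplinary action up to and including termination of employment.")
PLAIN_DRAFT = ("Lock your screen when you leave your desk. Do not share your "
               "password with anyone. Report lost laptops to the help desk "
               "the same day.")

if __name__ == "__main__":
    for name, text in (("jargon", JARGON_DRAFT), ("plain", PLAIN_DRAFT)):
        print(name, text_stats(text), readability(text))
    print("sections over grade 10:", too_hard({"jargon": JARGON_DRAFT,
                                               "plain": PLAIN_DRAFT}))
```

Run over a whole policy one section at a time, `too_hard` gives the implementation team a list of the sections to rewrite before distribution, which is a more useful output than a single score for the entire document.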
Maintenance Phase
- Maintain and modify the policy as needed to ensure that it remains effective as a tool to meet changing threats
- Policy should have a built-in mechanism through which users can report problems with the policy, preferably anonymously
- Periodic review should be built into the process
The Information Security Policy Made Easy Approach (ISPME)
- Gathering key reference materials
- Defining a framework for policies
- Preparing a coverage matrix
- Making critical systems design decisions
- Structuring review, approval, and enforcement processes
Refer to the full ISPME checklist (it is long).
Figure 4-11 Coverage Matrix
ISPME Checklist
- Perform a risk assessment or information technology audit to determine your organization's unique information security needs
- Clarify what "policy" means within your organization, so that you are not preparing a standard, procedure, or some other related material
- Ensure that roles and responsibilities related to information security are clarified, including responsibility for issuing and maintaining policies
- Convince management that it is advisable to have documented information security policies
ISPME Next Steps
- Post policies to the intranet or equivalent
- Develop a self-assessment questionnaire
- Develop a revised user ID issuance form
- Develop an Agreement to Comply with Information Security Policies form
- Develop tests to determine whether workers understand the policies
- Assign information security coordinators
- Train the information security coordinators
ISPME Next Steps (Continued)
- Prepare and deliver a basic information security training course
- Develop application-specific information security policies
- Develop a conceptual hierarchy of information security requirements
- Assign information ownership and custodianship
- Establish an information security management committee
- Develop an information security architecture document
SP 800-18: Guide for Developing Security Plans
- NIST Special Publication 800-18 offers another approach to policy management
- Policies are documents that constantly change and grow
- They must be properly disseminated (distributed, read, understood, and agreed to) and managed
SP 800-18: Guide for Developing Security Plans (Continued)
- Good management practices for policy development and maintenance make for a more resilient organization
- In order to remain current and viable, policies must have:
  - An individual responsible for reviews
  - A schedule of reviews
  - A method for making recommendations for reviews
  - An indication of the policy date and revision date
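The four maintenance requirements above are easy to state and easy to let lapse, so they are worth checking mechanically against the organization's policy register. The following is an added example written for this page, not from SP 800-18 or the textbook: it audits a small register for a missing review owner, schedule, recommendation method, or revision date, and for reviews that are overdue as of a given date. The register entries, owners, and dates are constructed sample data, dates are ISO strings, and a review interval is approximated as 30 days per month.

```python
"""Added example for this page (not from SP 800-18 or the textbook): audit a
policy register for the review owner, schedule, recommendation method and
revision date that every policy must carry. Entries are constructed data."""
from datetime import date, timedelta

REGISTER = [
    {"id": "EISP-01",    "owner": "CISO",            "review_months": 12,
     "revised": "2010-09-01", "method": "change request to CISO office"},
    {"id": "ISSP-EMAIL", "owner": "IT Security Mgr", "review_months": 12,
     "revised": "2011-03-15", "method": "change request to CISO office"},
    {"id": "SYSSP-FW",   "owner": None,              "review_months": 6,
     "revised": "2011-01-10", "method": "change request to CISO office"},
    {"id": "ISSP-WEB",   "owner": "IT Security Mgr", "review_months": None,
     "revised": None,         "method": None},
]


def audit_register(register, today):
    """Return (policy id, finding) pairs, in register order, for every entry
    that lacks an owner, a review schedule, a recommendation method or a
    revision date, or whose next review date (revised + interval) has passed.
    `today` is an ISO date string; the interval uses 30 days per month."""
    today = date.fromisoformat(today)
    findings = []
    for p in register:
        if not p["owner"]:
            findings.append((p["id"], "no individual responsible for reviews"))
        if not p["review_months"]:
            findings.append((p["id"], "no schedule of reviews"))
        if not p["method"]:
            findings.append((p["id"], "no method for recommending changes"))
        if not p["revised"]:
            findings.append((p["id"], "no revision date"))
        elif p["review_months"]:
            due = (date.fromisoformat(p["revised"])
                   + timedelta(days=30 * p["review_months"]))
            if due < today:
                findings.append((p["id"], f"review overdue since {due.isoformat()}"))
    return findings


if __name__ == "__main__":
    for policy_id, finding in audit_register(REGISTER, "2011-09-01"):
        print(f"{policy_id}: {finding}")
```

Running this on a schedule, and treating any finding as a ticket for the named owner, is the "method for making recommendations" in practice: the policy cannot silently become stale because nobody remembered the review date.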
A Final Note on Policy
- It is important to emphasize the preventive nature of policy
- Policies exist first and foremost to inform employees of what is and is not acceptable behavior in the organization
- Policy seeks to improve employee productivity and to prevent potentially embarrassing situations

Information security policy_2011

  • 1. MCM2613/MCS1433 IT Security Management Policy, Standards, and Practice
  • 2. Introduction This chapter focuses on information security policy: What it is How to write it How to implement it How to maintain it Policy Essential foundation of effective information security program:
  • 3. Why Policy? A quality information security program begins and ends with policy Policies are least expensive means of control and often the most difficult to implement Some basic rules must be followed when shaping a policy: Never conflict with law Stand up in court Properly supported and administered Contribute to the success of the organization Involve end users of information systems
  • 4. Figure 4-1 The Bulls-eye Model
  • 5. Policy Centric Decision Making Bulls-eye model layers: Policies: first layer of defense Networks: threats first meet organizations network Systems: computers and manufacturing systems Applications: all applications systems
  • 7. Policy, Standards, and Practices Policy: plan or course of action that influences and determines decisions Standards: more detailed statement of what must be done to comply with policy Practices, procedures and guidelines: explain how employees will comply with policy For policies to be effective, they must be: Properly disseminated Read Understood Agreed-to
  • 8. Policy, Standards, and Practices (Continued) Policies require constant modification and maintenance To produce a complete information security policy, management must define three types of information security policy (NIST 800-14): Enterprise information security program policy Issue-specific information security policies Systems-specific information security policies
  • 9. Enterprise Information Security Policy (EISP) Sets strategic direction, scope, and tone for organizations security efforts Assigns responsibilities for various areas of information security Guides development, implementation, and management requirements of information security program
  • 10. EISP Elements EISP documents should provide : An overview of corporate philosophy on security Information about information security organization and information security roles Responsibilities for security shared by all members of the organization Responsibilities for security unique to each role within the organization
  • 11. Components of the EISP Statement of Purpose: What the policy is for Information Technology Security Elements: Defines information security Need for Information Technology Security: justifies importance of information security in the organization Information Security Responsibilities and Roles: Defines organizational structure References Information Technology standards and guidelines
  • 12. Example EISP Protection Of Information: Information must be protected in a manner commensurate with its sensitivity, value, and criticality Use Of Information: Company X information must be used only for business purposes expressly authorized by management Information Handling, Access, And Usage: Information is a vital asset and all accesses to, uses of, and processing of Company X information must be consistent with policies and standards
  • 13. Example EISP (Continued) Data And Program Damage Disclaimers: Company X disclaims any responsibility for loss or damage to data or software that results from its efforts to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems Legal Conflicts Exceptions To Policies Policy Non-Enforcement Violation Of Law Revocation Of Access Privileges Industry-Specific Information Security Standards Use Of Information Security Policies And Procedures Security Controls Enforceability
  • 14. Issue-Specific Security Policy (ISSP) Every organizations ISSP should: Address specific technology-based systems Require frequent updates Contain an issue statement on the organizations position on an issue ISSP topics could include: E-mail use, Internet and World Wide Web use, Specific minimum configurations of computers to defend against worms and viruses, Prohibitions against hacking or testing organization security controls, Etc.
  • 15. Typical ISSP Components Statement of Purpose Scope and Applicability Definition of Technology Addressed Responsibilities Authorized Access and Usage of Equipment User Access Fair and Responsible Use Protection of Privacy Prohibited Usage of Equipment Disruptive Use or Misuse Criminal Use Offensive or Harassing Materials Copyrighted, Licensed or other Intellectual Property Other Restrictions
  • 16. Components of the ISSP (Continued) Systems Management Management of Stored Materials Employer Monitoring Virus Protection Physical Security Encryption Violations of Policy Procedures for Reporting Violations Penalties for Violations Policy Review and Modification Scheduled Review of Policy and Procedures for Modification Limitations of Liability Statements of Liability or Disclaimers
  • 17. Implementing ISSP Common approaches: Number of independent ISSP documents Single comprehensive ISSP document Modular ISSP document that unifies policy creation and administration Recommended approach is modular policy, which provides a balance between issue orientation and policy management
  • 18.
  • 19. Systems-Specific Policy (SysSP) Systems-Specific Policies (SysSPs) frequently do not look like other types of policy They may often be created to function as standards or procedures to be used when configuring or maintaining systems SysSPs can be separated into: Management guidance Technical specifications Combined in a single policy document
  • 20. Management Guidance SysSPs Created by management guides the implementation and configuration of technology Applies to any technology that affects the confidentiality, integrity or availability of information Informs technologists of management intent
  • 21. Technical Specifications SysSPs System administrators directions on implementing managerial policy Each type of equipment has its own type of policies Two general methods of implementing such technical controls: Access control lists Configuration rules
  • 22. Access Control Lists Include user access lists, matrices, and capability tables that govern rights and privileges Can control access to file storage systems, object brokers or other network communications devices ACLs enable administrations to restrict access according to user, computer, time, duration, etc. Capability Table: similar method that specifies which subjects and objects users or groups can access Specifications are frequently complex matrices, rather than simple lists or tables
  • 23. Configuration Rules Configuration rules are specific configuration codes entered into security systems to guide execution of system when information is passing through it Rule-based policies are more specific to system operation than ACLs and may or may not deal with users directly Many security systems require specific configuration scripts telling systems what actions to perform on each set of information processed
  • 24. Combination SysSPs Often organizations create a single document combining elements of both Management Guidance and Technical Specifications SysSPs While this can be confusing, it is very practical Care should be taken to articulate required actions carefully as procedures are presented
  • 25. Guidelines for Policy Development
    - It is often useful to view policy development as a two-part project: (1) design and develop policy (or redesign and rewrite outdated policy); (2) establish management processes to perpetuate policy within the organization.
    - The former is an exercise in project management, while the latter requires adherence to good business practices.
  • 26. The Policy Project
    - Policy (re)development projects should be well planned, properly funded, and aggressively managed to ensure completion on time and within budget.
    - A policy development project can be guided by the SecSDLC process: investigation, analysis, design, implementation, maintenance.
  • 27. Investigation Phase
    - The policy development team should:
    - Obtain support from senior management (CIO).
    - Clearly articulate the goals of the policy project.
    - Gain participation of the correct individuals affected by the recommended policies.
    - Include representation from Legal, Human Resources, and end users.
    - Assign a project champion with sufficient stature and prestige.
    - Acquire a capable project manager.
    - Develop a detailed outline of, and sound estimates for, the cost and scheduling of the project.
  • 28. Analysis Phase
    - The analysis phase should include the following activities:
    - A new or recent risk assessment or IT audit documenting the current information security needs of the organization.
    - Key reference materials, including any existing policies.
  • 29. Design Phase
    - The design phase should include:
    - How policies will be distributed.
    - How verification of distribution will be accomplished.
    - Specifications for any automated tools.
    - Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified.
  • 30. Implementation Phase
    - Implementation phase: writing the policies.
    - Make certain policies are enforceable as written.
    - Policy distribution is not always as straightforward as it appears.
    - Effective policy is written at a reasonable reading level (check readability statistics) and attempts to minimize technical jargon and management terminology.
  • 32. Maintenance Phase
    - Maintain and modify policy as needed to ensure that it remains effective as a tool to meet changing threats.
    - Policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously.
    - Periodic review should be built into the process.
  • 33. The Information Security Policy Made Easy (ISPME) Approach
    - Gathering key reference materials
    - Defining a framework for policies
    - Preparing a coverage matrix
    - Making critical systems design decisions
    - Structuring review, approval, and enforcement processes
    - Refer to the huge checklist!
  • 35. ISPME Checklist
    - Perform a risk assessment or information technology audit to determine your organization's unique information security needs.
    - Clarify what "policy" means within your organization so that you are not preparing a standard, procedure, or some other related material.
    - Ensure that roles and responsibilities related to information security are clarified, including responsibility for issuing and maintaining policies.
    - Convince management that it is advisable to have documented information security policies.
  • 36. ISPME Next Steps
    - Post policies to the intranet or equivalent
    - Develop a self-assessment questionnaire
    - Develop a revised user ID issuance form
    - Develop an "Agreement to Comply with Information Security Policies" form
    - Develop tests to determine whether workers understand the policies
    - Assign information security coordinators
    - Train information security coordinators
  • 37. ISPME Next Steps (Continued)
    - Prepare and deliver a basic information security training course
    - Develop application-specific information security policies
    - Develop a conceptual hierarchy of information security requirements
    - Assign information ownership and custodianship
    - Establish an information security management committee
    - Develop an information security architecture document
  • 38. SP 800-18: Guide for Developing Security Plans
    - NIST Special Publication 800-18 offers another approach to policy management.
    - Policies are documents that constantly change and grow.
    - They must be properly disseminated (distributed, read, understood, and agreed to) and managed.
  • 39. SP 800-18: Guide for Developing Security Plans (Continued)
    - Good management practices for policy development and maintenance make for a more resilient organization.
    - In order to remain current and viable, policies must have:
    - An individual responsible for reviews
    - A schedule of reviews
    - A method for making recommendations for reviews
    - An indication of policy and revision date
  • 40. A Final Note on Policy
    - It is important to emphasize the preventative nature of policy.
    - Policies exist first and foremost to inform employees of what is and is not acceptable behavior in the organization.
    - Policy seeks to improve employee productivity and prevent potentially embarrassing situations.

Editor's Notes

  • #20: Differentiate EISP and SysSP
  • #25: Charging is higher in this way
  • #27: The most important thing is budget. This is related to SysSP because of the development of the organization: the strategy of the company needs to take the EISP, and then the development of the system is required to use the SysSP only for a specific information system
  • #31: When you write, use simple words
  • #36: You have to convince your management using EPS CICT published on the internet
  • #39: Download SP800-28 inside 480 for
  • #41: Three types of policies: Industrial, Education, Government. Please compare whether they have similar components. EISP Elements