INFORMATION SECURITY MANAGEMENT

Lecture 4: Information Security Policy

You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra


Principles of Information Security Management

Chapters 2 & 3

Chapter 4

http://csrc.nist.gov/publications/PubsTC.html

The course focuses on the following six characteristics (the six P’s):

  • Planning

  • Policy

  • Programs

  • Protection

  • People

  • Project Management


Introduction

“The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems”

Policy is the essential foundation of an effective information security program


Policy

  • Explains the will of the organization’s management in controlling the behavior of employees

  • Policies are the least expensive means of control and often the most difficult to implement


Bull’s-eye Model


Policy, Standards, and Practices

  • Policy & Types

    • Enterprise

    • Issue-specific

    • Systems-specific

  • Standards

  • Practices


Enterprise Information Security Policy (EISP)

  • Sets strategic direction, scope, and tone for organization’s security efforts

  • Assigns responsibilities for various areas of information security


EISP Elements

  • Overview of the corporate philosophy on security

  • Information about information security organization and information security roles

    • Responsibilities for security that are shared by all members of the organization

    • Responsibilities for security that are unique to each role within the organization


Example: UNCW Security Policy

CISO EISP:

  • Enterprise Information Security Policy

Additional examples:

  • http://uncw.edu/policies/it.html

  • http://doit.maryland.gov/support/pages/securitypolicies.aspx


Example EISP Components

  • Statement of purpose

  • Information technology security elements

  • Need for information technology security

  • Information technology security responsibilities and roles

  • Reference to other information technology standards and guidelines


Issue-Specific Security Policy (ISSP)

  • Provides detailed, targeted guidance

  • Protects organization from inefficiency and ambiguity

  • Indemnifies the organization against liability for an employee’s inappropriate or illegal system use


Issue-Specific Security Policy (cont’d.)

  • Every organization’s ISSP should:

    • Address specific technology-based systems

    • Require frequent updates

    • Contain an issue statement on the organization’s position on an issue


ISSP - Topics

  • Email and internet use

  • Minimum system configurations

  • Prohibitions against hacking

  • Home use of company-owned computer equipment

  • Use of personal equipment on company networks

  • Use of telecommunications technologies

  • Use of photocopy equipment


Example of ISSP

CISO ISSP:

Acceptable Use of Systems Policy


Components of the ISSP

  • Statement of Purpose

  • Authorized Access and Usage of Equipment

  • Prohibited Usage of Equipment

  • Systems management

  • Violations of policy

  • Policy review and modification

  • Limitations of liability


Implementing the ISSP

  • Common approaches

    • Several independent documents

    • A single comprehensive document

    • A modular document that unifies policy creation and administration


System-Specific Security Policy

  • System-specific security policies (SysSPs) frequently do not look like other types of policy

  • SysSPs can be separated into:

    • Management guidance

    • Technical specifications

    • Or combined


Managerial Guidance SysSPs

  • Created by management to guide the implementation and configuration of technology

  • Applies to any technology that affects the confidentiality, integrity or availability of information

  • Informs technologists of management intent


Technical Specifications SysSPs

  • System administrators’ directions on implementing managerial policy

  • General methods of implementing technical controls

    • Access control lists

    • Configuration rules


Technical Specifications SysSPs (cont’d.)

  • Access control lists

    • Include the user access lists, matrices, and capability tables that govern the rights and privileges

  • Enable administrators to restrict access according to user, computer, time, duration, or even a particular file


Technical Specifications SysSPs (cont’d.)

  • Access control lists regulate who, what, when, where and how

    • Restricting what users can access, e.g. printers, files, communications, and applications

  • Administrators set user privileges

    • Read, write, create, modify, delete, compare, copy
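The two slides above describe ACLs that restrict access by user, computer, time and file, and capability tables that list what each user may do. The following is an added example, not part of the lecture, showing a default-deny ACL evaluator with a constructed matrix (the users, hosts and paths are hypothetical) and a capability-table view derived from the same entries:

```python
import posixpath
from dataclasses import dataclass
from datetime import datetime, time

# The seven privileges named on the slide.
PRIVILEGES = frozenset({"read", "write", "create", "modify", "delete", "compare", "copy"})

@dataclass(frozen=True)
class AclEntry:
    user: str
    host: str              # workstation the request must come from; "*" = any
    prefix: str            # file or directory the entry governs
    privileges: frozenset  # subset of PRIVILEGES
    start: time            # daily window in which the entry is valid (inclusive)
    end: time

# Constructed sample ACL (hypothetical users, hosts and paths).
ACL = [
    AclEntry("alice", "*", "/payroll/", frozenset({"read", "write", "modify"}), time(8), time(18)),
    AclEntry("bob", "ws-42", "/payroll/reports/", frozenset({"read", "copy"}), time(0), time.max),
    AclEntry("audit", "audit-host", "/", frozenset({"read", "compare"}), time(0), time.max),
]

def check_access(user, host, path, privilege, when, acl=ACL):
    """Default-deny check: True only if some entry grants `privilege` on `path`
    to `user` from `host` at the moment `when` (user, computer, time, file)."""
    if privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege {privilege!r}")
    # Collapse ".." first, so "/payroll/reports/../x" is judged as "/payroll/x".
    path = posixpath.normpath(path)
    now = when.time()
    for e in acl:
        if (e.user == user and e.host in ("*", host)
                and path.startswith(e.prefix)
                and privilege in e.privileges
                and e.start <= now <= e.end):
            return True
    return False

def capability_table(user, host, when, acl=ACL):
    """Capability-table view of the same ACL: what `user` may do from `host` at `when`."""
    now = when.time()
    return {e.prefix: sorted(e.privileges) for e in acl
            if e.user == user and e.host in ("*", host) and e.start <= now <= e.end}

def at(hour, minute=0):
    """Constructed timestamp on a fixed sample day, for demonstrations."""
    return datetime(2024, 3, 4, hour, minute)
```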


Technical Specifications SysSPs (cont’d.)

  • Configuration rules

    • Specific configuration codes entered into security systems

  • Rule policies are more specific to system operation than ACLs

    • May or may not deal with users directly


Technical Specifications SysSPs (cont’d.)

Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process


Technical Specifications SysSPs (cont’d.)

  • Often organizations create a single document combining elements of both management guidance and technical specifications SysSPs


Technical Specifications SysSPs: Case Study

Disaster at a University:

A Case Study in Information Security

Overview

Issue

People Involved

Approach and Resolution

Outcomes

Conclusion


Guidelines for Effective Policy

  • For policies to be effective, they must be properly:

    • Developed

    • Distributed or disseminated

    • Reviewed or read

    • Understood

    • Formally agreed to

    • Uniformly applied and enforced


Developing Information Security Policy

  • It is often useful to view policy development as a two-part project

    • Design and develop the policy (or redesign and rewrite an outdated policy)

    • Establish management processes to perpetuate the policy within the organization


Developing Information Security Policy (cont’d.)

  • Policy development projects should be

    • Well planned

    • Properly funded

    • Aggressively managed to ensure that they are completed on time and within budget

  • The policy development project can be guided by the SecSDLC process


SecSDLC Process of Policy Development

  • Investigation phase

    • Obtain support from senior management

    • Clearly articulate the goals of the policy project

    • Acquire a capable project manager

    • Develop a detailed outline of and sound estimates for project cost and scheduling


Developing Information Security Policy (cont’d.)

  • Analysis phase should produce

    • New or recent risk assessment or IT audit documenting the current information security needs of the organization

    • Key reference materials

      • Including any existing policies


Developing Information Security Policy (cont’d.)

  • Design phase includes

    • How the policies will be distributed

    • How verification of the distribution will be accomplished


Developing Information Security Policy (cont’d.)

  • Implementation phase includes

    • Writing the policies

    • Policy distribution

  • Maintenance Phase

    • Maintain and modify the policy as needed

    • Built-in reporting mechanism

    • Periodic review


Automated Tools

Figure 4-10 The VigilEnt policy center

http://www.informationshield.com/vpcmain.html

Source: Course Technology/Cengage Learning


Alternative Approaches: The Information Security Policies Made Easy Approach

  • Gathering key reference materials

  • Defining a framework for policies

  • Preparing a coverage matrix

  • Making critical systems design decisions

  • Structuring review, approval, and enforcement processes


Alternative Approaches: Guide for Developing Security Plans for Federal Information Systems

  • NIST Special Publication 800-18, Rev. 1 reinforces a business process-centered approach to policy management

  • Policies are living documents

  • Good management practices for policy development and maintenance make for a more resilient organization


Alternative Approaches: Guide for Developing Security Plans for Federal Information Systems

Management of Information Security, 3rd ed.

  • Policy requirements

    • An individual responsible for reviews

    • A schedule of reviews

    • A method for making recommendations for reviews

    • An indication of policy and revision date


A Final Note on Policy

Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy.


Next Class

  • Read Chapter 5 – Security Programs

  • Case Studies

    • In lieu of discussion, we will be covering the cases during lecture. Be prepared to discuss your assigned case and read the other cases

  • Assessment 1

  • Topic Paper Presentation – Howard/Vince
