
Information Security Policy

Information Security Policy. ACP - New York Capital Region Chapter, February 10, 2010. Presenter: Dan Didier, DDidier@NetSecureIA.com, in association with M.A. Polce Consulting.


Presentation Transcript


  1. Information Security Policy
  ACP - New York Capital Region Chapter, February 10, 2010
  Presenter: Dan Didier, DDidier@NetSecureIA.com
  In association with M.A. Polce Consulting

  2. Security Policy Drivers
  • What’s driving your business to develop an information security policy?
  • Audience input, please…

  3. Established Compliance Drivers
  • Basel II - (international banking)
  • BSA - (anti-money laundering)
  • E-SIGN - (electronic signature)
  • FACTA - (identity theft)
  • FISMA - (federal govt.)
  • GLBA - (banking)
  • Identity Theft Red Flags Rule - (finance / creditors)
  • HIPAA - (healthcare)
  • NCUA Part 748
  • Patriot Act
  • PCI
  • SOX
  Are there really this many???

  4. Recently Established Compliance Drivers
  • Mass. CMR - (data security law)
  • Breach and Notification Laws (per state)
  • NYS Security Breach Notification Act
  • NYS Social Security Number Protection Law
  • HITECH - (Health Information Technology for Economic and Clinical Health Act)
  • NYS Internet Security and Privacy Act

  5. More Drivers… Protecting Critical Assets Against:
  • Immediate loss of business due to unavailability
  • Long-term loss of business due to loss of trustworthiness and reputation
  • Loss of stock value
  • Financial liability for breach of contract
  • Legal liability for contributory negligence
  • Loss of management credibility
  • Embarrassment of employees
  • Lowered employee morale
  • Increased employee turnover
  • Difficulty hiring competent staff
  • Incitement to abuse of security policies

  6. Information Security Life Cycle

  7. What is the goal of an Information Security Policy?
  • An effective information security policy supports the control objectives defined by management: it provides the assurance needed to achieve business objectives and to prevent, detect, and correct undesired events.
  • An information security policy enables high-level business requirements by protecting sensitive information through defined policy, controls, standards, and procedures for configuring and managing security.

  8. How is an Information Security Policy Implemented?
  • Through the creation of an information security policy, an organization establishes the clear guidelines needed to implement secure business processes as defined by the key business stakeholders.
  • These guidelines are leveraged throughout the information security life cycle and help to define the specific policy, standards, procedures, and guidelines in each respective area.

  9. Policies, Standards, and Procedures
  There are three key questions:
  • What is a Policy?
  • What is a Standard?
  • What is a Procedure?

  10. Policy
  • Is defined by management / key stakeholders
  • Is a brief document, including:
    • To whom and what the policy applies
    • The need for adherence (compliance / security)
    • A general description
    • Consequences of non-adherence

  11. Standards
  • Defined by directors or department-level managers
  • Standards define what must be done to implement security:
    • roles and responsibilities of security personnel
    • protection against malware
    • information and software exchange mechanisms
    • user responsibilities
    • acceptable use
    • mobile computing
    • access control
    • compliance
    • government regulation
    • industry standards

  12. Procedures
  • Defined by directors or department-level managers, implemented by the target workforce.
  • Procedures specifically outline how security controls must be implemented and managed.
  • Procedures should support the accompanying standards, ensuring that standards are followed and tasks are documented (auditable) to achieve full compliance.
  • This component provides many of the critical details that can either make or break an effective information security policy.

  13. Obtaining Management Support…
  • A policy without support is useless. Consider the statement: do as I say, not as I do.
  • Management is wholly responsible for all ramifications of failing to properly address industry, compliance, and business requirements.
  • Management is also responsible for ensuring the continuity of policy compliance for all external service providers. There is no transfer of liability when organizational tasks are outsourced; the originating organization and its management are ultimately responsible for ensuring compliance.

  14. …Obtaining Management Support
  • Cost can be identified fairly easily
  • Benefits may be difficult to quantify
  • An effective program requires the support, credibility, and advocacy of management. This needs to be obtained and maintained.
  • Management must be kept informed, spoken to in their language, and shown proof of impact.

  15. Keep Management Informed
  • Enable management with just enough information to:
    • Understand security concerns
    • Make informed decisions
    • Be knowledgeable on the topic
  • Provide reports that meld into existing communication mechanisms, including progress reports and briefings.
  • Provide updates that highlight progress and accomplishments.
  • Whenever possible, use metrics to quantify progress.

  16. Speak Management’s Language
  • Provide relevant and accurate information:
    • Avoid overstating threats and fears.
    • Do not provide a false sense of security.
  • Present reasonable solutions along with problems and concerns
  • Remember the budget; include costs and benefits
  • Remember the ecology; the relationship between users and systems
  • Remember that resistance is often based on reluctance to spend funds on something perceived as a low priority; however, the cost of a single incident may be quite high.

  17. Policy Enforcement…
  • Without proper enforcement mechanisms, a policy may be worth little more than the paper it is printed on.
  • A policy needs “teeth” to be effective and for the workforce to respect and abide by it.
  • However, avoid relying on “standard” policy language alone: “Failure to comply with this policy may result in disciplinary action, up to and including termination.”

  18. Better Policy Enforcement
  • Avoid ambiguity and explain to the workforce what may happen, with increasing levels of severity:
    • Warning from management
    • Official warning in personnel file
    • Revoking privileges such as Internet/email access
    • Required additional training
    • Suspension without pay
    • Termination

  19. To Do and not To Do
  • A policy must not be written solely to have a policy; it must support the business process and also be supported by it.
  • A policy must be considered a living, breathing document. It must be updated as business requirements and processes change.
  • A policy must be incorporated into the information security life cycle.
  • A policy must be initiated, mandated, and supported by management.

  20. Similarities of BCP and Information Security Policy
  • Common drivers for developing a BCP
    • Regulatory compliance
    • Business partner requirements
    • High level of reliance on IT
    • Past experiences with system failures or catastrophic events (the Northeast blackout of 2003)
  • Common goals for a BCP
    • Minimize the impact of incidents
    • Reduce risk
    • Interpret potential threats and develop defenses
    • Integrate and enable business

  21. Supporting BCP with Policy
  • Define policies, procedures and standards for:
    • Controlling access to data during the recovery process (document access/security requirements, etc.).
    • Identifying and documenting information that must be protected.
    • Implementing security to accommodate the likely increase in use of mobile devices during recovery.
    • Physical access controls for temporary locations.
    • Backup tape (media) controls (during both normal operations and disaster recovery periods).
    • 3rd-party recovery vendors and their access to sensitive data/information.

  22. Questions?
