Chapter 4: Security Policy Documents & Organizational Security Policies (PowerPoint presentation, uploaded by vevina)

Objectives
  • Compose a statement of authority
  • Develop and evaluate policies related to the information security policies documents objectives and ownership
  • Create and assess policies associated with the management of security-related activities
  • Assess and manage the risks inherent in working with third parties
Composing a Statement of Authority
  • The statement should be issued by an authority figure such as a CEO, President…
    • Buy-in from top management is a must
    • It provides adequate credibility to the policy for all employees
Composing a Statement of Authority Cont.
  • The statement is an introduction to the policy
    • It sets the tone for the document
  • Statement of authority & statement of culture
    • Exposes the values of the company and security measures to be deployed to protect them
  • An attempt at “recruiting” employees to act in a secure fashion to protect the company
Composing a Statement of Authority Cont.
  • The goal of the statement of authority: to deliver a clear message about the importance of information security for all employees
    • If the message is not clear, employees will either act erroneously by mistake or will disregard the whole document altogether
  • The statement is a teaching tool
    • It should be created, promoted and used as such
Composing a Statement of Authority Cont.
  • The statement should reflect the company culture in both format and content
    • Information security is first and foremost cultural and behavioral
    • Employees need to identify with and embrace the company culture
    • This is made easier if the documents that make up the security policy are clearly consistent with company policy
Security Policy Document Policy
  • States the need for written information security policies as well as who is responsible for creating, approving, enforcing & reviewing policies
    • These responsibilities must be clearly stated in the document so that no phase of the process is “abandoned” or ignored
    • Strong leadership is always a part of successful information security policies
Security Policy Document Policy Cont.
  • Emphasizes management’s approach and commitment to information security
    • No information security policy can be successful without full and unequivocal support from management
  • It’s a policy about needing and having policies!
Federal Law & Information Security Policy
  • Many private sector industries are federally regulated:
    • Financial Sector:
      • GLBA (Gramm-Leach-Bliley Act)
      • SOX (Sarbanes-Oxley, which affects publicly-traded companies)
    • Healthcare:
      • HIPAA (Health Insurance Portability & Accountability Act)
    • Educational Institutions:
      • FERPA (Family Educational Rights & Privacy Act)
Federal Law & Information Security Policy Cont.
  • Some organizations may fall under several federal mandates
    • If necessary, companies should hire 3rd-party experts to identify under which mandates a company falls
  • ISO 17799 can be mapped to several federal mandate regulations
    • Here again, it may be advantageous to hire 3rd-party compliance experts to guide and support the company’s compliance team
Security Policy Document Policy Cont.
  • The Information Security Policy Document policy should reference federal and state regulations to which the organization is subject
    • It is important to integrate those regulations in the policies written for and deployed by the company
    • The first step towards compliance is awareness!
The Need for an Employee Version of the Security Policies
  • The whole document can be too complex & intimidating
    • The goal is to create a guide of what is acceptable and what is not. Making the document too complex defeats that purpose
  • The goal is for employees to read, understand and act according to the policies
    • The policies are useless without adequate employee support
The Need for an Employee Version of the Security Policies Cont.
  • Employees should only be given those policies that apply to them
    • Need-to-know and the concept of least privilege apply here as well!
  • Acceptable Use Agreement should be drafted and distributed to all employees
    • It should include (but is not limited to):
      • An Internet use policy
      • An Email use policy
The Need for an Employee Version of the Security Policies Cont.
  • Remind all employees that information cannot be protected if they don’t all buy in and adopt the policies that regulate the company
    • Again, information security is behavioral and cultural
    • There is no technical device that a company can deploy to protect the confidentiality, integrity and availability of data if employees are not also enrolled in actively protecting the company’s data
Policies are Dynamic
  • Organizations change, either directly or indirectly. Their policies must also change to reflect this dynamic situation
    • Scheduled, regular reviews should take place
  • Change drivers are events within an organization that affect culture, procedures, activities, responsibilities, and more
    • Change drivers must be identified and analyzed
Policies are Dynamic Cont.
  • Change drivers may introduce new activities and/or vulnerabilities
    • Identified change drivers should trigger new risk & vulnerability assessments
    • Companies should also have regularly scheduled risk and vulnerability assessments
    • For separation of duties purposes, vulnerability assessments should be conducted by 3rd-party consultants
Policies are Dynamic Cont.
  • Who is responsible for this document?
    • The ISO, or a member of Upper Management
  • What “ownership” means:
    • Developing, maintaining & reviewing policies
  • Policy owner does not approve policies. A higher level of the company is responsible.
  • Information Security Policy Document defines both ownership and authority
Policies are Dynamic Cont.
  • Decisions should include:
    • Who is in charge of security management?
    • What is the scope of their enforcement authority?
    • When should third-party expertise be brought in?
Managing Organizational Security
  • Three topics on which to focus:
    • Information Security Infrastructure
    • Identification of risks from 3rd-party consultants
    • Security Requirements for outsourcing
Managing Organizational Security Cont.
  • Designing & maintaining a secure environment requires input from representatives of each department of the company:
    • Management
    • IT (developers, network engineers, administrators)
    • HR
    • Legal & Financial services
  • Collaboration of all these parties is required to create and maintain a successful information security policy
Managing Organizational Security Cont.
  • Who is a third-party?
    • Business partners
    • Vendors
    • Contractors (including temporary workers)
Managing Organizational Security Cont.
  • Physical Security
    • Protecting the network from attacks from the outside is recommended, but a company should not forget to protect the physical security of the servers
      • Why bother to hack when you can steal?
Managing Organizational Security Cont.
  • If physical access for 3rd parties is allowed, proper controls must be deployed to:
    • Select who gets physical access
    • Define which areas physical access is granted to
    • Verify, through due diligence, the integrity and credibility of those 3rd-party contractors
Outsourcing Is a Growing Trend
  • Outsourcing is seen by some as a business tool used to lower costs. It also comes with risks:
    • Is the work being outsourced out of the country?
      • If so, to which country?
      • How is security handled in the culture of that country?
      • How effectively are Intellectual Property laws enforced and respected in that country?
Outsourcing Is a Growing Trend Cont.
  • Is the data secure during transmission?
    • Is the data transferred electronically?
      • What secure protocols are used?
    • Is the data physically sent overseas?
      • What courier system is used?
      • How reliable/reputable/dependable is this courier system?
Outsourcing Is a Growing Trend Cont.
  • Is the data securely stored while away from the corporate network?
    • What security controls are deployed at the periphery of the target network?
    • What access control methods are used on the target network?
    • What auditing methods are used on the target network?
Outsourcing Is a Growing Trend Cont.
  • How do you conduct due diligence on a company located halfway across the world?
    • Is this company foreign-owned, or a subsidiary of a US-owned corporation?
    • Is this company reputable?
    • Has the company sent a representative on-site to verify the information provided to them?
Summary
  • Standards such as the ISO 17799 exist to help organizations better define appropriate ways to protect their information assets.
  • Written policies are not enough, and the proper security infrastructures must be deployed.
  • A multidisciplinary approach to security that involves all departments will result in a unified security posture that can be adopted by the whole company.
  • Because companies are not static, policies must evolve with the company. To achieve a higher level of protection, it is recommended that companies hire security experts.