
Security Policy Basics


Presentation Transcript


  1. Security Policy Basics
     Chuck Kesler, MBA, CISSP, CISM
     Chief Information Security Officer, Pendo.io

  2. Agenda
     • Policy Foundations
     • Policy Alignment
     • Policy Development
     • Policy Implementation

  3. Policy Foundations

  4. What is a policy?
     • Defines management intent for addressing risks and/or regulatory requirements
     • Designed to stand the test of time
     • Approved by executive leadership

  5. Other documents that support policies
     • Standards, procedures, and guidelines are used to support policies. They are often managed in a similar fashion to policies, but there are some key differences:
       • Standards support policy by providing more detailed technical specifications and requirements; they may be developed and managed at lower levels in the organization, and need to be changed more frequently than policy
       • Procedures are repeatable, step-by-step instructions for implementing one or more aspects of a policy
       • Guidelines are user-focused tips that support the objectives of a policy, but do not necessarily need to be followed to the letter

  6. How policies fit in with other security controls
     NOTE: It is almost always the case that policies, procedures, standards, and guidelines will be used to underpin the implementation of other Physical, Technical, and Administrative controls.

  7. How controls work together
     • Effective implementation of policy usually requires accompanying Technical and/or Physical controls; for example:
       • A policy on passwords should be accompanied by a Technical control to ensure users set passwords with the appropriate complexity and length.
       • A policy on limiting access to sensitive areas of a facility (e.g. a data center) should be accompanied by a Physical control to ensure that doors to those rooms are locked and include mechanisms such as badge readers and video cameras to control, monitor, and audit who enters.

  8. Foundations for successful policy
     • Tone from the top
       • Without leadership support, most policies will fail
     • Enterprise risk management
       • Policy should be aligned with the organization’s risk appetite
       • Policy decisions should be driven by risk assessments
     • Broad-based input and support
       • The “ivory tower” approach for issuing policy will fail
       • Policy should be aligned with business objectives and constraints
     • Add value, don’t just check a box
       • Think about how the policy helps the business (e.g. right-sized risk reduction)
       • Regulatory compliance may be necessary, but shouldn’t be the sole driver

  9. Common pitfalls
     • Rolling out policies without executive support
     • Policies that are difficult for the average person to understand/follow
     • Policies that can’t be consistently or easily monitored and enforced
     • Using policy templates without adapting them to your organization
       • What works for someone else may not work for you
     • Remember, policies that are not being followed and enforced will likely result in audit findings
       • From an audit perspective, it may be better to not have a policy at all than to have one that’s not being followed!

  10. Policy Alignment

  11. Aligning with the business
     (Diagram: business requirements and constraints that policy must align with)
     • Requirements
       • Regulatory
       • Legal
       • Contractual
     • Constraints
       • Financial
       • Operational
       • Technology
       • People

  12. Aligning with regulations and frameworks
     • Depending on the industry, there are multiple regulations and frameworks that policies should be mapped against. Some examples include:
       • NIST Cybersecurity Framework
       • NIST SP800-53 (e.g. for FISMA and FedRAMP compliance)
       • ISO 27001/27002
       • HIPAA
       • GDPR
       • PCI

  13. Seek input from key stakeholders & experts
     • Internal
       • Board of Directors
       • CEO & Executive Management
       • Compliance & Internal Auditors
       • Engineering & Development
       • Operations
       • Sales & Marketing
       • Finance
       • IT
       • HR
     • External (as appropriate)
       • Shareholders
       • External Auditors
       • Suppliers
       • Peer Organizations
       • Subject Matter Experts
       • Customers
     • Consider others impacted by the organization’s products/services

  14. Governance
     • Develop a governance committee to review and ratify policies
       • Include both security and privacy
       • Include representatives from all major stakeholder groups
       • …but don’t make it so big that it can’t function!
     • Meet with a regular cadence that is appropriate for the business
       • Provide a means for remote attendance
     • Should also review and approve exceptions
       • …and decide what exceptions can be delegated to others in the organization
     • Record and publish meeting minutes
       • Strive for transparency

  15. The CISO’s role in policy making
     • The CISO should:
       • Understand and be part of the business, not behave as if above the business
       • Help educate the business on information security risks
       • Help calibrate the organization’s “moral compass” on data privacy
       • Work and negotiate with stakeholders to explore options
       • Act as a “choice architect” to help the organization select the right options
       • Not be afraid to take a stand against truly egregious or negligent behavior
     • The CISO should not:
       • Expect to win every battle… there will be differences of opinion
       • Always take a hard line and refuse to budge… you will be marginalized

  16. Policy Development

  17. Three keys to writing effective policies
     • Readability
     • Structure
     • SMART Content

  18. Policy readability
     • Write with the audience in mind
       • Tone and wording should be familiar
     • Don’t go overboard with legalese
       • Legally precise language is desirable, but can be daunting for the average person to read and understand
     • Keep them to a manageable length
       • For example, individual policies should take 5 minutes or less to read
     • Remember: if the policy can’t be easily understood, it probably won’t be followed!

  19. Policy structure
     • Consistent structure can enhance policy readability
     • Common elements to include:
       • Scope
       • Purpose
       • Policy statements
       • Roles and responsibilities
       • Exceptions
       • Revision history
       • Approvals
       • Definitions (including a Glossary to make maintenance easier)

  20. SMART policy content
     • The SMART model provides a good guide for developing meaningful policy content:
       • Specific: the policy addresses specific, clearly defined issues
       • Measurable: there is a means to measure the effectiveness of the policy
       • Achievable: the policy can be implemented in a reasonable manner
       • Relevant: the policy addresses the needs and risks of the business
       • Timely: the time required to implement the policy is appropriate
     • Consider phasing in difficult-to-meet requirements over time!

  21. Policy Implementation

  22. Policy implementation lifecycle Recognize this? Yes, it’s a classic Plan-Do-Check-Act Deming Cycle!

  23. Policy implementation lifecycle
     (Diagram labels: MANAGEMENT-FOCUSED; WORKFORCE-FOCUSED)

  24. 1. Develop
     • Summarizing key points from the earlier discussion:
       • Align with and seek input from stakeholders
       • Ensure readability and enforceability (e.g. with SMART principles)
       • Use governance processes to review and ratify

  25. 2. Announce
     • Avoid surprises – set the stage before rolling out new policies
     • Develop a communications plan to cover high level topics such as:
       • What will be happening (including any accompanying technical controls)
       • Why it is happening
       • Who is affected
       • When it will be happening
       • Where more information can be found
     • Use the organization’s communications channels to get the word out
       • Newsletters, email blasts, posters, in-person help desk kiosks, screen savers, intranet sites, etc. are great ways to communicate

  26. 3. Publish
     • Use a central, well-known repository for storing and publishing policies
       • Often kept on the organization’s intranet
       • Should not be Internet-accessible without a login
       • Must be available to all who must abide by the policy
     • The policy repository should maintain a revision history
       • Follow good change management practices
       • If a breach occurs, regulatory investigators may require the organization to show the version of a policy that was in force at a specific date in the past
     • Supporting standards, procedures, and guidelines should be published in a similar fashion

  27. 4. Educate
     • Policies can’t be followed if the workforce doesn’t understand them!
     • The level of required understanding may differ across the workforce
       • Awareness may be sufficient for those who only need a basic knowledge of the policy and any accompanying controls
       • Formal training will be needed for anyone whose job duties or daily activities will be changed in a substantial way
     • Plans for awareness and training will need to be developed before rolling out the policy
     • Completion of awareness and training activities needs to be tracked and monitored by management

  28. 5. Enforce
     • Policies should also be accompanied by mechanisms to enforce them
     • Define roles and responsibilities for enforcement
       • Consider using a RACI chart (Responsible, Accountable, Consulted, Informed)
     • Goals, metrics, and KPIs should be used to monitor progress, e.g.:
       • Goal: require the use of multi-factor authentication
       • Metric: number of users enrolled in multi-factor authentication
       • KPI: % of users enrolled in multi-factor authentication (is it going up or down?)
     • Have a mechanism to consider and approve exceptions
       • Must be done at an appropriate level in the organization
     • Define penalties for failure to comply
       • Tie to HR processes

  29. 6. Feedback
     • Continuous improvement is a must
       • No policy is perfect out of the gate; collect data and feedback to learn what’s working and what’s not
       • Risks, regulations, and other requirements evolve over time; monitor these and be prepared to incorporate changes
     • Rule of thumb: review all policies on a 1 to 3 year cycle
       • Document the next review date in the policies
       • May have different review cycles for different policies based on risks
     • Use the same governance processes and practices that are used for developing new policies

  30. Summary – key takeaways
     • Policies usually succeed or fail based on the “tone from the top”
     • Policies should underlie all other security controls
     • Ensure policies are aligned with the business
     • Write policies in a way that they can be understood and followed
     • Regularly review and update policies
     • Enforce policies with reasonable consequences for failure to comply
     • Remember that auditors will hold the organization accountable for its policies

  31. Summary – next steps
     • Within the next month
       • Review your inventory of current policies and note those that are out of date
     • Within the next quarter
       • Map policies back to your compliance requirements and note any gaps
       • If you don’t already have one, stand up a governance committee
     • Within the next six months
       • Begin addressing identified gaps with new or revised policies

  32. References – articles
     • https://www.sans.org/reading-room/whitepapers/policyissues/building-implementing-information-security-policy-509
     • https://www.sans.org/security-resources/policies/
     • https://frsecure.com/blog/differentiating-between-policies-standards-procedures-and-guidelines/
     • https://www.csoonline.com/article/2124114/it-strategy/strategic-planning-erm-how-to-write-an-information-security-policy.html
     • https://resources.infosecinstitute.com/key-elements-information-security-policy/
     • https://adeliarisk.com/13-fantastic-resources-writing-information-security-policy/

  33. References – example policies
     • https://policylibrary.gatech.edu/information-technology
     • http://policies.vpfa.fsu.edu/policies-and-procedures/technology/information-security-policy/
     • https://policies.iu.edu/categories/information-it.html
     • https://www.wisconsin.edu/uw-policies/news/information-security-policies-and-procedures/

  34. References – books
     • Landoll, Douglas J. Information Security Policies, Procedures, and Standards: A Practitioner's Reference. CRC Press, 2016.
     • Peltier, Thomas R. Information Security Policies, Procedures, and Standards. Auerbach Publications, 2002.

  35. Thank you!
     Chuck Kesler, MBA, CISSP, CISM
     CISO, Pendo.io
     Email: chuck@pendo.io
     Twitter: @chuck_kesler