Professional Documents
Culture Documents
Information Security
Information Security
Planning for Security: Information Security Planning and Governance, Information Security
Policy, Standards, and Practices, the Information Security Blueprint Security Education,
Training, and AwarenessProgram, Continuity Strategies
· Strategic planning sets the long-term direction to be taken by the organization and each
of its component parts.
· Strategic planning should guide organizational efforts and focus resources toward
specific, clearly defined goals.
· After an organization develops a general strategy, it generates an overall strategic plan
by extending that general strategy into plans for major divisions.
· Each level of each division then translates those plan objectives into more specific
objectives for the level below.
· To execute this broad strategy, the executive team must first define individual
responsibilities
Planning Levels:
· operational plan: The documented product of operational planning; a plan for the
organization’s intended operational efforts on a day-to-day basis for the next several
months.
· operational planning: The actions taken by management to specify the short-term goals
and objectives of the organization in order to obtain specified tactical goals, followed by
estimates and schedules for the allocation of resources necessary to achieve those
goals and objectives.
· tactical plan: The documented product of tactical planning; a plan for the organization’s
intended tactical efforts over the next few years.
· tactical planning: The actions taken by management to specify the intermediate goals
and objectives of the organization in order to obtain specified strategic goals, followed by
estimates and schedules for the allocation of resources necessary to achieve those
goals and objectives.
· The primary focus of the Chief Information Security Officer (CISO) and the information
security management team is to develop a strategic plan aligned with the organization's
information security objectives. This plan, rooted in the enterprise information security
policy (EISP), outlines how the organization will implement its information security
charter. The strategic plan is a dynamic document that evolves from higher-level
corporate strategy to more detailed plans at lower organizational levels. It encompasses
both general and specific strategies, translating into tactical and operational plans as it
moves down the organizational hierarchy. It's crucial for information security to support
the strategic plans of all business units, even when this may conflict with the efficiency
and effectiveness goals of the IT department, which focuses on the delivery of
information and resources.
governance “The set of responsibilities and practices exercised by the board and executive
management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s
resources are used responsibly.”
· Strategic direction
· Establishment of objectives
· Measurement of progress toward those objectives
· Verification that risk management practices are appropriate
· Validation that the organization’s assets are used properly
Effective information security management relies on policies as the foundation for planning,
design, and deployment across all communities of interest. Policies provide guidance on how
issues should be addressed and how technologies should be used. Unlike standards,
procedures, and practices, policies don't detail equipment or software operation but focus on
governing behavior. Policies must align with the law, withstand legal challenges, and be
effectively administered through dissemination and documented acceptance to mitigate
organizational liability. Recognizing information security as primarily a management challenge,
policies are a crucial and cost-effective tool, requiring minimal resources for creation and
dissemination compared to technical controls.
Management must define three types of security policy, according to Special Publication (SP)
800-14 of the National Institute of Standards and Technology (NIST):
Policy: Employees must use strong passwords on their accounts. Passwords must be changed
regularly and protected against disclosure.
Standard: Passwords must be at least 10 characters long and incorporate at least one
lowercase letter, one uppercase letter, one numerical digit (0–9), and one special character
permitted by our system (&%$#@!). Passwords must be changed every 90 days, and must not
be written down or stored on insecure media
Guidelines: In order to create strong yet easy-to-remember passwords, consider the following
recommendations from NIST SP 800-118: Guide to Enterprise Password Management
• Mnemonic Method. A user selects a phrase and extracts a letter of each word in the phrase
(such as the first letter or second letter of each word), adding numbers or special characters or
both. • Example: “May the force be with you always, young Jedi” becomes Mtfbwya-yJ
· Altered Passphrases. A user selects a phrase and alters it to form a derivation of that
phrase. This method supports the creation of long, complex passwords.
· Passphrases can be easy to remember due to the structure of the password: it is usually
easier for the human mind to comprehend and remember phrases within a coherent
structure than a string of random letters, numbers, and special characters.
· • Example: Never Give Up! Never Surrender! becomes Nv.G.Up!-Nv.Surr!
· • Combining and Altering Words. A user can combine two or three unrelated words and
change some of the letters to numbers or special characters.
· • Example: Jedi Tribble becomes J3d13bbl
EISP Elements Although the specifics of EISPs vary among organizations, most EISP
documents should include the following elements:
· • E-mail
· • Use of the Internet and World Wide Web
· • Specific minimum configurations of computers to defend against worms and viruses
· • Prohibitions against hacking or testing organization security controls
· • Home use of company-owned computer equipment
· • Use of personal equipment on company networks (BYOD: bring your own device)
· • Use of telecommunications technologies, such as fax and phone
· • Use of photocopy equipment
· • Use of portable storage devices such as USB memory sticks, backpack drives, game
players, music players, and any other device capable of storing digital files
· • Use of cloud-based storage services that are not self-hosted by the organization or
engaged under contract; such services include Google Drive, Dropbox, and Microsoft
Live
Statement of Policy:Clearly defines the policy's purpose, scope, responsible parties, and
addressed technologies and issues.
Authorized Access and Usage of Equipment:Specifies who can use technology, its
permissible use for business operations, and outlines fair and responsible use principles,
including legal considerations.
Policy Review and Modification:Establishes procedures and a timetable for periodic policy
review, ensuring alignment with organizational needs and technological changes.
Limitations of Liability:Clarifies that the organization is not liable for illegal activities conducted
by employees using company technologies, and may assist in the prosecution of violators.
access control list (ACL) Specifications of authorization that govern the rights and privileges of
users to a particular information asset. ACLs include user access lists, matrices, and capabilities
tables.
access control matrix An integration of access control lists (focusing on assets) and capability
tables (focusing on users) that results in a matrix with organizational assets listed in the column
headings and users listed in the row headings. The matrix contains ACLs in columns for a
particular device or asset and capability tables in rows for a particular user.
capabilities table A lattice-based access control with rows of attributes associated with a
particular subject (such as a user).
configuration rules The instructions a system administrator codes into a server, networking
device, or security device to specify how it operates.
Policy Management :
v Policy Management Essentials:Policies are dynamic documents that require active
management. Proper distribution, understanding, agreement, uniform application, and ongoing
management are crucial for policy effectiveness
v .Responsible Manager:A designated policy administrator, responsible for policy oversight,
revisions, and communication, even if not highly technically proficient. Input from both technical
experts and business-focused managers is valuable during revisions.
v Schedule of Reviews:Policies should undergo periodic reviews, typically at least annually, to
ensure currency and effectiveness. A defined schedule should be part of the policy document.
v Review Procedures:Establish mechanisms for comfortable recommendations and revisions.
Anonymous submission options may encourage honest feedback, particularly for controversial
policies. All comments should be examined, and improvements approved by management should
be implemented.
v Policy and Revision Date:Include the date of origin and revision dates in policies to avoid
confusion. Some policies may need expiration dates (sunset clause), especially for short-term
business associations.
v Automated Policy Management:Emerging software solutions, like VigilEnt Policy Center,
automate aspects of policy management, from writing and approval workflow to tracking
readership and knowledge assessments. These tools enhance policy communication,
understanding, and updates in dynamic organizational environments.