
Security Policies and Implementation Issues

Week 6 - Chapter 8
IT Security Policy Framework Approaches

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.

Key Concepts
• Different methods and best practices for approaching a security policy framework
• Importance of defining roles, responsibilities, and accountability for personnel
• Separation of duties (SoD)
• Importance of governance and compliance

Information Systems Security Policy Frameworks
• Choosing the right framework is not easy
• Use a simplified security policy framework domain model
• Flexible frameworks fit governance and compliance planning requirements

IT Security Policy Framework Domain Model
[diagram slide; figure not reproduced in text]

Risk IT Framework Process Model
[diagram slide; figure not reproduced in text]

Roles
• Head of information management
• Data stewards
• Data custodians
• Data administrators
• Data security administrators

Roles and Responsibilities
• Executive Management
  - Responsible for governance and compliance requirements, funding, and policy support
• Chief Information Officer (CIO)/Chief Security Officer (CSO)
  - Responsible for policy creation, reporting, funding, and support
• Chief Financial Officer (CFO)/Chief Operating Officer (COO)
  - Responsible for data stewardship; owners of the data

Roles and Responsibilities (Continued)
• System Administrators/Application Administrators
  - Responsible for custodianship of the data, maintaining the quality of the data, and executing the policies and procedures pertaining to the data, such as backup, versioning, updating, downloading, and database administration
• Security Administrator
  - Responsible for granting access, assessing threats to the data, and the information assurance (IA) program

Committees
[diagram slide; figure not reproduced in text]

Separation of Duties (SoD)
• Layered security approach
• SoD duties fall within each IT domain
• Applying SoD can and will reduce both fraud and human errors

Information Technology (IT) Security Controls
• IT security controls are a function of the IT infrastructure that an organization has in its control and the regulatory and business objectives that need to be controlled
  - You can have too many IT security controls, impeding the organization from operating at optimal capacity, thus reducing its revenue potential

Information Technology (IT) Security Controls (Continued)
• Generic IT security controls as a function of a business model
  - Deploy a layered security approach
  - Use an SoD approach
    - This applies to transactions within the domain of responsibility
  - Conduct security awareness training annually

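The slides state that SoD reduces fraud and error and that it applies to transactions within a domain of responsibility. The following added example (written for these notes; it is not code from the book or the publisher, and its role names, conflict matrix and payment workflow are constructed assumptions) shows the two places SoD is actually enforced in practice: a static review of role assignments against a conflict matrix, and a transactional check that refuses to let the person who created a payment also approve it, even when role assignments slipped past the static review.

```python
"""Separation-of-duties (SoD) checks for a constructed payment workflow.

Two layers are shown:
  1. Static check: no single identity may hold two roles that the SoD
     matrix declares conflicting (e.g. create AND approve payments).
  2. Transactional check: even if roles were assigned correctly, the
     person who created a payment may never be the one who approves it.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed SoD matrix: role pairs that one person must never hold together.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"payment_creator", "payment_approver"}),
    frozenset({"developer", "production_deployer"}),
}


class SoDViolation(Exception):
    """Raised when an action would put one person on both sides of a control."""


def find_role_conflicts(user_roles: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """Static SoD review: return, per user, every conflicting role pair they hold.

    Meant to run over an export of the identity system during access reviews;
    an empty dict means the role assignments satisfy the matrix.
    """
    conflicts: dict[str, list[tuple[str, str]]] = {}
    for user, roles in user_roles.items():
        for pair in CONFLICTING_ROLE_PAIRS:
            if pair <= roles:  # user holds both roles of a conflicting pair
                conflicts.setdefault(user, []).append(tuple(sorted(pair)))
    return conflicts


@dataclass
class Payment:
    payment_id: str
    amount_cents: int
    created_by: str
    approved_by: Optional[str] = None


def create_payment(payment_id: str, amount_cents: int, creator: str,
                   user_roles: dict[str, set[str]]) -> Payment:
    """Only a payment_creator may create; records who did it for the later check."""
    if "payment_creator" not in user_roles.get(creator, set()):
        raise PermissionError(f"{creator} is not a payment creator")
    return Payment(payment_id, amount_cents, creator)


def approve_payment(payment: Payment, approver: str,
                    user_roles: dict[str, set[str]]) -> Payment:
    """Transactional SoD: the approver must hold the role AND differ from the creator."""
    if "payment_approver" not in user_roles.get(approver, set()):
        raise PermissionError(f"{approver} is not a payment approver")
    if approver == payment.created_by:
        raise SoDViolation(f"{approver} created payment {payment.payment_id} and cannot approve it")
    if payment.approved_by is not None:
        raise ValueError(f"payment {payment.payment_id} is already approved")
    payment.approved_by = approver
    return payment


# Constructed sample identity data; "mallory" holds a conflicting pair.
SAMPLE_USER_ROLES: dict[str, set[str]] = {
    "alice": {"payment_creator"},
    "bob": {"payment_approver"},
    "mallory": {"payment_creator", "payment_approver"},
}


def demo() -> None:
    print("static review:", find_role_conflicts(SAMPLE_USER_ROLES))
    p1 = approve_payment(create_payment("PAY-1", 125_000, "alice", SAMPLE_USER_ROLES),
                         "bob", SAMPLE_USER_ROLES)
    print("four-eyes ok:", p1)
    p2 = create_payment("PAY-2", 99_000, "mallory", SAMPLE_USER_ROLES)
    try:
        approve_payment(p2, "mallory", SAMPLE_USER_ROLES)
    except SoDViolation as err:
        print("blocked:", err)


if __name__ == "__main__":
    demo()
```

The static review is what an access recertification produces; the transactional check is the control that still holds when a role assignment is wrong or was changed after the review. Both should be logged, since an SoD exception raised in production is itself a detection signal worth routing to the security team.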
Information Technology (IT) Security Controls (Continued)
• Apply the three lines of defense model
  - First line: The business unit
  - Second line: The risk management team
  - Third line: Use independent auditors

Importance of Governance and Compliance
• Implementing a governance framework can allow an organization to identify and mitigate risks in an orderly fashion
  - Can be a cost reduction move for organizations, as they can respond to audit requests more easily
• A well-defined governance and compliance framework provides a structured approach
• Can provide a common language

Importance of Governance and Compliance (Continued)
• Is also a best-practice model for organizations of all shapes and sizes
• Controls and risks become measurable with a framework
  - Organizations with a governance and compliance framework can operate more efficiently
• If you can measure the organization against a fixed set of standards and controls, you have won

Security Policy Framework: Six Business Risks
• Strategic
• Compliance
• Financial
• Operational
• Reputational
• Other

Similarities Between GRC and ERM
• Defines risk in terms of business threats
• Applies flexible frameworks
• Eliminates redundant controls, policies, and efforts

Similarities Between GRC and ERM (Continued)
• Proactively enforces policy
• Seeks line of sight into the entire population of risks

Differences Between GRC and ERM
• GRC
  - Focuses on technology, a series of tools and centralized policies
• ERM
  - Focuses on value delivery
  - Takes a broad look at risk based on adoption driven by leadership

Summary
• Information systems security policy frameworks and IT security controls
• Difference between GRC and ERM
• Business risks associated with a security policy framework
• Roles and responsibilities associated with an information systems security policy framework and SoD

Security Policies and Implementation Issues

Week 6 - Chapter 9
User Domain Policies

Key Concepts
• Reasons for governing users with policies
• Regular and privileged users
• Acceptable use policy (AUP) and privileged-level access agreement (PAA)
• Security awareness policy (SAP)
• Differences between public and private User Domain policies

The User as the Weakest Link in the Security Chain
• People who use computers have different skill levels and thus have different perceptions of information security
• Social engineering can occur at any time within any organization
• Human mistakes often occur and can lead to security breaches

The User as the Weakest Link in the Security Chain (Continued)
• One of the most significant threats comes from within an organization, from an "insider"
• Applications have weaknesses that are not known, and these weaknesses can be exploited by users either knowingly or unknowingly
• Security awareness training can remove this weakest link in the security chain

Different Types of Users Within an Organization
• Employees
• System admins
• Security personnel
• Contractors
• Vendors
• Guests and general public
• Control partners

Contingent and System Accounts
• Contingent accounts
  - Need unlimited rights to install, configure, repair, and recover networks and applications, and to restore data
  - Credentials are prime targets for hackers
  - IDs are not assigned to individuals until a disaster recovery event is declared
• System accounts
  - Need elevated privileges to start, stop, and manage system services
  - Accounts can be interactive or non-interactive
  - System accounts are also referred to as "service accounts"

User Access Requirements
• Users require different access
• Users require information from different systems
• Data has different security controls

Differences and Similarities in User Domain Policies
• Similarities
  - Private organizations may follow public-compliance laws depending on their governance requirements
  - Public organizations may be small in size and thus have similar control over their user populations

Differences and Similarities in User Domain Policies (Continued)
• Differences
  - Public organizations must follow Sarbanes-Oxley (SOX) compliance, the Health Insurance Portability and Accountability Act (HIPAA), and other compliance laws
  - Private organizations are often smaller and easier to control from a user standpoint
  - Private organizations may not follow public-compliance laws

Acceptable Use Policy (AUP)
• Attempts to protect an organization's computers and network
• Addresses password management
• Addresses software licenses
• Addresses intellectual property management
• Describes e-mail etiquette
• Describes the level of privacy an individual should expect when using an organization's computer or network
• Describes noncompliance consequences

Privileged-Level Access Agreement (PAA)
• Acknowledges the risk associated with elevated access in the event the credentials are breached or abused
• Asks the user to promise to use access only for approved organization business
• Asks the user to promise not to attempt to "hack" or breach security
• Asks the user to promise to protect any output from these credentials, such as reports, logs, files, and downloads

Security Awareness Policy (SAP)
• Addresses:
  - Basic principles of information security
  - Awareness of risk and threats
  - Dealing with unexpected risk
  - Reporting suspicious activity, incidents, and breaches
  - Building a culture that is security and risk aware

Roles and Responsibilities: Who Needs Training?
• All users
• Executive managers
• Program and functional managers
• IT security program managers
• Auditors
• IT function management and operations personnel

Best Practices for User Domain Policies
• Attachments: Never open an e-mail attachment from a source that is not trusted or known
• Encryption: Always encrypt sensitive data that leaves the confines of a secure server
• Layered defense: Use an approach that establishes overlapping layers of security
• Least privilege: Individuals should only have the access necessary to perform their responsibilities
• Patch management: All network devices should have the latest security patches
• Unique identity: All users must use unique credentials
• Virus protection: Virus and malware prevention must be installed on every desktop and laptop computer

Least Access Privilege and Best Fit Access Privilege
• Least access privileges: Customizes access to the individual
• Best fit privileges: Customizes access to the group or class of users

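The slide contrasts least access (grants tailored to the individual) with best fit (grants tailored to a group or class of users) but does not show what the difference costs. The added example below (written for these notes, not code from the book or publisher; the users, permissions and group memberships are constructed) computes both grant sets from the same statement of what each person needs and then measures the excess privilege the best-fit model hands out, which is exactly what a periodic access review should flag.

```python
"""Least access privilege vs best fit privilege, computed side by side.

Least access: each individual is granted exactly the permissions their own
responsibilities require.  Best fit: permissions are granted to a group or
class of users, so every member receives the union of what the group's
members need.  All sample data below is constructed for this example.
"""
from __future__ import annotations

# Constructed sample: what each person actually needs to do their job.
NEEDED_PERMISSIONS: dict[str, set[str]] = {
    "alice": {"ledger:read", "journal:post"},
    "bob":   {"ledger:read"},
    "carol": {"ledger:read", "journal:post", "period:close"},
    "dave":  {"inventory:read", "inventory:adjust"},
}

# Constructed sample: group membership used by the best-fit model.
GROUP_OF: dict[str, str] = {
    "alice": "accounting",
    "bob": "accounting",
    "carol": "accounting",
    "dave": "warehouse",
}


def least_access_grants(needed: dict[str, set[str]]) -> dict[str, set[str]]:
    """Per-individual grants: exactly what each user needs, nothing more."""
    return {user: set(perms) for user, perms in needed.items()}


def best_fit_grants(needed: dict[str, set[str]],
                    group_of: dict[str, str]) -> dict[str, set[str]]:
    """Per-group grants: each group receives the union of its members' needs,
    and every member inherits the whole group grant."""
    group_perms: dict[str, set[str]] = {}
    for user, perms in needed.items():
        group_perms.setdefault(group_of[user], set()).update(perms)
    return {user: set(group_perms[group_of[user]]) for user in needed}


def excess_privileges(grants: dict[str, set[str]],
                      needed: dict[str, set[str]]) -> dict[str, set[str]]:
    """Permissions granted beyond need: the gap an access review should flag."""
    return {user: grants[user] - needed[user] for user in needed}


def is_permitted(grants: dict[str, set[str]], user: str, permission: str) -> bool:
    """Authorization check against whichever grant model is in force."""
    return permission in grants.get(user, set())


def review_report(grants: dict[str, set[str]],
                  needed: dict[str, set[str]]) -> list[str]:
    """One line per over-provisioned user, sorted, for a reviewer to act on."""
    return [f"{user}: {', '.join(sorted(extra))}"
            for user, extra in sorted(excess_privileges(grants, needed).items())
            if extra]


if __name__ == "__main__":
    least = least_access_grants(NEEDED_PERMISSIONS)
    best = best_fit_grants(NEEDED_PERMISSIONS, GROUP_OF)
    print("least access excess:", review_report(least, NEEDED_PERMISSIONS) or "none")
    print("best fit excess:    ", review_report(best, NEEDED_PERMISSIONS))
    print("bob may close the period under best fit:",
          is_permitted(best, "bob", "period:close"))
```

Running it shows the trade-off in concrete terms: under least access nobody is over-provisioned, while under best fit bob inherits `journal:post` and `period:close` from the accounting group because carol needs them. Best fit is cheaper to administer, but the `review_report` output is the list of rights a reviewer must either justify or remove.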
Who Develops User Policies
• Chief financial officer (CFO)
• Chief operations officer (COO)
• Information security manager
• IT manager
• Marketing and sales manager
• Unit manager
• Materials manager
• Purchasing manager
• Inventory manager

Summary
• Different user types and user access requirements in an organization
• SAP, AUP, and PAA
• Roles and responsibilities associated with user policies
• User policies in public and private organizations