Policies and Procedures in Information Security
Information Security
Lecture 11
Information Security Policy
Objectives
Upon completion of this material you should be able to:
Define information security policy and understand its central role in a
successful information security program
Describe the three major types of information security policy and
explain what goes into each type
Develop the various types of information security policies
Management of Information Security, 3rd ed.
Introduction
Policy is the essential foundation of an effective information
security program
Policy maker sets the tone and emphasis on the importance of
information security
Objectives
Reduced risk
Compliance with laws and regulations
Assurance of operational continuity, information integrity, and
confidentiality
Why Policy?
Policies are the least expensive means of control, but often the
most difficult to implement
Basic rules for shaping a policy
Policy should never conflict with law
Policy must be able to stand up in court if challenged
Policy must be properly supported and administered
Why Policy? (cont’d.)
Bulls-eye model
Networks: threats first meet the organization’s network
Systems: computers and manufacturing systems
Applications: all applications systems
Goals of Policy (refer to ECH book)
Types of information security policy
Policy, Standards and Practices
Policy: A plan or course of action that influences decisions
Must be properly disseminated, read, understood, agreed to, and
uniformly enforced
Requires constant modification and maintenance
Standards
A more detailed statement of what must be done to comply with
policy
Practices/Procedures
Guidelines that explain how employees will comply with policy
Policies, Standards & Practices
EISP Elements
1. Corporate philosophy on security
2. Information security organization and information security roles
Example EISP Components
• Statement of purpose
• Information technology security elements
• Need for information technology security
• Information technology security responsibilities and roles
• Reference to other information technology standards and
guidelines
b) Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
• Instructions for the secure use of technology systems
• Begins with introduction to fundamental technological philosophy of
the organization
• Protects organization from inefficiency and ambiguity
• Documents how the technology-based system is controlled
• Identifies the processes and authorities that provide this control
• Indemnifies the organization against liability for an employee’s
inappropriate or illegal system use
Issue-Specific Security Policy (cont’d.)
ISSP topics
Email and internet use
Minimum system configurations
Prohibitions against hacking
Home use of company-owned computer equipment
Use of personal equipment on company networks
Use of telecommunications technologies
Use of photocopy equipment
Components of the ISSP
Statement of Purpose
Scope and applicability
Definition of technology addressed
Responsibilities
Authorized Access and Usage of Equipment
User access
Fair and responsible use
Protection of privacy
Components of the ISSP (cont’d.)
Prohibited Usage of Equipment
Disruptive use or misuse
Criminal use
Offensive or harassing materials
Copyrighted, licensed or other intellectual property
Other restrictions
Systems management
Management of stored materials
Employer monitoring
Virus protection
Physical security
Encryption
Components of the ISSP (cont’d.)
Violations of policy
Procedures for reporting violations
Penalties for violations
Policy review and modification
Scheduled review of policy and procedures for modification
Limitations of liability
Statements of liability or disclaimers
c) System-Specific Security Policy
System-specific security policies (SysSPs) frequently do not
look like other types of policy
They may function as standards or procedures to be used when
configuring or maintaining systems
SysSPs can be separated into
Management guidance
Technical specifications
Or combined in a single policy document
Managerial Guidance SysSPs
Created by management to guide the implementation and
configuration of technology
Applies to any technology that affects the confidentiality,
integrity or availability of information, e.g. firewall
configuration
Informs technologists of management intent
Technical Specifications SysSPs
System administrators’ directions on implementing managerial policy
Each type of equipment has its own type of policies
General methods of implementing technical controls
Access control lists
Configuration rules
Access control lists
Include the user access lists, matrices, and capability tables that govern rights and
privileges
A similar method that specifies which subjects and objects users or groups can access
is called a capability table
These specifications are frequently complex matrices, rather than simple lists or tables
Enable administrators to restrict access according to user, computer, time, duration,
or even a particular file
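As an added illustration (not from the textbook or the lecture), the access-control matrix described above with a capability table as its row view and an ACL as its column view, including the per-computer and time-of-day restrictions the slide mentions; all subjects, objects and hosts are constructed sample values:

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One cell of the matrix: rights plus optional host and time-of-day limits."""
    rights: FrozenSet[str]                                    # e.g. {"read", "write"}
    hosts: FrozenSet[str] = frozenset()                       # empty = any computer
    window: Tuple[time, time] = (time(0, 0), time(23, 59, 59))  # allowed clock window


class AccessMatrix:
    """Subject x object matrix; default deny for any cell that is not filled in."""

    def __init__(self) -> None:
        self._cells: Dict[Tuple[str, str], Rule] = {}

    def grant(self, subject: str, obj: str, rule: Rule) -> None:
        self._cells[(subject, obj)] = rule

    def check(self, subject: str, obj: str, right: str, host: str, now: datetime) -> bool:
        """Allow only if the cell exists and every restriction in it is satisfied."""
        rule = self._cells.get((subject, obj))
        if rule is None or right not in rule.rights:
            return False
        if rule.hosts and host not in rule.hosts:      # computer restriction
            return False
        start, end = rule.window                       # time-of-day restriction
        return start <= now.time() <= end

    def is_allowed(self, subject: str, obj: str, right: str, host: str, when_iso: str) -> bool:
        """Same check, taking an ISO-8601 timestamp string (constructed convenience)."""
        return self.check(subject, obj, right, host, datetime.fromisoformat(when_iso))

    def capability_table(self, subject: str) -> Dict[str, List[str]]:
        """Row view: every object one subject may touch, and with which rights."""
        return {o: sorted(r.rights) for (s, o), r in self._cells.items() if s == subject}

    def acl(self, obj: str) -> Dict[str, List[str]]:
        """Column view: every subject allowed on one object (the object's ACL)."""
        return {s: sorted(r.rights) for (s, o), r in self._cells.items() if o == obj}


def sample_matrix() -> AccessMatrix:
    """Constructed policy: payroll writes only from the HR workstation during office hours."""
    m = AccessMatrix()
    m.grant("alice", "payroll.db", Rule(frozenset({"read", "write"}),
                                        frozenset({"hr-ws01"}), (time(8, 0), time(18, 0))))
    m.grant("bob", "payroll.db", Rule(frozenset({"read"})))
    m.grant("alice", "handbook.pdf", Rule(frozenset({"read"})))
    return m
```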
Technical Specifications SysSPs (cont’d.)
Configuration rules
Specific configuration codes entered into security systems
Guide the execution of the system as information passes through it
Many security systems require specific configuration scripts
telling the system what actions to perform on each set of
information it processes
Technical Specifications SysSPs (cont’d.) [figure; Source: Course Technology/Cengage Learning]
Guidelines for Effective Policy
Policies must be properly:
Developed using industry-accepted practices
Distributed or disseminated using all appropriate methods
Reviewed or read by all employees
Understood by all employees
Formally agreed to by act or assertion
Uniformly applied and enforced
Policy Development steps
1. Investigation (goals, support, participation)
2. Analysis (risk assessment)
3. Design (components, dissemination)
4. Implement (detailed specification)
5. Maintenance
6. Distribution
The Information Security Policy Made Easy Approach (cont’d.)
Lest you believe that the only reason to have policies is to avoid
litigation, it is important to emphasize the preventive nature of
policy
Policies exist, first and foremost, to inform employees of what is and is
not acceptable behavior in the organization
Policy seeks to improve employee productivity, and prevent potentially
embarrassing situations
Implementing Security Education, Training and Awareness Programs
SETA program
Designed to reduce accidental security breaches
Consists of three elements: security education, security training, and
security awareness
Awareness, training, and education programs offer two major
benefits:
Improving employee behavior
Enabling the organization to hold employees accountable for their
actions
Implementing SETA Programs (cont’d.)
Purpose of SETA is to enhance security:
By building in-depth knowledge needed to design, implement, or operate
security programs for organizations and systems
By developing skills and knowledge so that computer users can
perform their jobs while using IT systems more securely
By improving awareness of the need to protect system resources
Security Training
Involves providing detailed information and hands-on instruction
to develop the skills users need to perform their duties securely
Organizations can develop customized training or outsource it
Customizing training for users
By functional background
General user
Managerial user
Technical user
By skill level
Novice
Intermediate
Advanced
Security Awareness
One of the least frequently implemented, but most effective security methods is
the security awareness program
Security awareness programs:
Set the stage for training by changing organizational attitudes to realize the importance of
security and the adverse consequences of its failure
Remind users of the procedures to be followed
Refrain from using technical jargon
Define learning objectives, state them clearly, and provide sufficient detail and coverage
Keep things light
Don’t overload the users
Help users understand their roles in InfoSec
Utilize in-house communications media
Make the awareness program formal
Provide good information early, rather than perfect information late
Security Awareness (cont’d.)
Effective training and awareness programs make employees accountable for their actions
Dissemination and enforcement of policy become easier when training and awareness
programs are in place
Demonstrating due care and due diligence can help indemnify the institution against lawsuits
Many security awareness components are available at little or no cost
Others can be very expensive
Examples of security awareness components
Videos
Posters and banners
Lectures and conferences
Computer-based training
Newsletters
Brochures and flyers
Trinkets (coffee cups, pens, pencils, T-shirts)
Bulletin boards
Security Awareness (cont’d.)
Organizations can establish Web pages or sites dedicated to
promoting information security awareness
The challenge lies in updating the messages frequently enough to
keep them fresh
Tips on creating and maintaining an educational Web site
See what’s already out there
Plan ahead
Keep page loading time to a minimum
Seek feedback
Spend time promoting your site
Thank You