Policies and Procedures in Information Security

Lecture 11
Information Security Policy

Objectives
Upon completion of this material you should be able to:
Define information security policy and understand its central role in a
successful information security program
Describe the three major types of information security policy and
explain what goes into each type
Develop various types of information security policies

Management of Information Security, 3rd ed.
Introduction
Policy is the essential foundation of an effective information
security program
The policy maker sets the tone and emphasizes the importance of
information security
Objectives
Reduced risk
Compliance with laws and regulations
Assurance of operational continuity, information integrity, and
confidentiality

Why Policy?
Policies are the least expensive means of control and often the
most difficult to implement properly
Basic rules for shaping a policy
Policy should never conflict with law
Policy must be able to stand up in court if challenged
Policy must be properly supported and administered

Why Policy? (cont’d.)

Bull’s-eye model: security issues are addressed from the outer layer inward
Policies: the outer layer, the first line of defense
Networks: where threats first meet the organization’s network
Systems: computers and manufacturing systems
Applications: all application systems
Goals of Policy (refer to the ECH book)
Types of information security policy

A. Enterprise information security program policy
B. Issue-specific information security policies
C. Systems-specific policies
Policy, Standards and Practices
Policy: a plan or course of action that influences decisions
must be properly disseminated, read, understood, agreed to, and
uniformly enforced
requires constant modification and maintenance
Standards
A more detailed statement of what must be done to comply with
policy
Practices, procedures and guidelines
Explain how employees will comply with policy
Policies, Standards & Practices

Figure 4-2 Policies, standards and practices (Source: Course Technology/Cengage Learning)
a) Enterprise Information Security Policy
(EISP)
Sets strategic direction, scope, and tone for organization’s security
efforts
Assigns responsibilities for various areas of information security
Guides development, implementation, and management
requirements of information security program

EISP Elements
1. Corporate philosophy on security
2. Information security organization and information security
roles
Example EISP Components
• Statement of purpose
• Information technology security elements
• Need for information technology security
• Information technology security responsibilities and roles
• Reference to other information technology standards and
guidelines

b) Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
• Instructions for the secure use of a technology system
• Begins with introduction to fundamental technological philosophy of
the organization
• Protects organization from inefficiency and ambiguity
• Documents how the technology-based system is controlled
• Identifies the processes and authorities that provide this control
• Indemnifies the organization against liability for an employee’s
inappropriate or illegal system use

Issue-Specific Security Policy- contd

ISSP topics
Email and internet use
Minimum system configurations
Prohibitions against hacking
Home use of company-owned computer equipment
Use of personal equipment on company networks
Use of telecommunications technologies
Use of photocopy equipment

Components of the ISSP
Statement of Purpose
Scope and applicability
Definition of technology addressed
Responsibilities
Authorized Access and Usage of Equipment
User access
Fair and responsible use
Protection of privacy

Components of the ISSP - contd
Prohibited Usage of Equipment
 Disruptive use or misuse
 Criminal use
 Offensive or harassing materials
 Copyrighted, licensed or other intellectual property
 Other restrictions
Systems management
 Management of stored materials
 Employer monitoring
 Virus protection
 Physical security
 Encryption
Components of the ISSP - contd
Violations of policy
Procedures for reporting violations
Penalties for violations
Policy review and modification
Scheduled review of policy and procedures for modification
Limitations of liability
Statements of liability or disclaimers

c) System-Specific Security Policy
System-specific security policies (SysSPs) frequently do not
look like other types of policy
may function as standards or procedures to be used when
configuring or maintaining systems
SysSPs can be separated into
Management guidance
Technical specifications
Or combined in a single policy document

Managerial Guidance SysSPs
Created by management to guide the implementation and
configuration of technology
Applies to any technology that affects the confidentiality,
integrity or availability of information, e.g. firewall
configuration
Informs technologists of management intent

Technical Specifications SysSPs
System administrators’ directions on implementing managerial policy
Each type of equipment has its own type of policies
General methods of implementing technical controls
Access control lists
Configuration rules
Access control lists
 Include the user access lists, matrices, and capability tables that govern the rights and
privileges of users over information assets
 A similar method that specifies which subjects and objects users or groups can access
is called a capability table
 These specifications are frequently complex matrices, rather than simple lists or tables
 Enable administrators to restrict access according to user, computer, time, duration,
or even a particular file
Technical Specifications SysSPs - contd

Access control lists regulate
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the system from
How authorized users can access the system
Restricting what users can access, e.g. printers, files, communications,
and applications
Administrators set user privileges
Read, write, create, modify, delete, compare, copy
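The who/what/when/where/how checks above, worked through as a small ACL evaluator. This is an added example for this lecture, not code from the textbook or the slides; the users, groups, source networks, file paths and time windows are constructed for illustration. Rights are the union of every matching entry, and anything not granted is denied.

```python
"""Access control list evaluation with who / what / when / where / how checks.

Added example for this lecture, not code from the textbook or the
slides. Every user, group, network and file path below is constructed
for illustration.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

ALL_DAY = (time(0, 0), time(23, 59, 59))


@dataclass(frozen=True)
class AclEntry:
    subject: str                           # who: a user or a group name
    obj: str                               # what: a file, or a directory if it ends with "/"
    rights: frozenset                      # how: the privileges granted (read, write, ...)
    allowed_from: tuple = ("0.0.0.0/0",)   # where: source networks (CIDR), default anywhere
    hours: tuple = ALL_DAY                 # when: inclusive local-time window, default any time


# Constructed group membership (the "user access list").
GROUPS = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "mallory": set(),
}

# Constructed ACL. Order does not matter: rights are the union of all matching entries.
ACL = [
    AclEntry("finance", "/data/payroll.xlsx", frozenset({"read", "write"}),
             allowed_from=("10.1.0.0/16",), hours=(time(8, 0), time(18, 0))),
    AclEntry("alice", "/data/payroll.xlsx", frozenset({"read"})),   # any time, from anywhere
    AclEntry("engineering", "/src/", frozenset({"read", "write", "create", "delete"}),
             allowed_from=("10.2.0.0/16",)),
]


def subjects_for(user):
    """The user plus every group the user belongs to."""
    return {user} | GROUPS.get(user, set())


def object_matches(entry_obj, obj):
    """Exact match for a file entry; prefix match for a directory entry."""
    if entry_obj.endswith("/"):
        return obj.startswith(entry_obj)
    return obj == entry_obj


def effective_rights(user, obj, src_ip, now):
    """Union of rights from every entry whose subject, object, source network and time window match."""
    ip = ip_address(src_ip)
    subjects = subjects_for(user)
    rights = set()
    for e in ACL:
        if e.subject not in subjects or not object_matches(e.obj, obj):
            continue
        if not any(ip in ip_network(net) for net in e.allowed_from):
            continue
        start, end = e.hours
        if not (start <= now <= end):
            continue
        rights |= e.rights
    return rights


def is_permitted(user, obj, right, src_ip, now):
    """Default deny: a right is granted only if some matching entry lists it."""
    return right in effective_rights(user, obj, src_ip, now)


if __name__ == "__main__":
    office, home = "10.1.5.5", "203.0.113.7"
    print(sorted(effective_rights("alice", "/data/payroll.xlsx", office, time(10, 0))))  # ['read', 'write']
    print(sorted(effective_rights("alice", "/data/payroll.xlsx", home, time(22, 0))))    # ['read']
    print(is_permitted("bob", "/data/payroll.xlsx", "read", office, time(10, 0)))        # False
    print(is_permitted("bob", "/src/main.c", "delete", "10.2.3.4", time(3, 0)))          # True
```

The point of the example is the default: `effective_rights` starts from an empty set, so a user who matches no entry (mallory) gets nothing, and alice loses write access to the payroll file outside office hours or from an outside network even though she keeps read access through her personal entry.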

Technical Specifications SysSPs - contd

Figure 4-5 Windows XP ACL (Source: Course Technology/Cengage Learning)
Technical Specifications SysSPs - contd

Configuration rules
Specific configuration codes entered into security systems
Guide the execution of the system when information is passing through it
Many security systems require specific configuration scripts
telling the systems what actions to perform on each set of
information they process
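How an ordered firewall rule set executes, as an added example that is not the textbook's Figure 4-6 and does not use any vendor's rule syntax: rules are evaluated top to bottom, the first match decides, and a packet that matches nothing is dropped. The networks, hosts and both rule sets are constructed. The weak set has a broad allow left above a specific deny, so the deny never fires; the corrected set puts specific permits first and an explicit cleanup deny last, and a small check reports rules that an earlier rule has made unreachable.

```python
"""Ordered firewall configuration rules: first match wins, default deny.

Added example for this lecture, not the textbook's Figure 4-6 or any
vendor's rule syntax. Networks, hosts and the rule sets below are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule, pkt):
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules, pkt):
    """Return (action, index of the rule that fired). No match means the implicit deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def covers(earlier, later):
    """True if every packet the later rule would match is already matched by the earlier one."""
    return (ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and earlier.proto in ("any", later.proto)
            and earlier.dport in (None, later.dport))


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


# Weak rule set: a "temporary" allow-all was left at the top, so the telnet
# block beneath it is dead configuration.
WEAK = [
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "allow"),
    Rule("0.0.0.0/0", "10.0.0.0/8", "tcp", 23, "deny"),
]

# Corrected rule set: specific permits first, an explicit cleanup deny last.
GOOD = [
    Rule("0.0.0.0/0", "10.0.1.10/32", "tcp", 443, "allow"),   # public HTTPS server
    Rule("10.0.0.0/8", "10.0.0.0/8", "any", None, "allow"),   # internal traffic
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),
]

# Constructed traffic.
TELNET_FROM_INTERNET = Packet("198.51.100.9", "10.0.1.10", "tcp", 23)
HTTPS_FROM_INTERNET = Packet("198.51.100.9", "10.0.1.10", "tcp", 443)
SSH_INTERNAL = Packet("10.0.5.5", "10.0.1.10", "tcp", 22)

if __name__ == "__main__":
    print(evaluate(WEAK, TELNET_FROM_INTERNET))   # ('allow', 0): the deny never fires
    print(shadowed_rules(WEAK))                   # [1]
    print(evaluate(GOOD, TELNET_FROM_INTERNET))   # ('deny', 2)
    print(evaluate(GOOD, HTTPS_FROM_INTERNET))    # ('allow', 0)
    print(evaluate(GOOD, SSH_INTERNAL))           # ('allow', 1)
    print(shadowed_rules(GOOD))                   # []
```

`shadowed_rules` is the check worth running on any rule set before it is deployed: a rule that is covered by an earlier one is either redundant or, as with the telnet deny in `WEAK`, a control that management believes exists but that the device never applies.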

Technical Specifications SysSPs (cont’d.)

Figure 4-6 Firewall configuration rules (Source: Course Technology/Cengage Learning)
Guidelines for Effective Policy
policies must be properly:
Developed using industry-accepted practices
Distributed or disseminated using all appropriate methods
Reviewed or read by all employees
Understood by all employees
Formally agreed to by act or assertion
Uniformly applied and enforced

Policy Development steps
1. Investigation (goals, support, participation)
2. Analysis (risk assessment)
3. Design (components, dissemination)
4. Implement (detailed specification)
5. Maintenance
6. Distribution

The Information Security Policy Made Easy Approach (cont’d.)

Figure 4-11 A sample coverage matrix (Source: Course Technology/Cengage Learning)
A Final Note on Policy

Lest you believe that the only reason to have policies is to avoid
litigation, it is important to emphasize the preventative nature of
policy
Policies exist, first and foremost, to inform employees of what is and is
not acceptable behavior in the organization
Policy seeks to improve employee productivity, and prevent potentially
embarrassing situations

Implementing Security Education, Training and Awareness
Programs

SETA program
Designed to reduce accidental security breaches
Consists of three elements: security education, security training, and
security awareness
Awareness, training, and education programs offer two major
benefits:
Improving employee behavior
Enabling the organization to hold employees accountable for their
actions

Implementing SETA Programs (cont’d.)
Purpose of SETA is to enhance security:
By building in-depth knowledge, to design, implement, or operate
security programs for organizations and systems
By developing skills and knowledge so that computer users can
perform their jobs while using IT systems more securely
By improving awareness of the need to protect system resources

Implementing SETA Programs (cont’d.)

Table 5-3 Framework of security education, training and awareness

Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook, SP 800-12, http://csrc.nist.gov/publications/nistpubs/800-12/
Security Education
Employees within information security may be encouraged to
seek a formal education if their background or experience has not
prepared them for the role
A number of institutions of higher learning, including colleges and
universities, provide formal coursework in information security

Security Training
Involves providing detailed information and hands-on instruction
to develop the skills users need to perform their duties securely
Organizations can develop customized training or outsource it
Customizing training for users
By functional background
General user
Managerial user
Technical user
By skill level
Novice
Intermediate
Advanced

Security Awareness
One of the least frequently implemented, but most effective security methods is
the security awareness program
Security awareness programs:
 Set the stage for training by changing organizational attitudes to realize the importance of
security and the adverse consequences of its failure
 Remind users of the procedures to be followed
Refrain from using technical jargon
Define learning objectives, state them clearly, and provide sufficient detail and coverage
Keep things light
Don’t overload the users
Help users understand their roles in InfoSec
Utilize in-house communications media
Make the awareness program formal
Provide good information early, rather than perfect information late
Security Awareness (cont’d.)
Effective training and awareness programs make employees accountable for their actions
Dissemination and enforcement of policy become easier when training and awareness
programs are in place
Demonstrating due care and due diligence can help indemnify the institution against lawsuits
Many security awareness components are available at little or no cost
Others can be very expensive
Examples of security awareness components
Videos
Posters and banners
Lectures and conferences
Computer-based training
Newsletters
Brochures and flyers
Trinkets (coffee cups, pens, pencils, T-shirts)
Bulletin boards
Security Awareness (cont’d.)
Organizations can establish Web pages or sites dedicated to
promoting information security awareness
The challenge lies in updating the messages frequently enough to
keep them fresh
Tips on creating and maintaining an educational Web site
See what’s already out there
Plan ahead
Keep page loading time to a minimum
Seek feedback
Spend time promoting your site

Thank You