Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Policy

Published byDeshaun Gorges Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Security Policy"— Presentation transcript:

1 Information Security Policy
INFORMATION SECURITY MANAGEMENT Lecture 4: Information Security Policy You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

2 Principles of Information Security Management
Include the following characteristics that will be the focus of the current course (six P’s): Planning Policy Programs Protection People Project Management Chapters 2 & 3 Chapter 4 These differ from general IT and management communities Extend basic characteristics for general leadership and management and this is the focus of the current course.

3 Introduction “The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems” Policy is the essential foundation of an effective information security program

4 Policy Explains the will of the organization’s management in controlling the behavior of employees

5 Policy – Biggest Threat to Endpoint Security?
78% consider negligent or careless employees who do not follow security policies to be biggest threat to endpoint security 50% did not receive any security or policy awareness training "I wouldn’t go so far to say they don’t care – mostly - but I’d also point out that organizations probably haven’t done a good job of helping them understand why they should care"

6 Bulls-eye Model

7 Policy, Standards, and Practices
Policy & Types Enterprise Issue-specific Systems-specific Standards Practices

8 Enterprise Information Security Policy (EISP)
Sets strategic direction, scope, and tone for organization’s security efforts Assigns responsibilities for various areas of information security Examples:

9 EISP Elements Overview of the corporate philosophy on security
Information about information security organization and information security roles Responsibilities for security that are shared by all members of the organization Responsibilities for security that are unique to each role within the organization

10 Example ESIP Components
Statement of purpose Information technology security elements Need for information technology security Information technology security responsibilities and roles Reference to other information technology standards and guidelines

11 Issue-Specific Security Policy (ISSP)
Provides detailed, targeted guidance Protects organization from inefficiency and ambiguity Indemnifies the organization against liability for an employee’s inappropriate or illegal system use

12 Issue-Specific Security Policy (cont’d.)
Every organization’s ISSP should: Examples at UNCW: Abuse

13 ISSP - Topics Email and internet use Minimum system configurations
Prohibitions against hacking Home use of company-owned computer equipment Use of personal equipment on company networks Use of telecommunications technologies Use of photocopy equipment

14 Components of the ISSP Statement of Purpose
Authorized Access and Usage of Equipment Prohibited Usage of Equipment Systems management Violations of policy Policy review and modification Limitations of liability

15 Implementing the ISSP Common approaches

16 System-Specific Security Policy
System-specific security policies (SysSPs) frequently do not look like other types of policy SysSPs can be separated into:

17 Managerial Guidance SysSPs
Created by management to guide the implementation and configuration of technology Applies to any technology that affects the confidentiality, integrity or availability of information Informs technologists of management intent Example: Lifecycle Replacement

18 Technical Specifications SysSPs
System administrators’ directions on implementing managerial policy General methods of implementing technical controls Access control lists Configuration rules

19 Technical Specifications SysSPs (cont’d.)
Access control lists Include the user access lists, matrices, and capability tables that govern the rights and privileges Enable administrations to restrict access according to user, computer, time, duration, or even a particular file Examples: Access to Information Resources and Data

20 Technical Specifications SysSPs (cont’d.)
Access control lists regulate: Administrators set user privileges

21 Technical Specifications SysSPs: Case Study
Disaster at a University: A Case Study in Information Security Overview Issue People Involved Approach and Resolution Outcomes Conclusion

22 Guidelines for Effective Policy
For policies to be effective, they must be properly:

23 Developing Information Security Policy
It is often useful to view policy development as a two-part project Design and develop the policy (or redesign and rewrite an outdated policy) Establish management processes to perpetuate the policy within the organization

24 Developing Information Security Policy (cont’d.)
Policy development projects should be Well planned Properly funded Aggressively managed to ensure that it is completed on time and within budget The policy development project can be guided by the SecSDLC process

25 SecSDLC Process of Policy Development
Investigation phase Obtain support from senior management Clearly articulate the goals of the policy project Acquire a capable project manager Develop a detailed outline of and sound estimates for project cost and scheduling

26 Developing Information Security Policy (cont’d.)
Analysis phase should produce New or recent risk assessment or IT audit documenting the current information security needs of the organization Key reference materials Including any existing policies

27 Developing Information Security Policy (cont’d.)
Design phase includes How the policies will be distributed How verification of the distribution will be accomplished

28 Developing Information Security Policy (cont’d.)
Implementation phase includes Writing the policies Policy distribution Maintenance Phase Maintain and modify the policy as needed Built-in reporting mechanism Periodic review

29 Alternative Approaches: The Information Securities Policy Made Easy Approach
Gathering key reference materials Defining a framework for policies Preparing a coverage matrix Making critical systems design decisions Structuring review, approval, and enforcement processes

30 Alternative Approaches: Guide for Developing Security Plans for Federal Information Systems
NIST Special Publication , Rev. 1 reinforces a business process-centered approach to policy management Policies are living documents Good management practices for policy development and maintenance make for a more resilient organization

31 Alternative Approaches: Guide for Developing Security Plans for Federal Information Systems
Policy requirements An individual responsible for reviews A schedule of reviews A method for making recommendations for reviews An indication of policy and revision date Management of Information Security, 3rd ed.

32 A Final Note on Policy Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy.

33 Next Class Chapter 5 – Security Programs Case Studies Assessment 1
We will be covering the cases during lecture. Be prepared to discuss your assigned case and read the other cases Assessment 1

Download ppt "Information Security Policy"

Similar presentations

1 Policy Webinar Series: Organizational Structure, Governance and Insurance Jessica Brodey April 22, 2008.

1 Policy Webinar Series: Organizational Structure, Governance and Insurance Jessica Brodey April 22, 2008.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.

SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.
Information Security Policy

Information Security Policy
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Information Security Policies and Standards

Information Security Policies and Standards
Each problem that I solved became a rule which

Each problem that I solved became a rule which
Lecture 2: Planning for Security INFORMATION SECURITY MANAGEMENT

Lecture 2: Planning for Security INFORMATION SECURITY MANAGEMENT
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Security Policies Group 1 - Week 8 policy for use of technology.

Security Policies Group 1 - Week 8 policy for use of technology.
Imran Ghaznavi Course Code: MGT557 COMSATS Strategic Human Resource Management.

Imran Ghaznavi Course Code: MGT557 COMSATS Strategic Human Resource Management.
Network security policy: best practices

Network security policy: best practices
Information Security Policy

Information Security Policy
@ Industrial Engineering by Bopaya Bidanda David I. Cleland.

@ Industrial Engineering by Bopaya Bidanda David I. Cleland.
CSE 4482: Computer Security Management: Assessment and Forensics

CSE 4482: Computer Security Management: Assessment and Forensics
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
Guide to Firewalls and VPNs, 3rd Edition

Guide to Firewalls and VPNs, 3rd Edition
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google