
IT Security Policy Framework
The framework has four layers, listed from the most authoritative to the least binding:
– Policies
– Standards
– Procedures
– Guidelines

Policy
A written statement from an authority that declares a mandatory course of action; a policy states what must be done, not how.
– Example: Policy dictates that all employees will read and sign the Acceptable Use Policy (AUP) before receiving access to the computing system.

Standard
A detailed, required level of attainment; standards make a policy measurable.
– IT standards ensure that consistent security controls are adopted across the organization.
– Example: The Common Criteria (ISO/IEC 15408) establish a standard for specifying and evaluating the security of hardware and software products.

Procedures
A step-by-step description of the process used to accomplish a task.
– Example: A procedure checklist is used to perform and verify backups.

Guidelines
A suggested (not mandatory) course of action, which can be specific or general.
– Example: The guidelines for a secure password include but are not limited to...

IT Policy Framework Purpose
The purpose is to reduce risk to a level the organization finds acceptable; the framework does not attempt to eliminate risk entirely.

Data Classification Standards
– US Government
– Private enterprise

US Government
Executive Order 13526 (2009) defines three classification levels; unclassified information sits outside them.
– Top Secret
– Secret
– Confidential
– Unclassified information

Top Secret
Unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security.

Secret
Unauthorized disclosure could reasonably be expected to cause serious damage to national security.

Confidential
Unauthorized disclosure could reasonably be expected to cause damage to national security.

Unclassified
– Public domain information is considered unclassified and is not part of the classification standard.

Guidelines
Yes, there are guidelines (classification guides) for separating information into the appropriate categories.

Unclassified
Would you believe there are categories for unclassified information?

Unclassified
Poses no threat to national security if exposed.

Controlled Unclassified
Unclassified information that still requires safeguarding or dissemination controls; the legacy marking for this category was "For Official Use Only" (FOUO).

Alternative classifications
– Top Secret
– Secret
– Confidential
– Restricted
– Protected
– Unclassified

Private Enterprise Data Classification* *(Kim, Solomon)
– Private
– Confidential
– Internal use only
– Public domain data

*Private
Data about people.
– Example: health care records, which are covered by compliance laws like HIPAA
– Payroll information
– Employee records (use encryption for these records)

Confidential
Information owned by the enterprise.
– Customer lists
– Pricing information
– Intellectual property
– Internal use only information
– Proprietary technology (encryption)

Internal Use Only
Information shared internally within an organization.
– Most internal communications are not intended to be shared outside the organization.

Public Domain Data
Information shared with the public.
– Web site content
– White papers

Alternative
A scheme that ranks enterprise data by the financial impact of disclosure:
– Confidential
– Restricted
– Protected
– Unclassified (public)

Alternative: Confidential
– Disclosure would substantially undermine the financial viability of the organization.

Alternative: Restricted
– Disclosure would cause a substantial loss of earning potential or give an advantage to competitors.

Alternative: Protected
– Disclosure would cause financial loss.

Data Classification Challenges
Perfection is the enemy of the good!
– If you insist on perfection, your system will be difficult to implement.
– Employees must be properly educated in order to classify data effectively.
– If the scheme is too complex, it will fail due to lack of use; you are better served by keeping your classification scheme simple (no more complex than is necessary).
– Development and implementation of a data classification scheme will require resources; if it is complex, it will likely be expensive to implement.

Implementation Tips
– Understand what is achievable: any data classification policy must become less complex as more individuals become involved in implementing it.
– Those who have something at stake should be involved in the data classification policy development.
– Provide appropriate education and visibility: any data classification scheme should be posted on the company/agency internal web page.
– Align your data classification scheme with regulatory (compliance) requirements.

Compliance Laws
Legislation exists mandating security controls to protect private and confidential data.

Example Compliance Legislation
SOX (Sarbanes-Oxley Act, 2002)
– Requires internal controls, including IT security controls, to protect the integrity and confidentiality of financial reporting data.

Example Compliance Legislation
GLBA (Gramm-Leach-Bliley Act, 1999)
– Financial institutions must protect their clients' nonpublic personal financial information.

Example Compliance Legislation
HIPAA (Health Insurance Portability and Accountability Act, 1996)
– Health care organizations must secure patient information.

Example Compliance Legislation
CIPA (Children's Internet Protection Act, 2000)
– Requires public schools and public libraries to implement an Internet safety policy.

Example Compliance Legislation
FERPA (Family Educational Rights and Privacy Act, 1974)
– Protects the education records and other private data of students.

Example Compliance Standard
PCI DSS (Payment Card Industry Data Security Standard)
– An information security standard (a contractual requirement, not legislation) for organizations that handle payment card information: debit, credit, prepaid, ATM cards, etc.

Professionalization of the System Administration (SA) Discipline
– Establishment of professional societies/organizations
– Credentials: by study and examination, and through university degrees

Example Professional Organizations
– LISA / SAGE: the USENIX Large Installation System Administration conference and the System Administrators Guild
– (ISC)²: International Information Systems Security Certification Consortium

Professional Organizations
– Offer credentials through study and examination
– Code of ethics
– Professional networking
– A forum for sharing new technology, ideas, etc.

Recommended Areas of Knowledge
– Access controls
– Cryptography
– Network security
– Risk management
– Application development security
– Legal regulations and compliance
– Operations security
