Presentation transcript: "Information Security Policy"
1 Information Security Policy
INFORMATION SECURITY MANAGEMENT, Lecture 4: Information Security Policy
"You got to be careful if you don't know where you're going, because you might not get there." – Yogi Berra
2 Principles of Information Security Management
The six P's, the characteristics that are the focus of the current course: Planning (Chapters 2 & 3), Policy (Chapter 4), Programs, Protection, People, Project Management.
These extend the basic characteristics of general leadership and management and differ from what the general IT and management communities emphasize; they are the focus of this course.
3 Introduction
"The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems."
Policy is the essential foundation of an effective information security program.
4 Policy
Policy expresses the will of the organization's management in controlling the behavior of its employees.
5 Policy – Biggest Threat to Endpoint Security?
78% of respondents consider negligent or careless employees who do not follow security policies to be the biggest threat to endpoint security; 50% had not received any security or policy awareness training.
"I wouldn't go so far as to say they don't care - mostly - but I'd also point out that organizations probably haven't done a good job of helping them understand why they should care."
7 Policy, Standards, and Practices
Policy and its types: enterprise, issue-specific, system-specific
Standards
Practices
8 Enterprise Information Security Policy (EISP)
Sets the strategic direction, scope, and tone for the organization's security efforts
Assigns responsibilities for the various areas of information security
Examples:
9 EISP Elements
Overview of the corporate philosophy on security
Information about the information security organization and information security roles
Responsibilities for security that are shared by all members of the organization
Responsibilities for security that are unique to each role within the organization
10 Example EISP Components
Statement of purpose
Information technology security elements
Need for information technology security
Information technology security responsibilities and roles
Reference to other information technology standards and guidelines
11 Issue-Specific Security Policy (ISSP)
Provides detailed, targeted guidance
Protects the organization from inefficiency and ambiguity
Indemnifies the organization against liability for an employee's inappropriate or illegal use of its systems
12 Issue-Specific Security Policy (cont'd.)
Every organization's ISSP should:
Examples at UNCW: Abuse
13 ISSP – Topics
Email and internet use
Minimum system configurations
Prohibitions against hacking
Home use of company-owned computer equipment
Use of personal equipment on company networks
Use of telecommunications technologies
Use of photocopy equipment
14 Components of the ISSP
Statement of purpose
Authorized access and usage of equipment
Prohibited usage of equipment
Systems management
Violations of policy
Policy review and modification
Limitations of liability
16 System-Specific Security Policy
System-specific security policies (SysSPs) frequently do not look like other types of policy.
SysSPs can be separated into managerial guidance and technical specifications.
17 Managerial Guidance SysSPs
Created by management to guide the implementation and configuration of technology
Applies to any technology that affects the confidentiality, integrity, or availability of information
Informs technologists of management's intent
Example: Lifecycle Replacement
18 Technical Specifications SysSPs
System administrators' directions for implementing managerial policy
General methods of implementing technical controls: access control lists; configuration rules
19 Technical Specifications SysSPs (cont'd.)
Access control lists include the user access lists, matrices, and capability tables that govern users' rights and privileges.
They enable administrators to restrict access according to user, computer, time, duration, or even a particular file.
Example: Access to Information Resources and Data
20 Technical Specifications SysSPs (cont'd.)
Access control lists regulate:
Administrators set user privileges
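As an added illustration of the ACL mechanism the slides describe (example code written for this page, not part of the lecture or the textbook), the following Python evaluator restricts access by user or group, by originating computer, by time of day, and by file path. The users, groups, workstation names, paths and the rule set are all constructed for the example; deny-by-default with an explicit deny overriding any allow is the design choice being shown.

```python
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatch
from typing import FrozenSet, Optional

# Constructed group membership for the example (hypothetical users and groups).
GROUPS = {
    "alice": frozenset({"finance", "staff"}),
    "bob": frozenset({"finance", "staff"}),
    "root": frozenset({"admins"}),
}


@dataclass(frozen=True)
class Rule:
    """One ACL entry: who may do what, to which files, from where, and when."""
    principal: str                       # a user name, or "group:<name>"
    resource: str                        # glob over the file path, e.g. "/data/finance/*"
    actions: FrozenSet[str]              # operations the rule allows (or denies)
    effect: str = "allow"                # "allow" or "deny"
    hosts: FrozenSet[str] = frozenset()  # originating computers; empty means any host
    start: Optional[time] = None         # inclusive time-of-day window; None means any time
    end: Optional[time] = None

    def matches(self, user: str, host: str, path: str, action: str, when: datetime) -> bool:
        if self.principal.startswith("group:"):
            if self.principal[len("group:"):] not in GROUPS.get(user, frozenset()):
                return False
        elif self.principal != user:
            return False
        if action not in self.actions or not fnmatch(path, self.resource):
            return False
        if self.hosts and host not in self.hosts:
            return False
        if self.start is not None and self.end is not None:
            if not (self.start <= when.time() <= self.end):
                return False
        return True


# Constructed ACL: staff read public data; finance staff read and write finance
# data only from finance workstations during office hours; admins may do anything
# under /data; bob is explicitly denied finance data despite his group membership.
ACL = [
    Rule("group:staff", "/data/public/*", frozenset({"read"})),
    Rule("group:finance", "/data/finance/*", frozenset({"read", "write"}),
         hosts=frozenset({"fin-ws-01", "fin-ws-02"}), start=time(8, 0), end=time(18, 0)),
    Rule("group:admins", "/data/*", frozenset({"read", "write", "delete"})),
    Rule("bob", "/data/finance/*", frozenset({"read", "write"}), effect="deny"),
]


def is_allowed(user: str, host: str, path: str, action: str, when: datetime) -> bool:
    """Deny by default: grant only if some allow rule matches and no deny rule does."""
    allowed = False
    for rule in ACL:
        if rule.matches(user, host, path, action, when):
            if rule.effect == "deny":
                return False  # an explicit deny always wins
            allowed = True
    return allowed


def demo_decisions():
    """Evaluate a few constructed requests; returns the decisions in order."""
    office_hours = datetime(2024, 3, 4, 10, 0)
    after_hours = datetime(2024, 3, 4, 21, 30)
    return [
        is_allowed("alice", "fin-ws-01", "/data/finance/q3.xlsx", "write", office_hours),  # True
        is_allowed("alice", "fin-ws-01", "/data/finance/q3.xlsx", "write", after_hours),   # False: outside window
        is_allowed("alice", "laptop-07", "/data/finance/q3.xlsx", "read", office_hours),   # False: wrong computer
        is_allowed("bob", "fin-ws-01", "/data/finance/q3.xlsx", "read", office_hours),     # False: explicit deny
        is_allowed("bob", "laptop-07", "/data/public/notice.txt", "read", after_hours),    # True: public, any host/time
        is_allowed("root", "laptop-07", "/data/finance/q3.xlsx", "delete", after_hours),   # True: admin rule
    ]


if __name__ == "__main__":
    print(demo_decisions())  # [True, False, False, False, True, True]
```

The rule order does not affect the outcome, because a deny short-circuits and allows only accumulate; that is what makes the list safe to edit without reasoning about precedence. Note that `fnmatch` lets `*` span directory separators, so `/data/*` covers every file under `/data`, which is intended for the admin rule but worth remembering when writing narrower patterns.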
21 Technical Specifications SysSPs: Case Study
Disaster at a University: A Case Study in Information Security
Overview; Issue; People Involved; Approach and Resolution; Outcomes; Conclusion
22 Guidelines for Effective Policy
For policies to be effective, they must be properly:
23 Developing Information Security Policy
It is often useful to view policy development as a two-part project:
Design and develop the policy (or redesign and rewrite an outdated policy)
Establish management processes to perpetuate the policy within the organization
24 Developing Information Security Policy (cont'd.)
Policy development projects should be well planned, properly funded, and aggressively managed to ensure that they are completed on time and within budget.
The policy development project can be guided by the SecSDLC process.
25 SecSDLC Process of Policy Development
Investigation phase:
Obtain support from senior management
Clearly articulate the goals of the policy project
Acquire a capable project manager
Develop a detailed outline of, and sound estimates for, project cost and scheduling
26 Developing Information Security Policy (cont'd.)
Analysis phase should produce:
A new or recent risk assessment or IT audit documenting the current information security needs of the organization
Key reference materials, including any existing policies
27 Developing Information Security Policy (cont'd.)
Design phase includes:
How the policies will be distributed
How verification of the distribution will be accomplished
28 Developing Information Security Policy (cont'd.)
Implementation phase includes:
Writing the policies
Policy distribution
Maintenance phase:
Maintain and modify the policy as needed
Built-in reporting mechanism
Periodic review
29 Alternative Approaches: The Information Security Policy Made Easy Approach
Gathering key reference materials
Defining a framework for policies
Preparing a coverage matrix
Making critical systems design decisions
Structuring review, approval, and enforcement processes
30 Alternative Approaches: Guide for Developing Security Plans for Federal Information Systems
NIST Special Publication , Rev. 1 reinforces a business process-centered approach to policy management
Policies are living documents
Good management practices for policy development and maintenance make for a more resilient organization
31 Alternative Approaches: Guide for Developing Security Plans for Federal Information Systems
Policy requirements:
An individual responsible for reviews
A schedule of reviews
A method for making recommendations for reviews
An indication of the policy and revision date
Source: Management of Information Security, 3rd ed.
32 A Final Note on Policy
Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventive nature of policy.
33 Next Class
Chapter 5 – Security Programs; Case Studies; Assessment 1
We will be covering the cases during lecture. Be prepared to discuss your assigned case and to read the other cases.