Presentation transcript: Information Security Policy

Slide 1: Information Security Policy
Information Security Management, Lecture 4: Information Security Policy
"You got to be careful if you don't know where you're going, because you might not get there." – Yogi Berra
Slide 2: Principles of Information Security Management
Information security management includes the following characteristics, the six P's, which are the focus of the current course:
Planning (Chapters 2 & 3)
Policy (Chapter 4)
Programs
Protection
People
Project Management
These differ from the general IT and management communities: they extend the basic characteristics of general leadership and management, and this extension is the focus of the current course.

Slide 3: Introduction
"The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems."
Policy is the essential foundation of an effective information security program.

Slide 4: Policy
Policy expresses the will of the organization's management in controlling the behavior of employees.

Slide 5: Policy – Biggest Threat to Endpoint Security?
78% consider negligent or careless employees who do not follow security policies to be the biggest threat to endpoint security.
50% did not receive any security or policy awareness training.
"I wouldn't go so far to say they don't care – mostly – but I'd also point out that organizations probably haven't done a good job of helping them understand why they should care."
Slide 7: Policy, Standards, and Practices
Policy and its types:
Enterprise
Issue-specific
Systems-specific
Standards
Practices

Slide 8: Enterprise Information Security Policy (EISP)
Sets the strategic direction, scope, and tone for the organization's security efforts.
Assigns responsibilities for the various areas of information security.
Examples:

Slide 9: EISP Elements
Overview of the corporate philosophy on security.
Information about the information security organization and information security roles.
Responsibilities for security that are shared by all members of the organization.
Responsibilities for security that are unique to each role within the organization.

Slide 10: Example EISP Components
Statement of purpose
Information technology security elements
Need for information technology security
Information technology security responsibilities and roles
Reference to other information technology standards and guidelines

Slide 11: Issue-Specific Security Policy (ISSP)
Provides detailed, targeted guidance.
Protects the organization from inefficiency and ambiguity.
Indemnifies the organization against liability for an employee's inappropriate or illegal system use.

Slide 12: Issue-Specific Security Policy (cont'd.)
Every organization's ISSP should:
Examples at UNCW:
Abuse

Slide 13: ISSP – Topics
Email and internet use
Minimum system configurations
Prohibitions against hacking
Home use of company-owned computer equipment
Use of personal equipment on company networks
Use of telecommunications technologies
Use of photocopy equipment

Slide 14: Components of the ISSP
Statement of purpose
Authorized access and usage of equipment
Prohibited usage of equipment
Systems management
Violations of policy
Policy review and modification
Limitations of liability
Slide 16: System-Specific Security Policy
System-specific security policies (SysSPs) frequently do not look like other types of policy.
SysSPs can be separated into:

Slide 17: Managerial Guidance SysSPs
Created by management to guide the implementation and configuration of technology.
Applies to any technology that affects the confidentiality, integrity, or availability of information.
Informs technologists of management intent.
Example: Lifecycle Replacement

Slide 18: Technical Specifications SysSPs
System administrators' directions on implementing managerial policy.
General methods of implementing technical controls:
Access control lists
Configuration rules

Slide 19: Technical Specifications SysSPs (cont'd.)
Access control lists include the user access lists, matrices, and capability tables that govern rights and privileges.
They enable administrators to restrict access according to user, computer, time, duration, or even a particular file.
Examples: Access to Information Resources and Data

Slide 20: Technical Specifications SysSPs (cont'd.)
Access control lists regulate:
Administrators set user privileges.
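Slides 19 and 20 list the things an access control list can restrict on (user, computer, time, duration, file) and mention matrices and capability tables without showing how they relate. The following Python example is added here to make that concrete; it is not code from the lecture or its textbook. It builds a small access control matrix, derives the per-resource ACL view and the per-user capability-table view from the same rules, and evaluates a request default-deny against every condition attached to a rule. All users, host names, file paths and time windows are constructed for the example.

```python
"""Toy access control matrix with ACL and capability-table views.

Constructed illustration for a lecture on system-specific security policy.
Every subject, host, resource and time window below is made up.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One cell of the access control matrix plus the conditions on it."""
    subject: str                              # user (or group) name
    resource: str                             # file or data set
    rights: frozenset                         # e.g. {"read", "write"}
    hosts: Optional[frozenset] = None         # None means any computer
    window: Optional[tuple] = None            # (start, end) local time of day
    max_duration: Optional[timedelta] = None  # longest permitted session


# Constructed matrix: rows are subjects, columns are resources.
RULES = [
    Rule("alice", "/data/payroll.xlsx", frozenset({"read", "write"}),
         hosts=frozenset({"hr-ws01"}),          # only from the HR workstation
         window=(time(8, 0), time(18, 0)),      # only during office hours
         max_duration=timedelta(hours=2)),      # and for at most two hours
    Rule("bob", "/data/payroll.xlsx", frozenset({"read"})),
    Rule("alice", "/data/handbook.pdf", frozenset({"read"})),
    Rule("bob", "/data/handbook.pdf", frozenset({"read"})),
]


def acl_for(resource: str) -> dict:
    """Object-centred view: which subjects may do what to this resource."""
    return {r.subject: sorted(r.rights) for r in RULES if r.resource == resource}


def capabilities_for(subject: str) -> dict:
    """Subject-centred view: which resources this subject may act on."""
    return {r.resource: sorted(r.rights) for r in RULES if r.subject == subject}


def is_permitted(subject: str, resource: str, right: str, host: str,
                 when: datetime, duration: timedelta = timedelta(0)) -> bool:
    """Default deny: permit only if some rule grants the right AND every
    condition on that rule (host, time window, duration) is satisfied for
    the whole requested session."""
    session_end = when + duration
    for r in RULES:
        if r.subject != subject or r.resource != resource or right not in r.rights:
            continue                          # rule does not grant this right
        if r.hosts is not None and host not in r.hosts:
            continue                          # wrong computer
        if r.window is not None:
            start, end = r.window
            inside = (start <= when.time() and session_end.time() <= end
                      and session_end.date() == when.date())
            if not inside:
                continue                      # session would leave the window
        if r.max_duration is not None and duration > r.max_duration:
            continue                          # session too long
        return True
    return False


if __name__ == "__main__":
    at = datetime(2024, 3, 4, 9, 0)
    print(acl_for("/data/payroll.xlsx"))
    print(capabilities_for("bob"))
    print(is_permitted("alice", "/data/payroll.xlsx", "write", "hr-ws01", at,
                       timedelta(hours=1)))
```

The two view functions show why the textbook treats ACLs and capability tables as the same information organised differently: an ACL is a column of the matrix and a capability table is a row. The evaluator checks the session end as well as its start so that a request placed just before the window closes cannot run past it.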
Slide 21: Technical Specifications SysSPs – Case Study
Disaster at a University: A Case Study in Information Security
Overview
Issue
People Involved
Approach and Resolution
Outcomes
Conclusion

Slide 22: Guidelines for Effective Policy
For policies to be effective, they must be properly:

Slide 23: Developing Information Security Policy
It is often useful to view policy development as a two-part project:
Design and develop the policy (or redesign and rewrite an outdated policy).
Establish management processes to perpetuate the policy within the organization.

Slide 24: Developing Information Security Policy (cont'd.)
Policy development projects should be:
Well planned
Properly funded
Aggressively managed to ensure that the project is completed on time and within budget
The policy development project can be guided by the SecSDLC process.
Slide 25: SecSDLC Process of Policy Development
Investigation phase:
Obtain support from senior management.
Clearly articulate the goals of the policy project.
Acquire a capable project manager.
Develop a detailed outline of, and sound estimates for, project cost and scheduling.

Slide 26: Developing Information Security Policy (cont'd.)
Analysis phase should produce:
A new or recent risk assessment or IT audit documenting the current information security needs of the organization.
Key reference materials, including any existing policies.

Slide 27: Developing Information Security Policy (cont'd.)
Design phase includes:
How the policies will be distributed.
How verification of the distribution will be accomplished.

Slide 28: Developing Information Security Policy (cont'd.)
Implementation phase includes:
Writing the policies
Policy distribution
Maintenance phase:
Maintain and modify the policy as needed
Built-in reporting mechanism
Periodic review
Slide 29: Alternative Approaches – The Information Security Policies Made Easy Approach
Gathering key reference materials
Defining a framework for policies
Preparing a coverage matrix
Making critical systems design decisions
Structuring review, approval, and enforcement processes

Slide 30: Alternative Approaches – Guide for Developing Security Plans for Federal Information Systems
NIST Special Publication , Rev. 1 reinforces a business process-centered approach to policy management.
Policies are living documents.
Good management practices for policy development and maintenance make for a more resilient organization.

Slide 31: Alternative Approaches – Guide for Developing Security Plans for Federal Information Systems
Policy requirements:
An individual responsible for reviews
A schedule of reviews
A method for making recommendations for reviews
An indication of policy and revision date
Source: Management of Information Security, 3rd ed.

Slide 32: A Final Note on Policy
Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy.

Slide 33: Next Class
Chapter 5 – Security Programs
Case Studies
Assessment 1
We will be covering the cases during lecture. Be prepared to discuss your assigned case and read the other cases.