
Sanjay Goel, School of Business/Center for Information Forensics and Assurance, University at Albany. Proprietary Information.


1 Unit Outline: Information Security Policy
Module 1: Purpose
Module 2: Life Cycle
Module 3: Terminology
Module 4: Structure
Module 5: Summary

2 Module 4: Structure

3 Structure: Learning Objectives
Students should be able to:
–Create a general security policy program.
–Know what the components of a security policy program, issue-specific policy, and acceptable use guidelines are.

4 Structure: Security Policy Outline
(Diagram) An Information Security Policy is composed of:
–High-Level: Security Program Policy; Acceptable Use Guidelines
–Low-Level: Issue-Specific Policy; System-Specific Policy

5 Structure: Security Program Policy
(Diagram) The Security Program Policy within an Information Security Policy consists of:
–Introduction: Purpose, Policy Statement, Scope
–Issue-Specific Policy Summaries
–Roles & Responsibilities
–Relevant Resources: References, Definitions
A security program policy is a high-level policy which contains the general rationale and purpose of an information security policy, as well as related definitions, roles and responsibilities, and compliance.

6 Structure: Security Program Policy: Introduction
Purpose
–The purpose usually contains the rationale for why the information security policy is being created.
Policy Statement
–The policy statement describes organizational values and philosophy on issues detailed within the security policy.
Scope
–The scope details application constraints of the information security policy. For example, it can specify the departments, personnel, and systems that it will impact. This is usually determined as a result of a risk analysis.

7 Structure: Security Program Policy: Issue-Specific Summaries
While the introductory sections of the security policy should be created first, most of the Security Program Policy should be developed after issue-specific and system-specific policies. Issue-Specific Summaries go through all of the issue-specific policies defined throughout the entire security policy and give a top-level overview.

8 Structure: Security Program Policy: Roles & Responsibilities
The roles and responsibilities section lists relevant personnel and the responsibilities they have related to the information security policy. These responsibilities and role definitions usually include:
–Development, maintenance, and publication of present and future policy
–Creation and decision of relevant procedures for policies
–Implementation of policies
–Enforcement of policies (dealing with violations)
–Monitoring and auditing of compliance
–User responsibilities

9 Structure: Security Program Policy: Relevant Resources
References
–Pertain to past policies which the information security policy supersedes, related legislation and laws, other relevant organizational policies or guidelines, and international standards.
–These may be listed in the form of a link or citation.
–These are useful in providing the context for an information security policy.
Definitions
–Clarify the meaning of terms (e.g. general information security, information technology, and specific roles).
–Definitions should be concise and easy to understand in order to be effective.
–The point of including definitions is to avoid misunderstandings in language and to provide a frame of reference.

10 Structure: Low-Level Policy
(Diagram) The low-level part of an Information Security Policy consists of Issue-Specific Policy and System-Specific Policy. An Issue-Specific Policy contains: Background/Rationale, Description, References, Definitions, and Sub-Categories. A Sub-Category contains: Background/Rationale, Description, Guidelines, Implementation Procedures, Enforcement Procedures, and Evaluation Procedures.

11 Structure: Low-Level Policy: Issue-Specific
Issue-Specific policies usually focus on areas defined by a previous risk analysis and usually differ from organization to organization. However, all issue-specific policies do share common elements, despite variations in order or location within a document. They contain multiple sections, but should begin with an initial description of what the controls constitute (sub-categories), why they are important for the organization, and the associated risks that they impact.

12 Structure: Low-Level Policy: Sub-Category General
Issue-Specific policies are usually higher-level areas of security controls, which contain sub-categories. Sub-categories of issue-specific policies will also contain a description, background, and associated risks. In addition, similar to the higher-level issue-specific policy, there may be references to other documents, organizational processes, etc., as well as defined terms for clarification purposes.

13 Structure: Low-Level Policy: Sub-Category Specific
They also tend to include:
–Specific guidelines which reference responsibilities and roles and are dependent on the sub-category. These can also include acceptable use guidelines.
–Procedures for implementation (includes responsibilities and roles; instructions; guidelines; standards; system-specific steps; as well as training and awareness programs)
–Procedures for enforcement (includes responsibilities and roles, reporting procedures, and procedures for dealing with violations)
–Procedures for evaluation (includes processes for evidence/documentation for evaluation, schedule for auditing, monitoring methods, auditing methods)

14 Structure: Acceptable Use Guidelines
(Diagram) Information Security Policy → Acceptable Use Guidelines
Acceptable Use Guidelines, like the Security Program Policy, are considered a high-level policy. They are basically a summary of all acceptable use guidelines and can be categorized by the issue they are specific to and/or by to whom they apply. Acceptable Use Guidelines are usually compiled and distributed in pamphlets to regular users who neither need nor want detailed implementation and/or enforcement procedures and simply want to know what they may and may not do, so that they do not cause damage to themselves or the organization.

15 Structure: Exercise
A good way of applying what has been learned in this module would be to view a genuine security program policy. In a linked zip file you should find the following:
–“Business & Finance Bulletin IS-3 Electronic Information Security”, which is a security program policy from the University of California.
–“HEP-C Alert, Inc. General Security Policy” from the company HEP-C Alert, Inc.
–“Cyber-Security Policy P03-002”, version 2.0 of a security program policy for New York State government agencies.
–“Government Security Policy”, a security program policy for the Canadian government.
While there are some differences in the application, it is apparent that the main aspects of the security program policy detailed are contained within all of these documents.

16 Structure: Summary
An information security policy is made up of high-level policies (security program policy and acceptable use guidelines) as well as low-level policies (issue-specific and system-specific).
A security program policy contains:
–Purpose, Policy Statement, Scope, Issue-Specific Policy Summaries, Roles and Responsibilities, References, and Definitions.
An issue-specific policy can contain sub-categories. Both of these contain a definition, rationale, references, and definitions. However, the sub-categories also tend to contain acceptable use guidelines, and specific procedures for implementation, enforcement and evaluation.
