Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Systems Security Policies & ISO 17799

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Information Systems Security Policies & ISO 17799"— Presentation transcript:

1 Information Systems Security Policies & ISO 17799
Maria Karyda, PhD Laboratory of Information and Communication Systems Security Department of Information and Communication Systems Engineering University of the Aegean Karlovassi, Samos, GR-83200, GREECE

2 Overview Information Systems Security Policies
What is a Security Policy? Why do we need them? How can we design a Policy and what should we include? What makes a Security Policy effective? Information Security Management Standards How can the ISO assist us? IPICS – Chios, July 2005

3 Information Systems Security Practices
Information Systems Risk Management aims to minimize risk at acceptable levels by implementing risk analysis and management methods (e.g. OCTAVE, CRAMM, SBA) baseline security is also an option Information Systems Security Policy most common security management practice based on risk evaluation results based on standards and best practices IPICS – Chios, July 2005

4 What is a Security Policy?
High level statements describing the security goals, priorities and the management intention with regard to information systems security, as well as the ways to achieve these goals. Written in one or more documents. IPICS – Chios, July 2005

5 Information Systems Security Policies
Design Implement Publish Enforce Monitor compliance Evaluate Review Amend and update IPICS – Chios, July 2005

6 Who is involved? Security experts System / network administrators
design, review and update the policy System / network administrators implement security controls, guidelines Management set security goals provide resources Users follow security procedures Auditors monitor compliance IPICS – Chios, July 2005

7 Related Concepts Law and Regulations Security Requirements
e.g. Data Protection, Intellectual Property Management Security Requirements confidentiality, availability, privacy, integrity, non repudiation Best practices and Security Standards Security, countermeasures, guidelines and procedures IPICS – Chios, July 2005

8 Why do we need a security policy? -1-
Provides a comprehensive framework for the selection and implementation of security measures Communication means among different stakeholders Management of resources people, skills, money, time Conveys the importance of security to all members of the organization IPICS – Chios, July 2005

9 Why do we need a security policy? -2-
Helps create a “security culture” Shared beliefs and values concerning security Legal obligation Helps promote “trust relationships” between the organizations and its business partners / clients IPICS – Chios, July 2005

10 Designing a Security Policy: security goals elicitation
Risk evaluation Other sources of security requirements: management legal framework contractual obligations users and administrators business partners and clients IPICS – Chios, July 2005

11 Designing a Security Policy: Issues to be addressed
Goal and security targets Scope Assets covered by the Policy data, software, hardware, locations, processes etc. Roles and responsibilities Compliance monitoring incentives, penalties etc. Time IPICS – Chios, July 2005

12 What kind of Security Policies are there?
Computer-oriented Security Policies Information Security Policies that implement access control (Discretionary Access Control, Mandatory Access Control) operating systems networks application Human-oriented Security Policies scope: department, organization applied by IS users IPICS – Chios, July 2005

13 Security Policies Structure -1-
Individual Security Policies application or system (e.g. policy) “use policies” + effective for isolated systems and autonomous applications - high complexity, fragmented IS security management IPICS – Chios, July 2005

14 Security Policies Structure -2-
Comprehensive Security Policies one document addressing all applications, processes and systems - big volume, not easy to use - contain high level security guidelines IPICS – Chios, July 2005

15 Security Policies Structure -3-
Modular Security Policies comprehensive document with multiple annexes containing specific (e.g. per application or system) policies can be in hypertext form IPICS – Chios, July 2005

16 ISO/IEC 17799 First Edition: 01-12-2000
Prepared by the British Standards Institution (as BS 7799) and was adopted by Joint Technical Committee ISO/IEC JTC 1, Information Technology, in parallel with its approval by national bodies of ISO and IEC. “Information technology — Code of practice for information security management” New Edition: June 2005 IPICS – Chios, July 2005

17 Security Policies Content -1- (based on ISO 17799-2000)
I. Organizational Security “Information security is a business responsibility shared by all members of the management team.” Information security infrastructure management should approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization co-operation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance IPICS – Chios, July 2005

18 Security Policies Content -2- (based on ISO 17799)
II. Asset classification and control Asset accountability Accountability should remain with the owner of the asset. Responsibility for implementing controls may be delegated. Information classification Information should be classified to indicate the need, priorities and degree of protection, depending on varying degrees of sensitivity and criticality. IPICS – Chios, July 2005

19 Security Policies Content -3- (based on ISO 17799)
III. Personnel security Security in job definition and resourcing User training Users should be trained in security procedures and the correct use of information processing facilities to minimize possible security risks. Responding to security incidents and malfunctions Weaknesses, malfunctions Learning from incidents Disciplinary process IPICS – Chios, July 2005

20 Examples* “The Terms and Conditions of Employment of the Organization are to include requirements for compliance with Information Security” “All staff must have previous employment and other references carefully checked” “All employees must comply with the Information Security Policy of the Organization. Any Information Security incidents resulting from non-compliance will result in immediate disciplinary action” * RUSecureTM Information Security Policies IPICS – Chios, July 2005

21 Examples* “The Organization is committed to providing regular and relevant Information Security awareness communications to all staff by various means, such as electronic updates, briefings, newsletters etc.” “Periodic training for the Information Security Officer is to be prioritized to educate and train in the latest threats and Information Security Techniques” “The Organization is committed to providing training to all users of new systems to ensure that their use is both efficinet and does not compromise Information Security” * RUSecureTM Information Security Policies IPICS – Chios, July 2005

22 Security Policies Content -4- (based on ISO 17799)
IV. Physical and environmental security Secure areas Security perimeter, entry controls Protection provided should be commensurate with the identified risks Equipment security Safety IPICS – Chios, July 2005

23 Examples* “A formal Hardware Inventory of all equipment is to be maintained and kept up-to-date at all times” “All information system hardware faults are to be reported promptly and recorded in a hardware fault register” * RUSecureTM Information Security Policies IPICS – Chios, July 2005

24 Security Policies Content -5- (based on ISO 17799)
V. Communications & operations management Operational procedures and responsibilities Incident management procedures Segregation of duties Separation of development and operational facilities System planning and acceptance Capacity planning, performance requirements, system acceptance Protection against malicious software Back ups, logging Network management Media handling tapes, disks, cassettes Information exchange between organizations Policy on the use of or fax Electronic commerce security IPICS – Chios, July 2005

25 Examples* Policy statement on the use of fax:
“Sensitive or confidential information may only be faxed were more secure methods of transmission are not feasible. Both the owner of the information and the intended recipient must authorize the transmissions beforehand” Policy statement on media handling: “Only personnel who are authorized to install or modify software shall use removable media to transfer data to/from the organization's network. Any other persons shall require specific authorization” * RUSecureTM Information Security Policies IPICS – Chios, July 2005

26 Security Policies Content -6- (based on ISO 17799)
VI. Access control User access management Access rights, passwords User responsibilities Network access control Network segregation Operating system access control Application access control Monitoring system access and use Mobile computing and teleworking IPICS – Chios, July 2005

27 Examples* User access management:
“Access to all systems must be authorized by the owner of the system and such access, including the appropriate access rights, or privileges, must be recorded in an Access Control List. Such records are to be regarded as Highly Confidential documents and safeguarded accordingly” Operating system access control “Access to operating system commands is to be restricted to those who are authorized to perform systems administration/management functions. Even then, such access must be operated under dual control requiring the specific approval of senior management” *RUSecureTM Information Security Policies IPICS – Chios, July 2005

28 Security Policies Content -7- (based on ISO 17799)
VII. Systems development and maintenance Security requirements of systems “built-in” security Security in application systems Message authentication, hash algorithms, cryptography Cryptographic controls To protect the confidentiality, authenticity or integrity of information (encryption, digital signatures, key management) IPICS – Chios, July 2005

29 Examples* “All new hardware installations are to be planned formally and notified to all interested parties ahead of the proposed installation date. Information security requirements are to be circulated for comment to all interested parties, well in advance of installation” “All equipment must be fully and comprehensively tested and formally accepted by users before being transferred to the live environment” *RUSecureTM Information Security Policies IPICS – Chios, July 2005

30 Security Policies Content -8- (based on ISO 17799)
VIII. Business continuity management “To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.” Analyze the consequences of disasters, security failures and loss of service. Develop and implement contingency plans to ensure that business processes can be restored within the required time-scales. Such plans should be maintained and practiced to become an integral part of all other management processes. Business continuity management should include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations. IPICS – Chios, July 2005

31 Security Policies Content -9- (based on ISO 17799)
IX. Compliance Compliance with legal requirements Data protection and privacy of personal information Intellectual property rights (IPR) Regulation of cryptographic controls Compliance with security policy IPICS – Chios, July 2005

32 Examples* “Persons responsible for Human Resources Management are to prepare guidelines to ensure that all employees are aware of the key aspects Copyright legislation, in so far as these requirements impact on their duties” “All employees are required to fully comply with the organisation’s Information Security Policies. The monitoring of such compliance is the responsibility of management” *RUSecureTM Information Security Policies IPICS – Chios, July 2005

33 Critical factors for successful application -1-
Alignment with business goals Management support Organizational culture Address specific security requirements User awareness, training and education Review and evaluation procedures Gradual introduction, change management IPICS – Chios, July 2005

34 Critical factors for successful application -2-
Clear, easy to understand Easily accessible Complete Up-to-date Extendable Applicable Technology independent IPICS – Chios, July 2005

35 Security Policies Review
Scheduled reviews e.g. once every 18 months Occasional when major changes occur (e.g. network configuration, new applications) Review results utilized for evaluating and updating the Security Policy IPICS – Chios, July 2005

36 Conclusions There is no “out of the box” security solution
Customize Security Policies content, structure, security guidelines Utilize best practice, Information Security Standards Effective implementation context-dependent IPICS – Chios, July 2005

Download ppt "Information Systems Security Policies & ISO 17799"

Similar presentations

Module N° 7 – SSP training programme

Module N° 7 – SSP training programme
Module N° 4 – ICAO SSP framework

Module N° 4 – ICAO SSP framework
Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
ISMS standards and control processes ISO27001 & ISO27002

ISMS standards and control processes ISO27001 & ISO27002
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Auditing Corporate Information Security John R. Robles Tuesday, November 1, 2005 Tel: 787-647-396.

Auditing Corporate Information Security John R. Robles Tuesday, November 1, Tel:
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Auditing Computer Systems

Auditing Computer Systems
ISO Information Security Management

ISO Information Security Management
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Session 3 – Information Security Policies

Session 3 – Information Security Policies

Similar presentations

Ads by Google