
1 Information Security Policy
EECS 711: Security Management and Audit
Molly Coplen, Dan Hein, Dinesh Raveendran

2 EECS 711 Chapter 4 Information Security Policy: Learning Objectives
- Define information security policy and understand its central role in a successful information security program
- Recognize the three major types of information security policy and know what goes into each type
- Develop, implement, and maintain various types of information security policies

3 Introduction
- The success of any information security program lies in policy development
- Policy is the essential foundation of an effective information security program
- Information security policies are central to virtually everything that happens in the information security field
- An effective information security training and awareness effort cannot be initiated without first writing information security policies

4 NIST – Executive Guide to the Protection of Information Resources
“The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency. Your primary responsibility is to set the information resource security policy for the organization within the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality.”
Key wor

5 Basic Rules in Shaping a Policy
- Policy should never conflict with law
- Policy must be able to stand up in court, if challenged
- Policy must be properly supported and administered
- Example: Enron’s dubious business practices and misreporting of the financial records, alongside the accountants’ policy of shredding working papers

6 Why Policy
- A quality information security program begins and ends with policy
- Although information security policies are the least expensive means of control to execute, they are often the most difficult to implement
- Policy controls cost only the time and effort that the management team spends to create, approve, and communicate them, and that employees spend integrating the policies into their daily activities
- The cost of hiring a consultant is minimal compared to technical controls

7 Guidelines for IT Policy
- All policies must contribute to the success of the organization
- Management must ensure the adequate sharing of responsibility for proper use of information systems
- End users of information systems should be involved in the steps of policy formulation

8 Bull’s Eye Model
- Proven mechanism for prioritizing complex changes
- Issues are addressed by moving from the general to the specific
- Focus on systemic solutions instead of individual problems

9 Bull’s Eye Model (Contd)
[Figure: Bull’s Eye Model diagram]

10 Bull’s Eye Model Layers
- Policies – the outer layer in the bull’s eye diagram
- Networks – the place where threats from public networks meet the organization’s networking infrastructure; in the past, most information security efforts have focused on networks, and until recently information security was often thought to be synonymous with network security
- Systems – computers used as servers, desktop computers, and systems used for process control and manufacturing
- Applications – all application systems, ranging from packaged applications such as office automation programs, to high-end ERP packages and custom application software developed by the organization

11 Charles Cresson Wood’s Need for Policy
“…policies are important reference documents for internal audits and for the resolution of legal disputes about management’s due diligence [and] policy documents can act as a clear statement of management’s intent…”

12 Policy, Standards, and Practices
- Policy represents the formal statement of the organization’s managerial policy; in the case of our focus, the organization’s information security philosophy
- Traditionally, communities of interest use policy to express their views, which then become the basis of planning, management, and maintenance of the information security profile
- Policy – generally defined as a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters
- Policies – a set of rules that dictate acceptable and unacceptable behavior within an organization
- Policies direct how issues should be addressed and how technologies should be used
- Policies should not specify the proper operation of equipment or software; that belongs in standards and guidelines

13 Policy, Standards, and Practices (Contd)
- Policies must specify the penalties for unacceptable behavior and define an appeals process
- To execute the policy, the organization must implement a set of standards that clarify and define exactly what is inappropriate in the workplace, and to what degree the organization will act to stop the inappropriate behavior
- Standard – a more detailed statement of what must be done to comply with policy
- Example: technical controls and their associated procedures might be established such that the network blocks access to pornographic websites

14 Policy, Standards, and Practices (Contd)
[Figure: Policy, Standards, and Practices]

15 Types of InfoSec Policies
- Based on NIST Special Publication , the three types of information security policies are:
  - Enterprise information security program policy
  - Issue-specific security policies
  - System-specific security policies
- The usual procedure:
  - First – creation of the enterprise information security policy, the highest level of policy
  - Next – the general policies are met by developing issue- and system-specific policies
- Also outlines the requirements for writing policies for senior managers

16 Enterprise Information Security Policy (EISP)
- EISP sets the strategic direction, scope, and tone for all of an organization’s security efforts
- EISP assigns responsibilities for the various areas of information security, including maintenance of information security policies and the practices and responsibilities of other users
- EISP guides the development, implementation, and management requirements of the information security program, which should be met by InfoSec management, IT development, IT operations, and other specific security functions
- EISP should directly support the mission and vision statements
- Also known as a security program policy, general security policy, IT security policy, high-level information security policy, or, more simply, information security policy
- Must be defensible against legal challenges
- Executive-level document, written by the CISO in consultation with the CIO, typically 2–10 pages long

17 Integrating an Organization’s Mission and Objectives into the EISP
- EISP plays a number of vital roles
- One of its important roles is to state the importance of InfoSec to the organization’s mission and objectives
- InfoSec strategic planning derives from IT strategic planning, which is itself derived from the organization’s strategic planning
- Policy will become confusing if the EISP does not directly reflect this chain of derivation
- Example – an academic institution

18 EISP Elements
- An overview of the corporate philosophy on security
- Information on the structure of the InfoSec organization and the individuals who fulfill the InfoSec role
- Fully articulated responsibilities for security that are shared by all members of the organization
- Fully articulated responsibilities for security that are unique to each role within the organization

19 Components of a Good EISP
- Statement of Purpose
- Information Technology Security Elements
- Need for Information Technology Security
- Information Technology Security Responsibilities and Roles
- Reference to Other Information Technology Standards and Guidelines

20 Issue-Specific Security Policy (ISSP)
- Provides a common understanding of the purposes for which an employee can and cannot use a technology
- Should not be presented as a foundation for legal prosecution
- Protects both the employee and the organization from inefficiency and ambiguity

21 Effective ISSP
- Articulates expectations for use of technology-based systems
- Identifies the processes and authorities that provide documented control
- Indemnifies the organization against liability for an employee’s inappropriate or illegal use of the system

22 ISSP Topics
- Use of Internet, , phone, and office equipment
- Incident response
- Disaster/business continuity planning
- Minimum system configuration requirements
- Prohibitions against hacking/testing security controls
- Home use of company-owned systems
- Use of personal equipment on company networks

23 ISSP Components
- Statement of Purpose – outlines scope and applicability: what is the purpose and who is responsible for implementation
- Authorized Uses – users have no particular rights of use outside those specified in the policy
- Prohibited Uses – common prohibitions: criminal use, personal use, disruptive use, and offensive materials

24 ISSP Components (Contd)
- Systems Management – users’ relationship to systems management; outlines users’ and administrators’ responsibilities
- Violations of Policy – penalties specified for each kind of violation; procedures for (often anonymously) reporting policy violations
- Policy Review/Modification
- Limitations of Liability

25 ISSP Implementation
- Three common approaches for creating/managing ISSPs:
  - Create individual independent ISSP documents, tailored for specific issues
  - Create a single ISSP document covering all issues
  - Create a modular ISSP document unifying overall policy creation/management while addressing specific details with respect to individual issues

26 System-Specific Security Policy (SysSP)
- SysSPs provide guidance and procedures for configuring specific systems, technologies, and applications, for example:
  - Intrusion detection systems
  - Firewall configuration
  - Workstation configuration
- SysSPs are most often technical in nature, but can also be managerial, guiding the application of technology to enforce higher-level policy (e.g., a firewall configured to restrict Internet access)

27 Guidelines for Effective Policy
- Developed using industry-accepted practices
- Distributed using all appropriate methods
- Reviewed or read by all employees
- Understood by all employees
- Formally agreed to by act or assertion
- Uniformly applied and enforced

28 Developing Information Security Policy
- Investigation Phase
- Analysis Phase
- Design Phase
- Implementation Phase
- Maintenance Phase

29 Investigation Phase
- Support from senior management
- Support and active involvement of IT management
- Clear articulation of goals
- Participation by the affected communities of interest
- Detailed outline of the scope of the policy development project

30 Analysis Phase
- The analysis phase should produce the following:
  - A new or recent risk assessment or IT audit documenting the information security needs of the organization
  - A gathering of key reference materials, including any existing policies

31 Design Phase
- Users or organization members acknowledge that they have received and read the policy, for example by:
  - Signature and date on a form
  - Banner screen with a warning

32 Implementation Phase
- Policy development team writes policies
- Resources:
  - The Web
  - Government sites such as NIST
  - Professional literature
  - Peer networks
  - Professional consultants

33 Maintenance Phase
- Policy development team is responsible for monitoring, maintaining, and modifying the policy

34 Policy Distribution
- Hand policy to employees
- Post policy on a public bulletin board
- Intranet
- Document management system

35 Policy Reading
- Barriers to employees’ reading policies:
  - Literacy: 14% of American adults scored at the “below basic” level in prose literacy
  - Language: non-English-speaking residents

36 Policy Comprehension
- Language
  - At a reasonable reading level
  - With minimal technical jargon and management terminology
- Understanding of issues
  - Quizzes

37 Policy Compliance
- Policies must be agreed to by act or affirmation
- Corporations incorporate policy confirmation statements into employment contracts and annual evaluations
- Refusing to agree to policies is tantamount to refusing to work

38 Policy Enforcement
- Uniform and impartial enforcement – must be able to withstand external scrutiny
- High standards of due care with regard to policy management – to defend against claims made by terminated employees

39 Automated Tools
- VigilEnt Policy Center – a centralized policy approval and implementation center
  - Manages the approval process
  - Reduces the need to distribute paper copies
  - Manages policy acknowledgement forms

40 VigilEnt Policy Center Architecture
[Figure: VigilEnt Policy Center architecture; recoverable labels listed by component]
- Administration Site – administrators publish policy docs and quizzes; administrators receive policy docs and quizzes
- VPC Server – sends published policy docs and quizzes to the server for distribution to the user sites
- Company Intranet – policy docs, quizzes, and news items go to the Intranet; user information returns to the company intranet
- User Site – users view policies and quizzes; users read policy docs and complete quizzes

41 Policy Management
- Policy administrator
- Review schedule
- Review procedures and practices
- Policy and revision dates

42 Policy Administrator
- Champion of the policy
- Mid-level staff member
- Solicits input from the business and information security communities
- Makes sure the policy document and subsequent revisions are distributed

43 Review Schedule
- Periodically reviewed for currency and accuracy, and modified to keep current
- Organized schedule of review
- Reviewed at least annually
- Solicit input from representatives of all affected parties, management, and staff

44 Review Procedures and Practices
- Easy submission of recommendations
- All comments examined
- Management-approved changes implemented

45 Policy and Revision Date
- Often published without a date
- Legal issue – are employees complying with an out-of-date policy?
- Should include the date of origin and revision dates; don’t use “today’s date” in the document
- Sunset clause (expiration date)

46 Information Security Policies Made Easy Approach
- Gather key reference materials
- Develop a framework for policies
- Prepare a coverage matrix
- Make critical systems design decisions
- Structure review, approval, and enforcement processes

47 Information Security Policies Made Easy Approach
- Next steps:
  - Post policies
  - Develop a self-assessment questionnaire
  - Develop revised user ID issuance forms
  - Develop an agreement-to-comply-with-InfoSec-policies form
  - Develop tests to determine if workers understand policies

48 Information Security Policies Made Easy Approach
- Next steps (continued):
  - Assign information security coordinators
  - Train information security coordinators
  - Prepare and deliver a basic information security training course
  - Develop application-specific information security policies

49 Information Security Policies Made Easy Approach
- Next steps (continued):
  - Develop a conceptual hierarchy of information security requirements
  - Assign information ownership and custodianship
  - Establish an information security management committee

50 Information Security Policies Made Easy Approach
- Next steps (continued):
  - Develop an information security architecture document
  - Automate policy enforcement through policy servers

51 Final Note
- Policies are a countermeasure to protect assets from threats
- Policies exist to inform employees of acceptable (and unacceptable) behavior
- They are meant to improve employee productivity and prevent potentially embarrassing situations
- They communicate penalties for noncompliance

