IT Security Policy Framework
- Policies
- Standards
- Procedures
- Guidelines
Policy: A written statement from an authority declaring a course of action for the sake of expediency. Example: Policy dictates that all employees will read and sign the AUP before receiving access to the computing system.
Standard: A detailed level of attainment. IT standards ensure that consistent security controls are adopted. Example: The Common Criteria have established standards for hardware and software security.
Procedures: A description of the process used to accomplish a task. Example: A procedure checklist is used to perform and verify backups.
Guidelines: A suggested course of action, which can be specific or general. Example: The guidelines for a secure password include but are not limited to ...
IT Policy Framework Purpose: The purpose is to achieve an acceptable level of risk.
Data Classification Standards
- US Government
- Private enterprise
US Government: Executive Order 13526 (2009)
- Top Secret
- Secret
- Confidential
- Unclassified information
Top Secret: Would cause grave damage to national security if it were disclosed.
Secret: Would cause serious damage to national security if it were disclosed.
Confidential: Would cause damage to national security if it were disclosed.
Unclassified: Public domain information is considered unclassified and is not part of the classification standard.
Guidelines: Yes, there are guidelines for separating information into the appropriate categories.
Unclassified: Would you believe there are classifications for unclassified information?
- Unclassified: Poses no threat to national security if exposed.
- Controlled Unclassified: For official use only.
Alternative classifications
- Top Secret
- Secret
- Confidential
- Restricted
- Protected
- Unclassified
Private Enterprise Data Classification (Kim, Solomon)
- Private
- Confidential
- Internal use only
- Public domain data
Private: Data about people. Examples: health care records (covered by compliance laws like HIPAA), payroll information, employee records (use encryption for these records).
Confidential: Information owned by the enterprise. Examples: customer lists, pricing information, intellectual property, internal use only information, proprietary technology (use encryption).
Internal Use Only: Information shared internally by an organization. Most internal communications are not intended to be shared.
Public Domain Data: Shared with the public. Examples: web site content, white papers.
Alternative: Confidential, Restricted, Protected, Unclassified (public)
- Alternative Confidential: Disclosure would substantially undermine the financial viability of the organization.
- Alternative Restricted: Disclosure would cause a substantial loss of earning potential and give an advantage to competitors.
- Alternative Protected: Disclosure would cause financial loss.
Data Classification Challenges
- Perfection is the enemy of the good! If you insist on perfection, your system will be difficult to implement.
- Employees must be properly educated in order to classify data effectively.
- If the scheme is too complex, it will fail due to lack of use. You are better served by keeping your classification scheme simple (no more complex than is necessary).
- Development and implementation of a data classification scheme will require resources. If it is complex, it will likely be expensive to implement.
Implementation Tips
- Understand what is achievable: any data classification policy must become less complex as more individuals become involved in implementing the policy.
- Those who have something at stake should be involved in the data classification policy development.
- Provide appropriate education and visibility. Any data classification scheme should be posted on the company/agency internal web page.
- Align your data classification scheme with regulatory (compliance) requirements.
Compliance Laws: Legislation exists mandating security controls to protect private and confidential data.
Example Compliance Legislation
- SOX (Sarbanes-Oxley, 2002): Requires security controls to protect the confidentiality and integrity of financial reporting.
- GLBA (Gramm-Leach-Bliley, 1999): Financial institutions must protect clients' private financial information.
- HIPAA (Health Insurance Portability and Accountability, 1996): Health care organizations must secure patient information.
- CIPA (Children's Internet Protection Act, 2000): Requires public schools and public libraries to implement an Internet safety policy.
- FERPA (Family Educational Rights and Privacy Act, 1974): Protects the school records and other private data of students.
Example Compliance Standard
- PCI-DSS (Payment Card Industry Data Security Standard): An information security standard for organizations that handle payment card information (debit, credit, prepaid, ATM, etc.).
Professionalization of the SA Discipline
- Establishment of professional societies/organizations
- Credentials by study and examination
- University degrees
Example Professional Organizations
- LISA (SAGE): Large Installation System Administration
- (ISC)2: International Information Systems Security Certification Consortium
Professional Organizations
- Offer credentials through study and examination
- Code of ethics
- Professional networking
- A forum for sharing new technology, ideas, etc.
Recommended Areas of Knowledge
- Access controls
- Cryptography
- Network security
- Risk management
- Application development security
- Legal regulations and compliance
- Operations security