IT Security Policy Framework

IT Security Policy Framework: Policies, Standards, Procedures, Guidelines

Policy: A written statement from an authority declaring a course of action for the sake of expediency. Example: Policy dictates that all employees will read and sign the AUP before receiving access to the computing system.

Standard: A detailed level of attainment. IT standards ensure that consistent security controls are adopted. Example: The Common Criteria have established standards for hardware and software security.

Procedures: A description of the process used to accomplish a task. Example: A procedure checklist is used to perform and verify backups.

Guidelines: A suggested course of action, which can be specific or general. Example: The guidelines for a secure password include but are not limited to ...

IT Policy Framework Purpose: To achieve an acceptable level of risk.

Data Classification Standards: US Government; Private enterprise

US Government, Executive Order 13526 (2009): Top Secret, Secret, Confidential, Unclassified information

Top Secret: Would cause grave damage to national security if it were disclosed.

Secret: Would cause serious damage to national security if it were disclosed.

Confidential: Would cause damage to national security if it were disclosed.

Unclassified: Public domain information is considered unclassified and is not part of the classification standard.

Guidelines: Yes, there are guidelines for separating information into the appropriate categories.

Unclassified: Would you believe there are classifications for unclassified information?

Unclassified: Poses no threat to national security if exposed.

Controlled Unclassified: For official use only.

Alternative classifications: Top Secret, Secret, Confidential, Restricted, Protected, Unclassified

Private Enterprise Data Classification* (*Kim, Solomon): Private, Confidential, Internal use only, Public domain data

Private: Data about people. Examples: health care records (subject to compliance laws like HIPAA), payroll information, employee records (use encryption for these records).

Confidential: Information owned by the enterprise. Examples: customer lists, pricing information, intellectual property, internal-use-only information, proprietary technology (encryption).

Internal Use Only: Information shared internally by an organization. Most internal communications are not intended to be shared.

Public Domain Data: Shared with the public. Examples: web site content, white papers.

Alternative: Confidential, Restricted, Protected, Unclassified (public)

Alternative Confidential: Disclosure would substantially undermine the financial viability of the organization.

Alternative Restricted: Disclosure would cause a substantial loss of earning potential or give an advantage to competitors.

Alternative Protected: Disclosure would cause financial loss.

Data Classification Challenges: Perfection is the enemy of the good! If you insist on perfection, your system will be difficult to implement. Employees must be properly educated in order to classify data effectively.

Data Classification Challenges: Perfection is the enemy of the good! If the scheme is too complex, it will fail due to lack of use. You are better served by keeping your classification scheme simple (no more complex than is necessary).

Data Classification Challenges: Perfection is the enemy of the good! Development and implementation of a data classification scheme will require resources. If it is complex, it will likely be expensive to implement.

Implementation Tips: Understand what is achievable – any data classification policy must become less complex as more individuals become involved in implementing the policy.

Implementation Tips: Those who have something at stake should be involved in the data classification policy development.

Implementation Tips: Provide appropriate education and visibility. Any data classification scheme should be posted on the company/agency internal web page.

Implementation Tips: Align your data classification scheme with regulatory (compliance) requirements.

Compliance Laws: Legislation exists mandating security controls to protect private and confidential data.

Example Compliance Legislation, SOX (Sarbanes-Oxley, 2002): Requires security controls to protect the confidentiality and integrity of financial reporting.

Example Compliance Legislation, GLBA (Gramm-Leach-Bliley, 1999): Financial institutions must protect clients' private financial information.

Example Compliance Legislation, HIPAA (Health Insurance Portability and Accountability, 1996): Health care organizations must secure patient information.

Example Compliance Legislation, CIPA (Children's Internet Protection Act, 2000): Requires public schools and public libraries to implement an Internet safety policy.

Example Compliance Legislation, FERPA (Family Educational Rights and Privacy Act, 1974): Protects the school records and other private data of students.

Example Compliance Standard, PCI-DSS (Payment Card Industry Data Security Standard): An information security standard for organizations that handle payment card information (debit, credit, prepaid, ATM, etc.).

Professionalization of the SA (system administration) Discipline: Establishment of professional societies/organizations; credentials earned by study and examination; university degrees.

Example Professional Organizations: LISA (SAGE), Large Installation System Administration; (ISC)2, International Information Systems Security Certification Consortium.

Professional Organizations: Offer credentials through study and examination; a code of ethics; professional networking; a forum for sharing new technology, ideas, etc.

Recommended Areas of Knowledge: Access controls, cryptography, network security, risk management, application development security, legal regulations and compliance, operations security.