Security Policies and Implementation Issues Lecture 5 How to Design, Organize, Implement, and Maintain IT Security Policies

5/28/2019 Learning Objective Describe how to design, organize, implement, and maintain IT security policies.

Key Concepts Core principles of policy and standards design 5/28/2019 Key Concepts Core principles of policy and standards design Implementing policy and libraries Policy change control board purpose and roles Business drivers for policy and standards changes Best practices for policy management and maintenance

Who, what, when, where, why and How? 5/28/2019 Who, what, when, where, why and How? Youtube: The Electric Company, The Good Charlotte

Architectural Operating Model: Four Business Model Concepts 5/28/2019 Architectural Operating Model: Four Business Model Concepts Diversified Coordinated Replicated Unified Diversified Technology solution has a low level of integration and standardization with the enterprise. Exchange of data and use of services outside the business unit itself is minimal. Coordinated Technology solution shares data across the enterprise. Level of shared services and standardization are minimal. Replicated Technology solution shares services across the enterprise. Level of data sharing is minimal. Unified Technology solution both shares data and has standardized services across the enterprise.

Enterprise Architecture As A Strategy: Creating a Foundation for Business Execution This book explains ways to analyze and categorize the primary operating model of he business based on 4 key concepts that we will be reviewing to understand how IT Policies and Standards align. Why? By focusing on the business model and processes in which the company must execute well, this model provides a baseline approach to understand IT systems needed to digitize or level of automation for those processes. Examples in the book include companies around he world that are profiled by the authors to illustrates how constructing the right enterprise architecture can enhance profitability and time to market, facilitate competitive positioning and improves strategy execution, and includes how it may impact IT costs.

Aligning Operating Model Concepts

Policy and Standards Development Core Principals 5/28/2019 Policy and Standards Development Core Principals Accountability Awareness Ethics Multidisciplinary Proportionality Integration

Policy and Standards Development Core Principals (Continued) 5/28/2019 Policy and Standards Development Core Principals (Continued) Defense in Depth Timeliness Reassessment Democracy Internal Control Adversary

Policy and Standards Development Core Principals (Continued) 5/28/2019 Policy and Standards Development Core Principals (Continued) Least Privilege Separation of Duties Continuity Simplicity Policy-Centered Security

Transparency with Customer Data Individual Participation Purpose Specification Use Limitation Data Minimization Transparency

Security Controls Categorization Schemes What is the control? Administrative controls Technical controls Physical controls What does the control do? Preventive security controls Detective or response controls Corrective controls Recovery controls

IS0/IEC 27002 IS0IEC 27002 Notice Board http://www.iso27001security.com/html/27002.html

Understanding Taxonomy Introduction to ISO 15926, April 14, 2014,  http://infowebml.ws/intro/index.htm 

A Policy and Standards Library Taxonomy 5/28/2019 A Policy and Standards Library Taxonomy

A Policy and Standards Library Taxonomy (Continued) 5/28/2019 A Policy and Standards Library Taxonomy (Continued) Control standards branch out from the Access Control (IS-POL-800) framework policy.

A Policy and Standards Library Taxonomy (Continued) 5/28/2019 A Policy and Standards Library Taxonomy (Continued) Baseline standards and procedures provide additional branches of the library tree.

A Policy and Standards Library Taxonomy (Continued) 5/28/2019 A Policy and Standards Library Taxonomy (Continued) Guidelines provide additional branches of the library tree.

Implementing Policies and Libraries 5/28/2019 Implementing Policies and Libraries Build Consensus Reviews/ Approvals Publication Awareness Training Implementing your policies and libraries entails three major steps: • Reviews and approvals for your documents • Publication of the documents • Awareness and training

Members of the Policy Change Control Board 5/28/2019 Members of the Policy Change Control Board Information Security Compliance Management Auditing Human Resources (HR) Leadership from the key information business units Project Managers (PMs) Members come from functional areas of the organization. The roles for each member would be to approve changes to the policies, reflecting alignment to business objectives. Each functional area oversee policies pertaining to their perspective area of responsibility, while they also play a role in the approval of policy changes that effect the organization as a whole.

Policy Change Control Board 5/28/2019 Policy Change Control Board Assess policies/ standards and recommend changes Coordinate requests for change (RFCs) Ensure that changes support organization’s mission and goals Review requested changes Establish change management process

Best Practices for Policy Maintenance 5/28/2019 Best Practices for Policy Maintenance Updates and revisions Exceptions and waivers Request from users and management Changes to the organization

Business Drivers for Policy and Standards Changes Business-as-usual developments Business exceptions Business innovations Business technology innovations Strategic changes

Summary Core principles of policy and standards design 5/28/2019 Summary Core principles of policy and standards design Implementing policy and libraries Policy change control board purpose and roles Business drivers for policy and standards changes Best practices for policy management and maintenance