Developing Information Security Policy

Why is Developing Good Security Policy Difficult?
Effective Security/IA Policy is more than locking doors and changing passwords
Must reflect the entire enterprise/organization and its business goals and mission areas
Needs to address a multitude of issues:
– Human resources
– IT
– Physical Security
– Costs
– Governance

Why is Developing Good Security Policy Difficult?
Must be comprehensive
To be effective the policy must be unambiguous
Must be a human document – not technical

Getting Started
“The first step toward enhancing an organization’s security is the development and implementation of a precise, yet enforceable security policy, informing staff of the various aspects of their responsibilities, general use of organizational resources, and explaining how sensitive information must be handled. The policy will also describe in detail the meaning of the term acceptable use, as well as listing prohibited activities.”
– Building and Implementing a Successful Information Security Policy, by Dancho Danchev, WindowSecurity.com, 2003

Know the Organization
When developing a Security/IA Policy it is critical to first know the organization:
– Business model
– Goals/Mission
– Organizational Personality
– Structure

Risk Analysis
Policy developer(s) need to know the risks facing an organization
Either conduct a Risk Analysis or access existing risk data
Understand how the organization does or intends to manage risk
Must include a Vulnerability Assessment

Risk Assessment
Risk management approaches are better for connecting to business drivers and for protecting the right assets. However, even risk-based approaches are limiting if there is no enterprise context or view:
– Organizations are often not likely to act on findings even when they direct or perform the assessment
– Operational unit strategies for protecting assets frequently collide with enterprise barriers, such as a lack of security policy or training
– Operational units cannot devise and deploy an effective protection strategy for the enterprise
Therefore – the need for effective policy!!

Vulnerability Assessment
Technology-based approaches such as vulnerability management approaches aren’t enough:
– Reactive
– Tool driven
– Focused in the technical domain
– Performed by technicians (IT) primarily
– Lack of connection to business drivers, mission
– Security relegated to the responsibility of IT
– IT-based security decisions based on their drivers
– Focused on information or network security, but not administration, operations, or infrastructure (physical)

Standards
Know and understand the organizational standards that will be used for guidance within the policy.
Can be broader-based standards adopted by the organization
Used as a basis for developing comprehensive and enforceable policy
Shall, Will, Must!!!

Issue Statements
These statements define each of the issues addressed within the policy document:
– Access control
– Unauthorized software
– Unauthorized use
– Data protection
– Personnel requirements
– Etc.

Applicability
Identifies Where, How, When, To Whom and To What the security/IA policy applies
Making this clear is critical to governance/enforcement
Critical to eliminating ambiguities

Establish Responsibilities
Clarifies who is responsible for what or whom
Can be an effective way to bring the organization together
Sharing responsibility for organizational security can expand the number of people who believe they are stakeholders in the success of the organization
Important for compliance

Compliance
Compliance requirements must be precise
Should be applied equally within the organization
Needs to define consequences of compliance failures
Consequences do not have to be punitive
Punitive measures should be able to be applied at all levels of an organization
Compliance issues should be described as a means of ensuring success – not just identifying failure

Points of Contact
It is essential that people within an organization know who to contact with security issues
Questions on security/IA policy should be able to be resolved rapidly and clearly
Security policy management should be seen as an asset to the workings of the organization

Visibility
To be effective a security/IA policy must be visible
Readily available to all personnel
Should be provided at hire
Security training must be part of indoctrination
Continued training and security awareness should be part of the organizational culture

Policy Challenges
Potential barriers to success for developing a security/IA policy that is effective across the enterprise:
– fail to realize security management is a business issue as well as a technological challenge
– security goals are aligned with the CIO, not the organization
– good policy needs more than IT to work together to achieve information security goals
– effective policy will convince organizational units other than IT that they should care about information security

Policy Challenges
Security/IA Policy has to be part of the strategic plan for an organization
Security strategies must also enable the organization, but must be balanced against potentially limiting the achievement of other strategic objectives