Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.

Policy Review (Top-Down Methodology) Lesson 7

Policies From the Peltier Text, p. 81
"The cornerstones of effective information security programs are well-written policy statements. This is the wellspring of all other directives, standards, procedures, guidelines, and other supporting documents."
"The top-down portion of the network vulnerability assessment (NVA) looks at the policies requested in the Pre-NVA Checklist."

Documents from checklist
- Network Topology (diagram)
- Firewall Architecture
- Remote Access Server Architecture
- Detailed list of Mission-Critical Applications
  - Brief description (purpose)
  - Data storage method (database)
  - Who is the data owner/administrator?
  - Who are the users (job title)?
  - Security mechanisms
  - Sensitive or critical data
- Information Security Policies
  - Password & ID Policy
  - Confidential information policies and procedures
  - Data classification
  - System Access Policy and Procedures
- Corporate Communication Policies
  - Electronic/paper communications
  - Disposal Policy
  - Internet Usage Policy
- Mission Statements
- Organization Charts

Policy Management Life Cycle

Some Definitions
- Policy: A high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area.
- General Program Policy: Sets the strategic directions of the enterprise for global behavior and assigns resources for its implementation (e.g. conflict of interest, standards of conduct, ...).
- Topic-specific policy: Addresses specific issues of concern to the organization (e.g. Internet and phone usage, physical security, ...).
- System- or Application-specific policy: Focuses on decisions taken by management to protect a particular application or system.
Exhibit 1, p. 85-86, contains a list of possible policies.

Components of a policy
- Topic: Defines the goals of the policy.
- Scope: Used to broaden or narrow the topic.
- Responsibilities: Who is responsible for what actions.
- Compliance: Discusses what actions occur when an individual is found to be in noncompliance and what actions an organization must take when it is found to be in noncompliance.

Writing (or reviewing) a policy: the "5 W's of Journalism 101" (and 1 H)
- What: what is to be protected (the topic)
- Who: who is responsible (responsibilities)
- Where: where within the organization does the policy reach (scope)
- How: how compliance will be monitored (compliance)
- When: when does the policy take effect
- Why: why the policy was developed
The last two may not actually appear in the policy itself; when and why are often covered in a cover letter issued with the policy.

The Information Security Policy
Should:
- Be approved by management
- Be published and communicated to all employees
- State management commitment
- Outline the organization's approach to managing information security
Should include:
- A definition of information security
- A statement of management intent, supporting the goals and principles of information security
- A definition of general and specific responsibilities
- References to documentation that may support the policy

From The Texas Code

California SB 1386
This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Any customer injured by a violation of this title may institute a civil action to recover damages.

GLB
- Requires clear disclosure by all financial institutions of their privacy policy regarding the sharing of non-public personal information with both affiliates and third parties.
- Requires a notice to consumers and an opportunity to "opt out" of sharing of non-public personal information with nonaffiliated third parties, subject to certain limited exceptions.
- Clarifies that the disclosure of a financial institution's privacy policy is required to take place at the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship.

Sarbanes-Oxley Act of 2002
- The result of a number of corporate accounting scandals.
- Mandates specific actions to improve corporate reporting.
- Reaffirms the necessity of the financial statement audit process and the role of external auditors.
- IT security and controls are considered part of effective fraud management.

HIPAA (Health Insurance Portability and Accountability Act)
- Standards require that measures be taken to secure health information covered by this act while in the custody of entities governed by HIPAA, as well as in transit between covered entities and from covered entities to others.
- Aims to ensure the confidentiality, integrity, and availability of electronic protected health information.

Some useful (possibly) documents
- NIST Special Publication , "Generally Accepted Principles and Practices for Securing Information Technology Systems": includes discussion of policies and risk management.
- NIST Special Publication , "Recommended Security Controls for Federal Information Systems": includes discussion of "Baseline Security Controls" at three levels (low, medium, high).
- NIST Special Publication , "Security Self-Assessment Guide for Information Technology Systems": has a useful checklist as well as a method to interpret results.
- NIST Special Publication , "Guide for Developing Security Plans for Information Technology Systems".

A final note...
Download from the web site and read the document "Building and Implementing a Successful Information Security Policy" by Dancho Danchev at windowsecurity.com.

Summary
- What is the importance and significance of this material?
- How does this topic fit into the subject of "Security Risk Analysis"?