IT Security Policy Framework ● Policies ● Standards ● Procedures ● Guidelines.

Presentation transcript:

IT Security Policy Framework ● Policies ● Standards ● Procedures ● Guidelines

Policy ● A written statement from an authority declaring a course of action for the sake of expediency. – Example: Policy dictates that all employees will read and sign the AUP before receiving access to the computing system.

Standard ● A detailed level of attainment. – IT standards ensure that consistent security controls are adopted. – Example: The Common Criteria have established standards for hardware and software security.

Procedures ● A description of the process used to accomplish a task. – Example: A procedure checklist is used to perform and verify backups.

Guidelines ● A suggested course of action which can be specific or general. – Example: The guidelines for a secure password include but are not limited to...

IT Policy Framework Purpose ● The purpose is to achieve an acceptable level of risk.

Data Classification Standards ● US Government ● Private enterprise

US Government ● Executive order (2009) – Top secret – Secret – Confidential – Public domain information is considered unclassified and is not part of the classification standard.

Top Secret ● Would cause grave damage to national security if it were disclosed.

Secret ● Would cause serious damage to national security if it were disclosed.

Confidential ● Would cause damage to national security if it were disclosed.

Guidelines ● Yes, there are guidelines for separating information into the appropriate categories.

Unclassified ● Would you believe there are classifications for unclassified information?

Unclassified ● Poses no threat to national security if exposed.

Controlled Unclassified ● For official use only. – Example: law enforcement classified

Alternative classifications ● Top Secret ● Secret ● Confidential ● Restricted ● Protect ● Unclassified

Private Enterprise Data Classification (Kim, Solomon) ● Private ● Confidential ● Internal use only ● Public domain data

Private ● Data about people. – Example: personal data regulated by compliance laws such as HIPAA.

Confidential ● Information owned by the enterprise – Customer lists – Pricing information – Intellectual property – Internal use only information

Internal Use Only ● Information shared internally by an organization. – Most communications are not intended to be shared.

Public Domain Data ● Shared with the public – Web site content – White papers

Alternative ● Confidential ● Restricted ● Protected ● Unclassified (public)

Alternative ● Confidential – Disclosure would substantially undermine the financial viability of the organization.

Alternative ● Restricted – Disclosure would cause a substantial loss of earning potential or give an advantage to competitors.

Alternative ● Protected – Disclosure would cause financial loss.

Data Classification Challenges ● Perfection is the enemy of the good! – If you insist on perfection, your system will be difficult to implement. – Employees must be properly educated in order to classify data effectively.

Data Classification Challenges ● Perfection is the enemy of the good! – If the scheme is too complex, it will fail through lack of use. – You are better served by keeping your classification scheme simple (no more complex than is necessary).

Data Classification Challenges ● Perfection is the enemy of the good! – Development and implementation of a data classification scheme will require resources. – If it is complex, it will likely be expensive to implement.

Implementation Tips ● Understand what is achievable. – Any data classification policy must become less complex as more individuals become involved in implementing the policy.

Implementation Tips ● Those who have something at stake should be involved in the data classification policy development.

Implementation Tips ● Provide appropriate education and visibility. – Any data classification scheme should be posted on the company/agency internal web page.

Implementation Tips ● Align your data classification scheme with regulatory (compliance) requirements.

Compliance Laws ● Legislation exists mandating security controls to protect private and confidential data.

Example Compliance Legislation ● SOX (Sarbanes-Oxley, 2002) – Requires security controls to protect the confidentiality and integrity of financial reporting.

Example Compliance Legislation ● GLBA (Gramm-Leach-Bliley, 1999) – Financial institutions must protect clients' private financial information.

Example Compliance Legislation ● HIPAA (Health Insurance Portability and Accountability Act, 1996) – Health care organizations must secure patient information.

Example Compliance Legislation ● CIPA (Children's Internet Protection Act, 2000) – Requires public schools and public libraries to implement an Internet safety policy.

Example Compliance Legislation ● FERPA (Family Educational Rights and Privacy Act, 1974) – Protects the school records and other private data of students.

Example Compliance Standard ● PCI-DSS (Payment Card Industry Data Security Standard) – An information security standard for organizations that handle payment card information. ● Debit ● Credit ● Prepaid ● ATM ● etc.

Professionalization of the SA (System Administration) Discipline ● Establishment of professional societies/organizations ● Credentials – By study and examination – University degrees

Example Professional Organizations ● LISA (SAGE): Large Installation System Administration ● (ISC)² – International Information Systems Security Certification Consortium

Professional Organizations ● Offer credentials through study and examination ● Code of ethics ● Professional networking ● A forum for sharing new technology, ideas, etc.

Recommended Areas of Knowledge ● Access controls ● Cryptography ● Network security ● Risk management ● Application development security ● Legal regulations and compliance ● Operations security