IT Security Policy Framework
Policies
Standards
Procedures
Guidelines
Policy
A written statement from an authority declaring a course of action for the sake of expediency.
Example: Policy dictates that all employees will read and sign the AUP (acceptable use policy) before receiving access to the computing system.
Standard
A detailed level of attainment.
IT standards ensure that consistent security controls are adopted.
Example: The Common Criteria have established standards for hardware and software security.
Procedures
A description of the process used to accomplish a task.
Example: A procedure checklist is used to perform and verify backups.
Guidelines
A suggested course of action, which can be specific or general.
Example: The guidelines for a secure password include but are not limited to ...
IT Policy Framework Purpose
The purpose is to achieve an acceptable level of risk.
Data Classification Standards
US Government
Private enterprise
US Government: Executive Order 13526 (2009)
Top Secret
Secret
Confidential
Unclassified information
Top Secret
Would cause grave damage to national security if it were disclosed.

Secret
Would cause serious damage to national security if it were disclosed.

Confidential
Would cause damage to national security if it were disclosed.

Unclassified
Public domain information is considered unclassified and is not part of the classification standard.
Guidelines
Yes, there are guidelines for separating information into the appropriate categories.

Unclassified
Would you believe there are classifications for unclassified information?

Unclassified
Poses no threat to national security if exposed.

Controlled Unclassified
For official use only.
Alternative classifications
Top Secret
Secret
Confidential
Restricted
Protected
Unclassified
Private Enterprise Data Classification*
*(Kim, Solomon)
Private
Confidential
Internal use only
Public domain data
Private
Data about people. Example: health care records (covered by compliance laws like HIPAA), payroll information, employee records (use encryption for these records).

Confidential
Information owned by the enterprise: customer lists, pricing information, intellectual property, internal-use-only information, proprietary technology (encryption).

Internal Use Only
Information shared internally by an organization. Most internal communications are not intended to be shared.

Public Domain Data
Shared with the public: web site content, white papers.
Alternative
Confidential, Restricted, Protected, Unclassified (public)

Alternative: Confidential
Disclosure would substantially undermine the financial viability of the organization.

Alternative: Restricted
Disclosure would cause a substantial loss of earning potential or give an advantage to competitors.

Alternative: Protected
Disclosure would cause financial loss.
Data Classification Challenges
Perfection is the enemy of the good!
If you insist on perfection, your system will be difficult to implement. Employees must be properly educated in order to classify data effectively.
If the scheme is too complex, it will fail due to lack of use. You are better served by keeping your classification scheme simple (no more complex than is necessary).
Development and implementation of a data classification scheme will require resources. If it is complex, it will likely be expensive to implement.
Implementation Tips
Understand what is achievable: any data classification policy must become less complex as more individuals become involved in implementing the policy.
Those who have something at stake should be involved in the data classification policy development.
Provide appropriate education and visibility. Any data classification scheme should be posted on the company/agency internal web page.
Align your data classification scheme with regulatory (compliance) requirements.
Compliance Laws
Legislation exists mandating security controls to protect private and confidential data.

Example Compliance Legislation
SOX (Sarbanes-Oxley, 2002): Requires security controls to protect the confidentiality and integrity of financial reporting.
GLBA (Gramm-Leach-Bliley, 1999): Financial institutions must protect clients' private financial information.
HIPAA (Health Insurance Portability and Accountability, 1996): Health care organizations must secure patient information.
CIPA (Children's Internet Protection Act, 2000): Requires public schools and public libraries to implement an Internet safety policy.
FERPA (Family Educational Rights and Privacy Act, 1974): Protects the school records and other private data of students.

Example Compliance Standard
PCI-DSS (Payment Card Industry Data Security Standard): An information security standard for organizations that handle payment card information (debit, credit, prepaid, ATM, etc.).
Professionalization of the SA Discipline
Establishment of professional societies/organizations
Credentials by study and examination
University degrees

Example Professional Organizations
LISA (SAGE), Large Installation System Administration
(ISC)2 – International Information Systems Security Certification Consortium

Professional Organizations
Offer credentials through study and examination
Code of ethics
Professional networking
A forum for sharing new technology, ideas, etc.

Recommended Areas of Knowledge
Access controls
Cryptography
Network security
Risk management
Application development security
Legal regulations and compliance
Operations security