IT Security Policy Framework
- Policies
- Standards
- Procedures
- Guidelines

Policy
A written statement from an authority declaring a course of action for the sake of expediency.
Example: Policy dictates that all employees will read and sign the AUP before receiving access to the computing system.

Standard
A detailed level of attainment. IT standards ensure that consistent security controls are adopted.
Example: The Common Criteria have established standards for hardware and software security.

Procedures
A description of the process used to accomplish a task.
Example: A procedure checklist is used to perform and verify backups.

Guidelines
A suggested course of action, which can be specific or general.
Example: The guidelines for a secure password include but are not limited to ...

IT Policy Framework Purpose
The purpose is to achieve an acceptable level of risk.

Data Classification Standards
- US Government
- Private enterprise

Data Classification Challenges
Perfection is the enemy of the good!
- If you insist on perfection, your system will be difficult to implement.
- Employees must be properly educated in order to classify data effectively.
- If the scheme is too complex, it will fail due to lack of use; you are better served by keeping your classification scheme simple (no more complex than is necessary).
- Development and implementation of a data classification scheme will require resources; if it is complex, it will likely be expensive to implement.

Implementation Tips
- Understand what is achievable: any data classification policy must become less complex as more individuals become involved in implementing the policy.
- Those who have something at stake should be involved in the data classification policy development.
- Provide appropriate education and visibility. Any data classification scheme should be posted on the company/agency internal web page.
- Align your data classification scheme with regulatory (compliance) requirements.

Compliance Laws
Legislation exists mandating security controls to protect private and confidential data.

Example Compliance Legislation
- SOX (Sarbanes-Oxley, 2002): Requires security controls to protect the confidentiality and integrity of financial reporting.
- GLBA (Gramm-Leach-Bliley, 1999): Financial institutions must protect clients' private financial information.
- HIPAA (Health Insurance Portability and Accountability, 1996): Health care organizations must secure patient information.
- CIPA (Children's Internet Protection Act, 2000): Requires public schools and public libraries to implement an Internet safety policy.
- FERPA (Family Educational Rights and Privacy Act, 1974): Protects the school records and other private data of students.

Example Compliance Standard
PCI-DSS (Payment Card Industry Data Security Standard): An information security standard for organizations that handle payment card information.
- Debit
- Credit
- Prepaid
- ATM
- etc.

Professionalization of the SA Discipline
- Establishment of professional societies/organizations
- Credentials
  - By study and examination
  - University degrees

Example Professional Organizations
- LISA (SAGE), Large Installation System Administration
- (ISC)2 – International Information Systems Security Certification Consortium

Professional Organizations
- Offer credentials through study and examination
- Code of ethics
- Professional networking
- A forum for sharing new technology, ideas, etc.

Recommended Areas of Knowledge
- Access controls
- Cryptography
- Network security
- Risk management
- Application development security
- Legal regulations and compliance
- Operations security