Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Policies and Implementation Issues

Published byΤάνις Δάβης Modified over 5 years ago

Similar presentations

Presentation on theme: "Security Policies and Implementation Issues"— Presentation transcript:

1 Security Policies and Implementation Issues
Lecture 5 How to Design, Organize, Implement, and Maintain IT Security Policies

2 5/28/2019 Learning Objective Describe how to design, organize, implement, and maintain IT security policies.

3 Key Concepts Core principles of policy and standards design
5/28/2019 Key Concepts Core principles of policy and standards design Implementing policy and libraries Policy change control board purpose and roles Business drivers for policy and standards changes Best practices for policy management and maintenance

4 Who, what, when, where, why and How?
5/28/2019 Who, what, when, where, why and How? Youtube: The Electric Company, The Good Charlotte

5 Architectural Operating Model: Four Business Model Concepts
5/28/2019 Architectural Operating Model: Four Business Model Concepts Diversified Coordinated Replicated Unified Diversified Technology solution has a low level of integration and standardization with the enterprise. Exchange of data and use of services outside the business unit itself is minimal. Coordinated Technology solution shares data across the enterprise. Level of shared services and standardization are minimal. Replicated Technology solution shares services across the enterprise. Level of data sharing is minimal. Unified Technology solution both shares data and has standardized services across the enterprise.

6 Enterprise Architecture As A Strategy: Creating a Foundation for Business Execution
This book explains ways to analyze and categorize the primary operating model of he business based on 4 key concepts that we will be reviewing to understand how IT Policies and Standards align. Why? By focusing on the business model and processes in which the company must execute well, this model provides a baseline approach to understand IT systems needed to digitize or level of automation for those processes. Examples in the book include companies around he world that are profiled by the authors to illustrates how constructing the right enterprise architecture can enhance profitability and time to market, facilitate competitive positioning and improves strategy execution, and includes how it may impact IT costs.

7 Aligning Operating Model Concepts

8 Policy and Standards Development Core Principals
5/28/2019 Policy and Standards Development Core Principals Accountability Awareness Ethics Multidisciplinary Proportionality Integration

9 Policy and Standards Development Core Principals (Continued)
5/28/2019 Policy and Standards Development Core Principals (Continued) Defense in Depth Timeliness Reassessment Democracy Internal Control Adversary

10 Policy and Standards Development Core Principals (Continued)
5/28/2019 Policy and Standards Development Core Principals (Continued) Least Privilege Separation of Duties Continuity Simplicity Policy-Centered Security

11 Transparency with Customer Data
Individual Participation Purpose Specification Use Limitation Data Minimization Transparency

12 Security Controls Categorization Schemes
What is the control? Administrative controls Technical controls Physical controls What does the control do? Preventive security controls Detective or response controls Corrective controls Recovery controls

13 IS0/IEC 27002 IS0IEC 27002 Notice Board

14 Understanding Taxonomy
Introduction to ISO 15926, April 14, 2014,  

15 A Policy and Standards Library Taxonomy
5/28/2019 A Policy and Standards Library Taxonomy

16 A Policy and Standards Library Taxonomy (Continued)
5/28/2019 A Policy and Standards Library Taxonomy (Continued) Control standards branch out from the Access Control (IS-POL-800) framework policy.

17 A Policy and Standards Library Taxonomy (Continued)
5/28/2019 A Policy and Standards Library Taxonomy (Continued) Baseline standards and procedures provide additional branches of the library tree.

18 A Policy and Standards Library Taxonomy (Continued)
5/28/2019 A Policy and Standards Library Taxonomy (Continued) Guidelines provide additional branches of the library tree.

19 Implementing Policies and Libraries
5/28/2019 Implementing Policies and Libraries Build Consensus Reviews/ Approvals Publication Awareness Training Implementing your policies and libraries entails three major steps: • Reviews and approvals for your documents • Publication of the documents • Awareness and training

20 Members of the Policy Change Control Board
5/28/2019 Members of the Policy Change Control Board Information Security Compliance Management Auditing Human Resources (HR) Leadership from the key information business units Project Managers (PMs) Members come from functional areas of the organization. The roles for each member would be to approve changes to the policies, reflecting alignment to business objectives. Each functional area oversee policies pertaining to their perspective area of responsibility, while they also play a role in the approval of policy changes that effect the organization as a whole.

21 Policy Change Control Board
5/28/2019 Policy Change Control Board Assess policies/ standards and recommend changes Coordinate requests for change (RFCs) Ensure that changes support organization’s mission and goals Review requested changes Establish change management process

22 Best Practices for Policy Maintenance
5/28/2019 Best Practices for Policy Maintenance Updates and revisions Exceptions and waivers Request from users and management Changes to the organization

23 Business Drivers for Policy and Standards Changes
Business-as-usual developments Business exceptions Business innovations Business technology innovations Strategic changes

24 Summary Core principles of policy and standards design
5/28/2019 Summary Core principles of policy and standards design Implementing policy and libraries Policy change control board purpose and roles Business drivers for policy and standards changes Best practices for policy management and maintenance

Download ppt "Security Policies and Implementation Issues"

Similar presentations

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
ISS IT Assessment Framework

ISS IT Assessment Framework
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Introduction to Systems Analysis and Design

Introduction to Systems Analysis and Design
Chapter 16 16-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
ISO 9001:2015 Revision overview - General users

ISO 9001:2015 Revision overview - General users
Organize to improve Data Quality Data Quality?. © 2012 GS1 To fully exploit and utilize the data available, a strategic approach to data governance at.

Organize to improve Data Quality Data Quality?. © 2012 GS1 To fully exploit and utilize the data available, a strategic approach to data governance at.
NASA IT Governance Overview Gary Cox August 18, 2010.

NASA IT Governance Overview Gary Cox August 18, 2010.
Roles and Responsibilities

Roles and Responsibilities
1.  Describe an overall framework for project integration management ◦ RelatIion to the other project management knowledge areas and the project life.

1.  Describe an overall framework for project integration management ◦ RelatIion to the other project management knowledge areas and the project life.
MD Digital Government Summit, June 26, 2006 1 Maryland Project Management Oversight & System Development Life Cycle (SDLC) Robert Krauss MD Digital Government.

MD Digital Government Summit, June 26, Maryland Project Management Oversight & System Development Life Cycle (SDLC) Robert Krauss MD Digital Government.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 MISA Model Douglas Petry Manager Information Security Architecture Methodist Health System 402.354.4894 Managed Information Security.

1 MISA Model Douglas Petry Manager Information Security Architecture Methodist Health System Managed Information Security.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Information Security IBK3IBV01 College 3 Paul J. Cornelisse.

Information Security IBK3IBV01 College 3 Paul J. Cornelisse.

Similar presentations

Ads by Google