
1 Developing Information Security Policy

2 Why is Developing Good Security Policy Difficult?
Effective Security/IA Policy is more than locking doors and changing passwords
Must reflect the entire enterprise/organization and its business goals and mission areas
Needs to address a multitude of issues
  – Human resources
  – IT
  – Physical Security
  – Costs
  – Governance

3 Why is Developing Good Security Policy Difficult?
Must be comprehensive
To be effective the policy must be unambiguous
Must be a human document – not technical

4 Getting Started
“The first step toward enhancing an organization’s security is the development and implementation of a precise, yet enforceable security policy, informing staff of the various aspects of their responsibilities, general use of organizational resources, and explaining how sensitive information must be handled. The policy will also describe in detail the meaning of the term acceptable use, as well as listing prohibited activities.”
Building and Implementing a Successful Information Security Policy, by Dancho Danchev, WindowSecurity.com, 2003

5 Know the Organization
When developing a Security/IA Policy it is critical to first know the organization
  – Business model
  – Goals/Mission
  – Organizational Personality
  – Structure

6 Risk Analysis
Policy developer(s) need to know the risks facing an organization
Either conduct a Risk Analysis or access existing risk data
Understand how the organization does or intends to manage risk
Must include a Vulnerability Assessment

7 Risk Assessment
Risk management approaches are better for connecting to business drivers and for protecting the right assets. However, even risk-based approaches are limiting if there is no enterprise context or view:
  – Organizations are often not likely to act on findings even when they direct or perform the assessment
  – Operational unit strategies for protecting assets frequently collide with enterprise barriers, such as a lack of security policy or training
  – Operational units cannot devise and deploy an effective protection strategy for the enterprise
Therefore – the need for effective policy!!

8 Vulnerability Assessment
Technology-based approaches such as vulnerability management aren’t enough
  – Reactive
  – Tool driven
  – Focused in the technical domain
  – Performed primarily by technicians (IT)
  – Lack of connection to business drivers and mission
  – Security relegated to the responsibility of IT
  – IT-based security decisions driven by IT’s own drivers
  – Focused on information or network security, but not administration, operations, or infrastructure (physical)

9 Standards
Know and understand the organizational standards that will be used for guidance within the policy.
Can be broader-based standards adopted by the organization
Used as a basis for developing comprehensive and enforceable policy
Shall, Will, Must!!!

10 Issue Statements
These statements define each of the issues addressed within the policy document
  – Access control
  – Unauthorized software
  – Unauthorized use
  – Data protection
  – Personnel requirements
  – Etc.

11 Applicability
Identifies Where, How, When, To Whom and To What the security/IA policy applies
Making this clear is critical to governance/enforcement
Critical to eliminating ambiguities

12 Establish Responsibilities
Clarifies who is responsible for what or whom
Can be an effective way to bring the organization together
Sharing responsibility for organizational security can expand the number of people who believe they are stakeholders in the success of the organization
Important for compliance

13 Compliance
Compliance requirements must be precise
Should be applied equally within the organization
Needs to define consequences of compliance failures
Consequences do not have to be punitive
Punitive measures should be able to be applied at all levels of an organization
Compliance issues should be described as a means of ensuring success – not just identifying failure

14 Points of Contact
It is essential that people within an organization know who to contact with security issues
Questions on security/IA policy should be resolvable rapidly and clearly
Security policy management should be seen as an asset to the workings of the organization

15 Visibility
To be effective a security/IA policy must be visible
Readily available to all personnel
Should be provided at hire
Security training must be part of indoctrination (new-hire onboarding)
Continued training and security awareness should be part of the organizational culture

16 Policy Challenges
Potential barriers to success for developing a security/IA policy that is effective across the enterprise:
  – failing to realize that security management is a business issue as well as a technological challenge
  – security goals aligned with the CIO, not the organization
  – good policy needs more than IT working together to achieve information security goals
  – effective policy must convince organizational units other than IT that they should care about information security

17 Policy Challenges
Security/IA Policy has to be part of the strategic plan for an organization
Security strategies must also enable the organization, but must be balanced against potentially limiting the achievement of other strategic objectives

