Presentation transcript: "Information Security Policies and Standards"
1 Information Security Policies and Standards
Bryan McLaughlin, Information Security Officer, Creighton University
2 The challenges before us
- Define security policies and standards
- Measure actual security against policy
- Report violations of policy
- Correct violations to conform with policy
- Summarize policy compliance for the organization
7 Securing a network is like securing a house with 1,000 doors and 1,000 windows
- We have to be smart enough to recognize a door or a window.
- We have to know where all the doors and windows are.
- We have to know, at any time, whether the doors and windows are open or closed.
- We have thousands of kids (users) running in and out.
9 The Purpose
Provide a framework for the management of security across the enterprise.
10 Definitions: Policies, Standards, Guidelines
- Policies: high-level statements that provide guidance to workers who must make present and future decisions.
- Standards: requirement statements that provide specific technical specifications.
- Guidelines: optional but recommended specifications.
11 Security Policy
- Policy: Access to network resources will be granted through a unique user ID and password.
- Standard: Passwords will be 8 characters long.
- Guideline: Passwords should include one non-alpha character and should not be found in a dictionary.
- A policy may have many standards associated with it.
- A standard should have only one policy associated with it.
- A standard may have many guidelines associated with it.
12 Elements of Policies
- Set the tone of management
- Establish roles and responsibilities
- Define asset classifications
- Provide direction for decisions
- Establish the scope of authority
- Provide a basis for guidelines and procedures
- Establish accountability
- Describe appropriate use of assets
- Establish relationships to legal requirements
13 Policies should…
Clearly identify and define the information security goals and the goals of the university.
16 Step 1 – Collect Background Information
- Obtain existing policies (Creighton's and others')
- Identify what levels of control are needed
- Identify who should write the policies
17 Step 2 – Perform Risk Assessment
- Justify the policies with a risk assessment
- Identify the critical functions
- Identify the critical processes
- Identify the critical data
- Assess the vulnerabilities
18 Step 3 – Create a Policy Review Board
The policy development process:
- Write the initial "draft"
- Send it to the Review Board for comments
- Incorporate comments
- Resolve issues face-to-face
- Submit the "draft" policy to Cabinet for approval
19 Step 4 – Develop the Information Security Plan
- Establish goals
- Define roles
- Define responsibilities
- Notify the user community as to the direction
- Establish a basis for compliance, risk assessment, and audit of information security
20 Step 5 – Develop Information Security Policies, Standards, and Guidelines
- Policies: high-level statements that provide guidance to workers who must make present and future decisions.
- Standards: requirement statements that provide specific technical specifications.
- Guidelines: optional but recommended specifications. Guidelines are used when standards cannot be enforced or management support is lukewarm.
Examples:
- Standard: Passwords must be 8 characters long and expire every 90 days.
- Guideline: Passwords should be constructed using alpha, numeric, upper case, lower case, and special characters.
21 Step 6 – Implement Policies and Standards
- Distribute policies.
- Obtain agreement with policies before access to Creighton systems is granted.
- Implement controls to meet or enforce policies.
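What "implement controls to enforce policies" looks like for the password standard and guideline given under Step 5, as an added example (not Creighton's code and not part of the original slides): the standard (length, a non-alphabetic character, not a dictionary word, changed within 90 days) is mandatory, so any failure is a violation that rejects the password; the guideline (mixed case, digits, specials) is recommended, so shortfalls are reported as advisories only. The dictionary is a constructed stand-in for a real word list, and "8 characters long" is read here as a minimum.

```python
"""Added example: enforcing a password standard while only advising on its
guideline. Keeps the slide's distinction: failed standards reject, unmet
guidelines are reported. DICTIONARY is a constructed stand-in."""
import string

# Constructed stand-in for an organisational dictionary / blocklist.
DICTIONARY = {"password", "creighton", "welcome", "letmein", "qwerty"}

MIN_LENGTH = 8       # "8 characters long", read as a minimum (assumption)
MAX_AGE_DAYS = 90    # "expire every 90 days"


def _alpha_core(pw: str) -> str:
    # Drop digits and punctuation so "Password1!" is still caught as "password".
    return "".join(c for c in pw.lower() if c.isalpha())


def check_password(pw: str, age_days: int) -> dict:
    """Return {'compliant': bool, 'violations': [...], 'advisories': [...]}.

    'violations' are failed standards (mandatory); 'advisories' are unmet
    guidelines (recommended). Only violations make the result non-compliant.
    """
    violations, advisories = [], []

    # Standard: requirement statements; failing any one is a violation.
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if all(c.isalpha() for c in pw):
        violations.append("no non-alphabetic character")
    if _alpha_core(pw) in DICTIONARY:
        violations.append("based on a dictionary word")
    if age_days > MAX_AGE_DAYS:
        violations.append(f"older than {MAX_AGE_DAYS} days")

    # Guideline: recommended construction; report but do not reject.
    wanted = {
        "lower case": str.islower,
        "upper case": str.isupper,
        "numeric": str.isdigit,
        "special": lambda c: c in string.punctuation,
    }
    for name, present in wanted.items():
        if not any(present(c) for c in pw):
            advisories.append(f"guideline: add a {name} character")

    return {"compliant": not violations,
            "violations": violations,
            "advisories": advisories}


if __name__ == "__main__":
    for pw, age in [("Password1!", 10), ("Tr0ub4dor&3", 10),
                    ("correcthorse1", 10), ("Tr0ub4dor&3", 120)]:
        print(pw, age, check_password(pw, age))
```

The dictionary check strips digits and punctuation before lookup, since "Password1!" satisfies every composition rule and still is a dictionary word. One caveat a practitioner would want: the 90-day expiry and composition rules reflect the guidance of the slides' era; NIST SP 800-63B (2017) recommends against mandatory periodic rotation and composition rules in favour of length and blocklist screening, so of the checks above the dictionary/blocklist screening is the one that survives current guidance.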
22 Step 7 – Awareness and Training
- Makes users aware of the expected behavior
- Teaches users how and when to secure information
- Reduces losses and theft
- Reduces the need for enforcement
23 Step 8 – Monitor for Compliance
- Management is responsible for establishing controls
- Management should REGULARLY review the status of controls
- Enforce "user contracts" (Code of Conduct)
- Establish effective authorization approval
- Establish an internal review process
- Internal Audit reviews
28 Minimum HIPAA Requirements: Physical Safeguards
- Security plan (security roles and responsibilities) (§ .308(b)(1))
- Media control policy (§ .308(b)(2))
- Physical access policy (§ .308(b)(3))
- Workstation use policy (§ .308(b)(4))
- Workstation safeguard policy (§ .308(b)(5))
- Security awareness and training policy (§ .308(b)(6))
29 Minimum HIPAA Requirements: Technical Security Services and Mechanisms
- Mechanism for controlling system access (§ .308(c)(1)(i)): "need-to-know"
- Employ event logging on systems that process or store PHI (§ .308(c)(1)(ii))
- Mechanism to authorize the privileged use of PHI (§ .308(c)(3)): employ a system- or application-based mechanism to authorize activities within system resources in accordance with the least privilege principle
- Provide corroboration that PHI has not been altered or destroyed in an unauthorized manner (§ .308(c)(4)): checksums, double keying, message authentication codes, and digital signatures
- Users must be authenticated prior to accessing PHI (§ .308(c)(5)):
  - Uniquely identify each user and authenticate identity
  - Implement at least one of the following methods to authenticate a user: password; biometrics; physical token; call-back or strong authentication for dial-up remote access users
  - Implement automatic log-offs to terminate sessions after set periods of inactivity
- Protection of PHI on networks with connections to external communication systems or public networks (§ .308(d)): intrusion detection, encryption
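The integrity mechanisms listed under § .308(c)(4) are not interchangeable, and the difference is the point an implementer needs. The following is an added example (not from the slides, not Creighton's code) contrasting two of them: an unkeyed checksum detects accidental corruption only, because whoever can alter a record can recompute the checksum to match, whereas a message authentication code (HMAC) is keyed, so an attacker without the key cannot produce a valid tag for the altered record. The record, the key (generated with `os.urandom`) and the attacker's actions are all constructed for the example.

```python
"""Added example: checksum versus MAC for corroborating that a record has
not been altered. Record, key and attacker are constructed."""
import hashlib
import hmac
import os

# Constructed verification key; in production it lives in a KMS/HSM and is
# never available to the systems or users who are allowed to write records.
INTEGRITY_KEY = os.urandom(32)


def checksum(record: bytes) -> bytes:
    """Unkeyed integrity check (SHA-256 digest)."""
    return hashlib.sha256(record).digest()


def mac(record: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    """Keyed integrity tag (HMAC-SHA-256)."""
    return hmac.new(key, record, hashlib.sha256).digest()


def verify(record: bytes, tag: bytes, keyed: bool) -> bool:
    expected = mac(record) if keyed else checksum(record)
    # compare_digest runs in constant time, so the comparison itself does
    # not leak which byte of the tag mismatched.
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    # Constructed PHI-like record and the tags stored beside it at write time.
    record = b"patient=000123;drug=warfarin;dose=10mg"
    stored_sum, stored_mac = checksum(record), mac(record)

    # Attacker with write access to the store but no key alters the dose ...
    altered = record.replace(b"dose=10mg", b"dose=100mg")
    # ... recomputes the unkeyed checksum (nothing stops this) ...
    forged_sum = checksum(altered)
    # ... but can only guess at the MAC, e.g. with a key of their own.
    forged_mac = mac(altered, key=os.urandom(32))

    return {
        "checksum_detects_tamper": not verify(altered, forged_sum, keyed=False),
        "mac_detects_tamper": not verify(altered, forged_mac, keyed=True),
        "mac_rejects_reused_tag": not verify(altered, stored_mac, keyed=True),
        "original_still_verifies": verify(record, stored_mac, keyed=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two consequences for the policy: the checksum is only useful against media errors, so it satisfies the "altered in an unauthorized manner" requirement only when paired with access controls that keep attackers away from both record and tag; and because HMAC verification needs the same key as tag generation, anyone who can verify can also forge, which is why the slide's fourth mechanism, digital signatures, is the one to use for audit trails where the verifier must not be able to fabricate records.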
30 Creighton Specific Policies
- Access Control Policy
- Contingency Planning Policy
- Data Classification Policy
- Change Control Policy
- Wireless Policy
- Incident Response Policy
- Termination of Access Policy
- Backup Policy
- Virus Policy
- Retention Policy
- Physical Access Policy
- Computer Security Policy
- Security Awareness Policy
- Audit Trail Policy
- Firewall Policy
- Network Security Policy
- Encryption Policy
31 Policy Hierarchy
Governance Policy
  Access Control Policy
    User ID Authentication Standard
    Password Construction Standard
      Strong Password Construction Guidelines
    User ID Naming Standard