Sanjay Goel, School of Business / Center for Information Forensics and Assurance, University at Albany (Proprietary Information). Unit Outline: Information Security Policy

Presentation transcript:

Slide 1: Unit Outline
Information Security Policy
–Module 1: Purpose
–Module 2: Life Cycle
–Module 3: Terminology
–Module 4: Structure
–Module 5: Summary

Slide 2: Module 2: Life Cycle

Slide 3: Life Cycle: Learning Objectives
Students should be able to:
–Conceptualize the life cycle of a security policy
–Realize that security policies should incorporate both business and security needs
–Understand how risk analysis feeds into security policy development
–Realize that policy development is not simply creation, but also dissemination, enforcement, monitoring, and maintenance

Slide 4: Life Cycle: Broad View
After a business process and risk analysis, security policies can be developed or improved to counteract threats to vulnerable assets. Management approves the policy; employee awareness programs are then instituted and administratively imposed software or hardware changes are made in accordance with the policy. The success of the policy depends largely on how well it is enforced. To determine how well the policy is being upheld, compliance verification or auditing should be performed. As new threats, vulnerabilities, or assets are discovered through risk assessment, policies may be improved or additional policies created.
[Figure: life cycle diagram with the stages Business Process and Risk Analysis, Policy Development, Implementation, Enforcement, and Monitoring/Maintenance]
Adapted from: Guel, M.D. (2001). A Short Primer for Developing Security Policies. SANS Institute.

Slide 5: Life Cycle: Detailed View
[Figure: policy life cycle model with the nodes Organization structure and business process analysis; System management requirements analysis; Policy definition and specification; Policy analysis and translation; Policy distribution and enforcement; Policy review and query; Policy monitoring and maintenance; Organization structure redesign and business process reengineering; General management criteria and principles; Organizational structure and business processes model; High-level policies; Low-level policies; Other related information; Event log and policy history. Legend: Process, Data, Reverse]
Adapted from: Zhang, Y., Liu, X., & Wang, W. (2005). Policy Lifecycle Model for Systems Management. IT Pro, 50-54.

Slide 6: Life Cycle: "Nothing Exists in a Vacuum"
Security policy should be determined by general organizational needs as well as security needs, and should maximize security at minimal cost to other institutional goals (e.g., productivity). Security and organizational recommendations are determined through business process and security needs analysis (risk analysis).
[Figure: detail of the life cycle model showing System management requirements analysis; General management criteria and principles; Organizational structure and business processes model; Organization structure and business process analysis]

Slide 7: Life Cycle: Risk Analysis
Risk analysis can help identify:
–Relevant areas
–Operations
–Organizational issues

Slide 8: Life Cycle: Policy Development
Recommendations from an information security risk analysis should assist in developing policy definitions. Example:
–Recommendation: An employee's personal account should be secure.
–High-level policy definition: There should be no unauthorized access to accounts.
The policy should be analyzed and approved by the necessary personnel and should include feedback from all levels. If necessary, the policy should be redefined.
[Figure: detail of the life cycle model showing Policy definition and specification; Policy analysis and translation; System management requirements analysis; High-level policies]

Slide 9: Life Cycle: Implementation
Often, high-level policies are very general so that they last over time and are easily understood and approved by upper management. Lower-level policies are the specific instructions on how to implement and enforce these policies (procedures). These are disseminated and enforced, and through feedback they may be changed.
[Figure: detail of the life cycle model showing Policy analysis and translation; Policy distribution and enforcement; Low-level policies]

Slide 10: Life Cycle: Implementation
Implementation may include the following components:
–Documentation
–Email
–Marketing
–Distance learning
–Specialized courses
–Technological controls

Slide 11: Life Cycle: Implementation: Example
High-Level Policy
–There should be no unauthorized access to accounts.
Low-Level Policy
–Users should change their passwords every 30 days and use a mixture of alphanumeric and special characters, exceeding 8 characters in length. Users should not be able to reuse their last 5 passwords.

Slide 12: Life Cycle: Implementation: Example, cont'd.
Implementation of Low-Level Policy
–Pamphlet announcing the newly enacted policy
–Training session on information security
–A system rule that rejects any password that does not contain a mixture of alphanumeric and special characters or that is less than 8 characters long. The system can also notify the user every 30 days to change their password, and will not accept a password that has been used in the last 2 times.
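The system rule from slides 11 and 12, written out as an added example (not code from the slides): it assumes password history is stored as salted SHA-256 digests, uses a 5-entry history as on slide 11 (slide 12 says 2), and reads "exceeding 8 characters" as a minimum length of 9.

```python
"""Added example (not from the original slides): the low-level password
policy of slides 11-12 expressed as a system rule. Assumed storage scheme:
password history kept as (salt, SHA-256 digest) pairs, newest first."""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 9       # slide 11: length "exceeding 8 characters"
ROTATION_DAYS = 30   # slide 11: change every 30 days
HISTORY_DEPTH = 5    # slide 11 says last 5; slide 12 says last 2 (page inconsistency)
SPECIALS = set(string.punctuation)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted hash for the history store (assumed scheme, for illustration only)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode("utf-8")).digest()


def complexity_violations(password: str) -> List[str]:
    """Return every way the candidate fails the complexity rule (empty = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def check_new_password(candidate: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Complexity check plus reuse check against the last HISTORY_DEPTH entries."""
    problems = complexity_violations(candidate)
    for salt, digest in history[:HISTORY_DEPTH]:
        # Re-hash with the stored salt; constant-time compare avoids timing leaks.
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def rotation_due(last_changed_iso: str, now_iso: str) -> bool:
    """True once ROTATION_DAYS have elapsed (dates given as ISO-8601 strings)."""
    elapsed = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_changed_iso)
    return elapsed >= timedelta(days=ROTATION_DAYS)
```

Current NIST SP 800-63B guidance advises against forced periodic rotation and recommends screening candidates against breached-password lists instead, so an audit like the one on slide 14 would today likely revisit the 30-day rule.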

Slide 13: Life Cycle: Monitoring and Maintenance
Policies should be monitored and maintained for compliance (e.g., through auditing). Through the problems or issues discovered, specific parts of the policy can be reviewed and changed, and proper action can be taken. All policy changes or related incidents should be documented.
[Figure: detail of the life cycle model showing Policy analysis and translation; Policy distribution and enforcement; Policy review and query; Policy monitoring and maintenance; Other related information; Event log and policy history]

Slide 14: Life Cycle: Monitoring and Maintenance: Example
Monitoring analysis:
–An audit is performed and it is discovered that users tend to forget their passwords and end up calling the help desk, causing lost productivity and help desk time.
Change to low-level policy:
–Special training sessions for people who call the help desk regularly

Slide 15: Life Cycle: Policy Analysis
While intermittent monitoring is good, it is also beneficial to take in all changes and determine the effects of the policy as a whole. Effects on processes and policy, as well as environmental changes, may lead to a change in the business process and risk analysis. These changes should result in a revision of the policy.
[Figure: detail of the life cycle model showing System management requirements analysis; General management criteria and principles; Event log and policy history; Organization structure and business process analysis; Organization structure redesign and business process reengineering; Policy definition and specification]

Slide 16: Life Cycle: Summary
Security policies have a life cycle that includes risk analysis, creation, dissemination, enforcement, monitoring, and then evaluation. Security policies optimize the effects on business processes against perceived information security risks. Policies are high-level (change rarely) and low-level (change more frequently). Policies should evolve over time as the environment changes and the effects of the policy are evaluated, so that they continue to produce effective results.

