Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Policies Jim Stracka www.pentasafe.com. The Problem Today.

Published byJoshua Nash Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Policies Jim Stracka www.pentasafe.com. The Problem Today."— Presentation transcript:

1 Security Policies Jim Stracka www.pentasafe.com

2 The Problem Today

3 VigilEnt Security Agents VigilEnt Policy Center VigilEnt Security Manager VigilEnt Security Solution

4 Overwhelming Validation Customers Strategic Alliances Investors

5 Agenda Business Issues What Is An Information Security Policy ? Policy Development Process Conclusion

6

7 Business Issues Organizations Embracing New Business Models Increased Risks In New Economy Environments How Do You Conduct E-Business Safely ? Security Is A BUSINESS Issue Not A Technology Issue Security Must Be Governed By Policy

8 Why have a Security Policy ? Clearly Establishes Expectations Acts As An Extension Of The Organizations Leadership Opportunity To Address Asset Protection Ensures Proper Compliance With Laws, Regulations etc Ensures Implementation Of Proper Controls Reduces Liability

9 What is a Policy ? A Policy Defines Expectations Policies Are Written At A High Level Technology Changes, But Policies Rarely Do Your Policy Should Indicate A “Perfect World” (Security Gap)

10 Policy or Standard? The Rule Process Should Incorporate Two Levels: Policy: Few And Short Statements Sets The Goal Your Trying To Achieve Language Used (Will / Shall) Standard: Gets Much More Specific; To Platform; Technology; Procedure Language Used (Should / Could)

11 The Problem Today

12 Anatomy of a Security Policy Elements of a Viable Policy: Policy Statements Purpose Scope Controls Definitions Applicable Entities Roles And Responsibilities References Information Assets

13 Policy Elements: Policy Statement The Policy Statement is a one or two sentence description of the policy. It describes the control environment, not how the organization will accomplish the objective. Policy Statement

14 Policy Elements: Purpose The policy Purpose describes the reason for this particular policy (i.e., why it exists). Purpose

15 Policy Elements: Scope The policy Scope primarily defines who falls under the jurisdiction of the policy. As a further explanation of scope, policy statements should indicate who must observe the policies and when it may be acceptable for worker actions or activities to be inconsistent with policies. Scope

16 Policy Elements: Information Assets Integral element of any security policy Not likely restated for each policy statement However, it is important to identify for each policy statement if there are any specific inclusions or exclusions to this information (this is most effectively done on a class basis) Examples: “The provisions set forth in this policy statement apply to all identified classes of information assets.” “This policy applies only to information assets that are classified as ‘Confidential’ or ‘Highly Sensitive’.”

17 Short, to the Point, Clear Keep It Brief Policy Never Tells Or Suggests How To Achieve The Objective Policy Rarely Changes Because It Does Not Depend On A Person, Process, or Technology

18 Develop A “Policy On Policy” Clearly Define The Policy Administration Process: For Developing New Policy For Requesting Modification To Existing Policy To Suggest The Elimination Of Outdated Policy – Who Writes The Policy? – Who Reviews The Policy? – Who Approves The Policy? – What Is The Process For Requesting Exceptions?

19 Policy Priorities The Policies Of The Organization As A Whole Should Take Precedence More Granular Section Policies Can Always Be Added To The Overall Policies For The Organization Specific Enterprise Sections May Require Additional Policies Due To The Nature Of Their Business

20 Integration of Policy & IT Make Use Of What Is Available Use Of Policy To Develop Standards Use Of Standards To Communicate Policy Make Use Of Platform Specific MVS, AS400, Sun/Solaris, Novell, NT Standards To Develop Policy

21 The Problem Today

22 Policy Life-Cycle The greatest challenge of implementing an information security policy is keeping the policy active. The policy life-cycle process is shown below; the last two steps tend to be the most overlooked: – Monitoring, compliance and enforcement; and – Review and Update

23 Code of Conduct Use Your Corporate “Code of Conduct” To Help Support Your Policy Efforts The “Code of Conduct” Usually Supports Business Directives and Ethical Actions Make Sure Your Policy Efforts Support Your “Code of Conduct”

24 Consequences There Should Be A Separate Policy That Delineates The Consequences Of Failure To Comply With Policy Appropriate Procedures Must Be Identified, Communicated, and Enforced Need to work with Human Resources / Senior Management

25 Policy Implementation Develop “Educated” Draft(s) Involve Many Areas / Departments (Form A Policy Committee) Obtain Leadership Approval From The Start Train Staff On Policy / And Security Issues Communicate Content / Milestones Of Process Use A Machine To Sustain The Process

26 Ideal Times To Develop Policies Your Organization Just Suffered A Loss Competing Organization Just Suffered A Loss Press Discussing A Major Vulnerability Your Organization Just Received Adverse Audit Report Your Organization Just Hit With Lawsuit Your Organization Will Make Major Changes Other InfoSec Initiatives Are Well Underway

27 Conclusion Developing Policy Is Not An Easy Process Why Do Many Fail? – Complicated Process – Many Twists And Turns – Lack Of Management Support Automated Tools Are Long Overdue

28 Do you want more??? Jim Stracka 888-400-2834 j.stracka@pentasafe.com www.pentasafe.com

Download ppt "Security Policies Jim Stracka www.pentasafe.com. The Problem Today."

Similar presentations

Technology Center 1600 Training on Writing Rejections Under 35 U.S.C. § 103.

Technology Center 1600 Training on Writing Rejections Under 35 U.S.C. § 103.
1 Welcome Safety Regulatory Function Handbook April 2006.

1 Welcome Safety Regulatory Function Handbook April 2006.
Program Management Office (PMO) Design

Program Management Office (PMO) Design
Radiopharmaceutical Production

Radiopharmaceutical Production
Process and Procedure Documentation. Agenda Why document processes and procedures? What is process and procedure documentation? Who creates and uses this.

Process and Procedure Documentation. Agenda Why document processes and procedures? What is process and procedure documentation? Who creates and uses this.
PRESENTATION ON MONDAY 7 TH AUGUST, 2006 BY SUDHIR VARMA FCA; CIA(USA) FOR THE INSTITUTE OF INTERNAL AUDITORS – INDIA, DELHI CHAPTER.

PRESENTATION ON MONDAY 7 TH AUGUST, 2006 BY SUDHIR VARMA FCA; CIA(USA) FOR THE INSTITUTE OF INTERNAL AUDITORS – INDIA, DELHI CHAPTER.
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
How are you going to manage?.  Informal  collection of vendors  loosely managed  minimal structure  Informal  collection of vendors  loosely managed.

How are you going to manage?.  Informal  collection of vendors  loosely managed  minimal structure  Informal  collection of vendors  loosely managed.
QA Programs for Local Health Departments

QA Programs for Local Health Departments
Charles E. Constantin Director, Senior Bank Regulatory Compliance Officer Royal Bank of Canada, RBC Capital Markets Institute of International Bankers.

Charles E. Constantin Director, Senior Bank Regulatory Compliance Officer Royal Bank of Canada, RBC Capital Markets Institute of International Bankers.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
Developing Information Security Policy. Why is Developing Good Security Policy Difficult? Effective Security/IA Policy is more than locking doors and.

Developing Information Security Policy. Why is Developing Good Security Policy Difficult? Effective Security/IA Policy is more than locking doors and.
9.401 Auditing Chapter 1 Introduction. Definition of Auditing The accumulation and evaluation The accumulation and evaluation Of evidence about information.

9.401 Auditing Chapter 1 Introduction. Definition of Auditing The accumulation and evaluation The accumulation and evaluation Of evidence about information.
IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESS

IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESS
Information Systems Security Officer

Information Systems Security Officer
© 2013 Cengage Learning. All Rights Reserved. 1 Part Four: Implementing Business Ethics in a Global Economy Chapter 8: Developing an Effective Ethics Program.

© 2013 Cengage Learning. All Rights Reserved. 1 Part Four: Implementing Business Ethics in a Global Economy Chapter 8: Developing an Effective Ethics Program.
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Purpose of the Standards

Purpose of the Standards
Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?

Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?

Similar presentations

Ads by Google