IT Security Policy Framework ● Policies ● Standards ● Procedures ● Guidelines.


1 IT Security Policy Framework
● Policies
● Standards
● Procedures
● Guidelines

2 Policy
● A written statement from an authority declaring a course of action for the sake of expediency.
– Example: Policy dictates that all employees will read and sign the AUP before receiving access to the computing system.

3 Standard
● A detailed level of attainment.
– IT standards ensure that consistent security controls are adopted.
– Example: The Common Criteria have established standards for hardware and software security.

4 Procedures
● A description of the process used to accomplish a task.
– Example: A procedure checklist is used to perform and verify backups.

5 Guidelines
● A suggested course of action, which can be specific or general.
– Example: The guidelines for a secure password include but are not limited to...

6 IT Policy Framework Purpose
● The purpose is to achieve an acceptable level of risk.

7 Data Classification Standards
● US Government
● Private enterprise

8 US Government
● Executive Order 13526 (2009)
– Top Secret
– Secret
– Confidential
– Public domain information is considered unclassified and is not part of the classification standard.

9 Top Secret
● Would cause grave damage to national security if it were disclosed.

10 Secret
● Would cause serious damage to national security if it were disclosed.

11 Confidential
● Would cause damage to national security if it were disclosed.

12 Guidelines
● Yes, there are guidelines for separating information into the appropriate categories.

13 Unclassified
● Would you believe there are classifications for unclassified information?

14 Unclassified
● Poses no threat to national security if exposed.

15 Controlled Unclassified
● For official use only.
– Example: law enforcement classified

16 Alternative Classifications
● Top Secret
● Secret
● Confidential
● Restricted
● Protect
● Unclassified

17 Private Enterprise Data Classification*
● Private
● Confidential
● Internal use only
● Public domain data
*(Kim, Solomon)

18 Private
● Data about people.
– Example: compliance laws like HIPAA

19 Confidential
● Information owned by the enterprise
– Customer lists
– Pricing information
– Intellectual property
– Internal use only information

20 Internal Use Only
● Information shared internally by an organization.
– Most communications are not intended to be shared.

21 Public Domain Data
● Shared with the public
– Web site content
– White papers

22 Alternative
● Confidential
● Restricted
● Protected
● Unclassified (public)

23 Alternative
● Confidential
– Disclosure would substantially undermine the financial viability of the organization.

24 Alternative
● Restricted
– Disclosure would cause a substantial loss of earning potential or give an advantage to competitors.

25 Alternative
● Protected
– Disclosure would cause financial loss.

26 Data Classification Challenges
● Perfection is the enemy of the good!
– If you insist on perfection, your system will be difficult to implement.
– Employees must be properly educated in order to classify data effectively.

27 Data Classification Challenges
● Perfection is the enemy of the good!
– If the scheme is too complex, it will fail due to lack of use.
– You are better served by keeping your classification scheme simple (no more complex than is necessary).

28 Data Classification Challenges
● Perfection is the enemy of the good!
– Development and implementation of a data classification scheme will require resources.
– If it's complex, it will likely be expensive to implement.

29 Implementation Tips
● Understand what is achievable: any data classification policy must become less complex as more individuals become involved in implementing the policy.

30 Implementation Tips
● Those who have something at stake should be involved in the data classification policy development.

31 Implementation Tips
● Provide appropriate education and visibility.
– Any data classification scheme should be posted on the company/agency internal web page.

32 Implementation Tips
● Align your data classification scheme with regulatory (compliance) requirements.

33 Compliance Laws
● Legislation exists mandating security controls to protect private and confidential data.

34 Example Compliance Legislation
● SOX (Sarbanes-Oxley, 2002)
– Requires security controls to protect the confidentiality and integrity of financial reporting.

35 Example Compliance Legislation
● GLBA (Gramm-Leach-Bliley, 1999)
– Financial institutions must protect clients' private financial information.

36 Example Compliance Legislation
● HIPAA (Health Insurance Portability and Accountability Act, 1996)
– Health care organizations must secure patient information.

37 Example Compliance Legislation
● CIPA (Children's Internet Protection Act, 2000)
– Requires public schools and public libraries to implement an Internet safety policy.

38 Example Compliance Legislation
● FERPA (Family Educational Rights and Privacy Act, 1974)
– Protects the school records and other private data of students.

39 Example Compliance Standard
● PCI-DSS (Payment Card Industry Data Security Standard)
– An information security standard for organizations that handle payment card information.
● Debit
● Credit
● Prepaid
● ATM
● etc.

40 Professionalization of the SA Discipline
● Establishment of professional societies/organizations
● Credentials
– By study and examination
– University degrees

41 Example Professional Organizations
● LISA (SAGE), Large Installation System Administration
● (ISC)2, International Information Systems Security Certification Consortium

42 Professional Organizations
● Offer credentials through study and examination
● Code of ethics
● Professional networking
● A forum for sharing new technology, ideas, etc.

43 Recommended Areas of Knowledge
● Access controls
● Cryptography
● Network security
● Risk management
● Application development security
● Legal regulations and compliance
● Operations security

