INFORMATION SECURITY MANAGEMENT LECTURE 4 INFORMATION SECURITY POLICY
“You got to be careful if you don’t know where you’re going, because you might not get there.” – Yogi Berra
Principles of Information Security Management
Information security management includes the following characteristics, which will be the focus of the current course (the six P’s):
1. Planning (Chapters 2 & 3)
2. Policy (Chapter 4)
3. Programs
4. Protection
5. People
6. Project Management
http://csrc.nist.gov/publications/PubsTC.html
Introduction
“The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems.”
Policy is the essential foundation of an effective information security program.
Policy • Explains the will of the organization’s management in controlling the behavior of employees
Policy – Biggest Threat to Endpoint Security?
• 78% of IT professionals surveyed consider negligent or careless employees who do not follow security policies to be the biggest threat to endpoint security
• 50% of employees did not receive any security or policy awareness training
“I wouldn’t go so far to say they don’t care – mostly – but I’d also point out that organizations probably haven’t done a good job of helping them understand why they should care.”
http://www.securityweek.com/employees-not-following-policy-biggest-threat-endpoint-security-it-pros-say
Bulls-eye Model
Policy, Standards, and Practices • Policy & Types • Enterprise • Issue-specific • Systems-specific • Standards • Practices
Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for the organization’s security efforts
• Assigns responsibilities for various areas of information security
• Examples:
§ http://uncw.edu/policies/it.html
§ http://doit.maryland.gov/support/pages/securitypolicies.aspx
EISP Elements • Overview of the corporate philosophy on security • Information about information security organization and information security roles § Responsibilities for security that are shared by all members of the organization § Responsibilities for security that are unique to each role within the organization
Example EISP Components
• Statement of purpose
• Information technology security elements
• Need for information technology security
• Information technology security responsibilities and roles
• Reference to other information technology standards and guidelines
Issue-Specific Security Policy (ISSP) • Provides detailed, targeted guidance • Protects organization from inefficiency and ambiguity • Indemnifies the organization against liability for an employee’s inappropriate or illegal system use
Issue-Specific Security Policy (cont’d.)
• Every organization’s ISSP should:
• Examples at UNCW:
§ Email Abuse
ISSP – Topics
– Email and internet use
– Minimum system configurations
– Prohibitions against hacking
– Home use of company-owned computer equipment
– Use of personal equipment on company networks
– Use of telecommunications technologies
– Use of photocopy equipment
Components of the ISSP
• Statement of purpose
• Authorized access and usage of equipment
• Prohibited usage of equipment
• Systems management
• Violations of policy
• Policy review and modification
• Limitations of liability
Implementing the ISSP • Common approaches
System-Specific Security Policy
• System-specific security policies (SysSPs) frequently do not look like other types of policy
• SysSPs can be separated into:
Managerial Guidance SysSPs
• Created by management to guide the implementation and configuration of technology
• Applies to any technology that affects the confidentiality, integrity, or availability of information
• Informs technologists of management intent
Example:
• Lifecycle Replacement
Technical Specifications SysSPs
• System administrators’ directions on implementing managerial policy
• General methods of implementing technical controls
– Access control lists
– Configuration rules
Technical Specifications SysSPs (cont’d.)
• Access control lists
– Include the user access lists, matrices, and capability tables that govern the rights and privileges of users
– Enable administrators to restrict access according to user, computer, time, duration, or even a particular file
Example:
• Access to Information Resources and Data
Technical Specifications SysSPs (cont’d.)
• Access control lists regulate who may do what to which resource
• Administrators set user privileges
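The slides describe ACLs as technical-specification SysSPs that restrict access by user, computer, time, duration, or individual file, and mention access matrices and capability tables as the related structures. The following is an added worked example (not from the lecture or the textbook) that turns such rules into a default-deny ACL evaluator and derives a per-user capability table from the same list. Every user, group, host name, path, and time window in it is constructed for illustration.

```python
"""Evaluate SysSP-style access-control rules: subject, resource, rights,
plus optional host, daily time-window, and session-duration limits.

Added example; all identities, hosts and paths below are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Optional, Set, Union


@dataclass(frozen=True)
class AclEntry:
    """One ACL row: who may do what to which resource, under which limits."""
    subject: str                          # user name or group name
    resource: str                         # path prefix the entry governs
    rights: FrozenSet[str]                # e.g. {"read", "write"}
    hosts: FrozenSet[str] = frozenset()   # empty means any computer
    start: Optional[time] = None          # daily window start (inclusive)
    end: Optional[time] = None            # daily window end (exclusive)
    max_minutes: Optional[int] = None     # longest permitted session; None = no limit

    def permits(self, subjects: Set[str], host: str, resource: str,
                right: str, when: datetime, session_minutes: int) -> bool:
        """True only if every restriction on this row is satisfied."""
        if self.subject not in subjects or right not in self.rights:
            return False
        if not resource.startswith(self.resource):
            return False
        if self.hosts and host not in self.hosts:
            return False
        if self.start is not None and self.end is not None:
            if not (self.start <= when.time() < self.end):
                return False
        if self.max_minutes is not None and session_minutes > self.max_minutes:
            return False
        return True


# Constructed ACL: the kind of table a technical-specification SysSP would state.
ACL = [
    # Finance staff may edit the ledger, but only from finance workstations
    # and only during the working day.
    AclEntry("finance", "/data/ledger/", frozenset({"read", "write"}),
             hosts=frozenset({"fin-ws-01", "fin-ws-02"}),
             start=time(7, 0), end=time(19, 0)),
    # Finance staff may read reports from anywhere, any time.
    AclEntry("finance", "/data/reports/", frozenset({"read"})),
    # Administrators get full rights under /data/, but sessions are capped.
    AclEntry("it-admin", "/data/", frozenset({"read", "write", "admin"}),
             max_minutes=60),
    # A single user is granted read access to one particular file, 9 to 5.
    AclEntry("carol", "/data/ledger/2023-q4.xlsx", frozenset({"read"}),
             start=time(9, 0), end=time(17, 0)),
]

# Constructed group membership; unknown users simply have no groups.
GROUPS: Dict[str, Set[str]] = {"alice": {"finance"}, "bob": {"it-admin"}, "carol": set()}


def is_allowed(user: str, host: str, resource: str, right: str,
               when: Union[str, datetime], session_minutes: int = 0) -> bool:
    """Default deny: the request is allowed only if some ACL row permits it."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    subjects = {user} | GROUPS.get(user, set())
    return any(e.permits(subjects, host, resource, right, when, session_minutes)
               for e in ACL)


def capability_table(user: str) -> Dict[str, Set[str]]:
    """The user's view of the matrix: resource prefix -> rights, ignoring
    the host/time/duration conditions (those are checked at request time)."""
    subjects = {user} | GROUPS.get(user, set())
    table: Dict[str, Set[str]] = {}
    for e in ACL:
        if e.subject in subjects:
            table.setdefault(e.resource, set()).update(e.rights)
    return table


def access_matrix() -> Dict[str, Dict[str, Set[str]]]:
    """Full access matrix: user -> (resource prefix -> rights) for all known users."""
    return {u: capability_table(u) for u in GROUPS}


if __name__ == "__main__":
    print(is_allowed("alice", "fin-ws-01", "/data/ledger/gl.csv", "write", "2024-03-04T10:30"))
    print(is_allowed("alice", "fin-ws-01", "/data/ledger/gl.csv", "write", "2024-03-04T21:00"))
    print(capability_table("alice"))
```

Two design points worth noting: evaluation is default deny, so a user with no matching row (including an unknown user) gets nothing, and the capability table deliberately omits the host, time, and duration conditions so the reader can see why a static matrix alone is not a sufficient statement of the policy.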
Technical Specifications SysSPs: Case Study
Disaster at a University: A Case Study in Information Security
• Overview
• Issue
• People Involved
• Approach and Resolution
• Outcomes
• Conclusion
Guidelines for Effective Policy • For policies to be effective, they must be properly:
Developing Information Security Policy • It is often useful to view policy development as a two-part project 1. Design and develop the policy (or redesign and rewrite an outdated policy) 2. Establish management processes to perpetuate the policy within the organization
Developing Information Security Policy (cont’d.)
• Policy development projects should be
– Well planned
– Properly funded
– Aggressively managed to ensure that they are completed on time and within budget
• The policy development project can be guided by the SecSDLC process
SecSDLC Process of Policy Development
• Investigation phase
– Obtain support from senior management
– Clearly articulate the goals of the policy project
– Acquire a capable project manager
– Develop a detailed outline of, and sound estimates for, project cost and scheduling
Developing Information Security Policy (cont’d. ) • Analysis phase should produce – New or recent risk assessment or IT audit documenting the current information security needs of the organization – Key reference materials • Including any existing policies
Developing Information Security Policy (cont’d. ) • Design phase includes – How the policies will be distributed – How verification of the distribution will be accomplished
Developing Information Security Policy (cont’d. ) • Implementation phase includes – Writing the policies – Policy distribution • Maintenance Phase – Maintain and modify the policy as needed – Built-in reporting mechanism – Periodic review
Alternative Approaches: The Information Security Policy Made Easy Approach
• Gathering key reference materials
• Defining a framework for policies
• Preparing a coverage matrix
• Making critical systems design decisions
• Structuring review, approval, and enforcement processes
Alternative Approaches: Guide for Developing Security Plans for Federal Information Systems
• NIST Special Publication 800-18, Rev. 1 reinforces a business process-centered approach to policy management
• Policies are living documents
• Good management practices for policy development and maintenance make for a more resilient organization
Alternative Approaches: Guide for Developing Security Plans for Federal Information Systems
• Policy requirements
– An individual responsible for reviews
– A schedule of reviews
– A method for making recommendations for reviews
– An indication of policy and revision date
Management of Information Security, 3rd ed.
A Final Note on Policy Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy.
Next Class • Chapter 5 – Security Programs • Case Studies • We will be covering the cases during lecture. Be prepared to discuss your assigned case and read the other cases • Assessment 1