IT Security Policy Framework Policies Standards Procedures Guidelines

IT Security Policy Framework
● Policies
● Standards
● Procedures
● Guidelines

Policy
● A written statement from an authority declaring a course of action for the sake of expediency.
  – Example: Policy dictates that all employees will read and sign the AUP before receiving access to the computing system.

Standard
● A detailed level of attainment.
  – IT standards ensure that consistent security controls are adopted.
  – Example: The Common Criteria have established standards for hardware and software security.

Procedures
● A description of the process used to accomplish a task.
  – Example: A procedure checklist is used to perform and verify backups.

Guidelines
● A suggested course of action, which can be specific or general.
  – Example: The guidelines for a secure password include, but are not limited to . . .

IT Policy Framework Purpose
● The purpose is to achieve an acceptable level of risk.

Data Classification Standards
● US Government
● Private enterprise

US Government
● Executive Order 13526 (2009)
  – Top Secret
  – Secret
  – Confidential
  – Public domain information is considered unclassified and is not part of the classification standard.

Top Secret
● Would cause grave damage to national security if it were disclosed.

Secret
● Would cause serious damage to national security if it were disclosed.

Confidential
● Would cause damage to national security if it were disclosed.

Guidelines
● Yes, there are guidelines for separating information into the appropriate categories.

Unclassified
● Would you believe there are classifications for unclassified information?

Unclassified
● Poses no threat to national security if exposed.

Controlled Unclassified
● For official use only.
  – Example: law enforcement information.

Alternative classifications
● Top Secret
● Confidential
● Restricted
● Protected
● Unclassified

Private Enterprise Data Classification* (*Kim, Solomon)
● Private
● Confidential
● Internal use only
● Public domain data

Private
● Data about people.
  – Example: data covered by compliance laws such as HIPAA.

Confidential
● Information owned by the enterprise
  – Customer lists
  – Pricing information
  – Intellectual property
  – Internal use only information

Internal Use Only
● Information shared internally by an organization.
  – Most communications are not intended to be shared.

Public Domain Data
● Shared with the public
  – Web site content
  – White papers

Alternative
● Confidential
● Restricted
● Protected
● Unclassified (public)

Alternative
● Confidential
  – Disclosure would substantially undermine the financial viability of the organization.

Alternative
● Restricted
  – Disclosure would cause a substantial loss of earning potential or give an advantage to competitors.

Alternative
● Protected
  – Disclosure would cause financial loss.

Data Classification Challenges
● Perfection is the enemy of the good!
  – If you insist on perfection, your system will be difficult to implement.
  – Employees must be properly educated in order to classify data effectively.

Data Classification Challenges
● Perfection is the enemy of the good!
  – If the scheme is too complex, it will fail due to lack of use.
  – You are better served by keeping your classification scheme simple (no more complex than is necessary).

Data Classification Challenges
● Perfection is the enemy of the good!
  – Development and implementation of a data classification scheme will require resources.
  – If it's complex, it will likely be expensive to implement.

Implementation Tips
● Understand what is achievable
  – Any data classification policy must become less complex as more individuals become involved in implementing the policy.

Implementation Tips
● Those who have something at stake should be involved in the data classification policy development.

Implementation Tips
● Provide appropriate education and visibility.
  – Any data classification scheme should be posted on the company/agency internal webpage.

Implementation Tips
● Align your data classification scheme with regulatory (compliance) requirements.

Compliance Laws
● Legislation exists mandating security controls to protect private and confidential data.

Example Compliance Legislation
● SOX (Sarbanes-Oxley, 2002)
  – Requires security controls to protect the confidentiality and integrity of financial reporting.

Example Compliance Legislation
● GLBA (Gramm-Leach-Bliley, 1999)
  – Financial institutions must protect clients' private financial information.

Example Compliance Legislation
● HIPAA (Health Insurance Portability and Accountability Act, 1996)
  – Health care organizations must secure patient information.

Example Compliance Legislation
● CIPA (Children's Internet Protection Act, 2000)
  – Requires public schools and public libraries to implement an Internet safety policy.

Example Compliance Legislation
● FERPA (Family Educational Rights and Privacy Act, 1974)
  – Protects the school records and other private data of students.

Example Compliance Standard
● PCI-DSS (Payment Card Industry Data Security Standard)
  – An information security standard for organizations that handle payment card information.
  – Debit
  – Credit
  – Prepaid
  – ATM
  – etc.

Professionalization of the SA Discipline
● Establishment of professional societies/organizations
● Credentials
  – By study and examination
  – University degrees

Example Professional Organizations
● LISA (SAGE), Large Installation System Administration
● (ISC)2
  – International Information Systems Security Certification Consortium.

Professional Organizations
● Offer credentials through study and examination
● Code of ethics
● Professional networking
● A forum for sharing new technology, ideas, etc.

Recommended Areas of Knowledge
● Access controls
● Cryptography
● Network security
● Risk management
● Application development security
● Legal regulations and compliance
● Operations security