Security Policies and Implementation Issues
Chapter 3
U.S. Compliance Laws and Information Security Policy Requirements
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Understand the relationship between regulatory compliance requirements and information system security policies.
Define cyberterrorism and the nation-state threat
Key Concepts
U.S. compliance laws and their importance
Aligning security policies with regulations
Industry self-regulation through leading practices
Who is protected by regulations
Benefits of using established security frameworks
Cyberterrorism and Nation-State Threats
Cyberterrorism: An attempt to cause fear or major disruptions in a society through computer hacking
Attacks on government computers, major companies, or key areas of the economy
Nation-states: Sovereign countries
Attacks can come from terrorist groups, individuals, or nation-states
Cyberterrorism is often sponsored by nation-states
Government Drivers for Regulations
Three main drivers
Consumer protection
Stable economy
Tax revenue
Drivers are linked
Concerned with economic benefits
[Figure: Security Policy Competing Goals. The three government drivers (stable economy, consumer protection, tax revenue) are set against the competing goals make money, reduce threats, protect public.]
Key Concepts Affecting Policies
Consumer Rights and Privacy
General
Data Privacy
Public Interest
Full Disclosure
Limited Use of Data
Informed Consent
Opt-in/Opt-Out
Examples of U.S. Regulations
| Regulation | Applies to | Regulates |
|---|---|---|
| Federal Information Security Management Act (FISMA) | Federal government; other organizations that process government data | Information security for government agencies |
| Health Insurance Portability and Accountability Act (HIPAA) | Health care providers; health plans; business associates | Privacy of protected health information |
| Gramm-Leach-Bliley Act (GLBA) | Banks; investment companies; other financial services | Customer data privacy |
| Sarbanes-Oxley (SOX) Act | Public corporations | Financial accuracy and public disclosure to investors |
| Family Educational Rights and Privacy Act (FERPA) | Educational institutions | Privacy of student educational records |
| Children’s Internet Protection Act (CIPA) | Schools and libraries that receive federal funding | Access to sexually explicit material on computers |
Regulations Protect
Individuals
Privacy
Consumer rights
Shareholders
Investor trust promotes healthy economy
Public Interest
Obligation beyond self-interest
Impact on industry or economy
National Security
Cyberterrorism threatens targeted company and country’s critical infrastructure
Align Security Policies with Regulations
Map Business Processes to Security Policy
Map Security Policy to Regulations
Map Security Controls to Regulations
Benefits of Using Established Security Frameworks
Proven standards based on years of experience across multiple industries
High-quality end product
Evidence of proper risk management
May suffice for compliance (e.g., COSO/COBIT for SOX)
Security Policies and Controls Mapping to Frameworks
Industry Self-Regulation
Industries self-regulate to avoid government regulation
Self-regulation is less costly and more flexible
Industry standards may turn into
Best practices
Leading practices
Industry Self-Regulation Examples
PCI DSS: Payment Card Industry Data Security Standard
SSAE16: Statement on Standards for Attestation Engagements No. 16
ITIL: Information Technology Infrastructure Library
Roles and Responsibilities
Government Agencies
Regulate information handling at federal and state levels
Privacy and/or Compliance Officer
Determine requirements for inclusion in security policies
Auditors
Review controls and measure compliance
Regulators
Enforce government regulations
Summary
Government drivers for regulations
Aligning security policies with regulations
Drivers behind industry self-regulation
Best practices vs. leading practices
Identifying who is protected by regulations
Benefits of using established security frameworks
Security Policies and Implementation Issues
Chapter 4
Business Challenges Within the Seven Domains of IT Responsibility
Learning Objective
Analyze how security policies help mitigate risks and support business processes in various domains of a typical IT infrastructure.
Key Concepts
Seven domains of a typical IT infrastructure
Aligning security policies with business requirements
Top business risks in each domain
Common security controls for each domain
Mitigating risks within domains with security policies
Seven Domains of a Typical IT Infrastructure
Role of Security Policies Per Domain
| Domain | Role of security policy |
|---|---|
| User | How end users access information resources |
| Workstation | Management and security of computing devices used by end users |
| LAN | Management and security of local area network infrastructure |
| LAN-to-WAN | Management and security of infrastructure controlling LAN-to-WAN communication |
| WAN | Security of data in the wide area network |
| Remote Access | How end users connect to the LAN |
| System/Application | Collecting, processing, and storing information |
Authorization and Access Control
Determines who has access to what
“Who” can be a user, a device, or a service
Example: Role-Based Access Control (RBAC)
Assign permissions to roles
Assign individuals to roles
Benefit:
Reduces administrative overhead
Improves compliance through reduced complexity
Example: Attribute-Based Access Control (ABAC)
Dynamic rather than static roles
Roles expressed in business terms, making them more understandable
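The RBAC and ABAC ideas on this slide, as an added example that is not part of the course material: permissions attach to roles and people attach to roles (RBAC), versus rules evaluated over subject, resource and environment attributes on each request (ABAC). All role names, permissions and attributes are constructed.

```python
# Added example, not from the slides: a minimal RBAC check and an ABAC
# check over constructed sample data, to show how the two models differ.
from dataclasses import dataclass, field

# RBAC: permissions are assigned to roles, and individuals to roles.
ROLE_PERMISSIONS = {  # constructed sample policy
    "billing_clerk": {"invoice:read", "invoice:create"},
    "billing_manager": {"invoice:read", "invoice:create", "invoice:approve"},
    "auditor": {"invoice:read"},
}
USER_ROLES = {"alice": {"billing_clerk"}, "bob": {"auditor"}}

def rbac_allowed(user: str, permission: str) -> bool:
    """Static check: user -> roles -> permissions."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))

def assign_role(user: str, role: str) -> None:
    """One administrative action grants the whole permission set of the role."""
    USER_ROLES.setdefault(user, set()).add(role)

# ABAC: rules are written over attributes of the subject, resource and
# environment, so the decision can change without any role reassignment.
@dataclass
class Request:
    subject: dict   # e.g. {"dept": "finance", "clearance": 2, "job": "auditor"}
    action: str     # e.g. "invoice:approve"
    resource: dict  # e.g. {"owner_dept": "finance", "amount": 50_000}
    env: dict = field(default_factory=dict)  # e.g. {"on_corp_network": True}

def abac_allowed(req: Request) -> bool:
    """Rules expressed in business terms, evaluated per request."""
    s, r, e = req.subject, req.resource, req.env
    same_dept = s.get("dept") == r.get("owner_dept")
    if req.action == "invoice:read":
        return same_dept or s.get("job") == "auditor"
    if req.action == "invoice:approve":
        # Larger invoices need higher clearance, and approval is only
        # allowed from a device on the corporate network.
        needed = 1 if r.get("amount", 0) < 10_000 else 2
        return (same_dept and s.get("clearance", 0) >= needed
                and e.get("on_corp_network", False))
    return False  # default deny for any action the rules do not cover
```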
Role-Based Access Control Concept
Central Management System
Enforces security policy through central management of controls and configuration
Inventory Management
Discovery (software, data)
Patch Management
Help Desk
Log Management
Security Management
Types of LANs: Flat vs. Segmented
| Flat | Segmented |
|---|---|
| No controls on network traffic | Uses network devices to restrict traffic |
| All network traffic visible | Adds more layers of security |
| Relies only on security of servers and workstations | Defense in depth |
| Less secure | More secure |
LAN-to-WAN Topology with DMZ
Virtual Private Networks
Types of WANs
Public Internet
Private WAN
VPNs provide encrypted tunnels through non-secure networks (e.g., Internet)
Benefits
Cheaper than private WANs
Rapid deployment
Authentication
Validation of credentials
Something you know: User ID/password
Something you have: Token (e.g., smartcard)
Something you are: Biometrics
Single-factor: 1 type of credential
Two-factor: 2 different credentials
Multi-factor: More than 1 type of credential
Method must suit the business context
Tokens + User ID/password to access Research & Development workstations
User ID/password to access Web site
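The factor rules on this slide, as an added example that is not part of the course material: the factor count is the number of distinct credential types (know / have / are), not the number of credentials, and each resource states which count and which types its business context requires. Credential names and the two resource policies are constructed.

```python
# Added example, not from the slides: count authentication factors by
# credential type and check them against a per-resource policy.
# Credential names and policies are constructed for illustration.
FACTOR_OF = {
    "password": "know", "pin": "know", "security_question": "know",
    "smartcard": "have", "otp_token": "have",
    "fingerprint": "are", "face": "are",
}

def factors_presented(credentials) -> set:
    """Distinct factor types behind the credentials, e.g. {'know', 'have'}."""
    types = set()
    for cred in credentials:
        if cred not in FACTOR_OF:
            raise ValueError(f"unknown credential type: {cred}")
        types.add(FACTOR_OF[cred])
    return types

def classify(credentials) -> str:
    """Factor count is the number of distinct TYPES, not of credentials:
    a password plus a security question is still single-factor."""
    n = len(factors_presented(credentials))
    if n == 0:
        return "none"
    if n == 1:
        return "single-factor"
    if n == 2:
        return "two-factor"   # the common multi-factor case
    return "multi-factor"

# Policy per resource, matching the business context on the slide:
# token + user ID/password for R&D workstations, user ID/password for the Web site.
RESOURCE_POLICY = {
    "rd_workstation": {"min_factors": 2, "required": {"have"}},
    "web_site": {"min_factors": 1, "required": set()},
}

def authn_satisfies(resource: str, credentials) -> bool:
    """True when enough distinct factors, including any mandatory type, are shown."""
    policy = RESOURCE_POLICY[resource]
    presented = factors_presented(credentials)
    return (len(presented) >= policy["min_factors"]
            and policy["required"] <= presented)
```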
Basic Types of VPN Connectivity
Mitigate Risk Through Policy
Each of the seven IT domains has different types of risks associated with it
Policy can reduce or mitigate these risks
Each policy must address as many risks in that domain as possible
Policies may cross domains
Identify Business Risks
Risks vary by industry and by organization
Using business requirements, follow the data through the seven domains
Map challenges and risks to domains
Some challenges are common
Top Business Risks and Mitigations
| Domain | Challenge | Mitigation |
|---|---|---|
| User | Getting employees to comply with policies | Training, enforcement, reward |
| Workstation | Preventing security breaches | Technical security controls and secure configurations |
| LAN | Availability of the network | Acceptable use policies |
| LAN-to-WAN | Securing the DMZ | Configuration, testing and monitoring |
| WAN | Reliable, fast, cost-effective, and secure access to the Internet | Configuration, technical security controls, roles and responsibilities |
| Remote Access | Securing organization data on mobile devices | Addressing emerging technologies and personally owned devices |
| System/Application | Preventing data breaches | Data loss prevention, regulation of data in storage and transit |
Data Loss Protection
Also called data leakage protection (DLP)
Goal of DLP program is to prevent confidential information from leaving the organization accidentally or maliciously
Layers of defense
Inventory: Identification of data at rest
Perimeter: Monitoring of data in motion
Encryption: Encryption of data outside the network (e.g., mobile devices)
Summary
Role of each domain of a typical IT infrastructure
Identification of business challenges and examples of common business challenges, risks and mitigations
Mitigation of risk by policy, using domains
Examples of domain security controls
Rationale for organizing policies by domain
2 Factor Authentication (Okta)
Examples of Breaches
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
HIPAA Policy Example
https://docs.google.com/a/b-f.com/document/d/1DnpWjWeKMnMZfSG0tc6i5y1u-fWbOsXkA7_8sPBIeME/edit?usp=sharing
SOX project plan for SAP: Brown-Forman
https://docs.google.com/a/b-f.com/presentation/d/1TKQlXPtCAakl0Dh-rruLaev8gfcb-ShAciovtE0uI7k/edit?usp=sharing