Discussion
IT Policy Frameworks
Lesson 4
Security Policy and Standards
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Security Policies and Implementation Issues
Part I
1. Introduction
2. Policy
3. Enterprise Information Security Policy
4. Issue-Specific Security Policy (ISSP)
5. System-Specific Policy
6. Guidelines for Policy Management
7. Another Approach to Policy Development
Introduction
This chapter focuses on information security policy:
What it is
How to write it
How to implement it
How to maintain it
Policy
Policy is the essential foundation of an effective infosec program
The success of an information resources protection program depends on the policy generated, & on the attitude of management toward securing information on automated systems.
You, the policy maker, set the tone & the emphasis on how important a role infosec will have within your agency.
Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws & regulations, & assurance of operational continuity, information integrity, & confidentiality.
A quality infosec program begins & ends with policy
Policies are the least expensive means of control & often the most difficult to implement
Basic rules to follow when shaping policy:
Never conflict with law
Stand up in court
Properly supported and administered
Contribute to the success of the organization
Involve end users of information systems
Focus on the systemic solutions, not specifics
Bulls-eye model layers
1. Policies: the outermost layer, the first layer of defense
2. Networks: where threats first meet the organization's network
3. Systems: computers & manufacturing systems
4. Applications: all application systems
Policies are important reference documents for internal audits & for resolution of legal disputes about management’s due diligence
Policy documents can act as a clear statement of management’s intent
Policy: plan or course of action that influences & determines decisions
Standards: more detailed statement of what must be done to comply with policy
Practices, procedures & guidelines: explain how employees will comply with policy
For policies to be effective, they must be:
Properly disseminated
Read
Understood
Agreed-to
Policies require constant modification & maintenance
In order to produce a complete infosec policy, management must define 3 types of infosec policy:
Enterprise infosec program policy
Issue-specific infosec policies
Systems-specific infosec policies
Enterprise InfoSec Policy (EISP)
Sets strategic direction, scope, & tone for organization’s security efforts
Assigns responsibilities for various areas of infosec
Guides development, implementation, & management requirements of infosec program
EISP documents should provide:
An overview of corporate philosophy on security
Information about infosec organization & infosec roles:
Responsibilities for security shared by all organization members
Responsibilities for security unique to each organizational role
Components of the EISP
Statement of Purpose: What the policy is for
Information Technology Security Elements: Defines infosec
Need for Information Technology Security: justifies importance of infosec in the organization
Information Technology Security Responsibilities & Roles: Defines organizational structure
References Information Technology standards & guidelines
Sample EISP
Protection Of Information: Information must be protected in a manner commensurate with its sensitivity, value, & criticality
Use Of Information: Company X information must be used only for business purposes expressly authorized by management
Information Handling, Access, & Usage: Information is a vital asset & all accesses to, uses of, & processing of Company X information must be consistent with policies & standards
Data & Program Damage Disclaimers: Company X disclaims any responsibility for loss or damage to data or software that results from its efforts to protect the confidentiality, integrity, & availability of the information handled by computers & communications systems
Legal Conflicts: Company X infosec policies were drafted to meet or exceed the protections found in existing laws & regulations, & any Company X infosec policy believed to be in conflict with existing laws or regulations must be promptly reported to infosec management
Exceptions To Policies: Exceptions to infosec policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a standard risk acceptance form has been prepared by the data owner or management, & where this form has been approved by both InfoSec management & Internal Audit management
Policy Non-Enforcement: Management's non-enforcement of any policy requirement does not constitute its consent
Violation Of Law: Company X management must seriously consider prosecution for all known violations of the law
Revocation Of Access Privileges: Company X reserves the right to revoke a user’s information technology privileges at any time
Industry-Specific InfoSec Standards: Company X information systems must employ industry-specific infosec standards
Use Of infosec Policies & Procedures: All Company X infosec documentation including, but not limited to, policies, standards, & procedures, must be classified as “Internal Use Only,” unless expressly created for external business processes or partners
Security Controls Enforceability: All information systems security controls must be enforceable prior to being adopted as a part of standard operating procedure
Issue-Specific Security Policy (ISSP)
Provides detailed, targeted guidance to instruct organization in secure use of tech systems
Begins with intro to fundamental technological philosophy of organization
Serves to protect employee & organization from inefficiency/ambiguity
Documents how technology-based system is controlled
Identifies processes & authorities that provide this control
Serves to indemnify organization against liability for inappropriate or illegal system use
ISSP should
Address specific technology-based systems
Require frequent updates
Contain an issue statement on the organization’s position on an issue
ISSP topics could include
use of Internet & World Wide Web
specific minimum configurations of computers to defend against malware
prohibitions against hacking or testing organization security controls
home use of company-owned computer equipment
use of personal equipment on company networks
use of telecommunications technologies
use of photocopy equipment
Components of the ISSP
Statement of Purpose:
Scope & Applicability
Definition of Technology Addressed
Responsibilities
Authorized Access & Usage of Equipment:
User Access
Fair & Responsible Use
Protection of Privacy
Prohibited Usage of Equipment:
Disruptive Use or Misuse
Criminal Use
Offensive or Harassing Materials
Copyrighted, Licensed, or other Intellectual Property
Other Restrictions
Systems Management:
Management of Stored Materials
Employer Monitoring
Virus Protection
Physical Security
Encryption
Violations of Policy:
Procedures for Reporting Violations
Penalties for Violations
Policy Review & Modification:
Scheduled Review of Policy & Procedures for Modification
Limitations of Liability:
Statements of Liability or Disclaimers
Common approaches to implementing ISSP
Number of independent ISSP documents
Single comprehensive ISSP document
Modular ISSP document that unifies policy creation & administration
Recommended approach is modular policy, which provides a balance between issue orientation & policy management
Systems-Specific Policies (SysSPs)
SysSPs are often created to function as standards or procedures to be used when configuring or maintaining systems
SysSPs can be separated into:
Management guidance
Technical specifications
Combined in a single policy document
Management Guidance SysSPs
Created by management to guide the implementation & configuration of technology
Applies to any technology that affects the confidentiality, integrity or availability of information
Informs technologists of management intent
Technical Specifications SysSPs
System administrators’ directions on implementing managerial policy
Each type of equipment has its own type of policies
Two general methods of implementing such technical controls:
1. Access control lists
2. Configuration rules
Access Control Lists
ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file
Include user access lists, matrices, & capability tables that govern rights & privileges
Can control access to file storage systems, object brokers, or other network communications devices
Capability Table: similar method that specifies which subjects & objects users or groups can access
Specifications are frequently complex matrices, rather than simple lists or tables
Level of detail & specificity (often called granularity) may vary from system to system
ACLs regulate
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the system from
How authorized users can access the system
Restricting what users can access, e.g. printers, files, communications, & applications
ACL Administrators set user privileges
Read
Write
Create
Modify
Delete
Compare
Copy
Configuration rules are specific configuration codes entered into security systems to guide execution of system when information is passing through it
Rule policies are more specific to system operation than ACLs & may or may not deal with users directly
Many security systems require specific configuration scripts telling systems what actions to perform on each set of information processed
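The two technical-specification mechanisms described above, an ACL that decides by who, what, when, where and how (user or group, object, privilege, time of day, source network, access method) and configuration rules that act on traffic with first match wins and an implicit final deny, as an added example in Python. This is illustrative code written for this page, not from the book or any product; the users, groups, object paths, networks, rule set and sample requests are constructed.

```python
"""Added example (not from the book): a small evaluator for a system-specific
technical specification that uses both mechanisms the page names, an access
control list and a set of configuration rules. Users, groups, objects,
networks, rules and requests below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Privilege vocabulary as listed on the page.
PRIVILEGES = {"read", "write", "create", "modify", "delete", "compare", "copy"}

# Constructed group membership; a real system reads this from the directory.
GROUPS = {"alice": {"payroll-clerks"}, "bob": {"developers"}}


@dataclass(frozen=True)
class AclEntry:
    subject: str                       # who: a user or a group name
    obj: str                           # what: the protected object
    privileges: frozenset              # which rights: subset of PRIVILEGES
    start: str = "00:00"               # when: earliest time of day (zero-padded HH:MM)
    end: str = "23:59"                 # when: latest time of day
    from_nets: tuple = ("0.0.0.0/0",)  # where: permitted source networks (CIDR)
    methods: tuple = ("ssh", "https")  # how: permitted access methods


ACL = [
    AclEntry("payroll-clerks", "/fin/payroll.db",
             frozenset({"read", "write", "modify"}),
             start="07:00", end="19:00",
             from_nets=("10.20.0.0/16",), methods=("https",)),
    AclEntry("developers", "/src/app",
             frozenset({"read", "write", "create", "modify", "delete", "copy"})),
    # A user-specific entry layered on the group entry: alice may copy the
    # payroll database, but only from the finance subnet.
    AclEntry("alice", "/fin/payroll.db", frozenset({"copy"}),
             from_nets=("10.20.5.0/24",), methods=("https",)),
]


def acl_decision(user: str, obj: str, privilege: str, when: str,
                 src_ip: str, method: str) -> Tuple[bool, str]:
    """Default deny. Access is granted only if some entry names the user or
    one of their groups for this object and privilege AND that entry's time,
    source-network and method constraints all hold. The reason string says
    which constraint failed, which is what an auditor asks for.
    Times are zero-padded HH:MM strings, so plain string comparison is correct."""
    if privilege not in PRIVILEGES:
        return False, f"unknown privilege {privilege!r}"
    subjects = {user} | GROUPS.get(user, set())
    addr = ip_address(src_ip)
    reasons = []
    for e in ACL:
        if e.subject not in subjects or e.obj != obj or privilege not in e.privileges:
            continue
        if not (e.start <= when <= e.end):
            reasons.append(f"{e.subject}: outside window {e.start}-{e.end}")
        elif not any(addr in ip_network(net) for net in e.from_nets):
            reasons.append(f"{e.subject}: {src_ip} not in {e.from_nets}")
        elif method not in e.methods:
            reasons.append(f"{e.subject}: method {method!r} not permitted")
        else:
            return True, f"granted by entry for {e.subject} on {e.obj}"
    return False, "; ".join(reasons) or "no matching ACL entry (default deny)"


@dataclass(frozen=True)
class Rule:
    """A firewall-style configuration rule: it knows nothing about users."""
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    dport: Optional[int]  # destination port, None matches any


# Constructed rule set: first match wins, anything unmatched is dropped.
RULES = [
    Rule("allow", "tcp", "10.20.0.0/16", "10.20.9.10/32", 443),   # clients -> payroll app
    Rule("deny",  "any", "0.0.0.0/0",    "10.20.9.10/32", None),  # nothing else reaches it
    Rule("allow", "tcp", "10.0.0.0/8",   "0.0.0.0/0",     22),    # admin SSH from corp
]


def filter_packet(proto: str, src_ip: str, dst_ip: str,
                  dport: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); ('deny', None) means the
    implicit final deny fired because no rule matched."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for i, r in enumerate(RULES):
        if r.proto != "any" and r.proto != proto:
            continue
        if s not in ip_network(r.src) or d not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None


if __name__ == "__main__":
    print(acl_decision("alice", "/fin/payroll.db", "write", "09:00", "10.20.3.4", "https"))
    print(acl_decision("alice", "/fin/payroll.db", "write", "22:00", "10.20.3.4", "https"))
    print(acl_decision("alice", "/fin/payroll.db", "copy", "09:00", "10.20.3.4", "https"))
    print(filter_packet("tcp", "10.20.3.4", "10.20.9.10", 443))
    print(filter_packet("tcp", "10.20.3.4", "10.20.9.10", 22))
```

Both evaluators are default deny: the ACL grants only when an entry matches on every dimension and otherwise reports which constraint failed, and the rule set drops anything no rule matches. Note how the two interlock in this constructed setup: the ACL permits payroll clerks over HTTPS only from 10.20.0.0/16, and rule 0 is the only path to the payroll host on port 443, so changing one without the other silently breaks or loosens the control.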
Combination SysSPs
Often organizations create a single document combining elements of both Management Guidance & Technical Specifications SysSPs
While this can be confusing, it is very practical
Care should be taken to articulate required actions carefully as procedures are presented
Guidelines for Policy Development
Often useful to view policy development as a two-part project:
1. Design & develop policy (or redesign & rewrite outdated policy)
2. Establish management processes to perpetuate policy within organization
The former is an exercise in project management, while the latter requires adherence to good business practices
Policy development or re-development projects should be well planned, properly funded, & aggressively managed to ensure completion on time & within budget
When a policy development project is undertaken, the project can be guided by the SecSDLC process
1. Investigation Phase
The policy development team should:
Obtain support from senior management, & active involvement of IT management, specifically CIO
Clearly articulate goals of policy project
Gain participation of correct individuals affected by recommended policies
Include representatives from Legal, Human Resources & end users
Assign a project champion with sufficient stature & prestige
Acquire a capable project manager
Develop a detailed outline of, & sound estimates for, the cost & scheduling of the project
2. Analysis Phase
Should draw on the following inputs:
New or recent risk assessment or IT audit documenting the current infosec needs of the organization
Key reference materials, including any existing policies
3 & 4. Design phase
Should include:
How policies will be distributed
How verification of distribution will be accomplished
Specifications for any automated tools
Revisions to feasibility analysis reports based on improved costs & benefits as design is clarified
5. Implementation Phase
Write the policies!
Make certain policies are enforceable as written
Policy distribution is not always as straightforward as it may seem
Effective policy:
Is written at a reasonable reading level
Attempts to minimize technical jargon & management terminology
The InfoSec Policy Made Easy Approach (ISPME)
Gathering Key Reference Materials
Defining A Framework For Policies
Preparing A Coverage Matrix
Making Critical Systems Design Decisions
Structuring Review, Approval, & Enforcement Processes
ISPME Checklist
Perform risk assessment or information technology audit to determine your org’s unique infosec needs
Clarify what “policy” means within your org so that you are not preparing a “standard,” “procedure,” or some other related material
Ensure that roles & responsibilities related to infosec are clarified, including responsibility for issuing & maintaining policies
Convince management that it is advisable to have documented infosec policies
Identify top management staff who will be approving final infosec document & all influential reviewers
Collect & read all existing internal infosec awareness material & make a list of the included bottom-line messages
Conduct a brief internal survey to gather ideas that stakeholders believe should be included in a new or updated infosec policy
Examine other policies issued by your organization, such as those from HR management, to identify prevailing format, style, tone, length, & cross-references
Identify audience to receive infosec policy materials & determine whether they will each get a separate document or a separate page on an intranet site
Determine extent to which audience is literate, computer knowledgeable, & receptive to security messages
Decide whether some other awareness efforts must take place before infosec policies are issued
Using ideas from the risk assessment, prepare a list of absolutely essential policy messages that must be communicated
If there is more than one audience, match the audiences with the bottom-line messages to be communicated through a coverage matrix.
Determine how the policy material will be disseminated, noting the constraints & implications of each medium of communication
Review compliance checking, disciplinary, & enforcement processes to ensure they all can work smoothly with new policy document
Determine whether number of messages is too large to be handled all at one time, & if so, identify different categories of material that will be issued at different times
Have an outline of topics to be included in the first document reviewed by several stakeholders
Based on comments from stakeholders, revise initial outline & prepare a first draft
Have first draft document reviewed by stakeholders for initial reactions, presentation suggestions, & implementation ideas
Revise draft in response to comments from stakeholders
Request top management approval on policy
Prepare extracts of policy document for selected purposes
Develop awareness plan that uses policy document as a source of ideas & requirements
Create working papers memo indicating disposition of all comments received from reviewers, even if no changes were made