ITC358 ICT Management and Information Security
Chapter 4
Information Security Policy
Each problem that I solved became a rule which served
afterwards to solve other problems – René Descartes
1
Objectives
Upon completion of this material you should be able to:
Define information security policy and understand its central role in a successful information security program
Describe the three major types of information security policy and explain what goes into each type
Develop, implement, and maintain various types of information security policies
Management of Information Security, 3rd ed.
2
Introduction
Policy is the essential foundation of an effective information security program
“The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems”
Policy maker sets the tone and emphasis on the importance of information security
Policy objectives
Reduced risk
Compliance with laws and regulations
Assurance of operational continuity, information integrity, and confidentiality
3
Why Policy?
A quality information security program begins and ends with policy
Policies are the least expensive means of control and often the most difficult to implement
Basic rules for shaping a policy
Policy should never conflict with law
Policy must be able to stand up in court if challenged
Policy must be properly supported and administered
4
Why Policy? (cont’d.)
Figure 4-1 The bull’s eye model
Source: Course Technology/Cengage Learning
5
Why Policy? (cont’d.)
Bull’s-eye model layers (outermost to innermost)
Policies: the outer layer, and the first layer of defence
Networks: where threats from public networks first meet the organisation’s networking infrastructure
Systems: servers, desktop computers, and process-control or manufacturing systems
Applications: all application systems
6
Why Policy? (cont’d.)
Policies are important reference documents
For internal audits
For the resolution of legal disputes about management's due diligence
Policy documents can act as a clear statement of management's intent
7
Policy, Standards, and Practices
Policy
A plan or course of action that influences decisions
For policies to be effective they must be properly disseminated, read, understood, agreed-to, and uniformly enforced
Policies require constant modification and maintenance
8
Policy, Standards, and Practices (cont’d.)
Types of information security policy
Enterprise information security program policy
Issue-specific information security policies
Systems-specific policies
Standards
A more detailed statement of what must be done to comply with policy
Practices
Procedures and guidelines explain how employees will comply with policy
9
Policies, Standards, & Practices
Figure 4-2 Policies, standards and practices
Source: Course Technology/Cengage Learning
10
Enterprise Information Security Policy (EISP)
Sets strategic direction, scope, and tone for organisation’s security efforts
Assigns responsibilities for various areas of information security
Guides development, implementation, and management requirements of information security program
11
EISP Elements
EISP documents should provide:
An overview of the corporate philosophy on security
Information about information security organisation and information security roles
Responsibilities for security that are shared by all members of the organisation
Responsibilities for security that are unique to each role within the organisation
12
Example EISP Components
Statement of purpose
What the policy is for
Information technology security elements
Defines information security
Need for information technology security
Justifies importance of information security in the organisation
Information technology security responsibilities and roles
Defines organisational structure
Reference to other information technology standards and guidelines
13
Issue-Specific Security Policy (ISSP)
Provides detailed, targeted guidance
Instructs the organisation in the secure use of a technology system
Begins with introduction to fundamental technological philosophy of the organisation
Protects organisation from inefficiency and ambiguity
Documents how the technology-based system is controlled
14
Issue-Specific Security Policy (cont’d.)
Protects organisation from inefficiency and ambiguity (cont’d.)
Identifies the processes and authorities that provide this control
Indemnifies the organisation against liability for an employee’s inappropriate or illegal system use
15
Issue-Specific Security Policy (cont’d.)
Every organisation’s ISSP should:
Address specific technology-based systems
Require frequent updates
Contain an issue statement on the organisation’s position on an issue
16
Issue-Specific Security Policy (cont’d.)
ISSP topics (with an example of where each is typically enforced)
Email and internet use (acceptable use policy)
Minimum system configurations (e.g. enforced through group policy)
Prohibitions against hacking (e.g. firewall and monitoring controls)
Home use of company-owned computer equipment (remote access/VPN)
Use of personal equipment on company networks (risk of malware introduction)
Use of telecommunications technologies (user training)
Use of photocopy equipment
17
Components of the ISSP
Statement of Purpose
Scope and applicability
Definition of technology addressed
Responsibilities
Authorised Access and Usage of Equipment
User access
Fair and responsible use
Protection of privacy
18
Components of the ISSP (cont’d.)
Prohibited Usage of Equipment
Disruptive use or misuse
Criminal use
Offensive or harassing materials
Copyrighted, licensed or other intellectual property
Other restrictions
19
Components of the ISSP (cont’d.)
Systems management
Management of stored materials
Employer monitoring
Virus protection
Physical security
Encryption
Violations of policy
Procedures for reporting violations
Penalties for violations
20
Components of the ISSP (cont’d.)
Policy review and modification
Scheduled review of policy and procedures for modification
Limitations of liability
Statements of liability or disclaimers
21
Implementing the ISSP
Common approaches
Several independent ISSP documents
A single comprehensive ISSP document
A modular ISSP document that unifies policy creation and administration
The recommended approach is the modular policy
Provides a balance between issue orientation and policy management
22
System-Specific Security Policy
System-specific security policies (SysSPs) frequently do not look like other types of policy
They may function as standards or procedures to be used when configuring or maintaining systems (e.g. service configuration)
SysSPs can be separated into
Management guidance
Technical specifications
Or combined in a single policy document
23
Managerial Guidance SysSPs
Created by management to guide the implementation and configuration of technology
Applies to any technology that affects the confidentiality, integrity or availability of information
Informs technologists of management intent
24
Technical Specifications SysSPs
System administrators’ directions on implementing managerial policy
Each type of equipment has its own type of policies
General methods of implementing technical controls
Access control lists
Configuration rules
25
Technical Specifications SysSPs (cont’d.)
Access control lists
Include the user access lists, matrices, and capability tables that govern the rights and privileges of users
A capability table specifies which subjects and objects a user or group can access; it is the same access information indexed by subject rather than by object
These specifications are frequently complex matrices, rather than simple lists or tables
26
Technical Specifications SysSPs (cont’d.)
Access control lists (cont’d.)
Enable administrators to restrict access according to user, computer, time, duration, or even a particular file
Access control lists regulate
Who can use the system
What authorised users can access
When authorised users can access the system
27
Technical Specifications SysSPs (cont’d.)
Access control lists regulate (cont’d.)
Where authorised users can access the system from
How authorised users can access the system
Restricting what users can access, e.g. printers, files, communications, and applications
Administrators set user privileges
Read, write, create, modify, delete, compare, copy
28
Technical Specifications SysSPs (cont’d.)
Figure 4-5 Windows XP ACL
Source: Course Technology/Cengage Learning
29
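The who/what/when/where/how dimensions above, as an added worked example that is not from the textbook or these slides: a small access matrix exposed both as an ACL (indexed by object) and as a capability table (indexed by subject), plus a check that denies anything not explicitly granted. All subjects, objects, networks and time windows are constructed sample data, and the function names are my own.

```python
"""Access matrix with ACL and capability-table views, plus a who/what/when/where/how check.

Added example, not the textbook's: all subjects, objects, networks and time
windows below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List

# The underlying access matrix: row = subject (who), column = object (what),
# cell = granted privileges. Constructed data.
ACCESS_MATRIX: Dict[str, Dict[str, FrozenSet[str]]] = {
    "alice": {"payroll.db": frozenset({"read", "write"}),
              "printer-3f": frozenset({"print"})},
    "bob":   {"payroll.db": frozenset({"read"})},
    "carol": {"printer-3f": frozenset({"print"}),
              "hr-share": frozenset({"read", "create", "delete"})},
}


def acl_for(obj: str) -> Dict[str, FrozenSet[str]]:
    """ACL view: one object's column, i.e. which subjects hold which privileges on it."""
    return {s: privs[obj] for s, privs in ACCESS_MATRIX.items() if obj in privs}


def capabilities_for(subject: str) -> Dict[str, FrozenSet[str]]:
    """Capability-table view: one subject's row, i.e. every object it may touch."""
    return dict(ACCESS_MATRIX.get(subject, {}))


@dataclass
class Constraint:
    """When (time window), where (source networks) and how (access method) a subject may connect."""
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    networks: List[str] = field(default_factory=lambda: ["0.0.0.0/0"])
    methods: FrozenSet[str] = frozenset({"console", "lan", "vpn"})


# Hypothetical per-subject constraints; subjects without an entry get the permissive default.
CONSTRAINTS: Dict[str, Constraint] = {
    "bob": Constraint(start=time(8, 0), end=time(18, 0),
                      networks=["10.20.0.0/16"], methods=frozenset({"lan"})),
}


def check_access(subject: str, obj: str, privilege: str,
                 at: datetime, source_ip: str, method: str) -> bool:
    """Every dimension must be satisfied; anything not explicitly granted is denied."""
    privs = ACCESS_MATRIX.get(subject, {}).get(obj)
    if privs is None or privilege not in privs:
        return False                     # who/what: no matrix entry -> default deny
    c = CONSTRAINTS.get(subject, Constraint())
    if not (c.start <= at.time() <= c.end):
        return False                     # when
    if not any(ip_address(source_ip) in ip_network(n) for n in c.networks):
        return False                     # where
    if method not in c.methods:
        return False                     # how
    return True


if __name__ == "__main__":
    print("ACL for payroll.db:", acl_for("payroll.db"))
    print("bob's capabilities:", capabilities_for("bob"))
    print(check_access("bob", "payroll.db", "read",
                       datetime(2024, 3, 4, 10, 30), "10.20.5.7", "lan"))   # in window, on LAN
    print(check_access("bob", "payroll.db", "read",
                       datetime(2024, 3, 4, 19, 0), "10.20.5.7", "lan"))    # after hours
```

The point to take from the matrix is that ACLs and capability tables are two indexes over the same rights, so whichever one a system stores, the technical SysSP should state the rights in a way that can be audited from either direction. The check itself is written as a chain of independent denials so that a request has to pass every dimension; a missing constraint entry falls back to a permissive default here, which is itself a policy decision that the SysSP should make explicit.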
Technical Specifications SysSPs (cont’d.)
Configuration rules
Specific configuration codes entered into security systems
Guide the execution of the system when information is passing through it
Rule policies are more specific to system operation than ACLs
May or may not deal with users directly
30
Technical Specifications SysSPs (cont’d.)
Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process
31
Technical Specifications SysSPs (cont’d.)
Figure 4-6 Firewall configuration rules
Source: Course Technology/Cengage Learning
32
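Configuration rules of the kind shown in Figure 4-6 are evaluated in order, and the order is part of the policy. The following added example (mine, not the textbook's figure) models an ordered firewall rule set with first-match semantics and an implicit deny, and adds a check for rules that can never fire because an earlier rule already covers them. The rule table and the generic field names are constructed for illustration and do not follow any particular vendor's syntax.

```python
"""Ordered firewall rule set: first match wins, default deny, and a check for shadowed rules.

Added example, not Figure 4-6: the rule table is constructed sample data and the
field names are generic notation, not a particular vendor's syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    src: str                  # source network, CIDR
    dst: str                  # destination network, CIDR
    proto: str                # "tcp", "udp", "icmp" or "any"
    dports: Tuple[int, int]   # inclusive destination port range; (0, 65535) = any


def rule_matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    return (ip_address(src_ip) in ip_network(rule.src)
            and ip_address(dst_ip) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dports[0] <= dport <= rule.dports[1])


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: int) -> Tuple[str, Optional[str]]:
    """Walk the rules in order; the first match decides. No match -> implicit deny."""
    for r in rules:
        if rule_matches(r, src_ip, dst_ip, proto, dport):
            return r.action, r.name
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers everything they match."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.proto in ("any", later.proto)
                    and earlier.dports[0] <= later.dports[0]
                    and later.dports[1] <= earlier.dports[1]):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed rule table for a single public web server at 203.0.113.10.
RULES = [
    Rule("allow-web",       "allow", "0.0.0.0/0",   "203.0.113.10/32", "tcp", (443, 443)),
    Rule("allow-admin-ssh", "allow", "10.0.1.0/24", "203.0.113.10/32", "tcp", (22, 22)),
    Rule("deny-all",        "deny",  "0.0.0.0/0",   "0.0.0.0/0",       "any", (0, 65535)),
]

# Same rules, with the catch-all deny moved above the SSH allow: the allow is now dead.
MISORDERED = [RULES[0], RULES[2], RULES[1]]

if __name__ == "__main__":
    print(evaluate(RULES, "10.0.1.7", "203.0.113.10", "tcp", 22))        # ('allow', 'allow-admin-ssh')
    print(evaluate(MISORDERED, "10.0.1.7", "203.0.113.10", "tcp", 22))   # ('deny', 'deny-all')
    print(shadowed_rules(MISORDERED))                                      # ['allow-admin-ssh']
```

Two things the slide's text only states in the abstract become visible here: a rule set with no final catch-all still denies unmatched traffic only if the device implements an implicit deny (the example does; a technical SysSP should say whether the real device does), and moving a broad rule above a narrow one silently disables the narrow one. A shadowing check like this is the kind of verification a SysSP should require whenever a rule base is changed.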
Technical Specifications SysSPs (cont’d.)
Often organisations create a single document combining elements of both management guidance and technical specifications SysSPs
This can be confusing, but practical
Care should be taken to articulate the required actions carefully as the procedures are presented
33
Figure 4-7 IDPS configuration rules
Source: Course Technology/Cengage Learning
34
Guidelines for Effective Policy
For policies to be effective, they must be properly:
Developed using industry-accepted practices
Distributed or disseminated using all appropriate methods
Reviewed or read by all employees
Understood by all employees
Formally agreed to by act or assertion
Uniformly applied and enforced
35
Developing Information Security Policy
It is often useful to view policy development as a two-part project
First, design and develop the policy (or redesign and rewrite an outdated policy)
Second, establish management processes to perpetuate the policy within the organisation
The former is an exercise in project management, while the latter requires adherence to good business practices
36
Developing Information Security Policy (cont’d.)
Policy development projects should be
Well planned
Properly funded
Aggressively managed to ensure that they are completed on time and within budget
The policy development project can be guided by the SecSDLC process
37
Developing Information Security Policy (cont’d.)
Investigation phase
Obtain support from senior management, and active involvement of IT management, specifically the CIO
Clearly articulate the goals of the policy project
Gain participation of correct individuals affected by the recommended policies
38
Developing Information Security Policy (cont’d.)
Investigation phase (cont’d.)
Involve legal, human resources and end-users
Assign a project champion with sufficient stature and prestige
Acquire a capable project manager
Develop a detailed outline of and sound estimates for project cost and scheduling
39
Developing Information Security Policy (cont’d.)
Analysis phase should produce
New or recent risk assessment or IT audit documenting the current information security needs of the organisation
Key reference materials
Including any existing policies
40
Developing Information Security Policy (cont’d.)
Figure 4-8 End user license agreement for Microsoft Windows XP
41
Developing Information Security Policy (cont’d.)
Design phase includes
How the policies will be distributed
How verification of the distribution will be accomplished
Specifications for any automated tools
Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified
42
Developing Information Security Policy (cont’d.)
Implementation phase includes
Writing the policies
Making certain the policies are enforceable as written
Policy distribution is not always straightforward
Effective policy is written at a reasonable reading level, and attempts to minimise technical jargon and management terminology
43
Developing Information Security Policy (cont’d.)
Maintenance Phase
Maintain and modify the policy as needed to ensure that it remains effective as a tool to meet changing threats
The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously
Periodic review should be built in to the process
44
Policy Comprehension
Figure 4-9 Readability statistics
Source: Course Technology/Cengage Learning
45
Automated Tools
Figure 4-10 The VigilEnt policy center
46
The Information Security Policy Made Easy Approach
Gathering key reference materials
Defining a framework for policies
Preparing a coverage matrix
Making critical systems design decisions
Structuring review, approval, and enforcement processes
47
The Information Security Policy Made Easy Approach (cont’d.)
Figure 4-11 A sample coverage matrix
Source: Course Technology/Cengage Learning
48
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist
Perform a risk assessment or information technology audit
To determine your organisation's unique information security needs
Clarify the meaning of “policy” within your organisation
Ensure clear roles and responsibilities related to information security
Including responsibility for issuing and maintaining policies
49
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Convince management that it is advisable to have documented information security policies
Identify the top management staff who will be approving the final information security document and all influential reviewers
Collect, read and summarise all existing internal information security awareness material
50
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Gather ideas that stakeholders believe should be included in a new or updated information security policy
Examine other policies issued by your organisation
to identify prevailing format, style, tone, length, and cross-references
Identify the audience and distribution method of information security policy materials
51
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Determine the extent to which the audience is literate, computer knowledgeable, and receptive to security messages
Decide whether some other awareness efforts must take place before information security policies are issued
Using ideas from the risk assessment, prepare a list of absolutely essential policy messages that must be communicated
52
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
If there is more than one audience, match the audiences with the bottom-line messages to be communicated through a coverage matrix
Determine how the policy material will be disseminated, noting the constraints and implications of each medium of communication
53
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Review the compliance checking process, disciplinary process, and enforcement process to ensure that they all can work smoothly with the new policy document
Determine whether the number of messages is too large to be handled all at one time
If so, identify different categories of material to be issued at different times
54
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Outline the topics to be included in the first document reviewed by several stakeholders
Based on comments from the stakeholders, revise the initial outline and prepare a first draft
Have the first draft reviewed by stakeholders for initial reactions, suggestions, and implementation ideas
Revise the draft in response to comments from stakeholders
55
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Request top management approval on the policy
Prepare extracts of the policy document for selected purposes
Develop an awareness plan that uses the policy document as a source of ideas and requirements
56
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Create a working papers memo indicating the disposition of all comments received from reviewers, even if no changes were made
Write a lessons-learned memo about the project so that the next version can be prepared more efficiently, better received, and more responsive
Prepare a list of next steps to implement the requirements specified in the policy document
57
The Information Security Policy Made Easy Approach (cont’d.)
ISPME next steps
Post policies to intranet or equivalent
Develop a self-assessment questionnaire
Develop revised user ID issuance form
Develop agreement to comply with information security policies form
Develop tests to determine if workers understand policies
Assign information security coordinators
Train information security coordinators
58
The Information Security Policy Made Easy Approach (cont’d.)
ISPME next steps (cont’d.)
Prepare and deliver a basic information security training course
Develop application specific information security policies
Develop a conceptual hierarchy of information security requirements
Assign information ownership and custodianship
59
The Information Security Policy Made Easy Approach (cont’d.)
ISPME next steps (cont’d.)
Establish an information security management committee
Develop an information security architecture document
60
SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems
NIST Special Publication 800-18, Rev. 1 reinforces a business process-centered approach to policy management
Policies are living documents
These documents must be properly disseminated (distributed, read, understood and agreed to), and managed
61
SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems (cont’d.)
Good management practices for policy development and maintenance make for a more resilient organisation
Policy requirements
An individual responsible for reviews
A schedule of reviews
A method for making recommendations for reviews
An indication of policy and revision date
62
A Final Note on Policy
Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasise the preventative nature of policy
Policies exist, first and foremost, to inform employees of what is and is not acceptable behaviour in the organisation
Policy seeks to improve employee productivity, and prevent potentially embarrassing situations
63
Summary
Introduction
Why Policy?
Enterprise Information Security Policy
Issue-Specific Security Policy
System-Specific Policy
Guidelines for Policy Development
64