Practical connection - Operations Security

Colin Horn
9781284199840_SLID_CH06.pptx

CHAPTER 6

IT Security Policy Frameworks

Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.


Learning Objective(s) and Key Concepts

Learning Objective(s)

Describe issues related to information systems security (ISS) policy implementation and enforcement.

Key Concepts

Building blocks of a security policy framework

Types of documents for a security policy framework

Information systems security (ISS) and information assurance considerations

Considerations for creating a security policy framework


What Is an IT Policy Framework?

Includes policies, standards, baselines, procedures, guidelines, and a taxonomy

Many frameworks resemble a hierarchy or tree

An organization’s security posture is often expressed in terms of risk appetite and risk tolerance

Risk appetite

Generally refers to how much risk an organization is willing to accept to achieve its goal

Risk tolerance

The amount of variance in a process or outcome the organization will accept before it acts, measured against its risk appetite


A Policy and Standards Library Framework

FIGURE 6-1 A policy and standards library framework.


Charting Risk Appetite

FIGURE 6-2 Charting risk appetite.


What Is a Program Framework Policy or Charter? (1 of 2)


High-level policy defines:

The program’s purpose and mission

The program’s scope within the organization

Assignment of responsibilities for program implementation

Compliance management

What Is a Program Framework Policy or Charter? (2 of 2)


Purpose and Mission: States the purpose and mission of the program

Scope: Specifies what the program covers

Responsibilities: States the responsibilities of personnel and departments related to the program

Compliance: Should address enforcement of the policy; for example, what happens if someone doesn’t comply with computer security policies?

Industry-Standard Policy Frameworks


ISO/IEC 27002:2013 (superseded by the 2022 edition)

ISO/IEC 30105

ISO/IEC 27007

NIST Special Publication (SP) 800-53

What Is a Policy?

High-level statements of beliefs, goals, and objectives

Help protect an organization’s resources and guide employee behavior

Provide the “what” and “why” of security measures

Lack of information security policies and enforcement leaves an organization vulnerable to data breaches, business interruptions, and legal liabilities

Policies describe:

Details of how a program runs

Who is responsible for day-to-day work

How training and awareness are conducted

How compliance is handled


What Are Standards?

Formal documents that establish:

Uniform criteria that you can evaluate and measure

Methods to accomplish a goal

Repeatable processes and practices for compliance with policies

Issue-specific standard

Focuses on an area of current relevance and concern to your company

System-specific standard, or baseline standard

Focuses on the secure configuration of a specific system, device, operating system, or application


What Are Procedures?

Written instructions on how to comply with a standard

A specific series of actions or operations that are executed in the same manner repeatedly

Support the policy framework and associated standards by codifying the steps that are proven to yield compliant systems

Examples: Incident reporting, server configuration, emergency evacuation


Procedures should be:

Clear and unambiguous

Repeatable

Up to date

Tested

Documented

What Are Guidelines?

Assist people in developing procedures or processes with best practices that other people have found useful

Can clarify issues or problems that have arisen after the publication of a standard

Provide the people who implement standards or baselines more detailed information and guidance (hints, tips, processes, etc.) to aid in compliance

Are optional in a library but are often helpful

May become a standard when their adoption is widely accepted and implemented


Business Considerations for the Framework


Cost

Cost of implementing and maintaining the framework

Impact

Impact of the controls required by the framework on employees, customers, and business processes

Roles for Policy and Standards Development and Compliance (1 of 2)


CISO

Establishes and maintains security and risk management programs for information resources

Information resources manager

Maintains policies and procedures that provide for security and risk management of information resources

Information resources security officer

Directs policies and procedures designed to protect information resources, identifies vulnerabilities, and develops the security awareness program

Owners of information resources

Responsible for carrying out the program that uses the resources; does not imply personal ownership

Roles for Policy and Standards Development and Compliance (2 of 2)


Custodians of information resources

Provide technical facilities, data processing, and other support services to owners and users of information resources

Technical managers

Provide technical support for security of information resources

Internal auditors

Conduct periodic risk-based reviews to ensure the effectiveness of information resources security policies and procedures

Control partners

Ensure that security policies result in operational compliance with risk appetite and regulatory requirements

Users

Have access to information resources in accordance with the owner-defined controls and access rules

Information Assurance Considerations


Confidentiality

Integrity

Availability

Best Practices for IT Security Policy Framework Creation

When implementing policies, use various methods to spread the word throughout your organization, such as presentations, videos, panel discussions, road shows, and newsletters

Introduce computer security policies in a manner that ensures that management’s support is clear, especially where employees feel overwhelmed with policies, directives, guidelines, and procedures

State core principles in the form of goals up front; this defines “what” the framework must achieve

Get buy-in on the “what,” and then get others to work together with you on the “how”

Gain ownership from key user groups by offering them choices on how to achieve policy goals


Case Studies and Examples (1 of 2)

Private Sector 1: Alberta Health Services

Established a policy development and document management framework

Goes beyond policy creation and approval

Has a whole section on policy implementation, and a section on how to review the policy and evaluate its efficacy

Private Sector 2: University of Huddersfield in England

Published a policy development framework

Describes a policy owner responsible for the development and dissemination of the policy as well as maintenance and review

Suggests, when needed, consultation with subject matter experts

A large section is devoted to approval of policies and policy changes


Case Studies and Examples (2 of 2)

Public Sector: State of Tennessee

Used ISO/IEC 17799 (renumbered ISO/IEC 27002 in 2007)

Policies and frameworks covered all information assets owned, leased, or controlled by the State of Tennessee

Controlled the practices of external parties that need access to the State of Tennessee’s information resources

Private Sector 3: Target Corporation

December 2013 point-of-sale (POS) data breach

40 million payment card records stolen

70 million records containing PII

One of the largest data breaches of its kind at the time

Attackers entered with network credentials stolen from a third-party vendor and moved from there to the POS systems, exposing serious weaknesses in the information security framework and related controls (vendor access, network segmentation, and alert handling)


Summary

Building blocks of a security policy framework

Types of documents for a security policy framework

Information systems security (ISS) and information assurance considerations

Considerations for creating a security policy framework


10/10/2020
