Practical connection - Operations Security
CHAPTER 6
IT Security Policy Frameworks
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Learning Objective(s):
Describe issues related to information systems security (ISS) policy implementation and enforcement.
Key Concepts:
Building blocks of a security policy framework
Types of documents for a security policy framework
Information systems security (ISS) and information assurance considerations
Considerations for creating a security policy framework
What Is an IT Policy Framework?
Includes policies, standards, baselines, procedures, guidelines, and a taxonomy
Many frameworks resemble a hierarchy or tree
An organization’s security posture is often expressed in terms of risk appetite and risk tolerance
Risk appetite
Generally refers to how much risk an organization is willing to accept to achieve its goal
Risk tolerance
Relates to how much variance in the process an organization will accept
A Policy and Standards Library Framework
FIGURE 6-1 A policy and standards library framework.
Charting Risk Appetite
FIGURE 6-2 Charting risk appetite.
What Is a Program Framework Policy or Charter? (1 of 2)
High-level policy defines:
The program’s purpose and mission
The program’s scope within the organization
Assignment of responsibilities for program implementation
Compliance management
What Is a Program Framework Policy or Charter? (2 of 2)
Purpose and Mission: States the purpose and mission of the program
Scope: Specifies what the program covers
Responsibilities: States the responsibilities of personnel and departments related to the program
Compliance: Should address enforcement of the policy; for example, what happens if someone doesn’t comply with computer security policies?
Industry-Standard Policy Frameworks
ISO/IEC 27002 (2015)
ISO/IEC 30105
ISO 27007
NIST Special Publication (SP) 800-53
What Is a Policy?
High-level statements, beliefs, goals, and objectives
Helps protect an organization’s resources and guide employee behavior
Provide the “what” and “why” of security measures
Lack of information security policies and enforcement leaves an organization vulnerable to data breaches, business interruptions, and legal liabilities
Policies describe:
Details of how a program runs
Who is responsible for day-to-day work
How training and awareness are conducted
How compliance is handled
What Are Standards?
Formal documents that establish:
Uniform criteria that you can evaluate and measure
Methods to accomplish a goal
Repeatable processes and practices for compliance with policies
Issue-specific standard
Focuses on an area of current relevance and concern to your company
System-specific standard, or baseline standard
Focuses on the secure configuration of a specific system, device, operating system, or application
What Are Procedures?
Written instructions on how to comply with a standard
A specific series of actions or operations that are executed in the same manner repeatedly
Support the policy framework and associated standards by codifying the steps that are proven to yield compliant systems
Examples: Incident reporting, server configuration, emergency evacuation
Procedures should be:
Clear and unambiguous
Repeatable
Up to date
Tested
Documented
What Are Guidelines?
Assist people in developing procedures or processes with best practices that other people have found useful
Can clarify issues or problems that have arisen after the publication of a standard
Provide the people who implement standards or baselines more detailed information and guidance (hints, tips, processes, etc.) to aid in compliance
Are optional in a library but are often helpful
May become a standard when their adoption is widely accepted and implemented
Business Considerations for the Framework
Cost
Cost of implementing and maintaining the framework
Impact
Impact of the controls required by the framework on employees, customers, and business processes
Roles for Policy and Standards Development and Compliance (1 of 2)
CISO
Establishes and maintains security and risk management programs for information resources
Information resources manager
Maintains policies and procedures that provide for security and risk management of information resources
Information resources security officer
Directs policies and procedures designed to protect information resources, identifies vulnerabilities, and develops security awareness program
Owners of information resources
Responsible for carrying out the program that uses the resources; does not imply personal ownership
Roles for Policy and Standards Development and Compliance (2 of 2)
Custodians of information resources
Provide technical facilities, data processing, and other support services to owners and users of information resources
Technical managers
Provide technical support for security of information resources
Internal auditors
Conduct periodic risk-based reviews to ensure the effectiveness of information resources security policies and procedures
Control partners
Ensure that security policies result in operational compliance with risk appetite and regulatory requirements
Users
Have access to information resources in accordance with the owner-defined controls and access rules
Information Assurance Considerations
Confidentiality
Integrity
Availability
Best Practices for IT Security Policy Framework Creation
When implementing policies, use various methods to spread the word throughout your organization, such as presentations, videos, panel discussions, road shows, and newsletters
Introduce computer security policies in a manner that ensures that management’s support is clear, especially where employees feel overwhelmed with policies, directives, guidelines, and procedures
State core principles in the form of goals upfront. This defines “what” the framework must achieve
Get buy-in on the “what,” and then get others to work together with you on the “how”
Gain ownership from key user groups by offering them choices on how to achieve policy goals
Case Studies and Examples (1 of 2)
Private Sector 1: Alberta Health Services
Established a policy development and document management framework
Goes beyond policy creation and approval
Has a whole section on policy implementation, and a section on how to review the policy and evaluate its efficacy
Private Sector 2: University of Huddersfield in England
Published a policy development framework
Describes a policy owner responsible for the development and dissemination of the policy as well as its maintenance and review
Suggests consultation with subject matter experts when needed
A large section is devoted to approval of policies and policy changes
Case Studies and Examples (2 of 2)
Public Sector: State of Tennessee
Used ISO/IEC 17799 (27002)
Policies and frameworks covered all information assets owned, leased, or controlled by the State of Tennessee
Controlled the practices of external parties that need access to the State of Tennessee’s information resources
Private Sector 3: Target Corporation
December 2013 point-of-sale (PoS) data breach
40 million credit card records stolen
70 million records containing PII
One of the largest data breaches of its kind
Serious weaknesses in the information security framework and related controls
Summary
Building blocks of a security policy framework
Types of documents for a security policy framework
Information systems security (ISS) and information assurance considerations
Considerations for creating a security policy framework
10/10/2020