Practical connection - Operations Security
CHAPTER 7
How to Design, Organize, Implement, and Maintain IT Security Policies
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Learning Objective(s)
Describe how to design, organize, implement, and maintain IT security policies.
Key Concepts
Core principles of policy and standards design
Implementing policies and libraries
Policy change control board purpose and roles
Business drivers for policy and standards changes
Best practices for policy management and maintenance
Policies and Standards Design Considerations
Best kinds of documents
Are clearly worded
Address six key questions: Who, what, where, when, why, and how
Are concise and precise
The challenge is how to establish or recognize a core set of beliefs that can influence how policies are written
One method: Break the problem down into how security controls are to be implemented and what controls are needed
Operating Models
Diversified
Low level of integration and standardization with the enterprise
Coordinated
Shares data across the enterprise; levels of shared services and standardization are minimal
Replicated
Shares services across the enterprise; level of data sharing is minimal
Unified
Shares data and has standardized services across the enterprise
FIGURE 7-1 The four basic business operating models.
An operating model can help you understand how the security controls are to be implemented. One issue over which disagreement often arises is how much security should be centralized or decentralized within the business. A discussion of the operating model within the company can identify areas of disagreement and create a common set of beliefs on the proper placement and implementation of controls.
Principles for Policy and Standards Development (1 of 4)
Accountability
Awareness
Ethics
Multidisciplinary
Proportionality
Integration
Accountability principle—The personal responsibility of information systems security should be explicit. Some roles in the organization are accountable only for the work they perform daily. Other roles are accountable for their own work, plus all the work performed by their team of employees.
Accountability helps to ensure that people understand they are solely responsible for actions they take while using organization resources. You can think of accountability as a deterrent control.
Awareness principle—Owners, providers, and users of information systems, as well as other parties, should be informed of the existence and general context of policies, responsibilities, practices, procedures, and organization for security of information systems. Put more simply, it is unlikely that stakeholders will comply with policies they are not aware of.
Ethics principle—The way information systems are designed, and the level of access to data reflected in the security controls, should operate in accordance with the organization’s ethical standards. This includes the level of disclosure and access to customer data. This also needs to be entrenched in the organizational culture in order to be effective.
Multidisciplinary principle—Policy and standards library documents should be written to consider everyone affected, including technical, administrative, organizational, operational, commercial, educational, and legal personnel.
Proportionality principle—Security levels, costs, practices, and procedures should be appropriate and proportionate to the value of the data and the degree of reliance on the system. They should also be proportional to the potential severity, probability, and extent of harm to the system or loss of the data. In other words, don’t spend $1000 to protect $500 worth of assets.
Integration principle—Your documents should be coordinated and integrated with each other. They should also integrate with other relevant measures, practices, and procedures for a coherent system of security.
Principles for Policy and Standards Development (2 of 4)
Defense in depth
Timeliness
Reassessment
Privacy
Internal control
Adversary
Defense-in-depth principle—Security increases when it is implemented as a series of overlapping layers of controls and countermeasures that provide three elements to secure assets: prevention, detection, and response. This is referred to as defense in depth. It is both a military concept and an information security concept. Defense in depth dictates that security mechanisms be layered so that the weaknesses of one mechanism are countered by the strengths of two or more other mechanisms. This is a core security concept.
Timeliness principle—All personnel, assigned agents, and third-party providers should act in a timely and coordinated manner to prevent and to respond to breaches of security.
Reassessment principle—The security of information systems should be periodically reassessed. Risks to technology change daily, and periodic reassessments are needed to ensure that security requirements and practices are kept current with these changes. Standards also need reassessments, at least annually, to ensure they represent the current state of affairs.
Privacy principle—The security of an information system should include securing the private information of the users of the system. In other words, consider your users or partners when requiring information that could place their privacy rights at risk.
Internal control principle—Information security forms the core of an organization’s information internal control systems. Regulations mandate that internal control systems be in place and operating correctly. Organizations rely on technology to maintain business records. It’s essential that such technology include internal control mechanisms. These maintain the integrity of the information and represent a true picture of the organization’s activities.
Adversary principle—Controls, security strategies, architectures, and policy library documents should be developed and implemented in anticipation of attack from intelligent, rational, and irrational adversaries who may intend harm. This is also the case with threat assessment.
Principles for Policy and Standards Development (3 of 4)
Least privilege
Separation of duty
Continuity
Simplicity
Policy-centered security
Least privilege principle—People should be granted only enough privilege to accomplish assigned tasks and no more. This is another core principle of security.
Separation of duty principle—Responsibilities and privileges should be divided to prevent a person or a small group of collaborating people from inappropriately controlling multiple key aspects of a process and causing harm or loss. For example, in an accounting department, the person preparing invoices for payment should not be the same person writing the checks for payment.
Continuity principle—Identify your organization’s needs for disaster recovery and continuity of operations. Prepare the organization and its information systems accordingly.
Simplicity principle—Try to favor small and simple safeguards over large and complex ones. Security is improved when it’s made simpler. Obviously, security should not be oversimplified, but instead made as simple as practically possible.
Policy-centered security principle—Policies, standards, and procedures should be established as the formal basis for managing the planning, control, and evaluation of all information security activities.
Principles for Policy and Standards Development (4 of 4)
Some specific steps that should be taken when developing security policies:
Risk identification—Always begin by identifying the risks that the policies are trying to mitigate
Legal compliance—Make certain that policies comply with any legal or regulatory requirements
Practicality—Make sure the policy is something you can implement and enforce
The Importance of Transparency with Regard to Customer Data (1 of 2)
Organizations should be transparent and should notify individuals of the collection, use, dissemination, and maintenance of personally identifiable information (PII).
PII
Information that can be used to identify a specific person. This can be something used alone, such as a person’s name
Nonpublic personal information (NPI)
Used by the Gramm-Leach-Bliley Act to refer to any personally identifiable financial information that a consumer provides to a financial institution
The Importance of Transparency with Regard to Customer Data (2 of 2)
Transparency with regard to handling of customer data should include these elements.
Individual participation
Consent in the collection, use, dissemination, and maintenance of PII
Purpose specification
Describe the authority that permits the collection of PII and articulate the purpose or purposes for which the organization intends to use the data
Data minimization
Collect PII that is directly relevant and necessary to accomplish specified purpose(s); retain PII only for as long as is necessary
Use limitation
Use PII solely for the purpose(s) specified
Types of Controls for Policies and Standards (1 of 2)
Administrative
The policies, standards, and procedures that guide employees when conducting the organization’s business
Examples: Preemployment screening of personnel; change management process
Technical
The devices, protocols, and other technology used to protect assets
Examples: Antivirus systems, cryptographic systems, firewalls
Physical
The devices used to control physical access
Examples: Fences, security guards, locked doors, motion detectors, alarms
Types of Controls for Policies and Standards (2 of 2)
These control types describe what controls do.
Preventive security controls
Prevent intentional or unintentional security threats
Examples: Network access policies, firewall rules
Detective or response controls
Act like alarms and warnings
Examples: Motion detectors, log files
Corrective controls
Help you respond to and fix a security incident
Examples: Remove a virus, close a firewall port
Recovery controls
Help you put a system back into operation once an incident ends
Examples: Disaster recovery, tape backups
Document Organization Considerations
Although there are many ways to organize a library of policies, one thing they all have in common is the need for a numbering scheme
A numbering scheme helps you organize the material by topic; it becomes a quick reference point for people to use to refer to specific content
You can create your own numbering scheme or use an existing one
Should you decide to use an existing framework like ISO/IEC 27002, you can begin with the taxonomy it provides
A Possible Policy and Standards Library Taxonomy
FIGURE 7-2 A possible policy and standards library taxonomy.
Control Standards Branch Out from the Access Control (IS-POL-800) Framework Policy
FIGURE 7-3 Control standards branch out from the Access Control (IS-POL-800) framework policy.
Baseline Standards and Procedures Provide Additional Branches of the Library Tree
FIGURE 7-4 Baseline standards and procedures provide additional branches of the library tree.
Guidelines Provide Additional Branches of the Library Tree
FIGURE 7-5 Guidelines provide additional branches of the library tree.
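As an added illustration of the numbered library tree in Figures 7-2 to 7-5 (example code written for this chapter, not part of the slides or of any product), the following Python models library documents under an assumed <domain>-<type>-<nnn> numbering scheme, checks that each document branches from the allowed parent type, and lists the branch under the Access Control framework policy IS-POL-800. Every ID other than IS-POL-800, and the scheme itself, is an assumption made for the example.

```python
import re
from collections import namedtuple
# Assumed numbering scheme (not from the slides): <domain>-<type>-<nnn>, e.g. IS-POL-800; types follow
# Figures 7-2 to 7-5: framework policy POL, control standard STD, baseline BAS, procedure PRO, guideline GDL.
ID_RE = re.compile(r"^[A-Z]{2}-(?P<kind>POL|STD|BAS|PRO|GDL)-\d{3}$")
# Each type may branch only from the type listed here (None = root of the library tree).
ALLOWED_PARENT = {"POL": None, "STD": "POL", "BAS": "STD", "PRO": "STD", "GDL": "STD"}
PolicyDoc = namedtuple("PolicyDoc", "doc_id title parent", defaults=(None,))

def doc_kind(doc_id):
    """Return the document type encoded in the ID; raise if the ID breaks the scheme."""
    m = ID_RE.match(doc_id)
    if not m:
        raise ValueError(f"{doc_id}: does not follow the <domain>-<type>-<nnn> scheme")
    return m.group("kind")

def validate_library(docs):
    """List every violation of the numbering scheme or of the allowed branching."""
    known = {d.doc_id for d in docs if ID_RE.match(d.doc_id)}  # well-formed IDs only
    problems = []
    for d in docs:
        try:
            want = ALLOWED_PARENT[doc_kind(d.doc_id)]
        except ValueError as err:
            problems.append(str(err))
            continue
        if want is None:
            if d.parent is not None:
                problems.append(f"{d.doc_id}: a framework policy is a root, not under {d.parent}")
        elif d.parent not in known:
            problems.append(f"{d.doc_id}: parent {d.parent} is not in the library")
        elif doc_kind(d.parent) != want:
            problems.append(f"{d.doc_id}: must branch from a {want}, not from {d.parent}")
    return problems

def branch_of(docs, root_id):
    """IDs in the subtree under root_id, depth first: one branch of the library tree."""
    children = {}
    for d in docs:
        children.setdefault(d.parent, []).append(d.doc_id)
    out, stack = [], [root_id]
    while stack:
        cur = stack.pop()
        out.append(cur)
        stack.extend(reversed(children.get(cur, [])))
    return out

# Constructed sample library; every ID except IS-POL-800 is invented for illustration.
LIBRARY = [
    PolicyDoc("IS-POL-800", "Access Control framework policy"),
    PolicyDoc("IS-STD-801", "Authentication control standard", "IS-POL-800"),
    PolicyDoc("IS-BAS-810", "Password baseline standard", "IS-STD-801"),
    PolicyDoc("IS-PRO-811", "Account provisioning procedure", "IS-STD-801"),
    PolicyDoc("IS-GDL-812", "Multifactor authentication guideline", "IS-STD-801"),
]
```

Running validate_library on the sample returns no problems, and branch_of(LIBRARY, "IS-POL-800") walks the framework policy, its control standard, and the baseline, procedure, and guideline beneath it.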
Considerations for Implementing Policies and Standards
Building consensus on intent
Reviews and approvals for your documents
Publication of the documents
Awareness and training
Reviews and Approvals
Document Review
Technical personnel
Legal
Human resources (HR)
Audit and compliance
Policy Change Control Board (1 of 2)
Change control board (CCB)
Sometimes referred to as a change advisory board (CAB)
Effective oversight of policy changes ensures that:
Security is implemented in a thoughtful way
Changes are not made unilaterally or cause unexpected consequences
Oversight of the policy change process is usually under a committee
Committee members are often senior leaders who represent technology and business interests
Policy Change Control Board (2 of 2)
Objectives of the policy change control board:
Assess policies and standards and make recommendations for change
Coordinate requests for change (RFCs)
Ensure that changes to existing policies and standards support the organization’s mission and goals
Review requested changes to the policy framework
Establish a change management process for policies and standards
Business Drivers for Policy and Standards Changes
Business exceptions
Business innovations
Business technology innovations
Strategic changes
Legal changes
Regulatory changes
Maintaining Your Policy and Standards Library
The policy change control board helps determine which document changes should be made.
Major revision
Significantly changes the policy
Example: New requirements
Minor revision
Usually has low significance
Example: Clarifying wording within a sentence or paragraph
Best Practices for Policies and Standards Maintenance (1 of 2)
Base decisions on core information security principles to support business objectives
Establish a cohesive and coherent document organization taxonomy that leaves room for growth and changes
Use common templates for each type of document and stick with them
Use a collaboration tool for developing documents that allows others access to drafts early in the development cycle. It should be easy to solicit reviews and comments
Establish a repeatable review process for draft documents
Best Practices for Policies and Standards Maintenance (2 of 2)
Publish the library in a form that the organization is already using to avoid confusion
Use a broad variety of communications and awareness media and techniques to reach a wide audience. Keep your message consistent and easy to understand
Establish a policy change control board to help identify major changes to the library and to keep it up to date
Create a “lessons learned” process to improve the policy through feedback and review of major events
Case Studies and Examples
Private Sector 1: Cyprus Shipping Chamber
Wanted to address the security requirements of smart shipping
Studied a subset of the company and used that as a template to study security
Examined each organization security concern using a scenario
Facilitated development of security policies
Private Sector 2: American Imaging Management (AIM)
Needed to improve due diligence practices and expand its corporate security program
Performed risk assessment
Used the Plan-Do-Act-Check cycle from the ISO standards
Created a road map for building a security program that could be registered to the ISO 27001 standard
Public Sector: California Office of the State Chief Information Officer (OCIO)
Issued a new policy that addresses employee remote access security standards for working from home or off-site
Ensures users are trained for their roles and responsibilities
Also requires state agencies to complete a compliance form
Summary
Core principles of policy and standards design
Implementing policies and libraries
Policy change control board purpose and roles
Business drivers for policy and standards changes
Best practices for policy management and maintenance
10/10/2020