
CHAPTER 7

How to Design, Organize, Implement, and Maintain IT Security Policies

Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.


Learning Objective(s)

Describe how to design, organize, implement, and maintain IT security policies.

Key Concepts

Core principles of policy and standards design

Implementing policies and libraries

Policy change control board purpose and roles

Business drivers for policy and standards changes

Best practices for policy management and maintenance


Policies and Standards Design Considerations

Best kinds of documents

Are clearly worded

Address six key questions: Who, what, where, when, why, and how

Are concise and precise

The challenge is establishing or recognizing a core set of beliefs that can influence how policies are written

One method: Break the problem down into how security controls are to be implemented and what controls are needed


Operating Models

Diversified

Low level of integration and standardization with the enterprise

Coordinated

Shares data across the enterprise; level of shared services and standardization are minimal

Replicated

Shares services across the enterprise; level of data sharing is minimal

Unified

Shares data and has standardized services across the enterprise

FIGURE 7-1 The four basic business operating models.


An operating model can help you understand how the security controls are to be implemented. One issue over which disagreement often arises is how much security should be centralized or decentralized within the business. A discussion of the operating model within the company can identify areas of disagreement and create a common set of beliefs on the proper placement and implementation of controls.

Principles for Policy and Standards Development (1 of 4)


Accountability principle—The personal responsibility of information systems security should be explicit. Some roles in the organization are accountable only for the work they perform daily. Other roles are accountable for their own work, plus all the work performed by their team of employees.

Accountability helps to ensure that people understand they are solely responsible for actions they take while using organization resources. You can think of accountability as a deterrent control.

Awareness principle—Owners, providers, and users of information systems, as well as other parties, should be informed of the existence and general context of policies, responsibilities, practices, procedures, and organization for security of information systems. Put more simply, it is unlikely that stakeholders will comply with policies they are not aware of.

Ethics principle—The way information systems are designed, and the level of access to data reflected in the security controls, should operate in accordance with the organization’s ethical standards. This includes the level of disclosure and access to customer data. This also needs to be entrenched in the organizational culture in order to be effective.

Multidisciplinary principle—Policy and standards library documents should be written to consider everyone affected, including technical, administrative, organizational, operational, commercial, educational, and legal personnel.

Proportionality principle—Security levels, costs, practices, and procedures should be appropriate and proportionate to the value of the data and the degree of reliance on the system. They should also be proportional to the potential severity, probability, and extent of harm to the system or loss of the data. In other words, don’t spend $1000 to protect $500 worth of assets.

Integration principle—Your documents should be coordinated and integrated with each other. They should also integrate with other relevant measures, practices, and procedures for a coherent system of security.


Accountability

Awareness

Ethics

Multidisciplinary

Proportionality

Integration

Principles for Policy and Standards Development (2 of 4)


Defense-in-depth principle—Security increases when it is implemented as a series of overlapping layers of controls and countermeasures that provide three elements to secure assets: prevention, detection, and response. This is referred to as defense in depth. It is both a military concept and an information security concept. Defense in depth dictates that security mechanisms be layered so that the weaknesses of one mechanism are countered by the strengths of two or more other mechanisms. This is a core security concept.

Timeliness principle—All personnel, assigned agents, and third-party providers should act in a timely and coordinated manner to prevent and to respond to breaches of the security.

Reassessment principle—The security of information systems should be periodically reassessed. Risks to technology change daily, and periodic reassessments are needed to ensure that security requirements and practices are kept current with these changes. Standards also need reassessments, at least annually, to ensure they represent the current state of affairs.

Privacy principle—The security of an information system should include securing the private information of the system’s users. In other words, consider your users or partners when requiring information that could place their privacy rights at risk.

Internal control principle—Information security forms the core of an organization’s information internal control systems. Regulations mandate that internal control systems be in place and operating correctly. Organizations rely on technology to maintain business records. It’s essential that such technology include internal control mechanisms. These maintain the integrity of the information and represent a true picture of the organization’s activities.

Adversary principle—Controls, security strategies, architectures, and policy library documents should be developed and implemented in anticipation of attack from intelligent, rational, and irrational adversaries who may intend harm. This is also the case with threat assessment.


Defense in depth

Timeliness

Reassessment

Privacy

Internal control

Adversary

Principles for Policy and Standards Development (3 of 4)


Least privilege principle—People should be granted only enough privilege to accomplish assigned tasks and no more. This is another core principle of security.

Separation of duty principle—Responsibilities and privileges should be divided to prevent a person or a small group of collaborating people from inappropriately controlling multiple key aspects of a process and causing harm or loss. For example, in an accounting department, the person preparing invoices for payment should not be the same person writing the checks for payment.

Continuity principle—Identify your organization’s needs for disaster recovery and continuity of operations. Prepare the organization and its information systems accordingly.

Simplicity principle—Try to favor small and simple safeguards over large and complex ones. Security is improved when it’s made simpler. Obviously, security should not be oversimplified, but instead made as simple as practically possible.

Policy-centered security principle—Policies, standards, and procedures should be established as the formal basis for managing the planning, control, and evaluation of all information security activities.
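The separation of duty and least privilege principles described above can both be checked mechanically against the role assignments held in an access system: separation of duty fails when one person holds both halves of a conflicting pair, and least privilege fails when a person holds a role that none of their assigned tasks requires. The Python below is an added example, not code from the textbook; the user names, task-to-role mapping and assignments are constructed sample data, and the conflict pairs are an assumed policy (the invoice/check pair follows the slide's accounting example).

```python
"""Separation-of-duty and least-privilege review over a role assignment table."""

# Role pairs that no single person may hold at once (assumed sample policy).
SOD_CONFLICTS = {
    frozenset({"invoice_preparer", "check_signer"}),  # the accounting example from the slide
    frozenset({"developer", "production_deployer"}),  # assumed change-management analogue
}

# Which role each business task requires (constructed sample).
TASK_ROLES = {
    "prepare_invoices": "invoice_preparer",
    "sign_checks": "check_signer",
    "review_ledger": "auditor",
    "write_code": "developer",
    "deploy_release": "production_deployer",
}

# Tasks each person is actually assigned by their manager (constructed sample).
USER_TASKS = {
    "alice": {"prepare_invoices"},
    "bob": {"sign_checks"},
    "carol": {"prepare_invoices", "sign_checks"},
    "dave": {"write_code", "deploy_release"},
}

# Roles each person currently holds in the access system (constructed sample).
ASSIGNMENTS = {
    "alice": {"invoice_preparer"},
    "bob": {"check_signer", "auditor"},
    "carol": {"invoice_preparer", "check_signer"},
    "dave": {"developer", "production_deployer"},
}


def find_sod_violations(assignments, conflicts):
    """Return {user: [(role_a, role_b), ...]} for every user holding both roles of a conflicting pair."""
    violations = {}
    for user, roles in assignments.items():
        # A pair is violated when the user's role set contains the whole pair.
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= roles)
        if hits:
            violations[user] = hits
    return violations


def find_excess_privileges(assignments, user_tasks, task_roles):
    """Return {user: {role, ...}} for roles not justified by any task the user is assigned."""
    excess = {}
    for user, roles in assignments.items():
        needed = {task_roles[task] for task in user_tasks.get(user, set())}
        extra = roles - needed
        if extra:
            excess[user] = extra
    return excess


def review_report(assignments, conflicts, user_tasks, task_roles):
    """Combine both checks into a list of human-readable findings for the policy review."""
    findings = []
    for user, pairs in find_sod_violations(assignments, conflicts).items():
        for role_a, role_b in pairs:
            findings.append(f"SoD: {user} holds conflicting roles {role_a} and {role_b}")
    for user, roles in find_excess_privileges(assignments, user_tasks, task_roles).items():
        findings.append(f"Least privilege: {user} holds unneeded role(s) {', '.join(sorted(roles))}")
    return findings


if __name__ == "__main__":
    for line in review_report(ASSIGNMENTS, SOD_CONFLICTS, USER_TASKS, TASK_ROLES):
        print(line)
```

Note that carol's roles are all justified by her assigned tasks, so a least-privilege review alone passes her; only the separation-of-duty check flags that the same person prepares the invoices and signs the checks. The two principles catch different problems and both checks belong in the periodic reassessment.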


Least privilege

Separation of duty

Continuity

Simplicity

Policy-centered security

Principles for Policy and Standards Development (4 of 4)

Some specific steps that should be taken when developing security policies:

Risk identification—Always begin by identifying the risks that the policies are trying to mitigate

Legal compliance—Make certain that policies comply with any legal or regulatory requirements

Practicality—Make sure the policy is something you can implement and enforce


The Importance of Transparency with Regard to Customer Data (1 of 2)


Organizations should be transparent and should notify individuals of the collection, use, dissemination, and maintenance of personally identifiable information (PII).

PII: Information that can be used to identify a specific person. This can be something used alone, such as a person’s name

Nonpublic personal information (NPI): The term the Gramm-Leach-Bliley Act uses to refer to any personally identifiable financial information that a consumer provides to a financial institution

The Importance of Transparency with Regard to Customer Data (2 of 2)


Transparency with regard to handling of customer data should include these elements.


Individual participation

Consent in the collection, use, dissemination, and maintenance of PII

Purpose specification

Describe the authority that permits the collection of PII and articulate the purpose or purposes for which the organization intends to use the data

Data minimization

Collect PII that is directly relevant and necessary to accomplish specified purpose(s); retain PII only for as long as is necessary

Use limitation

Use PII solely for the purpose(s) specified

Types of Controls for Policies and Standards (1 of 2)


Administrative

The policies, standards, and procedures that guide employees when conducting the organization’s business

Examples: Preemployment screening of personnel; change management process

Technical

The devices, protocols, and other technology used to protect assets

Examples: Antivirus systems, cryptographic systems, firewalls

Physical

The devices used to control physical access

Examples: Fences, security guards, locked doors, motion detectors, alarms

Types of Controls for Policies and Standards (2 of 2)


These control types describe what controls do.


Preventive security controls

Prevent intentional or unintentional security threats

Examples: Network access policies, firewall rules

Detective or response controls

Act like alarms and warnings

Examples: Motion detectors, log files

Corrective controls

Help you respond to and fix a security incident

Examples: Remove a virus, close a firewall port

Recovery controls

Help you put a system back into operation once an incident ends

Examples: Disaster recovery, tape backups

Document Organization Considerations

Although there are many ways to organize a library of policies, one thing they all have in common is the need for a numbering scheme

A numbering scheme helps you organize the material by topic; it becomes a quick reference point for people to use to refer to specific content

You can create your own numbering scheme or use an existing one

Should you decide to use an existing framework like ISO/IEC 27002, you can begin with the taxonomy it provides


A Possible Policy and Standards Library Taxonomy

FIGURE 7-2 A possible policy and standards library taxonomy.


Control Standards Branch Out from the Access Control (IS-POL-800) Framework Policy

FIGURE 7-3 Control standards branch out from the Access Control (IS-POL-800) framework policy.

Baseline Standards and Procedures Provide Additional Branches of the Library Tree

FIGURE 7-4 Baseline standards and procedures provide additional branches of the library tree.


Guidelines Provide Additional Branches of the Library Tree

FIGURE 7-5 Guidelines provide additional branches of the library tree.


Considerations for Implementing Policies and Standards


Building consensus on intent

Reviews and approvals for your documents

Publication of the documents

Awareness and training

Reviews and Approvals


Document Review

Technical personnel

Legal

Human resources (HR)

Audit and compliance

Policy Change Control Board (1 of 2)

Change control board (CCB)

Sometimes referred to as a change advisory board (CAB)

Effective oversight of policy changes ensures that:

Security is implemented in a thoughtful way

Changes are not made unilaterally or cause unexpected consequences

Oversight of the policy change process is usually under a committee

Committee members are often senior leaders who represent technology and business interests


Policy Change Control Board (2 of 2)

Objectives of the policy change control board:


Assess policies and standards and make recommendations for change

Coordinate requests for change (RFCs)

Ensure that changes to existing policies and standards support the organization’s mission and goals

Review requested changes to the policy framework

Establish a change management process for policies and standards

Business Drivers for Policy and Standards Changes


Business exceptions

Business innovations

Business technology innovations

Strategic changes

Legal changes

Regulatory changes

Maintaining Your Policy and Standards Library

Policy change control board helps determine which document changes should be made.


Minor revision: Usually has low significance. Example: Clarifying wording within a sentence or paragraph

Major revision: Significantly changes the policy. Example: New requirements

Best Practices for Policies and Standards Maintenance (1 of 2)

Base decisions on core information security principles to support business objectives

Establish a cohesive and coherent document organization taxonomy that leaves room for growth and changes

Use common templates for each type of document and stick with them

Use a collaboration tool for developing documents that allows others access to drafts early in the development cycle. It should be easy to solicit reviews and comments

Establish a repeatable review process for draft documents


Best Practices for Policies and Standards Maintenance (2 of 2)

Publish the library in a form that the organization is already using to avoid confusion

Use a broad variety of communications and awareness media and techniques to reach a wide audience. Keep your message consistent and easy to understand

Establish a policy change control board to help identify major changes to the library and to keep it up to date

Create a “lessons learned” process to improve the policy through feedback and review of major events


Case Studies and Examples

Private Sector 1: Cyprus Shipping Chamber

Wanted to address security requirements of smart shipping

Studied a subset of the company and used that as a template to study security

Examined each organizational security concern using a scenario

Facilitated development of security policies

Private Sector 2: American Imaging Management (AIM)

Needed to improve due diligence practices, expand corporate security program

Performed risk assessment

Used the Plan-Do-Act-Check cycle from the ISO standards

Created a road map for building a security program that could be registered to the ISO 27001 standard

Public Sector: California Office of the State Chief Information Officer (OCIO)

Issued new policy that addresses employee remote access security standards for working from home or off-site

Ensures users are trained for their roles and responsibilities

Also requires state agencies to complete a compliance form

Summary

Core principles of policy and standards design

Implementing policies and libraries

Policy change control board purpose and roles

Business drivers for policy and standards changes

Best practices for policy management and maintenance


10/10/2020
