Research paper on data breach
Security Policies and Implementation Issues
Chapter 6
IT Security Policy Frameworks
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe the components and basic requirements for creating a security policy framework.
7/17/2014
Key Concepts
Key building blocks of security policy framework
Types of documents for a security policy framework
Information systems security (ISS) and information assurance considerations
Process to create a security policy framework
Policy and Standards Library Framework
Policy Framework Components
Policy: Defines how an organization performs and conducts business functions and transactions with a desired outcome
Standards: An established method implemented organization-wide
Procedures: Steps required to implement a process
Guidelines: A parameter within which a policy, standard, or procedure is suggested
Common Frameworks
Control Objectives for Information and related Technology (COBIT)
ISO/IEC 27000 series
National Institute of Standards and Technology (NIST) Special Publications
Example: SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations”
Access Control Policy Branch
Access Control Policy Branch of a Policy and Standards Library
External and Internal Factors Affecting Policies
Policies must align with the business model or objective to be effective
External factors
Regulatory and governmental initiatives
Internal factors
Culture, support, and funding
Creating a Security Policy Framework
Set a budget
Assemble a team
Select a commonly accepted framework as a foundation
- COBIT, ISO/IEC 27000 series, NIST SPs
Use a content management system, if possible
Cross-reference your security documents with standards
Coordinate development with other departments in the organization
Roles Related to a Policy and Standards Library
CISO
- Establishes and maintains security and risk management programs for information resources
Information resources manager
- Maintains policies and procedures that provide for security and risk management of information resources
Information resources security officer
- Directs policies and procedures designed to protect information resources; identifies vulnerabilities; develops the security awareness program
Owners of information resources
- Responsible for carrying out the program that uses the resources. This does not imply personal ownership. These individuals may be regarded as program managers or delegates for the owner.
Custodians of information resources
- Provide technical facilities, data processing, and other support services to owners and users of information resources
Technical managers (network and system administrators)
- Provide technical support for security of information resources
Internal auditors
- Conduct periodic risk-based reviews of information resources security policies and procedures
Users
- Have access to information resources in accordance with the owner-defined controls and access rules
Case Studies on Security Policy Framework Creation
Case Study: Private Sector (Health Care)
- Health care organization with 7,000 devices
- Incomplete inventory
- No easy way to classify assets
- Subject to HIPAA
- Used NIST SP 800-53 to establish the framework
Case Study: Public Sector
- State of Tennessee
- Used ISO/IEC 17799 (27002)
- Policies and frameworks covered all information assets owned, leased, or controlled by the State of Tennessee
Case Study: Private Sector (Retail)
- Target Corporation
- 1,797 US and 127 Canadian stores
- December 2013 point-of-sale (PoS) data breach
- 40 million credit card records stolen
- 70 million records containing PII
- One of the largest data breaches of its kind
Information Assurance and Information Systems Security
Information Assurance (IA)
- Protecting information during processing and use
- The 5 pillars
- Implementation of appropriate accounting and other integrity controls
- Development of systems that detect and thwart attempts to perform unauthorized activity
ISS
- Protecting information and the systems that store and process the information
- Automation of security controls, where possible
- Assurance of a level of uptime of all systems
Information Systems Security Considerations
Unauthorized Access to and Use of the System
Unauthorized Disclosure of the Information
Disruption of the System or Services
Modification of Information
Destruction of Information Resources
Summary
Considerations for information assurance and information security
Process to create a security policy framework
Factors that affect policies and the best practices to maintain policies