Summarize the issues that research hospitals
Scenario Overview
Meal Times
Lunch 11:30 break
Back by 1pm
Dinner 5:00 pm break
Back by 6:30 pm
Scenarios
Scenario A – for odd numbered teams
Banking industry
Scenario B – for even numbered teams
Research hospitals
Unless otherwise noted all Figures are from the Textbook
Using the methodologies in Chapters 6 - 9
Summarize the issues that face banks / research hospitals
What types of policies are needed?
What core principles apply here?
What would be the best framework to use for a bank / research hospital?
What User Domains should there be?
Be sure to define who the groups are
What files and folders containing what type of data should they have access to?
How would you go about implementing the changes?
Things to consider
What assets are you protecting?
Where is it stored?
Local
Central
Cloud
What communication processes are used?
Email,
Social media
Web based
What accesses your network?
Automated devices
IoT
Artificial Intelligence
BYOD
Who are your users?
Include in Summary
Provide specific Examples of what has happened in the banking industry or research hospitals
What happened?
What solutions were implemented?
What worked?
What didn’t work?
Policy
Standards
Procedures
Guidelines
Defines how an organization performs and conducts business functions and transactions with a desired outcome
An established method implemented organization-wide
Steps required to implement a process
A parameter within which a policy, standard, or procedure is suggested
Common Frameworks
Control Objectives for Information and related Technology (COBIT)
ISO/IEC 27000 series
National Institute of Standards and Technology (NIST) Special Publications
Example: SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations
10/19/2018
8
Choosing a Framework
Describe the frameworks commonly used
Explore the ones you think would work in your scenario
Explain and describe the one you chose
Can be an existing framework
Combination of existing
Your own creation
Justify your decision
ISO /IEC 27002
Foreward
Information Security Policy
Organization of information security
Human resources security
Asset management
Access control
Cryptography
Physical and Environmental security
Operations Security
Communications Security
System acquisition, development and maintenance
Supplier relationships
Incident management
Business continuity management
Compliance
Access Control Policy Branch
Access Control Policy Branch of a Policy and Standards Library
10/19/2018
11
External and Internal Factors Affecting Policies
Policies must align with the business model or objective to be effective
External factors
Regulatory and governmental initiatives
Include the regulations that affect your industry
Internal factors
Culture, support, and funding
Describe the culture
10/19/2018
12
Core Principles
Go through and select the core principles that apply
How are you using them?
What will it take to implement?
Policy and Standards Development Core Principals
10/19/2018
14
Accountability
Awareness
Ethics
Multidisciplinary
Proportionality
Integration
Policy and Standards Development Core Principals (Continued)
10/19/2018
15
Defense in Depth
Timeliness
Reassessment
Democracy
Internal Control
Adversary
Policy and Standards Development Core Principals (Continued)
10/19/2018
16
Least Privilege
Separation of Duties
Continuity
Simplicity
Policy-Centered Security
Transparency with Customer Data
Transparency
Individual
Participation
Purpose
Specification
Use Limitation
Data Minimization
IS0/IEC 27002
IS0IEC 27002 Notice Board
http://www.iso27001security.com/html/27002.html
Implementing Policies and Libraries
Implementing your policies and libraries entails three major steps:
• Reviews and approvals for your documents
• Publication of the documents
• Awareness and training
10/19/2018
19
Build Consensus
Publication
Awareness Training
Reviews/ Approvals
Members of the Policy Change Control Board
Information Security
Compliance Management
Auditing
Human Resources (HR)
Leadership from the key information business units
Project Managers (PMs)
Members come from functional areas of the organization.
The roles for each member would be to approve changes to the policies, reflecting alignment to business objectives.
Each functional area oversee policies pertaining to their perspective area of responsibility, while they also play a role in the approval of policy changes that effect the organization as a whole.
10/19/2018
20
Policy Change Control Board
10/19/2018
21
Assess policies/ standards and recommend changes
Coordinate requests for change (RFCs)
Ensure that changes support organization’s mission and goals
Review requested changes
Establish change management process
User Domains
Define your users
Look at your industry
Who is on the network?
What do they need access to?
What should they be denied access to?