Summarize the issues that research hospitals

profilesrvpola123
ScenarioOverview.pptx

Scenario Overview

Meal Times

Lunch 11:30 break

Back by 1pm

Dinner 5:00 pm break

Back by 6:30 pm

Scenarios

Scenario A – for odd numbered teams

Banking industry

Scenario B – for even numbered teams

Research hospitals

Unless otherwise noted all Figures are from the Textbook

Using the methodologies in Chapters 6 - 9

Summarize the issues that face banks / research hospitals

What types of policies are needed?

What core principles apply here?

What would be the best framework to use for a bank / research hospital?

What User Domains should there be?

Be sure to define who the groups are

What files and folders containing what type of data should they have access to?

How would you go about implementing the changes?

Things to consider

What assets are you protecting?

Where is it stored?

Local

Central

Cloud

What communication processes are used?

Email,

Social media

Web based

What accesses your network?

Automated devices

IoT

Artificial Intelligence

BYOD

Who are your users?

Include in Summary

Provide specific Examples of what has happened in the banking industry or research hospitals

What happened?

What solutions were implemented?

What worked?

What didn’t work?

Policy

Standards

Procedures

Guidelines

Defines how an organization performs and conducts business functions and transactions with a desired outcome

An established method implemented organization-wide

Steps required to implement a process

A parameter within which a policy, standard, or procedure is suggested

Common Frameworks

Control Objectives for Information and related Technology (COBIT)

ISO/IEC 27000 series

National Institute of Standards and Technology (NIST) Special Publications

Example: SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations

10/19/2018

8

Choosing a Framework

Describe the frameworks commonly used

Explore the ones you think would work in your scenario

Explain and describe the one you chose

Can be an existing framework

Combination of existing

Your own creation

Justify your decision

ISO /IEC 27002

Foreward

Information Security Policy

Organization of information security

Human resources security

Asset management

Access control

Cryptography

Physical and Environmental security

Operations Security

Communications Security

System acquisition, development and maintenance

Supplier relationships

Incident management

Business continuity management

Compliance

Access Control Policy Branch

Access Control Policy Branch of a Policy and Standards Library

10/19/2018

11

External and Internal Factors Affecting Policies

Policies must align with the business model or objective to be effective

External factors

Regulatory and governmental initiatives

Include the regulations that affect your industry

Internal factors

Culture, support, and funding

Describe the culture

10/19/2018

12

Core Principles

Go through and select the core principles that apply

How are you using them?

What will it take to implement?

Policy and Standards Development Core Principals

10/19/2018

14

Accountability

Awareness

Ethics

Multidisciplinary

Proportionality

Integration

Policy and Standards Development Core Principals (Continued)

10/19/2018

15

Defense in Depth

Timeliness

Reassessment

Democracy

Internal Control

Adversary

Policy and Standards Development Core Principals (Continued)

10/19/2018

16

Least Privilege

Separation of Duties

Continuity

Simplicity

Policy-Centered Security

Transparency with Customer Data

Transparency

Individual

Participation

Purpose

Specification

Use Limitation

Data Minimization

IS0/IEC 27002

IS0IEC 27002 Notice Board

http://www.iso27001security.com/html/27002.html

Implementing Policies and Libraries

Implementing your policies and libraries entails three major steps:

• Reviews and approvals for your documents

• Publication of the documents

• Awareness and training

10/19/2018

19

Build Consensus

Publication

Awareness Training

Reviews/ Approvals

Members of the Policy Change Control Board

Information Security

Compliance Management

Auditing

Human Resources (HR)

Leadership from the key information business units

Project Managers (PMs)

Members come from functional areas of the organization.

The roles for each member would be to approve changes to the policies, reflecting alignment to business objectives.

Each functional area oversee policies pertaining to their perspective area of responsibility, while they also play a role in the approval of policy changes that effect the organization as a whole.

10/19/2018

20

Policy Change Control Board

10/19/2018

21

Assess policies/ standards and recommend changes

Coordinate requests for change (RFCs)

Ensure that changes support organization’s mission and goals

Review requested changes

Establish change management process

User Domains

Define your users

Look at your industry

Who is on the network?

What do they need access to?

What should they be denied access to?