LAB
See attached.
Lab3.docx
Lab3: Defining a Security Policy Framework
In this lab, you will research security policy frameworks. Next, you will determine the appropriate security policy definitions to mitigate specific risks, threats, or vulnerabilities. You will organize your results into a framework that can become part of a layered security strategy. This is a Theory Lab and does not require the use of a virtual environment.
Part 1: Research Security Policy Frameworks
· Summarize the Policy Development Guide’s recommendations for organizing a policy hierarchy and selecting policy topics.
· Describe the core principles and objectives of COBIT 2019.
Part 2: Define a Security Policy Framework
For each risk, threat, or vulnerability in the list above, select an appropriate security policy that might help mitigate it. You can select one of the SANS policies or choose one from the following list.
Organize the security policies you selected so that they can be used as part of an overall framework for a layered security strategy.
When you have completed the lab, click the "Download Lab Report as PDF" icon.
TEXTBOOK
Johnson, R., & Easttom, C. (2022). Security policies and implementation issues (3rd ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284200034
UnitIII.pdf
CYB 4304, Cybersecurity Law and Policy
Course Learning Outcomes for Unit III
Upon completion of this unit, students should be able to:
1. Classify the vulnerabilities in the information technology (IT) security policy framework definition.
1.1 Determine the appropriate security policy definitions to mitigate specific risks, threats, or vulnerabilities.
Required Unit Resources
Chapter 6: IT Security Policy Frameworks
Chapter 7: How to Design, Organize, Implement, and Maintain IT Security Policies
Unit Lesson
Introduction
Now that we have established some policies within the seven domains in Unit II, we need to look at the organization’s security program. This program, or security policy framework, establishes a logical structure for the organization’s policies and documentation. The documents that make up the framework are used to build processes, determine what technology is appropriate, and create an enforcement strategy. The framework therefore consists of all the documented processes that define the policies and procedures an organization needs in order to implement and sustain its information security controls across the enterprise (Johnson & Easttom, 2022). One such enterprise framework, ISO/IEC 27002, is discussed in this unit.
The Policy Framework Hierarchy
The policy framework consists of policies, standards, procedures, guidelines, and baselines arranged in a hierarchical tree. When designing such a security policy framework, there are many branches of the framework that you must consider. The overall policy sits at the top of the hierarchy, with the subcomponents covering risk, assets, physical security, and access control following below it in the tree.
The Framework Policy/Charter Examined
The framework policy, or charter, is a capstone document that establishes the information security program. According to Johnson and Easttom (2022), it defines several elements.
• The purpose and mission of the security program: Here, one defines the goals of the IT program and management structure.
• The scope of the organization: Here, one describes what the program will cover, including elements like resources, personnel, and information.
• Assignment of responsibilities for implementation: These should include the roles of managers, users, and the IT organization.
• Compliance management: This relates to a plan for enforcement of the policy and assurance that policies will be adhered to.
UNIT III STUDY GUIDE: Information Technology Security Policies, Procedures, and Guidelines
Industry-Standard Policy Frameworks
Three notable frameworks have been widely accepted and adopted—COBIT, NIST, and the ISO/IEC 27000 series—and we will discuss the last of these here in more detail. ISO/IEC 27002 is more formally known as Information Technology—Security Techniques—Code of Practice for Information Security Controls. Many companies use this standard to establish and administer their information technology (IT) security programs. The ISO/IEC 27002 framework consists of 15 main areas.
National Institute of Standards and Technology Special Publication 800-53
The National Institute of Standards and Technology (NIST) is an agency of the U.S. Department of Commerce. It is responsible for developing standards and communicating them to businesses and government agencies. Federal systems use SP 800-53, so its recommendations and practices need to be well vetted. Other organizations also use these standards as a foundation on which to build their own infrastructure. SP 800-53 addresses 18 areas covering managerial, operational, and technical controls:
• access control,
• audit and accountability,
• security assessment and authorization,
• configuration management,
• contingency planning,
• identification and authentication,
• incident response,
• maintenance,
• media protection,
• physical and environmental protection,
• planning,
• personnel security,
• risk assessment,
• systems and services acquisition,
• systems and communications protection,
• system and information integrity,
• program management, and
• awareness and training (Johnson & Easttom, 2022).
Through this comprehensive lens, NIST SP 800-53 describes periodic checks of the risks to operations, people, and assets that arise from using information systems or transmitting information. While risk is an inherent part of doing business, it can be reduced by adopting these standards and the best practices of other organizations.
Principles for Policy Standards Development
Risk assessments are unique to each organization, even among organizations in the same industry; therefore, there are no hard-and-fast templates for developing IT security programs. There are, however, security principles from which the control requirements used to implement security policies and standards are derived. According to Johnson and Easttom (2022), these principles are the industry’s best practices and can be used to help develop policies, standards, baselines, procedures, and guidelines.
• Accountability principle—The organization as well as its employees are accountable for the security of their work and of the resources utilized within the organization.
• Awareness principle—All clients are informed of the organization’s policies and standards for its information systems.
• Ethics principle—The use of the organization’s IT systems by all involved, both outside and inside the organization, abides by the ethical standards of information systems.
• Multidisciplinary principle—The policy and standards are written for all personnel, from human resources personnel to legal personnel or operational staff.
• Proportionality principle—The cost of protecting an asset should be directly proportional to the value of the data being protected.
• Integration principle—All written policies must be able to work seamlessly together.
• Defense-in-depth principle—There exist layers of security mechanisms that provide prevention, detection, and response to secure IT assets.
• Timeliness principle—All personnel must act in a timely and coordinated manner as specified in the policies to report any security breach.
• Reassessment principle—Risks of IT assets must be reevaluated periodically to ensure policies, standards, and assets maintain sustainability in the current security posture.
• Privacy principle—The privacy rights and information of all clients and organizations are protected.
• Internal control principle—The integrity of the organization’s information is kept accurate and true through the internal control systems that operate the information systems.
• Adversary principle—Protection against external as well as internal intruders is achieved through a security framework that anticipates attacks on the organization.
• Least privilege principle—This is commonly known as need-to-know access. If an individual does not need to know, then he or she will be denied access to information assets.
• Separation of duty principle—This provides checks and balances so that no individual has complete access to all information systems.
• Continuity principle—The organization must identify its critical needs for disaster recovery. In other words, an organization must consider the sustainability of operations after experiencing significant damage from a catastrophe.
• Simplicity principle—This is to remove complexity from safeguarding security.
• Policy-centered security principle—Use the security framework as the formal basis for evaluating all information security activities (Johnson & Easttom, 2022).
Utilize these principles in developing the organization’s security policies and procedures. Ensure these policies and procedures are distributed throughout the organization and to the vendors dealing with the organization. Further, there are essential steps to take while developing a security policy, including identifying the risks that are to be mitigated, ensuring that all policies comply with any relevant legal requirements, and ensuring that the principles can be practically implemented and enforced (Johnson & Easttom, 2022). As you may recall, risk assessments are the checks and balances that must be done periodically to ensure that risks have been identified and that the organization’s business continuity is not interrupted. These assessments cover the hardware and software of the IT infrastructure as well as the people and their operational control of the organization’s assets. Remember, these risk assessments are unique to each organization and should be embedded within the security policy framework.
Reference
Johnson, R., & Easttom, C. (2022). Security policies and implementation issues (3rd ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284200034