Uploaded by primeteacher32
Security Policies and Standards
Introduction
- Organization: a collection of people working together toward a common goal. Members must have a clear understanding of the rules of acceptable behavior.
- Policy: conveys management's intentions to its employees.
- Effective security program: use of a formal plan to implement and manage security in the organization.
Policies, Standards, and Procedures
- Policy: a set of guidelines or instructions that the organization's senior management implements. The idea.
- Standards: more detailed descriptions of what must be done to comply with policy. The specifics and outline.
- Procedures: how to accomplish the policies and standards.
Effective Policies
For a policy to be considered effective and legally enforceable:
- Dissemination: distribution of the information. Is it in a readily available place?
- Review: has it been read? Who is reading it?
- Comprehension: is it understandable? Too confusing?
- Compliance: acknowledge vs. agree.
- Uniform enforcement: how are violations being handled?
What Drives Policy Development?
- Mission of an organization: written statement of the purpose of the organization. Usually not modified.
- Vision of an organization: written statement of the organization's long-term goals. Occasionally modified.
- Strategic planning: the process of moving the organization toward its vision. Constantly reworked to promote progress.
- Security policy: set of rules that protects an organization's assets.
Question: What are some security policies you are aware of?
Types of Information Security Policies
- Information security policy: set of rules for the protection of an organization's information assets.
- Enterprise information security policies: general security policy.
- Issue-specific security policies: specific technology policy.
- Systems-specific security policies: configurations.
Enterprise Information Security Policy (EISP)
- Supports the mission, vision, and direction of the organization.
- Sets the strategic direction, scope, and tone for all security efforts.
- Executive-level document, drafted by the organization's chief information officer.
- Expresses the security philosophy within the IT environment.
- Guides the development, implementation, and management of the security program.
- Addresses an organization's need to comply with laws and regulations in two ways: general compliance, and identification of specific penalties and disciplinary actions.
Components of EISP
Issue-Specific Security Policy (ISSP)
- Addresses specific areas of technology.
- Requires frequent updates.
- Contains a statement on the organization's position on a specific issue.
- May cover:
  - Use of company-owned networks and the Internet
  - Use of telecommunications technologies (fax and phone)
  - Use of electronic mail
  - Specific minimum configurations of computers to defend against worms and viruses
  - Prohibitions against hacking or testing organization security controls
  - Home use of company-owned computer equipment
  - Use of personal equipment on company networks
  - Use of photocopy equipment
Components of ISSP
Systems-Specific Policy (SysSP)
- Appears with the managerial guidance expected in a policy, but also includes detailed technical specifications not usually found in other types of policy documents.
- Managerial guidance SysSPs: guide the implementation and configuration of a specific technology.
- Technical specifications SysSPs: general methods for implementing technical controls.
  - Access control lists (ACLs): a set of specifications that identifies a piece of technology's authorized users and includes details on the rights and privileges those users have on that technology.
  - Access control matrix: combines capability tables and ACLs.
  - Configuration rules: specific instructions entered into a security system to regulate how it reacts to the data it receives.
  - Rule-based policies: more specific to a system's operation than ACLs; may or may not deal with users directly.
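The relationship between the access control matrix, ACLs and capability tables, and the difference between those user-centred controls and a rule-based policy that acts on data, is easier to see in code. The following is an added example written for this page, not material from the slides or from any particular product: the subjects, objects, rights and rules are all constructed, and the rule format (protocol, destination port, source prefix) is a simplified stand-in for a real firewall's configuration rules.

```python
"""Added example: an access control matrix, the ACL and capability-table
views derived from it, and a rule-based policy evaluated against data
(not users). Every subject, object and rule below is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed access control matrix: rows are subjects, columns are objects,
# cells hold the rights the subject has on the object. An absent cell is
# "no rights", so the matrix is default-deny.
MATRIX: Dict[str, Dict[str, FrozenSet[str]]] = {
    "alice": {
        "payroll.db": frozenset({"read", "write"}),
        "handbook.pdf": frozenset({"read"}),
    },
    "bob": {
        "handbook.pdf": frozenset({"read"}),
    },
    "svc-backup": {
        "payroll.db": frozenset({"read"}),
        "handbook.pdf": frozenset({"read"}),
    },
}


def acl(obj: str) -> Dict[str, FrozenSet[str]]:
    """ACL view: one object's column of the matrix, i.e. the authorized
    subjects and the rights each holds on that object."""
    return {
        subject: rights[obj]
        for subject, rights in MATRIX.items()
        if obj in rights and rights[obj]
    }


def capability_table(subject: str) -> Dict[str, FrozenSet[str]]:
    """Capability view: one subject's row of the matrix, i.e. every object
    the subject may touch and the rights it holds on each."""
    return {obj: r for obj, r in MATRIX.get(subject, {}).items() if r}


def is_permitted(subject: str, obj: str, right: str) -> bool:
    """Authorization check against the matrix. Unknown subjects, unknown
    objects and missing rights all fall through to deny."""
    return right in MATRIX.get(subject, {}).get(obj, frozenset())


# Rule-based policy: configuration rules a security system applies to the
# data it receives. The rules never mention a user; they match on protocol,
# destination port and source address prefix.
@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp" or "udp"
    dst_port: Optional[int]     # None matches any destination port
    src_prefix: str             # "" matches any source address


# Constructed rule set, evaluated top to bottom, first match wins.
RULES: List[Rule] = [
    Rule("allow", "tcp", 443, ""),       # HTTPS from anywhere
    Rule("allow", "tcp", 22, "10.0."),   # SSH only from the internal range
    Rule("deny", "tcp", 22, ""),         # SSH from anywhere else
]


def evaluate(proto: str, src_ip: str, dst_port: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule). Traffic that matches no
    rule is denied and reported with index None, which is the default-deny
    behaviour a rule-based policy should have."""
    for idx, rule in enumerate(RULES):
        if (rule.proto == proto
                and (rule.dst_port is None or rule.dst_port == dst_port)
                and src_ip.startswith(rule.src_prefix)):
            return rule.action, idx
    return "deny", None


if __name__ == "__main__":
    print("ACL for payroll.db:", acl("payroll.db"))
    print("Capabilities of bob:", capability_table("bob"))
    print("alice write payroll.db:", is_permitted("alice", "payroll.db", "write"))
    print("tcp/22 from 203.0.113.9:", evaluate("tcp", "203.0.113.9", 22))
```

Both views are derived from the same matrix, so an ACL review (who can reach this object?) and a capability review (what can this subject reach?) cannot disagree; keeping them in one source of truth is the practical reason to think in terms of the matrix. The rule set shows the other property the slide names: it regulates how the system reacts to data and never references a subject at all.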
Frameworks and Industry Standards
- Security blueprint: basis for the design, selection, and implementation of all security program elements.
- Security framework: outline of the overall information security strategy; a roadmap for planned changes to the organization's information security environment.
  - The ISO 27000 series
  - NIST model
NIST Security Models
Computer Security Resource Center (CSRC) publications:
- SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems. Lists the principles and practices to be used in the development of a security blueprint.
- SP 800-41 Rev. 1: Guidelines on Firewalls and Firewall Policy. Provides an overview of the capabilities and technologies of firewalls and firewall policies.
- SP 800-53 Rev. 3: Recommended Security Controls for Federal Information Systems and Organizations. Describes the selection and implementation of security controls for information security to lower the possibility of successful attack from threats.
- SP 800-53A, Jul 2008: Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans. Provides a system development life cycle approach to security assessment of information systems.
Other NIST Perimeter Defense Publications
Benchmarking and Best Practices
- Best practices: procedures that are accepted or prescribed as being correct or most effective.
- Benchmarking: evaluation against a standard.
- Spheres of security: generalized foundation of a good security framework.
  - Controls: implemented between systems and the information, between networks and the computer systems, and between the Internet and internal networks.
  - Information security: designed and implemented in three layers: policies, people (education, training, and awareness programs), and technology.
Spheres of Security
Security Education, Training, and Awareness Program
- Security education, training, and awareness (SETA) program: responsibility of the CISO.
- Control measure designed to reduce the incidences of accidental security breaches by employees.
- Designed to supplement the general education and training programs.
Purpose of SETA
The program elements:
- Security education: provide opportunity, inform. The why.
- Security training: hands-on education and experience. The how.
- Security awareness: reinforce. The what.
The purpose of SETA is to enhance security by:
- Improving awareness of the need to protect system resources
- Developing skills and knowledge so computer users can perform their jobs more securely
- Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
Security Education
- Investigate available courses from local institutions of higher learning or continuing education.
- Centers of Excellence program: identifies outstanding universities that have both coursework in information security and an integrated view of information security in the institution itself.
- 4th grade cyber security training
Security Training
- Provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely.
- Industry training conferences and programs offered through professional agencies.
- SETA resources: offer assistance in the form of sample topics and structures for security classes.
Security Awareness
- Designed to keep information security at the forefront of users' minds.
- Includes newsletters, security posters, videos, bulletin boards, flyers, and trinkets.
Security Awareness Examples (image slides)
DTCC's Own Newsletter
Summary
- Policy: basis for all information security planning, design, and deployment.
- The security team develops a design blueprint used to implement the security program.
- Implement a security education, training, and awareness (SETA) program to supplement the general education and training programs.