Information Security Policy ACP - New York Capital Region Chapter February 10, 2010 Presenter: Dan Didier [email protected] In association with M.A. Polce Consulting


Information Security Policy

ACP - New York Capital Region Chapter

February 10, 2010

Presenter: Dan Didier, [email protected]

In association with M.A. Polce Consulting

What’s driving your business to develop an information security policy?

Audience input, please…

Security Policy Drivers

Basel II - (international banking)
BSA - (anti-money laundering)
E-SIGN - (electronic signature)
FACTA - (identity theft)
FISMA - (federal govt.)
GLBA - (banking)
Identity Theft Red Flags Rule - (finance / creditors)
HIPAA - (healthcare)
NCUA Part 748
Patriot Act
PCI
SOX

Established Compliance Drivers

ARE THERE REALLY THIS MANY???

MASS. CMR - (data security law)
Breach and Notification Laws (per state)
NYS Security Breach Notification Act
NYS Social Security Number Protection Law
HITECH – (Health Information Technology for Economic and Clinical Health Act)
NYS Internet Security and Privacy Act

Recently Established Compliance Drivers

Immediate loss of business due to unavailability
Long-term loss of business due to loss of trustworthiness and reputation
Loss of stock value
Financial liability for breach of contract
Legal liability for contributory negligence
Loss of management credibility
Embarrassment of employees
Lowered employee morale
Increased employee turnover
Difficulty hiring competent staff
Incitement to abuse of security policies

More Drivers…Protecting Critical Assets Against:

Information Security Life Cycle

Security Policy

Security Procedures

Awareness and Training

Compliance

Security Audit

Security / Risk Assessment

An effective information security policy is designed to support the control objectives as defined by management to meet the assurance requirements of achieving business objectives and preventing, detecting, and correcting undesired events.

What is the goal of an Information Security Policy?

An information security policy enables high-level business requirements by protecting sensitive information with defined policy, controls, standards, and procedures for configuring and managing security.

Through the creation of an information security policy, an organization establishes clear guidelines necessary to implement secure business processes as defined by the key business stakeholders.

How is an Information Security Policy Implemented?

These guidelines are leveraged throughout the information security life cycle and help to define the specific policy, standards, procedures, and guidelines in each of the respective areas.

There are three key questions:

What is a Policy?
What is a Standard?
What is a Procedure?

Policies, Standards, and Procedures

Is defined by management / key stakeholders
Is a brief document, including:
◦ To whom and what the policy applies
◦ The need for adherence (compliance / security)
◦ A general description
◦ Consequences of non-adherence

Policy

Defined by directors or department-level managers
Standards define what must be done to implement security:
◦ roles and responsibilities of security personnel
◦ protection against malware
◦ information and software exchange mechanisms
◦ user responsibilities
◦ acceptable use
◦ mobile computing
◦ access control
◦ compliance
◦ government regulation
◦ industry standards

Standards

Defined by directors or department-level managers, implemented by target workforce.

Procedures specifically outline how security controls must be implemented and managed.

Procedures should support the accompanying standards, ensuring that standards are followed and tasks are documented (auditable) to achieve full compliance.

This component provides many of the critical details that can either make or break an effective information security policy.

Procedures

A policy without support is useless. Consider the statement: do as I say, not as I do.

Management is wholly responsible for all ramifications of failing to properly address industry, compliance, and business requirements.

Management is also responsible for assuring the continuity of policy compliance for all external service providers. There is no transfer of liability when organizational tasks are outsourced; the originating organization and its management are ultimately responsible for ensuring compliance.

Obtaining Management Support…

Cost can be identified fairly easily
Benefits may be difficult to quantify
An effective program requires the support, credibility, and advocacy of management. This needs to be obtained and maintained.

Management must be kept informed, spoken to in their language, and shown proof of impact.

…Obtaining Management support

Enable Mgmt with just enough information to:
◦ Understand security concerns
◦ Make informed decisions
◦ Be knowledgeable on the topic

Provide reports that meld into existing communication mechanisms including progress reports and briefings.

Provide updates that highlight progress and accomplishments.

Whenever possible, use metrics to quantify progress.

Keep Management Informed

Provide relevant and accurate information:
◦ Avoid overstating threats and fears.
◦ Do not provide a false sense of security.
◦ Present reasonable solutions along with problems and concerns.
◦ Remember the budget; include costs and benefits.
◦ Remember the ecology; the relationship between users and systems.
◦ Remember that resistance is often based on expending funds on something perceived as a low priority; however, the cost of one incident may be quite expensive.

Speak Management’s Language

Without proper enforcement mechanisms, a policy may be worth little more than the paper it was printed on.

A policy needs “teeth” to be effective and for the workforce to respect and abide by it.

However, avoid using “standard” policy language: “Failure to comply with this policy may result in disciplinary action, up to and including termination.”

Policy Enforcement…

Avoid ambiguity and explain to the workforce what may happen with increasing levels of severity:
◦ Warning from management
◦ Official warning in personnel file
◦ Revoking privileges such as Internet/email
◦ Require additional training
◦ Suspension without pay
◦ Termination

Better Policy Enforcement

A policy must not be written solely to have a policy; it must support the business process and also be supported by it.

A policy must be considered a living, breathing document. It must be updated as business requirements and processes change.

A policy must be incorporated into the information security life cycle.

A policy must be initiated, mandated, and supported by management.

To Do and not To Do

Common drivers for developing a BCP
◦ Regulatory compliance
◦ Business partner requirements
◦ High level of reliance on IT
◦ Past experiences with system failures or catastrophic events (Blackout of 2004)

Common goals for a BCP
◦ Minimize the impact of incidents
◦ Reduce risk
◦ Interpret potential threats and develop defenses
◦ Integrate and enable business

Similarities of BCP and Information Security Policy

Define policies, procedures and standards for:
◦ Controlling access to data during the recovery process (document access/security requirements, etc.).
◦ Identifying and documenting information that must be protected.
◦ Implementing security to accommodate the likely increase in use of mobile devices during recovery.
◦ Physical access controls for temporary locations.
◦ Backup tape (media) controls (both during non-disaster and disaster recovery periods).
◦ 3rd party recovery vendors and access to sensitive data/information.

Supporting BCP with Policy

Questions?