2. Policies and Procedures
Presented by Lee Vigue and Ned Allison
Speaker roles: Chief Information Security Officer, Legislative Data Center; Information Security Engineer and Architect, Legislative Data Center; Policy Manager, ISSA-Sac; Vice President, ISSA-Sac
3. The Focus: How do we deal with it all?
Policies
Procedures
Standards
Guidelines
Practices
Regulations
Civil Codes
Criminal Laws
Requirements
Acts
Agreements
Statutes
Frameworks
SAM
SIMM
BS7799
ISO17799
ISO27002
COBITv4.0
NIST
CERT
SANS
Buzz Words
GLBA
SOX
HIPAA
SAS70
PCI
SB1386
E-Discovery
Related Issues
Architecture
CMMI
ITIL
4. Addressing the issues
Looking at the issues from two viewpoints
Management
Tends to focus on Policy and Guidelines
Issues with being proactive about Policy
Critical to supportability of Policy
Technical
Tends to focus on Standards and Procedures
Issues with being constrained by Policy
Critical to the doability of Policy
5. Walking the path
Starting with the Definitions
What is it?
What makes it up?
Samples of the good, the bad and the ugly
Placement in the frame of reference
How does it relate to other strategic goals?
Recommendations
Summary
Questions and Answers
6. What is a Policy?
A High Level Statement of Enterprise Beliefs, Goals and
Objectives, along with a general means for attaining them in a
specified subject area.
It is: a Brief Statement, set at a high level.
It is not: a step-by-step implementation, or a specific,
detailed description.
7. A Policy needs support
Because a policy is written at a high level and is a simple
statement of a goal or objective, it needs to be supported by:
Standards
Procedures
Guidelines
8. Standards, Procedures and Guidelines
Standards
Mandatory Activities, Actions or Rules supporting policies
Procedures
Detailed specifics on implementation
Guidelines
General Statements and Recommendations
9. Definitions per ISO 17799
Policy
Overall intention and direction as formally expressed by
management
Procedure
A formal method to accomplish a task, in accordance with policy
and guidelines
Guideline
A description that clarifies what should be done and how, to
achieve objectives set out in policy*
* According to ISO 17799:2005
10. Policies
Management View
Technical View
11. Policy and Standard Example
Policy
Access to Enterprise Information Systems shall be restricted to
authorized users only
Standard
Users must have a unique UserID and an individual and
confidential password
12. Issues with Policies
The need to build the meat-and-potatoes statements first
The idea of "no exceptions"
The idea of JITP (Just-In-Time Policies)
13. Standards
Often refer to a specific Technology or Environment
Change with new technologies or environments
14. Issues with Standards
Can be expensive to Maintain
Require updating to new technical conditions and
environment
Change frequently in comparison to policies
15. Procedures
Detailed statements of requirements and process for
implementing policies and standards
Can be step by step
Can be lists of required approvals or actions
16. Issues with Procedures
Procedures change frequently with:
Organizational Changes
New Approval Structures
New Technologies
New Requirements
Must be maintained
Change more frequently than Standards
Multiple Procedures may apply to a single Standard or Policy process
17. What are Guidelines?
General Statements and Recommendations designed to achieve
Policy objectives and Standards Requirements
Can be used to provide a framework for Procedural
implementation
18. Issues with Guidelines
Guidelines are recommendations not mandatory requirements
Guidelines are not enforceable
Guidelines are frequently misused
19. Examples
Policy
Access to information systems is restricted to authorized users
only
Standard
Users will have a unique UserID and confidential password
Procedure
Users will obtain a UserID and one-time password upon management
approval and must immediately change the password upon first
login
Guideline
Passwords should be complex, consisting of more than 8
characters and including upper case, lower case, numbers and
symbols
21. Sample Discussions
22. Policy Frameworks
CA State SAM and SIMM
ISO 17799 soon to become ISO 27000 Series
COBIT
NIST
CERT
others
23. Regulatory Drivers
SOX
GLBA
HIPAA
PCI
SAS70
CA SB1386, CA CC 1798.1
others
24. Parallel Frameworks
CMMI
Enterprise Architecture
ITIL
25. Recommendations and Focus for Policies, Standards,
Procedures and Guidelines
Find a Framework which works for your organization and adapt it
to your needs
Get Executive Management support of your efforts
Engage Technical Staff in Standards and Procedures to ensure
ownership
Publish Policy to all, Standards to those responsible,
Procedures to those who engage in the process and Guidelines to the
whole group involved to ensure awareness
Review and regularly maintain the structure to ensure that it
remains accurate, doable, and relevant to your organizational
needs and the changing regulatory and technical environments
26. Framework Recommendation
Use COBIT as an overall implementation
Provides Auditable Metrics
Use ISO 17799 (27000s) as a Security Framework
Provides Detailed Structure to the whole security picture
Use NIST/CERT/SANS as a Standards Source
Provides Details of specific Technologies and Requirements
Use ITIL to implement Procedures
Provides structure to Operational Aspects of Security