Learning Objectives:
– Understand management's responsibilities and role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.
– Understand the differences between the organization's general information security policy and the requirements and objectives of the various issue-specific and system-specific policies.
– Know what an information security blueprint is and what its major components are.
– Understand how an organization institutionalizes its policies, standards, and practices using education, training, and awareness programs.
– Become familiar with what a viable information security architecture is, what it includes, and how it is used.
Information Security Policy, Standards, and Practices:
Management from all communities of interest must consider policies as the basis for all information security efforts.
Policies direct how issues should be addressed and how technologies are used.
Security policies are the least expensive control to execute, but the most difficult to implement.
Shaping policy is difficult because a policy must:
– Never conflict with laws
– Stand up in court, if challenged
– Be properly administered.
Definitions:
A policy is a plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters.
Policies are organizational laws.
Standards, on the other hand, are more detailed statements of what must be done to comply with policy.
Practices, procedures, and guidelines effectively explain how to comply with policy.
For a policy to be effective it must be properly disseminated, read, understood, and agreed to by all members of the organization.
Types of Policy:
Management defines three types of security policy:
– General or security program policy
– Issue-specific security policies
– Systems-specific security policies.
Security Program Policy:
A security program policy (SPP) is also known as:
– A general security policy
– IT security policy
– Information security policy
The SPP sets the strategic direction, scope, and tone for all security efforts within the organization.
It is an executive-level document, usually drafted by or with the CIO of the organization, and is usually 2 to 10 pages long.
Issue-Specific Security Policy (ISSP):
As various technologies and processes are implemented, certain guidelines are needed to use them properly.
The ISSP:
– addresses specific areas of technology
– requires frequent updates
– contains an issue statement on the organization's position on an issue
Three approaches:
– Create a number of independent ISSP documents
– Create a single comprehensive ISSP document
– Create a modular ISSP document.
Example ISSP Structure:
– Statement of Policy
– Authorized Access and Usage of Equipment
– Prohibited Usage of Equipment
– Systems Management
– Violations of Policy
– Policy Review and Modification.
Systems-Specific Policy (SysSP):
While issue-specific policies are formalized as written documents, distributed to users, and agreed to in writing, SysSPs are frequently codified as standards and procedures used when configuring or maintaining systems.
Systems-specific policies fall into two groups:
– Access control lists (ACLs) consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system.
– Configuration rules comprise the specific configuration codes entered into security systems to guide the execution of the system.
ACL Policies:
Both the Microsoft Windows NT/2000 and Novell Netware 5.x/6.x families of systems translate ACLs into sets of configurations that administrators use to control access to their respective systems.
ACLs allow configuration to restrict access from anyone and anywhere.
ACLs regulate:
– Who can use the system
– What authorized users can access
– When authorized users can access the system
– Where authorized users can access the system from
– How authorized users can access the system.
Rule Policies:
Rule policies are more specific to the operation of a system than ACLs.
Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process.
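The two SysSP groups just described, ACLs and configuration rules, can be made concrete with a small policy engine. The following Python is an added example written for these notes, not code from the lecture or from any of the products named above. The ACL half checks every dimension the ACL slide lists (who, what, when, where, how) and denies when any of them fails to match; the rule half walks an ordered, firewall-style rule set where the first matching rule decides and anything unmatched is denied. All class names, the `finance` group, the `payroll-db` resource, the addresses and the rule set are constructed sample data.

```python
# Added example (not from the lecture notes): a toy policy engine showing the
# two SysSP groups the text names, ACLs (who/what/when/where/how) and ordered
# configuration rules (first match wins, default deny). All names and sample
# data below are constructed for illustration.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class AclEntry:
    """One ACL line: a subject, an object, and the constraints on access."""
    who: str                                   # user name or group name
    what: str                                  # protected resource
    how: FrozenSet[str]                        # permitted access methods
    when: Tuple[time, time] = (time(0, 0), time(23, 59, 59))  # allowed window
    where: Tuple[str, ...] = ("0.0.0.0/0",)    # permitted source networks (CIDR)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    resource: str
    method: str
    at: time
    source_ip: str


def acl_permits(acl: Sequence[AclEntry], req: AccessRequest) -> bool:
    """Grant only if some entry matches on every dimension; otherwise deny."""
    src = ip_address(req.source_ip)
    for entry in acl:
        if entry.who != req.user and entry.who not in req.groups:
            continue                           # who
        if entry.what != req.resource:
            continue                           # what
        if req.method not in entry.how:
            continue                           # how
        start, end = entry.when
        if not start <= req.at <= end:
            continue                           # when
        if not any(src in ip_network(net) for net in entry.where):
            continue                           # where
        return True
    return False                               # implicit deny


@dataclass(frozen=True)
class ConfigRule:
    """One configuration rule, firewall style."""
    action: str                                # "allow" or "deny"
    proto: str                                 # "tcp", "udp" or "any"
    src: str                                   # source network (CIDR)
    dst_port: Optional[int]                    # None means any port


def evaluate_rules(rules: Sequence[ConfigRule], proto: str,
                   src_ip: str, dst_port: int) -> str:
    """Return the action of the first matching rule; deny if none match."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if src not in ip_network(rule.src):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return "deny"


# Constructed sample ACL: the finance group may read and write the payroll
# database during business hours from the internal network; one named DBA
# may also administer it, but only from the DBA subnet.
SAMPLE_ACL = [
    AclEntry(who="finance", what="payroll-db", how=frozenset({"read", "write"}),
             when=(time(8, 0), time(18, 0)), where=("10.0.0.0/8",)),
    AclEntry(who="dba-alice", what="payroll-db",
             how=frozenset({"read", "write", "admin"}), where=("10.0.5.0/24",)),
]

# Constructed sample rule set: block telnet from everywhere, allow SSH from
# the internal network only, allow HTTPS from anywhere, deny everything else.
SAMPLE_RULES = [
    ConfigRule("deny", "tcp", "0.0.0.0/0", 23),
    ConfigRule("allow", "tcp", "10.0.0.0/8", 22),
    ConfigRule("allow", "tcp", "0.0.0.0/0", 443),
]


def acl_demo() -> Dict[str, bool]:
    """Try the sample ACL with requests that vary one dimension at a time."""
    def finance(at: time, ip: str, method: str = "read") -> bool:
        return acl_permits(SAMPLE_ACL, AccessRequest(
            "bob", frozenset({"finance"}), "payroll-db", method, at, ip))
    alice = lambda ip: acl_permits(SAMPLE_ACL, AccessRequest(
        "dba-alice", frozenset(), "payroll-db", "admin", time(23, 0), ip))
    return {
        "finance_ok": finance(time(9, 30), "10.1.2.3"),
        "finance_after_hours": finance(time(22, 0), "10.1.2.3"),
        "finance_external": finance(time(9, 30), "203.0.113.5"),
        "finance_delete": finance(time(9, 30), "10.1.2.3", "delete"),
        "dba_from_dba_subnet": alice("10.0.5.7"),
        "dba_from_elsewhere": alice("10.1.2.3"),
    }


def rules_demo() -> Dict[str, str]:
    """Exercise the sample rule set, including the default-deny fallthrough."""
    return {
        "ssh_internal": evaluate_rules(SAMPLE_RULES, "tcp", "10.0.0.9", 22),
        "ssh_external": evaluate_rules(SAMPLE_RULES, "tcp", "198.51.100.1", 22),
        "telnet_internal": evaluate_rules(SAMPLE_RULES, "tcp", "10.0.0.9", 23),
        "https_external": evaluate_rules(SAMPLE_RULES, "tcp", "198.51.100.1", 443),
        "dns_udp": evaluate_rules(SAMPLE_RULES, "udp", "10.0.0.9", 53),
    }


if __name__ == "__main__":
    for name, result in {**acl_demo(), **rules_demo()}.items():
        print(f"{name}: {result}")
```

Two design points carry over to real systems: access is denied unless an entry matches on every dimension, so leaving a dimension unspecified must mean an explicit wildcard rather than "unchecked", and rule order matters, which is why the telnet deny sits before the broader allows and why the set ends in an implicit deny.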
Policy Management:
Policies are living documents that must be managed and nurtured, and are constantly changing and growing.
Documents must be properly managed.
Special considerations should be made for organizations undergoing mergers, takeovers, and partnerships.
In order to remain viable, policies must have:
– an individual responsible for reviews
– a schedule of reviews
– a method for making recommendations for reviews
– a specific effective and revision date.
Information Classification:
The classification of information is an important aspect of policy.
The same protection scheme created to prevent production data from accidental release to the wrong party should be applied to policies in order to keep them freely available, but only within the organization.
In today's open office environments, it may be beneficial to implement a clean desk policy.
A clean desk policy stipulates that at the end of the business day, all classified information must be properly stored and secured.
Systems Design:
At this point in the Security SDLC, the analysis phase is complete and the design phase begins; many work products have been created.
Designing a plan for security begins by creating or validating a security blueprint.
Then use the blueprint to plan the tasks to be accomplished and the order in which to proceed.
Setting priorities can follow the recommendations of published sources, or published standards provided by government agencies or private consultants.
Information Security Blueprints:
One approach is to adapt or adopt a published model or framework for information security.
A framework is the basic skeletal structure within which additional detailed planning of the blueprint can be placed as it is developed or refined.
Experience teaches us that what works well for one organization may not precisely fit another.
ISO 17799/BS 7799:
One of the most widely referenced and often discussed security models is the Information Technology – Code of Practice for Information Security Management, which was originally published as British Standard BS 7799.
This Code of Practice was adopted as an international standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 as a framework for information security.
ISO 17799 / BS 7799:
Several countries have not adopted 17799, claiming there are fundamental problems:
– The global information security community has not defined any justification for a code of practice as identified in ISO/IEC 17799
– 17799 lacks "the necessary measurement precision of a technical standard"
– There is no reason to believe that 17799 is more useful than any other approach currently available
– 17799 is not as complete as other frameworks available
– 17799 is perceived to have been hurriedly prepared given the tremendous impact its adoption could have on industry information security controls.
Organizational Security Policy is needed to provide management direction and support.
Objectives:
– Operational Security Policy
– Organizational Security Infrastructure
– Asset Classification and Control
– Personnel Security
– Physical and Environmental Security
– Communications and Operations Management
– System Access Control
– System Development and Maintenance
– Business Continuity Planning
– Compliance.
NIST Security Models:
– NIST SP 800-12 - The Computer Security Handbook
– NIST SP 800-14 - Generally Accepted Principles and Practices for Securing IT Systems
– NIST SP 800-18 - The Guide for Developing Security Plans for IT Systems