INFORMATION SECURITY
MANAGEMENT
LECTURE 4:
INFORMATION SECURITY POLICY
You got to be careful if you don’t know where you’re going,
because you might not get there. – Yogi Berra
Principles of Information Security
Management
Include the following characteristics that will be the
focus of the current course (six P’s):
1. Planning Chapters 2 & 3
2.
3.
4.
5.
6.
Chapter 4
Policy
Programs
Protection
People
Project Management
http://csrc.nist.gov/publications/PubsTC.html
Introduction
“The success of an information resources protection
program depends on the policy generated, and on the
attitude of management toward securing information on
automated systems”
Policy is the essential foundation of an effective
information security program
Policy
• Explains the will of the organization’s management in
controlling the behavior of employees
Policy – Biggest Threat to Endpoint Security?
• 78% consider negligent or careless employees who do
not follow security policies to be biggest threat to
endpoint security
• 50% did not receive any security or policy awareness
training
"I wouldn’t go so far to say they don’t care – mostly - but I’d also point
out that organizations probably haven’t done a good job of helping
them understand why they should care"
http://www.securityweek.com/employees-not-following-policy-biggest-threat-endpoint-security-it-pros-say
Bulls-eye Model
Policy, Standards, and Practices
• Policy & Types
• Enterprise
• Issue-specific
• Systems-specific
• Standards
• Practices
Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for organization’s
security efforts
• Assigns responsibilities for various areas of information
security
• Examples:
 http://uncw.edu/policies/it.html
 http://doit.maryland.gov/support/pages/securitypolicies.aspx
EISP Elements
• Overview of the corporate philosophy on security
• Information about information security organization and
information security roles
 Responsibilities for security that are shared by all members of
the organization
 Responsibilities for security that are unique to each role within
the organization
Example ESIP Components
•
•
•
•
•
Statement of purpose
Information technology security elements
Need for information technology security
Information technology security responsibilities and roles
Reference to other information technology standards and
guidelines
Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
• Protects organization from inefficiency and ambiguity
• Indemnifies the organization against liability for an
employee’s inappropriate or illegal system use
Issue-Specific Security Policy (cont’d.)
• Every organization’s ISSP should:
Examples at UNCW:
 Email Abuse
ISSP - Topics
–
–
–
–
–
–
–
Email and internet use
Minimum system configurations
Prohibitions against hacking
Home use of company-owned computer equipment
Use of personal equipment on company networks
Use of telecommunications technologies
Use of photocopy equipment
Components of the ISSP
•
•
•
•
•
•
•
Statement of Purpose
Authorized Access and Usage of Equipment
Prohibited Usage of Equipment
Systems management
Violations of policy
Policy review and modification
Limitations of liability
Implementing the ISSP
• Common approaches
System-Specific Security Policy
• System-specific security policies (SysSPs) frequently
do not look like other types of policy
• SysSPs can be separated into:
Managerial Guidance SysSPs
• Created by management to guide the implementation
and configuration of technology
• Applies to any technology that affects the confidentiality,
integrity or availability of information
• Informs technologists of management intent
Example:
• Lifecycle Replacement
Technical Specifications SysSPs
• System administrators’ directions on implementing
managerial policy
• General methods of implementing technical controls
– Access control lists
– Configuration rules
Technical Specifications SysSPs (cont’d.)
• Access control lists
– Include the user access lists, matrices, and capability tables that
govern the rights and privileges
– Enable administrations to restrict access according to user,
computer, time, duration, or even a particular file
Examples:
• Access to Information Resources and Data
Technical Specifications SysSPs (cont’d.)
• Access control lists regulate:
• Administrators set user privileges
Technical Specifications SysSPs: Case Study
Disaster at a University:
A Case Study in Information Security
Overview
Issue
People Involved
Approach and Resolution
Outcomes
Conclusion
Guidelines for Effective Policy
• For policies to be effective, they must be properly:
Developing Information Security Policy
• It is often useful to view policy development as a twopart project
1.
Design and develop the policy (or redesign and rewrite an
outdated policy)
2.
Establish management processes to perpetuate the policy
within the organization
Developing Information Security Policy (cont’d.)
• Policy development projects should be
– Well planned
– Properly funded
– Aggressively managed to ensure that it is completed on time and
within budget
• The policy development project can be guided by the
SecSDLC process
SecSDLC Process of Policy Development
• Investigation phase
–
–
–
–
Obtain support from senior management
Clearly articulate the goals of the policy project
Acquire a capable project manager
Develop a detailed outline of and sound estimates for project
cost and scheduling
Developing Information Security Policy (cont’d.)
• Analysis phase should produce
– New or recent risk assessment or IT audit documenting the
current information security needs of the organization
– Key reference materials
• Including any existing policies
Developing Information Security Policy (cont’d.)
• Design phase includes
– How the policies will be distributed
– How verification of the distribution will be accomplished
Developing Information Security Policy (cont’d.)
• Implementation phase includes
– Writing the policies
– Policy distribution
• Maintenance Phase
– Maintain and modify the policy as needed
– Built-in reporting mechanism
– Periodic review
Alternative Approaches: The Information Securities
Policy Made Easy Approach
•
•
•
•
•
Gathering key reference materials
Defining a framework for policies
Preparing a coverage matrix
Making critical systems design decisions
Structuring review, approval, and enforcement
processes
Alternative Approaches: Guide for Developing Security Plans
for Federal Information Systems
• NIST Special Publication 800-18, Rev. 1 reinforces a
business process-centered approach to policy
management
• Policies are living documents
• Good management practices for policy development and
maintenance make for a more resilient organization
Alternative Approaches: Guide for Developing Security Plans
for Federal Information Systems
• Policy requirements
–
–
–
–
An individual responsible for reviews
A schedule of reviews
A method for making recommendations for reviews
An indication of policy and revision date
Management of Information Security, 3rd ed.
A Final Note on Policy
Lest you believe that the only reason to have policies is to
avoid litigation, it is important to emphasize the preventative
nature of policy.
Next Class
• Chapter 5 – Security Programs
• Case Studies
• We will be covering the cases during lecture. Be prepared to
discuss your assigned case and read the other cases
• Assessment 1