LECTURE 5: INFORMATION
SECURITY POLICY, STANDARDS,
AND PRACTICES
Department of Computing and Information Sciences
College of Arts and Sciences
Mariano Marcos State University
CMPSC 147 : Information
Assurance and Security
Ralph Perdido
Instructor
OBJECTIVES
• Define policies, practices, standards, guidelines, and procedures.
• Know the function of policy and its role as the foundation for planning.
• Define and differentiate the components of a security policy.
• Identify the types of security policy.
POLICY AS THE FOUNDATION FOR PLANNING
» Key Terms
• de facto standard: a standard widely adopted or accepted by the public or a group rather than issued by a formal standards organization. Contrast with a de jure standard.
• de jure standard: a standard formally evaluated, approved, and ratified by a formal standards organization. Contrast with a de facto standard.
• guidelines: non-mandatory recommendations the employee may use as a reference in complying with a policy.
• information security policy: a written policy provided by an organization's management to inform employees and others in the workplace about proper behavior regarding the use of information and information assets.
• practices: examples of actions that illustrate compliance with policies.
• procedures: step-by-step instructions designed to assist employees in following policies, standards, and guidelines.
• standard: a detailed statement of what must be done to comply with policy.
POLICY AS THE FOUNDATION FOR PLANNING
» Example
Policy: Use strong passwords, frequently changed.
Standard: Passwords must be at least 8 characters long, with at least one number, one letter, and one special character.
Guideline: We recommend that you do not use family or pet names, or parts of your Social Security number, employee number, or phone number in your password.
Practice: According to X, most organizations require employees to change passwords at least semi-annually.
Procedure: To change your password, first click the Windows Start button, then ….
INFORMATION SECURITY POLICY, STANDARDS, AND PRACTICES
» Policy as the basis
• Management from all communities of interest must make policies the basis for all information security planning, design, and deployment.
» What is policy?
• Policy directs how issues should be addressed and how technologies should be used.
• Policies do not specify the proper operation of equipment or software.
• Policy should never contradict law; policy must be able to stand up in court if challenged; and policy should be properly administered through dissemination and documented acceptance.
INFORMATION SECURITY POLICY, STANDARDS, AND PRACTICES
» What is policy?
• Policies function like laws: they dictate acceptable and unacceptable behavior, as well as penalties for failure to comply.
» Security policy
• In government agencies, "security policy" refers to national security and the national policies for dealing with foreign states.
• In general, it is a set of rules that protects an organization's assets.
• Information security policy provides rules for the protection of the organization's information assets.
INFORMATION SECURITY POLICY, STANDARDS, AND PRACTICES
» Information security policy
• Provides rules for the protection of the organization's information assets.
» Types of security policy (per Special Publication (SP) 800-14 of the National Institute of Standards and Technology (NIST))
1. Enterprise information security policies
2. Issue-specific security policies
3. Systems-specific security policies
INFORMATION SECURITY POLICY, STANDARDS, AND PRACTICES
» Criteria to be met in creating a policy
• Dissemination (distribution): the policy has been made readily available for review by the employee, in hard copy and by electronic distribution.
• Review (reading): the policy has been disseminated in an intelligible form, including versions for employees who are illiterate, reading-impaired, or unable to read English. Techniques: recording the policy in English and other languages.
• Comprehension (understanding): the employee understands the requirements and content of the policy. Techniques: quizzes and other assessments.
• Compliance (agreement): the employee agrees to comply with the policy through act or affirmation. Techniques: a mouse click or keystroke action to acknowledge agreement.
• Uniform enforcement (fairness in application): the policy has been uniformly enforced, regardless of employee status or assignment.
INFORMATION SECURITY POLICY, STANDARDS, AND PRACTICES
» Policies, standards, guidelines, and procedures
Example: https://tinyurl.com/yyj8ta7w
INFORMATION SECURITY POLICY, STANDARDS, AND PRACTICES
» Standards
• More detailed statements of what must be done to comply with policy.
• Two types of standards:
  • de facto standards: may be informal or part of an organizational culture (e.g., the QWERTY keyboard layout; breadcrumb trails on websites).
  • de jure standards: formal standards that are published, scrutinized, and ratified by a group, or established by law (e.g., TCP/IP; ASCII).
TYPES OF SECURITY POLICY
» Enterprise Information Security Policy (EISP)
• The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts.
• Also known as a general security policy, organizational security policy, IT security policy, or information security policy.
• Is an executive-level document.
• Guides the development, implementation, and management of the security program.
• Defines the purpose, scope, constraints, and applicability of the security program.
• Assigns responsibilities for system administration, for maintenance of information security policies, and for the practices and responsibilities of users.
TYPES OF SECURITY POLICY
» Enterprise Information Security Policy (EISP)
• Addresses legal compliance (per the National Institute of Standards and Technology):
1. General compliance, to ensure that an organization meets the requirements for establishing a program and assigning responsibilities therein to various organizational components.
2. The use of specified penalties and disciplinary action.
TYPES OF SECURITY POLICY
» Enterprise Information Security Policy (EISP)
• EISP elements:
  • An overview of the corporate philosophy on security.
  • Information on the structure of the information security organization and the people who fulfill the information security role.
  • Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors).
  • Fully articulated responsibilities for security that are unique to each role within the organization.
• Components of the EISP (slide content not included here)
TYPES OF SECURITY POLICY
» Issue-Specific Security Policy (ISSP)
• A policy that provides detailed, targeted guidance to instruct all members of the organization in the use of processes or technologies.
• Addresses specific areas of technology;
• requires frequent updates; and
• contains a statement about the organization's position on a specific issue.
TYPES OF SECURITY POLICY
» Issue-Specific Security Policy (ISSP)
• ISSPs may cover the following topics:
  • E-mail
  • Use of the Internet and World Wide Web
  • Specific minimum configurations of computers to defend against worms and viruses
  • Prohibitions against hacking or testing organization security controls
  • Home use of company-owned computer equipment
  • Use of personal equipment on company networks (BYOD: bring your own device)
  • Use of telecommunications technologies, such as fax and phone
  • Use of photocopy equipment
  • Use of portable storage devices: USB memory sticks, backpack drives, game players, and other devices capable of storing digital files
  • Use of cloud-based storage services that are not self-hosted by the organization or engaged under contract, such as Google Drive, Dropbox, and Microsoft Live
TYPES OF SECURITY POLICY
» Issue-Specific Security Policy (ISSP)
• Three approaches to creating and managing ISSPs:
1. Independent ISSP documents, each tailored to a specific issue.
2. A single comprehensive ISSP document that covers all issues.
3. A modular ISSP document that unifies policy creation and administration while maintaining each specific issue's requirements.
TYPES OF SECURITY POLICY
» Issue-Specific Security Policy (ISSP)
• Components of an ISSP:
  • Statement of Policy: the policy should begin with a clear statement of purpose.
  • Authorized Access and Usage of Equipment: who can use the technology governed by the policy, and what it can be used for.
  • Prohibited Use of Equipment: unless a particular use is clearly prohibited.
  • Systems Management: focuses on the users' relationship to systems management.
  • Violations of Policy: violations of policy should carry penalties that are appropriate.
  • Policy Review and Modification: any document is only useful if it is up to date, so each policy should contain procedures and a timetable for periodic review.
  • Limitations of Liability: the policy should state that if employees violate a company policy or any law using company technologies, the company will not protect them, and the company is not liable for their actions.
TYPES OF SECURITY POLICY
» Systems-Specific Security Policy (SysSP)
• SysSPs function as standards or procedures to be used when configuring or maintaining systems.
• Two general groups of SysSPs:
1. Managerial Guidance SysSPs
  • A document created by management to guide the implementation and configuration of technology.
  • Example: following the firewall configuration guidelines established by management.
2. Technical Specifications SysSPs
  • Created by systems administrators to implement the managerial policy.
  • Example: management requires that user passwords be changed quarterly; the systems administrator implements a technical control within a specific application to enforce this policy.
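The password example earlier in the lecture (a standard of at least 8 characters with a letter, a digit and a special character, plus the guideline about pet names, employee numbers and phone numbers) and the quarterly-change rule above can both be expressed as a technical-specification SysSP. The following Python is an added example, not part of the lecture: the standard is enforced as a hard reject, the guideline produces warnings only (it is non-mandatory), and a password older than the change interval is flagged. The 90-day interval, the sample profile data and the function names are assumptions made for this example.

```python
"""Added example, not from the lecture: a technical-specification SysSP
expressed as code.  The standard (length, letter, digit, special character)
is mandatory and rejects; the guideline (no pet names, employee numbers,
phone numbers) only warns; the managerial rule that passwords change
quarterly is checked against a 90-day interval, which is an assumption."""
from __future__ import annotations
from datetime import date
import string

MIN_LENGTH = 8
MAX_AGE_DAYS = 90                      # "quarterly"; the exact count is an assumption
SPECIALS = set(string.punctuation)


def check_password_standard(password: str) -> list[str]:
    """Standard = mandatory.  Returns the clauses the password fails; empty means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        failures.append("no letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def guideline_warnings(password: str, personal_data: dict[str, str]) -> list[str]:
    """Guideline = advisory.  Warns, but does not reject, when a personal value
    (pet name, employee number, phone digits, ...) appears in the password.
    Values under 3 characters are ignored to avoid noise from short substrings."""
    lowered = password.lower()
    return [f"contains {label}" for label, value in personal_data.items()
            if len(value) >= 3 and value.lower() in lowered]


def password_expired(last_changed: str, today: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Managerial rule enforced technically: True when the password is older
    than the change interval.  Dates are ISO strings (YYYY-MM-DD)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > max_age_days


def evaluate_password_change(password: str, personal_data: dict[str, str]) -> tuple[bool, list[str]]:
    """Accept or reject a proposed password: standard failures reject it,
    guideline hits are returned as warnings alongside acceptance."""
    failures = check_password_standard(password)
    if failures:
        return False, failures
    return True, guideline_warnings(password, personal_data)


if __name__ == "__main__":
    # Constructed sample profile for a fictional employee.
    profile = {"pet name": "Rex", "employee number": "48213", "phone": "5551234"}
    for candidate in ["password", "Rex2024!", "Tr0ub4dor&3"]:
        print(candidate, evaluate_password_change(candidate, profile))
    print("expired:", password_expired("2024-01-01", "2024-04-15"))
```

The split between a returned failure list and a returned warning list mirrors the policy hierarchy: a standard is something the control can refuse, a guideline is something it can only point out.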
TYPES OF SECURITY POLICY
» Systems-Specific Security Policy (SysSP)
• Two general groups of SysSPs:
2. Technical Specifications SysSPs
  • Methods of implementing technical controls:
  1. Access Control Lists (ACLs): details about user access, use permissions, and privileges for an organizational asset or resource. An ACL regulates:
    • who can use the system,
    • what authorized users can access,
    • when authorized users can access the system, and
    • where authorized users can access the system from.
  2. Configuration Rule Policies: govern how a security system reacts to the data it receives; a rule-based policy that may or may not deal with users directly. Examples: intrusion detection and prevention systems, proxy servers.
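An evaluator that answers the four ACL questions above (who, what, when, where) and applies them as an ordered, first-match rule list, the way a configuration rule policy on a firewall or proxy decides how to react to each request it receives. This Python is an added example, not part of the lecture; the users, groups, resources, networks, rule format and function names are all constructed for this example.

```python
"""Added example, not from the lecture: a rule-based access-control evaluator
covering who / what / when / where, evaluated as an ordered first-match rule
list with an implicit default deny.  All names, networks and rules below are
constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset[str]
    resource: str
    action: str            # e.g. "read", "write", "delete"
    at: time               # local time of the request
    source_ip: str


@dataclass
class AclRule:
    who: set[str]                      # user names and/or "group:<name>"
    what: dict[str, set[str]]          # resource -> actions; "*" matches any
    when: tuple[time, time] = (time(0, 0), time(23, 59, 59))
    where: list[str] = field(default_factory=lambda: ["0.0.0.0/0"])
    allow: bool = True
    name: str = ""

    def matches(self, r: Request) -> bool:
        subjects = {r.user} | {f"group:{g}" for g in r.groups}
        if not self.who & subjects:                          # who
            return False
        actions = self.what.get(r.resource, self.what.get("*", set()))
        if r.action not in actions and "*" not in actions:   # what
            return False
        start, end = self.when
        if not start <= r.at <= end:                         # when
            return False
        ip = ip_address(r.source_ip)                         # where
        return any(ip in ip_network(n) for n in self.where)


def decide(rules: list[AclRule], r: Request) -> tuple[bool, str]:
    """First matching rule wins; no match is an implicit deny."""
    for rule in rules:
        if rule.matches(r):
            return rule.allow, rule.name
    return False, "default deny"


CORP_NETS = ["10.0.0.0/8", "192.168.1.0/24"]

# Constructed sample policy.  Order matters: the deny rule is listed first so
# a broader allow rule further down cannot shadow it.
RULES = [
    AclRule(name="contractors-no-hr-writes", who={"group:contractors"},
            what={"hr-share": {"write", "delete"}}, allow=False),
    AclRule(name="payroll-hr-business-hours", who={"group:payroll"},
            what={"hr-share": {"read", "write"}},
            when=(time(8, 0), time(18, 0)), where=CORP_NETS),
    AclRule(name="staff-wiki-read", who={"group:staff"}, what={"wiki": {"read"}}),
]


def check(user: str, groups: list[str], resource: str, action: str,
          hhmm: str, source_ip: str) -> tuple[bool, str]:
    """Convenience wrapper: build a Request from plain values and evaluate it against RULES."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    req = Request(user, frozenset(groups), resource, action, time(hour, minute), source_ip)
    return decide(RULES, req)


if __name__ == "__main__":
    print(check("alice", ["payroll", "staff"], "hr-share", "write", "10:00", "10.1.2.3"))
    print(check("alice", ["payroll", "staff"], "hr-share", "write", "22:00", "10.1.2.3"))
    print(check("bob", ["contractors", "staff"], "hr-share", "write", "10:00", "10.1.2.3"))
```

Returning the name of the deciding rule alongside the verdict is what makes the control auditable: a denied request can be traced to the specific clause of the SysSP that caused it, and a request that fell through to the default deny shows up as a gap in the rule set rather than as a silent failure.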
POLICY MANAGEMENT
» Policy Management
• Policies are living documents that must be managed.
• Security policies must have:
  • a responsible manager,
  • a schedule of reviews,
  • a method for making recommendations for reviews, and
  • a policy issuance and revision date.
• A responsible manager
  • Often called the policy administrator. This person does not need to be proficient in the relevant technology; a moderate technical background is enough.
• Schedule of reviews
  • Policies retain their effectiveness only if they are periodically reviewed for currency and accuracy.
  • A policy should be reviewed annually.
• Review procedures and practices
  • To facilitate policy review, the policy manager should have a mechanism by which people can make recommendations (e.g., via e-mail, office mail, or a drop box).
• Policy and revision date
  • The policy must contain its date of origin and the date(s) of any revision.
  • Sunset clause: indicates the expiration date of a policy.
• Automated policy management
  • Automation can streamline the repetitive steps of writing a policy, tracking the workflow of policy approvals, publishing the policy, and tracking when employees have read it.