Chapter 5: Cybersecurity Policy

Outline
• Introduction to Cybersecurity Policy
• Cybersecurity Policy definition
• Why Cybersecurity Policy?
• Methods of Improving Awareness of Security Policy
• Key elements of a policy
• Types of security policy
• Other categories of security policy

Cybersecurity Policy Objectives
• Upon completing this lecture, you will be able to:
– Explain the purpose of policies, standards, guidelines, and procedures
– Name policy types
– Define regulatory policies
– Define advisory policies
– Define informative policies
– Define baselines and guidelines for policies

Cybersecurity Policy
• Security is a multilayered process.
• After a risk assessment is completed, policies fall into place quickly.
• Security policy can be determined based on feedback from the risk assessment.
• The risk assessment should help drive policy creation on items such as these:
– Passwords
– Patch management
– Employee hiring and termination practices
– Backup practices and storage requirements
– Security awareness training
– Antivirus
– System setup and configuration

Cybersecurity Policy: CISSP definition
• The term cybersecurity policy has more than one meaning.
• Policy is senior management's directives to:
– create a computer security program,
– protect the corporation's assets,
– establish its goals, and
– assign responsibilities.
• The term policy is also used to refer to the specific security rules for particular systems.
• Additionally, policy may refer to specific managerial decisions, such as:
– setting an organization's e-mail privacy policy or
– fax security policy.

Cybersecurity Policy: Definition…
• The policy defines the corporation's high-level information security beliefs.
• In these terms, a policy can be described as a high-level statement of a company's security:
– beliefs,
– goals, and
– objectives,
– as well as the general means for their realization for a specified subject area.
• In general, policies are:
– brief,
– technical, and
– solution-independent documents.

Cybersecurity Policy: Definition…
• A security policy is a document that:
– defines the scope of security needed by the organization,
– discusses the assets that require protection, and
– states the extent to which security solutions should go to provide the necessary protection.
• The security policy is an overview or generalization of an organization's security needs.
• A security policy:
– defines the main security objectives,
– outlines and defines the security framework of the organization,
– identifies the major functional areas of data processing, and
– clarifies and defines all relevant terminology.

Why Cybersecurity Policy?
• To prevent cyber attacks against the country's critical information infrastructures
• To reduce national vulnerability to cyber attacks
• To minimize damage and recovery time from cyber attacks
• To create cyber resilience and a trusted digital economy
• …

Cybersecurity Policy…
• For security to be effective, it must start at the top of an organization.
• Senior management must make decisions on:
– what should be protected,
– how it should be protected, and
– to what extent it should be protected.
• These findings should be crafted into written documents.
• Before these documents are locked in as policies, they must be researched to verify that they will be compliant with all federal, state, and local laws.
• These documents should also clearly state:
– what is expected from employees and
– what the result of noncompliance will be.

Cybersecurity Policy…
• Policies are the top tier of formalized security documents.
• These high-level documents offer a general statement about:
– the organization's assets and
– what level of protection they should have.
• Well-written policies should spell out:
– who is responsible for security,
– what needs to be protected, and
– what is an acceptable level of risk.
Cybersecurity Policy…
• The security policy is also used to:
– assign responsibilities,
– define roles,
– specify audit requirements,
– outline enforcement processes,
– indicate compliance requirements, and
– define acceptable risk levels.
• This document is often used as proof that senior management has exercised due care in protecting the organization against intrusion, attack, and disaster.
• Security policies are compulsory.

Cybersecurity Policy…
• Cybersecurity policies:
– remain relevant for a substantial amount of time and
– are usually updated or revised only when a fundamental change to the organization's operations takes place.

Cybersecurity Policy…
• The security policy should clearly define:
– why security is important and
– what assets are valuable.
• It is a strategic plan for implementing security.
• The document discusses:
– the importance of security to every aspect of daily business operation and
– the importance of senior staff support for the implementation of security.

Cybersecurity Policy
• The policy should address:
– Prevention of misuse
– Detection (through regular checking)
– Investigation (through monitoring and audit)
– Procedures used to prevent security problems (unauthorised access)
– Staff responsibilities (to prevent misuse)
– Disciplinary procedures (for breaches of security)

Methods of Improving Awareness of Security Policy
• Introduction of training
• Staff access to guidance:
– Full staff meeting
– Training
– A leaflet distributed to all staff
– Policy posted on the intranet or bulletin board
– Posters displayed throughout the building
– Emails sent to all staff

Cybersecurity Policy
• Key elements of a policy include:
– Scope: all information, systems, facilities, programs, data networks, and all users of technology in the organization (both internal and external), without exception.
– Information classification: should provide content-specific definitions, rather than more generic "confidential" or "restricted" labels.
– Management goals for secure handling of information in each classification category.
– Placement of the policy in the context of other management directives and supplementary documents.

Cybersecurity Policy…
• Key elements of a policy include…
– References to supporting documents, including industry standards and guidelines.
– Specific instruction on organization-wide security mandates (e.g. no sharing of passwords).
– Specific designation of established roles and responsibilities.
– Consequences for non-compliance (e.g. up to and including dismissal or termination of contract).

Cybersecurity Policy…
• The Cybersecurity Policy serves several purposes.
• The main purpose is to inform company users:
– employees,
– contractors, and
– other authorized users
of their obligatory requirements for protecting the technology and information assets of the company.
• The Cybersecurity Policy:
– describes the technology and information assets that we must protect and
– identifies many of the threats to those assets.
• The Cybersecurity Policy also describes the user's responsibilities and privileges.
– What is considered acceptable use?
– What are the rules regarding Internet access?
– The policy answers these questions.

Cybersecurity Policy TARGET GROUPS
• Individuals that have access to systems, including end users.
• Individuals with information system, security, and/or risk management and oversight responsibilities
– e.g., chief information officers, senior information security officers, information system managers, information security managers
• Individuals with information system development responsibilities
– e.g., program managers, system designers and developers, information security engineers, systems integrators

Cybersecurity Policy TARGET GROUPS…
• Individuals with information security implementation and operational responsibilities
– e.g., mission/business owners, information system owners, common control providers, information owners, system administrators, information system security officers
• Individuals with information security assessment and monitoring responsibilities
– e.g., auditors, system evaluators, assessors, independent verifiers/validators, analysts, information system owners

Types of security policy
• Many organizations employ several types of security policies to define or outline their overall security strategy.
• An organizational security policy focuses on issues relevant to every aspect of an organization.
• An issue-specific security policy focuses on a specific:
– network service,
– department,
– function, or
– other aspect that is distinct from the organization as a whole.
• A system-specific security policy focuses on individual systems or types of systems, and:
– recommends approved hardware and software,
– outlines methods for locking down a system, and
– may even mandate a firewall or other specific security controls.

Cybersecurity Policy (CISSP)
• Organizations should have the following three different types of policy:
– Program policy,
– Issue-specific policy, and
– System-specific policy.
• Some organizations may refer to these types with other names, such as:
– directives,
– procedures, or
– plans.
Program Policy
• The program/master security policy can be thought of as a blueprint for the whole organization's security program.
– It is the strategic plan for implementing security in the organization.
• An organization's program policy should:
• Create and define a computer security program:
– The program policy should be clear as to which resources, including facilities, hardware, software, information, and personnel, the computer security program covers.

Program Policy…
• An organization's program policy should:
• Set organizational strategic directions:
– This may include defining the goals of the program.
– For instance, in an organization responsible for maintaining large mission-critical databases, the following might be specifically stressed:
• reduction in errors,
• data loss,
• data corruption, and
• recovery.

Program Policy…
• An organization's program policy should:
• Assign responsibilities:
– Responsibilities should be assigned to the computer security organization/department for direct program implementation, and
– other responsibilities should be assigned to related offices.
• Address compliance issues:
– Program policy typically addresses two compliance issues:
1. meeting the requirements to establish a program and the responsibilities assigned therein to various organizational components, and
2. the use of specified penalties and disciplinary actions.

Issue-Specific Policy
• An organization's issue-specific policies should:
• Address specific areas:
– Topics of current relevance and concern to the organization should be addressed.
– For example, a policy on how the organization will approach e-mail privacy or Internet connectivity.
• Be updated frequently:
– More frequent modification is required as changes in technology and related factors take place.
• Contain an issue statement:
– The organization's position statement, applicability, roles and responsibilities, compliance, and point of contact should be clear.
Issue-Specific Policy…
• Examples of issue-specific policies:
– Change management policy
– Physical security policy
– Email policy
– Encryption policy
– Vulnerability management policy
– Media disposal policy
– Data retention policy
– Acceptable use policy
– Access control policy

System-Specific Policy
• A system-specific policy is concerned with a specific or individual computer system.
– It is meant to present the approved software, hardware, and hardening method for that specific system.
• An organization's system-specific policies should:
• Focus on decisions:
– The decisions taken by management to protect a particular system should be explicitly stated.
– Example: defining the extent to which individuals will be held accountable for their actions on the system.
• Be made by a management official:
– The decisions management makes should be based on a technical analysis.

System-Specific Policy…
• An organization's system-specific policies should:
• Vary from system to system:
– Variances will occur because each system needs defined security objectives based on:
• the system's operational requirements,
• its environment, and
• the manager's acceptance of risk.
– In addition, policies will vary based on differing needs for detail.
• Be expressed as rules:
– who (by job category, organization placement, or name) can do
– what (e.g., modify, delete)
– to which specific classes and records of data, and
– under what conditions.

All Policies
• All three types of policy should be:
• Supplemented:
– Because policy may be written at a broad/high level,
– organizations also develop standards, guidelines, and procedures that offer users, managers, and others a clear approach to implementing policy and meeting organizational goals.
• Visible:
– Visibility aids implementation of policy by helping to ensure the policy is fully communicated throughout the organization.
• Supported by management:
– Without management support, the policy will become an empty token of management's "commitment" to security.
• Consistent:
– Other directives, laws, organizational culture, guidelines, procedures, and the organizational mission should be considered.

Cybersecurity Policy…
• Policies are much like a strategic plan:
– they outline what should be done
– but do not specifically dictate how to accomplish the stated goals.
• Those decisions are left for standards, baselines, and procedures.
• Security policies can be written to meet:
– advisory,
– informative, and
– regulatory needs.
• Each has a unique role or function.

Other categories of security policy
• There are also three overall categories of security policies:
– regulatory,
– advisory, and
– informative.

Regulatory Policy
• A regulatory policy is required whenever industry or legal standards are applicable to your organization.
• This policy:
– discusses the regulations that must be followed and
– outlines the procedures that should be used to bring about compliance.
• These policies are used to make sure that the organization complies with local, state, and federal laws.
• An example regulatory policy might state:
– Because of recent changes to Federal Government law, The Company will now keep records of employee inventions and patents for 10 years;
– all email messages and any backup of such email associated with patents and inventions will be stored for one year.

Advisory Policy
• Advisory policies are those policies that define a required behavior with authorizations.

Advisory Policy…
• An advisory policy:
– discusses behaviors and activities that are acceptable and
– defines the consequences of violations.
• It explains senior management's desires for security and compliance within an organization.
• The job of an advisory policy is to ensure that all employees know the consequences of certain behavior and actions.
• Most policies are advisory.
Advisory Policy…
• Here is an example advisory policy:
– Illegal copying: Employees should never download or install any commercial software, shareware, or freeware onto any network drives or disks unless they have written permission from the network administrator.
– Be prepared to be held accountable for your actions, including the loss of network privileges or employment termination if the Rules of Appropriate Use are violated.

Informative Policy
• Informative policies are those which are not enforceable, but can be regulated.

Informative Policy…
• An informative policy is designed to provide information or knowledge about a specific subject, such as:
– company goals,
– mission statements, or
– how the organization interacts with partners and customers.
• An informative policy provides:
– support,
– research, or
– background information relevant to the specific elements of the overall policy.
• It is developed for education.
• Its goal is to inform and educate employees.

Security Policies and Individuals
• A security policy:
– does not define who is to do what, but rather
– defines what must be done by the various roles within the security infrastructure.
• These defined security roles are then assigned to individuals as:
– a job description or
– an assigned work task.

Acceptable Use Policy
• An acceptable use policy is one that exists as part of the overall security documentation infrastructure.
• The acceptable use policy is specifically designed to:
– assign security roles within the organization, as well as
– ensure the responsibilities tied to those roles.
• This policy defines:
– a level of acceptable performance and
– the expectation of behavior and activity.
• Failure to comply with the policy may result in:
– job action warnings,
– penalties, or
– termination.

Security Standards, Baselines, and Guidelines
• Once the main security policies are set, the remaining security documentation can be crafted under the guidance of those policies.
• Standards define compulsory requirements for the homogeneous use of:
– hardware,
– software,
– technology, and
– security controls.
• They provide a course of action by which technology and procedures are uniformly implemented throughout an organization.
• Standards are tactical documents that define steps or methods to accomplish the goals and overall direction defined by security policies.

Cybersecurity Standards…
• Standards are much more specific than policies.
• Standards are tactical documents because they lay out specific steps or processes required to meet a certain requirement.
• As an example, a standard might set a mandatory requirement that all email communication be encrypted.
• So although it does specify a certain standard, it does not spell out how it is to be done.
• That is left for the procedure.

Cybersecurity Procedure
• Procedures are the lowest level in the organization's security documentation structure.
• While a security policy is a high-level document containing general directives,
• a procedure is a very detailed document that gives step-by-step instructions on how a specific task is done.

Cybersecurity Procedure…
• A procedure is the most specific of security documents.
• A procedure is a detailed, in-depth, step-by-step document that details exactly what is to be done.
• Procedures are tied to specific technologies and devices.
• As an example:
– your company has replaced its Checkpoint firewall with a Cisco PIX.
– Although the policies and standards dictating the firewall's role in your organization probably will not change,
– the procedure for configuration of the firewall will.

Cybersecurity Baseline
• A baseline specifies the minimum level of security required.
• All systems in the organization must comply with that minimum.
• To determine which systems meet the baseline and which do not, an evaluation must be done:
– on a regular basis, and
– when major changes are made.
• Such an evaluation could be done either:
– by the organization's security team or
– outsourced to a third-party consultant.

Cybersecurity Baseline…
• A baseline is a minimum level of security that a system, network, or device must adhere to.
• Baselines are usually mapped to industry standards.
• As an example, an organization might specify that all computer systems comply with a minimum Trusted Computer System Evaluation Criteria (TCSEC) C2 standard.

Cybersecurity Guidelines
• A guideline points to a statement in a policy or procedure by which to determine a course of action.
• Guidelines are practical instructions and recommendations targeting all levels of staff in the organization.
• These instructions are considered operational guides on how to apply and enforce the standards and baselines.
• Guidelines are flexible and not obligatory.
• A guideline is a recommendation or suggestion of how things should be done.
• It is meant to be flexible so it can be customized for individual situations.

Cybersecurity Guidelines…
• Guidelines are used to determine a recommended course of action.
• Guidelines could be instructions like these:
– When you receive an email from an untrusted or unknown sender, do not open any attachments in the mail.
– Use of USB flash memories, hard disks, and CD-ROMs is prohibited on the organization's computers.
– Do not attempt to disable or hinder the antivirus operation.
• Best practices state what other competent security professionals would have done in the same or similar situation.

Assembling all the pieces together
• The security policy dictates in general words that the organization must maintain a malware-free computer system environment.
• A standard states in strict words that every computer in the organization's network must have an antivirus installed and updated with the latest virus definitions.
• A baseline sets the threshold below which a computer will be considered insecure, and above which it will be considered secure.
• The baseline could be, for example:
– a computer fully patched,
– with antivirus installed,
– having virus definitions not older than 7 days from the latest published definitions from the vendors.

Cybersecurity Policy Structure (diagram): Policy, Standard, Baseline, Guideline, Procedure

Relationship among policies, standards, procedures, baselines, and guidelines (diagram)

Summary
• A security policy is a high-level document that dictates top management's security vision, objectives, scope, and responsibilities.
• A standard is a set of obligatory rules that support the security policy.
• A security baseline is the threshold that all systems in the organization must comply with.
• A guideline is a set of flexible recommendations and best practices.
• A procedure is a detailed, step-by-step document that illustrates how to perform a specific task.

Additional resource on Security Policy: CISM

Establish and Maintain Information Security Policies (CISM)
• The cornerstone of an effective information security architecture is a well-written policy statement.
• This is the source from which all other directives, standards, procedures, guidelines, and other supporting documents will spring.
• A policy performs two roles:
– internal and
– external.
• The internal portion tells employees what is expected of them and how their actions will be judged.
• The external portion tells the world how the enterprise is run.

Cybersecurity Policy (CISM)
• Security and privacy policies and procedures must have three elements to be effective.
• They must be documented, communicated, and current.
• There are three types of policies, and you will use each type at different times in your information security program and throughout the organization to support the business process or mission.
• The three types of policies are:
– Global (Tier 1)
– Topic-specific (Tier 2)
– Application-specific policies (Tier 3)

Cybersecurity Policy…
• Global (Tier 1): These are used to create the organization's overall vision and direction.
• Topic-specific (Tier 2): These address particular subjects of concern.
• Application-specific policies (Tier 3): These focus on decisions taken by management to control particular applications
– (financial reporting, payroll, etc.) or
– systems (e.g. a budgeting system).

Global (Tier 1) Policy
• An information security policy will define the intent of management and its sponsoring body with regard to protecting the information assets of the organization.
• Senior management is responsible for:
– meeting business objectives or mission requirements, and
– issuing global policies to establish the organization's direction in protecting information assets.
• Senior management must:
– ensure that necessary resources are effectively applied, and
– incorporate the results of the risk analysis process into the decision-making process.

Global (Tier 1) Policy…
• The components of a global (Tier 1) policy typically include the following four characteristics:
– Topic
– Scope
– Responsibilities
– Compliance or Consequences

Global (Tier 1) Policy…
• Topic
– The topic portion of the policy defines what specifically the policy is going to address.
– It conveys two important elements:
• the topic (it should have something to do with the title of the policy) and
• the hook: why the reader should continue to read the policy.
– An opening topic sentence might read as follows: "Information created while employed by the company is the property of the company and must be properly protected."

Global (Tier 1) Policy…
• Scope
– The scope can be used to broaden or narrow either the topic or the audience.
– In an information security policy statement we could say, "Information is an asset and the property of the company and all employees are responsible for protecting that asset."
– In this sentence we have broadened the audience to include all employees.
– We can also say something like, "Business information is an essential asset of the company. This is true of all business information within the company regardless of how it is created, distributed, or stored and whether it is typed, handwritten, printed, filmed, computer-generated, or spoken."
– Here the writer broadened the topic to include all types of information assets.

Global (Tier 1) Policy…
• Responsibilities
– Typically, this section of the policy will identify who is responsible for what.
– When writing, it is better to identify the "who" by job title and not by name.
– Here again the Office Administrator's Reference Guide can be of great assistance.
– The policy will want to identify what is expected from each of the stakeholders.

Global (Tier 1) Policy…
• Compliance or Consequences
– When business units or employees are found to be in a noncompliant situation, the policy must spell out the consequences of these actions.
– For business units or departments, if they are found in noncompliance, they are generally subject to an audit item and will have to prepare a formal compliance response.
– For an employee, being found in noncompliance with a company policy will mean they are in violation of the organization's employee standards of conduct and will be subject to the consequences described in the employee discipline policy.

Topic-Specific Policy (Tier 2)
• Whereas the global policy (Tier 1) is intended to address broad organization-wide issues, the topic-specific policy is developed to focus on areas of current relevance and concern to the organization.
• Management may find it appropriate to issue a policy on:
– how an organization will approach Internet usage or
– the use of the company-provided e-mail system.
• The global policy (Tier 1) is usually broad enough that it does not require modification over time, whereas the topic-specific (Tier 2) policies are likely to require more frequent revisions as changes in technology and other factors dictate.

Topic-Specific Policy (Tier 2)…
• Topic-specific policies will be created most often by an organization.
• Whereas the Tier 1 policies are approved by the Information Security Steering Committee, the topic-specific (Tier 2) policies may be issued by a single senior manager or director.
• A Tier 2 policy includes:
• Thesis statement:
– This is similar to the topic section discussed in the Tier 1 policies, but it also adds more information to support the goals and objectives of the policy and management's directives.
– Example: a definition of "company-approved" software, contrasted with "any software not approved, purchased, screened, managed, and owned by the organization."

Topic-Specific Policy (Tier 2)…
• Relevance
– The Tier 2 policy also needs to establish to whom the policy applies.
– The policy will want to clarify where, how, and when the policy is applicable.
– Example: Is the policy only enforced when employees are on the work-site campus, or will it extend to off-site activities?
• Responsibilities
– The assignment of roles and responsibilities is also included in Tier 2 policies.
– For example, the policy on company-approved software will have to identify the process to get software approved. This would include the authority (by job title) authorized to grant approval and a reference to where this process is documented.

Topic-Specific Policy (Tier 2)…
• Compliance
– For a Tier 2 policy, it may be appropriate to describe, in some detail, the infractions that are unacceptable and the consequences of such behavior.
• Supplementary Information
– For any Tier 2 policy, the appropriate individuals in the organization to contact for additional information, guidance, and compliance should be indicated.

CISM (diagram)

Application-Specific Policy (Tier 3)…
• Global-level (Tier 1) and topic-specific (Tier 2) policies address policy on a broad level.
• They usually encompass the entire enterprise.
• The application-specific (Tier 3) policy focuses on one specific system or application.
• The final element will be the translation of Tier 1 and Tier 2 policies down to the application and system level.
• Many security issue decisions apply only at the application or system level.
• Some examples of these issues include:
– Who has the authority to read or modify data?
– Under what circumstances can data be read or modified?
– How is remote access to be controlled?

Application-Specific Policy (Tier 3)…
• As you prepare to create Tier 3 policies, keep in mind the following concepts:
– Understand the overall business objectives or mission of the enterprise.
– Understand the mission of the application or system.
– Establish requirements that support both sets of objectives.

Policy Components (CISM) (diagram)

Development of Procedures and Guidelines That Support the Information Security Policy
• Procedure writing is different from policy writing in that it is not useful to have teams develop the procedures.
– Procedures will not have to be approved by a management team.
– So the process is quicker, but will require some work.

Procedure writing process (diagram)
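Worked example (added here; not part of the lecture slides). The baseline on the "Assembling all the pieces together" slide is concrete enough to check mechanically: fully patched, antivirus installed, definitions no more than 7 days behind the vendor's latest release. The Python below encodes that baseline and runs the periodic evaluation the "Cybersecurity Baseline" slides call for over a constructed host inventory; the host record fields, host names and dates are assumptions invented for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Threshold from the lecture's example baseline: virus definitions may be at
# most 7 days behind the vendor's latest published definitions.
MAX_DEFINITION_AGE_DAYS = 7


@dataclass
class Host:
    """One inventory record (constructed data; the fields are assumptions)."""
    name: str
    missing_patches: int              # applicable patches not yet installed
    antivirus_installed: bool
    definition_date: Optional[date]   # None: no definitions found / unknown


@dataclass
class Finding:
    host: str
    compliant: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_host(host: Host, vendor_latest: date) -> Finding:
    """Check one host against the three baseline controls.

    Every failed control is recorded, so the report lists all gaps on a host
    instead of stopping at the first one.
    """
    reasons: List[str] = []
    if host.missing_patches > 0:
        reasons.append(f"{host.missing_patches} patch(es) missing")
    if not host.antivirus_installed:
        # The standard (antivirus installed) is violated outright; definition
        # age is moot without an engine to use it.
        reasons.append("antivirus not installed")
    elif host.definition_date is None:
        # Unknown data never counts as compliant: fail closed.
        reasons.append("antivirus definition date unknown")
    else:
        # Age is measured against the vendor's latest release, not today's
        # date, so a host is not penalised when the vendor published nothing.
        age = max(0, (vendor_latest - host.definition_date).days)
        if age > MAX_DEFINITION_AGE_DAYS:
            reasons.append(
                f"definitions {age} days behind vendor (max {MAX_DEFINITION_AGE_DAYS})"
            )
    return Finding(host.name, compliant=not reasons, reasons=reasons)


def evaluate_fleet(hosts: List[Host], vendor_latest: date) -> Dict[str, Finding]:
    """The regular evaluation the lecture calls for, over the whole inventory."""
    return {h.name: evaluate_host(h, vendor_latest) for h in hosts}


def summarize(findings: Dict[str, Finding]) -> Dict[str, object]:
    """Counts for the compliance report: hosts above and below the baseline."""
    below = sorted(name for name, f in findings.items() if not f.compliant)
    return {
        "total": len(findings),
        "compliant": len(findings) - len(below),
        "non_compliant": below,
    }


# Constructed sample data: a vendor release date and four hosts.
VENDOR_LATEST = date(2024, 3, 15)
SAMPLE_HOSTS = [
    Host("ws-01", 0, True, VENDOR_LATEST - timedelta(days=2)),    # meets baseline
    Host("ws-02", 3, True, VENDOR_LATEST - timedelta(days=1)),    # unpatched
    Host("srv-03", 0, True, VENDOR_LATEST - timedelta(days=10)),  # stale definitions
    Host("lab-04", 0, False, None),                               # no antivirus at all
]


def run_example() -> Dict[str, Finding]:
    return evaluate_fleet(SAMPLE_HOSTS, VENDOR_LATEST)


if __name__ == "__main__":
    results = run_example()
    for f in results.values():
        status = "above baseline" if f.compliant else "BELOW baseline"
        print(f"{f.host:8} {status:15} {'; '.join(f.reasons)}")
    print(summarize(results))
```

A host whose definitions are exactly 7 days old still passes, matching the slide's "not older than 7 days"; a host with no antivirus fails the standard itself, so its definition age is not evaluated.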