Essential strategies for policy development

By Charles Cresson Wood, CISA, CISSP
Independent Information Security Consultant
InfoSecurity Infrastructure, Inc.
Sausalito, California USA
www.infosecurityinfrastructure.com
+415-289-0800
© Copyright, All Rights Reserved 2004
InfoSecurity Infrastructure, Inc.
Policies are now front page news

Misunderstandings about document destruction policy were a critical part of Andersen's downfall with Enron.
Conscientious employee shreds documents at Cooper Tire (documents about tread separation) and causes stock to plunge 25%.
Mistaken placement of e-mail addresses in "to" field rather than "bcc" field violated privacy policy of Eli Lilly, garnered bad press and triggered FTC investigation (Prozac users).

What do we mean by “policies”?

Management instructions (a.k.a. directives)
Formal ways to say "this is how we do it here"
Tech talk: generalized requirements statements
Not systems settings for firewalls & other system components
More general than procedures & standards
Unlike guidelines, policies are mandatory
Unlike architectures, policies are product and vendor independent

Typical parts of policy document

Written endorsement of Chief Executive Officer
Discussion of new and critical role of information
Review security risks in high-level way
Overview of those responsible & contact points
Instructions about what to do & what not to do (vast majority of document)
Cross references to more specific documents (intranet recommended)

Policies at top of document pyramid

Information Security Department issues requirements
Group does not have resources to handle all implementations
Generating templates that can be replicated by members of team (factory analogy)
Templates that can be enforced & audited
Templates that engender process of continuous refinement
Integration across policies, standards, procedures, architectures, contingency plans, etc.

Policies as logical expression of business rules (1)

Consistency reduces loss and costs
Programmed attacks require programmed defensive maneuvers
Allows automation of processes that could not previously be automated
P3P (Privacy Preferences Criteria) negotiates policies between untrusting Web parties

Policies as logical expression of business rules (2)

SAML (Security Assertions Markup Language) establishes XML framework for secure sign-on across multiple Web-based applications from different organizations.
Firewalls from various vendors automatically respond to attacks by taking immediate action.
Policy clarification and specification required before sophisticated controls are established.

Policies considered part of Standard of Due Care

Required by laws such as SOX, HIPAA and GLB
Required by regulations such as those from OMB
Required by case law such as University of CA San Diego and False Claims Act
Required by management standards such as ISO 17799
Required by business partners for proprietary information exchange
Required by customers for personal information disclosure

Not sufficient to simply adopt Standard of Due Care controls

Distinguish between legal requirements to meet the SODC and unique additional requirements.
Unique additional requirements cannot be discovered through purchased products/services, nor through compliance with external requirements.
Unique additional requirements are still required if there is significant and clear need, and they are cost-effective.
Case law behind the Hooper Doctrine

Rushing to handle information security (1)

Management too often believes security can be handled completely via purchased products & services.
Management cannot delegate responsibility for determining (a) which risks to accept, (b) which to transfer to others and (c) which to mitigate through additional controls.
Information is critical organizational asset; management has fiduciary duty to protect and preserve it.

Rushing to handle information security (2)

Management must take the time to consider unique circumstances and appropriate responses.
Risk management process not yet clearly defined in many organizations.

Need for broader scope risk assessment (1)

Running vulnerability identification & compliance checking software, or even doing penetration attacks, is not enough.
Examine all the places where critical, valuable and sensitive information is stored, moved and processed.
Ground information security activities in actual business needs (such as protect intellectual property).

Need for broader scope risk assessment (2)

Examine management issues such as organizational design, systems development process, system privilege request/approval process and loss history record keeping.
Examine training & awareness issues like telecommuting, social engineering and use of personal machines for organizational business.
Examine technical issues such as integration of security systems such as through network management system.

Reasons to perform a risk assessment (1)

Prioritize risks so that important matters are sure to be addressed (use for budgeting and action plan preparation).
Set ballpark value of information and systems at risk.
Identify management processes that are lacking or broken.
Get an independent perspective to determine whether internal information security efforts are effective.
Determine whether security has improved over time and whether it needs more resources.

Reasons to perform a risk assessment (2)

Confront overly optimistic management with reality.
Put management on notice and compel corrective action.
Discharge management's responsibility to protect assets.
Generate due diligence evidence to defend against lawsuits.
Show compliance with relevant laws & regulations, and perhaps contractual stipulations.

Reasons to perform a risk assessment (3)

Obtain private status report, without publicity or damage to reputation.
Gather information that allows control enhancements to be justified.
Correct vulnerabilities and problems before losses take place.
Obtain special insurance coverage and perhaps premium rating.
Indirectly sell need for information security to management.

How risk assessment empowers policy writing (1)

Establishes reference point along spectrum of possible policies.
Example - personal use of organizational computing resources
Example - type of extended user authentication for remote access
Example - number of levels found in data classification system
Example - when to automatically declassify highly sensitive information

How risk assessment empowers policy writing (2)

Accurately identifies unique attributes of issuing organization.
Example - technology employed like Web-based purchasing exchange
Example - organizational culture including information sharing views
Example - reliance on end-user independent decision-making
Example - centralization/decentralization regarding systems management

Vision of integrated automated policy environment (1)

Centralized dashboards indicate current status of information security.
Vulnerability identification and auditing systems check compliance.
Management tools facilitate real-time risk assessment.
Alerting tools like IDS trigger automated response chains.
Response chains include automated patch management, fix testing, fix reporting.
Response chains include automatic report preparation and forensic analysis.

Vision of integrated automated policy environment (2)

Events trigger security changes, like termination reflected in HR database deletes system privileges.
Security systems from various vendors tied together to reflect internal policy requirements.
Centralized dashboards allow management to change policies on-the-fly and have these translated automatically into deployed controls.

Vision of integrated automated policy environment (3)

Example - increase characters required in fixed passwords done centrally once, then configurations changed automatically on multiple platforms and machines
Flexibility and malleability to respond rapidly to changing technological and business requirements.
Consistency and integration across the board where management requirements are automatically translated into system configurations and business rules.

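The password-length case on this slide, worked through as an added example that is not part of the presentation: the requirement is stated once at the policy layer, rendered into per-platform settings, and the deployed Linux configurations are audited for drift the way the compliance-checking tools on the earlier slide would. The pwquality.conf path and the net accounts command are real; the policy value, host names and file contents are constructed.

```python
import re

# Central management requirement, stated once (the policy layer).
# Constructed value for this example.
POLICY = {"min_password_length": 12}

def render_settings(policy):
    """Translate the policy into settings for each managed platform."""
    n = policy["min_password_length"]
    if not 8 <= n <= 64:
        raise ValueError("min_password_length outside supported range")
    return {
        # Linux: pam_pwquality reads /etc/security/pwquality.conf
        "linux_pwquality_conf": f"minlen = {n}",
        # Windows: local account policy set with net accounts
        "windows_command": f"net accounts /minpwlen:{n}",
    }

def check_pwquality(conf_text, policy):
    """Audit one pwquality.conf body; returns (compliant, reason)."""
    required = policy["min_password_length"]
    # Only active (uncommented) minlen lines count; the last one wins.
    found = re.findall(r"^\s*minlen\s*=\s*(\d+)", conf_text, re.M)
    if not found:
        return False, "minlen not set, pwquality default of 8 applies"
    actual = int(found[-1])
    if actual < required:
        return False, f"minlen {actual} below policy minimum {required}"
    return True, f"minlen {actual} meets policy minimum {required}"

def audit_fleet(configs, policy):
    """Dashboard view: map each host name to its compliance verdict."""
    return {host: check_pwquality(text, policy) for host, text in configs.items()}

# Constructed sample pwquality.conf contents collected from three hosts.
SAMPLE_CONFIGS = {
    "web01": "# minlen = 16 (commented out, inactive)\nminlen = 10\n",
    "db01": "dcredit = -1\nminlen = 14\n",
    "jump01": "ucredit = -1\n",
}

if __name__ == "__main__":
    for platform, setting in render_settings(POLICY).items():
        print(platform, "->", setting)
    for host, (ok, why) in audit_fleet(SAMPLE_CONFIGS, POLICY).items():
        print(host, "COMPLIANT" if ok else "DRIFT", why)
```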
Questions?
Thank you

Thank you for participating in this webcast. For more information on developing policies, visit our Featured Topic at the link below. A copy of this presentation with and without audio will be available via our Featured Topic within the next 24 hours.
searchsecurity.com/FeaturedTopic/policies