Key To Personal Information Security

advertisement
Lesson Eight
Security Management
Copyright © Center for Systems Security and Information Assurance
Lesson Objectives
• Define security management
• Explain in basic terms the function of an
organization’s security policy
• List the reasons an organization would
implement a security policy
• Define security standards and explain the
different types of standards
• Explain the role of standards organizations.
• Match the standards organization with its
role in the Information Security field
Copyright © Center for Systems Security and Information Assurance
Introduction
Security management entails the identification of
an organization’s information assets and the
development, documentation, and implementation
of policies, standards, procedures and guidelines
that ensure confidentiality, integrity, and
availability.
Copyright © Center for Systems Security and Information Assurance
Organization Policies
A policy may be defined as 'An agreed approach
in theoretical form, which has been agreed to
and/or ratified by, a governing body, and which
defines direction and degrees of freedom for
action.'
Copyright © Center for Systems Security and Information Assurance
What is a Security Policy?
• Informs users and staff
members of the need and the
responsibility to protect the
organization’s technology and
critical information.
• Defines “acceptable use”
(based upon the acceptable
risk) of all electronic media
within an organization.
Copyright © Center for Systems Security and Information Assurance
Security Policies
• Rules and practices an organization uses for its
information resources:
management
protection
allocation
• Policies and procedures provide a baseline to:
security plans
contingency plans
procurement plans
Copyright © Center for Systems Security and Information Assurance
Why a Security Policy?
1. Describes in detail acceptable network activity
and penalties for misuse
2. Provides a forum for identifying and clarifying
security goals, priorities and objectives to the
organization and its members.
3. Illustrates to each employee how they are
responsible for helping to maintain a secure
environment.
4. Defines responsibilities and the scope of
information security in an organization.
5. Provides a legal instrument in the case of
litigation
Copyright © Center for Systems Security and Information Assurance
Why a Security Policy?
6. Provides a good foundation for conducting
security audits
7. Establishes a critical asset identifying potential
vulnerabilities
8. Provides a reference for incident response
handling
9. Communicates organization culture, core
values, and ethics
10. Establishes acceptance and conformity
Copyright © Center for Systems Security and Information Assurance
Management Support
• Without management supporting security
policies, they might as well be non-existent
• Security policies and security in general start off
at the bottom of the typical executive’s priority
list
• A serious security incident or an exceptional
sales pitch by the information security
professionals help to gain the support of
management
Copyright © Center for Systems Security and Information Assurance
Types of Security Policies
•
•
•
•
•
•
•
Acceptable Encryption Policy
Acceptable Use Policy
Analog/ISDN Line Policy
Anti-Virus Policy
Application Service Provider Policy
Application Service Provider Standards
Acquisition Assessment Policy
Copyright © Center for Systems Security and Information Assurance
Types of Security Policies
•
•
•
•
•
•
Audit Vulnerability Scanning Policy
Automatically Forwarded Email Policy
Database Credentials Coding Policy
Dial-in Access Policy
DMZ Lab Security Policy
E-mail Policy
Copyright © Center for Systems Security and Information Assurance
Helpful Security Policy Links
!!!!Read the following documents!!!
• http://www.sans.org/resources/policies/
Policy_Primer.pdf
• http://www.sans.org/resources/policies/#template
• http://www.dir.state.tx.us/security/policies/
templates.htm
Copyright © Center for Systems Security and Information Assurance
Security Standards
• Specify uniform use of specific technologies,
parameters, or procedures.
• Specify a uniform use of specific technologies,
parameters or processes to be used to secure
systems.
• Contain mandatory statements which can be
measured.
Copyright © Center for Systems Security and Information Assurance
Security Standards Example
The Privacy HIPAA Standards requires that "a
covered entity must have in place appropriate
administrative, technical, and physical
safeguards to protect the privacy of protected
health information" (CMS, "HIPAA
Administrative Simplification - Privacy",
Section 164.530 (c)(1)
Copyright © Center for Systems Security and Information Assurance
Types of Security Standards
• Open versus Proprietary
• Dejure (by law) versus Defacto
Copyright © Center for Systems Security and Information Assurance
Security Standards Evolve
Copyright © Center for Systems Security and Information Assurance
Security Standards Organizations
• Government statues (federal, state and
local)
• Standards organizations (NIST, ISO, IEEE)
• Industry requirements (HIPAA, GLB,
TIA/EIA)
• Manufacture requirements (Cisco,
Microsoft)
• Internal requirements
Copyright © Center for Systems Security and Information Assurance
ISO 17799 Description
• Most widely recognized security standard—the
first version was published in December 2000
• Comprehensive in its coverage of security
issues
• Contains a substantial number of control
requirements
• Compliance and certification for even for the
most security conscious of organizations can be
daunting
Copyright © Center for Systems Security and Information Assurance
Government Cryptography Standards
Copyright © Center for Systems Security and Information Assurance
Example
• Government Standards: Incident Reporting
Computer Security Incident Handling Guide NIST Special
Publication 800-61, from National Institute of Standards
and Technology, Technology Administration, U.S.
Department of Commerce.
• A 148-page report describing guidelines for responding to
denial-of-service attacks; malicious code, including
viruses, worms and Trojan horses; unauthorized access;
inappropriate use by authorized users, and incidents
incorporating various types of security breaches.
http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
Copyright © Center for Systems Security and Information Assurance
Security Guidelines
• Address intentions and allow for interpretation
• Recommendations or best practices
• Similar to STANDARDS (not mandated
actions)
• Assist users, administrators and others in
effectively interpreting and implementing the
security policy
• Data Security and Classification Guidelines
http://www.umassp.edu/policy/data/itcdatasec
.html
Copyright © Center for Systems Security and Information Assurance
Security Procedures
• The operational processes required to implement
institutional security policy
• Operating practices can be formal or informal,
specific to a department or applicable across the
entire institution
• Detailed steps or instructions to be followed by
users, system administrators, and others to
accomplish a particular security-related task
• Assist in complying with security policy, standards
and guidelines
• http://wwwoirm.nih.gov/security/sec_policy.html
Copyright © Center for Systems Security and Information Assurance
More Examples
• Policy - All State of Illinois employee email
mailboxes must be protected by a
username/password
• Standard - The username must follow existing
standards and the password must be 8
characters long and have an alpha/numeric
combination
• Procedure – Setting the administrative
properties of the mailbox to require a username
and password be set. Auditing the passwords for
appropriate password complexity
Copyright © Center for Systems Security and Information Assurance
Plan, DO, Check, Act
Copyright © Center for Systems Security and Information Assurance
Hyperlinks to Federal Laws
• Federal Computer Intrusion Laws
• National Information Infrastructure
Protection Act of 1995
• Fraud and Related Activity in Connection
with Computers
• The Digital Millennium Copyright Act
• Software Piracy and the Law
• The Computer Fraud and Abuse Act of 1986
Copyright © Center for Systems Security and Information Assurance
Hyperlinks to Federal Laws
•
•
•
•
Electronic Communications Privacy Act
Privacy Act of 1974
Communications Act of 1934
Family Educational Rights and Privacy Act of
1974
• CAN-SPAM Act of 2003
• United States Copyright Office
Copyright © Center for Systems Security and Information Assurance
Download