Session 3 – Information Security Policies 1 General - background • How to establish security requirements – Risk assessments – Legal, statutory requirements – Business requirements for Information processing • Select controls from a standard • Controls to be considered to be common practice – Information security policy – Allocation of responsibilities – Awareness and training – Technical vulnerability management – Incident reporting 2 Critical Success factors for addressing InfoSec in organisations • • • • • • • • Info sec policy, objectives Architectural approach Management commitment / support Understand info sec requirements Budget for info sec Awareness and training Effective incident reporting system Measurement system 3 12 Key control areas Risk assessment and treatment Information Security policy Organization / management of Info Sec Assets classification and control (management) Human resources security Physical and environmental security Communications and operations management Access control Information Systems acquisition, development and maintenance Information Security Incident Management Business Continuity Management Compliance 4 5. Security policy INFORMATION SECURITY POLICY Objective: To provide management direction and support for information security. Information Security Policy Document Control …should state mngt commitment Implementation guidance….definition Other information: ….distribution Review of the Information Security Policy 5 Security policy Information security policy d) a brief explanation of the security policies, principles, standards and compliance requirements of particular importance to the organization, for example: 1) compliance with legislative and contractual requirements; 2) security education requirements; 3) prevention and detection of viruses and other malicious software; 4) business continuity management; 5) consequences of security policy violations; e) a definition of general and specific responsibilities for information security management, including reporting security incidents; 6 Security policy Information security policy f) references to documentation which may support the policy, e.g. more detailed security policies and procedures for specific information systems or security rules users should comply with. This policy should be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader. 7 Organization Information Security INTERNAL ORGANIZATION Objective: To manage information security within the organization • establish management framework • management with leadership to – approve the information security policy, – assign security roles – co-ordinate implementation of security • Establish a source of specialist information security advice if needed • need multi-disciplinary approach to information security 8 Organization Information Security INTERNAL ORGANIZATION Management commitment to information security Information security co-ordination. Allocation of information security responsibilities Authorization process for information processing facilities Confidentiality agreements Contact with authorities Contact with special interest groups Independent review of information security...... EXTERNAL PARTIES Identification of risks related to external parties Addressing security when dealing with customers Addressing security in third party agreements 9 Asset Management RESPONSIBILITY FOR ASSETS Objective: To achieve and maintain appropriate protection of organizational assets.-> be accounted for, have owner • assign responsibility for maintenance of appropriate controls • may delegate responsibility for implementing controls • Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned. Inventory of assets Ownership of assets Acceptable use of assets 10 Asset Management INFORMATION CLASSIFICATION Objective: To ensure that information receives an appropriate level of protection. • Classify information to indicate – need, – priorities – degree of protection • varying degrees of sensitivity, criticality • define appropriate set of protection levels, communicate need for special handing measures. Classification guidelines Information labelling and handling 11 Human Resources Security PRIOR TO EMPLOYMENT Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities. • Address security responsibilities at the requirement stage, include in contracts, monitored during employment • screen potential recruits adequately (sensitive jobs) • All to sign confidentiality agreement. Roles and responsibilities Screening Terms and conditions of employment 12 Human Resources Security DURING EMPLOYMENT Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error. An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided… Management responsibilities Information security awareness, education, and training Disciplinary process 13 Human Resources Security TERMINATION OR CHANGE OF EMPLOYMENT Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner. Change of responsibilities and employments within an organization should be managed . Termination responsibilities Return of assets Removal of access rights 14 Physical and environmental security SECURE AREAS Objective: To prevent unauthorized access, damage and interference to business premises and information. • house critical/sensitive business information processing facilities in secure areas, • physically protected from unauthorized access or damage or interference. • The protection should be commensurate with the identified risks. • clear desk and clear screen policy 15 Physical and environmental security EQUIPMENT SECURITY Objective: To prevent loss, damage or compromise of assets and interruption to business activities. • Protect equipment physically from security threats and environmental hazards. • to reduce risk of unauthorized access to data, to protect against loss or damage. • also consider equipment siting and disposal • Special controls to safeguard e.g. electrical supply 16 Communications and operations management OPERATIONAL PROCEDURES AND RESPONSIBILITIES Objective: To ensure the correct and secure operation of information processing facilities. • Establish responsibilities and procedures for management and operation of all information processing facilities. • development of operating instructions and incident response procedures • Implement segregation of duties to reduce risk of negligent or deliberate system misuse 17 Communications and operations management Operational Procedures and Responsibilities Third Party Service Delivery Management System Planning and Acceptance Protection Against Malicious and Mobile Code Back-Up Network Security Management Media Handling Exchange of Information Electronic Commerce Services Monitoring 18 Access control BUSINESS REQUIREMENTS FOR ACCESS CONTROL Objective: To control access to information. • Control access to information, and business processes on basis of business and security requirements. • take account of policies for information dissemination and authorization. 19 Access control USER ACCESS MANAGEMENT Objective: To prevent unauthorized access to information systems. • Need formal procedures to control allocation of access rights to information systems and services. • initial registration of new users to final deregistration of users who no longer require access • control allocation of privileged access rights 20 Access control USER RESPONSIBILITIES Objective: To prevent unauthorized user access. • co-operation of authorized users is essential for effective security. • make users aware of responsibilities e.g. passwords use and security of user equipment. 21 Access control NETWORK ACCESS CONTROL Objective: Protection of networked services. • Control access to internal and external networked services • to ensure that network users do not compromise the security of network services have: – appropriate interfaces – appropriate authentication mechanisms – control of user access 22 Access control OPERATING SYSTEM ACCESS CONTROL APPLICATION AND INFORMATION ACCESS CONTROL MOBILE COMPUTING AND TELEWORKING 23 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE SECURITY REQUIREMENTS OF INFORMATION SYSTEMS Objective: To ensure that security is built into information systems. • includes infrastructure, business applications and user-developed applications. • Identify and justify all security requirements during requirements phase agree and document (before development) 24 INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES Objective: To maintain the security of application system software and information. • strictly control project and support environments. • Managers responsible for application systems also responsible for the security of the project or support environment. TECHNICAL VULNERABILITY MANAGEMENT 25 INFORMATION SECURITY INCIDENT MANAGEMENT REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES Reporting information security events Reporting security weaknesses MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS Responsibilities and procedures Learning from information security incidents Collection of evidence 26 Business continuity management INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters. • Business continuity management: to reduce disruption from disasters/security failures to acceptable level • Analyze consequences of disasters, security failures and loss of service. • Develop and implement contingency plans • Maintain and practice plans. 27 Compliance COMPLIANCE WITH LEGAL REQUIREMENTS Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements. • may be statutory, regulatory and contractual security requirements for design, operation, use and management of information systems. • Seek advice on specific legal requirements from the organization's legal advisers 28 Compliance COMPLIANCE WITH SECURITY POLICIES AND STANDARDS AND TECHNICAL COMPLIANCE Objective: To ensure compliance of systems with organizational security policies and standards. • Review security of information systems regularly. • Perform reviews against appropriate security policies and technical platforms • audit information systems for compliance with security implementation standards. 29 Compliance INFORMATION SYSTEMS AUDIT CONSIDERATIONS Objective: To maximize the effectiveness of and to minimize interference to/from the system audit process. • controls to safeguard operational systems and audit tools during system audits. • Protect integrity and prevent misuse of audit tools. 30