Session 3 – Information Security Policies

advertisement
Session 3 – Information Security
Policies
1
General - background
• How to establish security requirements
– Risk assessments
– Legal, statutory requirements
– Business requirements for Information processing
• Select controls from a standard
• Controls to be considered to be common
practice
– Information security policy
– Allocation of responsibilities
– Awareness and training
– Technical vulnerability management
– Incident reporting
2
Critical Success factors for
addressing InfoSec in organisations
•
•
•
•
•
•
•
•
Info sec policy, objectives
Architectural approach
Management commitment / support
Understand info sec requirements
Budget for info sec
Awareness and training
Effective incident reporting system
Measurement system
3
12 Key control areas
Risk assessment and treatment
Information Security policy
Organization / management of Info Sec
Assets classification and control (management)
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information Systems acquisition, development and
maintenance
Information Security Incident Management
Business Continuity Management
Compliance
4
5. Security policy
INFORMATION SECURITY POLICY
Objective: To provide management direction and
support for information security.
Information Security Policy Document
Control …should state mngt commitment
Implementation guidance….definition
Other information: ….distribution
Review of the Information Security Policy
5
Security policy
Information security policy
d) a brief explanation of the security policies, principles,
standards and compliance requirements of particular
importance to the organization, for example:
1) compliance with legislative and contractual requirements;
2) security education requirements;
3) prevention and detection of viruses and other malicious
software;
4) business continuity management;
5) consequences of security policy violations;
e) a definition of general and specific responsibilities for
information security management, including reporting
security incidents;
6
Security policy
Information security policy
f) references to documentation which may
support the policy, e.g. more detailed security
policies and procedures for specific
information systems or security rules users
should comply with.
This policy should be communicated
throughout the organization to users in a form
that is relevant, accessible and
understandable to the intended reader.
7
Organization Information Security
INTERNAL ORGANIZATION
Objective: To manage information security within the
organization
• establish management framework
• management with leadership to
– approve the information security policy,
– assign security roles
– co-ordinate implementation of security
• Establish a source of specialist information security
advice if needed
• need multi-disciplinary approach to information
security
8
Organization Information Security
INTERNAL ORGANIZATION
Management commitment to information security
Information security co-ordination.
Allocation of information security responsibilities
Authorization process for information processing facilities
Confidentiality agreements
Contact with authorities
Contact with special interest groups
Independent review of information security......
EXTERNAL PARTIES
Identification of risks related to external parties
Addressing security when dealing with customers
Addressing security in third party agreements
9
Asset Management
RESPONSIBILITY FOR ASSETS
Objective: To achieve and maintain appropriate protection of
organizational assets.-> be accounted for, have owner
• assign responsibility for maintenance of appropriate controls
• may delegate responsibility for implementing controls
• Owners should be identified for all assets and the responsibility
for the maintenance of appropriate controls should be
assigned.
Inventory of assets
Ownership of assets
Acceptable use of assets
10
Asset Management
INFORMATION CLASSIFICATION
Objective: To ensure that information receives an appropriate
level of protection.
• Classify information to indicate
– need,
– priorities
– degree of protection
• varying degrees of sensitivity, criticality
• define appropriate set of protection levels, communicate need
for special handing measures.
Classification guidelines
Information labelling and handling
11
Human Resources Security
PRIOR TO EMPLOYMENT
Objective: To ensure that employees, contractors and third party
users understand their responsibilities, and are suitable for the
roles they are considered for, and to reduce the risk of theft,
fraud or misuse of facilities.
• Address security responsibilities at the requirement stage,
include in contracts, monitored during employment
• screen potential recruits adequately (sensitive jobs)
• All to sign confidentiality agreement.
Roles and responsibilities
Screening
Terms and conditions of employment
12
Human Resources Security
DURING EMPLOYMENT
Objective: To ensure that employees, contractors and third party
users are aware of information security threats and concerns, their
responsibilities and liabilities, and are equipped to support
organizational security policy in the course of their normal work,
and to reduce the risk of human error.
An adequate level of awareness, education, and training in
security procedures and the correct use of information processing
facilities should be provided…
Management responsibilities
Information security awareness, education, and training
Disciplinary process
13
Human Resources Security
TERMINATION OR CHANGE OF EMPLOYMENT
Objective: To ensure that employees, contractors
and third party users exit an organization or change
employment in an orderly manner.
Change of responsibilities and employments within
an organization should be managed
.
Termination responsibilities
Return of assets
Removal of access rights
14
Physical and environmental security
SECURE AREAS
Objective: To prevent unauthorized access, damage
and interference to business premises and
information.
• house critical/sensitive business information
processing facilities in secure areas,
• physically protected from unauthorized access or
damage or interference.
• The protection should be commensurate with the
identified risks.
• clear desk and clear screen policy
15
Physical and environmental security
EQUIPMENT SECURITY
Objective: To prevent loss, damage or compromise
of assets and interruption to business activities.
• Protect equipment physically from security threats
and environmental hazards.
• to reduce risk of unauthorized access to data, to
protect against loss or damage.
• also consider equipment siting and disposal
• Special controls to safeguard e.g. electrical supply
16
Communications and operations
management
OPERATIONAL PROCEDURES AND
RESPONSIBILITIES
Objective: To ensure the correct and secure
operation of information processing facilities.
• Establish responsibilities and procedures for
management and operation of all information
processing facilities.
• development of operating instructions and incident
response procedures
• Implement segregation of duties to reduce risk of
negligent or deliberate system misuse
17
Communications and operations
management
Operational Procedures and Responsibilities
Third Party Service Delivery Management
System Planning and Acceptance
Protection Against Malicious and Mobile Code
Back-Up
Network Security Management
Media Handling
Exchange of Information
Electronic Commerce Services
Monitoring
18
Access control
BUSINESS REQUIREMENTS FOR ACCESS
CONTROL
Objective: To control access to information.
• Control access to information, and business
processes on basis of business and security
requirements.
• take account of policies for information
dissemination and authorization.
19
Access control
USER ACCESS MANAGEMENT
Objective: To prevent unauthorized access to
information systems.
• Need formal procedures to control allocation
of access rights to information systems and
services.
• initial registration of new users to final deregistration of users who no longer require
access
• control allocation of privileged access rights
20
Access control
USER RESPONSIBILITIES
Objective: To prevent unauthorized user
access.
• co-operation of authorized users is essential
for effective security.
• make users aware of responsibilities e.g.
passwords use and security of user
equipment.
21
Access control
NETWORK ACCESS CONTROL
Objective: Protection of networked services.
• Control access to internal and external
networked services
• to ensure that network users do not
compromise the security of network services
have:
– appropriate interfaces
– appropriate authentication mechanisms
– control of user access
22
Access control
OPERATING SYSTEM ACCESS CONTROL
APPLICATION AND INFORMATION ACCESS
CONTROL
MOBILE COMPUTING AND TELEWORKING
23
INFORMATION SYSTEMS ACQUISITION,
DEVELOPMENT AND MAINTENANCE
SECURITY REQUIREMENTS OF
INFORMATION SYSTEMS
Objective: To ensure that security is built into
information systems.
• includes infrastructure, business applications
and user-developed applications.
• Identify and justify all security requirements
during requirements phase agree and
document (before development)
24
INFORMATION SYSTEMS ACQUISITION,
DEVELOPMENT AND MAINTENANCE
SECURITY IN DEVELOPMENT AND SUPPORT
PROCESSES
Objective: To maintain the security of application
system software and information.
• strictly control project and support environments.
• Managers responsible for application systems also
responsible for the security of the project or support
environment.
TECHNICAL VULNERABILITY MANAGEMENT
25
INFORMATION SECURITY INCIDENT
MANAGEMENT
REPORTING INFORMATION SECURITY
EVENTS AND WEAKNESSES
Reporting information security events
Reporting security weaknesses
MANAGEMENT OF INFORMATION
SECURITY INCIDENTS AND
IMPROVEMENTS
Responsibilities and procedures
Learning from information security incidents
Collection of evidence
26
Business continuity management
INFORMATION SECURITY ASPECTS OF BUSINESS
CONTINUITY MANAGEMENT
Objective: To counteract interruptions to business
activities and to protect critical business processes
from the effects of major failures or disasters.
• Business continuity management: to reduce
disruption from disasters/security failures to
acceptable level
• Analyze consequences of disasters, security failures
and loss of service.
• Develop and implement contingency plans
• Maintain and practice plans.
27
Compliance
COMPLIANCE WITH LEGAL REQUIREMENTS
Objective: To avoid breaches of any criminal
and civil law, statutory, regulatory or
contractual obligations and of any security
requirements.
• may be statutory, regulatory and contractual
security requirements for design, operation,
use and management of information systems.
• Seek advice on specific legal requirements
from the organization's legal advisers
28
Compliance
COMPLIANCE WITH SECURITY POLICIES AND
STANDARDS AND TECHNICAL COMPLIANCE
Objective: To ensure compliance of systems with
organizational security policies and standards.
• Review security of information systems regularly.
• Perform reviews against appropriate security policies
and technical platforms
• audit information systems for compliance with
security implementation standards.
29
Compliance
INFORMATION SYSTEMS AUDIT
CONSIDERATIONS
Objective: To maximize the effectiveness of
and to minimize interference to/from the
system audit process.
• controls to safeguard operational systems
and audit tools during system audits.
• Protect integrity and prevent misuse of audit
tools.
30
Download