Information Systems Security Policies & ISO 17799
Maria Karyda, PhD
mka@aegean.gr
Laboratory of Information and Communication Systems Security
Department of Information and Communication Systems Engineering
University of the Aegean
Karlovassi, Samos, GR-83200, GREECE
Overview

 Information Systems Security Policies
   What is a Security Policy?
   Why do we need them?
   How can we design a Policy and what should we include?
   What makes a Security Policy effective?
 Information Security Management Standards
   How can the ISO 17799 assist us?
IPICS – Chios, July 2005
Information Systems Security Practices

 Information Systems Risk Management
   aims to reduce risk to acceptable levels
   by implementing risk analysis and management methods (e.g. OCTAVE, CRAMM, SBA)
   baseline security is also an option
 Information Systems Security Policy
   most common security management practice
   based on risk evaluation results
   based on standards and best practices
What is a Security Policy?

 High level statements describing the security goals, priorities and the management intention with regard to information systems security, as well as the ways to achieve these goals.
 Written in one or more documents.
Information Systems Security Policies

The security policy life cycle:
 Design
 Implement
 Publish
 Enforce
 Monitor compliance
 Evaluate
 Review
 Amend and update
Who is involved?

 Security experts: design, review and update the policy
 System / network administrators: implement security controls and guidelines
 Users: follow security procedures
 Management: set security goals, provide resources
 Auditors: monitor compliance
Related Concepts

(Diagram: Law and Regulations, Security Requirements and Best Practice are the inputs to the Information Systems Security Policy, which is put into practice through Security Procedures.)

 Law and Regulations: e.g. Data Protection, Intellectual Property Management
 Security Requirements: confidentiality, availability, privacy, integrity, non-repudiation
 Best practices and Security Standards: information systems security management standards
 Security procedures, countermeasures and guidelines
Why do we need a security policy? -1

 Provides a comprehensive framework for the selection and implementation of security measures
 Communication means among different stakeholders
 Management of resources
   people, skills, money, time
 Conveys the importance of security to all members of the organization
Why do we need a security policy? -2

 Helps create a “security culture”
   shared beliefs and values concerning security
 Legal obligation
 Helps promote “trust relationships” between the organization and its business partners / clients
Designing a Security Policy: security goals elicitation

 Risk evaluation
 Other sources of security requirements:
   management
   legal framework
   contractual obligations
   users and administrators
   business partners and clients
Designing a Security Policy: Issues to be addressed

 Goal and security targets
 Scope
 Assets covered by the Policy
   data, software, hardware, locations, processes etc.
 Roles and responsibilities
 Compliance monitoring
   incentives, penalties etc.
 Time
What kind of Security Policies are there?

 Computer-oriented Security Policies
   Information Security Policies that implement access control (Discretionary Access Control, Mandatory Access Control)
   applied to operating systems, networks, applications
 Human-oriented Security Policies
   scope: department, organization
   applied by IS users
Security Policies Structure -1

 Individual Security Policies
   per application or system (e.g. email policy)
   “use policies”
  + effective for isolated systems and autonomous applications
  - high complexity, fragmented IS security management
Security Policies Structure -2

 Comprehensive Security Policies
   one document addressing all applications, processes and systems
  - big volume, not easy to use
  - contain high level security guidelines
Security Policies Structure -3

 Modular Security Policies
   comprehensive document with multiple annexes containing specific (e.g. per application or system) policies
   can be in hypertext form
ISO/IEC 17799

 First Edition: 01-12-2000
 Prepared by the British Standards Institution (as BS 7799) and adopted by Joint Technical Committee ISO/IEC JTC 1, Information Technology, in parallel with its approval by national bodies of ISO and IEC.
 “Information technology — Code of practice for information security management”
 New Edition: June 2005
Security Policies Content -1 (based on ISO 17799-2000)

I. Organizational Security
 “Information security is a business responsibility shared by all members of the management team.”
 Information security infrastructure
   management should approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization
   co-operation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance
Security Policies Content -2 (based on ISO 17799)

II. Asset classification and control
 Asset accountability
   Accountability should remain with the owner of the asset. Responsibility for implementing controls may be delegated.
 Information classification
   Information should be classified to indicate the need, priorities and degree of protection, depending on varying degrees of sensitivity and criticality.
Security Policies Content -3 (based on ISO 17799)

III. Personnel security
 Security in job definition and resourcing
 User training
   Users should be trained in security procedures and the correct use of information processing facilities to minimize possible security risks.
 Responding to security incidents and malfunctions
   weaknesses, malfunctions
   learning from incidents
   disciplinary process
Examples*

 “The Terms and Conditions of Employment of the Organization are to include requirements for compliance with Information Security”
 “All staff must have previous employment and other references carefully checked”
 “All employees must comply with the Information Security Policy of the Organization. Any Information Security incidents resulting from non-compliance will result in immediate disciplinary action”

* RUSecure™ Information Security Policies
Examples*

 “The Organization is committed to providing regular and relevant Information Security awareness communications to all staff by various means, such as electronic updates, briefings, newsletters etc.”
 “Periodic training for the Information Security Officer is to be prioritized to educate and train in the latest threats and Information Security Techniques”
 “The Organization is committed to providing training to all users of new systems to ensure that their use is both efficient and does not compromise Information Security”

* RUSecure™ Information Security Policies
Security Policies Content -4 (based on ISO 17799)

IV. Physical and environmental security
 Secure areas
   security perimeter, entry controls
   protection provided should be commensurate with the identified risks
 Equipment security
 Safety
Examples*

 “A formal Hardware Inventory of all equipment is to be maintained and kept up-to-date at all times”
 “All information system hardware faults are to be reported promptly and recorded in a hardware fault register”

* RUSecure™ Information Security Policies
Security Policies Content -5 (based on ISO 17799)

V. Communications & operations management
 Operational procedures and responsibilities
   incident management procedures
   segregation of duties
   separation of development and operational facilities
 System planning and acceptance
   capacity planning, performance requirements, system acceptance
 Protection against malicious software
 Back ups, logging
 Network management
 Media handling
   tapes, disks, cassettes
 Information exchange between organizations
   policy on the use of e-mail or fax
   electronic commerce security
Examples*

 Policy statement on the use of fax:
  “Sensitive or confidential information may only be faxed where more secure methods of transmission are not feasible. Both the owner of the information and the intended recipient must authorize the transmissions beforehand”
 Policy statement on media handling:
  “Only personnel who are authorized to install or modify software shall use removable media to transfer data to/from the organization's network. Any other persons shall require specific authorization”

* RUSecure™ Information Security Policies
Security Policies Content -6 (based on ISO 17799)

VI. Access control
 User access management
   access rights, passwords
 User responsibilities
 Network access control
   network segregation
 Operating system access control
 Application access control
 Monitoring system access and use
 Mobile computing and teleworking
Examples*

 User access management:
  “Access to all systems must be authorized by the owner of the system and such access, including the appropriate access rights, or privileges, must be recorded in an Access Control List. Such records are to be regarded as Highly Confidential documents and safeguarded accordingly”
 Operating system access control:
  “Access to operating system commands is to be restricted to those who are authorized to perform systems administration/management functions. Even then, such access must be operated under dual control requiring the specific approval of senior management”

* RUSecure™ Information Security Policies
Security Policies Content -7 (based on ISO 17799)

VII. Systems development and maintenance
 Security requirements of systems
   “built-in” security
 Security in application systems
   message authentication, hash algorithms, cryptography
 Cryptographic controls
   to protect the confidentiality, authenticity or integrity of information (encryption, digital signatures, key management)
Examples*

 “All new hardware installations are to be planned formally and notified to all interested parties ahead of the proposed installation date. Information security requirements are to be circulated for comment to all interested parties, well in advance of installation”
 “All equipment must be fully and comprehensively tested and formally accepted by users before being transferred to the live environment”

* RUSecure™ Information Security Policies
Security Policies Content -8 (based on ISO 17799)

VIII. Business continuity management
 “To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.”
 Analyze the consequences of disasters, security failures and loss of service.
 Develop and implement contingency plans to ensure that business processes can be restored within the required time-scales.
 Such plans should be maintained and practiced to become an integral part of all other management processes.
 Business continuity management should include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.
Security Policies Content -9 (based on ISO 17799)

IX. Compliance
 Compliance with legal requirements
   data protection and privacy of personal information
   intellectual property rights (IPR)
   regulation of cryptographic controls
 Compliance with security policy
Examples*

 “Persons responsible for Human Resources Management are to prepare guidelines to ensure that all employees are aware of the key aspects of Copyright legislation, in so far as these requirements impact on their duties”
 “All employees are required to fully comply with the organisation’s Information Security Policies. The monitoring of such compliance is the responsibility of management”

* RUSecure™ Information Security Policies
Critical factors for successful application -1

 Alignment with business goals
 Management support
 Organizational culture
 Address specific security requirements
 User awareness, training and education
 Review and evaluation procedures
 Gradual introduction, change management
Critical factors for successful application -2

 Clear, easy to understand
 Easily accessible
 Complete
 Up-to-date
 Extendable
 Applicable
 Technology independent
Security Policies Review

 Scheduled reviews
   e.g. once every 18 months
 Occasional reviews
   when major changes occur (e.g. network configuration, new applications)
 Review results utilized for evaluating and updating the Security Policy
Conclusions

 There is no “out of the box” security solution
 Customize Security Policies
   content, structure, security guidelines
 Utilize best practice, Information Security Standards
 Effective implementation
   context-dependent