Add to collection(s) Add to saved
  1. Business
  2. Management

here

advertisement 
CSE 4482: Computer Security Management:
Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875
Lectures: Tues (CB 122), 7–10 PM
Office hours: Wed 2-4 pm (CSEB 3043), or by
appointment.
3/18/2016
1
Ch 4: Information Security Policy
Objectives
• Upon completion of this material you should be
able to:
– Define information security policy and understand its
central role in a successful information security
program
– Describe the three major types of information security
policy and explain what goes into each type
– Develop various types various types of information
security policies
2
Management of Information Security, 3rd ed.
Introduction
• Policy is the essential foundation of an
effective information security program
• Policy maker sets the tone and emphasis
on the importance of information security
• Objectives
– Reduced risk
– Compliance with laws and regulations
– Assurance of operational continuity,
information integrity, and confidentiality
3
Management of Information Security, 3rd ed.
Why Policy?
• Policies are the least expensive means of
control and often the most difficult to
implement
• Basic rules for shaping a policy
– Policy should never conflict with law
– Policy must be able to stand up in court if
challenged
– Policy must be properly supported and
administered
4
Management of Information Security, 3rd ed.
Why Policy? (cont’d.)
• Bulls-eye model
– Networks: threats first meet the organization’s network
– Systems: computers and manufacturing systems
– Applications: all applications systems
5
Management of Information Security, 3rd ed.
Why Policy? (cont’d.)
Policies are important reference documents
– For internal audits
– For the resolution of legal disputes about
management's due diligence
– Policy documents can act as a clear
statement of management's intent
Types of information security policy
– Enterprise information security program policy
– Issue-specific information security policies
– Systems-specific policies
6
Management of Information Security, 3rd ed.
Policy, Standards, and Practices
• Policy : A plan or course of action that influences
decisions
– must be properly disseminated, read, understood,
agreed-to, and uniformly enforced
– require constant modification and maintenance
• Standards
– A more detailed statement of what must be done to
comply with policy
• Practices
– Procedures and guidelines explain how employees will
comply with policy
7
Management of Information Security, 3rd ed.
Policies, Standards, & Practices
Figure 4-2 Policies, standards and practices
Management of Information Security, 3rd ed.
8
Source: Course Technology/Cengage Learning
Enterprise Information Security
Policy (EISP)
• Sets strategic direction, scope, and tone for
organization’s security efforts
• Assigns responsibilities for various areas of
information security
• Guides development, implementation, and
management requirements of information
security program
9
Management of Information Security, 3rd ed.
EISP Elements
1. corporate philosophy on security
2. information security organization and
information security roles
10
Management of Information Security, 3rd ed.
Example ESIP Components
•
•
•
•
Statement of purpose
Information technology security elements
Need for information technology security
Information technology security
responsibilities and roles
• Reference to other information technology
standards and guidelines
11
Management of Information Security, 3rd ed.
Issue-Specific Security Policy
(ISSP)
• Provides detailed, targeted guidance
– Instruction for secure use of a technology systems
– Begins with introduction to fundamental technological
philosophy of the organization
• Protects organization from inefficiency and
ambiguity
– Documents how the technology-based system is
controlled
– Identifies the processes and authorities that provide
this control
• Indemnifies the organization against liability for
an employee’s inappropriate or illegal system use
12
Management of Information Security, 3rd ed.
Issue-Specific Security Policy- contd
• ISSP topics
– Email and internet use
– Minimum system configurations
– Prohibitions against hacking
– Home use of company-owned computer
equipment
– Use of personal equipment on company
networks
– Use of telecommunications technologies
– Use of photocopy equipment
13
Management of Information Security, 3rd ed.
Components of the ISSP
• Statement of Purpose
– Scope and applicability
– Definition of technology addressed
– Responsibilities
• Authorized Access and Usage of
Equipment
– User access
– Fair and responsible use
– Protection of privacy
14
Management of Information Security, 3rd ed.
Components of the ISSP - contd
• Prohibited Usage of Equipment
–
–
–
–
–
Disruptive use or misuse
Criminal use
Offensive or harassing materials
Copyrighted, licensed or other intellectual property
Other restrictions
• Systems management
–
–
–
–
–
Management of stored materials
Employer monitoring
Virus protection
Physical security
Encryption
15
Management of Information Security, 3rd ed.
Components of the ISSP - contd
• Violations of policy
– Procedures for reporting violations
– Penalties for violations
• Policy review and modification
– Scheduled review of policy and procedures for
modification
• Limitations of liability
– Statements of liability or disclaimers
16
Management of Information Security, 3rd ed.
System-Specific Security Policy
• System-specific security policies (SysSPs)
frequently do not look like other types of
policy
– may function as standards or procedures to be
used when configuring or maintaining systems
• SysSPs can be separated into
– Management guidance
– Technical specifications
– Or combined in a single policy document
17
Management of Information Security, 3rd ed.
Managerial Guidance SysSPs
• Created by management to guide the
implementation and configuration of technology
• Applies to any technology that affects the
confidentiality, integrity or availability of
information, e.g. firewall configuration
• Informs technologists of management intent
18
Management of Information Security, 3rd ed.
Technical Specifications SysSPs
• System administrators’ directions on
implementing managerial policy
• Each type of equipment has its own type of
policies
• General methods of implementing technical
controls
– Access control lists
– Configuration rules
19
Management of Information Security, 3rd ed.
Technical Specifications SysSPs - contd
• Access control lists
– Include the user access lists, matrices, and capability
tables that govern the rights and privileges
– A similar method that specifies which subjects and
objects users or groups can access is called a
capability table
– These specifications are frequently complex matrices,
rather than simple lists or tables
– Enable administrations to restrict access according to
user, computer, time, duration, or even a particular file
20
Management of Information Security, 3rd ed.
Technical Specifications SysSPs - contd
• Access control lists regulate
–
–
–
–
–
–
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the system from
How authorized users can access the system
Restricting what users can access, e.g. printers, files,
communications, and applications
• Administrators set user privileges
– Read, write, create, modify, delete, compare, copy
21
Management of Information Security, 3rd ed.
Technical Specifications SysSPs - contd
Figure 4-5 Windows XP ACL
Management of Information Security, 3rd ed.
22
Source: Course Technology/Cengage Learning
Technical Specifications SysSPs - contd
• Configuration rules
– Specific configuration codes entered into security
systems
• Guide the execution of the system when information is passing
through it
• Many security systems require specific
configuration scripts telling the systems what
actions to perform on each set of information they
process
23
Management of Information Security, 3rd ed.
Technical Specifications SysSPs
(cont’d.)
Figure 4-6 Firewall configuration rules
24
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Guidelines for Effective Policy
• policies must be properly:
– Developed using industry-accepted practices
– Distributed or disseminated using all
appropriate methods
– Reviewed or read by all employees
– Understood by all employees
– Formally agreed to by act or assertion
– Uniformly applied and enforced
25
Management of Information Security, 3rd ed.
Development steps
•
•
•
•
•
•
Investigation (goals, support, particiption)
Analysis (risk assessment)
Design (components, dissemination)
Implement (detailed specification)
Maintenance
Distribution
26
Policy Comprehension
Figure 4-9 Readability statistics
27
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Automated Tools
Figure 4-10 The VigilEnt policy center
28
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
The Information Securities Policy
Made Easy Approach
•
•
•
•
•
Gathering key reference materials
Defining a framework for policies
Preparing a coverage matrix
Making critical systems design decisions
Structuring review, approval, and
enforcement processes
29
Management of Information Security, 3rd ed.
The Information Securities Policy
Made Easy Approach (cont’d.)
Figure 4-11 A sample coverage matrix
Management of Information Security, 3rd ed.
30
Source: Course Technology/Cengage Learning
A Final Note on Policy
• Lest you believe that the only reason to
have policies is to avoid litigation, it is
important to emphasize the preventative
nature of policy
– Policies exist, first and foremost, to inform
employees of what is and is not acceptable
behavior in the organization
– Policy seeks to improve employee productivity,
and prevent potentially embarrassing situations
31
Management of Information Security, 3rd ed.
Summary
•
•
•
•
•
•
Introduction
Why Policy?
Enterprise Information Security Policy
Issue-Specific Security Policy
System-Specific Policy
Guidelines for Policy Development
32
Management of Information Security, 3rd ed.
Next
• Ch 5: Developing the security program
33
Objectives
• Completion of this material will enable you to:
– Explain the organizational approaches to information security
– List and describe the functional components of an information
security program
– Determine how to plan and staff an organization’s information
security program based on its size
– Evaluate the internal and external factors that influence the
activities and organization of an information security program
– List and describe the typical job titles and functions performed in
the information security program
– Describe the components of a security education, training, and
awareness program and explain how organizations create and
manage these programs
34
Management of Information Security, 3rd ed.
Introduction
• Some organizations use security program
to describe the entire set of personnel,
plans, policies, and initiatives related to
information security
– The term “information security program” is
used here to describe the structure and
organization of the effort that contains risks to
the information assets of the organization
35
Management of Information Security, 3rd ed.
Organizing for Security
• Variables involved in structuring an
information security program
– Organizational culture
– Size
– Security personnel budget
– Security capital budget
• As organizations increase in size:
– Their security departments are not keeping up
with increasingly complex organizational
infrastructures
36
Management of Information Security, 3rd ed.
Organizing for Security (cont’d.)
• Information security departments tend to
form internal groups
– To meet long-term challenges and handle dayto-day security operations
• Functions are likely to be split into groups
• Smaller organizations typically create fewer
groups
– Perhaps having only one general group of
specialists
37
Management of Information Security, 3rd ed.
Organizing for Security (cont’d.)
• Very large organizations (> 10,000 computers
– Security budgets often grow faster than IT budgets
– Even with a large budgets, the average amount spent
on security per user is still smaller than any other type
of organization
• Small organizations spend more than $5,000 per user on
security; very large organizations spend about 1/18th of that,
roughly $300 per user
– Does a better job in the policy and resource
management areas
– Only 1/3 of organizations handled incidents according
to an IR plan
38
Management of Information Security, 3rd ed.
Organizing for Security (cont’d.)
• Large organizations
– Have 1,000 to 10,000 computers
– Security approach has often matured,
integrating planning and policy into the
organization’s culture
– Do not always put large amounts of resources
into security
• Considering the vast numbers of computers and
users often involved
– They tend to spend proportionally less on
security
39
Management of Information Security, 3rd ed.
Security in Large Organizations
• One approach separates functions into four
areas:
– Functions performed by non-technology
business units outside of IT
– Functions performed by IT groups outside of
information security area
– Functions performed within information
security department as customer service
– Functions performed within the information
security department as compliance
40
Management of Information Security, 3rd ed.
Security in Large Organizations - contd
• The CISO has responsibility for information
security functions
– Should be adequately performed somewhere within
the organization
• The deployment of full-time security personnel
depends on:
– Sensitivity of the information to be protected
– Industry regulations
– General profitability
• The more money the company can dedicate to its
personnel budget
– The more likely it is to maintain a large information
security staff
Management of Information Security, 3rd ed.
41
Security in Large Organizations
(cont’d.)
Figure 5-1 Example of information security staffing in a large organization
42
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Security in Large Organizations
(cont’d.)
Figure 5-2 Example of information security staffing in a very large organization
43
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Security in Medium-Sized Organizations
• Have between 100 and 1000 computers
– Have a smaller total budget
– Have same sized security staff as the small
organization, but a larger need
– Must rely on help from IT staff for plans and practices
– Ability to set policy, handle incidents, and effectively
allocate resources is worse than any other size
– May be large enough to implement a multi-tiered
approach to security
• With fewer dedicated groups and more functions assigned to
each group
– Tend to ignore some security functions
44
Management of Information Security, 3rd ed.
Security in Medium-Sized
Organizations (cont’d.)
Figure 5-3 Example of information security staffing in a medium-sized organization
45
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Security in Small Organizations
• Have between 10 and 100 computers
– Have a simple, centralized IT organizational model
– Spend disproportionately more on security
– Information security is often the responsibility of a
single security administrator
– Have little in the way of formal policy, planning, or
security measures
– Often outsource Web presence or ecommerce
– Security training and awareness is commonly
conducted on a 1-on-1 basis
– Policies (when they exist) are often issue-specific
– Threats from insiders are less likely
• Every employee knows every other employee
46
Management of Information Security, 3rd ed.
Security in Small Organizations
(cont’d.)
Figure 5-4 Example of information security staffing in a smaller organization
47
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Placing Information Security
• In large organizations
– InfoSec is often located within the information
technology department
• Headed by the CISO who reports directly to the top computing
executive, or CIO
• An InfoSec program is sometimes at odds with
the goals and objectives of the IT department as
a whole, because the goals and objectives of the
CIO and the CISO may come in conflict
– It is not difficult to understand the current movement to
separate information security from the IT division
– The challenge is to design a reporting structure for the
InfoSec program that balances the needs of each of
the communities of interest
48
Management of Information Security, 3rd ed.
Placing Information Security,
option 1: Information Technology
Figure 5-5 Wood’s Option 1: Information security reports to information technology department
49
Management of Information Security, 3rd ed.
Source: From Information Security Roles and
Responsibilities Made Easy, used with permission.
Pros/cons
Widespread use
• Close to CEO
• Within IT dept
• Conflict of interest
• Security is not just a technological issue
50
Placing Information Security,
option 2: Security dept
Figure 5-6 Wood’s Option 2: Information security reports to broadly defined security department
51
Management of Information Security, 3rd ed.
Source: From Information Security Roles and
Responsibilities Made Easy, used with permission.
Pros/cons
Also popular
• In a dept that focuses on security
• Preventive viewpoint
• Cultural differences
• Resource allocation disparity
52
Placing Information Security,
option 3: Administrative services
Figure 5-7 Wood’s Option 3: Information security reports to administrative services department
53
Management of Information Security, 3rd ed.
Source: From Information Security Roles and
Responsibilities Made Easy, used with permission.
Pros/Cons
• Close to CEO
• Focus on people
• Disparity with the other concerns
54
Placing Information Security,
option 4: insurance and risk mgmt
Figure 5-8 Wood’s Option 4: Information security reports to insurance and risk management department
55
Management of Information Security, 3rd ed.
Source: From Information Security Roles and
Responsibilities Made Easy, used with permission.
Placing Information Security,
option 5: strategy and planning
Figure 5-9 Wood’s Option 5: Information security reports to strategy and planning department
56
Management of Information Security, 3rd ed.
Source: From Information Security Roles and
Responsibilities Made Easy, used with permission.
Components of the Security Program
• Organization’s information security needs
– Unique to the culture, size, and budget of the
organization
– Determining what level the information security
program operates on depends on the
organization’s strategic plan
• Also the plan’s vision and mission statements
• The CIO and CISO should use these two
documents to formulate the mission statement for
the information security program
57
Management of Information Security, 3rd ed.
Information Security Roles and Titles
Figure 5-10 Information security roles
58
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Implementing Security Education,
Training, and Awareness Programs
• SETA program
– Designed to reduce accidental security
breaches
– Consists of three elements: security education,
security training, and security awareness
• Awareness, training, and education
programs offer two major benefits:
– Improving employee behavior
– Enabling the organization to hold employees
accountable for their actions
59
Management of Information Security, 3rd ed.
Implementing SETA
Programs (cont’d.)
• Purpose of SETA is to enhance security:
– By building in-depth knowledge, to design,
implement, or operate security programs for
organizations and systems
– By developing skills and knowledge so that
computer users can perform their jobs while
using IT systems more securely
– By improving awareness of the need to protect
system resources
60
Management of Information Security, 3rd ed.
Implementing SETA
Programs (cont’d.)
Table 5-3 Framework of security education, training and awareness
Management of Information Security, 3rd ed.
Source: National Institute of Standards and Technology.
An Introduction to Computer Security:
61 The NIST
Handbook. SP 800-12.
http://csrc.nist.gov/publications/nistpubs/800-12/.
Security Education
• Employees within information security may
be encouraged to seek a formal education
– If not prepared by their background or
experience
– A number of institutions of higher learning,
including colleges and universities, provide
formal coursework in information security
62
Management of Information Security, 3rd ed.
Security Education (cont’d.)
Figure 5-11 Information security knowledge map
63
Management of Information Security, 3rd ed.
Source: Course Technology/Cengage Learning
Security Training
• Involves providing detailed information and
hands-on instruction
– To develop user skills to perform their duties securely
• develop customized training or outsource
• Customizing training for users
– By functional background
• General user
• Managerial user
• Technical user
– By skill level
• Novice
• Intermediate
• Advanced
64
Management of Information Security, 3rd ed.
Security Awareness
• One of the least frequently implemented,
but most effective security methods is the
security awareness program
• Security awareness programs:
– Set the stage for training by changing
organizational attitudes to realize the
importance of security and the adverse
consequences of its failure
– Remind users of the procedures to be followed
65
Management of Information Security, 3rd ed.
Security Awareness (cont’d.)
– Refrain from using technical jargon
– Define learning objectives, state them clearly,
and provide sufficient detail and coverage
– Keep things light
– Don’t overload the users
– Help users understand their roles in InfoSec
– Utilize in-house communications media
– Make the awareness program formal
– Provide good information early, rather than
perfect information late
66
Management of Information Security, 3rd ed.
Security Awareness (cont’d.)
• Effective training and awareness programs
make employees accountable for their
actions
• Dissemination and enforcement of policy
become easier when training and
awareness programs are in place
• Demonstrating due care and due diligence
can help indemnify the institution against
lawsuits
67
Management of Information Security, 3rd ed.
Security Awareness (cont’d.)
• Many security awareness components are
available at little or no cost
– Others can be very expensive
• Examples of security awareness
components
– Videos
– Posters and banners
– Lectures and conferences
– Computer-based training
68
Management of Information Security, 3rd ed.
Security Awareness (cont’d.)
• Examples of security awareness
components (cont’d.)
– Newsletters
– Brochures and flyers
– Trinkets (coffee cups, pens, pencils, T-shirts)
– Bulletin boards
69
Management of Information Security, 3rd ed.
Security Awareness (cont’d.)
• Organizations can establish Web pages or sites
dedicated to promoting information security
awareness
– The challenge lies in updating the messages frequently
enough to keep them fresh
• Tips on creating and maintaining an educational
Web site
–
–
–
–
–
See what’s already out there
Plan ahead
Keep page loading time to a minimum
Seek feedback
Spend time promoting your site
70
Management of Information Security, 3rd ed.
Summary
• Introduction
• Organizing for security
• Placing information security within an
organization
• Components of the security program
• Information security roles and titles
• Implementing security education, training,
and awareness programs
71
Management of Information Security, 3rd ed.
Related documents
Ch 4
Ch 4
EECS711-Chapter (4)
EECS711-Chapter (4)
456-fa11-4-policy
456-fa11-4-policy
Slides
Slides
chapter4 - Homework Market
chapter4 - Homework Market
MARKETING MANAGEMENT
MARKETING MANAGEMENT
Student User Guide – Access Code Registration
Student User Guide – Access Code Registration
CHAPTER 15 Long Reports Parts of a Long Report Front Matter Text
CHAPTER 15 Long Reports Parts of a Long Report Front Matter Text
05 -Information Security Policy(1)
05 -Information Security Policy(1)
Download
advertisement