Enterprise Security Management

Developing Information Security Policy
Why is Developing Good Security Policy Difficult?
• Effective Security/IA Policy is more than locking doors and changing passwords
• Must reflect the entire enterprise/organization and its business goals and mission areas
• Needs to address a multitude of issues:
– Human resources
– IT
– Physical Security
– Costs
– Governance
Why is Developing Good Security Policy Difficult?
• Must be comprehensive
• To be effective the policy must be unambiguous
• Must be a human document – not technical
Getting Started
• “The first step toward enhancing an organization’s security is the development and implementation of a precise, yet enforceable security policy, informing staff of the various aspects of their responsibilities, general use of organizational resources, and explaining how sensitive information must be handled. The policy will also describe in detail the meaning of the term acceptable use, as well as listing prohibited activities.”
• Building and Implementing a Successful Information Security Policy, by Dancho Danchev, WindowSecurity.com, 2003
Know the Organization
• When developing a Security/IA Policy it is critical to first know the organization:
– Business model
– Goals/Mission
– Organizational Personality
– Structure
Risk Analysis
• Policy developer(s) need to know the risks facing an organization
• Either conduct a Risk Analysis or access existing risk data
• Understand how the organization does or intends to manage risk
• Must include a Vulnerability Assessment
Risk Assessment
• Risk management approaches are better for connecting to business drivers and for protecting the right assets.
• However, even risk-based approaches are limiting if there is no enterprise context or view:
– Organizations are often not likely to act on findings even when they direct or perform the assessment
– Operational unit strategies for protecting assets frequently collide with enterprise barriers, such as a lack of security policy or training
– Operational units cannot devise and deploy an effective protection strategy for the enterprise
• Therefore – the need for effective policy!!
Vulnerability Assessment
• Technology-based approaches such as vulnerability management approaches aren’t enough:
– Reactive
– Tool driven
– Focused in the technical domain
– Performed by technicians (IT) primarily
– Lack of connection to business drivers, mission
– Security relegated to the responsibility of IT
– IT-based security decisions based on their drivers
– Focused on information or network security, but not administration, operations, or infrastructure (physical)
Standards
• Know and understand the organizational standards that will be used for guidance within the policy.
• Can be broader based standards adopted by the organization
• Used as a basis for developing comprehensive and enforceable policy
• Shall, Will, Must!!!
Issue Statements
• These statements define each of the issues addressed within the policy document:
• Access control
• Unauthorized software
• Unauthorized use
• Data protection
• Personnel requirements
• Etc.
Applicability
• Identifies Where, How, When, To Whom and To What the security/IA policy applies
• Making this clear is critical to governance/enforcement
• Critical to eliminating ambiguities
Establish Responsibilities
• Clarifies who is responsible for what or whom
• Can be an effective way to bring the organization together
• Sharing responsibility for organizational security can expand the number of people who believe they are stakeholders in the success of the organization
• Important for compliance
Compliance
• Compliance requirements must be precise
• Should be applied equally within the organization
• Needs to define consequences of compliance failures
• Consequences do not have to be punitive
• Punitive measures should be able to be applied at all levels of an organization
• Compliance issues should be described as a means of ensuring success – not just identifying failure
Points of Contact
• It is essential that people within an organization know who to contact with security issues
• Questions on security/IA policy should be able to be resolved rapidly and clearly
• Security policy management should be seen as an asset to the workings of the organization
Visibility
• To be effective a security/IA policy must be visible
• Readily available to all personnel
• Should be provided at hire
• Security training must be part of indoctrination (new-hire orientation)
• Continued training and security awareness should be part of the organizational culture
Policy Challenges
• Potential barriers to success for developing a security/IA policy that is effective across the enterprise:
– failing to realize that security management is a business issue as well as a technological challenge
– security goals are aligned with the CIO, not the organization
– good policy needs more than IT to work together to achieve information security goals
– effective policy will convince organizational units other than IT that they should care about information security
Policy Challenges
• Security/IA Policy has to be part of the strategic plan for an organization
• Security strategies must also enable the organization, but must be balanced against potentially limiting the achievement of other strategic objectives