Chapter 4: Security Policy Documents & Organizational Security Policies

2

Objectives

Compose a statement of authority Develop and evaluate policies related to the

information security policies documents objectives and ownership

Create and asses policies associated with the management of security-related activities

Assess and manage the risks inherent in working with third parties

3

Composing a Statement of Authority

The statement should be issued by an authority figure such as a CEO, President… Buy-in from top management is a must It provides adequate credibility to the policy for all

employees

4

Composing a Statement of Authority Cont. The statement is an introduction to the policy

It sets the tone for the document Statement of authority & statement of culture

Exposes the values of the company and security measures to be deployed to protect them

An attempt at “recruiting” employees to act in a secure fashion to protect the company

5

Composing a Statement of Authority Cont. The goal of the statement of authority: to

deliver a clear message about the importance of information security for all employees If the message is not clear, employees will either

act erroneously by mistake or will disregard the whole document altogether

The statement is a teaching tool It should be created, promoted and used as such

6

Composing a Statement of Authority Cont. The statement should reflect the company

culture in both format and content Information security is first and foremost cultural

and behavioral Employees need to identify and embrace with the

company culture It is made easier if the documents that are part of

the security policy are clearly in accordance with the company policy

7

Security Policy Document Policy

States the need for written information security policies as well as who is responsible for creating, approving, enforcing & reviewing policies These responsibilities must be clearly stated in the

document so that no phase of the process is “abandoned” or ignored

Strong leadership is always a part of successful information security policies

8

Security Policy Document Policy Cont. Emphasizes management’s approach and

commitment to information security No Information policy can be successful without

full and unequivocal support from Management

It’s a policy about needing and having policies!

9

Federal Law & Information Security Policy

Many private sector industries are federally regulated: Financial Sector:

GLBA (Gramm-Leach-Bliley Act) SOX (Sarbanes-Oxley, which affects publicly-traded

companies) Healthcare:

HIPAA (Health Insurance Portability & Accountability Act Educational Institutions:

FERPA (Family Educational Rights & Privacy Act)

10

Federal Law & Information Security Policy Cont. Some organizations may fall under several

federal mandates If necessary, companies should hire 3rd-party

experts to identify under which mandates a company falls

ISO 17799 can be mapped to several federal mandate regulations Here again, it may be advantageous to hire 3rd-

party compliance experts to guide and support the company’s compliance team

11

Security Policy Document Policy Cont. The Information Security Policy Document

policy should reference federal and state regulations to which the organization is subject It is important to integrate those regulations in the

policies written for and deployed by the company The first step towards compliance is awareness!

12

The Need for an Employee Version of the Security Policies

Whole document can be too complex & intimidating The goal is to create a guide of what is acceptable and

what is not. Making the document too complex defeats that purpose

The goal is for employees to read, understand and act according to the policies The policies are useless without adequate employee

support

13

The Need for an Employee Version of the Security Policies Cont. Employees should only be given those

policies that apply to them Need-to-know and the concept of least privilege

apply here as well! Acceptable Use Agreement should be drafted

and distributed to all employees It should include (but is not limited to):

An Internet use policy An Email use policy

14

The Need for an Employee Version of the Security Policies Cont. Remind all employees that information

cannot be protected if they don’t all buy in and adopt the policies that regulate the company Again, information security is behavioral and

cultural There is no technical device that a company can

deploy to protect the confidentiality, integrity and availability of data if employees are not also enrolled in actively protecting the company’s data

15

Policies are Dynamic

Organizations change, either directly or indirectly. Their policies must also change to reflect this dynamic situation

Scheduled, regular reviews should take place

Change drivers are events within an organization that affect culture, procedures, activities, responsibilities, and more Change drivers must be identified and analyzed

16

Policies are Dynamic Cont.

Change drivers may introduce new activities and/or vulnerabilities Identified change drivers should trigger new risk &

vulnerability assessments Companies should also have regularly scheduled

risk and vulnerability assessments For separation of duties purposes, vulnerability

assessments should be conducted by 3rd-party consultants

17

Policies are Dynamic Cont.

Who is responsible for this document? The ISO, or a member of Upper Management

What “ownership” means: Developing, maintaining & reviewing policies

Policy owner does not approve policies. A higher level of the company is responsible.

Information Security Policy Document defines both ownership and authority

18

Policies are Dynamic Cont.

Decisions should include:

Who is in charge of security management? What is the scope of their enforcement authority? When should third-party expertise be brought in?

19

Managing Organizational Security

Three topics on which to focus:

Information Security Infrastructure Identification of risks from 3rd-party consultants Security Requirements for outsourcing

20

Managing Organizational Security Cont. Designing & maintaining a secure environment

requires input from representatives of each department of the company: Management IT (developers, network engineers, administrators) HR Legal & Financial services

Collaboration of all these parties is required to create and maintain a successful information security policy

21

Managing Organizational Security Cont. Designing & maintaining a secure

environment requires input from representatives of each department of the company: Management IT (developers, network engineers, administrators) HR Legal & Financial services

22

Managing Organizational Security Cont. Who is a third-party?

Business partners Vendors Contractors (including temporary workers)

Managing Organizational Security Cont. Physical Security

Protecting the network from attacks from the outside is recommended, but a company should not forget to protect the physical security of the servers Why bother to hack when you can steal?

24

Managing Organizational Security Cont. If physical access for 3rd-party is allowed,

proper control must be deployed to: Select who gets physical access To which areas is physical access granted Has due diligence been extended to verify the

integrity and credibility of those 3rd-party contractors?

25

Outsourcing Is a Growing Trend

Outsourcing is seen by some as a business tool used to lower costs. It also comes with risks: Is the work being outsourced out of the country?

If so, to which country? How is security handled in the culture of that country? How effectively are Intellectual Property laws enforced and

respected in that country?

26

Outsourcing Is a Growing Trend Cont.

Is the data secure during transmission? Is the data transferred electronically?

What secure protocols are used? Is the data physically sent overseas?

What courier system is used? How reliable/reputable/dependable is this courier system?

27

Outsourcing Is a Growing Trend Cont.

Is the data securely stored while away from the corporate network? What security controls are deployed at the periphery of

the target network? What access control methods are used on the target

control? What auditing methods are used on the target network?

28

Outsourcing Is a Growing Trend Cont.

How do you conduct due diligence on a company located halfway across the world? Is this company foreign-owned, or a subsidiary of a US-

owned corporation? Is this company reputable? Has the company sent a representative on-site to verify

the information provided to them?

29

Summary

Standards such as the ISO 17799 exist to help organizations better define appropriate ways to protect their information assets.

Written policies are not enough, and the proper security infrastructures must be deployed.

A multidisciplinary approach to security that involves all departments will result in a unified security posture that can be adopted by the whole company.

Because companies are not static, also must policies evolve with the company. In order to achieve a higher level of protection, it is recommended that companies would hire security experts.