95-841 Information Assurance Policy
Transcript of 95-841 Information Assurance Policy
95-841 1-2
Information Assurance Policy
• Seminar course: participation is essential
• Sessions (after week 4): 50% lecture, 50% discussion
• Building, developing, evaluating IA policy
• Grading:
– Course presentation: 30% (see sign-up list)
– Course participation: 30% (when not presenting)
– Final paper/project: 40% (policy-related topic)
95-841 1-3
Presentations
• Instructors will cover the background material
• Student presenters will apply it to a case study or other realistic scenario
• Student audience will evaluate the application and critique the resulting policies
• Presenters' grade is NOT based on critique results, but on the level of discussion and on effectiveness at presenting applicable policy
• Plan on 90 minutes, including discussion
95-841 1-4
Course Content
• Introduction and case study
• Policy development
• Policy evaluation
• Building policy for case study (with instructor as stakeholder)
• Larger issues (legislation and governance)
• Course summary
95-841 1-5
What is Information Assurance Policy?
• Detailed statement regarding permissible and prohibited behavior with respect to information assets to assure confidentiality, integrity and availability of those assets
• Behavior:
– loading, using, disseminating data
– acquiring, using, distributing software
– acquiring, using, retiring hardware
– in general: anything being done by, on or with any information processing asset
• Asset: data, software, device, network, person
95-841 1-6
Why Information Assurance Policy? (1)
[Slide diagram: a cloud of topic areas that policy must address]
• Communications
• Privacy
• Accountability
• Authorization
• Encryption
• Firewall Configuration
• Disaster Recovery
• Auditing
• Backups
• Authentication
• Access Controls
• Redundancy
• Resources
• Integrity
• Risk Reduction
• Purchasing Guidelines
95-841 1-7
Why Information Assurance Policy? (2)
[Slide diagram: Policy Stakeholders]
• Management / Top management (CXO)
• Users
• Others (clients, partners)
• Network Admin
• System Admin
• Database Admin
• Human Resources
• Legal
95-841 1-8
Why Information Assurance Policy? (3)
Janet works in the accounting department of a mid-size organization.
Changed her password: wrote the new one on a note; stuck the note to her monitor.
Later noticed that someone had used her account but didn't notice any obvious damage.
Had heard it was a bad idea to write passwords down and leave them around.
Remembered that an employee had been fired for some policy violation.
Did not report the incident.
95-841 1-9
Why Information Assurance Policy? (4)
Tim is a security administrator working for you in a 2000-member organization.
Detects a password sniffer running on his organization's principal server, and on an obsolete desktop used for lighting control.
In a directory called "…", he finds a file with 300 user ids and passwords for his site.
He reports his findings to you and asks for more time before reporting the incident.
95-841 1-10
Why Information Assurance Policy? (5)
• Staffing?
• New Product?
• New Infrastructure?
• Firewalls?
• Training?
Why Information Assurance Policy? (6)
• You work as a helpdesk manager, reporting to the CIO, for a medium-sized company
• An employee-owned smartphone was compromised while on travel, and through that compromise, about 3,000 customer billing records were accessed.
• What should you recommend to the CIO?
95-841 1-11
Going Forward From Here
• Policy and Technology are inherently linked
• Policy implements and enables authority
• We will discuss a variety of policy aspects
95-841 1-12
[Slide diagram: dimensions of the policy aspects to be covered]
• Policy lifecycle: Developing, Costing, Managing, Deploying
• Scope: User, Network, Site
• Goals: Confidentiality, Integrity, Availability
• Legislation and Governance