Chapter 4: Security Policy Documents & Organizational Security Policies
description
Transcript of Chapter 4: Security Policy Documents & Organizational Security Policies
Chapter 4: Security Policy Documents & Organizational Security Policies
2
Objectives
Compose a statement of authority Develop and evaluate policies related to the
information security policies documents objectives and ownership
Create and asses policies associated with the management of security-related activities
Assess and manage the risks inherent in working with third parties
3
Composing a Statement of Authority
The statement should be issued by an authority figure such as a CEO, President… Buy-in from top management is a must It provides adequate credibility to the policy for all
employees
4
Composing a Statement of Authority Cont. The statement is an introduction to the policy
It sets the tone for the document Statement of authority & statement of culture
Exposes the values of the company and security measures to be deployed to protect them
An attempt at “recruiting” employees to act in a secure fashion to protect the company
5
Composing a Statement of Authority Cont. The goal of the statement of authority: to
deliver a clear message about the importance of information security for all employees If the message is not clear, employees will either
act erroneously by mistake or will disregard the whole document altogether
The statement is a teaching tool It should be created, promoted and used as such
6
Composing a Statement of Authority Cont. The statement should reflect the company
culture in both format and content Information security is first and foremost cultural
and behavioral Employees need to identify and embrace with the
company culture It is made easier if the documents that are part of
the security policy are clearly in accordance with the company policy
7
Security Policy Document Policy
States the need for written information security policies as well as who is responsible for creating, approving, enforcing & reviewing policies These responsibilities must be clearly stated in the
document so that no phase of the process is “abandoned” or ignored
Strong leadership is always a part of successful information security policies
8
Security Policy Document Policy Cont. Emphasizes management’s approach and
commitment to information security No Information policy can be successful without
full and unequivocal support from Management
It’s a policy about needing and having policies!
9
Federal Law & Information Security Policy
Many private sector industries are federally regulated: Financial Sector:
GLBA (Gramm-Leach-Bliley Act) SOX (Sarbanes-Oxley, which affects publicly-traded
companies) Healthcare:
HIPAA (Health Insurance Portability & Accountability Act Educational Institutions:
FERPA (Family Educational Rights & Privacy Act)
10
Federal Law & Information Security Policy Cont. Some organizations may fall under several
federal mandates If necessary, companies should hire 3rd-party
experts to identify under which mandates a company falls
ISO 17799 can be mapped to several federal mandate regulations Here again, it may be advantageous to hire 3rd-
party compliance experts to guide and support the company’s compliance team
11
Security Policy Document Policy Cont. The Information Security Policy Document
policy should reference federal and state regulations to which the organization is subject It is important to integrate those regulations in the
policies written for and deployed by the company The first step towards compliance is awareness!
12
The Need for an Employee Version of the Security Policies
Whole document can be too complex & intimidating The goal is to create a guide of what is acceptable and
what is not. Making the document too complex defeats that purpose
The goal is for employees to read, understand and act according to the policies The policies are useless without adequate employee
support
13
The Need for an Employee Version of the Security Policies Cont. Employees should only be given those
policies that apply to them Need-to-know and the concept of least privilege
apply here as well! Acceptable Use Agreement should be drafted
and distributed to all employees It should include (but is not limited to):
An Internet use policy An Email use policy
14
The Need for an Employee Version of the Security Policies Cont. Remind all employees that information
cannot be protected if they don’t all buy in and adopt the policies that regulate the company Again, information security is behavioral and
cultural There is no technical device that a company can
deploy to protect the confidentiality, integrity and availability of data if employees are not also enrolled in actively protecting the company’s data
15
Policies are Dynamic
Organizations change, either directly or indirectly. Their policies must also change to reflect this dynamic situation
Scheduled, regular reviews should take place
Change drivers are events within an organization that affect culture, procedures, activities, responsibilities, and more Change drivers must be identified and analyzed
16
Policies are Dynamic Cont.
Change drivers may introduce new activities and/or vulnerabilities Identified change drivers should trigger new risk &
vulnerability assessments Companies should also have regularly scheduled
risk and vulnerability assessments For separation of duties purposes, vulnerability
assessments should be conducted by 3rd-party consultants
17
Policies are Dynamic Cont.
Who is responsible for this document? The ISO, or a member of Upper Management
What “ownership” means: Developing, maintaining & reviewing policies
Policy owner does not approve policies. A higher level of the company is responsible.
Information Security Policy Document defines both ownership and authority
18
Policies are Dynamic Cont.
Decisions should include:
Who is in charge of security management? What is the scope of their enforcement authority? When should third-party expertise be brought in?
19
Managing Organizational Security
Three topics on which to focus:
Information Security Infrastructure Identification of risks from 3rd-party consultants Security Requirements for outsourcing
20
Managing Organizational Security Cont. Designing & maintaining a secure environment
requires input from representatives of each department of the company: Management IT (developers, network engineers, administrators) HR Legal & Financial services
Collaboration of all these parties is required to create and maintain a successful information security policy
21
Managing Organizational Security Cont. Designing & maintaining a secure
environment requires input from representatives of each department of the company: Management IT (developers, network engineers, administrators) HR Legal & Financial services
22
Managing Organizational Security Cont. Who is a third-party?
Business partners Vendors Contractors (including temporary workers)
Managing Organizational Security Cont. Physical Security
Protecting the network from attacks from the outside is recommended, but a company should not forget to protect the physical security of the servers Why bother to hack when you can steal?
24
Managing Organizational Security Cont. If physical access for 3rd-party is allowed,
proper control must be deployed to: Select who gets physical access To which areas is physical access granted Has due diligence been extended to verify the
integrity and credibility of those 3rd-party contractors?
25
Outsourcing Is a Growing Trend
Outsourcing is seen by some as a business tool used to lower costs. It also comes with risks: Is the work being outsourced out of the country?
If so, to which country? How is security handled in the culture of that country? How effectively are Intellectual Property laws enforced and
respected in that country?
26
Outsourcing Is a Growing Trend Cont.
Is the data secure during transmission? Is the data transferred electronically?
What secure protocols are used? Is the data physically sent overseas?
What courier system is used? How reliable/reputable/dependable is this courier system?
27
Outsourcing Is a Growing Trend Cont.
Is the data securely stored while away from the corporate network? What security controls are deployed at the periphery of
the target network? What access control methods are used on the target
control? What auditing methods are used on the target network?
28
Outsourcing Is a Growing Trend Cont.
How do you conduct due diligence on a company located halfway across the world? Is this company foreign-owned, or a subsidiary of a US-
owned corporation? Is this company reputable? Has the company sent a representative on-site to verify
the information provided to them?
29
Summary
Standards such as the ISO 17799 exist to help organizations better define appropriate ways to protect their information assets.
Written policies are not enough, and the proper security infrastructures must be deployed.
A multidisciplinary approach to security that involves all departments will result in a unified security posture that can be adopted by the whole company.
Because companies are not static, also must policies evolve with the company. In order to achieve a higher level of protection, it is recommended that companies would hire security experts.