Information Systems Security Policies & ISO 17799 Maria Karyda, PhD [email protected] Laboratory of...
Posted: 21-Dec-2015
Information Systems Security Policies & ISO 17799
Maria Karyda, PhD, [email protected]
Laboratory of Information and Communication Systems Security
Department of Information and Communication Systems Engineering
University of the Aegean
Karlovassi, Samos, GR-83200, GREECE
IPICS – Chios, July 2005
Overview
Information Systems Security Policies
  What is a Security Policy?
  Why do we need them?
  How can we design a Policy and what should we include?
  What makes a Security Policy effective?
Information Security Management Standards
  How can the ISO 17799 assist us?
Information Systems Security Practices
Information Systems Risk Management
  aims to minimize risk at acceptable levels
  by implementing risk analysis and management methods (e.g. OCTAVE, CRAMM, SBA)
  baseline security is also an option
Information Systems Security Policy
  most common security management practice
  based on risk evaluation results
  based on standards and best practices
What is a Security Policy?
High level statements describing the security goals, priorities and the management intention with regard to information systems security, as well as the ways to achieve these goals.
Written in one or more documents.
Information Systems Security Policies
  Design
  Implement
  Publish
  Enforce
  Monitor compliance
  Evaluate
  Review
  Amend and update
Who is involved?
  Security experts: design, review and update the policy
  System / network administrators: implement security controls, guidelines
  Management: set security goals, provide resources
  Users: follow security procedures
  Auditors: monitor compliance
Related Concepts
  Law, Regulations
  Security Requirements
  Information Systems Security Policy
  Information systems security management standards, Best Practice
  Security Procedures, Guidelines
  Countermeasures
Law and Regulations: e.g. Data Protection, Intellectual Property Management
Security Requirements: confidentiality, availability, privacy, integrity, non-repudiation
Best practices and Security Standards: security countermeasures, guidelines and procedures
Why do we need a security policy? -1-
  Provides a comprehensive framework for the selection and implementation of security measures
  Communication means among different stakeholders
  Management of resources: people, skills, money, time
  Conveys the importance of security to all members of the organization
Why do we need a security policy? -2-
  Helps create a “security culture”: shared beliefs and values concerning security
  Legal obligation
  Helps promote “trust relationships” between the organization and its business partners / clients
Designing a Security Policy: security goals elicitation
  Risk evaluation
  Other sources of security requirements: management, legal framework, contractual obligations, users and administrators, business partners and clients
Designing a Security Policy: Issues to be addressed
  Goal and security targets
  Scope
  Assets covered by the Policy: data, software, hardware, locations, processes etc.
  Roles and responsibilities
  Compliance monitoring: incentives, penalties etc.
  Time
What kind of Security Policies are there?
Computer-oriented Security Policies
  Information Security Policies that implement access control (Discretionary Access Control, Mandatory Access Control)
  operating systems, networks, applications
Human-oriented Security Policies
  scope: department, organization
  applied by IS users
Security Policies Structure -1- Individual Security Policies
  application or system (e.g. email policy), “use policies”
  + effective for isolated systems and autonomous applications
  - high complexity, fragmented IS security management
Security Policies Structure -2- Comprehensive Security Policies
  one document addressing all applications, processes and systems
  - big volume, not easy to use
  - contain high level security guidelines
Security Policies Structure -3- Modular Security Policies
  comprehensive document with multiple annexes containing specific (e.g. per application or system) policies
  can be in hypertext form
ISO/IEC 17799
  First Edition: 01-12-2000
  Prepared by the British Standards Institution (as BS 7799) and adopted by Joint Technical Committee ISO/IEC JTC 1, Information Technology, in parallel with its approval by national bodies of ISO and IEC.
  “Information technology — Code of practice for information security management”
  New Edition: June 2005
Security Policies Content -1- (based on ISO 17799-2000)
I. Organizational Security
  “Information security is a business responsibility shared by all members of the management team.”
  Information security infrastructure: management should approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization
  co-operation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance
Security Policies Content -2- (based on ISO 17799)
II. Asset classification and control
  Asset accountability: accountability should remain with the owner of the asset. Responsibility for implementing controls may be delegated.
  Information classification: information should be classified to indicate the need, priorities and degree of protection, depending on varying degrees of sensitivity and criticality.
Security Policies Content -3- (based on ISO 17799)
III. Personnel security
  Security in job definition and resourcing
  User training: users should be trained in security procedures and the correct use of information processing facilities to minimize possible security risks.
  Responding to security incidents and malfunctions: weaknesses, malfunctions; learning from incidents; disciplinary process
Examples*
  “The Terms and Conditions of Employment of the Organization are to include requirements for compliance with Information Security”
  “All staff must have previous employment and other references carefully checked”
  “All employees must comply with the Information Security Policy of the Organization. Any Information Security incidents resulting from non-compliance will result in immediate disciplinary action”
* RUSecure™ Information Security Policies
Examples*
  “The Organization is committed to providing regular and relevant Information Security awareness communications to all staff by various means, such as electronic updates, briefings, newsletters etc.”
  “Periodic training for the Information Security Officer is to be prioritized to educate and train in the latest threats and Information Security Techniques”
  “The Organization is committed to providing training to all users of new systems to ensure that their use is both efficient and does not compromise Information Security”
* RUSecure™ Information Security Policies
Security Policies Content -4- (based on ISO 17799)
IV. Physical and environmental security
  Secure areas: security perimeter, entry controls
  Protection provided should be commensurate with the identified risks
  Equipment security
  Safety
Examples*
  “A formal Hardware Inventory of all equipment is to be maintained and kept up-to-date at all times”
  “All information system hardware faults are to be reported promptly and recorded in a hardware fault register”
* RUSecure™ Information Security Policies
Security Policies Content -5- (based on ISO 17799)
V. Communications & operations management
  Operational procedures and responsibilities: incident management procedures, segregation of duties, separation of development and operational facilities
  System planning and acceptance: capacity planning, performance requirements, system acceptance
  Protection against malicious software
  Back ups, logging
  Network management
  Media handling: tapes, disks, cassettes
  Information exchange between organizations: policy on the use of e-mail or fax
  Electronic commerce security
Examples*
Policy statement on the use of fax:
  “Sensitive or confidential information may only be faxed where more secure methods of transmission are not feasible. Both the owner of the information and the intended recipient must authorize the transmissions beforehand”
Policy statement on media handling:
  “Only personnel who are authorized to install or modify software shall use removable media to transfer data to/from the organization's network. Any other persons shall require specific authorization”
* RUSecure™ Information Security Policies
Security Policies Content -6- (based on ISO 17799)
VI. Access control
  User access management: access rights, passwords
  User responsibilities
  Network access control: network segregation
  Operating system access control
  Application access control
  Monitoring system access and use
  Mobile computing and teleworking
Examples*
User access management:
  “Access to all systems must be authorized by the owner of the system and such access, including the appropriate access rights, or privileges, must be recorded in an Access Control List. Such records are to be regarded as Highly Confidential documents and safeguarded accordingly”
Operating system access control:
  “Access to operating system commands is to be restricted to those who are authorized to perform systems administration/management functions. Even then, such access must be operated under dual control requiring the specific approval of senior management”
* RUSecure™ Information Security Policies
Security Policies Content -7- (based on ISO 17799)
VII. Systems development and maintenance
  Security requirements of systems: “built-in” security
  Security in application systems: message authentication, hash algorithms, cryptography
  Cryptographic controls: to protect the confidentiality, authenticity or integrity of information (encryption, digital signatures, key management)
Examples*
  “All new hardware installations are to be planned formally and notified to all interested parties ahead of the proposed installation date. Information security requirements are to be circulated for comment to all interested parties, well in advance of installation”
  “All equipment must be fully and comprehensively tested and formally accepted by users before being transferred to the live environment”
* RUSecure™ Information Security Policies
Security Policies Content -8- (based on ISO 17799)
VIII. Business continuity management
  “To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.”
  Analyze the consequences of disasters, security failures and loss of service.
  Develop and implement contingency plans to ensure that business processes can be restored within the required time-scales.
  Such plans should be maintained and practiced to become an integral part of all other management processes.
  Business continuity management should include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.
Security Policies Content -9- (based on ISO 17799)
IX. Compliance
  Compliance with legal requirements: data protection and privacy of personal information; intellectual property rights (IPR); regulation of cryptographic controls
  Compliance with security policy
Examples*
  “Persons responsible for Human Resources Management are to prepare guidelines to ensure that all employees are aware of the key aspects of Copyright legislation, in so far as these requirements impact on their duties”
  “All employees are required to fully comply with the organisation’s Information Security Policies. The monitoring of such compliance is the responsibility of management”
* RUSecure™ Information Security Policies
Critical factors for successful application -1-
  Alignment with business goals
  Management support
  Organizational culture
  Address specific security requirements
  User awareness, training and education
  Review and evaluation procedures
  Gradual introduction, change management
Critical factors for successful application -2-
  Clear, easy to understand
  Easily accessible
  Complete
  Up-to-date
  Extendable
  Applicable
  Technology independent
Security Policies Review
  Scheduled reviews, e.g. once every 18 months
  Occasional reviews when major changes occur (e.g. network configuration, new applications)
  Review results utilized for evaluating and updating the Security Policy
Conclusions
  There is no “out of the box” security solution
  Customize Security Policies: content, structure, security guidelines
  Utilize best practice, Information Security Standards
  Effective implementation is context-dependent