1
Session 3 – Information Security Policies
2
General - background
• How to establish security requirements– Risk assessments
– Legal, statutory requirements
– Business requirements for Information processing
• Select controls from a standard• Controls to be considered to be common practice
– Information security policy
– Allocation of responsibilities
– Awareness and training
– Technical vulnerability management
– Incident reporting
3
Critical Success factors for addressing InfoSec in organisations
• Info sec policy, objectives
• Architectural approach
• Management commitment / support
• Understand info sec requirements
• Budget for info sec
• Awareness and training
• Effective incident reporting system
• Measurement system
4
12 Key control areas
Risk assessment and treatmentInformation Security policyOrganization / management of Info Sec Assets classification and control (management)Human resources securityPhysical and environmental securityCommunications and operations management Access controlInformation Systems acquisition, development and
maintenanceInformation Security Incident ManagementBusiness Continuity ManagementCompliance
5
5. Security policy
INFORMATION SECURITY POLICY
Objective: To provide management direction and support for information security.
Information Security Policy Document
Control …should state mngt commitment
Implementation guidance….definition
Other information: ….distribution
Review of the Information Security Policy
6
Security policy Information security policy
d) a brief explanation of the security policies, principles, standards and compliance requirements of particular importance to the organization, for example:1) compliance with legislative and contractual requirements;
2) security education requirements;
3) prevention and detection of viruses and other malicious software;
4) business continuity management;
5) consequences of security policy violations;
e) a definition of general and specific responsibilities for information security management, including reporting security incidents;
7
Security policy Information security policy
f) references to documentation which may support the policy, e.g. more detailed security policies and procedures for specific information systems or security rules users should comply with.
This policy should be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader.
8
Organization Information Security
INTERNAL ORGANIZATIONObjective: To manage information security within the organization
• establish management framework• management with leadership to
– approve the information security policy,
– assign security roles
– co-ordinate implementation of security
• Establish a source of specialist information security advice if needed
• need multi-disciplinary approach to information security
9
Organization Information Security
INTERNAL ORGANIZATIONManagement commitment to information securityInformation security co-ordination.Allocation of information security responsibilitiesAuthorization process for information processing facilitiesConfidentiality agreementsContact with authoritiesContact with special interest groupsIndependent review of information security......
EXTERNAL PARTIESIdentification of risks related to external partiesAddressing security when dealing with customersAddressing security in third party agreements
10
Asset Management
RESPONSIBILITY FOR ASSETSObjective: To achieve and maintain appropriate protection of organizational assets.-> be accounted for, have owner
• assign responsibility for maintenance of appropriate controls • may delegate responsibility for implementing controls • Owners should be identified for all assets and the responsibility
for the maintenance of appropriate controls should be assigned.
Inventory of assetsOwnership of assetsAcceptable use of assets
11
Asset Management
INFORMATION CLASSIFICATIONObjective: To ensure that information receives an appropriate level of protection.
• Classify information to indicate– need, – priorities– degree of protection
• varying degrees of sensitivity, criticality• define appropriate set of protection levels, communicate need
for special handing measures.
Classification guidelinesInformation labelling and handling
12
Human Resources Security
PRIOR TO EMPLOYMENT Objective: To ensure that employees, contractors and third party
users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
• Address security responsibilities at the requirement stage, include in contracts, monitored during employment
• screen potential recruits adequately (sensitive jobs)• All to sign confidentiality agreement.
Roles and responsibilitiesScreeningTerms and conditions of employment
13
Human Resources Security
DURING EMPLOYMENTObjective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error. An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided…
Management responsibilitiesInformation security awareness, education, and trainingDisciplinary process
14
Human Resources Security
TERMINATION OR CHANGE OF EMPLOYMENT
Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
Change of responsibilities and employments within an organization should be managed
.
Termination responsibilities
Return of assets
Removal of access rights
15
Physical and environmental security
SECURE AREASObjective: To prevent unauthorized access, damage and interference to business premises and information.
• house critical/sensitive business information processing facilities in secure areas,
• physically protected from unauthorized access or damage or interference.
• The protection should be commensurate with the identified risks.
• clear desk and clear screen policy
16
Physical and environmental security
EQUIPMENT SECURITY
Objective: To prevent loss, damage or compromise of assets and interruption to business activities.
• Protect equipment physically from security threats and environmental hazards.
• to reduce risk of unauthorized access to data, to protect against loss or damage.
• also consider equipment siting and disposal• Special controls to safeguard e.g. electrical supply
17
Communications and operations management
OPERATIONAL PROCEDURES AND RESPONSIBILITIES
Objective: To ensure the correct and secure operation of information processing facilities.
• Establish responsibilities and procedures for management and operation of all information processing facilities.
• development of operating instructions and incident response procedures
• Implement segregation of duties to reduce risk of negligent or deliberate system misuse
18
Communications and operations management
Operational Procedures and Responsibilities
Third Party Service Delivery Management
System Planning and Acceptance
Protection Against Malicious and Mobile Code
Back-Up
Network Security Management
Media Handling
Exchange of Information
Electronic Commerce Services
Monitoring
19
Access control
BUSINESS REQUIREMENTS FOR ACCESS CONTROL
Objective: To control access to information.
• Control access to information, and business processes on basis of business and security requirements.
• take account of policies for information dissemination and authorization.
20
Access control
USER ACCESS MANAGEMENTObjective: To prevent unauthorized access to information systems.
• Need formal procedures to control allocation of access rights to information systems and services.
• initial registration of new users to final de-registration of users who no longer require access
• control allocation of privileged access rights
21
Access control
USER RESPONSIBILITIES
Objective: To prevent unauthorized user access.
• co-operation of authorized users is essential for effective security.
• make users aware of responsibilities e.g. passwords use and security of user equipment.
22
Access control
NETWORK ACCESS CONTROLObjective: Protection of networked services.
• Control access to internal and external networked services
• to ensure that network users do not compromise the security of network services have:– appropriate interfaces
– appropriate authentication mechanisms
– control of user access
23
Access control
OPERATING SYSTEM ACCESS CONTROL
APPLICATION AND INFORMATION ACCESS CONTROL
MOBILE COMPUTING AND TELEWORKING
24
INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
SECURITY REQUIREMENTS OF INFORMATION SYSTEMS
Objective: To ensure that security is built into information systems.
• includes infrastructure, business applications and user-developed applications.
• Identify and justify all security requirements during requirements phase agree and document (before development)
25
SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES
Objective: To maintain the security of application system software and information.
• strictly control project and support environments.• Managers responsible for application systems also
responsible for the security of the project or support environment.
TECHNICAL VULNERABILITY MANAGEMENT
INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
26
INFORMATION SECURITY INCIDENT MANAGEMENT
REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES
Reporting information security eventsReporting security weaknessesMANAGEMENT OF INFORMATION
SECURITY INCIDENTS AND IMPROVEMENTS
Responsibilities and proceduresLearning from information security incidentsCollection of evidence
27
Business continuity management
INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENTObjective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
• Business continuity management: to reduce disruption from disasters/security failures to acceptable level
• Analyze consequences of disasters, security failures and loss of service.
• Develop and implement contingency plans • Maintain and practice plans.
28
Compliance
COMPLIANCE WITH LEGAL REQUIREMENTSObjective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
• may be statutory, regulatory and contractual security requirements for design, operation, use and management of information systems.
• Seek advice on specific legal requirements from the organization's legal advisers
29
Compliance
COMPLIANCE WITH SECURITY POLICIES AND STANDARDS AND TECHNICAL COMPLIANCE
Objective: To ensure compliance of systems with organizational security policies and standards.
• Review security of information systems regularly.• Perform reviews against appropriate security policies
and technical platforms • audit information systems for compliance with
security implementation standards.
30
Compliance
INFORMATION SYSTEMS AUDIT CONSIDERATIONS
Objective: To maximize the effectiveness of and to minimize interference to/from the system audit process.
• controls to safeguard operational systems and audit tools during system audits.
• Protect integrity and prevent misuse of audit tools.
Top Related