Session 3 – Information Security Policies


General - background

• How to establish security requirements

– Risk assessments

– Legal, statutory requirements

– Business requirements for information processing

• Select controls from a standard

• Controls to be considered common practice

– Information security policy

– Allocation of responsibilities

– Awareness and training

– Technical vulnerability management

– Incident reporting


Critical success factors for addressing information security in organisations

• Info sec policy, objectives

• Architectural approach

• Management commitment / support

• Understand info sec requirements

• Budget for info sec

• Awareness and training

• Effective incident reporting system

• Measurement system


12 Key control areas

• Risk assessment and treatment

• Information security policy

• Organization / management of information security

• Asset classification and control (management)

• Human resources security

• Physical and environmental security

• Communications and operations management

• Access control

• Information systems acquisition, development and maintenance

• Information security incident management

• Business continuity management

• Compliance


5. Security policy

INFORMATION SECURITY POLICY

Objective: To provide management direction and support for information security.

Information Security Policy Document

Control: … should state management commitment

Implementation guidance: … definition

Other information: … distribution

Review of the Information Security Policy


Security policy – Information security policy

d) a brief explanation of the security policies, principles, standards and compliance requirements of particular importance to the organization, for example:

1) compliance with legislative and contractual requirements;

2) security education requirements;

3) prevention and detection of viruses and other malicious software;

4) business continuity management;

5) consequences of security policy violations;

e) a definition of general and specific responsibilities for information security management, including reporting security incidents;


Security policy – Information security policy

f) references to documentation which may support the policy, e.g. more detailed security policies and procedures for specific information systems or security rules users should comply with.

This policy should be communicated throughout the organization to users in a form that is relevant, accessible and understandable to the intended reader.


Organization of information security

INTERNAL ORGANIZATION

Objective: To manage information security within the organization.

• Establish a management framework

• Management with leadership to

– approve the information security policy,

– assign security roles,

– co-ordinate implementation of security.

• Establish a source of specialist information security advice if needed

• A multi-disciplinary approach to information security is needed


Organization of information security

INTERNAL ORGANIZATION

• Management commitment to information security

• Information security co-ordination

• Allocation of information security responsibilities

• Authorization process for information processing facilities

• Confidentiality agreements

• Contact with authorities

• Contact with special interest groups

• Independent review of information security

EXTERNAL PARTIES

• Identification of risks related to external parties

• Addressing security when dealing with customers

• Addressing security in third party agreements


Asset Management

RESPONSIBILITY FOR ASSETS

Objective: To achieve and maintain appropriate protection of organizational assets. All assets should be accounted for and have an owner.

• Assign responsibility for maintenance of appropriate controls

• Responsibility for implementing controls may be delegated

• Owners should be identified for all assets and the responsibility for the maintenance of appropriate controls should be assigned.

• Inventory of assets

• Ownership of assets

• Acceptable use of assets


Asset Management

INFORMATION CLASSIFICATION

Objective: To ensure that information receives an appropriate level of protection.

• Classify information to indicate

– need,

– priorities,

– degree of protection.

• Information has varying degrees of sensitivity and criticality

• Define an appropriate set of protection levels and communicate the need for special handling measures.

• Classification guidelines

• Information labelling and handling


Human Resources Security

PRIOR TO EMPLOYMENT

Objective: To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

• Address security responsibilities at the requirement stage, include them in contracts, and monitor them during employment

• Screen potential recruits adequately (sensitive jobs)

• All to sign a confidentiality agreement.

• Roles and responsibilities

• Screening

• Terms and conditions of employment


Human Resources Security

DURING EMPLOYMENT

Objective: To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error. An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided…

• Management responsibilities

• Information security awareness, education, and training

• Disciplinary process


Human Resources Security

TERMINATION OR CHANGE OF EMPLOYMENT

Objective: To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

Change of responsibilities and employment within an organization should be managed.

Termination responsibilities

Return of assets

Removal of access rights


Physical and environmental security

SECURE AREAS

Objective: To prevent unauthorized access, damage and interference to business premises and information.

• house critical/sensitive business information processing facilities in secure areas,

• physically protected from unauthorized access or damage or interference.

• The protection should be commensurate with the identified risks.

• clear desk and clear screen policy


Physical and environmental security

EQUIPMENT SECURITY

Objective: To prevent loss, damage or compromise of assets and interruption to business activities.

• Protect equipment physically from security threats and environmental hazards.

• to reduce risk of unauthorized access to data, to protect against loss or damage.

• Also consider equipment siting and disposal

• Special controls to safeguard e.g. electrical supply


Communications and operations management

OPERATIONAL PROCEDURES AND RESPONSIBILITIES

Objective: To ensure the correct and secure operation of information processing facilities.

• Establish responsibilities and procedures for management and operation of all information processing facilities.

• development of operating instructions and incident response procedures

• Implement segregation of duties to reduce risk of negligent or deliberate system misuse


Communications and operations management

Operational Procedures and Responsibilities

Third Party Service Delivery Management

System Planning and Acceptance

Protection Against Malicious and Mobile Code

Back-Up

Network Security Management

Media Handling

Exchange of Information

Electronic Commerce Services

Monitoring


Access control

BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Objective: To control access to information.

• Control access to information, and business processes on basis of business and security requirements.

• take account of policies for information dissemination and authorization.


Access control

USER ACCESS MANAGEMENT

Objective: To prevent unauthorized access to information systems.

• Need formal procedures to control allocation of access rights to information systems and services.

• initial registration of new users to final de-registration of users who no longer require access

• control allocation of privileged access rights
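Added example (not part of the slides): a small access-review check of the kind the user access management and termination slides call for. It reconciles a constructed HR roster against a constructed export of access rights and flags leavers who still hold access, orphan accounts with no HR record, and privileged rights with no recorded approval. The data layout and field names are assumptions.

```python
from datetime import date

# Constructed sample data (assumption): an HR roster and an export of the
# access rights held on systems. In practice these come from the HR system
# and from each system's account/role listing.
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob":   {"status": "left",   "end_date": date(2024, 3, 1)},
    "carol": {"status": "active", "end_date": None},
}

ACCESS_RIGHTS = [
    {"user": "alice", "system": "erp",     "privileged": False, "approved_by": "mgr-finance"},
    {"user": "bob",   "system": "erp",     "privileged": True,  "approved_by": "mgr-ops"},
    {"user": "carol", "system": "prod-db", "privileged": True,  "approved_by": None},
    {"user": "dave",  "system": "vpn",     "privileged": False, "approved_by": "mgr-it"},
]


def review_access(roster, rights):
    """Return (user, system, finding) tuples for rights that break the
    registration-to-de-registration lifecycle or the privileged-access rule."""
    findings = []
    for r in rights:
        person = roster.get(r["user"])
        if person is None:
            # No HR record at all: an orphan account that nobody owns.
            findings.append((r["user"], r["system"], "no HR record: orphan account, de-register"))
        elif person["status"] != "active":
            # A leaver still holding access: termination did not remove it.
            findings.append((r["user"], r["system"], "user has left: remove access rights"))
        if r["privileged"] and not r["approved_by"]:
            # Privileged rights must be explicitly allocated and approved.
            findings.append((r["user"], r["system"], "privileged right without recorded approval"))
    return findings


if __name__ == "__main__":
    for user, system, finding in review_access(HR_ROSTER, ACCESS_RIGHTS):
        print(f"{user:6} {system:8} {finding}")
```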


Access control

USER RESPONSIBILITIES

Objective: To prevent unauthorized user access.

• co-operation of authorized users is essential for effective security.

• make users aware of responsibilities e.g. passwords use and security of user equipment.


Access control

NETWORK ACCESS CONTROL

Objective: Protection of networked services.

• Control access to internal and external networked services

• To ensure that network users do not compromise the security of network services, have:

– appropriate interfaces

– appropriate authentication mechanisms

– control of user access


Access control

OPERATING SYSTEM ACCESS CONTROL

APPLICATION AND INFORMATION ACCESS CONTROL

MOBILE COMPUTING AND TELEWORKING


INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

SECURITY REQUIREMENTS OF INFORMATION SYSTEMS

Objective: To ensure that security is built into information systems.

• Includes infrastructure, business applications and user-developed applications.

• Identify and justify all security requirements during the requirements phase; agree and document them before development begins.


INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES

Objective: To maintain the security of application system software and information.

• Strictly control project and support environments.

• Managers responsible for application systems are also responsible for the security of the project or support environment.

TECHNICAL VULNERABILITY MANAGEMENT


INFORMATION SECURITY INCIDENT MANAGEMENT

REPORTING INFORMATION SECURITY EVENTS AND WEAKNESSES

• Reporting information security events

• Reporting security weaknesses

MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS

• Responsibilities and procedures

• Learning from information security incidents

• Collection of evidence


Business continuity management

INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT

Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

• Business continuity management: to reduce disruption from disasters/security failures to acceptable level

• Analyze consequences of disasters, security failures and loss of service.

• Develop and implement contingency plans

• Maintain and practice plans.


Compliance

COMPLIANCE WITH LEGAL REQUIREMENTS

Objective: To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

• There may be statutory, regulatory and contractual security requirements for the design, operation, use and management of information systems.

• Seek advice on specific legal requirements from the organization's legal advisers


Compliance

COMPLIANCE WITH SECURITY POLICIES AND STANDARDS AND TECHNICAL COMPLIANCE

Objective: To ensure compliance of systems with organizational security policies and standards.

• Review security of information systems regularly.

• Perform reviews against appropriate security policies and technical platforms

• Audit information systems for compliance with security implementation standards.


Compliance

INFORMATION SYSTEMS AUDIT CONSIDERATIONS

Objective: To maximize the effectiveness of and to minimize interference to/from the system audit process.

• Controls to safeguard operational systems and audit tools during system audits.

• Protect integrity and prevent misuse of audit tools.