Information systems 365 lecture four - Security Policy Development, Data Classification Methods and...


Security Policy Development, Data Classification Methods and Workplace Controls

Transcript of Information systems 365 lecture four - Security Policy Development, Data Classification Methods and...

Page 1: Information systems 365 lecture four - Security Policy Development, Data Classification Methods and Workplace Controls

Information Security 365/765, Fall Semester, 2014

Course Instructor, Nicholas Davis
Lecture 4, Security Policy Development, Data Classification Methods, Workplace Controls

Page 2: Next Time

- Security policies
- Information classification
- Security awareness training

04/10/23 UNIVERSITY OF WISCONSIN 2

Page 3: Security Policy

An overall general statement, produced by senior management, which dictates the role that security management plays in the organization.

- Made up of goals and responsibilities
- Shows the strategic and tactical value of the policy
- Outlines how enforcement should be carried out

Page 4: Security Policy Components: Business Objectives

Business objectives should drive the policy's creation, implementation and enforcement. The policy should not dictate business objectives.

Page 5: Security Policy Components: Make It Legible

The document should be written in plain language, so that all employees can easily understand, without question, the portions that apply to them.

Page 6: Security Policy Components: Uniformity

Make certain it fits all business functions and processes.

Page 7: Security Policy: Legal Conformity

It should support all legislation and regulations that apply to the company, whether local, national or international.

Page 8: Security Policy: A Living Document

It should be revisited on a regular basis and updated as necessary, as changes occur within the company.

Make certain that all changes are documented and recorded.

Page 9: Security Policy: Adaptability

It should be written in such a way as to make it useful for several years at a time, under normal circumstances, and flexible enough to deal with minor changes as they occur.

Page 10: Security Policy: Language

The tone of the policy must be certain and strong. Avoid using the word “should”, as it leaves room for interpretation. Instead, use the words “shall”, “will” and “must” throughout the document.

Page 11: Security Policy: Style

- No frills
- Professional looking
- Consistent presentation

Page 12: Why is IT Security Policy So Important?

- Helps identify the company's valuable assets
- Provides authority to the security team and their activities
- Provides a reference to review when conflicts pertaining to security arise
- States clearly the company's goals and objectives in the area of security
- Outlines personal responsibility

Page 13: Why is IT Security Policy So Important? (continued)

- Helps prevent unanticipated events from occurring
- Defines the scope and boundaries for the security team and its functions
- Outlines incident response responsibilities
- Outlines the company's response to legal and regulatory requirements

Page 14: Three Types of Security Policies Exist

- Regulatory
- Advisory
- Informative

Page 15: Security Policy Types: Regulatory

Ensures that the company is following standards set by specific industry regulations. It is very detailed and specific to a type of industry:

- Finance
- Healthcare
- Government

Page 16: Security Policy Type: Advisory

Tells employees which types of behaviors and activities shall and shall not take place within the organization. How to handle:

- Medical information
- Financial transactions
- Confidential information

Outlines ramifications for non-compliance.

Page 17: Security Policy Type: Informative

Informs employees on generalities of certain topics, but is not enforceable.

It teaches about issues important to the company, such as how the company would like employees to interact with business partners, the company's goal and mission, or the corporate reporting structure.

Page 18: Security Policy: Due Diligence

Due diligence is the act of investigating and understanding the risks the company faces.

Page 19: Security Policy: Due Care

A statement which demonstrates that the company has accepted and taken responsibility for activities which take place in the organization.

Page 20: How Due Diligence and Due Care are Related

Due diligence is the understanding of the threats and risks, while due care is the countermeasures which the company has put in place to address the threats and risks.

Page 21: Information Classification

In the field of data management, data classification is defined as a tool for categorizing data, to help an organization effectively answer the following questions:

- What data types are available?
- Where are certain data located?
- What access levels are implemented?
- What protection level is implemented, and does it adhere to compliance regulations?

Page 22: Data Classification

- Commercial Enterprise
- Military

You are business students, so we will focus on commercial enterprise data classification terminology.

Page 23: Data Classification Types

- Public
- Sensitive
- Private
- Confidential

Page 24: Data Classification: Public

Definition: Disclosure is not welcome, but it would not cause an adverse impact or damage to the company or its employees.

Examples:

- How many people work at the company
- Current job positions posted on the website

Page 25: Data Classification: Sensitive

Definition: Requires special precautions to ensure the integrity and confidentiality of the data, by preventing unauthorized modification or deletion. Requires higher than normal assurance of accuracy and completeness.

Examples:

- Financial information
- Details of projects
- Profit earnings and forecasts

Page 26: Data Classification: Private

Definition: Personal information, for use only within the company. Unauthorized disclosure could adversely affect employees, the company, its business partners or customers.

Examples:

- Work history
- HR information
- Medical information

Page 27: Data Classification: Confidential

Definition: For use within the company only. Exempt from disclosure under the Freedom of Information Act. Unauthorized disclosure could seriously affect a company.

Examples:

- Trade secrets
- Programming software code
- Information that keeps the company competitive

Page 28: Data Classification Procedures

1. Define classification levels
2. Specify the criteria by which data will be classified
3. Have the data owner indicate the classification level for their data
4. Identify the data custodian, who will be responsible for maintaining the data and its security level
5. Indicate the controls to be applied at each classification level

Page 29: Data Classification Procedures (continued)

6. Document any exceptions in detail
7. Indicate the methods which are used to transfer data custody to a different owner
8. Create a procedure to periodically review the data's classification and ownership
9. Indicate declassification procedures
10. Integrate this knowledge into a security awareness program

Page 30: If You Choose to Create Your Own Data Classification System

- Too many levels will make classification complex and confusing
- Too few levels will encourage sloppy data classification
- There should be no overlap between classification levels
- Classification levels should be developed for both data and the systems housing the data, and they should match
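The classification procedure (steps 2 to 5 and 8) and the design rules on this slide, worked as code. This is an added example, not material from the lecture: the four commercial levels are modelled as an ordered enum (the ordering is assumed from the sequence in which the lecture lists them), the criteria are evaluated most-restrictive first so no asset can fall into two levels, and a placement check enforces that a system's level covers the data it houses. The control names and assets are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum

class Level(IntEnum):
    # Least to most restrictive; ordering assumed from the lecture's listing sequence.
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3

# Step 5: controls applied at each level (constructed for this example).
CONTROLS = {
    Level.PUBLIC: {"integrity-check"},
    Level.SENSITIVE: {"integrity-check", "change-approval"},
    Level.PRIVATE: {"integrity-check", "change-approval", "access-list"},
    Level.CONFIDENTIAL: {"integrity-check", "change-approval", "access-list", "encrypt-at-rest"},
}

# Step 2: criteria, checked from most to least restrictive so every asset lands in exactly one level.
CRITERIA = [
    (Level.CONFIDENTIAL, lambda a: a.trade_secret),
    (Level.PRIVATE, lambda a: a.personal_data),
    (Level.SENSITIVE, lambda a: a.financial),
]

@dataclass
class Asset:
    name: str
    owner: str          # step 3: the owner is accountable for the level
    custodian: str      # step 4: maintains the data and its controls
    last_review: str    # ISO date of the last classification review (step 8)
    trade_secret: bool = False
    personal_data: bool = False
    financial: bool = False

def classify(asset: Asset) -> Level:
    """Return the single level whose criteria the asset meets first."""
    for level, matches in CRITERIA:
        if matches(asset):
            return level
    return Level.PUBLIC

def required_controls(asset: Asset) -> set:
    return CONTROLS[classify(asset)]

def can_host(system_level: Level, asset: Asset) -> bool:
    """Slide 30: the system level must cover the level of the data it houses."""
    return system_level >= classify(asset)

def review_due(asset: Asset, today: str, period_days: int = 365) -> bool:
    """True when the classification is older than the review period (step 8)."""
    age = date.fromisoformat(today) - date.fromisoformat(asset.last_review)
    return age > timedelta(days=period_days)
```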

Page 31: Hiring Practices

- Job skill screening
- Reference check
- Non-disclosure agreement (NDA) signed
- Education verification
- Criminal background check
- Credit report check
- Sex offender check
- Drug screening
- Professional license check
- Immigration status check
- Social Security Number trace to ensure validity

Page 32: Employee Controls: Rotation of Duties

No one person should stay in one position for an uninterrupted period of time, as this may enable them to have too much control over a segment of the business.

Mandatory vacation policy

Page 33: Employee Controls: Separation of Duties

Split knowledge system: No single employee has the knowledge to do a task by themselves

Example

Dual control: No single employee has the physical ability to do a task by themselves

Example
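Both controls on this slide, shown as code. This is an added example, not from the lecture: split knowledge is modelled by XOR-splitting a key into two shares so that neither custodian alone knows anything about it, and dual control by an action object that refuses to run until two distinct people have approved it. All names and the sample key are constructed.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

def split_secret(secret: bytes, rand: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Split knowledge: two shares, each useless on its own; XOR of both restores
    the secret. `rand` is only for deterministic tests; normally leave it None."""
    share_a = rand if rand is not None else secrets.token_bytes(len(secret))
    if len(share_a) != len(secret):
        raise ValueError("random share must be as long as the secret")
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b

def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Both custodians present their share; XOR recovers the original secret."""
    if len(share_a) != len(share_b):
        raise ValueError("shares do not belong together")
    return bytes(a ^ b for a, b in zip(share_a, share_b))

@dataclass
class DualControlAction:
    """Dual control: the action runs only after two different people approve."""
    description: str
    approvers: set = field(default_factory=set)
    done: bool = False

    def approve(self, user: str) -> int:
        self.approvers.add(user)   # a repeat approval by the same user adds nothing
        return len(self.approvers)

    def execute(self) -> bool:
        if len(self.approvers) < 2:
            return False           # one person cannot complete the task alone
        self.done = True
        return True
```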

Page 34: Termination Practices

Each company needs a set of pre-defined termination procedures. Example:

- Once terminated, the employee must be escorted out of the facility by their manager
- Employee must immediately surrender keys, employee badge, etc.
- Employee must be asked to complete an exit interview and return company property
- The terminated employee's online accounts must be disabled immediately upon termination

Page 35: Beware of Disgruntled Former Employees

Page 36: Security Awareness Training Program

- One for senior management
- One for staff
- One for technical employees

Each covers:

- Responsibilities
- Liabilities
- Expectations

Page 37: Security Awareness: Senior Management

Focus on: corporate assets, and the financial gains and losses which can occur due to information security incidents. They are the leaders; they must demonstrate the proper mindset to the rest of the company.

Page 38: Security Awareness: Mid-Management

Focus on: policies, standards and guidelines and how they map to individual departments; responsibility for ensuring their employees' adherence to the security policies; and how the managers will be held accountable for enforcement.

Page 39: Security Awareness: Employees

Focus on: the operational aspects of information security, proper system usage, how to recognize a security issue, and how to properly handle and report a suspected information security incident.

Page 40: Next Class: Access Control
