Security Policies and Standards


Transcript of Security Policies and Standards


Introduction
- Organization: a collection of people working together toward a common goal; they must have a clear understanding of the rules of acceptable behavior
- Policy: conveys management's intentions to its employees
- Effective security program: use of a formal plan to implement and manage security in the organization


Policies, Standards, and Procedures
- Policy: set of guidelines or instructions that the organization's senior management implements (the idea)
- Standards: more detailed descriptions of what must be done to comply with policy (the specifics and outline)
- Procedures: how to accomplish the policies and standards


Effective Policies
For a policy to be considered effective and legally enforceable:
- Dissemination: distribution of the information. Is it in a readily available place?
- Review: has it been read? Who is reading it?
- Comprehension: is it understandable, or too confusing?
- Compliance: acknowledge vs. agree
- Uniform enforcement: how are violations being handled?


What Drives Policy Development?
- Mission of an organization: written statement of the purpose of the organization; usually not modified
- Vision of an organization: written statement of the organization's long-term goals; occasionally modified
- Strategic planning: process of moving the organization toward its vision; constantly reworked to promote progress
- Security policy: set of rules that protects an organization's assets

Question: What are some security policies you are aware of?


Types of Information Security Policies
- Information security policy: set of rules for the protection of an organization's information assets
- Enterprise information security policies: general security policy
- Issue-specific security policies: specific technology policy
- Systems-specific security policies: configurations


Enterprise Information Security Policy (EISP)
- Supports the mission, vision, and direction of the organization
- Sets the strategic direction, scope, and tone for all security efforts
- Executive-level document, drafted by the organization's chief information officer
- Expresses the security philosophy within the IT environment
- Guides the development, implementation, and management of the security program
- Addresses an organization's need to comply with laws and regulations in two ways: general compliance, and identification of specific penalties and disciplinary actions


Components of EISP


Issue-Specific Security Policy (ISSP)
- Addresses specific areas of technology
- Requires frequent updates
- Contains a statement on the organization's position on a specific issue
- May cover:
  - Use of company-owned networks and the Internet
  - Use of telecommunications technologies (fax and phone)
  - Use of electronic mail
  - Specific minimum configurations of computers to defend against worms and viruses
  - Prohibitions against hacking or testing organization security controls
  - Home use of company-owned computer equipment
  - Use of personal equipment on company networks
  - Use of photocopy equipment


Components of ISSP


Systems-Specific Policy (SysSP)
- Appears with the managerial guidance expected in a policy
- Includes detailed technical specifications not usually found in other types of policy documents
- Managerial guidance SysSPs: guide the implementation and configuration of a specific technology
- Technical specifications SysSPs: general methods for implementing technical controls
  - Access control lists (ACLs): set of specifications that identifies a piece of technology's authorized users and includes details on the rights and privileges those users have on that technology
  - Access control matrix: combines capability tables and ACLs
  - Configuration rules: specific instructions entered into a security system to regulate how it reacts to the data it receives
  - Rule-based policies: more specific to a system's operation than ACLs; may or may not deal with users directly
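The technical-specification SysSP terms above are easiest to see side by side in code. The following is an added example written for this transcript, not material from the slides: an access control matrix whose columns are ACLs (who may touch one object) and whose rows are capability tables (what one subject may touch), next to a small first-match, default-deny rule evaluator that matches on request attributes rather than on users, which is the "may or may not deal with users directly" property of rule-based policies. All subjects, objects, rights, addresses and rules are constructed for illustration.

```python
"""Access control matrix, ACL and capability views, and a rule-based
configuration policy.  Added example; every name below is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

Rights = FrozenSet[str]


class AccessControlMatrix:
    """Subjects are rows, objects are columns, each cell holds a set of
    rights.  An ACL is one column; a capability table is one row."""

    def __init__(self) -> None:
        self._cells: Dict[str, Dict[str, Set[str]]] = {}

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._cells.setdefault(subject, {}).setdefault(obj, set()).update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        cell = self._cells.get(subject, {}).get(obj)
        if cell:
            cell.difference_update(rights)

    def acl(self, obj: str) -> Dict[str, Rights]:
        """Column view: the ACL attached to one object (subjects with any right)."""
        return {s: frozenset(objs[obj]) for s, objs in self._cells.items()
                if objs.get(obj)}

    def capabilities(self, subject: str) -> Dict[str, Rights]:
        """Row view: the capability table held by one subject."""
        return {o: frozenset(r) for o, r in self._cells.get(subject, {}).items() if r}

    def permits(self, subject: str, obj: str, right: str) -> bool:
        return right in self._cells.get(subject, {}).get(obj, set())


@dataclass(frozen=True)
class Rule:
    """One configuration rule.  None means 'match anything'.  Rules look at
    the request (protocol, port, source), never at a user identity."""
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None
    port: Optional[int] = None
    src_prefix: Optional[str] = None  # simplified: textual address prefix

    def matches(self, proto: str, port: int, src: str) -> bool:
        return ((self.proto is None or self.proto == proto)
                and (self.port is None or self.port == port)
                and (self.src_prefix is None or src.startswith(self.src_prefix)))


def evaluate_rules(rules: List[Rule], proto: str, port: int, src: str) -> str:
    """First matching rule wins; a request that matches nothing is denied."""
    for rule in rules:
        if rule.matches(proto, port, src):
            return rule.action
    return "deny"


# Constructed sample rule set: SSH only from the internal 10.0.x.x range,
# HTTPS from anywhere, everything else falls through to the default deny.
SAMPLE_RULES: List[Rule] = [
    Rule("allow", proto="tcp", port=22, src_prefix="10.0."),
    Rule("deny", proto="tcp", port=22),
    Rule("allow", proto="tcp", port=443),
]


def build_sample_matrix() -> AccessControlMatrix:
    """Constructed sample subjects and objects."""
    m = AccessControlMatrix()
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("alice", "hr-share", "read")
    m.grant("bob", "payroll.db", "read")
    m.grant("carol", "hr-share", "read", "write")
    return m


if __name__ == "__main__":
    matrix = build_sample_matrix()
    print("ACL for payroll.db:", matrix.acl("payroll.db"))
    print("Capabilities of alice:", matrix.capabilities("alice"))
    matrix.revoke("bob", "payroll.db", "read")
    print("ACL after revoking bob:", matrix.acl("payroll.db"))
    for req in [("tcp", 22, "10.0.0.5"), ("tcp", 22, "203.0.113.9"),
                ("tcp", 443, "203.0.113.9"), ("udp", 53, "10.0.0.5")]:
        print(req, "->", evaluate_rules(SAMPLE_RULES, *req))
```

Revoking a subject's last right on an object drops it from that object's ACL and from the subject's capability table at once, because both are views over the same matrix; keeping ACLs and capability tables as separate copies is where the two drift apart. The rule evaluator's default deny is the safe failure mode for a configuration rule set: an unanticipated request is refused rather than silently allowed.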


Frameworks and Industry Standards
- Security blueprint: basis for the design, selection, and implementation of all security program elements
- Security framework: outline of the overall information security strategy; roadmap for planned changes to the organization's information security environment
- Examples: the ISO 27000 series, the NIST model


NIST Security Models
Computer Security Resource Center (CSRC) publications:
- SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems: lists the principles and practices to be used in the development of a security blueprint
- SP 800-41 Rev. 1, Guidelines on Firewalls and Firewall Policy: provides an overview of the capabilities and technologies of firewalls and firewall policies
- SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations: describes the selection and implementation of security controls for information security to lower the possibility of a successful attack from threats
- SP 800-53A (Jul 2008), Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans: provides a systems development life cycle approach to security assessment of information systems


Other NIST Perimeter Defense Publications


Benchmarking and Best Practices
- Best practices: procedures that are accepted or prescribed as being correct or most effective
- Benchmarking: evaluation against a standard
- Spheres of security: generalized foundation of a good security framework
- Controls: implemented between systems and the information, between networks and the computer systems, and between the Internet and internal networks
- Information security: designed and implemented in three layers: policies, people (education, training, and awareness programs), and technology


Spheres of Security


Security Education, Training, and Awareness Program
- Security education, training, and awareness (SETA) program
- Responsibility of the CISO
- Control measure designed to reduce the incidence of accidental security breaches by employees
- Designed to supplement the general education and training programs


Purpose of SETA
The program elements:
- Security education: provide opportunity, inform (the "why")
- Security training: hands-on education and experience (the "how")
- Security awareness: reinforce (the "what")
The purpose of SETA is to enhance security by:
- Improving awareness of the need to protect system resources
- Developing skills and knowledge so computer users can perform their jobs more securely
- Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems

Security Education
- Investigate available courses from local institutions of higher learning or continuing education
- Centers of Excellence program: identifies outstanding universities that have both coursework in information security and an integrated view of information security in the institution itself
- 4th grade cyber security training

Security Training
- Provides detailed information and hands-on instruction to employees to prepare them to perform their duties securely
- Industry training conferences and programs offered through professional agencies
- SETA resources: offer assistance in the form of sample topics and structures for security classes

Security Awareness
- Designed to keep information security at the forefront of users' minds
- Includes newsletters, security posters, videos, bulletin boards, flyers, and trinkets


Security Awareness Examples

DTCC's Own Newsletter

Summary
- Policy: basis for all information security planning, design, and deployment
- The security team develops a design blueprint used to implement the security program
- Implement a security education, training, and awareness (SETA) program to supplement the general education and training programs
