Chief Information Security Officer Legislative Data Center
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Chief Information Security Officer Legislative Data Center

on

  • 753 views

 

Statistics

Views

Total Views
753
Views on SlideShare
752
Embed Views
1

Actions

Likes
0
Downloads
4
Comments
0

1 Embed 1

http://www.slideshare.net 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Opening
  • Focus
  • Focus
  • Intro
  • Intro
  • Definitions
  • Definitions
  • Policies Standards Procedures And Guidelines
  • View Points Management Technical
  • Policies Purpose and Structure
  • Issues with policies Building the House Roof First JITP “No Exceptions” Samples – Good and Bad - Interactive
  • Standards Purpose and Structure
  • Issues with policies Building the House Roof First JITP “No Exceptions” Samples – Good and Bad - Interactive
  • Procedures Purpose and Structure
  • Issues with policies Building the House Roof First JITP “No Exceptions” Samples – Good and Bad - Interactive
  • Guidelines Purpose and Structure
  • Issues with policies Building the House Roof First JITP “No Exceptions” Samples – Good and Bad - Interactive
  • Policy Frameworks SAM/SIMM ISO 17799 – ISO 27000’s COBIT ITIL NIST CERT FISMA
  • Regulatory drivers SOX GLBA HIPPA CA SB1386 – CA CC 1798.1 PCI SAS70
  • Parallel Frames CMMI Architecture
  • Recommendations and Focus for Policy
  • Summary
  • Closing

Chief Information Security Officer Legislative Data Center Presentation Transcript

  • 1.  
  • 2. “ Policies and Procedures” Presented by Chief Information Security Officer Legislative Data Center Information Security Engineer and Architect Legislative Data Center Policy Manager - ISSA-Sac and Vice President - ISSA-Sac and Lee Vigue – lvigue@issa-sac.org Ned Allison – nallison@issa-sac.org
  • 3. The Focus “How do we deal with it all?”
    • Policies
    • Procedures
    • Standards
    • Guidelines
    • Practices
    • Regulations
    • Civil Codes
    • Criminal Laws
    • Requirements
    • Acts
    • Agreements
    • Statutes
    • Frameworks
      • SAM
      • SIMM
      • BS7799
      • ISO17799
      • ISO27002
      • COBITv4.0
      • NIST
      • CERT
      • SANS
    • Buzz Words
      • GLBA
      • SOX
      • HIPPA
      • SAS70
      • PCI
      • SB1386
      • E-Discovery
    • Related Issues
      • Architecture
      • CMMI
      • ITIL
  • 4. Addressing the issues
    • Looking at the issues from two viewpoints
      • Management
        • Tends to focus on Policy and Guidelines
        • Issues with being proactive about Policy
        • Critical to “supportability” of Policy
      • Technical
        • Tends to focus on Standards and Procedures
        • Issues with being constrained by Policy
        • Critical to “do ability” of Policy
  • 5. Walking the path
    • Starting with The Definitions
      • What is it
      • What makes it up
      • Samples of the good the bad and the ugly
    • Placement in the frame of reference
      • How does it relate to other “strategic” goals
    • Recommendations
    • Summary
    • Questions and Answers
  • 6. What is a Policy?
    • A High Level Statement of Enterprise Beliefs, Goals and objectives along with a general means for attaining them in a specified subject area.
    a step by step implementation set at high level a specific, detailed description a Brief Statement It is not It is
  • 7. A Policy needs support
    • Because a policy is written at a high level and is a simple statement of a goal, or objective it needs to be supported by;
      • Standards
      • Procedures
      • Guidelines
  • 8. Standards, Procedures and Guidelines
    • Standards –
      • Mandatory Activities, Actions or Rules supporting policies
    • Procedures
      • Detailed specifics on implementation
    • Guidelines
      • General Statements and Recommendations
  • 9. Definitions per ISO 17799
    • Policy
      • Overall intention and direction as formally expressed by management
    • Procedure
      • A formal method to accomplish a task, in accordance with policy and guidelines
    • Guideline
      • A description that clarifies what should be done and how, to achieve objectives set out in policy*
      • According to ISO 17799-2005
  • 10. Policies
    • Management View
    • Technical View
  • 11. Policy and Standard Example
    • Policy
      • Access to Enterprise Information Systems shall be restricted to authorized users only
    • Standard
      • Users must have a unique UserID and an individual and confidential password
  • 12. Issues with Policies
    • The need to build “meat and potatoes” statements first
    • The idea of “no exceptions”
    • The idea of “JITP”, Just In Time Policies
  • 13. Standards
    • Often refer to a specific Technology or Environment
      • Change with new technologies or environments
  • 14. Issues with Standards
    • Can be expensive to Maintain
    • Require updating to new technical conditions and environment
    • Change frequently in comparison to policies
  • 15. Procedures
    • Detailed statements of requirements and process for implementing policies and standards
    • Can be step by step
    • Can be lists of required approvals or actions
  • 16. Issues with Procedures
    • Procedures change frequently with
      • Organizational Changes
      • New approval Structures
      • New Technologies
      • New Requirements
    • Must be maintained
    • Change more frequently than Standards
    • Multiple Procedures may apply to a single Standard or Policy process
  • 17. What are Guidelines
    • General Statements and Recommendations designed to achieve Policy objectives and Standards Requirements
    • Can be used to provide a framework for Procedural implementation
  • 18. Issues with Guidelines
    • Guidelines are recommendations not mandatory requirements
    • Guidelines are not enforceable
    • Guidelines are frequently misused
  • 19. Examples
    • Policy
      • Access to information systems is restricted to authorized users only
    • Standard
      • Users will have a unique UserID and confidential password
    • Procedure
      • User will obtain a UserID and one time password upon management approval and must immediately change the password upon first login
    • Guideline
      • Passwords should be complex, consisting of more than 8 characters and include Upper Case, Lower Case, Numbers and Symbols
  • 20.  
  • 21. Samples Discussions
  • 22. Policy Frameworks
    • CA State SAM and SIMM
    • ISO 17799 – soon to become ISO 27000 Series
    • COBIT
    • NIST
    • CERT
    • others
  • 23. Regulatory Drivers
    • SOX
    • GLBA
    • HIPPA
    • PCI
    • SAS70
    • CA SB1386 – CA CC1798.1
      • others
  • 24. Parallel Frameworks
    • CMMI
    • Enterprise Architecture
    • ITIL
  • 25. Recommendations and Focus for Policies, Standards, Procedures and Guidelines
    • Find a Framework with works for your organization and adapt it to your needs
    • Get Executive Management support of your efforts
    • Engage Technical Staff in Standards and Procedures to ensure ownership
    • Publish Policy to all, Standards to those responsible, Procedures to those who engage in the process and Guidelines to the whole group involved to ensure awareness
    • Review and regularly maintain the structure to ensure that it remains accurate, do able, and relevant to your organizational needs and the changing regulatory and technical environments
  • 26. Framework Recommendation
    • Use COBIT as an overall implementation
      • Provides Auditable Metrics
    • Use ISO 17799 (27000’s) as a Security Framework
      • Provides Detailed Structure to the whole security picture
    • Use NIST/CERT/SANS as a Standards Source
      • Provides Details of specific Technologies and Requirements
    • User ITIL to implement Procedures
      • Provides structure to Operational Aspects of Security
  • 27. Summary
    • Management View
    • Technical View
  • 28.
    • Questions
    • And
    • Discussion
  • 29. Closing Resources
    • http://sam.dgs.ca.gov/default.htm
    • http://www.dof.ca.gov/OTROS/StatewideIT/SIMM/SIMM.asp
    • http://www.sans.org/resources/policies/
    • http://csrc.nist.gov
    • http:// www.iso.org /
    • http://www.itil.co.uk/
    • http://www.isaca.org/
    • http://www.issa.org/
    • And finally the shamless plug
      • http://www.issa-sac.org/welcome.shtml