Taxonomy-based Information Security Policies (Presentation Transcript)
Information Security Juggernaut: Making it better without making it complex. Taxonomy-based Security Policies. By Ravila Helen White, CISSP, CISM, CISA, GCIH
Disclaimer This presentation and the concepts herein are my opinions through private research, practice and chatting with other professionals. It is not the opinion of past, present or future employers.
What it is. Taxonomy is the practice and science of classification. Mathematically, a hierarchical taxonomy is a tree structure of classifications for a given set of objects; it is also called a containment hierarchy. At the top of this structure is a single classification, the root node, that applies to all objects. In legal usage, an open-ended contextual taxonomy is a taxonomy that holds only with respect to a specific context.
Technological uses of taxonomy: data warehouses, data marts, reports.
Used in policy development: groups like policies together; eliminates redundant policies; supports sustainable policy design and maintenance.
What are policy artifacts? Legal documents and authoritative guides.
Controls for Security Policies
Security policy controls: point, enterprise, hybrid, context, use scenario, exception, floor.
Defining Policy Context
Defining context: system or domain identification; parent identification (the context control aligns to the parent or a superset of it); use scenario identification (the use scenario defines the child domain and/or the consumer).
Develop a schema from the same elements: system or domain, parent, context control, use scenario.
Policy concept schema
Policy narrative: meta policy, micro policies, use scenario, exceptions.
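The containment hierarchy described above can be checked mechanically. The following is an added example, not code from the presentation or from the author: it models a policy taxonomy as a tree whose root carries the meta policy, lets each child domain only align to or tighten its parent's controls, flags controls a child merely restates (the redundancy the taxonomy is meant to eliminate), and scopes exceptions to a named use scenario. The node names, the integer "control level" convention (higher is stricter) and the sample values are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption for this example: each control is an integer level where a higher
# number is a stricter requirement. Real policies carry richer values.


@dataclass
class PolicyNode:
    """One node of the containment hierarchy (enterprise, domain, system, ...)."""
    name: str                                   # system or domain identification
    controls: Dict[str, int] = field(default_factory=dict)
    parent: Optional["PolicyNode"] = None       # parent identification
    children: List["PolicyNode"] = field(default_factory=list)
    # use scenario -> {control name: justification}; an exception is scoped to a consumer
    exceptions: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def add_child(self, child: "PolicyNode") -> "PolicyNode":
        """Attach a child domain; its controls must align to the parent or be a superset."""
        inherited = self.effective_controls()
        for name, level in child.controls.items():
            if name in inherited and level < inherited[name]:
                raise ValueError(
                    f"{child.name}: {name}={level} is weaker than the parent's {inherited[name]}")
        child.parent = self
        self.children.append(child)
        return child

    def ancestors(self) -> List["PolicyNode"]:
        """Nearest parent first, ending at the root."""
        chain, node = [], self.parent
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain

    def effective_controls(self) -> Dict[str, int]:
        """Meta policy from the root, refined by each micro policy down to this node."""
        merged: Dict[str, int] = {}
        for node in self.ancestors()[::-1] + [self]:
            merged.update(node.controls)
        return merged

    def redundant_controls(self) -> List[str]:
        """Controls this node restates at exactly the level an ancestor already imposes."""
        inherited = self.parent.effective_controls() if self.parent else {}
        return sorted(n for n, lvl in self.controls.items() if inherited.get(n) == lvl)

    def applicable_controls(self, use_scenario: str) -> Dict[str, int]:
        """Effective controls minus the exceptions approved for one use scenario."""
        result = self.effective_controls()
        for name in self.exceptions.get(use_scenario, {}):
            result.pop(name, None)
        return result


def find(node: PolicyNode, name: str) -> Optional[PolicyNode]:
    """Depth-first lookup of a node by name."""
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def build_example_taxonomy() -> PolicyNode:
    """Constructed sample hierarchy; names and values are assumed, not real policy."""
    enterprise = PolicyNode("Enterprise", {
        "password_min_length": 12, "mfa_required": 1, "log_retention_days": 90})
    payments = enterprise.add_child(PolicyNode("Payment systems", {
        "password_min_length": 14,   # tightened: allowed
        "mfa_required": 1,           # restated unchanged: redundant with the meta policy
        "log_retention_days": 365}))
    payments.add_child(PolicyNode(
        "Store kiosks", {},
        exceptions={"shared display terminal": {
            "mfa_required": "no interactive login; compensating control: network isolation"}}))
    return enterprise


def rejects_weaker_child(root: PolicyNode) -> bool:
    """True if the hierarchy refuses a child that weakens an inherited control."""
    try:
        root.add_child(PolicyNode("Weak domain", {"password_min_length": 8}))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root = build_example_taxonomy()
    payments = find(root, "Payment systems")
    print("redundant in Payment systems:", payments.redundant_controls())
    kiosk = find(root, "Store kiosks")
    print("kiosk, shared terminal:", kiosk.applicable_controls("shared display terminal"))
    print("weaker child rejected:", rejects_weaker_child(root))
```

The redundancy check only catches a child restating a control verbatim; a child that tightens a control is a legitimate micro policy and is kept. Exceptions are looked up by use scenario rather than attached to the node as a whole, so the same system can carry the full control set for one consumer and an approved exception for another.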
Tip #1: Write policies after you have identified the business peers who must help support and enforce them.
Tip #2: Keep track of policy violations. Violations may occur because of a lack of training or understanding.
Tip #3: Examine the organization's technology roadmap and write policies that complement it. This reduces the number of incremental updates the policy will need.
Tip #4: Provide end users with a FAQ or informational documentation that conveys why supporting the policies is important and how they safeguard the organization.
Copyright information: Some works in this presentation are licensed under the Creative Commons (CC) license. Please respect the license when using or adapting the concepts. For more information, see www.creativecommons.org
Thank you. For a complete narrative of this presentation, search for "Writing security policies using a taxonomy-based approach" or see the December 2009 issue of Information Security magazine.