Wrong confirmation ID

Email
Favorite
Favorited ×
Download
Embed
Private Content
Copy and paste this code into your blog or website Copy Customize… Close
We have emailed the verification/download link to "".
Login to your email and click the link to download the file directly.

To request the link at a different email address, update it here. Close
Validation messages. Success message. Fail message.

Check your bulk/spam folders if you can't find our mail.

Loading…

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

+ Follow

Security Policy: The Next Generation

by Peter Hesse on Oct 18, 2010

584 views

Presentation delivered by Peter Hesse at Security BSides Atlanta, October 8, 2010

More…

Presentation delivered by Peter Hesse at Security BSides Atlanta, October 8, 2010

Less

Statistics

Favorites: 1
Downloads: 0
Comments: 0
Embed Views: 0
Views on SlideShare: 584
Total Views: 584

Is it just because we’ve been doing it so long we don’t remember?
Policies are written to counter known or notional risk.
What game are we playing if I show this to you?
Helps set the rules of the game – guidance -- not that they can’t be changed later
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Policies are hard to develop so people follow useful frameworks.
Then they have to follow some more frameworks.
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Can you understand this? I can’t.
Length of policy also a huge problem.
Policies are largely formed by cut and paste. By cutting and pasting without thinking through why things are in there (“I just know they have to be”) we create additional problems. Policies which are harder to justify, policies the writers can’t even understand, policies that are too long.
Like making sausage
Quote from http://googleblog.blogspot.com/2010/09/trimming-our-privacy-policies.html We’re also simplifying our main Google Privacy Policy to make it more user-friendly by cutting down the parts that are redundant and rewriting the more legalistic bits so people can understand them more easily.
Did you know that NIST created a guide for improving the security of your XP home installation, aimed at federal teleworkers? Useful, right? It is 175 pages.
However, they distill the guide down to 5 main points, care to guess what they are?
-Patching
-Running as limited user
-Anti-malware
-Personal firewall
-Perform backups
Do they need the rest of the document?
Policies often treat as one-size-fits-all, but that is not the case. If a policy includes every risk mitigation technique known to the organization, it will have requirements that apply only to IT, only to management, only to finance – and few that apply to all users. Yet, they’re all in the same policy. We need multiple policies, or multiple views of the same policy, to make sense to the audience
Is the risk associated with these two policy statements equivalent?
Do these statements apply to the average user? (No, 1 is for IT only, 2 is for people doing downloads, and management to know that they need to approve – but how do they determine if they should?)
What do you do when one of these policies is met, but the other isn’t?
- Here is what we’re doing. We are working on prioritizing policy based on a heat map. Heat map can change based on the revelation of new threats, improved perception of risk, improved controls being put into place.
- Not getting into the metrics / qualitative/ quantitative holy war, but policies related to greater risks should have greater importance; those that relate to lower risks should be waived, deemed less important, or excised entirely
- The heat map could automatically filter based on the perspective of the audience
- Here is what we’re doing. We are working on prioritizing policy based on a heat map. Heat map can change based on the revelation of new threats, improved perception of risk, improved controls being put into place.
- Not getting into the metrics / qualitative/ quantitative holy war, but policies related to greater risks should have greater importance; those that relate to lower risks should be waived, deemed less important, or excised entirely
- The heat map could automatically filter based on the perspective of the audience
- Here is what we’re doing. We are working on prioritizing policy based on a heat map. Heat map can change based on the revelation of new threats, improved perception of risk, improved controls being put into place.
- Not getting into the metrics / qualitative/ quantitative holy war, but policies related to greater risks should have greater importance; those that relate to lower risks should be waived, deemed less important, or excised entirely
- The heat map could automatically filter based on the perspective of the audience

1 Favorite

realbeeven Tags policy infosec 1 year ago

Security Policy: The Next Generation — Presentation Transcript

Security Policies: The Next Generation Peter Hesse Gemini Security Solutions, Inc. Security B-Sides Atlanta | October 8, 2010
Why do we have security policies?
We need rules to play the game
Written a policy lately?
Written a policy lately? ISO 27001
Written a policy lately? ORANG PCI-DSS 41 CFR 102 E BOOK SAS-70 FISMAISO 27001 WeBTRUST BITS SysTrust ISO 17799 / DITSCAP FIPS 199 BS 7799 Cloud Audit HIPAA
The language of policy [Organization] and applicable subsidiary Level 2 Unit ISMs will coordinate and document the establishment of all external network connections for their unit with Network Services. As every external network connection is potentially an entry point for intruders, Level 2 Unit ISMs must document all external network connections in their unit, including modems.
Code versus Policy
Code versus Policy
What happens if we simplify?
One-size-ﬁts-all or tailor made?
What is the focus? Systems must be patched within 30 days of release of patch from vendor Management approval is required to download any copyrighted material from the Internet
Improving security policy: Prioritize
Improving security policy: Prioritize
Improving security policy: Prioritize
Improving security policy: Prioritize
The Next Generation: • Simplify, streamline, squeeze out jargon • Prioritize and heat map based on relative risk and audience • Build approaches that transcend documentation and encourage good behavior
Fin. • Peter Hesse, Gemini Security Solutions @pmhesse, pmhesse@geminisecurity.com • Extra special thanks to my partner-in-crime on this work, Michael Santarcangelo @catalyst (www.securitycatalyst.com)

Security Policy: The Next Generation

by Peter Hesse on Oct 18, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

Statistics

Security Policy: The Next Generation — Presentation Transcript