Security Policies and Implementation Issues
Chapter 12
Incident Response Team (IRT) Policies
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe the different information systems security (ISS) policies associated with incident response teams (IRTs).
7/17/2014
Key Concepts
Incident response policies
Team members associated with incident response
Emergency services related to IRTs
Policies specific to incident response support services
Policies associated with handling the media and what to
disclose
Business impact analysis (BIA) policies
Business continuity plan (BCP) policies
Disaster recovery plan (DRP) policies
Incident Response Team (IRT)
Cross-functional team
Organized and coordinated
Various skills
Usually only responds to major incidents
Minor incidents considered part of normal operations
Definition of an Incident
Any event that violates security policy
Unauthorized access to data
Unauthorized modification of data
Disruption of service
Classifying Breach by Attack Vector
Attack Vectors
SQL injection
Malicious code or malware
Insecure remote access
Insecure wireless
Improperly segmented network environment
Classifying an Incident
Develop a classification system
Varies by industry type
Should meet legal and regulatory obligations
Common approach is to use categories that assess threat level
Malicious code
Denial of Service
Unauthorized access
Inappropriate usage
Major vs. minor
Major incidents are significant
Determination based on risk to organization
Forming an Incident Response Team
Develop a charter
Determine IRT Model
Set goals (e.g., response time)
Identify Team Members
Team Members
Information Technology
Information Security
Human Resources
Legal
Public Relations
Business Continuity
Data Owner
Management
Charter Sections
Organizational Structure
Roles & Responsibilities
Information Flow
Authority & Reporting
Goals
Team responsibilities
Incident Declaration
Definitions
Declaration process
Team alignment
Member management
For team members
Communications
How goals are achieved
Level of authority
Source of authority
Summary
Mission Statement
Methods
IRT Models
On-Site Response: full authority to contain the breach
Supporting Role: technical assistance to the local team
Coordination: coordinates several local teams
Roles and Responsibilities
IRT Manager
Makes all the final calls on how to respond to an incident and is the interface with management
IRT Coordinator
Acts as the official scribe of the team; all activity flows through this person, who maintains the official records of the team
Users
May have a supporting role in the IRT as data owner representatives
System Administrators
The subject matter experts (SMEs) chosen for each incident response effort will vary depending upon the type of incident and the affected system(s)
Information Security Personnel
These team members may also have the specialized forensic skills needed to collect and analyze evidence
Management
Ultimately, management is held accountable for the outcome of the incident response effort
Incident Response Support Services
A broad category meaning any team that supports the organization's information technology (IT) and business processes
Example: The help desk is a support services team
During an incident, the help desk may be in direct contact with the customer who is impacted by the attack
The help desk, at that point, becomes a channel of information on the incident
It is vital that the help desk, during an incident, works from a script of key talking points about the incident
The Incident Response Process
Plan and Train
Discover and Report Incident
Contain
Clean Up
Analyze and Prevent
Report
BIA Policies
Identifies assets required for business to recover and continue
doing business
BIA may be based on multiple worst-case scenarios
Key assets include critical resources, systems, facilities,
personnel, and records
BIA should contain security breach scenarios
BIA Policies (Continued)
Identifies recovery times
Used for information security and non–information security
purposes
Identifies adverse effects on the organization
Identifies key components
Key Objectives of the Business Impact Analysis (BIA) Policy
Identify resources required to recover each component
Identify human assets needed to recover these components
Identify dependencies, such as other BIA components
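The BIA objectives above (recovery times, resources, and dependencies between components) can be checked mechanically once the BIA is written down as data. The following is an added example, not code from the textbook: it takes a constructed BIA register with assumed component names, restore hours and recovery time objectives, orders the components so that dependencies are restored first, rejects circular or unknown dependencies, and flags any component whose achievable recovery time misses its objective.

```python
"""BIA dependency analysis (added example; not from the textbook).

Each BIA component records the hours needed to restore it once its
dependencies are available, the recovery time the business requires
(its recovery time objective, RTO) and the components it depends on.
All names and numbers below are constructed sample data.
"""
from collections import deque

# Constructed sample BIA register: name -> (restore_hours, rto_hours, dependencies)
BIA_COMPONENTS = {
    "network":   (2, 4,  []),
    "identity":  (3, 6,  ["network"]),
    "database":  (6, 8,  ["network"]),
    "order_app": (2, 8,  ["identity", "database"]),
    "reporting": (4, 24, ["database"]),
}


def recovery_order(components):
    """Return a restore order in which every dependency precedes its dependents.

    Raises ValueError for an unknown dependency or a dependency cycle; both
    are BIA data errors that must be fixed before any recovery plan is built.
    """
    indegree = {name: 0 for name in components}
    dependents = {name: [] for name in components}
    for name, (_, _, deps) in components.items():
        for dep in deps:
            if dep not in components:
                raise ValueError(f"{name} depends on unknown component {dep}")
            indegree[name] += 1
            dependents[dep].append(name)
    # Kahn's algorithm: restore everything with no outstanding dependencies,
    # then release whatever those restorations unblock.
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        name = ready.popleft()
        order.append(name)
        for child in sorted(dependents[name]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(components):
        cyclic = sorted(n for n, d in indegree.items() if d > 0)
        raise ValueError(f"circular dependency among {cyclic}")
    return order


def earliest_restore_times(components):
    """Earliest hour at which each component can be back in service.

    Assumes enough recovery staff that independent components are restored
    in parallel; a component starts only when all its dependencies are done.
    """
    finish = {}
    for name in recovery_order(components):
        restore_hours, _, deps = components[name]
        start = max((finish[d] for d in deps), default=0)
        finish[name] = start + restore_hours
    return finish


def rto_violations(components):
    """Components whose earliest achievable restore time exceeds their RTO.

    Returns name -> (achievable_hours, rto_hours) for each violation.
    """
    finish = earliest_restore_times(components)
    return {n: (finish[n], rto) for n, (_, rto, _) in components.items()
            if finish[n] > rto}


if __name__ == "__main__":
    for name, hours in earliest_restore_times(BIA_COMPONENTS).items():
        print(f"{name:<10} restored at hour {hours}")
    print("RTO violations:", rto_violations(BIA_COMPONENTS))
```

In the sample data the order application cannot be back inside its 8-hour objective because the database it depends on takes 8 hours on its own, which is exactly the kind of dependency finding the BIA is meant to surface.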
Business Continuity Planning Policies
Creates a road map for continuing business operations after a
major outage or disruption of services
Establishes the requirement to create and maintain the plan
Provides guidance for building a plan
Includes key assumptions, accountability, and frequency of
testing
Business Continuity Planning Policies (Continued)
Must clearly define responsibilities for creating and maintaining the BCP
Identifies responsibilities for its execution
Covers the business’s support structure
BIA, BCP, and DRP
BIA
Drives the requirements for the BCP
BCP
Drives requirements for the DRP
DRP
Policies needed to recover IT assets after a major outage
Best Practices in Incident Response
Effectiveness of the IRT and its related policies needs to be
measured
Measurement should be published annually with a comparison
to prior years
Best Practices in Incident Response (Continued)
Measurements should include the goals in the IRT charter, plus
additional analytics to indicate the reduction of risk to the
organization, such as:
Number of incidents
Number of repeat incidents
Time to contain per incident
Financial impact to the organization
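As an added example (not the textbook's code), the following computes the metrics listed above from a constructed incident register and compares each year with the prior one. The incident records, the dollar figures and the assumed 8-hour charter containment goal are constructed sample data; a real register would come from the IRT coordinator's official records.

```python
"""IRT effectiveness metrics (added example; not the textbook's own code).

Computes the analytics the slides list (number of incidents, repeat
incidents, time to contain, financial impact) per year, counts misses of
the charter containment goal, and compares each year with the prior one.
All incident records and figures below are constructed sample data.
"""
from datetime import datetime
from statistics import mean

# Assumed charter goal: every major incident contained within 8 hours.
CHARTER_CONTAINMENT_GOAL_HOURS = 8

# Constructed sample incident register. Times are when the incident was
# detected and when containment was confirmed; cost is the assessed impact.
INCIDENTS = [
    {"id": "INC-1", "category": "malicious code", "system": "fileserver-1",
     "detected": "2013-02-03 09:00", "contained": "2013-02-03 15:30", "cost": 12000},
    {"id": "INC-2", "category": "unauthorized access", "system": "hr-portal",
     "detected": "2013-06-11 22:10", "contained": "2013-06-12 10:10", "cost": 45000},
    {"id": "INC-3", "category": "malicious code", "system": "fileserver-1",
     "detected": "2013-09-20 08:00", "contained": "2013-09-20 12:00", "cost": 8000},
    {"id": "INC-4", "category": "denial of service", "system": "web-frontend",
     "detected": "2014-01-15 14:00", "contained": "2014-01-15 18:00", "cost": 20000},
    {"id": "INC-5", "category": "malicious code", "system": "fileserver-1",
     "detected": "2014-05-02 11:00", "contained": "2014-05-02 13:00", "cost": 3000},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def annual_metrics(incidents, goal_hours=CHARTER_CONTAINMENT_GOAL_HOURS):
    """Per-year metrics keyed by year.

    A repeat incident is one whose (category, affected system) pair was
    already seen in an earlier incident, in any year: the same malware on
    the same file server twice suggests the root cause was never removed.
    """
    seen = set()
    years = {}
    for inc in sorted(incidents, key=lambda i: _parse(i["detected"])):
        detected, contained = _parse(inc["detected"]), _parse(inc["contained"])
        if contained < detected:
            raise ValueError(f"{inc['id']}: contained before detected")
        hours = (contained - detected).total_seconds() / 3600
        key = (inc["category"], inc["system"])
        m = years.setdefault(detected.year, {
            "incidents": 0, "repeat_incidents": 0, "contain_hours": [],
            "financial_impact": 0, "goal_misses": 0})
        m["incidents"] += 1
        m["repeat_incidents"] += key in seen
        m["contain_hours"].append(hours)
        m["financial_impact"] += inc["cost"]
        m["goal_misses"] += hours > goal_hours
        seen.add(key)
    for m in years.values():
        hrs = m.pop("contain_hours")
        m["mean_hours_to_contain"] = round(mean(hrs), 2)
        m["max_hours_to_contain"] = max(hrs)
    return years


def compare_to_prior_year(metrics, year):
    """Change of each metric versus the previous year, or None if there is
    no prior year to compare against (the first year of measurement)."""
    prior = metrics.get(year - 1)
    if prior is None:
        return None
    return {k: round(metrics[year][k] - prior[k], 2) for k in metrics[year]}


if __name__ == "__main__":
    metrics = annual_metrics(INCIDENTS)
    for year in sorted(metrics):
        print(year, metrics[year])
        print("  change vs prior year:", compare_to_prior_year(metrics, year))
```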
Summary
Incident classifications
Roles and responsibilities associated with incident response
team policies
Incident support services
Best practices for creating incident response team policies
BIA, BCP, and DRP policies
Security Policies and Implementation Issues
Chapter 11
Data Classification and Handling Policies
and Risk Management Policies
Learning Objective
Describe the different information systems security (ISS) policies associated with risk management.
Key Concepts
Business risks related to information systems
Risks associated with the selected business model
Differences between public and private risk management
policies
Risk and Control Self-Assessments (RCSA)
Quality Assurance (QA) and Quality Control (QC)
Purpose of Data Classification
Protect information
Retain information
Recover information
Legal Classification Scheme
Prohibited Information
Confidential Information
Unrestricted Information
Restricted Information
Military Classification Scheme
The U.S. military classification scheme is defined in the National Security Information document, Executive Order (EO) 12356
Top Secret—Data whose unauthorized disclosure could reasonably be expected to cause grave damage to national security
Secret—Data whose unauthorized disclosure could reasonably be expected to cause serious damage to national security
Confidential—Data whose unauthorized disclosure could reasonably be expected to cause damage to national security
Military Classification Scheme (Continued)
Unclassified data has two classification levels:
Sensitive but unclassified—Confidential data not subject to
release under the Freedom of Information Act
Unclassified—Data available to the public
Declassification of Government Data
Business Classification Scheme
Highly Sensitive: mission-critical data
Sensitive: data that is important but not vital to the business mission
Internal: data not related to the core business, such as routine communications within the organization
Public: data that has no negative impact on the business when released to the public
Developing a Customized Classification Scheme
Determine number of classification levels
Define each classification level
Name each classification level
Align classification to specific handling requirements
Define audit and reporting requirements
Classifying Data
You need to consider two primary issues when classifying data:
Data ownership
Security controls
These two issues help you drive maximum value from the data classification effort.
Data Handling Policies
Policies, standards, and procedures must be defined regarding
data during:
Creation—During creation, data must be classified. That could
be simply placing the data within a common storage area.
Access—Access to data is governed by security policies.
Special guidance is provided on separation of duties (SoD).
Use—Use of data includes protecting and labeling information
properly after its access.
Transmission—Data must be transmitted in accordance with
policies and standards.
Data Handling Policies (Continued)
Storage—Devices on which data is stored must be approved. This ensures that access to the device is secured and properly controlled.
Physical Transport—Transport of data must be approved. This ensures that data leaving the confines of the private network is protected and tracked.
Destruction—Destruction of data is sometimes called "disposal." When an asset reaches its end of life, it must be destroyed in a controlled procedure.
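The customized scheme steps (define and name the levels, align each to handling requirements, define audit requirements) and the life-cycle stages above can be turned into a check that runs over handling records. As an added example that is not part of the textbook, the following uses the four-level business scheme (Public, Internal, Sensitive, Highly Sensitive) and audits constructed handling events against the controls each class requires at each stage; the control names, assets and events are assumptions, not the book's policy, and a real policy would name the actual approved devices, encryption standards and disposal methods.

```python
"""Data classification handling audit (added example; not from the textbook).

Uses the four-level business scheme from the slides and checks recorded
handling events against the controls each class requires at each
life-cycle stage (creation, access, use, transmission, storage, physical
transport, destruction). Control names and sample events are constructed.
"""

# Levels ordered from lowest to highest risk; the list index is the rank.
LEVELS = ["Public", "Internal", "Sensitive", "Highly Sensitive"]

# Assumed handling requirements: per class, stage -> set of controls.
# A class inherits every requirement of the classes below it, so the
# table only lists what each level adds.
_BASE = {
    "Public": {
        "creation": {"classified"},
        "destruction": {"controlled_procedure"},
    },
    "Internal": {
        "access": {"authenticated"},
        "storage": {"approved_device"},
    },
    "Sensitive": {
        "access": {"authorized"},
        "transmission": {"encrypted"},
        "physical_transport": {"approved", "tracked"},
    },
    "Highly Sensitive": {
        "access": {"separation_of_duties"},
        "storage": {"encrypted"},
        "destruction": {"destruction_certificate"},
    },
}


def required_controls(classification, stage):
    """Controls required for a class at a stage, including inherited ones."""
    if classification not in LEVELS:
        raise ValueError(f"unknown classification {classification!r}")
    needed = set()
    for level in LEVELS[: LEVELS.index(classification) + 1]:
        needed |= _BASE[level].get(stage, set())
    return needed


def _risk_rank(classification):
    # Unclassified data is ranked above everything: its risk is unknown.
    return len(LEVELS) if classification is None else LEVELS.index(classification)


def audit_handling(events):
    """Return one finding per event that misses a required control.

    Each event has an asset, its classification (None if it was never
    classified), the life-cycle stage, and the set of controls actually
    applied. Findings are (asset, classification, stage, missing controls),
    highest-risk data first, as the best-practice slides recommend.
    """
    findings = []
    for ev in events:
        cls = ev["classification"]
        if cls is None:
            # Creation policy: data must be classified before anything else.
            findings.append((ev["asset"], None, ev["stage"], {"classified"}))
            continue
        missing = required_controls(cls, ev["stage"]) - ev["controls"]
        if missing:
            findings.append((ev["asset"], cls, ev["stage"], missing))
    return sorted(findings, key=lambda f: -_risk_rank(f[1]))


# Constructed sample handling events.
EVENTS = [
    {"asset": "payroll.db", "classification": "Highly Sensitive",
     "stage": "transmission", "controls": {"encrypted"}},
    {"asset": "payroll.db", "classification": "Highly Sensitive",
     "stage": "storage", "controls": {"approved_device"}},
    {"asset": "cafeteria-menu.pdf", "classification": "Public",
     "stage": "transmission", "controls": set()},
    {"asset": "customer-list.xlsx", "classification": "Sensitive",
     "stage": "physical_transport", "controls": {"approved"}},
    {"asset": "scratch-notes.txt", "classification": None,
     "stage": "access", "controls": {"authenticated"}},
    {"asset": "old-backup-tape", "classification": "Highly Sensitive",
     "stage": "destruction", "controls": {"controlled_procedure"}},
]

if __name__ == "__main__":
    for asset, cls, stage, missing in audit_handling(EVENTS):
        print(f"{asset}: [{cls}] {stage} missing {sorted(missing)}")
```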
Database Encryption Attack Scenarios
Data Classification of Volume versus Time to Recover
Risk Management Process
Risk and Control Self-Assessment (RCSA)
What the major known risks are
Which of these risks will limit the ability of the organization to
complete its mission
What plans are in place to deal with these risks
Who “owns” the management and monitoring of these risks
Risk Management Policies
Risk avoidance is primarily a business decision; however, the differences between public and private organizations are clear:
Some public organizations, such as police departments, cannot avoid high risk
Private organizations can avoid risk through strategic decisions, such as placing their data centers out of storm paths
Risk Management Policies (Continued)
The power to choose what risk to accept is the main difference
between public and private organizations
Risk Management Strategies
Risk avoidance—Not engaging in certain activities that can
incur risk
Risk acceptance—Accepting the risk involved in certain
activities and addressing any consequences that result
Risk transference—Sharing the risk with an outside party
Risk mitigation—Reducing or eliminating the risk by applying
controls
Quality Assurance vs. Quality Control
Quality Assurance: The act of giving confidence, the state of
being certain, or the act of making certain
Quality Control: An evaluation to indicate needed corrective
responses; the act of guiding a process in which variability is
attributable to a constant system of chance causes
Best Practices for Data Classification
and Risk Management Policies
Keep the classification simple—no more than three to five data
classes.
Ensure that data classes are easily understood by employees.
Data classification must highlight which data is most valuable
to the organization.
Classify data in the most effective manner that classifies the
highest-risk data first.
Summary
Data classification based on military scheme
Risk management policies for private and public sector
Roles and responsibilities associated with risk management
policies
Data handling policies
Quality Assurance (QA) and Quality Control (QC)
Risk and Control Self Assessments (RCSA)
Security Policies and Implementation Issues
Week 7
IT Infrastructure Security Policies
Key Concepts
Elements of an infrastructure security policy
Policies associated with various domains of a typical IT
infrastructure
Best practices in creating and maintaining IT policies
10/8/2017
Key Purpose of an IT Infrastructure Policy
Provide technical knowledge of:
The interaction of various layers of the network
The placement of key controls
The types of risks to be detected and guarded against
Three Ways to Organize Policies
Domain
Logical way to review policies and requirements
The seven domains are a common taxonomy, or classification
system, across the industry
Different domains may have different security requirements
Functional Area
Used in mature companies whose processes rarely change
Advantage: May be tailored to a specific audience
Disadvantage: Functional areas may change due to organization
realignments
Layers of Security
Also known as defense in depth
Multiple security controls within network perimeter, operating
system, applications, and database, for example
Constantly changing technology presents challenges
Number of layers of security required varies depending on
needs of company
Seven Domains of a Typical IT Infrastructure
Policy Organization
Requirements may cross domains
Malware protection
Password/Authentication requirements
Requirements may conflict between domains
Policies will vary among organizations
Use standard document types to identify domain security control
requirements
Creating Policy Documents
Documents should
Differentiate between core requirements and technological
requirements
Follow a standard format
Remain relevant without constant modification
Not contain duplicate content
Policy Documents
Control Standards: policy statements concerned with core requirements
Baseline Standards: minimum security requirements for specific technologies
Procedure Documents: implementation processes; each baseline standard needs a procedure
Guidelines: recommendations
Dictionary: used in the policies to define the scope and meaning of the terms used
Workstation Domain
End-user devices: laptops, desktops, mobile devices
Focus on physical and logical security
Control Standards
Device management
User permissions
Align with functional responsibilities
Baseline Standards
Specific technology requirements for each device
Review standards from vendors or organizations
Procedures
Step-by-step configuration instructions
Guidelines
Acquisitions (e.g., preferred vendors)
Description of threats and countermeasures
LAN Domain
Local area network infrastructure: servers, network infrastructure
Focus on connectivity and traffic management
Control Standards
Firewalls
Denial of Service
Align with functional responsibilities
Baseline Standards
Specific technology requirements for each device
Review standards from vendors or organizations
Procedures
Step-by-step configuration
Guidelines
Acquisitions (e.g., preferred vendors)
Description of threats and countermeasures
LAN-to-WAN Domain
Connects the LAN to an outside network (e.g., the Internet)
Focus on securing resources that bridge internal and external networks
Control Standards
Access control to the Internet
Traffic filtering
Baseline Standards
Specific technology requirements for perimeter devices
Procedures
Step-by-step configuration
Guidelines
DMZ, IDS/IPS, content filtering
WAN Domain
Wide area network (e.g., Internet) services and hardware
Focus on WAN connection management and DNS
Control Standards
WAN management, Domain Name Services, router security, protocols, Web services
Baseline Standards
Review standards from vendors or organizations
Procedures
Step-by-step configuration of routers and firewalls
Change management
Guidelines
When and how Web services may be used
DNS management within the LAN and WAN environments
Remote Access Domain
End-user remote connection technology
Focus on authentication and connection
Control Standards
VPN connections
Multi-factor authentication
Baseline Standards
VPN gateway options
VPN client options
Procedures
Step-by-step VPN configuration and debugging
Guidelines
Description of threats
Security of remote computing environments, such as working from home
System/Application Domain
Data processing and storage technology
Focus on security issues associated with applications and data
Control Standards
Firewalls
Denial of Service
Align with functional responsibilities
Baseline Standards
Specific technology requirements for each device
Review standards from vendors or organizations
Procedures
Step-by-step configuration
Guidelines
Acquisitions (e.g., preferred vendors)
Description of threats and countermeasures
Telecommunications Policies
Telecommunications: any technology, service, or system that provides transmission of electronic data and information
Control Standards
Protect with FIPS encryption
Segregation of data and voice networks
Baseline Standards
Specific technology requirements for each device
Review standards from vendors or organizations
Procedures
Step-by-step configuration
Guidelines
May include VoIP systems architecture and security guidelines
Best Practices for IT Infrastructure Security Policies
Select a framework, such as ISO or COBIT
Develop requirements and standards based on the framework
Review what others have done and adapt that work to meet your needs before creating content
Best Practices for IT Infrastructure Security Policies (Continued)
Make your policies and standards available to anyone expected
to follow them
Keep content cohesive
Keep content coherent
Maintain the same “voice” throughout a single document
Best Practices for IT Infrastructure Security Policies (Continued)
Add only the information necessary to convey the message
Stay on the message
Make your library searchable
Federate ownership to where it best belongs
Roles and Responsibilities
Information Security (IS) Manager
Policy creation, application, and alignment with organizational
goals
IT Auditor
Ensuring that controls are in place per policy
System/Application Administrator
Applying controls to Workstation, LAN, and LAN-to-WAN
Domains
Lack of Controls
Without controls, all of the following (and more) are possible:
Workstations would have different configurations
LANs would allow unauthorized traffic
WANs would have vulnerabilities
Network devices would not be configured the same
Users would have access to data they are not directly working
with
Case Studies
Smaller bank wants to clear checks with a larger bank
X9.37
Third party used
Baseline standard change and procedural changes
State of Maryland
Online health records
Information Technology Support Division (ITSD) requirements
Controlled change statewide
HIPAA
Telvent
Monitors and supports the energy industry in the US and Canada
Breach of their firewall and network
SCADA system: never intended to be online
Used segmentation
Both test and production environments compromised
Summary
Elements of an infrastructure security policy
Policies associated with various domains of a typical IT
infrastructure
Best practices in creating and maintaining IT policies
Security Policies and Implementation Issues
Chapter 9
User Domain Policies
Learning Objective
Describe the different information systems security (ISS)
policies associated with the User Domain.
10/1/2017
Key Concepts
Reasons for governing users with policies
Regular and privileged users
Acceptable use policy (AUP) and privileged-level access
agreement (PAA)
Security awareness policy (SAP)
Differences between public and private User Domain policies
The User as the Weakest Link in the Security Chain
Social engineering can occur at any time within any
organization
Human mistakes often occur and can lead to security breaches
People that use computers have different skill levels, thus have
different perceptions on information security
The User as the Weakest Link in the Security Chain (Continued)
One of the most significant threats comes from within an
organization, from an “insider”
Applications have weaknesses that are not known, and these
weaknesses can be exploited by users either knowingly or
unknowingly
Security awareness training can remove this weakest link in the
security chain
Different Types of Users Within an Organization
Employees
System admins
Security personnel
Contractors
Vendors
Guests and general public
Control partners
Example of User Types
Contingent and System Accounts
Contingent Accounts
Need unlimited rights to install, configure, repair, and recover
networks and applications, and to restore data
System Accounts
Need elevated privileges to start, stop, and manage system
services
Credentials are prime targets for hackers
IDs are not assigned to individuals until a disaster recovery
event is declared
Accounts can be interactive or non-interactive
System accounts are also referred to as “service accounts”
User Access Requirements
Each user requires different levels of access to applications and
information within the organization
Users require information from different systems across the
organization to do their jobs
The data coming from different systems often has different
security controls
The different role each user has within the organization can
create security challenges
Differences and Similarities in User Domain Policies
Similarities
Private organizations may follow public-compliance laws
depending on their governance requirements
Public organizations may be small in size and thus have similar
control over their user populations
Differences
Public organizations must follow Sarbanes-Oxley (SOX), the
Health Insurance Portability and Accountability Act (HIPAA),
and other compliance laws
Private organizations are often smaller and easier to control
from a user standpoint
Private organizations may not follow public-compliance laws
Acceptable Use Policy (AUP)
Attempts to protect an organization’s computers and network
Addresses password management
Addresses software licenses
Addresses intellectual property management
Describes e-mail etiquette
Describes the level of privacy an individual should expect when
using an organization’s computer or network
Describes noncompliance consequences
Privileged-Level Access Agreement (PAA)
Acknowledges the risk associated with elevated access in the
event the credentials are breached or abused
Asks user to promise to use access only for approved
organization business
Asks user to promise not to attempt to “hack” or breach security
Asks user to promise to protect any output from these
credentials such as reports, logs, files, and downloads
Security Awareness Policy (SAP)
Addresses:
Basic principles of information security
Awareness of risk and threats
Dealing with unexpected risk
Reporting suspicious activity, incidents, and breaches
Building a culture that is security and risk aware
Roles and Responsibilities: Who Needs Training?
Executive Managers
Responsible for governance and compliance requirements, and
funding and policy support
Program and Functional Managers
Responsible for security management, planning, and
implementation; also risk management and contingency
planning
IT Security Program Managers
Responsible for broad training in security planning, system and
application security management, risk management, and
contingency planning
Auditors
Responsible for broad training in security planning, system and
application security management, risk management, and
contingency planning
IT Function Management and Operations Personnel
All Users
Responsible for basic security
Best Practices for User Domain Policies
Attachments—Never open an e-mail attachment from a source
that is not trusted or known
Encryption—Always encrypt sensitive data that leaves the
confines of a secure server
Least privilege—Individuals should only have the access
necessary to perform their responsibilities
Unique identity—All users must use unique credentials
Virus protection—Virus and malware prevention must be
installed on every desktop and laptop computer
Layered defense—Use an approach that establishes overlapping
layers of security
Patch management—All network devices should have the latest
security patches
Least Access Privilege and Best Fit Access Privilege
Least Access Privileges
Customizes access to the individual
Best Fit Privileges
Customizes access to the group or class of users
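How the two approaches differ in practice, as an added Python example that is not part of the textbook or its slides: least access grants each person exactly what their duties need, best fit grants a whole group the union of its members' needs, and the excess_privilege check measures the over-provisioning that best fit introduces. The users, groups and permission names are constructed sample data.

```python
"""Least access privilege (per individual) vs best fit privilege (per group).

Added example, not taken from the textbook or its slides. All users, groups
and permission names below are constructed sample data.
"""
from __future__ import annotations

# Constructed sample: the permissions each person's duties actually require.
NEEDED: dict[str, frozenset[str]] = {
    "alice": frozenset({"ledger:read", "ledger:post"}),
    "bob": frozenset({"ledger:read"}),
    "carol": frozenset({"ledger:read", "ledger:post", "ledger:approve"}),
    "dave": frozenset({"server:restart", "server:logs"}),
}

# Constructed sample: the group (class of user) each person belongs to.
GROUP_OF: dict[str, str] = {
    "alice": "accounting",
    "bob": "accounting",
    "carol": "accounting",
    "dave": "it-ops",
}


def least_access_grants(needed: dict[str, frozenset[str]]) -> dict[str, frozenset[str]]:
    """Least access: customise access to the individual.
    Every user receives exactly the permissions their duties require."""
    return {user: frozenset(perms) for user, perms in needed.items()}


def best_fit_grants(needed: dict[str, frozenset[str]],
                    group_of: dict[str, str]) -> dict[str, frozenset[str]]:
    """Best fit: customise access to the group or class of users.
    A group's permission set is the union of what its members need, and
    every member inherits that whole set."""
    group_perms: dict[str, set[str]] = {}
    for user, perms in needed.items():
        group_perms.setdefault(group_of[user], set()).update(perms)
    return {user: frozenset(group_perms[group_of[user]]) for user in needed}


def excess_privilege(grants: dict[str, frozenset[str]],
                     needed: dict[str, frozenset[str]]) -> dict[str, frozenset[str]]:
    """Permissions held beyond what the job requires: the over-provisioning an
    access reviewer would flag. Empty under least access; under best fit it is
    the price of approximating individuals by their group."""
    return {user: grants[user] - needed[user] for user in needed}


def is_authorized(grants: dict[str, frozenset[str]], user: str, permission: str) -> bool:
    """Deny by default: unknown users and unlisted permissions are refused."""
    return permission in grants.get(user, frozenset())


if __name__ == "__main__":
    for name, grants in (("least access", least_access_grants(NEEDED)),
                         ("best fit", best_fit_grants(NEEDED, GROUP_OF))):
        excess = {u: sorted(p) for u, p in excess_privilege(grants, NEEDED).items()}
        print(name, "excess privilege:", excess)
```

Running the block shows bob holding ledger:post and ledger:approve under best fit although his duties need only ledger:read; that gap is what a periodic access review against a least-access baseline is meant to surface.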
Who Develops User Policies
Chief financial officer (CFO)
Chief operations officer (COO)
Information security manager
IT manager
Marketing and sales manager
Unit manager
Materials manager
Purchasing manager
Inventory manager
Case Studies
Government laptop compromised
Collapse of Barings Bank
Unauthorized access to Defense Department Systems
Summary
Different user types and user access requirements in an
organization
SAP, AUP, and PAA
Roles and responsibilities associated with user policies
User policies in public and private organizations
Chapter 8: IT Security Policy Framework Approaches
Learning Objective
Describe the different methods, roles, responsibilities, and
accountabilities of personnel, along with the governance and
compliance of a security policy framework.
Key Concepts
Different methods and best practices for approaching a security
policy framework
Importance of defining roles, responsibilities, and
accountability for personnel
Separation of duties (SoD)
Importance of governance and compliance
Information Systems Security Policy Frameworks
Choosing the framework that works in your organization is not
easy
- The one selected will be based on the organizational type, risk,
and view from top management
A simplified security policy framework domain model
- Federal Information Security Management Act of 2002 (FISMA)
- Committee of Sponsoring Organizations (COSO)
- Control Objectives for Information and related Technology
(COBIT) (public organizations only, as this is for SOX 404)
- ISO 17799 (27002), ISO 20000 (ITIL), NIST, OCTAVE, PCI DSS
(if you process payments electronically)
Frameworks are flexible and allow an organization to adopt
constructs that fit their overall governance and compliance
planning requirements
IT Security Policy Framework Domain Model
Risk IT Framework
Process Model
Roles
Head of information management
Data stewards
Data custodians
Data administrators
Data security administrators
Roles and Responsibilities
Executive Management
Responsible for governance and compliance requirements,
funding, and policy support
Chief Information Officer (CIO)/Chief Security Officer (CSO)
Responsible for policy creation, reporting, funding, and support
Chief Financial Officer (CFO)/Chief Operating Officer (COO)
Responsible for data stewardship, owners of the data
Roles and Responsibilities (Continued)
System Administrators/Application Administrators
Responsible for custodianship of the data, maintaining the
quality of the data, and executing the policies and procedures
pertaining to the data, like backup, versioning, updating,
downloading, and database administration
Security Administrator
Responsible for granting access and assessing threats to the
data; information assurance (IA) program
Committees
Separation of Duties (SoD)
Layered security approach
Using layered security provides redundancy of layers, so if one
fails to catch the risk, another layer should. Thus, the more
layers, the better the chance that a risk will be mitigated.
However, one must remember that cost and restrictions also
come with each layer deployed.
Domain of responsibility and accountability
SoD duties fall within each individual IT domain, and applying
SoD can and will reduce both fraud and human errors.
Information Technology (IT) Security Controls
IT security controls are a function of IT infrastructure that an
organization has in its control and the regulatory and business
objectives that need to be controlled
You can have too many IT security controls, impeding the
organization from operating at optimal capacity, thus reducing
its revenue potential
Information Technology (IT) Security Controls (Continued)
Generic IT security controls as a function of a business model
Deploy a layered security approach
Use SoD approach
This applies to transactions within the domain of responsibility
Conduct security awareness training annually
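The SoD rule that the Separation of Duties slide and the "Use SoD approach" control above describe, applied to transactions within a domain of responsibility, as an added Python example that is not from the textbook or its slides. It has a preventive layer (the approval step refuses self-approval and duplicate approvers, and large amounts need two distinct approvers) and a detective layer (an audit of stored records for breaches that bypassed the approval step). The ledger entries, identity names and the 5000 dual-control threshold are constructed assumptions.

```python
"""Separation of duties (SoD) enforced and audited on a transaction workflow.

Added example, not from the textbook or its slides. The ledger entries,
identities and the dual-control threshold below are constructed sample data.
Rules: (1) the identity that submits a transaction may never approve it;
(2) at or above the dual-control threshold two distinct approvers are
required, a second layer so one person's error or fraud is caught by another.
"""
from dataclasses import dataclass, replace

DUAL_CONTROL_THRESHOLD = 5000.00  # constructed policy value, not from the slides


class SoDViolation(Exception):
    """Raised when an approval would breach separation of duties."""


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: float
    submitted_by: str
    approvals: tuple = ()  # identities that have approved so far, in order


def approve(txn: Transaction, approver: str) -> Transaction:
    """Preventive control at the approval step: reject self-approval and a
    second approval by someone who already approved. Returns a new record."""
    if approver == txn.submitted_by:
        raise SoDViolation(f"{approver} submitted {txn.txn_id} and cannot approve it")
    if approver in txn.approvals:
        raise SoDViolation(f"{approver} has already approved {txn.txn_id}")
    return replace(txn, approvals=txn.approvals + (approver,))


def required_approvals(amount: float) -> int:
    """Layered control: one approver normally, two at or above the threshold."""
    return 2 if amount >= DUAL_CONTROL_THRESHOLD else 1


def is_fully_approved(txn: Transaction) -> bool:
    """Only distinct approvers count towards the requirement."""
    return len(set(txn.approvals)) >= required_approvals(txn.amount)


def find_sod_violations(ledger) -> list:
    """Detective control: audit stored records for SoD breaches that may have
    bypassed the approval step (direct database edits, legacy interfaces).
    Returns the ids of offending transactions in ledger order."""
    violations = []
    for t in ledger:
        self_approved = t.submitted_by in t.approvals
        duplicate_approver = len(set(t.approvals)) != len(t.approvals)
        if self_approved or duplicate_approver:
            violations.append(t.txn_id)
    return violations


# Constructed sample ledger: T-1002 is a self-approval and T-1004 was
# "approved twice" by the same person; T-1003 still needs a second approver.
SAMPLE_LEDGER = [
    Transaction("T-1001", 1200.00, "alice", ("carol",)),
    Transaction("T-1002", 50.00, "bob", ("bob",)),
    Transaction("T-1003", 9800.00, "carol", ("alice",)),
    Transaction("T-1004", 7500.00, "dave", ("erin", "erin")),
]

if __name__ == "__main__":
    print("SoD violations found in ledger:", find_sod_violations(SAMPLE_LEDGER))
    pending = SAMPLE_LEDGER[2]
    print(pending.txn_id, "fully approved before second approver:", is_fully_approved(pending))
    completed = approve(pending, "bob")  # distinct second approver
    print(completed.txn_id, "fully approved after second approver:", is_fully_approved(completed))
```

The preventive check lives in approve() because that is the control point a user reaches; the audit in find_sod_violations() is the second layer the slide argues for, catching what the first layer missed.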
Information Technology (IT) Security Controls (Continued)
Apply the three lines of defense model
First line: The business unit
Second line: The risk management team
Third line: Use independent auditors
Importance of Governance and Compliance
Implementing a governance framework can allow an organization
to identify and mitigate risks in an orderly fashion
Can be a cost reduction move for organizations, as they can
easily respond to audit requests
A well-defined governance and compliance framework provides
a structured approach
Can provide a common language
Importance of Governance and Compliance (Continued)
Is also a best-practice model for organizations of all shapes and
sizes
Controls and risks become measurable with a framework
Organizations with a governance and compliance framework can
operate more efficiently
If you can measure the organization against a fixed set of
standards and controls, you have won
Security Policy Framework: Six Business Risks
Strategic risk is a broad category focused on an event that may
change how the organization operates
Compliance risk relates to the impact of the business failing to
comply with legal obligations
Financial risk is the potential impact when the business fails to
have adequate liquidity to meet its obligations
Operational risk is a broad category that describes any event
that disrupts the organization’s daily activities
Reputational risk results from negative publicity regarding an
organization’s practices. This type of risk could lead to a loss of
revenue or to litigation.
Other risk is a broad category that relates to all other
non-IT-specific events
Best Practices: Security Policy Framework
Using a risk management approach to framework
implementation reduces the highest risk to the organization
ISACA COBIT framework for SOX 404 requirements for
publicly traded organizations
Aligning the organization’s security policy with business
objectives and regulatory requirements
Best Practices: Security Policy Framework (Continued)
The use of a best practice methodology will best be answered
based on organizational requirements and governmental
regulations
GRC and ERM
Governance, Risk management, and Compliance (GRC)
A discipline formally bringing together risk and compliance
GRC best practices
ISO 27000 series
COBIT
COSO
Enterprise Risk Management (ERM)
Follows common risk methodologies
Similarities Between GRC and ERM
Defines risk in terms of business threats
Applies flexible frameworks to satisfy multiple compliance
regulations
Eliminates redundant controls, policies, and efforts
Proactively enforces policy
Seeks line of sight into the entire population of risks
Differences Between GRC and ERM
GRC focuses on technology, a series of tools and centralized
policies
ERM focuses on value delivery, takes a broad look at risk based
on the adoption driven by the organization’s leadership, and
shifts the discussion from what the organization should spend to
how the organization spends money mitigating risk
Case Studies
Hamburger chain
POS
WiFi Hotspot
Edward Snowden
Excessive access
Penetration testing
Adnoc Distribution
Inadequate funding of IT
Summary
Information systems security policy frameworks and IT security
controls
Difference between GRC and ERM
Business risks associated with security policy framework
Roles and responsibilities associated with information systems
security policy framework and SoD
Lecture 5: How to Design, Organize, Implement, and Maintain IT
Security Policies (9/24/2017)
Learning Objective
Describe how to design, organize, implement, and maintain IT
security policies.
Key Concepts
Core principles of policy and standards design
Implementing policy and libraries
Policy change control board purpose and roles
Business drivers for policy and standards changes
Best practices for policy management and maintenance
Who, what, when, where, why, and how?
YouTube: The Electric Company, The Good Charlotte
Architectural Operating Model: Four Business Model Concepts
Diversified
Technology solution has a low level of integration and
standardization with the enterprise.
Exchange of data and use of services outside the business unit
itself is minimal.
Coordinated
Technology solution shares data across the enterprise.
Level of shared services and standardization is minimal.
Replicated
Technology solution shares services across the enterprise.
Level of data sharing is minimal.
Unified
Technology solution both shares data and has standardized
services across the enterprise.
This book explains ways to analyze and categorize the primary
operating model of the business based on four key concepts that
we will be reviewing to understand how IT policies and standards
align.
Why? By focusing on the business model and processes in
which the company must execute well, this model provides a
baseline approach to understanding the IT systems needed to
digitize those processes, or the level of automation they need.
Examples in the book include companies around the world that
are profiled by the authors to illustrate how constructing the
right enterprise architecture can enhance profitability and time
to market, facilitate competitive positioning and improve
strategy execution, and how it may impact IT costs.
Source: Enterprise Architecture as Strategy: Creating a
Foundation for Business Execution
Aligning Operating Model Concepts
Policy and Standards Development Core Principles
Accountability
Awareness
Ethics
Multidisciplinary
Proportionality
Integration
Defense in Depth
Timeliness
Reassessment
Democracy
Internal Control
Adversary
Least Privilege
Separation of Duties
Continuity
Simplicity
Policy-Centered Security
Transparency with Customer Data
Transparency
Individual Participation
Purpose Specification
Use Limitation
Data Minimization
Security Controls Categorization Schemes
What is the control?
Administrative controls
Technical controls
Physical controls
What does the control do?
Preventive security controls
Detective or response controls
Corrective controls
Recovery controls
ISO/IEC 27002
ISO/IEC 27002 Notice Board
http://www.iso27001security.com/html/27002.html
Understanding Taxonomy
Introduction to ISO 15926, April 14, 2014,
http://infowebml.ws/intro/index.htm
A Policy and Standards Library Taxonomy
Control standards branch out from the Access Control (IS-POL-800)
framework policy.
Baseline standards and procedures provide additional branches
of the library tree.
Guidelines provide additional branches of the library tree.
Implementing Policies and Libraries
Implementing your policies and libraries entails three major
steps:
• Reviews and approvals for your documents
• Publication of the documents
• Awareness and training
Figure: Build Consensus, Reviews/Approvals, Publication,
Awareness Training
Members of the Policy Change Control Board
Information Security
Compliance Management
Auditing
Human Resources (HR)
Leadership from the key information business units
Project Managers (PMs)
Members come from functional areas of the organization.
The role of each member is to approve changes to the
policies, reflecting alignment to business objectives.
Each functional area oversees policies pertaining to its
respective area of responsibility, while also playing a role in
the approval of policy changes that affect the organization as a
whole.
Policy Change Control Board
Assess policies/standards and recommend changes
Coordinate requests for change (RFCs)
Ensure that changes support organization’s mission and goals
Review requested changes
Establish change management process
Best Practices for Policy Maintenance
Updates and revisions
Exceptions and waivers
Request from users and management
Changes to the organization
Business Drivers for Policy and Standards Changes
Business-as-usual developments
Business exceptions
Business innovations
Business technology innovations
Strategic changes
Summary
Core principles of policy and standards design
Implementing policy and libraries
Policy change control board purpose and roles
Business drivers for policy and standards changes
Best practices for policy management and maintenance
Chapter 6: IT Security Policy Frameworks
Learning Objective
Describe the components and basic requirements for creating a
security policy framework.
Key Concepts
Key building blocks of security policy framework
Types of documents for a security policy framework
Information systems security (ISS) and information assurance
considerations
Process to create a security policy framework
Policy and Standards Library Framework
Policy Framework Components
Policy: Defines how an organization performs and conducts
business functions and transactions with a desired outcome
Standards: An established method implemented
organization-wide
Procedures: Steps required to implement a process
Guidelines: A parameter within which a policy, standard, or
procedure is suggested
Common Frameworks
Control Objectives for Information and related Technology
(COBIT)
ISO/IEC 27000 series
National Institute of Standards and Technology (NIST) Special
Publications
Example: SP 800-53, “Recommended Security Controls for
Federal Information Systems and Organizations”
Access Control Policy Branch
Access Control Policy Branch of a Policy and Standards Library
External and Internal Factors Affecting Policies
Policies must align with the business model or objective to be effective
External factors: regulatory and governmental initiatives
Internal factors: culture, support, and funding
Creating a Security Policy Framework
Set a budget
Assemble a team
Select a commonly accepted framework as a foundation
- COBIT, ISO/IEC 27000 series, NIST SPs
Use a content management system, if possible
Cross-reference your security documents with standards
Coordinate development with other departments in the organization
Roles Related to a Policy and Standards Library
CISO
- Establishes and maintains security and risk management programs for information resources
Information resources manager
- Maintains policies and procedures that provide for security and risk management of information resources
Information resources security officer
- Directs policies and procedures designed to protect information resources; identifies vulnerabilities; develops the security awareness program
Owners of information resources
- Responsible for carrying out the program that uses the resources. This does not imply personal ownership. These individuals may be regarded as program managers or delegates for the owner.
Custodians of information resources
- Provide technical facilities, data processing, and other support services to owners and users of information resources
Technical managers (network and system administrators)
- Provide technical support for the security of information resources
Internal auditors
- Conduct periodic risk-based reviews of information resources security policies and procedures
Users
- Have access to information resources in accordance with the owner-defined controls and access rules
Case Studies on Security Policy Framework Creation
Case Study: Private Sector
Health care organization with 7,000 devices
Incomplete inventory
No easy way to classify assets
Subject to HIPAA
Used NIST SP 800-53 to establish the framework
Case Study: Public Sector
State of Tennessee
Used ISO/IEC 17799 (27002)
Policies and frameworks covered all information assets owned, leased, or controlled by the State of Tennessee
Case Study: Private Sector
Target Corporation
1,797 US and 127 Canadian stores
December 2013 point-of-sale (PoS) data breach
40 million credit card records stolen
70 million records containing PII
One of the largest data breaches of its kind
Information Assurance and Information Systems Security
Information Assurance
Protecting information during processing and use
The 5 Pillars
Implementation of appropriate accounting and other integrity controls
Development of systems that detect and thwart attempts to perform unauthorized activity
ISS
Protecting information and the systems that store and process the information
Automation of security controls, where possible
Assurance of a level of uptime of all systems
[Figure: Security Policy Framework, with IA and ISS]
Information Systems Security Considerations
Unauthorized Access to and Use of the System
Unauthorized Disclosure of the Information
Disruption of the System or Services
Modification of Information
Destruction of Information Resources
Summary
Considerations for information assurance and information security
Process to create a security policy framework
Factors that affect policies and the best practices to maintain policies
Page ‹#›
Security Policies and Implementation Issues
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning
Company
www.jblearning.com
All rights reserved.
7/17/2014
16

More Related Content

Similar to Security Policies and Implementation IssuesChapter 12Inciden.docx

A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
Daren Dunkel
 
Security Policies and Implementation IssuesLecture 5How to D.docx
Security Policies and Implementation IssuesLecture 5How to D.docxSecurity Policies and Implementation IssuesLecture 5How to D.docx
Security Policies and Implementation IssuesLecture 5How to D.docx
jeffreye3
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
Anne Starr
 
Convergence innovative integration of security
Convergence   innovative integration of securityConvergence   innovative integration of security
Convergence innovative integration of security
ciso_insights
 
Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15
James Fisher
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
PECB
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless world
nooralmousa
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
Anne Starr
 

Similar to Security Policies and Implementation IssuesChapter 12Inciden.docx (20)

Fundamentals of Information Systems Security Chapter 4
Fundamentals of Information Systems Security Chapter 4Fundamentals of Information Systems Security Chapter 4
Fundamentals of Information Systems Security Chapter 4
 
Gill_Pat.2016.Resume.CISO.1
Gill_Pat.2016.Resume.CISO.1Gill_Pat.2016.Resume.CISO.1
Gill_Pat.2016.Resume.CISO.1
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Security Policies and Implementation IssuesLecture 5How to D.docx
Security Policies and Implementation IssuesLecture 5How to D.docxSecurity Policies and Implementation IssuesLecture 5How to D.docx
Security Policies and Implementation IssuesLecture 5How to D.docx
 
Cybertopic_1security
Cybertopic_1securityCybertopic_1security
Cybertopic_1security
 
Convergence innovative integration of security
Convergence   innovative integration of securityConvergence   innovative integration of security
Convergence innovative integration of security
 
Credit Union Cyber Security
Credit Union Cyber SecurityCredit Union Cyber Security
Credit Union Cyber Security
 
Cyber security framework
Cyber security frameworkCyber security framework
Cyber security framework
 
From checkboxes to frameworks
From checkboxes to frameworksFrom checkboxes to frameworks
From checkboxes to frameworks
 
Qatar Proposal
Qatar ProposalQatar Proposal
Qatar Proposal
 
Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015Cyber risk management-white-paper-v8 (2) 2015
Cyber risk management-white-paper-v8 (2) 2015
 
Topic11
Topic11Topic11
Topic11
 
Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62
 
Fundamentals of Information Systems Security Chapter 8
Fundamentals of Information Systems Security Chapter 8Fundamentals of Information Systems Security Chapter 8
Fundamentals of Information Systems Security Chapter 8
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Module 2 information security risk management student slides ver 1.0
Module 2 information security risk management    student slides ver 1.0Module 2 information security risk management    student slides ver 1.0
Module 2 information security risk management student slides ver 1.0
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless world
 
Dancyrityshy 1foundatioieh
Dancyrityshy 1foundatioiehDancyrityshy 1foundatioieh
Dancyrityshy 1foundatioieh
 

More from jeffreye3

SeleccionarSelecciona la respuesta que mejor completa cada oración.docx
SeleccionarSelecciona la respuesta que mejor completa cada oración.docxSeleccionarSelecciona la respuesta que mejor completa cada oración.docx
SeleccionarSelecciona la respuesta que mejor completa cada oración.docx
jeffreye3
 
Segmented Assimilation Theory and theLife Model An Integrat.docx
Segmented Assimilation Theory and theLife Model An Integrat.docxSegmented Assimilation Theory and theLife Model An Integrat.docx
Segmented Assimilation Theory and theLife Model An Integrat.docx
jeffreye3
 
SEED Labs – Linux Firewall Exploration Lab 1Linux Firewall.docx
SEED Labs – Linux Firewall Exploration Lab 1Linux Firewall.docxSEED Labs – Linux Firewall Exploration Lab 1Linux Firewall.docx
SEED Labs – Linux Firewall Exploration Lab 1Linux Firewall.docx
jeffreye3
 
seek limited’s group report &meetingiiTable of C.docx
seek limited’s group report &meetingiiTable of C.docxseek limited’s group report &meetingiiTable of C.docx
seek limited’s group report &meetingiiTable of C.docx
jeffreye3
 
Seediscussions,stats,andauthorprofilesforthispublicati.docx
Seediscussions,stats,andauthorprofilesforthispublicati.docxSeediscussions,stats,andauthorprofilesforthispublicati.docx
Seediscussions,stats,andauthorprofilesforthispublicati.docx
jeffreye3
 
SEE YELLOW HIGHLIGHTED AREA BELOWPart 1.Laying the Foundat.docx
SEE YELLOW HIGHLIGHTED AREA BELOWPart 1.Laying the Foundat.docxSEE YELLOW HIGHLIGHTED AREA BELOWPart 1.Laying the Foundat.docx
SEE YELLOW HIGHLIGHTED AREA BELOWPart 1.Laying the Foundat.docx
jeffreye3
 

More from jeffreye3 (20)

Select 2 particular media forum types from the following listNews.docx
Select 2 particular media forum types from the following listNews.docxSelect 2 particular media forum types from the following listNews.docx
Select 2 particular media forum types from the following listNews.docx
 
Select 1 of the datasets.Set up a frequency table.docx
Select 1 of the datasets.Set up a frequency table.docxSelect 1 of the datasets.Set up a frequency table.docx
Select 1 of the datasets.Set up a frequency table.docx
 
Select 1 alternative religion (e.g., Church of Scientology, Tr.docx
Select 1 alternative religion (e.g., Church of Scientology, Tr.docxSelect 1 alternative religion (e.g., Church of Scientology, Tr.docx
Select 1 alternative religion (e.g., Church of Scientology, Tr.docx
 
Select 1 existing or defunct magazine or newspaper, and research its.docx
Select 1 existing or defunct magazine or newspaper, and research its.docxSelect 1 existing or defunct magazine or newspaper, and research its.docx
Select 1 existing or defunct magazine or newspaper, and research its.docx
 
SeleccionarSelect the item that does not belong.¿Lógico o .docx
SeleccionarSelect the item that does not belong.¿Lógico o .docxSeleccionarSelect the item that does not belong.¿Lógico o .docx
SeleccionarSelect the item that does not belong.¿Lógico o .docx
 
SeleccionarSelecciona la respuesta que mejor completa cada oración.docx
SeleccionarSelecciona la respuesta que mejor completa cada oración.docxSeleccionarSelecciona la respuesta que mejor completa cada oración.docx
SeleccionarSelecciona la respuesta que mejor completa cada oración.docx
 
Segmented Assimilation Theory and theLife Model An Integrat.docx
Segmented Assimilation Theory and theLife Model An Integrat.docxSegmented Assimilation Theory and theLife Model An Integrat.docx
Segmented Assimilation Theory and theLife Model An Integrat.docx
 
Seeking your ability to think about criminalsocial issues .docx
Seeking your ability to think about criminalsocial issues .docxSeeking your ability to think about criminalsocial issues .docx
Seeking your ability to think about criminalsocial issues .docx
 
Seeking help with week 4 UOP PSY525 team assignment.  Only one.docx
Seeking help with week 4 UOP PSY525 team assignment.  Only one.docxSeeking help with week 4 UOP PSY525 team assignment.  Only one.docx
Seeking help with week 4 UOP PSY525 team assignment.  Only one.docx
 
Seeking a minimin of one page with scholarly in-text references with.docx
Seeking a minimin of one page with scholarly in-text references with.docxSeeking a minimin of one page with scholarly in-text references with.docx
Seeking a minimin of one page with scholarly in-text references with.docx
 
Seeking a 500 word document that outlines(A) who most commonly .docx
Seeking a 500 word document that outlines(A) who most commonly .docxSeeking a 500 word document that outlines(A) who most commonly .docx
Seeking a 500 word document that outlines(A) who most commonly .docx
 
SEED Labs – Linux Firewall Exploration Lab 1Linux Firewall.docx
SEED Labs – Linux Firewall Exploration Lab 1Linux Firewall.docxSEED Labs – Linux Firewall Exploration Lab 1Linux Firewall.docx
SEED Labs – Linux Firewall Exploration Lab 1Linux Firewall.docx
 
seek limited’s group report &meetingiiTable of C.docx
seek limited’s group report &meetingiiTable of C.docxseek limited’s group report &meetingiiTable of C.docx
seek limited’s group report &meetingiiTable of C.docx
 
Seediscussions,stats,andauthorprofilesforthispublicati.docx
Seediscussions,stats,andauthorprofilesforthispublicati.docxSeediscussions,stats,andauthorprofilesforthispublicati.docx
Seediscussions,stats,andauthorprofilesforthispublicati.docx
 
SEE YELLOW HIGHLIGHTED AREA BELOWPart 1.Laying the Foundat.docx
SEE YELLOW HIGHLIGHTED AREA BELOWPart 1.Laying the Foundat.docxSEE YELLOW HIGHLIGHTED AREA BELOWPart 1.Laying the Foundat.docx
SEE YELLOW HIGHLIGHTED AREA BELOWPart 1.Laying the Foundat.docx
 
See ENF450 Search Strategies and the Student Resources links and sup.docx
See ENF450 Search Strategies and the Student Resources links and sup.docxSee ENF450 Search Strategies and the Student Resources links and sup.docx
See ENF450 Search Strategies and the Student Resources links and sup.docx
 
Seed TagsCollect a variety of seed tags. Take photos of the .docx
Seed TagsCollect a variety of seed tags. Take photos of the .docxSeed TagsCollect a variety of seed tags. Take photos of the .docx
Seed TagsCollect a variety of seed tags. Take photos of the .docx
 
see videohttpsyoutu.be-O5gsF5oylsconsider how hist.docx
see videohttpsyoutu.be-O5gsF5oylsconsider how hist.docxsee videohttpsyoutu.be-O5gsF5oylsconsider how hist.docx
see videohttpsyoutu.be-O5gsF5oylsconsider how hist.docx
 
See Topic on the project 1 paperTarget- Casemanager and care.docx
See Topic on the project 1 paperTarget- Casemanager and care.docxSee Topic on the project 1 paperTarget- Casemanager and care.docx
See Topic on the project 1 paperTarget- Casemanager and care.docx
 
See attachments for information.Looking for assistance on an assig.docx
See attachments for information.Looking for assistance on an assig.docxSee attachments for information.Looking for assistance on an assig.docx
See attachments for information.Looking for assistance on an assig.docx
 

Recently uploaded

The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
heathfieldcps1
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 

Recently uploaded (20)

Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet  PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptxOn_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
On_Translating_a_Tamil_Poem_by_A_K_Ramanujan.pptx
 
Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 

Security Policies and Implementation IssuesChapter 12Inciden.docx

  • 1. Security Policies and Implementation Issues Chapter 12 Incident Response Team (IRT) Policies © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 1 Learning Objective Describe the different information security systems (ISS) policies associated with incident response teams (IRTs). Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 7/17/2014 2
  • 2. Key Concepts Incident response policies Team members associated with incident response Emergency services related to IRTs Policies specific to incident response support services Policies associated with handling the media and what to disclose Business impact analysis (BIA) policies Business continuity plan (BCP) policies Disaster recovery plan (DRP) policies Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 7/17/2014 3 Incident Response Team (IRT) Cross-functional team Organized and coordinated Various skills Usually only responds to major incidents Minor incidents considered part of normal operations Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning
  • 3. Company www.jblearning.com All rights reserved. 7/17/2014 4 Definition of an Incident Any event that violates security policy Unauthorized access to data Unauthorized modification of data Disruption of service Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 7/17/2014 5 Classifying Breach by Attack Vector Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
  • 4. Attack Vectors SQL injection Malicious code or malware Insecure remote access Insecure wireless Improperly segmented network environment Classifying an Incident Develop a classification system Varies by industry type Should meet legal and regulatory obligations Common approach is to use categories that assess threat level Malicious code Denial of Service Unauthorized access Inappropriate usage
  • 5. Major vs. minor Major incidents are significant Determination based on risk to organization Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 7/17/2014 7 Forming an Incident Response Team Develop a charter Determine IRT Model Set goals (e.g., response time) Identify Team Members Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Team Members Information Technology Information Security Human Resources Legal Public Relations
  • 6. Business Continuity Data Owner Management 7/17/2014 8 Organizational Structure Roles & Responsibilities Information Flow Authority & Reporting Goals Team responsibilities Incident Declaration Definitions Declaration process Team alignment
  • 7. Member management For team members Communications How goals are achieved Level of authority Source of authority Summary Mission Statement Methods Charter Sections
  • 8. IRT Models Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 7/17/2014 9 On-Site Response Supporting Role Coordination Coordinates several local teams Full authority to contain breach Technical assistance to local team
  • 9. Roles and Responsibilities Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. IRT Manager This individual makes all the final calls on how to respond to an incident, they are the interface with management IRT Coordinator They act as the official scribe of the team. All activity flows through this person who maintains the official records of the team Users May have supporting role in IRT as data owner representatives System Administrators The subject matter experts (SMEs) chosen for each incident response effort will vary depending upon the type of incident and affected system(s) Information Security Personnel These team members may also have specialized forensic skills
  • 10. needed to collect and analyze evidence Management Ultimately, management is held accountable for the outcome of the incident response effort May have supporting role in IRT as data owner representatives 7/17/2014 10 Incident Response Support Services This is a broad category to mean any team that supports the organization’s IT and business processes Example: The help desk is a support services team During an incident, the help desk may be in direct contact with the customer who is impacted by the attack Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. This is a broad category to mean any team that supports the organization’s information technology (IT) and business processes The helpdesk for example would be a support services team During an incident, the helpdesk may be in direct contact with the customer who is impacted by the attack The helpdesk, at that point, becomes a channel of information on the incident It’s vital that the helpdesk during an incident is providing a script of key talking points about the incident 7/17/2014
  • 11. 11 Incident Response Support Services (Continued) The help desk, at that point, becomes a channel of information on the incident It’s vital that the helpdesk during an incident is providing a script of key talking points about the incident Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. The Incident Response Process Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 7/17/2014 13 Plan and Train Discover and Report Incident
Contain, Clean Up, Analyze and Prevent, Report

BIA Policies
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Identifies assets required for the business to recover and continue doing business
BIA may be based on multiple worst-case scenarios
Key assets include critical resources, systems, facilities, personnel, and records
BIA should contain security breach scenarios

BIA Policies (Continued)
Identifies recovery times
Used for information security and non–information security purposes
Identifies adverse effects on the organization
Identifies key components

Key Objectives of the Business Impact Analysis (BIA) Policy
Identify resources required to recover each component
Identify human assets needed to recover these components
Identify dependencies, such as other BIA components

Business Continuity Planning Policies
Creates a road map for continuing business operations after a major outage or disruption of services
Establishes the requirement to create and maintain the plan
Provides guidance for building a plan
Includes key assumptions, accountability, and frequency of testing

Business Continuity Planning Policies (Continued)
Must clearly define responsibilities for creating and maintaining the BCP
Identifies responsibilities for its execution
Covers the business's support structure

BIA, BCP, and DRP
BIA: Drives the requirements for the BCP
BCP: Drives the requirements for the DRP
DRP: Policies needed to recover IT assets after a major outage

Best Practices in Incident Response
Effectiveness of the IRT and its related policies needs to be measured
Measurement should be published annually with a comparison to prior years

Best Practices in Incident Response (Continued)
Measurements should include the goals in the IRT charter, plus additional analytics to indicate the reduction of risk to the organization, such as:
Number of incidents
Number of repeat incidents
Time to contain per incident
Financial impact to the organization

Summary
Incident classifications
Roles and responsibilities associated with incident response team policies
Incident support services
Best practices for creating incident response team policies
BIA, BCP, and DRP policies
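As an added example (not from the slides or the textbook), the four analytics listed above computed per year over a constructed incident log, with a year-over-year comparison and a check against charter goals; the definition of a repeat incident, the sample incidents, and the charter thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    category: str        # incident class, e.g. "malware" or "phishing"
    asset: str           # system or business unit affected
    detected: datetime   # when the IRT was engaged
    contained: datetime  # when containment was completed
    cost: float          # estimated financial impact to the organization


# Constructed sample incident log; these are not real incidents.
INCIDENTS: List[Incident] = [
    Incident("INC-2013-01", "malware", "hr-fileserver",
             datetime(2013, 2, 1, 9, 0), datetime(2013, 2, 2, 9, 0), 12000.0),
    Incident("INC-2013-02", "phishing", "mail-gateway",
             datetime(2013, 5, 10, 8, 0), datetime(2013, 5, 10, 20, 0), 3000.0),
    Incident("INC-2013-03", "malware", "hr-fileserver",
             datetime(2013, 9, 3, 10, 0), datetime(2013, 9, 4, 4, 0), 8000.0),
    Incident("INC-2014-01", "phishing", "mail-gateway",
             datetime(2014, 1, 15, 8, 0), datetime(2014, 1, 15, 14, 0), 1500.0),
    Incident("INC-2014-02", "dos", "web-frontend",
             datetime(2014, 6, 20, 12, 0), datetime(2014, 6, 20, 16, 0), 5000.0),
]


def hours_to_contain(inc: Incident) -> float:
    """Time to contain for one incident, in hours."""
    return (inc.contained - inc.detected).total_seconds() / 3600.0


def yearly_metrics(incidents: List[Incident]) -> Dict[int, Dict[str, float]]:
    """Compute the slide's four analytics for each calendar year.

    A "repeat incident" is defined here (an assumption) as one with the same
    category on the same asset as any earlier incident in the log, counted
    across years, so a recurrence shows whether earlier remediation held.
    """
    seen = set()
    by_year: Dict[int, List[Incident]] = defaultdict(list)
    repeats: Dict[int, int] = defaultdict(int)
    for inc in sorted(incidents, key=lambda i: i.detected):
        by_year[inc.detected.year].append(inc)
        key = (inc.category, inc.asset)
        if key in seen:
            repeats[inc.detected.year] += 1
        seen.add(key)
    metrics: Dict[int, Dict[str, float]] = {}
    for year, incs in sorted(by_year.items()):
        metrics[year] = {
            "incidents": len(incs),
            "repeat_incidents": repeats[year],
            "mean_hours_to_contain": sum(hours_to_contain(i) for i in incs) / len(incs),
            "financial_impact": sum(i.cost for i in incs),
        }
    return metrics


def year_over_year(metrics: Dict[int, Dict[str, float]], year: int) -> Optional[Dict[str, float]]:
    """Change of each metric versus the prior year; None when there is no prior year."""
    prev = metrics.get(year - 1)
    if prev is None:
        return None
    return {name: metrics[year][name] - prev[name] for name in metrics[year]}


def charter_goals_met(metrics: Dict[int, Dict[str, float]], year: int,
                      max_mean_hours: float, max_repeats: int) -> bool:
    """Check one year's results against goals taken from the IRT charter
    (the threshold values passed in are hypothetical)."""
    m = metrics[year]
    return m["mean_hours_to_contain"] <= max_mean_hours and m["repeat_incidents"] <= max_repeats


if __name__ == "__main__":
    report = yearly_metrics(INCIDENTS)
    for yr in sorted(report):
        print(yr, report[yr], "change vs prior year:", year_over_year(report, yr))
```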
Security Policies and Implementation Issues
Chapter 11 Data Classification and Handling Policies and Risk Management Policies

Learning Objective
Describe the different information security systems (ISS) policies associated with risk management.

Key Concepts
Business risks related to information systems
Risks associated with the selected business model
Differences between public and private risk management policies
Risk and Control Self-Assessments (RCSA)
Quality Assurance (QA) and Quality Control (QC)

Purpose of Data Classification
Protect information
Retain information
Recover information

Legal Classification Scheme
Prohibited Information
Confidential Information
Unrestricted Information
Restricted Information

Military Classification Scheme
The U.S. military classification scheme is defined in the National Security Information document, Executive Order (EO) 12356
Top Secret—Data whose unauthorized disclosure could reasonably be expected to cause grave damage to the national security
Secret—Data whose unauthorized disclosure could reasonably be expected to cause serious damage to the national security
Confidential—Data whose unauthorized disclosure could reasonably be expected to cause damage to the national security

Military Classification Scheme (Continued)
Unclassified data has two classification levels:
Sensitive but unclassified—Confidential data not subject to release under the Freedom of Information Act
Unclassified—Data available to the public

Declassification of Government Data (figure)

Business Classification Scheme
Highly Sensitive: Mission critical data
Sensitive: Data that is important but not vital to the business mission
Internal: Data not related to the core business, such as routine communications within the organization
Public: Data that has no negative impact on the business when released to the public

Developing a Customized Classification Scheme
Determine number of classification levels
Define each classification level
Name each classification level
Align classification to specific handling requirements
Define audit and reporting requirements

Classifying Data
You need to consider two primary issues when classifying data:
-Data ownership
-Security controls
These two issues help you drive maximum value from the data classification effort.

Data Handling Policies
Policies, standards, and procedures must be defined regarding data during:
Creation—During creation, data must be classified. That could be as simple as placing the data within a common storage area.
Access—Access to data is governed by security policies. Special guidance is provided on separation of duties (SoD).
Use—Use of data includes protecting and labeling information properly after its access.
Transmission—Data must be transmitted in accordance with policies and standards.

Data Handling Policies (Continued)
Storage—Storage devices for data must be approved. This ensures that access to the device is secured and properly controlled.
Physical Transport—Transport of data must be approved. This ensures that data leaving the confines of the private network is protected and tracked.
Destruction—Destruction of data is sometimes called "disposal." When an asset reaches its end of life, it must be destroyed in a controlled procedure.
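As an added example (not from the slides or the textbook), the business classification scheme above aligned to handling requirements and enforced as checks for the transmission, storage, physical transport, and destruction stages, with each decision recorded for audit and reporting; the concrete rules, approved device names, and sample assets are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


# Business classification scheme from the slides, ordered least to most sensitive.
class Classification(IntEnum):
    PUBLIC = 0            # no negative impact when released to the public
    INTERNAL = 1          # not related to the core business, e.g. routine communications
    SENSITIVE = 2         # important but not vital to the business mission
    HIGHLY_SENSITIVE = 3  # mission critical data


# Handling requirements aligned to each level. These specific rules are an
# assumption for illustration; an organization defines its own in policy.
HANDLING = {
    Classification.PUBLIC:           {"encrypt_in_transit": False, "approved_storage": False,
                                      "track_transport": False, "destruction": "delete"},
    Classification.INTERNAL:         {"encrypt_in_transit": False, "approved_storage": True,
                                      "track_transport": False, "destruction": "delete"},
    Classification.SENSITIVE:        {"encrypt_in_transit": True,  "approved_storage": True,
                                      "track_transport": True,  "destruction": "wipe"},
    Classification.HIGHLY_SENSITIVE: {"encrypt_in_transit": True,  "approved_storage": True,
                                      "track_transport": True,  "destruction": "shred"},
}
# Destruction methods ranked by strength; a stronger method than required is acceptable.
DESTRUCTION_RANK = {"delete": 0, "wipe": 1, "shred": 2}
# Constructed set of storage devices approved by policy (hypothetical names).
APPROVED_STORAGE = {"san-01", "backup-vault-02"}
STAGES = ("transmission", "storage", "physical_transport", "destruction")


@dataclass
class DataAsset:
    name: str
    owner: Optional[str]                      # data ownership must be assigned
    classification: Optional[Classification]  # None means never classified at creation


@dataclass
class HandlingRequest:
    stage: str                     # one of STAGES
    encrypted: bool = False        # transmission
    device: Optional[str] = None   # storage
    tracked: bool = False          # physical transport approved and tracked
    method: Optional[str] = None   # destruction method


AUDIT_LOG: List[dict] = []  # every decision is recorded for audit and reporting


def evaluate(asset: DataAsset, req: HandlingRequest) -> List[str]:
    """Return the policy violations for handling `asset` at `req.stage`;
    an empty list means the request complies with the handling policy."""
    violations: List[str] = []
    if asset.classification is None:
        violations.append("data must be classified at creation before it is handled")
    if asset.owner is None:
        violations.append("no data owner assigned")
    if asset.classification is not None:
        rules = HANDLING[asset.classification]
        if req.stage not in STAGES:
            violations.append(f"unknown handling stage {req.stage!r}")
        elif req.stage == "transmission" and rules["encrypt_in_transit"] and not req.encrypted:
            violations.append("transmission must be encrypted for this classification")
        elif req.stage == "storage" and rules["approved_storage"] and req.device not in APPROVED_STORAGE:
            violations.append(f"storage device {req.device!r} is not approved")
        elif req.stage == "physical_transport" and rules["track_transport"] and not req.tracked:
            violations.append("physical transport must be approved and tracked")
        elif req.stage == "destruction":
            needed = DESTRUCTION_RANK[rules["destruction"]]
            got = DESTRUCTION_RANK.get(req.method or "", -1)
            if got < needed:
                violations.append(
                    f"destruction method {req.method!r} weaker than required {rules['destruction']!r}")
    AUDIT_LOG.append({"asset": asset.name, "stage": req.stage, "violations": list(violations)})
    return violations


if __name__ == "__main__":
    payroll = DataAsset("payroll-2014", "hr-director", Classification.HIGHLY_SENSITIVE)
    print(evaluate(payroll, HandlingRequest("transmission", encrypted=False)))
    print(evaluate(payroll, HandlingRequest("destruction", method="shred")))
    print(AUDIT_LOG)
```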
Database Encryption Attack Scenarios (figure)

Data Classification of Volume versus Time to Recover (figure)

Risk Management Process (figure)

Risk and Control Self-Assessment (RCSA)
What the major known risks are
Which of these risks will limit the ability of the organization to complete its mission
What plans are in place to deal with these risks
Who "owns" the management and monitoring of these risks

Risk Management Policies
Risk avoidance is primarily a business decision; however, the differences between public and private organizations are clear:
Public organizations cannot avoid high risk, such as police departments
Private organizations can avoid risk with strategic decisions, such as placing their data centers out of storm paths

Risk Management Policies (Continued)
The power to choose what risk to accept is the main difference between public and private organizations

Risk Management Strategies
Risk avoidance—Not engaging in certain activities that can incur risk
Risk acceptance—Accepting the risk involved in certain activities and addressing any consequences that result
Risk transference—Sharing the risk with an outside party
Risk mitigation—Reducing or eliminating the risk by applying controls

Quality Assurance vs. Quality Control
Quality Assurance: The act of giving confidence, the state of being certain, or the act of making certain
Quality Control: An evaluation to indicate needed corrective responses; the act of guiding a process in which variability is attributable to a constant system of chance causes

Best Practices for Data Classification and Risk Management Policies
Keep the classification simple—no more than three to five data classes.
Ensure that data classes are easily understood by employees.
Data classification must highlight which data is most valuable to the organization.
Classify data in the most effective manner, classifying the highest-risk data first.

Summary
Data classification based on the military scheme
Risk management policies for the private and public sector
Roles and responsibilities associated with risk management policies
Data handling policies
Quality Assurance (QA) and Quality Control (QC)
Risk and Control Self-Assessments (RCSA)
Security Policies and Implementation Issues
Week 7 IT Infrastructure Security Policies
10/8/2017

Key Concepts
Elements of an infrastructure security policy
Policies associated with various domains of a typical IT infrastructure
Best practices in creating and maintaining IT policies

Key Purpose of an IT Infrastructure Policy
Provide technical knowledge of:
The interaction of various layers of the network
The placement of key controls
The types of risks to be detected and guarded against

Three Ways to Organize Policies
Domain
Logical way to review policies and requirements
The seven domains are a common taxonomy, or classification system, across the industry
Different domains may have different security requirements
Functional Area
Used in mature companies whose processes rarely change
Advantage: May be tailored to a specific audience
Disadvantage: Functional areas may change due to organizational realignments
Layers of Security
Also known as defense in depth
Multiple security controls within the network perimeter, operating system, applications, and database, for example
Constantly changing technology presents challenges
Number of layers of security required varies depending on the needs of the company

Seven Domains of a Typical IT Infrastructure (figure)

Policy Organization
Requirements may cross domains
Malware protection
Password/Authentication requirements
Requirements may conflict between domains
Policies will vary among organizations
Use standard document types to identify domain security control requirements

Creating Policy Documents
Documents should:
Differentiate between core requirements and technological requirements
Follow a standard format
Remain relevant without constant modification
Not contain duplicate content

Policy Documents
Control Standards: Policy statements concerned with core requirements
Baseline Standards: Minimum security requirements for specific technologies
Procedure Documents: Implementation processes; each baseline standard needs a procedure
Guidelines: Recommendations
Dictionary: Used in the policies that define the scope and meaning of terms used

Workstation Domain
Workstation: End user devices (laptops, desktops, mobile devices); focus on physical and logical security
Control Standards: Device management; User permissions; Align with functional responsibilities
Baseline Standards: Specific technology requirements for each device; Review standards from vendors or organizations
Procedures: Step-by-step configuration instructions
Guidelines: Acquisitions (e.g., preferred vendors); Description of threats and countermeasures

LAN Domain
LAN: Local area network infrastructure (servers, network infrastructure); focus on connectivity and traffic management
Control Standards: Firewalls; Denial of Service; Align with functional responsibilities
Baseline Standards: Specific technology requirements for each device; Review standards from vendors or organizations
Procedures: Step-by-step configuration
Guidelines: Acquisitions (e.g., preferred vendors); Description of threats and countermeasures

LAN-to-WAN Domain
LAN to WAN: Connects the LAN to an outside network (e.g., Internet); focus on securing resources that bridge internal and external networks
Control Standards: Access control to the Internet; Traffic filtering
Baseline Standards: Specific technology requirements for perimeter devices
Procedures: Step-by-step configuration
Guidelines: DMZ, IDS/IPS, content filtering

WAN Domain
WAN: Wide Area Network (e.g., Internet) services and hardware; focus on WAN connection management and DNS
Control Standards: WAN management, Domain Name Services, router security, protocols, Web services
Baseline Standards: Review standards from vendors or organizations
Procedures: Step-by-step configuration of routers and firewalls; Change management
Guidelines: When and how Web services may be used; DNS management within the LAN and WAN environments

Remote Access Domain
Remote Access: End user remote connection technology; focus on authentication and connection
Control Standards: VPN connections; Multi-factor authentication
Baseline Standards: VPN gateway options; VPN client options
Procedures: Step-by-step VPN configuration and debugging
Guidelines: Description of threats; Security of remote computing environments, such as working from home

System/Application Domain
System/Application: Data processing and storage technology; focus on security issues associated with applications and data
Control Standards: Firewalls; Denial of Service; Align with functional responsibilities
Baseline Standards: Specific technology requirements for each device; Review standards from vendors or organizations
Procedures: Step-by-step configuration
Guidelines: Acquisitions (e.g., preferred vendors); Description of threats and countermeasures

Telecommunications Policies
Telecommunications: Technology, service, or system that provides transmission of electronic data and information
Control Standards: Protect with FIPS encryption; Segregation of data and voice networks
Baseline Standards: Specific technology requirements for each device; Review standards from vendors or organizations
Procedures: Step-by-step configuration
Guidelines: May include VoIP systems architecture and security guidelines

Best Practices for IT Infrastructure Security Policies
Select a framework, such as ISO or COBIT
Develop requirements and standards based on the framework
Review what others have done and adapt that work to meet your needs before creating content

Best Practices for IT Infrastructure Security Policies (Continued)
Make your policies and standards available to anyone expected to follow them
Keep content cohesive
Keep content coherent
Maintain the same "voice" throughout a single document

Best Practices for IT Infrastructure Security Policies (Continued)
Add only the information necessary to convey the message
Stay on the message
Make your library searchable
Federate ownership to where it best belongs

Roles and Responsibilities
Information Security (IS) Manager: Policy creation, application, and alignment with organizational goals
IT Auditor: Ensuring that controls are in place per policy
System/Application Administrator: Applying controls to the Workstation, LAN, and LAN-to-WAN Domains

Lack of Controls
With a lack of controls, all of the following and more are possible:
Workstations would have different configurations
LANs would allow unauthorized traffic
WANs would have vulnerabilities
Network devices would not be configured the same
Users would have access to data they are not directly working with

Case Studies
Smaller bank wants to clear checks with a larger bank: X9.37; 3rd party used; Baseline standard change and procedural changes
State of Maryland Online Health Records: Information Technology Support Division (ITSD) requirements; Controlled change statewide; HIPAA
Telvent: Monitors and supports the energy industry in the US and Canada; Breach of their firewall and network; SCADA system never intended to be online; Did segmentation; Both test and production environments compromised
  • 53. Summary Elements of an infrastructure security policy Policies associated with various domains of a typical IT infrastructure Best practices in creating and maintaining IT policies Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 10/8/2017 22 Security Policies and Implementation Issues Chapter 9 User Domain Policies © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
  • 54. 1 Learning Objective Describe the different information systems security (ISS) policies associated with the User Domain. Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 10/1/2017 2 Key Concepts Reasons for governing users with policies Regular and privileged users Acceptable use policy (AUP) and privileged-level access agreement (PAA) Security awareness policy (SAP) Differences between public and private User Domain policies Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
  • 55. 10/1/2017 3 The User as the Weakest Link in the Security Chain Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 10/1/2017 4 Social engineering can occur at any time within any organization Human mistakes often occur and can lead to security breaches People that use computers have different skill levels, thus have different perceptions on information security
  • 56. The User as the Weakest Link in the Security Chain Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 10/1/2017 5 One of the most significant threats come from within an organization from an “Insider” Applications have weaknesses that are not known and these weaknesses can be exploited by users either knowingly or unknowingly Security awareness training can remove this weakest link in the security chain Different Types of Users Within an Organization
  • 57. Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 10/1/2017 6 Employees System admins Security personnel Contractors Vendors Guests and general public Control partners
  • 58. Example of User Types Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 10/1/2017 7 Contingent and System Accounts Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
  • 59. Contingent Accounts Need unlimited rights to install, configure, repair, and recover networks and applications, and to restore data System Accounts Need elevated privileges to start, stop, and manage system services Credentials are prime targets for hackers IDs are not assigned to individuals until a disaster recovery event is declared Accounts can be interactive or non-interactive System accounts are also referred to as “service accounts”
  • 60. User Access Requirements Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Each user requires different levels of access to applications and information within the organization Users require information from different systems across the organization to do their jobs The data coming from different systems often has different security controls The different role each user has within the organization can create security challenges 10/1/2017 9 Users require different access Users require information from different systems Data has different security controls
  • 61. Differences and Similarities in User Domain Policies Similarities Private organizations may follow public-compliance laws depending on their governance requirements Public organizations may be small is size and thus have similar control over their user populations Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 10/1/2017 10 Differences and Similarities in User Domain Policies Differences Public organizations must follow Sarbanes Oxley Compliance (SOX), Health Insurance Portability and Accountability Act (HIPAA), and other compliance laws Private organizations are often smaller and easier to control from a user standpoint Private organizations may not follow public-compliance laws
  • 62. Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 10/1/2017 11 Acceptable Use Policy (AUP) Attempts to protect an organization’s computers and network Addresses password management Addresses software licenses Addresses intellectual property management Describes e-mail etiquette Describes the level of privacy an individual should expect when using an organization’s computer or network Describes noncompliance consequences Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 10/1/2017 12 Privileged-Level Access Agreement (PAA)
  • 63. Acknowledges the risk associated with elevated access in the event the credentials are breached or abused Asks user to promise to use access only for approved organization business Asks user to promise not to attempt to “hack” or breach security Asks user to promise to protect any output from these credentials such as reports, logs, files, and downloads Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 10/1/2017 13 Security Awareness Policy (SAP) Addresses: Basic principles of information security Awareness of risk and threats Dealing with unexpected risk Reporting suspicious activity, incidents, and breaches Building a culture that is security and risk aware Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
  • 64. 10/1/2017 14 Roles and Responsibilities: Who Needs Training? Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Executive Managers Responsible for governance and compliance requirements, and funding and policy support Program and Functional Managers Responsible for security management, planning, and implementation; also risk management and contingency planning IT Security Program Managers Responsible for broad training in security planning, system and application security management, risk management, and contingency planning Auditors Responsible for broad training in security planning, system and application security management, risk management, and contingency planning All Users Responsible for basic security 10/1/2017 15 All Users
  • 65. Program and Functional Managers IT Security Program Managers Auditors IT Function Management and Operations Personnel Executive Managers Best Practices for User Domain Policies Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Attachments—Never open an e-mail attachment from a source that is not trusted or known
  • 66. Encryption—Always encrypt sensitive data that leaves the confines of a secure server Least privilege— Individuals should only have the access necessary to perform their responsibilities Unique identity—All users must use unique credentials Virus protection—Virus and malware prevention must be installed on every desktop and laptop computer Layered defense—Use an approach that establishes overlapping layers of security Patch management—All network devices should have the latest security patches Lease Access Privilege and Best Fit Access Privilege Page ‹#› Security Policies and Implementation Issues
  • 67. © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Least Access Privileges Customizes access to the individual Best Fit Privileges Customizes access to the group or class of users Who Develops User Policies Chief financial officer (CFO) Chief operations officer (COO) Information security manager IT manager Marketing and sales manager Unit manager Materials manager Purchasing manager Inventory manager
  • 68. Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. 10/1/2017 18 Case Studies Government Laptop compromised Collapse of Barings Bank Unauthorized access to Defense Department Systems Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Summary Different user types and user access requirements in an organization SAP, AUP, and PAA Roles and responsibilities associated with user policies User policies in public and private organizations Page ‹#› Security Policies and Implementation Issues © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning
• 69.
Security Policies and Implementation Issues
Chapter 8: IT Security Policy Framework Approaches

Learning Objective
Describe the different methods, roles, responsibilities, and accountabilities of personnel, along with the governance and compliance of a security policy framework.
• 70.
Key Concepts
- Different methods and best practices for approaching a security policy framework
- Importance of defining roles, responsibilities, and accountability for personnel
- Separation of duties (SoD)
- Importance of governance and compliance

Information Systems Security Policy Frameworks
- Choosing the framework that works in your organization is not easy
• 71.
  - The one selected will be based on the organizational type, the risk, and the view from top management
- Use a simplified security policy framework domain model
  - Federal Information Security Management Act of 2002 (FISMA)
  - Committee of Sponsoring Organizations (COSO)
  - Control Objectives for Information and related Technology (COBIT), used for SOX 404 in publicly traded organizations
  - ISO 17799 (27002), ISO 20000 (ITIL), NIST, OCTAVE, and PCI DSS (if you process payments electronically)
- Frameworks are flexible and allow an organization to adopt constructs that fit its overall governance and compliance planning requirements
• 72.
IT Security Policy Framework Domain Model (figure)

Risk IT Framework Process Model (figure)

Roles
• 73.
- Head of information management
- Data stewards
- Data custodians
- Data administrators
- Data security administrators

Roles and Responsibilities
- Executive management: responsible for governance and compliance requirements, funding, and policy support
- Chief information officer (CIO)/chief security officer (CSO): responsible for policy creation, reporting, funding, and support
- Chief financial officer (CFO)/chief operating officer (COO): responsible for data stewardship; owners of the data
• 74.
Roles and Responsibilities (Continued)
- System administrators/application administrators: responsible for custodianship of the data, maintaining the quality of the data, and executing the policies and procedures pertaining to the data, such as backup, versioning, updating, downloading, and database administration
- Security administrator: responsible for granting access, assessing threats to the data, and the information assurance (IA) program

Committees (figure)

Separation of Duties (SoD)
- Layered security approach
- SoD duties fall within each IT domain
• 75.
- Applying SoD can and will reduce both fraud and human error

Layered security approach: using layered security provides redundancy, so if one layer fails to catch a risk, another layer should. Thus, the more layers, the better the chance that a risk will be mitigated. However, each layer deployed also brings its own cost and restrictions.

Domain of responsibility and accountability: SoD duties fall within each individual domain, and applying SoD reduces both fraud and human error.

Information Technology (IT) Security Controls
- IT security controls are a function of the IT infrastructure an organization has under its control and of the regulatory and business objectives that need to be controlled
- You can have too many IT security controls, impeding the organization from operating at optimal capacity and thus reducing its revenue potential
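The two ideas above that an access reviewer actually has to operationalize are the least-access versus best-fit distinction (slide 67: grants to the individual versus grants to a class of users) and SoD (no one person holds two duties that together enable fraud or error). The following is an added example, not code from the textbook: it computes each user's effective permissions from role bundles (best fit) and individual grants (least access), records where each permission came from, and then reports SoD conflicts and permissions beyond what the job requires. Every role, permission, conflict pair and user in it is constructed sample data, not a real policy.

```python
"""
Access-review check (constructed example, not from the textbook):
effective permissions = best-fit role grants + least-access direct grants,
then flag separation-of-duties conflicts and excess (non-required) access.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Best-fit privileges: a role bundles the access a whole class of users gets.
# Hypothetical role and permission names for illustration only.
ROLES: Dict[str, FrozenSet[str]] = {
    "ap_clerk":    frozenset({"vendor.create", "invoice.enter"}),
    "ap_manager":  frozenset({"invoice.enter", "payment.approve"}),
    "developer":   frozenset({"code.write", "change.submit"}),
    "release_mgr": frozenset({"change.approve", "prod.deploy"}),
}

# SoD policy: pairs of duties that one person must never hold together.
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("vendor.create", "payment.approve"),  # could pay a vendor they invented
    ("change.submit", "change.approve"),   # could approve their own change
    ("code.write", "prod.deploy"),         # could ship unreviewed code
]


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)     # best-fit grants
    direct: Set[str] = field(default_factory=set)    # least-access grants
    required: Set[str] = field(default_factory=set)  # what the job needs


def effective_permissions(user: User) -> Dict[str, Set[str]]:
    """Map each held permission to the sources ('role:<name>' or 'direct') granting it."""
    sources: Dict[str, Set[str]] = {}
    for role in user.roles:
        for perm in ROLES.get(role, frozenset()):
            sources.setdefault(perm, set()).add(f"role:{role}")
    for perm in user.direct:
        sources.setdefault(perm, set()).add("direct")
    return sources


def sod_violations(user: User) -> List[Tuple[str, str, str]]:
    """Return (duty_a, duty_b, granting sources) for every toxic combination held."""
    perms = effective_permissions(user)
    hits: List[Tuple[str, str, str]] = []
    for a, b in SOD_CONFLICTS:
        if a in perms and b in perms:
            via = ", ".join(sorted(perms[a] | perms[b]))
            hits.append((a, b, via))
    return hits


def excess_permissions(user: User) -> Set[str]:
    """Least-privilege gap: permissions held that the job does not require."""
    return set(effective_permissions(user)) - user.required


def review(users: List[User]) -> Dict[str, dict]:
    """Run both checks over a population; the result is what an access review signs off on."""
    return {
        u.name: {"sod": sod_violations(u), "excess": sorted(excess_permissions(u))}
        for u in users
    }


# Constructed sample population.
SAMPLE_USERS = [
    # Best-fit only: two role bundles together create a toxic combination.
    User("alice", roles={"ap_clerk", "ap_manager"},
         required={"vendor.create", "invoice.enter"}),
    # Least-access only: granted exactly what the job needs, no conflict.
    User("bob", direct={"change.submit", "code.write"},
         required={"change.submit", "code.write"}),
    # A direct grant layered on a role reintroduces a conflict the role avoided.
    User("carol", roles={"release_mgr"}, direct={"code.write"},
         required={"change.approve", "prod.deploy"}),
]

if __name__ == "__main__":
    for name, findings in review(SAMPLE_USERS).items():
        print(name, findings)
```

The source attribution in each finding is the practical part: alice's conflict comes entirely from two best-fit bundles, so the fix is in the role design, not the user; carol's comes from a direct grant on top of a clean role, so the fix is in the exception process that issued it.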
• 76.
Information Technology (IT) Security Controls (Continued)
Generic IT security controls as a function of a business model:
- Deploy a layered security approach
- Use an SoD approach; this applies to transactions within the domain of responsibility
- Conduct security awareness training annually

Information Technology (IT) Security Controls (Continued)
Apply the three lines of defense model:
- First line: the business unit
- Second line: the risk management team
- Third line: independent auditors

Importance of Governance and Compliance
- Implementing a governance framework can allow an organization to identify and mitigate risks in an orderly fashion
- Can be a cost reduction move for organizations, as they can
• 77.
  easily respond to audit requests
- A well-defined governance and compliance framework provides a structured approach
- Can provide a common language

Importance of Governance and Compliance (Continued)
- Is also a best-practice model for organizations of all shapes and sizes
- Controls and risks become measurable with a framework
- Organizations with a governance and compliance framework can operate more efficiently
- If you can measure the organization against a fixed set of standards and controls, you have won

Security Policy Framework: Six Business Risks
• 78.
- Strategic risk is a broad category focused on an event that may change how the organization operates
- Compliance risk relates to the impact of the business failing to comply with legal obligations
- Financial risk is the potential impact when the business fails to have adequate liquidity to meet its obligations
- Operational risk is a broad category that describes any event that disrupts the organization's daily activities
- Reputational risk results from negative publicity regarding an organization's practices; this type of risk could lead to a loss of revenue or to litigation
- Other risk is a broad category that relates to all other non-IT-specific events
• 79.
Best Practices: Security Policy Framework
- Using a risk management approach to framework implementation reduces the highest risk to the organization
- ISACA COBIT framework for SOX 404 requirements for publicly traded organizations
- Aligning the organization's security policy with business objectives and regulatory requirements

Best Practices: Security Policy Framework (Continued)
- Which best-practice methodology to use is best answered by organizational requirements and governmental regulations
• 80.
GRC and ERM

Governance, Risk Management, and Compliance (GRC)
- A discipline formally bringing together risk and compliance
- GRC best practices: ISO 27000 series, COBIT, COSO

Enterprise Risk Management (ERM)
• 81.
- Follows common risk methodologies

Similarities Between GRC and ERM
- Defines risk in terms of business threats
- Applies flexible frameworks to satisfy multiple compliance regulations
- Eliminates redundant controls, policies, and efforts
• 82.
Similarities Between GRC and ERM (Continued)
- Proactively enforces policy
• 83.
- Seeks line of sight into the entire population of risks

Differences Between GRC and ERM
- GRC focuses on technology: a series of tools and centralized policies
- ERM focuses on value delivery, takes a broad look at risk based on the adoption driven by the organization's leadership, and shifts the discussion from what the organization should spend to how the organization spends money mitigating risk
• 84.
Case Studies
- Hamburger chain: POS Wi-Fi hotspot
- Edward Snowden: excessive access
- Penetration testing
- Adnoc Distribution: inadequate funding of IT

Summary
• 85.
- Information systems security policy frameworks and IT security controls
- Difference between GRC and ERM
- Business risks associated with a security policy framework
- Roles and responsibilities associated with an information systems security policy framework, and SoD

Security Policies and Implementation Issues
Lecture 5: How to Design, Organize, Implement, and Maintain IT Security Policies

Learning Objective
• 86.
Describe how to design, organize, implement, and maintain IT security policies.
9/24/2017

Key Concepts
- Core principles of policy and standards design
- Implementing policy and libraries
- Policy change control board purpose and roles
- Business drivers for policy and standards changes
- Best practices for policy management and maintenance

Who, what, when, where, why, and how?
• 87.
YouTube: The Electric Company, The Good Charlotte

Architectural Operating Model: Four Business Model Concepts
- Diversified: the technology solution has a low level of integration and standardization with the enterprise; exchange of data and use of services outside the business unit itself is minimal
- Coordinated: the technology solution shares data across the enterprise;
• 88.
  the level of shared services and standardization is minimal
- Replicated: the technology solution shares services across the enterprise; the level of data sharing is minimal
- Unified: the technology solution both shares data and has standardized services across the enterprise

Notes: The book explains ways to analyze and categorize the primary operating model of the business based on these four key concepts, which we review to understand how IT policies and standards align. Why? By focusing on the business model and the processes in which the company must execute well, this model provides a
• 89.
baseline approach to understanding the IT systems needed to digitize those processes, or the level of automation they need. Examples in the book profile companies around the world to illustrate how constructing the right enterprise architecture can enhance profitability and time to market, facilitate competitive positioning, improve strategy execution, and affect IT costs.

Enterprise Architecture As A Strategy: Creating a Foundation for Business Execution

Aligning Operating Model Concepts (figure)

Policy and Standards Development Core Principles
• 90.
- Accountability
- Awareness
- Ethics
- Multidisciplinary
- Proportionality
- Integration

Policy and Standards Development Core Principles (Continued)
• 91.
- Defense in depth
- Timeliness
- Reassessment
- Democracy
- Internal control
- Adversary
• 92.
Policy and Standards Development Core Principles (Continued)
- Least privilege
- Separation of duties
- Continuity
- Simplicity
- Policy-centered security
• 93.
Transparency with Customer Data
- Transparency
- Individual participation
- Purpose specification
- Use limitation
- Data minimization
• 94.
Security Controls Categorization Schemes
What is the control?
- Administrative controls
- Technical controls
- Physical controls
What does the control do?
- Preventive security controls
- Detective or response controls
- Corrective controls
• 95.
- Recovery controls

ISO/IEC 27002
ISO/IEC 27002 Notice Board: http://www.iso27001security.com/html/27002.html

Understanding Taxonomy
Introduction to ISO 15926, April 14, 2014, http://infowebml.ws/intro/index.htm

A Policy and Standards Library Taxonomy (figure)
• 96.
A Policy and Standards Library Taxonomy (Continued)
- Control standards branch out from the Access Control (IS-POL-800) framework policy.

A Policy and Standards Library Taxonomy (Continued)
• 97.
- Baseline standards and procedures provide additional branches of the library tree.

A Policy and Standards Library Taxonomy (Continued)
- Guidelines provide additional branches of the library tree.

Implementing Policies and Libraries
Implementing your policies and libraries entails three major steps:
• 98.
- Reviews and approvals for your documents
- Publication of the documents
- Awareness and training
(figure labels: Build consensus; Publication; Awareness training; Reviews/approvals)

Members of the Policy Change Control Board
- Information security
- Compliance management
- Auditing
- Human resources (HR)
- Leadership from the key information business units
- Project managers (PMs)
• 99.
Members come from the functional areas of the organization. The role of each member is to approve changes to the policies, reflecting alignment to business objectives. Each functional area oversees the policies pertaining to its respective area of responsibility, while also playing a role in the approval of policy changes that affect the organization as a whole.

Policy Change Control Board
- Assess policies/standards and recommend changes
• 100.
- Coordinate requests for change (RFCs)
- Ensure that changes support the organization's mission and goals
- Review requested changes
- Establish a change management process

Best Practices for Policy Maintenance
• 101.
- Updates and revisions
- Exceptions and waivers
- Requests from users and management
- Changes to the organization

Business Drivers for Policy and Standards Changes
• 102.
- Business-as-usual developments
- Business exceptions
- Business innovations
- Business technology innovations
- Strategic changes

Summary
- Core principles of policy and standards design
- Implementing policy and libraries
- Policy change control board purpose and roles
- Business drivers for policy and standards changes
- Best practices for policy management and maintenance
• 103.
Security Policies and Implementation Issues
Chapter 6: IT Security Policy Frameworks

Learning Objective
Describe the components and basic requirements for creating a security policy framework.
• 104.
Key Concepts
- Key building blocks of a security policy framework
- Types of documents for a security policy framework
- Information systems security (ISS) and information assurance considerations
- Process to create a security policy framework

Policy and Standards Library Framework (figure)
• 105.
Policy Framework Components (figure)
- Policy: defines how an organization performs and conducts business functions and transactions with a desired outcome
- Standards: an established method implemented organization-wide
- Procedures: the steps required to implement a process
• 106.
- Guidelines: a parameter within which a policy, standard, or procedure is suggested

Common Frameworks
- Control Objectives for Information and related Technology
• 107.
  (COBIT)
- ISO/IEC 27000 series
- National Institute of Standards and Technology (NIST) Special Publications; example: SP 800-53, "Recommended Security Controls for Federal Information Systems and Organizations"

Access Control Policy Branch
Access Control Policy Branch of a Policy and Standards Library (figure)

External and Internal Factors Affecting Policies
- Policies must align with the business model or objective to be
• 108.
  effective
- External factors: regulatory and governmental initiatives
- Internal factors: culture, support, and funding

Creating a Security Policy Framework
- Set a budget
- Assemble a team
- Select a commonly accepted framework as a foundation: COBIT, ISO/IEC 27000 series, NIST SPs
- Use a content management system, if possible
- Cross-reference your security documents with standards
- Coordinate development with other departments in the organization
• 109.
Creating a Security Policy Framework (Continued)
• 110.
Roles Related to a Policy and Standards Library
• 111.
- CISO: establishes and maintains security and risk management programs for information resources
- Information resources manager: maintains policies and procedures that provide for security and risk management of information resources
- Information resources security officer: directs policies and procedures designed to protect information resources; identifies vulnerabilities; develops the security awareness program
- Owners of information resources: responsible for carrying out the program that uses the resources. This does not imply personal ownership; these individuals may be regarded as program managers or delegates for the owner
- Custodians of information resources: provide technical facilities, data processing, and other support services to owners and users of information resources
- Technical managers (network and system administrators): provide technical support for the security of information resources
- Internal auditors: conduct periodic risk-based reviews of information resources security policies and procedures
- Users: have access to information resources in accordance with the owner-defined controls and access rules
• 112.
Roles Related to a Policy and Standards Library (Continued)
• 113.
• 114.
Case Studies on Security Policy Framework Creation
• 115.
Public sector case studies
- Health care organization with 7,000 devices: incomplete inventory; no easy way to classify assets; subject to HIPAA; used NIST SP 800-53 to establish the framework
- State of Tennessee: used ISO/IEC 17799 (27002); policies and frameworks covered all information assets owned, leased, or controlled by the State of Tennessee

Private sector case study
• 116.
- Target Corporation: 1,797 US and 127 Canadian stores; December 2013 point-of-sale (POS) data breach; 40 million credit card records stolen; 70 million records containing PII; one of the largest data breaches of its kind

Information Assurance and Information Systems Security
• 117.
Information assurance (IA)
- Protecting information during processing and use
- The five pillars
- Implementation of appropriate accounting and other integrity controls
- Development of systems that detect and thwart attempts to perform unauthorized activity

Information systems security (ISS)
- Protecting information and the systems that store and process the information
- Automation of security controls, where possible
- Assurance of a level of uptime for all systems

(figure: Security Policy Framework spanning IA and ISS)
• 118.
Information Systems Security Considerations
- Unauthorized access to and use of the system
- Unauthorized disclosure of the information
- Disruption of the system or services
- Modification of information
- Destruction of information resources

Summary
• 119.
- Considerations for information assurance and information security
- Process to create a security policy framework
- Factors that affect policies and the best practices to maintain policies