Security Policies and Implementation Issues
Chapter 12
Incident Response Team (IRT) Policies
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
7/17/2014

Learning Objective
Describe the different information systems security (ISS) policies associated with incident response teams (IRTs).

Key Concepts
Incident response policies
Team members associated with incident response
Emergency services related to IRTs
Policies specific to incident response support services
Policies associated with handling the media and what to disclose
Business impact analysis (BIA) policies
Business continuity plan (BCP) policies
Disaster recovery plan (DRP) policies

Incident Response Team (IRT)
Cross-functional team
Organized and coordinated
Various skills
Usually only responds to major incidents
Minor incidents considered part of normal operations

Definition of an Incident
Any event that violates security policy
Unauthorized access to data
Unauthorized modification of data
Disruption of service

Classifying Breach by Attack Vector

Attack Vectors
SQL injection
Malicious code or malware
Insecure remote access
Insecure wireless
Improperly segmented network environment

Classifying an Incident
Develop a classification system
Varies by industry type
Should meet legal and regulatory obligations
Common approach is to use categories that assess threat level:
  Malicious code
  Denial of Service
  Unauthorized access
  Inappropriate usage

Major vs. minor
Major incidents are significant
Determination based on risk to the organization

Forming an Incident Response Team
Develop a charter
Determine IRT model
Set goals (e.g., response time)
Identify team members

Team Members
Information Technology
Information Security
Human Resources
Legal
Public Relations

Charter Sections
Summary
Mission Statement
Methods
How goals are achieved
Member management
For team members
Communications
Level of authority
Source of authority

IRT Models
On-Site Response: Full authority to contain breach
Supporting Role: Technical assistance to local team
Coordination: Coordinates several local teams

Roles and Responsibilities
IRT Manager
This individual makes all the final calls on how to respond to an incident and is the interface with management
IRT Coordinator
Acts as the official scribe of the team; all activity flows through this person, who maintains the official records of the team
Users
May have a supporting role in the IRT as data owner representatives
System Administrators
The subject matter experts (SMEs) chosen for each incident response effort will vary depending upon the type of incident and affected system(s)
Information Security Personnel
These team members may also have specialized forensic skills needed to collect and analyze evidence
Management
Ultimately, management is held accountable for the outcome of the incident response effort

Incident Response Support Services
This is a broad category that means any team that supports the organization’s information technology (IT) and business processes
Example: The help desk is a support services team
During an incident, the help desk may be in direct contact with the customer who is impacted by the attack
The help desk, at that point, becomes a channel of information on the incident
It is vital that the help desk, during an incident, works from a script of key talking points about the incident

The Incident Response Process
Plan and Train
Discover and Report Incident
Contain
Clean Up
Analyze and Prevent
Report

BIA Policies
Identifies assets required for the business to recover and continue doing business
BIA may be based on multiple worst-case scenarios
Key assets include critical resources, systems, facilities, personnel, and records
BIA should contain security breach scenarios

BIA Policies (Continued)
Identifies recovery times
Used for information security and non–information security purposes
Identifies adverse effects on the organization
Identifies key components

Key Objectives of the Business Impact Analysis (BIA) Policy
Identify resources required to recover each component
Identify human assets needed to recover these components
Identify dependencies, such as other BIA components

Business Continuity Planning Policies
Creates a road map for continuing business operations after a major outage or disruption of services
Establishes the requirement to create and maintain the plan
Provides guidance for building a plan
Includes key assumptions, accountability, and frequency of testing

Business Continuity Planning Policies (Continued)
Must clearly define responsibilities for creating and maintaining a BCP
Identifies responsibilities for its execution
Covers the business’s support structure

BIA, BCP, and DRP
BIA: Drives the requirements for the BCP
BCP: Drives the requirements for the DRP
DRP: Policies needed to recover IT assets after a major outage

Best Practices in Incident Response
Effectiveness of the IRT and its related policies needs to be measured
Measurement should be published annually with a comparison to prior years

Best Practices in Incident Response (Continued)
Measurements should include the goals in the IRT charter, plus additional analytics to indicate the reduction of risk to the organization, such as:
  Number of incidents
  Number of repeat incidents
  Time to contain per incident
  Financial impact to the organization

Summary
Incident classifications
Roles and responsibilities associated with incident response team policies
Incident support services
Best practices for creating incident response team policies
BIA, BCP, and DRP policies

Security Policies and Implementation Issues
Chapter 11
Data Classification and Handling Policies and Risk Management Policies

Learning Objective
Describe the different information systems security (ISS) policies associated with risk management.

Key Concepts
Business risks related to information systems
Risks associated with the selected business model
Differences between public and private risk management policies
Risk and Control Self-Assessments (RCSA)
Quality Assurance (QA) and Quality Control (QC)

Purpose of Data Classification
Protect information
Retain information
Recover information

Legal Classification Scheme
Prohibited Information
Confidential Information
Unrestricted Information
Restricted Information

Military Classification Scheme
The U.S. military classification scheme is defined in the National Security Information document, Executive Order (EO) 12356
Top Secret—Data whose unauthorized disclosure could reasonably be expected to cause grave damage to the national security
Secret—Data whose unauthorized disclosure could reasonably be expected to cause serious damage to the national security
Confidential—Data whose unauthorized disclosure could reasonably be expected to cause damage to the national security

Military Classification Scheme (Continued)
Unclassified data has two classification levels:
Sensitive but unclassified—Confidential data not subject to release under the Freedom of Information Act
Unclassified—Data available to the public

Declassification of Government Data

Business Classification Scheme
Highly Sensitive: Mission critical data
Sensitive: Data that is important but not vital to the business mission
Internal: Data not related to the core business, such as routine communications within the organization
Public: Data that has no negative impact on the business when released to the public

Developing a Customized Classification Scheme
Determine number of classification levels
Define each classification level
Name each classification level
Align classification to specific handling requirements
Define audit and reporting requirements

Classifying Data
You need to consider two primary issues when classifying data:
-Data ownership
-Security controls
These two issues help you drive maximum value from the data classification effort.

Data Handling Policies
Policies, standards, and procedures must be defined regarding data during:
Creation—During creation, data must be classified. That could be as simple as placing the data within a common storage area.
Access—Access to data is governed by security policies. Special guidance is provided on separation of duties (SoD).
Use—Use of data includes protecting and labeling information properly after its access.
Transmission—Data must be transmitted in accordance with policies and standards.

Data Handling Policies (Continued)
Storage—Storage devices for data must be approved. This ensures that access to the device is secured and properly controlled.
Physical Transport—Transport of data must be approved. This ensures that data leaving the confines of the private network is protected and tracked.
Destruction—Destruction of data is sometimes called “disposal.” When an asset reaches its end of life, it must be destroyed in a controlled procedure.

Database Encryption Attack Scenarios

Data Classification of Volume versus Time to Recover

Risk Management Process

Risk and Control Self-Assessment (RCSA)
What the major known risks are
Which of these risks will limit the ability of the organization to complete its mission
What plans are in place to deal with these risks
Who “owns” the management and monitoring of these risks

Risk Management Policies
Risk avoidance is primarily a business decision; however, the differences between public and private organizations are clear:
Public organizations cannot avoid high risk, such as police departments
Private organizations can avoid risk with strategic decisions, such as placing their data centers out of storm paths

Risk Management Policies (Continued)
The power to choose what risk to accept is the main difference between public and private organizations

Risk Management Strategies
Risk avoidance—Not engaging in certain activities that can incur risk
Risk acceptance—Accepting the risk involved in certain activities and addressing any consequences that result
Risk transference—Sharing the risk with an outside party
Risk mitigation—Reducing or eliminating the risk by applying controls

Quality Assurance vs. Quality Control
Quality Assurance: The act of giving confidence, the state of being certain, or the act of making certain
Quality Control: An evaluation to indicate needed corrective responses; the act of guiding a process in which variability is attributable to a constant system of chance causes

Best Practices for Data Classification and Risk Management Policies
Keep the classification simple—no more than three to five data classes.
Ensure that data classes are easily understood by employees.
Data classification must highlight which data is most valuable to the organization.
Classify data in the most effective manner, addressing the highest-risk data first.

Summary
Data classification based on military scheme
Risk management policies for private and public sector
Roles and responsibilities associated with risk management policies
Data handling policies
Quality Assurance (QA) and Quality Control (QC)
Risk and Control Self-Assessments (RCSA)

Security Policies and Implementation Issues
Week 7
IT Infrastructure Security Policies
10/8/2017

Key Concepts
Elements of an infrastructure security policy
Policies associated with various domains of a typical IT infrastructure
Best practices in creating and maintaining IT policies

Key Purpose of an IT Infrastructure Policy
Provide technical knowledge of:
  The interaction of various layers of the network
  The placement of key controls
  The types of risks to be detected and guarded against

Three Ways to Organize Policies
Domain
  Logical way to review policies and requirements
  The seven domains are a common taxonomy, or classification system, across the industry
  Different domains may have different security requirements
Functional Area
  Used in mature companies whose processes rarely change
  Advantage: May be tailored to a specific audience
  Disadvantage: Functional areas may change due to organizational realignments
Layers of Security
  Also known as defense in depth
  Multiple security controls within the network perimeter, operating system, applications, and database, for example
  Constantly changing technology presents challenges
  Number of layers of security required varies depending on the needs of the company

Seven Domains of a Typical IT Infrastructure

Policy Organization
Requirements may cross domains
  Malware protection
  Password/authentication requirements
Requirements may conflict between domains
Policies will vary among organizations
Use standard document types to identify domain security control requirements

Creating Policy Documents
Documents should:
  Differentiate between core requirements and technological requirements
  Follow a standard format
  Remain relevant without constant modification
  Not contain duplicate content

Policy Documents
Control Standards: Policy statements concerned with core requirements
Baseline Standards: Minimum security requirements for specific technologies
Procedure Documents: Implementation processes; each baseline standard needs a procedure
Guidelines: Recommendations
Dictionary: Defines the scope and meaning of terms used in the policies

Workstation Domain
Workstation: End user devices (laptops, desktops, mobile devices)
Focus on physical and logical security
Control Standards
  Device management
  User permissions
  Align with functional responsibilities
Baseline Standards
  Specific technology requirements for each device
  Review standards from vendors or organizations
Procedures
  Step-by-step configuration instructions
Guidelines
  Acquisitions (e.g., preferred vendors)
  Description of threats and countermeasures

LAN Domain
LAN: Local area network infrastructure (servers, network infrastructure)
Focus on connectivity and traffic management
Control Standards
  Firewalls
  Denial of Service
  Align with functional responsibilities
Baseline Standards
  Specific technology requirements for each device
  Review standards from vendors or organizations
Procedures
  Step-by-step configuration
Guidelines
  Acquisitions (e.g., preferred vendors)
  Description of threats and countermeasures

LAN-to-WAN Domain
LAN to WAN: Connects the LAN to an outside network (e.g., the Internet)
Focus on securing resources that bridge internal and external networks
Control Standards
  Access control to the Internet
  Traffic filtering
Baseline Standards
  Specific technology requirements for perimeter devices
Procedures
  Step-by-step configuration
Guidelines
  DMZ, IDS/IPS, content filtering

WAN Domain
WAN: Wide Area Network (e.g., Internet) services and hardware
Focus on WAN connection management, DNS
Control Standards
  WAN management, Domain Name Services, router security, protocols, Web services
Baseline Standards
  Review standards from vendors or organizations
Procedures
  Step-by-step configuration of routers and firewalls
  Change management
Guidelines
  When and how Web services may be used
  DNS management within the LAN and WAN environments

Remote Access Domain
Remote Access: End user remote connection technology
Focus on authentication and connection
Control Standards
  VPN connections
  Multi-factor authentication
Baseline Standards
  VPN gateway options
  VPN client options
Procedures
  Step-by-step VPN configuration and debugging
Guidelines
  Description of threats
  Security of remote computing environments, such as working from home

System/Application Domain
System/Application: Data processing and storage technology
Focus on security issues associated with applications and data
Control Standards
  Firewalls
  Denial of Service
  Align with functional responsibilities
Baseline Standards
  Specific technology requirements for each device
  Review standards from vendors or organizations
Procedures
  Step-by-step configuration
Guidelines
  Acquisitions (e.g., preferred vendors)
  Description of threats and countermeasures

Telecommunications Policies
Telecommunications: Technology, service, or system that provides transmission of electronic data and information
Control Standards
  Protect with FIPS encryption
  Segregation of data and voice networks
Baseline Standards
  Specific technology requirements for each device
  Review standards from vendors or organizations
Procedures
  Step-by-step configuration
Guidelines
  May include VoIP systems architecture and security guidelines

Best Practices for IT Infrastructure Security Policies
Select a framework, such as ISO or COBIT
Develop requirements and standards based on the framework
Review what others have done and adapt that work to meet your needs before creating content

Best Practices for IT Infrastructure Security Policies (Continued)
Make your policies and standards available to anyone expected to follow them
Keep content cohesive
Keep content coherent
Maintain the same “voice” throughout a single document

Best Practices for IT Infrastructure Security Policies (Continued)
Add only the information that is necessary
Stay on the message
Make your library searchable
Federate ownership to where it best belongs

Roles and Responsibilities
Information Security (IS) Manager: Policy creation, application, and alignment with organizational goals
IT Auditor: Ensuring that controls are in place per policy
System/Application Administrator: Applying controls to the Workstation, LAN, and LAN-to-WAN Domains

Lack of Controls
Without controls, all of the following and more are possible:
Workstations would have different configurations
LANs would allow unauthorized traffic
WANs would have vulnerabilities
Network devices would not be configured the same
Users would have access to data they are not directly working with

Case Studies
Smaller bank wants to clear checks with a larger bank
  X9.37
  Third party used
  Baseline standard change and procedural changes
State of Maryland
  Online health records
  Information Technology Support Division (ITSD) requirements
  Controlled change statewide
  HIPAA
Telvent
  Monitors and supports the energy industry in the US and Canada
  Breach of their firewall and network
  SCADA system was never intended to be online
  Segmentation had been done
  Both test and production environments compromised

Summary
Elements of an infrastructure security policy
Policies associated with various domains of a typical IT infrastructure
Best practices in creating and maintaining IT policies

Security Policies and Implementation Issues
Chapter 9
User Domain Policies
10/1/2017

Learning Objective
Describe the different information systems security (ISS) policies associated with the User Domain.

Key Concepts
Reasons for governing users with policies
Regular and privileged users
Acceptable use policy (AUP) and privileged-level access agreement (PAA)
Security awareness policy (SAP)
Differences between public and private User Domain policies
The User as the Weakest Link in the Security Chain
Social engineering can occur at any time within any
organization
Human mistakes often occur and can lead to security breaches
People who use computers have different skill levels and thus
different perceptions of information security
The User as the Weakest Link in the Security Chain
One of the most significant threats comes from within an
organization, from an “insider”
Applications have weaknesses that are not known, and these
weaknesses can be exploited by users either knowingly or
unknowingly
Security awareness training can remove this weakest link in the
security chain
Different Types of Users Within an Organization
Employees
System admins
Security personnel
Contractors
Vendors
Guests and general public
Control partners
Example of User Types
Contingent and System Accounts
Contingent Accounts
Need unlimited rights to install, configure, repair, and recover
networks and applications, and to restore data
System Accounts
Need elevated privileges to start, stop, and manage system
services
Credentials are prime targets for hackers
IDs are not assigned to individuals until a disaster recovery
event is declared
Accounts can be interactive or non-interactive
System accounts are also referred to as “service accounts”
User Access Requirements
Each user requires different levels of access to applications and
information within the organization
Users require information from different systems across the
organization to do their jobs
The data coming from different systems often has different
security controls
The different roles users hold within the organization can
create security challenges
Users require different access
Users require information from different systems
Data has different security controls
Differences and Similarities in User Domain Policies
Similarities
Private organizations may follow public-compliance laws
depending on their governance requirements
Public organizations may be small in size and thus have similar
control over their user populations
Differences and Similarities in User Domain Policies
Differences
Public organizations must follow Sarbanes-Oxley (SOX), the
Health Insurance Portability and Accountability Act (HIPAA),
and other compliance laws
Private organizations are often smaller and easier to control
from a user standpoint
Private organizations may not follow public-compliance laws
Acceptable Use Policy (AUP)
Attempts to protect an organization’s computers and network
Addresses password management
Addresses software licenses
Addresses intellectual property management
Describes e-mail etiquette
Describes the level of privacy an individual should expect when
using an organization’s computer or network
Describes noncompliance consequences
Privileged-Level Access Agreement (PAA)
Acknowledges the risk associated with elevated access in the
event the credentials are breached or abused
Asks user to promise to use access only for approved
organization business
Asks user to promise not to attempt to “hack” or breach security
Asks user to promise to protect any output from these
credentials such as reports, logs, files, and downloads
Security Awareness Policy (SAP)
Addresses:
Basic principles of information security
Awareness of risk and threats
Dealing with unexpected risk
Reporting suspicious activity, incidents, and breaches
Building a culture that is security and risk aware
Roles and Responsibilities: Who Needs Training?
Executive Managers
Responsible for governance and compliance requirements, and
funding and policy support
Program and Functional Managers
Responsible for security management, planning, and
implementation; also risk management and contingency
planning
IT Security Program Managers
Responsible for broad training in security planning, system and
application security management, risk management, and
contingency planning
Auditors
Responsible for broad training in security planning, system and
application security management, risk management, and
contingency planning
All Users
Responsible for basic security
All Users
Program and Functional Managers
IT Security Program Managers
Auditors
IT Function Management and Operations Personnel
Executive Managers
Best Practices for User Domain Policies
Attachments—Never open an e-mail attachment from a source
that is not trusted or known
Encryption—Always encrypt sensitive data that leaves the
confines of a secure server
Least privilege—Individuals should only have the access
necessary to perform their responsibilities
Unique identity—All users must use unique credentials
Virus protection—Virus and malware prevention must be
installed on every desktop and laptop computer
Layered defense—Use an approach that establishes overlapping
layers of security
Patch management—All network devices should have the latest
security patches
Least Access Privilege and Best Fit Access Privilege
Least Access Privileges
Customizes access to the individual
Best Fit Privileges
Customizes access to the group or class of users
Who Develops User Policies
Chief financial officer (CFO)
Chief operations officer (COO)
Information security manager
IT manager
Marketing and sales manager
Unit manager
Materials manager
Purchasing manager
Inventory manager
Case Studies
Government laptop compromised
Collapse of Barings Bank
Unauthorized access to Defense Department systems
Summary
Different user types and user access requirements in an
organization
SAP, AUP, and PAA
Roles and responsibilities associated with user policies
User policies in public and private organizations
Security Policies and Implementation Issues
Chapter 8
IT Security Policy Framework Approaches
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning
Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe the different methods, roles, responsibilities, and
accountabilities of personnel, along with the governance and
compliance of a security policy framework.
Key Concepts
Different methods and best practices for approaching a security
policy framework
Importance of defining roles, responsibilities, and
accountability for personnel
Separation of duties (SoD)
Importance of governance and compliance
Information Systems Security Policy Frameworks
Choosing the framework that works in your organization is not
easy
- The one selected will be based on the organizational type, risk,
and view from top management
A simplified security policy framework domain model
- Federal Information Security Management Act of 2002
(FISMA)
- Committee of Sponsoring Organizations (COSO)
- Control Objectives for Information and related Technology
(COBIT) (public organizations only, as this is for SOX 404)
- ISO 17799 (27002), 20000 (ITIL), NIST, OCTAVE, PCI DSS
(if you process payments electronically)
Frameworks are flexible and allow an organization to adopt
constructs that fit its overall governance and compliance
planning requirements
Choosing the right framework is not easy
Use a simplified security policy framework domain model
Flexible frameworks fit governance and compliance planning
requirements
IT Security Policy Framework Domain Model
Risk IT Framework
Process Model
Roles
Head of information management
Data stewards
Data custodians
Data administrators
Data security administrators
Roles and Responsibilities
Executive Management
Responsible for governance and compliance requirements,
funding, and policy support
Chief Information Officer (CIO)/Chief Security Officer (CSO)
Responsible for policy creation, reporting, funding, and support
Chief Financial Officer (CFO)/Chief Operating Officer (COO)
Responsible for data stewardship; owners of the data
Roles and Responsibilities (Continued)
System Administrators/Application Administrators
Responsible for custodianship of the data, maintaining the
quality of the data, and executing the policies and procedures
pertaining to the data, like backup, versioning, updating,
downloading, and database administration
Security Administrator
Responsible for granting access and assessing threats to the data,
and for the IA (information assurance) program
Committees
Separation of Duties (SoD)
Layered security approach
SoD duties fall within each IT domain
Applying SoD can and will reduce both fraud and human errors
Layered security approach
Using layered security provides redundancy of layers, so if one
fails to catch the risk, another layer should. Thus, the more
layers the better the chance that a risk will be mitigated.
However, one must remember that cost and restrictions are also
present with each layer deployed
Domain of responsibility and accountability
These SoD duties fall within each individual domain and
applying SoD can and will reduce both fraud and human errors
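The least access privilege versus best fit privilege distinction from the User Domain chapter and the separation-of-duties point above can both be shown in one small access-policy model. The block below is an added example written for this page, not code from the textbook or its publisher; the group names, user names and permission strings are constructed sample data, and the conflict pair is a hypothetical SoD rule.

```python
# Added illustrative example; not from the textbook.  It models three ideas
# from these chapters with constructed sample data: "best fit" privileges
# granted to a group (class of users), "least access" privileges granted to one
# individual, and a separation-of-duties (SoD) check that flags any person
# whose combined grants pair two duties the policy says must never sit with
# one person.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class AccessPolicy:
    # best-fit privileges: permissions attached to a group or class of users
    group_grants: Dict[str, Set[str]] = field(default_factory=dict)
    # least-access privileges: permissions attached to a single individual
    user_grants: Dict[str, Set[str]] = field(default_factory=dict)
    # user -> groups the user belongs to
    membership: Dict[str, Set[str]] = field(default_factory=dict)
    # SoD rules: pairs of permissions one person must never hold together
    sod_conflicts: Set[FrozenSet[str]] = field(default_factory=set)

    def effective_permissions(self, user: str) -> Set[str]:
        """Union of the user's individual grants and all of their group grants."""
        perms = set(self.user_grants.get(user, set()))
        for group in self.membership.get(user, set()):
            perms |= self.group_grants.get(group, set())
        return perms

    def is_allowed(self, user: str, permission: str) -> bool:
        """Deny by default: only an explicit grant (direct or via group) allows."""
        return permission in self.effective_permissions(user)

    def sod_violations(self, user: str) -> List[Tuple[str, str]]:
        """Every conflicting pair that the user's effective permissions contain."""
        perms = self.effective_permissions(user)
        hits = []
        for pair in self.sod_conflicts:
            if pair <= perms:  # both halves of the conflict are held
                first, second = sorted(pair)
                hits.append((first, second))
        return sorted(hits)

    def audit(self) -> Dict[str, List[Tuple[str, str]]]:
        """Sweep every known user; return only those with an SoD violation."""
        users = set(self.user_grants) | set(self.membership)
        report = {}
        for user in sorted(users):
            violations = self.sod_violations(user)
            if violations:
                report[user] = violations
        return report


def build_sample_policy() -> AccessPolicy:
    """Constructed sample data (hypothetical groups, users and permissions)."""
    policy = AccessPolicy()
    # best fit: everyone in the accounts-payable class gets the same bundle
    policy.group_grants["accounts_payable"] = {"invoice:create", "invoice:read"}
    policy.group_grants["treasury"] = {"payment:approve", "payment:read"}
    # least access: dave is a reviewer who needs read-only on invoices, nothing more
    policy.user_grants["dave"] = {"invoice:read"}
    policy.membership["alice"] = {"accounts_payable"}
    policy.membership["bob"] = {"treasury"}
    policy.membership["carol"] = {"accounts_payable", "treasury"}  # toxic combination
    # SoD rule: whoever creates an invoice must not also approve its payment
    policy.sod_conflicts.add(frozenset({"invoice:create", "payment:approve"}))
    return policy


if __name__ == "__main__":
    sample = build_sample_policy()
    for name in ("alice", "bob", "carol", "dave"):
        print(name, sorted(sample.effective_permissions(name)))
    print("SoD violations:", sample.audit())
```

Running the block prints each user's effective permissions and the audit report. In the sample data only carol, who sits in both groups, trips the SoD rule: each group grant looks reasonable on its own and the conflict appears only when the grants are combined, which is why the audit sweeps effective permissions rather than individual assignments. The deny-by-default `is_allowed` is what least privilege looks like in code.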
Information Technology (IT) Security Controls
IT security controls are a function of the IT infrastructure an
organization has in its control and of the regulatory and business
objectives that need to be controlled
You can have too many IT security controls, impeding the
organization from operating at optimal capacity, thus reducing
its revenue potential
Information Technology (IT) Security Controls (Continued)
Generic IT security controls as a function of a business model
Deploy a layered security approach
Use SoD approach
This applies to transactions within the domain of responsibility
Conduct security awareness training annually
Information Technology (IT) Security Controls (Continued)
Apply the three lines of defense model
First line: The business unit
Second line: The risk management team
Third line: Use independent auditors
Importance of Governance and Compliance
Implementing a governance framework can allow an organization
to identify and mitigate risks in an orderly fashion
Can be a cost-reduction move for organizations, as they can
easily respond to audit requests
A well-defined governance and compliance framework provides
a structured approach
Can provide a common language
Importance of Governance and Compliance (Continued)
Is also a best-practice model for organizations of all shapes and
sizes
Controls and risks become measurable with a framework
Organizations with a governance and compliance framework can
operate more efficiently
If you can measure the organization against a fixed set of
standards and controls, you have won
Security Policy Framework: Six Business Risks
Strategic risks are a broad category focused on an event that may
change how the organization operates
Compliance risks relate to the impact of the business failing to
comply with legal obligations
Financial risks are the potential impact when the business fails to
have adequate liquidity to meet its obligations
Operational risks are a broad category that describes any event
that disrupts the organization’s daily activities
Reputational risk results from negative publicity regarding an
organization’s practices. This type of risk could lead to a loss of
revenue or to litigation.
Other risks are a broad category that relates to all other
non-IT-specific events
Strategic
Compliance
Financial
Operational
Reputational
Other
Best Practices: Security Policy Framework
Using a risk management approach to framework
implementation reduces the highest risk to the organization
ISACA COBIT framework for SOX 404 requirements for
publicly traded organizations
Aligning the organization’s security policy with business
objectives and regulatory requirements
Best Practices: Security Policy Framework (Continued)
The use of a best practice methodology will best be answered
based on organizational requirements and governmental
regulations
GRC and ERM
Governance, Risk management, and Compliance (GRC)
A discipline formally bringing together risk and compliance
GRC best practices
ISO 27000 series
COBIT
COSO
Enterprise Risk Management (ERM)
Follows common risk methodologies
Similarities Between GRC and ERM
Defines risk in terms of business threats
Applies flexible frameworks to satisfy multiple compliance
regulations
Eliminates redundant controls, policies, and efforts
Proactively enforces policy
Seeks line of sight into the entire population of risks
Defines risk in terms of business threats
Applies flexible frameworks
Eliminates redundant controls, policies, and efforts
Similarities Between GRC and ERM (Continued)
Proactively enforces policy
Seeks line of sight into the entire population of risks
Differences Between GRC and ERM
GRC focuses on technology, a series of tools and centralized
policies
ERM focuses on value delivery, takes a broad look at risk based
on the adoption driven by the organization’s leadership, and
shifts the discussion from what the organization should spend to
how the organization spends money mitigating risk
GRC
Focuses on technology, a series of tools and centralized policies
ERM
Focuses on value delivery
Takes a broad look at risk based on adoption driven by
leadership
Case Studies
Hamburger chain
POS
WiFi Hotspot
Edward Snowden
Excessive access
Penetration testing
Adnoc Distribution
Inadequate funding of IT
Summary
Information systems security policy frameworks and IT security
controls
Difference between GRC and ERM
Business risks associated with security policy framework
Roles and responsibilities associated with information systems
security policy framework and SoD
Security Policies and Implementation Issues
Lecture 5
How to Design, Organize, Implement, and Maintain IT Security
Policies
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning
Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe how to design, organize, implement, and maintain IT
security policies.
9/24/2017
Key Concepts
Core principles of policy and standards design
Implementing policy and libraries
Policy change control board purpose and roles
Business drivers for policy and standards changes
Best practices for policy management and maintenance
Who, What, When, Where, Why, and How?
YouTube: The Electric Company, The Good Charlotte
Architectural Operating Model: Four Business Model Concepts
Diversified
Technology solution has a low level of integration and
standardization with the enterprise.
Exchange of data and use of services outside the business unit
itself is minimal.
Coordinated
Technology solution shares data across the enterprise.
Level of shared services and standardization are minimal.
Replicated
Technology solution shares services across the enterprise.
Level of data sharing is minimal.
Unified
Technology solution both shares data and has standardized
services across the enterprise.
Diversified
Coordinated
Replicated
Unified
This book explains ways to analyze and categorize the primary
operating model of the business based on four key concepts that we
will be reviewing to understand how IT policies and standards
align.
Why? By focusing on the business model and the processes that
the company must execute well, this model provides a
baseline approach to understanding the IT systems needed to digitize
those processes, or the level of automation they need.
Examples in the book include companies around the world that
are profiled by the authors to illustrate how constructing the
right enterprise architecture can enhance profitability and time
to market, facilitate competitive positioning, improve
strategy execution, and how it may impact IT costs.
Enterprise Architecture as Strategy: Creating a Foundation
for Business Execution
Aligning Operating Model Concepts
Policy and Standards Development Core Principles
Defense in Depth
Timeliness
Reassessment
Democracy
Internal Control
Adversary
Policy and Standards Development Core Principles (Continued)
Least Privilege
Separation of Duties
Continuity
Simplicity
Policy-Centered Security
Transparency with Customer Data
Transparency
Individual Participation
Purpose Specification
Use Limitation
Data Minimization
Security Controls Categorization Schemes
What is the control?
What does the control do?
Administrative controls
Technical controls
Physical controls
Preventive security controls
Detective or response controls
Corrective controls
Recovery controls
ISO/IEC 27002
ISO/IEC 27002 Notice Board
http://www.iso27001security.com/html/27002.html
Understanding Taxonomy
Introduction to ISO 15926, April 14, 2014,
http://infowebml.ws/intro/index.htm
A Policy and Standards Library
Taxonomy
A Policy and Standards Library
Taxonomy (Continued)
Control standards branch out from the Access Control (IS-POL-
800) framework policy.
A Policy and Standards Library
Taxonomy (Continued)
Baseline standards and procedures provide additional branches
of the library tree.
A Policy and Standards Library
Taxonomy (Continued)
Guidelines provide additional branches of the library tree.
Implementing Policies and Libraries
Implementing your policies and libraries entails three major
steps:
• Reviews and approvals for your documents
• Publication of the documents
• Awareness and training
Build Consensus
Publication
Awareness Training
Reviews/Approvals
Members of the Policy Change Control Board
Information Security
Compliance Management
Auditing
Human Resources (HR)
Leadership from the key information business units
Project Managers (PMs)
Members come from functional areas of the organization.
The role of each member is to approve changes to the
policies, reflecting alignment to business objectives.
Each functional area oversees policies pertaining to its
respective area of responsibility, while also playing a role in
the approval of policy changes that affect the organization as a
whole.
Policy Change Control Board
Assess policies/standards and recommend changes
Coordinate requests for change (RFCs)
Ensure that changes support organization’s mission and goals
Review requested changes
Establish change management process
Best Practices for Policy Maintenance
Business-as-usual developments
Business exceptions
Business innovations
Business technology innovations
Strategic changes
Summary
Core principles of policy and standards design
Implementing policy and libraries
Policy change control board purpose and roles
Business drivers for policy and standards changes
Best practices for policy management and maintenance
Security Policies and Implementation Issues
Chapter 6
IT Security Policy Frameworks
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning
Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe the components and basic requirements for creating a
security policy framework.
Key Concepts
Key building blocks of security policy framework
Types of documents for a security policy framework
Information systems security (ISS) and information assurance
considerations
Process to create a security policy framework
Policy and Standards Library Framework
Policy Framework Components
Policy: Defines how an organization performs and conducts business
functions and transactions with a desired outcome
Standards: An established method implemented organization-wide
Procedures: Steps required to implement a process
Guidelines: A parameter within which a policy, standard, or procedure is
suggested
Common Frameworks
Control Objectives for Information and related Technology
(COBIT)
ISO/IEC 27000 series
National Institute of Standards and Technology (NIST) Special
Publications
Example: SP 800-53, “Recommended Security Controls for
Federal Information Systems and Organizations”
Access Control Policy Branch
Access Control Policy Branch of a Policy and Standards Library
External and Internal Factors Affecting Policies
Policies must align with the business model or objective to be
effective
External factors
Regulatory and governmental initiatives
Internal factors
Culture, support, and funding
Creating a Security Policy Framework
Set a budget
Assemble a team
Select a commonly accepted framework as a foundation
- COBIT, ISO/IEC 27000 series, NIST SPs
Use a content management system, if possible
Cross-reference your security documents with standards
Coordinate development with other departments in the organization
Roles Related to a Policy and Standards Library
CISO
- Establishes and maintains security and risk management programs for information resources
Information resources manager
- Maintains policies and procedures that provide for security and risk management of information resources
Information resources security officer
- Directs policies and procedures designed to protect information resources; identifies vulnerabilities; develops security awareness program
Owners of information resources
- Responsible for carrying out the program that uses the resources. This does not imply personal ownership. These individuals may be regarded as program managers or delegates for the owner.
Custodians of information resources
- Provide technical facilities, data processing, and other support services to owners and users of information resources
Technical managers (network and system administrators)
- Provide technical support for security of information resources
Internal auditors
- Conduct periodic risk-based reviews of information resources security policies and procedures
Users
- Have access to information resources in accordance with the owner-defined controls and access rules
Case Studies on Security Policy Framework Creation
Case Study: Private Sector
- Health care organization with 7,000 devices
- Incomplete inventory
- No easy way to classify assets
- HIPAA
- Used NIST SP 800-53 to establish the framework
Case Study: Public Sector
- State of Tennessee
- Used ISO/IEC 17799 (27002)
- Policies and frameworks covered all information assets owned, leased, or controlled by the State of Tennessee
Case Study: Private Sector
- Target Corporation
- 1,797 US and 127 Canadian stores
- December 2013 point-of-sale (PoS) data breach
- 40 million credit card records stolen
- 70 million records containing PII
- One of the largest data breaches of its kind
Information Assurance and Information Systems Security
Information Assurance
- Protecting information during processing and use
- The 5 Pillars
- Implementation of appropriate accounting and other integrity controls
- Development of systems that detect and thwart attempts to perform unauthorized activity
ISS
- Protecting information and the systems that store and process the information
- Automation of security controls, where possible
- Assurance of a level of uptime of all systems
Information Systems Security Considerations
Unauthorized Access to and Use of the System
Unauthorized Disclosure of the Information
Disruption of the System or Services
Modification of Information
Destruction of Information Resources
Summary
Considerations for information assurance and information security
Process to create a security policy framework
Factors that affect policies and the best practices to maintain policies