The Role of Information Security Policy
IAS5020- Info Sec Reg & Legal Env
Jessica Graf
Capella University
Dr. David Bouvin
June 7, 2015
The Role of Information Security Policy | 1
June 7, 2015
When it comes to developing a security policy for this college or any other business, the CIA triad has to be the foundation of that policy. The three areas of the triad are confidentiality, integrity and availability. Often, though, non-repudiation is also included as an important area to be covered in a security policy. The goal of any security policy is to keep assets safe (data, servers, network, people and reputation) and balance that against usability.
Before you can even attempt to write a successful security policy, you must know certain things about a business. How risk tolerant are they? What federal and state regulations must they follow? What are they trying to keep safe, and how are they currently doing that? What type of budget do they have? What are their priorities as far as what to secure?
The first objective of security is confidentiality: keeping information away from people who should not have it. Accomplishing this objective requires that we know what data we are protecting and who should have access to it. It requires that we provide protection mechanisms for the data while it is stored in the computer and while it is being transferred over networks between computers. We will need to know the application programs that we use (or could use) to manipulate the data and control the use of those applications. Confidentiality has taken on an expanded meaning in the form of privacy controls. For some industries, such as health care and finance, privacy is now a regulatory issue. The U.S., European, Canadian, and Australian governments (with others following) have legislated privacy controls to varying degrees. (Langevin, 2008)
The second objective of security is integrity: assuring that the information stored in the computer is never contaminated or changed in a way that is not appropriate. Both confidentiality and availability contribute to integrity. Keeping data away from those who should not have it, and making sure that those who should have it can get it, are fairly basic ways to maintain the integrity of the data. The need for data integrity connects computer security to a closely related discipline: business continuity planning and data recovery. Data will eventually be damaged by hardware failure, software failure, human error, or security failures. Recovery processes are a necessary part of any business IT plan and frequently are under the control of a security department. (Proctor & Brynes, 2002)
The third objective of security is availability: ensuring that data stored in the computer can be accessed by the people who should access it. Availability is a broad subject addressing things such as fault tolerance to protect against denial of service, and access control to ensure that data is available to those authorized to access it. Most computers can at least differentiate between two classes of users: system administrators and general end users. The major exceptions to this rule are the desktop operating systems that have become common on personal computers. Availability has also taken on an expanded meaning. One of the most common forms of security problem for Internet applications is the "denial of service" (DoS) attack. (Khandhar, 2015)
This is a focused attempt by a cyber-attacker to make a computer system and its data unavailable. This can be done in two ways. First, the attacker may try to damage the target computer or some network component on which the computer depends. Second, the attacker may simply send so many messages to the target computer that it cannot possibly process them all. Other people attempting to use that computer for legitimate purposes find that the computer is too busy to service them. (Fischer, 2014)
Security can impact profitability in a positive or negative manner, depending on how it is managed. Improving security to reduce risk may cost money, and as with most of life, the last 20 percent of risks to be eliminated will cost 80 percent of the money. Once basic security needs have been met, it is important to balance risk reduction costs against the potential for loss if security fails. Most business plans contain some allowance for downside risks. Many security-related risks exceed these allowances, but a case-by-case analysis should be done before large security investments are made. (Dell SecureWorks, 2014)
Implementing a robust information security program within the federal government is challenging. Federal and other public institutions have to contend with constantly changing technology, multiple compliance requirements, the increasing complexity of information security, and changing threats, much like any other business in the private sector. However, the federal government is often more of a target than other entities because of the nature of what it is, what it handles and what it stands for. Because of these things it is a bigger target, more risk averse, and has more responsibility to keep its assets safe. Governments and public institutions are often the target of threat actors. Threat actors are broken into five groups:
1. Nation-state actors
2. Organized criminal actors
3. Corporate espionage actors
4. Terrorists (Dell SecureWorks, 2014)
Threat actors will target a specific organization or entity and perpetrate a sustained campaign until they achieve their goals. The actors' persistence, adaptability and variability also differentiate advanced threat actors from less organized and opportunistic ones. Threat actors may act independently or, more likely, as part of a larger team or effort. In the case of teams, activities may be fully compartmentalized, much like how a business separates roles, functions and organizations internally. (Dell SecureWorks, 2014) While organized criminal elements may be after information and access that can lead to financial gain, nation-state sponsored actors may be driven by the desire to obtain intelligence or to gain a competitive advantage for industry. (Bucci & Rosenzweig, 2013)
Security benefits come with both direct and indirect costs. Direct costs include purchasing, installing, and administering security measures, such as access control software or fire suppression systems. Additionally, security measures can sometimes affect system performance, employee morale, or retraining requirements. All of these have to be considered in addition to the basic cost of the control itself. In many cases, these additional costs may well exceed the initial cost of the control (as is often seen, for example, in the costs of administering an access control package). Solutions to security problems should not be chosen if they cost more, in monetary or non-monetary terms, directly or indirectly, than simply tolerating the problem.
In addition, to give organizations greater flexibility and agility in defending their information systems, the concept of overlays was introduced in this revision. Overlays provide a structured approach to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation, and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances. (NIST, 2013)
When it comes to the impact any security policy can have on customers and business partners that have a relationship with a government agency or public institution, it can be a double-edged sword. If the policy is too tight, it can hurt the relationship because of the difficulty of accessing the data and resources that are needed. A good example of this was the health care website that was put out by the US government. While the issues were not all about security, they were about availability and how the failure of the website affected the trust and reputation of the public institution responsible for it. (Fischer, 2014)
Respect for customer security and privacy is one of the most important issues facing any organization (public or private) today. The public is getting sick and tired of reading about privacy breaches every day in the headlines, and they want to know that your company is doing everything reasonable and responsible to safeguard their personally identifiable information (PII).
To gain and keep customer trust, public institutions must exercise better judgment in the collection, use, and protection of PII. Not only do you need to provide training and awareness of this to your personnel, but you also need to keep your customers (with whom you already have a business relationship) and consumers (with whom you would like to have a business relationship, and who may have provided some information to you) informed, through various awareness messages, about what you are doing to protect their privacy and ensure the security of their information. (Dell SecureWorks, 2014)
In the end, when it comes to developing a security policy, any organization has to assess its risks, its tolerance for risk, what it is protecting and from whom. It must make sure that the policy meets its security needs in balance with the business goals and customers' needs. It also must make sure it is in compliance with federal and state laws. At the same time, the policy must be flexible enough to embrace new technologies and threats, both internal and external.
References
Bucci, S., & Rosenzweig, P. (2013, April 1). A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace. The Heritage Foundation. Retrieved from http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace
Cornell University Law School. (2014). 42 U.S. Code Part A - Improved Privacy Provisions and Security Provisions. Legal Information Institute. Retrieved from https://www.law.cornell.edu/uscode/text/42/chapter-156/subchapter-III/part-A
Dell SecureWorks. (2014). Security for Public Institutions.
Dell SecureWorks. (2014). Threat Actors. Austin, TX: Dell.
Dennis, C. M. (2013, January 28). Data security laws and the rising cybersecurity debate. Lexology. Retrieved from http://www.lexology.com/library/detail.aspx?g=cc5c9a56-7a60-46ab-9cf4-f36cada0cafa
Fischer, E. A. (2014). Cybersecurity Issues and Challenges: In Brief. Washington, D.C.: Congressional Research Service.
Khandhar, P. (2015, April 22). Banking Botnets Persist Despite Takedowns. Dell SecureWorks. Retrieved from http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
Langevin, J. R. (2008, September 16). GAO-08-1075R – Federal Legal Requirements for Critical Infrastructure IT Security. GAO.gov. Retrieved from http://www.gao.gov/new.items/d081075r.pdf
NIST. (2013). Security and Privacy Controls for Federal Information Systems and Organizations. Washington, DC: NIST.
Proctor, P. E., & Brynes, C. (2002). The Secured Enterprise: Protecting Your Information Assets. New York: Prentice Hall.
T h e R o l e o f I n f o r m a t i o n S e c u r i t y P o l i c y | 7
June 7, 2015

More Related Content

What's hot

Introduction to National Critical Infrastructure Cyber Security: Background a...
Introduction to National Critical Infrastructure Cyber Security: Background a...Introduction to National Critical Infrastructure Cyber Security: Background a...
Introduction to National Critical Infrastructure Cyber Security: Background a...Jack Whitsitt
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsKen M. Shaurette
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRBill Besse
 
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...Inno Eroraha [NetSecurity]
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementDMIMarketing
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateKashif Ali
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data SecurityImperva
 
Information Security Governance: Government Considerations for the Cloud Comp...
Information Security Governance: Government Considerations for the Cloud Comp...Information Security Governance: Government Considerations for the Cloud Comp...
Information Security Governance: Government Considerations for the Cloud Comp...Booz Allen Hamilton
 
Cyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the follCyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the follAISHA232980
 
Information Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectInformation Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectIOSR Journals
 
Cyber Threat Landscape- Security Posture - ver 1.0
Cyber Threat Landscape- Security Posture - ver 1.0Cyber Threat Landscape- Security Posture - ver 1.0
Cyber Threat Landscape- Security Posture - ver 1.0Satyanandan Atyam
 
clearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochureclearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochureLee Dalton
 
NIST Privacy Engineering Working Group -- Risk Models
 NIST Privacy Engineering Working Group -- Risk Models NIST Privacy Engineering Working Group -- Risk Models
NIST Privacy Engineering Working Group -- Risk ModelsDavid Sweigert
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Samuel Loomis
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the newsunnyjoshi88
 
News letter May 11
News letter May 11News letter May 11
News letter May 11captsbtyagi
 
Security Lifecycle Management
Security Lifecycle ManagementSecurity Lifecycle Management
Security Lifecycle ManagementBarry Caplin
 
Privacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishPrivacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishRSIS International
 

What's hot (19)

Introduction to National Critical Infrastructure Cyber Security: Background a...
Introduction to National Critical Infrastructure Cyber Security: Background a...Introduction to National Critical Infrastructure Cyber Security: Background a...
Introduction to National Critical Infrastructure Cyber Security: Background a...
 
Executive Breach Response Playbook
Executive Breach Response PlaybookExecutive Breach Response Playbook
Executive Breach Response Playbook
 
Fdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessmentsFdic ffiec cyber_security_assessments
Fdic ffiec cyber_security_assessments
 
AI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LRAI-Cyber-Security-White-Papers-06-15-LR
AI-Cyber-Security-White-Papers-06-15-LR
 
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
Man and Machine -- Forming a Perfect Union to Mature Security Programs -- Key...
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
 
OverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrateOverseeCyberSecurityAsHackersSeekToInfiltrate
OverseeCyberSecurityAsHackersSeekToInfiltrate
 
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data Security
 
Information Security Governance: Government Considerations for the Cloud Comp...
Information Security Governance: Government Considerations for the Cloud Comp...Information Security Governance: Government Considerations for the Cloud Comp...
Information Security Governance: Government Considerations for the Cloud Comp...
 
Cyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the follCyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the foll
 
Information Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectInformation Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and Prospect
 
Cyber Threat Landscape- Security Posture - ver 1.0
Cyber Threat Landscape- Security Posture - ver 1.0Cyber Threat Landscape- Security Posture - ver 1.0
Cyber Threat Landscape- Security Posture - ver 1.0
 
clearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochureclearswift-adaptive-redaction-brochure
clearswift-adaptive-redaction-brochure
 
NIST Privacy Engineering Working Group -- Risk Models
 NIST Privacy Engineering Working Group -- Risk Models NIST Privacy Engineering Working Group -- Risk Models
NIST Privacy Engineering Working Group -- Risk Models
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016
 
Online security – an assessment of the new
Online security – an assessment of the newOnline security – an assessment of the new
Online security – an assessment of the new
 
News letter May 11
News letter May 11News letter May 11
News letter May 11
 
Security Lifecycle Management
Security Lifecycle ManagementSecurity Lifecycle Management
Security Lifecycle Management
 
Privacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or PerishPrivacy Management System: Protect Data or Perish
Privacy Management System: Protect Data or Perish
 

Similar to The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020

Classmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docxClassmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docxbartholomeocoombs
 
Running head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docx
Running head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docxRunning head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docx
Running head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docxtodd581
 
Running head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docx
Running head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docxRunning head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docx
Running head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docxglendar3
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & StrategyTony Hauxwell
 
1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx
1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx
1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docxeugeniadean34240
 
Target Data Security Breach Case Study
Target Data Security Breach Case StudyTarget Data Security Breach Case Study
Target Data Security Breach Case StudyAngilina Jones
 
The Role of Information Security Policy
The Role of Information Security PolicyThe Role of Information Security Policy
The Role of Information Security PolicyRobot Mode
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Alexander Decker
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Alexander Decker
 
LD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docxLD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docxstirlingvwriters
 
ISSC361_Project_John_Intindolo
ISSC361_Project_John_IntindoloISSC361_Project_John_Intindolo
ISSC361_Project_John_IntindoloJohn Intindolo
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk ManagementDMIMarketing
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaLizbethQuinonez813
 
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docxRunning head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docxjeanettehully
 
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docxRunning head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docxglendar3
 
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docxRunning head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docxtodd581
 
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? IJNSA Journal
 
Article 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking technoArticle 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking technohoney690131
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness              .docxRunning Head SECURITY AWARENESSSecurity Awareness              .docx
Running Head SECURITY AWARENESSSecurity Awareness .docxtoltonkendal
 

Similar to The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020 (20)

Classmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docxClassmate 1Cybersecurity risk can be characterized as the ris.docx
Classmate 1Cybersecurity risk can be characterized as the ris.docx
 
Running head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docx
Running head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docxRunning head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docx
Running head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docx
 
Running head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docx
Running head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docxRunning head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docx
Running head ORGANIZATIONAL SECURITY1ORGANIZATIONAL SECURITY.docx
 
Information Systems Security & Strategy
Information Systems Security & StrategyInformation Systems Security & Strategy
Information Systems Security & Strategy
 
1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx
1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx
1Running head IDENTITY MANAGEMENT AND SECURITY AWARENESS TRAI.docx
 
Target Data Security Breach Case Study
Target Data Security Breach Case StudyTarget Data Security Breach Case Study
Target Data Security Breach Case Study
 
The Role of Information Security Policy
The Role of Information Security PolicyThe Role of Information Security Policy
The Role of Information Security Policy
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...
 
Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...Protection and defense against sensitive data leakage problem within organiza...
Protection and defense against sensitive data leakage problem within organiza...
 
LD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docxLD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docx
 
Prevent & Protect
Prevent & ProtectPrevent & Protect
Prevent & Protect
 
ISSC361_Project_John_Intindolo
ISSC361_Project_John_IntindoloISSC361_Project_John_Intindolo
ISSC361_Project_John_Intindolo
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 
Identity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expaIdentity Theft ResponseYou have successfully presented an expa
Identity Theft ResponseYou have successfully presented an expa
 
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docxRunning head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
 
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docxRunning head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
 
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docxRunning head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
Running head POLICIES FOR MANAGING PRIVACY1POLICIES FOR M.docx
 
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK? HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
 
Article 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking technoArticle 1 currently, smartphone, web, and social networking techno
Article 1 currently, smartphone, web, and social networking techno
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness              .docxRunning Head SECURITY AWARENESSSecurity Awareness              .docx
Running Head SECURITY AWARENESSSecurity Awareness .docx
 

The Role of Information Security Policy Jessica Graf Assignment 1 Unit 8 IAS5020

  • 1. The Role of Information Security Policy IAS5020- Info Sec Reg & Legal Env Jessica Graf Capella University Dr. David Bouvin June 7, 2015
  • 2. T h e R o l e o f I n f o r m a t i o n S e c u r i t y P o l i c y | 1 June 7, 2015 When it comes to developing a security policy for this college or any other business, the CIA triad has to be the foundation to that policy. The three areas of the triad are confidentiality, integrity and availability. Often times though the area of non-repudiation is also include as an important area to be covered in a security policy. The goal of any security policy is to keep assets safe (data, servers,network, people and reputation) and balance that against the usability. Before you can even attempt to write a successfulsecurity policy, you must know certain things about a business. How risk tolerant are they? What are the federaland state regulations they must follow? What are they trying to keep safe and how are they currently doing that? What type of budget do they have? What are their priorities as far as what to secure? The first objective of security is confidentiality: keeping information away from people who should not have it. Accomplishing this objective requires that we know what data we are protecting and who should have access to it. It requires that we provide protection mechanisms for the data while it is stored in the computer and while it is being transferred over networks between computers. We will need to know the application programs that we use (or could use) to manipulate the data and control the use of those applications. Confidentiality has taken on an expanded meaning in the form of privacy controls. For some industries, such as health care and finance, privacy is now a regulatory issue. The U.S.,European, Canadian, and Australian governments (with others following) have legislated privacy controls to varying degrees. (Langevin, 2008) The second objective of security is integrity: assuring that the information stored in the computer is never contaminated or changed in a way that is not appropriate. 
Both confidentiality and availability contribute to integrity. Keeping data away from those who should not have it and making sure that those who should have it can get it are fairly basic ways to maintain the integrity of the data. The need for data integrity connects computer security to a closely related discipline: business continuity planning and data recovery. Data will eventually be damaged by hardware failure, software failure, human errors, or security failures. Recovery processes are a necessary part of any business IT plan and frequently are under the control of a security department. (Proctor & Brynes, 2002)

The third objective of security is availability: ensuring that data stored in the computer can be accessed by the people who should access it. Availability is a broad subject addressing things such as fault tolerance to protect against denial of service and access control to ensure that data is available to those authorized to access it. Most computers can at least differentiate between two classes of users: system administrators and general end users. The major exceptions to this rule are the desktop operating systems that have become common on personal computers. Availability has also taken on an expanded meaning. One of the most common forms of security problem for Internet applications is the "denial of service" (DoS) attack. (Khandhar, 2015) This is a focused attempt by a cyber-attacker to make a computer system and its data unavailable. This can be done in two ways. First, the attacker may try to damage the target computer or some network component on which the computer depends. Second, the attacker may simply send so many messages to the target computer that it cannot possibly process them all. Other people attempting to use that computer for legitimate purposes find that the computer is too busy to service them. (Fischer, 2014)

Security can impact profitability in a positive or negative manner, depending on how it is managed. Improving security to reduce risk may cost money, and as with most of life, the last 20 percent of risks to be eliminated will cost 80 percent of the money. Once basic security needs have been met, it is important to balance risk reduction costs against the potential for loss if security fails. Most business plans contain some allowance for downside risks.
Many security-related risks exceed these allowances, but a case-by-case analysis should be done before large security investments are made. (Dell SecureWorks, 2014)

Implementing a robust information security program within the federal government is challenging. Federal and other public institutions have to contend with constantly changing technology, multiple compliance requirements, increasing complexity of information security, and changing threats, much like any other business in the private sector. However, the federal government is often more of a target than other entities because of the nature of what it is, what it handles and what it stands for. Because of these things it is a bigger target, more risk averse, and has more responsibility to keep its assets safe.

Governments and public institutions are often the target of threat actors. Threat actors are broken into five groups:

1. Nation-state actors
2. Organized criminal actors
3. Corporate espionage actors
4. Terrorists (Dell SecureWorks, 2014)

Threat actors will target a specific organization or entity and perpetrate a sustained campaign until they achieve their goals. The actors' persistence, adaptability and variability also differentiate advanced threat actors from less organized and opportunistic ones. Threat actors may act independently or, more likely, as part of a larger team or effort. In the case of teams, activities may be fully compartmentalized, much like how a business separates roles, functions and organizations internally. (Dell SecureWorks, 2014) While organized criminal elements may be after information and access that can lead to financial gain, nation-state sponsored actors may be driven by the desire to obtain intelligence or to gain competitive advantage for industry. (Bucci & Rosenzweig, 2013)

Security benefits do have both direct and indirect costs. Direct costs include purchasing, installing, and administering security measures, such as access control software or fire suppression systems. Additionally, security measures can sometimes affect system performance, employee morale, or retraining requirements. All of these have to be considered in addition to the basic cost of the control itself. In many cases, these additional costs may well exceed the initial cost of the control (as is often seen, for example, in the costs of administering an access control package). Solutions to security problems should not be chosen if they cost more, in monetary or non-monetary terms, directly or indirectly, than simply tolerating the problem.

In addition, to give organizations greater flexibility and agility in defending their information systems, the concept of overlays was introduced in this revision. (NIST, 2013) Overlays provide a structured approach to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation, and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances. (NIST, 2013)

When it comes to the impact any security policy can have on customers and business partners that have a relationship with a government agency or public institution, it can be a double-edged sword. If the policy is too tight it can impact the relationship because of the issues in accessing data and resources that are needed. A good example of this was the health care website that was put out by the US government. While the issues were not all about security, it was about availability and how the failure of the website impacted the trust and reputation of the public institution responsible for it.
(Fischer, 2014)

Respect for customer security and privacy is one of the most important issues facing any organization (public or private) today. The public is getting sick and tired of reading about privacy breaches every day in the headlines, and they want to know that your company is doing everything reasonable and responsible to safeguard their personally identifiable information (PII). To gain and keep customer trust, public institutions must exercise better judgment in the collection, use, and protection of PII. Not only do you need to provide training and awareness of this to your personnel, but you also need to keep your customers, with whom you already have a business relationship, and consumers, with whom you would like to have a business relationship and who may have provided some information to you, informed regarding what you are doing to protect their privacy and ensure the security of their information through various awareness messages. (Dell SecureWorks, 2014)

In the end, when it comes to developing a security policy, any organization has to assess its risks, its tolerance for risk, what it is protecting and from whom. It must make sure that the policy meets its security needs in balance with the business goals and customers' needs. It also must make sure it is in compliance with federal and state laws. At the same time, the policy must be flexible enough to embrace new technologies and threats, both internal and external.
References

Bucci, S., & Rosenzweig, P. (2013, April 1). A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace. Retrieved from The Heritage Foundation: http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace

Cornell University Law School. (2014). Legal Information Institute. Retrieved from 42 U.S. Code Part A - Improved Privacy Provisions and Security Provisions: https://www.law.cornell.edu/uscode/text/42/chapter-156/subchapter-III/part-A

Dell SecureWorks. (2014). Security for Public Institutions.

Dell SecureWorks. (2014). Threat Actors. Austin, TX: Dell.

Dennis, C. M. (2013, January 28). Lexology. Retrieved from Data security laws and the rising cybersecurity debate: http://www.lexology.com/library/detail.aspx?g=cc5c9a56-7a60-46ab-9cf4-f36cada0cafa

Fischer, E. A. (2014). Cybersecurity Issues and Challenges: In Brief. Washington D.C.: Congressional Research Service.

Khandhar, P. (2015, April 22). Dell SecureWorks. Retrieved from Banking Botnets Persist Despite Takedowns: http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/

Langevin, J. R. (2008, September 16). GAO.gov. Retrieved from GAO-08-1075R – Federal Legal Requirements for Critical Infrastructure IT Security: http://www.gao.gov/new.items/d081075r.pdf

NIST. (2013). Security and Privacy Controls for Federal Information Systems and Organizations. Washington DC: NIST.

Proctor, P. E., & Brynes, C. (2002). The Secured Enterprise: Protecting Your Information Assets. New York: Prentice Hall.