The document covers comprehensive information security policies and practices, including the history, principles, architecture, and lifecycle of information security. It emphasizes the importance of protecting organizational data through structured policies, legal regulations, and adherence to standards to prevent unauthorized access and information breaches. The lifecycle of creating and implementing security policies includes management support, policy writing, implementation, monitoring, and ensuring compliance within organizations.

1. Information Security Policies
Professional Practice
Syed Saqib Raza Rizvi
Lecture 12

2. Topics To Be Covered:
• PART 1: Introduction To Security Policies
Information Security
History
Information Security Policy
Information Security Life Cycle
Laws and Regulation
Sources Of Standards
• PART 2: Security Principles
Basic Information Security Principles
1. Support the business
2. Defend the business
3. Promote responsible security behavior
• PART 3: Security Architecture
Introduction
Defense in Depth

3. Information Security:
• Information security, sometimes shortened to InfoSec, is the practice
of defending information from unauthorized access, illegal use,
disclosure, disruption, modification, inspection, recording or
destruction.
• Preservation of confidentiality, integrity(accuracy and consistency)
and availability of information.
• Information Security is the process of protecting the intellectual
property of an organization (information may be customer names,
trade secrets etc).
• Information security is the protection of information and minimizes
the risk of exposing information to unauthorized parties.

4. History:
• Since the early days of communication, diplomats and military
commanders understood that it was necessary to provide some
mechanism to protect the confidentiality of correspondence and to have
some means of detecting tampering.
• Julius Caesar is credited with the invention of the Caesar cipher c. 50 B.C.,
which was created in order to prevent his secret messages from being read
should a message fall into the wrong hands, but for the most part
protection was achieved through the application of procedural handling
controls.
• In the mid-19th century more complex classification systems were
developed to allow governments to manage their information according to
the degree of sensitivity.

5. History:
• By the time of the First World War, multi-tier classification systems
were used to communicate information to and from various fronts,
which encouraged greater use of code making and breaking sections
in diplomatic and military headquarters.
• During Second World War, Encoding became more sophisticated
between the wars as machines were employed to scramble and
unscramble information.

6. Information Security Policy:
• Set of policies (rules and guideline) issued by an organization to
ensure that all information technology users within the domain of
the organization, related to the security of the information.
• The evolution of computer networks has made the sharing of
information ever more prevalent. Information is now exchanged at
the rate of trillions of bytes per millisecond.

7. Information Security Policy:
• Every organization needs to protect its data and also control how it
should be distributed both within and outside the organizational
boundaries. This may mean that information may have to be
encrypted, authorized through a third party or institution and may
have restrictions placed on its distribution with reference to a
classification system laid out in the information security policy.

8. Information Security Policy:
• An example of the use of an information security policy might be in a
data storage facility which stores database records on behalf of
medical facilities. These records are sensitive and cannot be shared,
under penalty of law, with any unauthorized recipient whether a real
person or another device.
• An information security policy would be enabled within the software
that the facility uses to manage the data they are responsible for.
• A business might employ an information security policy to protect its
digital assets and intellectual rights in efforts to prevent theft of
industrial secrets and information that could benefit competitors.

9. Information Security Policy:
• A typical security policy might be hierarchical and apply differently
depending on whom they apply to.
• For example, the secretarial staff who type all the communications of
an organization are usually bound never to share any information
unless explicitly authorized, whereby a more senior manager may be
deemed authoritative enough to decide what information produced
by the secretaries can be shared, and to who, so they are not bound
by the same.
• To cover the whole organization therefore, information security
policies frequently contain different specifications depending upon
the authoritative status of the persons they apply to

10. Information Security Policies:
• Organizations are giving more priority to development of information
security policies, as protecting their assets is one of the prominent things
that needs to be considered.
• Lack of clarity in InfoSec policies can lead to catastrophic damages which
cannot be recovered. So an organization makes different strategies in
implementing a security policy successfully.
• Security policies are intended to define what is expected from employees
within an organization with respect to information systems. The objective
is to guide or control the use of systems to reduce the risk to information
assets. It also gives the staff who are dealing with information systems an
acceptable use policy, explaining what is allowed and what not

11. Information Security Policies Life Cycle:
Acceptance
Policy

12. 1. Get Management Support:
• The crucial component for the success of writing an information
security policy is gaining management support. Management will
study the need of information security policies and assign a budget to
implement security policies. Time, money, and resource mobilization
are some factors that are discussed in this level. It is the role of the
presenter to make the management understand the benefits and
gains achieved through implementing these security policies.

13. 2. Write Policies:
• Now we need to know our information systems and write policies
accordingly. Whenever information security policies are developed, a
security analyst will copy the policies from another organisation, with
a few differences. Ideally it should be the case that an analyst will
research and write policies specific to the organisation.
• Security policies need to be properly documented, as a good
understandable security policy is very easy to implement. It should
also be available to individuals responsible for implementing the
policies.

14. 2. Write Policies:
A policy should contain:
• Overview – Background information of what issue the policy addresses.
• Purpose – Why the policy is created.
• Scope – To what areas this policy covers.
• Targeted Audience – Tells to whom the policy is applicable.
• Policy – A good description of the policy.
• Definitions – A brief introduction of the technical jargon used inside the
policy.
• Version – A version number to control the changes made to the document.

15. 3. Implement Policies:
• Once the information security policy is written to cover the rules, all
employees should adhere to it while sending email, accessing VOIP,
browsing the Internet, and accessing confidential data in a system.
These policies need to be implemented across the organisation,
however IT assets that impact our business the most need to be
considered first. By implementing security policies, an organisation
will get greater outputs at a lower cost. Policies can be enforced by
implementing security controls.

16. 4. Monitor:
• Once the security policy is implemented, it will be a part of day-to-day
business activities. Security policies that are implemented need to be
reviewed whenever there is an organizational change. Policies can be
monitored by depending on any monitoring solutions like SIEM and
the violation of security policies can be seriously dealt with. There
should also be a mechanism to report any violations to the policy.
Employees often fear to raise violations directly, but a proper
mechanism will bring problems to stakeholders immediately rather
than when it is too late.

17. 4. Monitor:
Below is a list of some of the security policies that an organization may have:
Access Control Policy How information is accessed
Contingency Planning Policy How availability of data is made online 24/7
Data Classification Policy How data are classified
Change Control Policy How changes are made to directories or the file server
Wireless Policy How wireless infrastructure devices need to be configured
Incident Response Policy How incidents are reported and investigated
Termination of Access Policy How employees are terminated
Backup Policy How data are backed up
Virus Policy How virus infections need to be dealt with
Retention Policy How data can be stored
Physical Access Policy How access to the physical area is obtained
Security Awareness Policy How security awareness are carried out
Audit Trail Policy How audit trails are analysed
Firewall Policy How firewalls are named, configured etc
Network Security Policy How network systems can be secured
Encryption Policy How datas are encryped, the encryption method used, etc.

18. 5. Acceptable usage policy:
• Acceptable usage policy (AUP) is the policies that one should adhere
to while accessing the network. Some of the assets that these policies
cover are mobile, wireless, desktop, laptop and tablet computers,
email, servers, Internet, etc. For each asset we need to look at how
we can protect it, manage it, who is authorised to use and administer
the asset, what are the accepted methods of communication in these
assets, etc.

19. Laws and Regulations:
• Below is a partial listing of European, United Kingdom, Canadian and US governmental laws and regulations that have, or will
have, a significant effect on data processing and information security.
• UK Data Protection Act 1998 makes new provisions for the regulation of the processing of information relating to individuals,
including the obtaining, holding, use or disclosure of such information. The European Union Data Protection Directive (EUDPD)
requires that all EU member must adopt national regulations to standardize the protection of data privacy for citizens throughout
the EU.
• The Computer Misuse Act 1990 is an Act of the UK Parliament making computer crime (e.g. hacking) a criminal offence. The Act
has become a model upon which several other countries including Canada and the Republic of Ireland have drawn inspiration
when subsequently drafting their own information security laws.
• EU Data Retention laws requires Internet service providers and phone companies to keep data on every electronic message sent
and phone call made for between six months and two years.
• The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232 g; 34 CFR Part 99) is a US Federal law that protects the
privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S.
Department of Education. Generally, schools must have written permission from the parent or eligible student in order to release
any information from a student's education record.
• Federal Financial Institutions Examination Council’s (FFIEC) security guidelines for auditors specifies requirements for online
banking security.
• Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires the adoption of national standards for electronic
health care transactions and national identifiers for providers, health insurance plans, and employers. And, it requires health care
providers, insurance providers and employers to safeguard the security and privacy of health data.
• Gramm–Leach–Bliley Act of 1999 (GLBA), also known as the Financial Services Modernization Act of 1999, protects the privacy
and security of private financial information that financial institutions collect, hold, and process.

20. Laws and Regulations:
• Sarbanes–Oxley Act of 2002 (SOX). Section 404 of the act requires publicly traded companies to assess the effectiveness of their
internal controls for financial reporting in annual reports they submit at the end of each fiscal year. Chief information officers are
responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. The act also
requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their
assessments.
• Payment Card Industry Data Security Standard (PCI DSS) establishes comprehensive requirements for enhancing payment account
data security. It was developed by the founding payment brands of the PCI Security Standards Council, including American
Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, to help facilitate the broad adoption of
consistent data security measures on a global basis. The PCI DSS is a multifaceted security standard that includes requirements
for security management, policies, procedures, network architecture, software design and other critical protective measures.
• State security breach notification laws (California and many others) require businesses, nonprofits, and state institutions to notify
consumers when unencrypted "personal information" may have been compromised, lost, or stolen.
• Personal Information Protection and Electronics Document Act (PIPEDA) – An Act to support and promote electronic commerce
by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of
electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory
Instruments Act and the Statute Revision Act.
• Hellenic Authority for Communication Security and Privacy (ADAE) (Law 165/2011) - The Greek Law establishes and describes the
minimum Information Security controls that should be deployed by every company which provides electronic communication
networks and/or services in Greece in order to protect customers' Confidentiality. These include both managerial and technical
controls (i.e. log records should be stored for two years).
• Hellenic Authority for Communication Security and Privacy (ADAE) (Law 205/2013)- The latest Greek Law published by ADAE
concentrates around the protection of the Integrity and Availability of the services and data offered by the Greek
Telecommunication Companies.The new Law forces Telcos and associated companies to build, deploy and test appropriate
Business Continuity Plans and redundant infrastructures.

21. Sources of standards:
• International Organization for Standardization (ISO) is a consortium of
national standards institutes from 157 countries, coordinated through a
secretariat in Geneva, Switzerland. ISO is the world's largest developer of
standards. ISO 15443: "Information technology - Security techniques - A
framework for IT security assurance“.
• The US National Institute of Standards and Technology (NIST) is a non-
regulatory federal agency within the U.S. Department of Commerce. The
NIST Computer Security Division develops standards, metrics, tests and
validation programs as well as publishes standards and guidelines to
increase secure IT planning, implementation, management and operation.
NIST is also the custodian of the US Federal Information Processing
Standard publications (FIPS).

22. Sources of standards:
• The Internet Society is a professional membership society with more than 100
organization and over 20,000 individual members in over 180 countries. It provides
leadership in addressing issues that confront the future of the Internet, and is the
organization home for the groups responsible for Internet infrastructure standards,
including the Internet Engineering Task Force (IETF) and the Internet Architecture
Board (IAB).
• The Information Security Forum is a global nonprofit organization of several
hundred leading organizations in financial services, manufacturing,
telecommunications, consumer goods, government, and other areas. It undertakes
research into information security practices and offers advice in its
biannual Standard of Good Practice and more detailed advisories for members.
• The Institute of Information Security Professionals (IISP) is an independent, non-
profit body governed by its members, with the principal objective of advancing the
professionalism of information security practitioners and thereby the
professionalism of the industry as a whole. The Institute developed the IISP Skills
Framework.

23. Basic Information Security Principles:
• The basic aims of information security are often summarized in three principles:
Confidentiality means making sure that information is only seen by people who
have the right to see it. For example, this could mean using a strong password on
your computer, shredding sensitive documents, and locking filing cabinets.
• Integrity means ensuring that information remains intact and unaltered. This
means watching out for alterations through malicious action, natural disaster, or
even a simple innocent mistake.
• Availability implies having access to your information when you need it. In other
words, it means making sure no person or event is able to block legitimate or
timely access to information.

24. 1: Support the business
1.1 Focus on the business: To ensure that information security is
integrated into essential business activities.
Individuals within the security community should forge relationships
with business leaders and show how information security can
complement key business and risk management processes. They
should adopt an advisory approach to information security by
supporting business objectives through resource allocation, programs
and projects. High-level enterprise-focused advice should be provided
to protect information and help manage information risk both now and
in the future

25. 1: Support the business
1.2 Deliver quality and value to stakeholders: To ensure that
information security delivers value and meets business requirements.
Internal and external stakeholders should be engaged through regular
communication so that their changing requirements for information
security can continue to be met. Promoting the value of information
security (both financial and non-financial) helps to gain support for
decision making, which can in turn help the success of the vision for
information security.

26. 1: Support the business
1.3 Provide timely and accurate information on security performance:
To support business requirements and manage information risks.
Requirements for providing information on security performance
should be clearly defined, supported by the most relevant and accurate
security metrics (such as compliance, incidents, control status and
costs) and aligned to business objectives. Information should be
captured in a periodic, consistent and rigorous manner so that
information remains accurate and results can be presented to meet the
objectives of relevant stakeholders.

27. 1: Support the business
1.4 Evaluate current and future information threats:
To analyze and assess emerging information security threats so that
informed, timely action to mitigate risks can be taken.
Major trends and specific information security threats should be
categorized in a comprehensive, standard framework covering a wide
range of topics such as political, legal, economic, sociocultural as well
as technical issues. Individuals should share and build on their
knowledge of upcoming threats to proactively address their causes,
rather than just the symptoms

28. 1: Support the business
1.5 Promote continuous improvement in information security:
To reduce costs, improve efficiency and effectiveness and promote a
culture of continuous improvement in information security
Constantly changing organizational business models - coupled with
evolving threats - require information security techniques to be
adapted and their level of effectiveness improved on an ongoing basis.
Knowledge of the latest information security techniques should be
maintained by learning from incidents and liaising with independent
research organizations.

29. 2. Defend the business
2.1 Adopt a risk-based approach:
To ensure that risks are treated in a consistent and effective manner.
Options for addressing information risk should be reviewed so that
informed, documented decisions are made about the treatment of risk. Risk
treatment typically involves choosing one or more options, which typically
include:
accepting risks (i.e. by a member of management ‘signing-off’ that they have
accepted the risks and that no further action is required);
avoiding risks (e.g. by deciding not to pursue a particular initiative);
transferring risks (e.g. by outsourcing or taking out insurance); and
mitigating risk, typically by applying appropriate security measures (e.g.
access controls, network monitoring and incident management).

30. 2. Defend the business
2.2 Protect classified information:
To prevent classified information (e.g. confidential or sensitive) being
disclosed to unauthorized individuals.
Information should be identified and then classified according to its
level of confidentiality (e.g secret, restricted, internal and public).
Classified information should be protected accordingly throughout all
stages of the information lifecycle - from creation to destruction - using
appropriate controls, such as encryption and access restrictions

31. 2. Defend the business
2.3 Develop systems securely :
To build quality, cost-effective systems upon which business people
can rely (e.g. that are consistently robust, accurate and reliable).
Information security should be integral to the scope, design, build and
testing phases of the System Development Life Cycle (SDLC). Good
security practices (e.g rigorous testing for security weaknesses, peer
review and ability to cope with error, exception and emergency
conditions) should play a key role at all stages of the development
process.

32. 3. Promote responsible security behavior:
3.1 Act in a professional and ethical manner:
To ensure that information security-related activities are performed in
a reliable, responsible and effective manner.
Information security relies heavily on the ability of professionals
within the industry to perform their roles responsibly and with a clear
understanding of how their integrity has a direct impact on the
information they are charged with protecting. Information security
professionals need to be committed to a high standard of quality in
their work while demonstrating consistent and ethical behavior and
respect for business needs, other individuals and confidential (often
personal) information.

33. 3. Promote responsible security behavior:
3.2 Foster a security-positive culture:
To provide a positive security influence on the behavior of end users,
reduce the likelihood of security incidents occurring, and limit their
potential business impact.
Emphasis should be placed on making information security a key part
of ‘business as usual’, raising security awareness amongst users and
ensuring they have the skills required to protect critical or classified
information and systems. Individuals should be made aware of the risks
to information in their care and empowered to take the necessary steps
to protect it.

34. Information Security Architecture

35. Components of Info Sec Architecture:
• Information is the lifeblood of every organization
• Information is compromised there can be a wide range of consequences
ranging from damage to a company's reputation through to financial
penalties
• Therefore, organizations take a tactical approach to addressing Information
Security
• Information Security is a strategic approach that should be based on a solid,
total framework encompassing all of an organization's Information Security
requirements

36. 1. Information:
• Within this architectural model, Information is at the heart of the
architecture.
• It is the business sensitive information that an organization needs to
protect.
• For example, UOL databases, Academics containing student’s data, HR
databases containing employee data and finance databases containing
accounting data.
• All of this data falls into the category of different structures. This refers to
data held in a structured form such as a database.
• However, there are large amounts of information within organizations that
contain business value and therefore need protecting but aren't contained
in a structured way.

37. 2. Business Decisions:
• All Information Security decisions must start from the top, which
means they must to start with the business.
• It is the responsibility of the business to decide what controls are
required, what is driving this to happen and what the business needs
from Information Security.
• These decisions are governed by a number of different factors and
influences. Some of these will be external whilst others will be driven
from an internal perspective.

38. 3. Policy and Process:
• Taking all of the relevant external and internal factors into account, it is
then the organization's responsibility to specify what Information
Security rules must be applied.
• This is done through a combination of policies and processes (or
procedures). It is these policies and processes that provide the rules
that govern the 'use' of the Information.
• For Example Restriction of Facebook and YouTube for Students on SIS

39. 4. Applications and Services:
• All access to Information is via an application.
• Information can only provide business value if it can be accessed
when it is needed and by authorized individuals.
• Information Security should not only be seen as a defense
mechanism to protect the data, but, in addition, as a business
enabler, ensuring that the Information is available to the right people
at the right time.

40. 5. Access Control:
• Access Control is at the heart of Information Security.
• All access to that information MUST flow through the Access Control
layer irrespective of whether the request is internal or external
• employee or customer??(Teacher, Student, HOD, or What??)
• The implementation of the access control layer can (and will) exist
within multiple places within an organization - in accordance with the
principle of “Defense in Depth"

42. 6. Audit and Monitoring Plan:
• The Auditing and Monitoring layer is responsible for recording all of
required security-related operations to maintain a non-repudiated
and tamper-evident trail of evidence. The level of information that
needs auditing will be determined within the Policy and Processes.
This may include:
• Information Access:
e.g. Successful and/or Failed Authentication/Authorization attempts
• Policy Administration:
e.g. Changes to access control policies
• User Administration:
e.g. Addition/Removal of users' roles and privileges
• Information Change:
e.g. Changes to sensitive Information

43. 7. Cryptography:
• At the heart of many IT-related security controls is cryptography, the
process of using complex math's and algorithms involving large
numbers, to protect information through enciphering and
deciphering messages.
• This can be used for a number of different purposes including,
maintaining the confidentiality of Information through encryption and
the integrity of Information through digital signing.

44. Security Architecture:
'Defense in Depth' and 'Least Privileges'.
By taking this approach to Information Security, organizations
can ensure that the components of their Information security
architecture address all business and critical Information and
are driven by the requirements of the business.

45. Defense in Depth:
• The principle of Defense in Depth is used to describe the concept of
implementing multiple layers of security so that if one layer is breached,
the asset being protected.
• By implementing enough layers of protection the likelihood of compromise
is drastically reduced
• One of the key fact of this principle is the heterogeneity of each layer,
ensuring that each layer is implemented using distinctly different patterns
to another layer. In Information Security terms this could be through using
different technologies, encryption standards, protocols, deployment
methods, etc.

47. Defense in Depth:

48. Defense in Depth:

49. Conclusion:
• Security policies can be developed easily depending on how big your
organisation is. But the challenge is how to implement these policies
by saving time and money.
• If a good security policy is derived and implemented, then the
organisation’s management can relax and enter into a world which is
risk-free.

50. NON CREDITED ASSIGNMENT