The document discusses several key aspects of developing an effective business information security policy, including: 1) Upholding the principles of confidentiality, integrity, and availability. 2) Applying the principle of least privilege and data provenance. 3) Creating a policy that is easily understood, reviewed over time, and supports proper risk management and regulatory compliance. 4) Evaluating how the policy may impact other security programs and processes like risk assessment, auditing, training, and culture.

1. Fort Hays State University
Fort Hays, KS
Presented by Joshua Morrison

2.  Tolerating low levels of understood risk
 Not just a function of IT department

3.  Security strategy
 Security objective
 Security policy
 Procedures
 Standards
 Guidelines
 baselines
Business Information Security
Requirements aid in how high-
level security policy is written

4. Confidentiality
Integrity Availability

5.  Prevent unauthorized disclosure of
information
 Accomplished with access controls
▪ Login / Identity verification
▪ File permissions
▪ Encryption

6.  Authenticity and accuracy of information
 Guaranteeing accuracy includes recovering from
error / disaster to a recent stable state
▪ Data backup
▪ Version control

7.  Information should be accessible to
authorized entities at all times
 Requires failure recovery planning
 Hardware, software, or human
 Minimize downtime of critical systems

8. Binary Data - 1/0 interpretation information

9.  “A particular abstraction layer must be able to
access only the information and resources
that are necessary for its legitimate purpose”
 Greatly reduces potential risk of a security
breach whether malicious or unintentional in
nature

10.  Preserving the original order and context of
information
 Applies to underlying data structure
 Ensures that information retains the
properties of being functional and
meaningful in multiple contexts

11.  Some data such as Personally Identifiable
Data (PII) can be categorized as generally
critical
 Mandated by legal and regulatory concerns
 Some data become critical within a given
context
 Example – data that has yet to be backed up in
the context of disaster recovery planning
 Categorization used to prioritize security
planning

12.  “the process of understanding and
responding to factors that may lead to a
failure in the confidentiality, integrity, or
availability of an information system”
 Measures the likelihood and impact of a
particular information security failure
 Can be qualitative, quantitative, or both
 Some level of risk is assumed by any business

13.  Often perfunctory
 Counter by modeling real-world attack scenarios
 Based on speculation
 Use ongoing investigation / evidence
 Often not assessed historically and
continuously
 Develop a cycle for conducting risk assessment
and analyze long-term trends

14.  Intensive technical vulnerability analysis
 Should be done by highly competent IT
professional
 Concerned with protecting internal resources
from malicious attacks

15.  Achieved by taking the perspective of the
threat agent (attacker)
 Begin with the malicious desires (anti-goals)
of the threat agent
 Develop a comprehensive attack pattern
repository or CAPEC
 Select security controls that address
vulnerabilities discovered in the CAPEC

16.  Heartbleed bug
 Vulnerability – OpenSSL cryptography library
 Shellshock
 Vulnerability - Unix Bash shell
 Poodle
 Vulnerability SSL v3.0
Examples of attack vectors for the CAPEC from
Symantec's annual Internet Security threat report
(2015)

17.  Humans represent significant network security
challenges
 attacks attempt to get the victim to give sensitive
data or perform unintended actions on behalf of the
attacker
 Confidence tricks such as misleading authorship of
emails are used to gain the trust of the victim
▪ Phishing
▪ Social engineering
 Information security awareness training is the best
way to counter these types of attacks

18.  Passwords
 Weak passwords are vulnerable to brute force
attacks or attacks using rainbow tables
 Very strong passwords are hard to remember
resulting in some users resorting to recording
them
 Multi-factor authentication is best, pairing the
known password with another piece of
authenticating evidence such as a fingerprint

19.  Protect data services within the network
inside virtualized environments
 virtual data centers (VDC) and committed
application implementations ,Virtual Application
Data Centers (VADC)
 Provide encapsulation to data services
 More portable, flexible, and secure

20.  People present a variety of challenges to
information security planning
 Stolen/lost laptops and mobile devices account
for many data leaks
▪ Encrypt these devices or ensure that they remain in
secure locations
 Humans are targets for sophisticated social
engineering attacks
▪ Workers must remain vigilant and informed about
specific attacks

21.  Should be continuous
 New threats are constantly being generated
 Should be targeted
 Should be measurable
 Necessary to gauge effectiveness of training
 Should promote positive attitudes about
information security

22.  the culture of a company is "a pattern of
shared basic assumptions learned by a group
as it solves problems of external adaptation
and internal integration, which has worked
well enough to be considered valid and,
therefore, to be taught to new members as
the correct way to perceive, think, and feel in
relation to those problems"

23.  understanding policy alone will not ensure
consistency in compliance with policy
 perceived cultural norms influence outcomes
 Example – how consistently are security
violations being reported?
 Influenced by social networking and peer
relationships
 Consistency of reporting increased as this
behavior is perceived as the cultural norm

24.  Information Security Culture Assessment
(ISCA)
 Survey used to benchmark the level of
information security culture in an organization
 Empirical evidence supports the value of
using ISTAAP to instill an information
security-positive culture

25.  ISTAAP is cyclical with 4 main phases
 Planning and Objectives (PO)
 DevelopTraining and Awareness (DTA)
 Targeted Implementation (TI)
 Evaluate Effectiveness (EE)

26.  The Planning and Objectives phase derives
training objectives from the company's
security strategy, security policy, and
regulatory requirements
 DTA - DevelopTraining and Awareness
techniques include everything from hands-on
training sessions to web-based training and
email

27.  TI - Groups of stakeholders receive training
on key concepts via their preferred method of
delivery
 EE - taking the ISCA to determine the effect
of the training on security culture as well as
the effectiveness of the specific training
actions. Identify future training opportunities

28.  Benefits of adopting IS standard
 Comprehensive and systematic approach
 Battle tested
 Can employ certified professionals to implement
 Can effectively report level of compliance with a
standard
 Can purchase software to facilitate standard
implementation

29.  Joint publication by the International
Organization for Standardization (ISO) and the
International Electrotechnical Commission (EIC)
 Controls-oriented information security standard
 Uses plan-do-check-act cycle
 International standard used in business and
government
 Has high level support for policy
 Defines risk assessment procedure

30.  Separate document used with ISO/EIC 27001
 Repository of security related best practices
 Comprehensive
 Non IS topic – fire safety
 IS topic – removable media policy guidelines
 Compatible with other high level standards
besides ISO/EIC 27001
 Recommend referring to this document even with
an in-house security strategy

31.  Evaluate the effectiveness of controls
 gather information about how a unit operates
 identify points at which errors are possible
 Identify system controls designed to prevent or
detect such occurrences (countermeasures)
 Auditing concludes with testing and
evaluating how well IS controls function

32.  Business should seek to exceed minimum
standards set by state and federal regulations
 HIPPA, OSHA etc.
 The legal field of information security
regulation is relatively young
 Case law is constantly being established
 As information crosses state and national
boundaries, more restrictive regulation may
apply

33.  obligations to stakeholders should be
considered when writing IS policy
 Communicate to stakeholders how their personal
information is used by the company
 Combine ethical concerns with regulatory
concerns when considering changes to IS policy

34.  Ensure the continued operation of critical
workflow functions despite the loss of
support systems
 Disasters come from many sources
 Natural disaster
 Inadvertent action
 Deliberate action

35. 1. Emergency Operations
2. Insurance – Insurance plan
3. Communication Plan
4. IT/SCM Infrastructure
5. Employee Relations
6. Legal and Regulatory

36. 1. Investigation of the incident
2. Identify and execute corrective measures
3. Identify applicable law
4. Determine if notifications are required
5. Notification and communication plan

37.  Offers low cost high performance
 Ideal for big data
 CSP security practices not transparent
 CSP security not auditable by the client
 Care must be taken to analyze contracts and
policy of CSP partners
 Must trust them with sensitive information

38.  Business goals and IS goals in turn are
prioritized by budgetary concerns
 accurate valuation of threat in risk assessment is
very important
 Human motivation aspects of economic
theory should be considered in IS policy
 Incentives
 liability

39.  Policies are high level
 Documents that support policies are more
granular
 Procedures
 Standards
 Guidelines
 Baselines

40.  As predicted, it was possible to create a list of
best practices regarding Business
Information Security Requirements
 Further research may yield more
requirements or add additional scope to
existing requirements

41.  All 3 aspects of the Confidentiality, Integrity,
andAccessibility (CIA) triad should be upheld
 The Principle of Least privilege and the
Provenance Principle should be upheld
 It should be an easily understood document
that is used as a reference point
 It should be reviewed and modified as a
company changes

42.  Each iteration of the policy should be dated
and archived
 All persons who are subject to the policy
must have easy access to it
 It should support proper management of
liability and incentives as they relate to IS
 Determine if the proposed policy would
require changes to the risk assessment or
auditing cycles

43.  Determine if the proposed policy would
require changes to security requirements
analysis . ex. adding a new attack pattern to
the CAPEC
 Determine if the proposed policy would
comply with existing legal and regulatory
restrictions
 Determine if the proposed policy could
negatively affect stakeholders

44.  Determine if the proposed policy would circumvent
current network security status
 Determine if the policy is in compliance with all
adopted security standards
 Determine if the policy affects disaster recovery or
data breach response planning
 Determine if the policy requires any new security
awareness training
 Determine how the policy will impact information
security culture
 Determine if extraordinary security measures are
required eg. assessing the security practices of a new
cloud data provider