SlideShare a Scribd company logo

Security policy and standards

Download as PPT, PDF
Wilson Musyoka
Wilson Musyoka

The document discusses guidelines for developing effective information security policies. It describes the importance of policy and outlines three types of policies: enterprise security policies, issue-specific policies, and system-specific policies. It emphasizes that policies should be properly disseminated, understood, and agreed upon. Effective policy development involves planning, analysis of needs and risks, design, implementation, and processes for ongoing maintenance.

Technology
1 of 85
Security Policy and Standards
Computer Science CPSC 449/Fall 2005 Security Information Management 2 Part I 1. Introduction 2. Policy 3. Enterprise Information Security Policy 4. Issue-Specific Security Policy (ISSP) 5. System-Specific Policy 6. Guidelines for Policy Management 7. Another Approach to Policy Development 8. SP 800-18 Guide for Developing
Computer Science CPSC 449/Fall 2005 Security Information Management 3 Introduction This chapter focuses on information security policy:  What it is  How to write it  How to implement it  How to maintain it
Computer Science CPSC 449/Fall 2005 Security Information Management 4 Policy Policy is an essential foundation of effective infosec program The success of an information resources protection program depends on the policy generated, & on the attitude of management toward securing information on automated systems.
Computer Science CPSC 449/Fall 2005 Security Information Management 5 You, the policy maker, set the tone & the emphasis on how important a role infosec will have within your agency. Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws & regulations, & assurance of operational continuity, information integrity, & confidentiality.”
Computer Science CPSC 449/Fall 2005 Security Information Management 6 A quality infosec program begins & ends with policy Policies are least expensive means of control & often the most difficult to implement Basic rules to follow when shaping policy:  Never conflict with law  Stand up in court  Properly supported and administered  Contribute to the success of the organization  Involve end users of information systems
Computer Science CPSC 449/Fall 2005 Security Information Management 7 Focus on the systemic solutions, not specifics
Computer Science CPSC 449/Fall 2005 Security Information Management 8 Bulls-eye model layers 1. Policies: first layer of defense 2. Networks: threats first meet organization’s network 3. Systems: computers & manufacturing systems 4. Applications: all applications systems
Computer Science CPSC 449/Fall 2005 Security Information Management 9 Policies are important reference documents for internal audits & for resolution of legal disputes about management’s due diligence Policy documents can act as a clear statement of management’s intent
Computer Science CPSC 449/Fall 2005 Security Information Management 10
Computer Science CPSC 449/Fall 2005 Security Information Management 11 Policy: plan or course of action that influences & determines decisions Standards: more detailed statement of what must be done to comply with policy Practices, procedures & guidelines:explain how employees will comply with policy
Computer Science CPSC 449/Fall 2005 Security Information Management 12 For policies to be effective, they must be:  Properly disseminated  Read  Understood  Agreed-to
Computer Science CPSC 449/Fall 2005 Security Information Management 13 Policies require constant modification & maintenance In order to produce a complete infosec policy, management must define 3 types of infosec policy:  Enterprise infosec program policy  Issue-specific infosec policies  Systems-specific infosec policies
Computer Science CPSC 449/Fall 2005 Security Information Management 14 Part I 1. Introduction 2. Policy 3. Enterprise Information Security Policy 4. Issue-Specific Security Policy (ISSP) 5. System-Specific Policy 6. Guidelines for Policy Management 7. Another Approach to Policy Development 8. SP 800-18 Guide for Developing
Computer Science CPSC 449/Fall 2005 Security Information Management 15 Enterprise InfoSec Policy (EISP) Sets strategic direction, scope, & tone for organization’s security efforts Assigns responsibilities for various areas of infosec Guides development, implementation,& management requirements of infosec program
Computer Science CPSC 449/Fall 2005 Security Information Management 16 EISP documents should provide: An overview of corporate philosophy on security Information about infosec organization & infosec roles:  Responsibilities for security shared by all organization members  Responsibilities for security unique to each organizational role
Computer Science CPSC 449/Fall 2005 Security Information Management 17 Components of the EISP Statement of Purpose: What the policy is for Information Technology Security Elements: Defines infosec Need for Information Technology Security: justifies importance of infosec in the organization Information Technology Security Responsibilities & Roles: Defines organizational structure References Information Technology standards & guidelines
Computer Science CPSC 449/Fall 2005 Security Information Management 18 Sample EISP Protection Of Information: Information must be protected in a manner commensurate with its sensitivity, value, & criticality Use Of Information: Company X information must be used only for business purposes expressly authorized by management Information Handling, Access, & Usage: Information is a vital asset & all accesses to, uses of, & processing of Company X information must be consistent with policies & standards
Computer Science CPSC 449/Fall 2005 Security Information Management 19 Data & Program Damage Disclaimers: Company X disclaims any responsibility for loss or damage to data or software that results from its efforts to protect the confidentiality, integrity, & availability of the information handled by computers & communications systems Legal Conflicts: Company X infosec policies were drafted to meet or exceed the protections found in existing laws & regulations, & any Company X infosec policy believed to be in conflict with existing laws or regulations must be promptly reported to infosec management
Computer Science CPSC 449/Fall 2005 Security Information Management 20 Exceptions To Policies: Exceptions to infosec policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a standard risk acceptance form has been prepared by the data owner or management, & where this form has been approved by both InfoSec management & Internal Audit management Policy Non-Enforcement: Management's non- enforcement of any policy requirement does not constitute its consent
Computer Science CPSC 449/Fall 2005 Security Information Management 21 Violation Of Law: Company X management must seriously consider prosecution for all known violations of the law Revocation Of Access Privileges: Company X reserves the right to revoke a user’s information technology privileges at any time Industry-Specific InfoSec Standards: Company X information systems must employ industry-specific infosec standards
Computer Science CPSC 449/Fall 2005 Security Information Management 22 Use Of infosec Policies & Procedures: All Company X infosec documentation including, but not limited to, policies, standards, & procedures, must be classified as “Internal Use Only,” unless expressly created for external business processes or partners Security Controls Enforceability: All information systems security controls must be enforceable prior to being adopted as a part of standard operating procedure
Computer Science CPSC 449/Fall 2005 Security Information Management 23 Thinking about the EISP (10 min):  Information Security Policy Documents  Review and Evaluation  Appropriate Use of Information Technology Resources  Identification of Risks from Third Party Access  Physical Security Area  Personnel Security Screening  Information Security Education and Training
Computer Science CPSC 449/Fall 2005 Security Information Management 24 Part I 1. Introduction 2. Policy 3. Enterprise Information Security Policy 4. Issue-Specific Security Policy (ISSP) 5. System-Specific Policy 6. Guidelines for Policy Management 7. Another Approach to Policy Development 8. SP 800-18 Guide for Developing
Computer Science CPSC 449/Fall 2005 Security Information Management 25 Issue-Specific Security Policy (ISSP) Provides detailed, targeted guidance to instruct organization in secure use of tech systems Begins with intro to fundamental technological philosophy of organization Serves to protect employee & organization from inefficiency/ambiguity Documents how technology-based system is controlled Identifies Processes & authorities that provide this control Serves to indemnify organization against liability for inappropriate or illegal system use
Computer Science CPSC 449/Fall 2005 Security Information Management 26 ISSP should Address specific technology-based systems Require frequent updates Contain an issue statement on the organization’s position on an issue
Computer Science CPSC 449/Fall 2005 Security Information Management 27 ISSP topics could include email use of Internet & World Wide Web specific minimum configurations of computers to defend against malware prohibitions against hacking or testing organization security controls home use of company-owned computer equipment use of personal equipment on company networks use of telecommunications technologies use of photocopy equipment
Computer Science CPSC 449/Fall 2005 Security Information Management 28 Components of the ISSP Statement of Purpose:  Scope & Applicability  Definition of Technology Addressed  Responsibilities Authorized Access & Usage of Equipment:  User Access  Fair & Responsible Use  Protection of Privacy more ...
Computer Science CPSC 449/Fall 2005 Security Information Management 29 Prohibited Usage of Equipment:  Disruptive Use or Misuse  Criminal Use  Offensive or Harassing Materials  Copyrighted, Licensed, or other Intellectual Property  Other Restrictions Systems Management:  Management of Stored Materials  Employer Monitoring  Virus Protection  Physical Security  Encryption more ...
Computer Science CPSC 449/Fall 2005 Security Information Management 30 Violations of Policy:  Procedures for Reporting Violations  Penalties for Violations Policy Review & Modification:  Scheduled Review of Policy & Procedures for Modification Limitations of Liability:  Statements of Liability or Disclaimers
Computer Science CPSC 449/Fall 2005 Security Information Management 31 Common approaches to implementing ISSP Number of independent ISSP documents Single comprehensive ISSP document Modular ISSP document that unifies policy creation & administration Recommended approach is modular policy, which provides a balance between issue orientation & policy management
Computer Science CPSC 449/Fall 2005 Security Information Management 32 Discussion (10 min)  Guidelines on anti-virus process  Email-policy  Password  Third party connection agreement  Acceptable use policy
Computer Science CPSC 449/Fall 2005 Security Information Management 33 Part I 1. Introduction 2. Policy 3. Enterprise Information Security Policy 4. Issue-Specific Security Policy (ISSP) 5. System-Specific Policy 6. Guidelines for Policy Management 7. Another Approach to Policy Development 8. SP 800-18 Guide for Developing
Computer Science CPSC 449/Fall 2005 Security Information Management 34 Systems-Specific Policies (SysSPs) They may often be created to function as standards or procedures to be used when configuring or maintaining systems SysSPs can be separated into:  Management guidance  Technical specifications  Combined in a single policy document
Computer Science CPSC 449/Fall 2005 Security Information Management 35 Created by management to guide the implementation & configuration of technology Applies to any technology that affects the confidentiality, integrity or availability of information Informs technologists of management intent Management Guidance SysSPs
Computer Science CPSC 449/Fall 2005 Security Information Management 36 Technical Specifications SysSPs System administrators’ directions on implementing managerial policy Each type of equipment has its own type of policies Two general methods of implementing such technical controls: 1. Access control lists 2. Configuration rules
Computer Science CPSC 449/Fall 2005 Security Information Management 37
Computer Science CPSC 449/Fall 2005 Security Information Management 38 Access Control Lists ACLs enable administrations to restrict access according to user, computer, time, duration, or even a particular file more ...
Computer Science CPSC 449/Fall 2005 Security Information Management 39 Include user access lists, matrices, & capability tables that govern rights & privileges Can control access to file storage systems, object brokers, or other network communications devices Capability Table: similar method that specifies which subjects & objects users or groups can access Specifications are frequently complex matrices, rather than simple lists or tables Level of detail & specificity (often called granularity) may vary from system to system
Computer Science CPSC 449/Fall 2005 Security Information Management 40 ACLs regulate Who can use the system What authorized users can access When authorized users can access the system Where authorized users can access the system from How authorized users can access the system Restricting what users can access, e.g. printers, files, communications, & applications
Computer Science CPSC 449/Fall 2005 Security Information Management 41 ACL Administrators set user privileges  Read  Write  Create  Modify  Delete  Compare  Copy
Computer Science CPSC 449/Fall 2005 Security Information Management 42 Configuration rules are specific configuration codes entered into security systems to guide execution of system when information is passing through it Rule policies are more specific to system operation than ACLs & may or may not deal with users directly Many security systems require specific configuration scripts telling systems what actions to perform on each set of information processed
Computer Science CPSC 449/Fall 2005 Security Information Management 43
Computer Science CPSC 449/Fall 2005 Security Information Management 44
Computer Science CPSC 449/Fall 2005 Security Information Management 45
Computer Science CPSC 449/Fall 2005 Security Information Management 46 Combination SysSPs Often organizations create a single document combining elements of both Management Guidance & Technical Specifications SysSPs While this can be confusing, it is very practical Care should be taken to articulate required actions carefully as procedures are presented
Computer Science CPSC 449/Fall 2005 Security Information Management 47 Part I 1. Introduction 2. Policy 3. Enterprise Information Security Policy 4. Issue-Specific Security Policy (ISSP) 5. System-Specific Policy 6. Guidelines for Policy Management 7. Another Approach to Policy Development 8. SP 800-18 Guide for Developing
Computer Science CPSC 449/Fall 2005 Security Information Management 48 Guidelines for Policy Development Often useful to view policy development as a two-part project: 1. Design & develop policy (or redesign & rewrite outdated policy) 2. Establish management processes to perpetuate policy within organization The former is an exercise in project management, while the latter requires adherence to good business practices
Computer Science CPSC 449/Fall 2005 Security Information Management 49 Policy development or re-development projects should be well planned, properly funded, & aggressively managed to ensure completion on time & within budget When a policy development project is undertaken, the project can be guided by the SecSDLC process
Computer Science CPSC 449/Fall 2005 Security Information Management 50 1. Investigation Phase The policy development team should:  Obtain support from senior management, & active involvement of IT management, specifically CIO  Clearly articulate goals of policy project  Gain participation of correct individuals affected by recommended policies  more ...
Computer Science CPSC 449/Fall 2005 Security Information Management 51  Be composed from Legal, Human Resources & end-users  Assign project champion with sufficient stature & prestige  Acquire a capable project manager  Develop detailed outline of & sound estimates for, the cost & scheduling of the project
Computer Science CPSC 449/Fall 2005 Security Information Management 52 2. Analysis Phase Should include the following activities: New or recent risk assessment or IT audit documenting the current infosec needs of the organization Key reference materials, including any existing policies
Computer Science CPSC 449/Fall 2005 Security Information Management 53 3 & 4. Design phase Should include:  How policies will be distributed  How verification of distribution will be accomplished  Specifications for any automated tools  Revisions to feasibility analysis reports based on improved costs & benefits as design is clarified
Computer Science CPSC 449/Fall 2005 Security Information Management 54 5. Implementation Phase Write the policies! Make certain policies are enforceable as written Policy distribution is not always as straightforward Effective policy:  Is written at a reasonable reading level  Attempts to minimize technical jargon & management terminology
Computer Science CPSC 449/Fall 2005 Security Information Management 55 One way to measure readability
Computer Science CPSC 449/Fall 2005 Security Information Management 56 6. Maintenance Phase Maintain & modify policy as needed to ensure that it remains effective as a tool to meet changing threats Policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously Periodic review should be built into the process
Computer Science CPSC 449/Fall 2005 Security Information Management 57
Computer Science CPSC 449/Fall 2005 Security Information Management 58 Part I 1. Introduction 2. Policy 3. Enterprise Information Security Policy 4. Issue-Specific Security Policy (ISSP) 5. System-Specific Policy 6. Guidelines for Policy Management 7. Another Approach to Policy Development 8. SP 800-18 Guide for Developing
Computer Science CPSC 449/Fall 2005 Security Information Management 59 The InfoSec Policy Made Easy Approach (ISPME) Gathering Key Reference Materials Defining A Framework For Policies Preparing A Coverage Matrix Making Critical Systems Design Decisions Structuring Review, Approval, & Enforcement Processes
Computer Science CPSC 449/Fall 2005 Security Information Management 60
Computer Science CPSC 449/Fall 2005 Security Information Management 61 ISPME Checklist Perform risk assessment or information technology audit to determine your org’s unique infosec needs Clarify what “policy” means within your org so that you are not preparing a “standard,” “procedure,” or some other related material Ensure that roles & responsibilities related to infosec are clarified, including responsibility for issuing & maintaining policies more ...
Computer Science CPSC 449/Fall 2005 Security Information Management 62 Convince management that it is advisable to have documented infosec policies Identify top management staff who will be approving final infosec document & all influential reviewers Collect & read all existing internal infosec awareness material & make a list of the included bottom-line messages Conduct a brief internal survey to gather ideas that stakeholders believe should be included in a new or updated infosec policy more ...
Computer Science CPSC 449/Fall 2005 Security Information Management 63 Examine other policies issued by your organization, such as those from HR management, to identify prevailing format, style, tone, length, & cross-references Identify audience to receive infosec policy materials & determine whether they will each get a separate document or a separate page on an intranet site Determine extent to which audience is literate, computer knowledgeable, & receptive to security messages more ...
Computer Science CPSC 449/Fall 2005 Security Information Management 64 Decide whether some other awareness efforts must take place before infosec policies are issued Using ideas from the risk assessment, prepare a list of absolutely essential policy messages that must be communicated If there is more than one audience, match the audiences with the bottom-line messages to be communicated through a coverage matrix. more ...
Computer Science CPSC 449/Fall 2005 Security Information Management 65 Determine how the policy material will be disseminated, noting the constraints & implications of each medium of communication Review compliance checking, disciplinary, & enforcement processes to ensure they all can work smoothly with new policy document Determine whether number of messages is too large to be handled all at one time, & if so, identify different categories of material that will be issued at different times more ...
Computer Science CPSC 449/Fall 2005 Security Information Management 66 Have an outline of topics to be included in the first document reviewed by several stakeholders Based on comments from stakeholders, revise initial outline & prepare a first draft Have first draft document reviewed by stakeholders for initial reactions, presentation suggestions, & implementation ideas Revise draft in response to comments from stakeholders more ...
Computer Science CPSC 449/Fall 2005 Security Information Management 67 Request top management approval on policy Prepare extracts of policy document for selected purposes Develop awareness plan that uses policy document as a source of ideas & requirements Create working papers memo indicating disposition of all comments received from reviewers, even if no changes were made more ...
Computer Science CPSC 449/Fall 2005 Security Information Management 68 Write memo about project, what you learned, & what needs to be fixed so that next version of policy document can be prepared more efficiently, better received by readers, & more responsive to unique circumstances facing your organization Prepare list of next steps that will be required to implement requirements specified in policy document
Computer Science CPSC 449/Fall 2005 Security Information Management 69 ISPME Next Steps Post Polices To Intranet Or Equivalent Develop A Self-Assessment Questionnaire Develop Revised User ID Issuance Form Develop Agreement To Comply With InfoSec Policies Form Develop Tests To Determine If Workers Understand Policies Assign InfoSec Coordinators Train InfoSec Coordinators more ...
Computer Science CPSC 449/Fall 2005 Security Information Management 70 Prepare & Deliver A Basic InfoSec Training Course Develop Application Specific InfoSec Policies Develop A Conceptual Hierarchy Of InfoSec Requirements Assign Information Ownership & Custodianship Establish An infosec Management Committee Develop An infosec Architecture Document
Computer Science CPSC 449/Fall 2005 Security Information Management 71 A Final Note on Policy Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy Policies exist first & foremost to inform employees of what is & is not acceptable behaviour in the organization Policy seeks to improve employee productivity, & prevent potentially embarrassing situations
Computer Science CPSC 449/Fall 2005 Security Information Management 72 Summary Why Policy? Enterprise InfoSec Policy Issue-Specific Security Policy System-Specific Policy Guidelines for Policy Development
Computer Science CPSC 449/Fall 2005 Security Information Management 73 Part II 1. Introduction 2. Security Standard Criteria and Product Security Evaluation Process 3. Computer Products Evaluation Standards 4. Major Evaluation Criteria
Computer Science CPSC 449/Fall 2005 Security Information Management 74 1 Introduction Security Evaluation Process Security Standards and Criteria  The Orange Book  U.S. Federal Criteria  Information Technology Security Evaluation Criteria (ITSEC)  The Trusted Network Interpretation (TNI): The Red Book  Common Criteria (CC)
Computer Science CPSC 449/Fall 2005 Security Information Management 75 2 Security Standards, Criteria and Evaluation Process Purpose Criteria Process Structure Outcome/benefit
Computer Science CPSC 449/Fall 2005 Security Information Management 76 2.1 Purpose of Evaluation Certification Accreditation Evaluation Potential market benefit
Computer Science CPSC 449/Fall 2005 Security Information Management 77 2.2 Criteria Defines several degrees of rigor acceptable at each testing level of security Defines the formal requirements the product need to meet at each Assurance level Assurance levels are based on Trusted Computer System Evaluation (TCSEC)
Computer Science CPSC 449/Fall 2005 Security Information Management 78 2.3 Process of Evaluation Two evaluation directions:  Product-oriented  Process-oriented 6-steps  Proposal review  Technical assessment  Advice  Intensive preliminary technical review  Evaluation  Rating maintenance phase
Computer Science CPSC 449/Fall 2005 Security Information Management 79 2.4 Structure of Evaluation Functionality – what and how much the product can do Effectiveness – whether the product meets the effectiveness threshold Assurance – give buyer assurance and guarantee
Computer Science CPSC 449/Fall 2005 Security Information Management 80 2.5 Outcome/Benefits A great product  For evaluator, cut down the evaluation cost without cutting the value of evaluation  For buyer, result in good product to enhance the security Evaluation of a computer product can be done using either a standard or a criteria
Computer Science CPSC 449/Fall 2005 Security Information Management 81 3 Computer Products Evaluation Standards American National Standards Institute (ANSI) British Standards Institute (BSI) Institute of Electrical and Electronic Engineers Standards Association (IEEE-SA) International Information System Security Certification Consortium (ISC)2 International Organization for Standardization (ISO) National Institute of Standards and Technology (NIST) National Security Agency (NSA) International Architecture Board (IAB) Organization for the Advancement of Structured Information Standards (OASIS) Underwriters Laboratories Worldwide Web Consortium (W3C)
Computer Science CPSC 449/Fall 2005 Security Information Management 82 4 Major Evaluation Criteria The Orange Book U.S. Federal Criteria Information Technology Security Evaluation Criteria (ITSEC) The Trusted Network Interpretation (TNI): The Red Book Common Criteria (CC)
Computer Science CPSC 449/Fall 2005 Security Information Management 83 The Orange Book Three Objectives  A yardstick for user  Guidance for manufacturer  Basis for security requirements Two requirements  Specific security feature requirements  Assurance requirements
Computer Science CPSC 449/Fall 2005 Security Information Management 84 The Orange Book Four Assurance Levels  Class D – Minimal Protection  Class C  C1: Discretionary Security Protection (DSP)  C2: Controlled Access Protection (CAP)  Class B  B1: Labeled Security Protection  B2: Structured Protection  B3: Security Domain  Class A1: Verified Protection
Computer Science CPSC 449/Fall 2005 Security Information Management 85 Questions Does evaluation mean security? One advantage of process-oriented security evaluation is that it is cheap. Find other reasons why it is popular. Why, despite its popularity, is it reliable? Why is the product rated as B2/B3/A1 better than that rated C2/B1, or is it? How do I know if a product is evaluated? How do I get my product evaluated?

Recommended

Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information Security
Eryk Budi Pratama
 
Security & Compliance
Security & ComplianceSecurity & Compliance
Security & Compliance
Amazon Web Services
 
Security policies
Security policiesSecurity policies
Security policies
Nishant Pahad
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
primeteacher32
 
Cissp Study notes.pdf
Cissp Study notes.pdfCissp Study notes.pdf
Cissp Study notes.pdf
MAHESHUMANATHGOPALAK
 
Security and personnel bp11521
Security and personnel bp11521Security and personnel bp11521
Security and personnel bp11521
Merlin Florrence
 
Information security-management-system
Information security-management-systemInformation security-management-system
Information security-management-system
intellisenseit
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information Security
Dr. Loganathan R
 

Recommended

Network Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information SecurityNetwork Security - Defense Through Layered Information Security
Network Security - Defense Through Layered Information Security
Eryk Budi Pratama
 
Security & Compliance
Security & ComplianceSecurity & Compliance
Security & Compliance
Amazon Web Services
 
Security policies
Security policiesSecurity policies
Security policies
Nishant Pahad
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
primeteacher32
 
Cissp Study notes.pdf
Cissp Study notes.pdfCissp Study notes.pdf
Cissp Study notes.pdf
MAHESHUMANATHGOPALAK
 
Security and personnel bp11521
Security and personnel bp11521Security and personnel bp11521
Security and personnel bp11521
Merlin Florrence
 
Information security-management-system
Information security-management-systemInformation security-management-system
Information security-management-system
intellisenseit
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information Security
Dr. Loganathan R
 
Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technology
trainersenthil14
 
Information Security It's All About Compliance
Information Security It's All About ComplianceInformation Security It's All About Compliance
Information Security It's All About Compliance
Dinesh O Bareja
 
Integrating Security Across SDLC Phases
Integrating Security Across SDLC PhasesIntegrating Security Across SDLC Phases
Integrating Security Across SDLC Phases
Ishrath Sultana
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
PECB
 
Security policy
Security policySecurity policy
Security policy
Dhani Ahmad
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset Valuation
MLG College of Learning, Inc
 
Cissp combined notes
Cissp combined notesCissp combined notes
Cissp combined notes
Joshua Fonseca
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
primeteacher32
 
Information security
Information securityInformation security
Information security
Lusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Lesson 3- Remote Access
Lesson 3- Remote AccessLesson 3- Remote Access
Lesson 3- Remote Access
MLG College of Learning, Inc
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
Information Security Management.Introduction
Information Security Management.IntroductionInformation Security Management.Introduction
Information Security Management.Introduction
yuliana_mar
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Kumawat Dharmpal
 
Software security
Software securitySoftware security
Software security
Roman Oliynykov
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 
Data security
Data securityData security
Data security
AbdulBasit938
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
Dhani Ahmad
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
Sibghatullah Khattak
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
Information security
Information securityInformation security
Information security
avinashbalakrishnan2
 
Khas bank isms 3 s
Khas bank isms 3 sKhas bank isms 3 s
Khas bank isms 3 s
Khaltar Togtuun
 
create your own Security Management Model using the NIST Special Pub.pdf
create your own Security Management Model using the NIST Special Pub.pdfcreate your own Security Management Model using the NIST Special Pub.pdf
create your own Security Management Model using the NIST Special Pub.pdf
FORTUNE2505
 

More Related Content

What's hot

Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technology
trainersenthil14
 
Information Security It's All About Compliance
Information Security It's All About ComplianceInformation Security It's All About Compliance
Information Security It's All About Compliance
Dinesh O Bareja
 
Integrating Security Across SDLC Phases
Integrating Security Across SDLC PhasesIntegrating Security Across SDLC Phases
Integrating Security Across SDLC Phases
Ishrath Sultana
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
PECB
 
Security policy
Security policySecurity policy
Security policy
Dhani Ahmad
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset Valuation
MLG College of Learning, Inc
 
Cissp combined notes
Cissp combined notesCissp combined notes
Cissp combined notes
Joshua Fonseca
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
primeteacher32
 
Lesson 3- Remote Access
Lesson 3- Remote AccessLesson 3- Remote Access
Lesson 3- Remote Access
MLG College of Learning, Inc
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
Information Security Management.Introduction
Information Security Management.IntroductionInformation Security Management.Introduction
Information Security Management.Introduction
yuliana_mar
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Kumawat Dharmpal
 
Software security
Software securitySoftware security
Software security
Roman Oliynykov
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
elmuhammadmuhammad
 
Data security
Data securityData security
Data security
AbdulBasit938
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
Dhani Ahmad
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
Sibghatullah Khattak
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
Information security
Information securityInformation security
Information security
avinashbalakrishnan2
 

What's hot (20)

Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technology
 
Information Security It's All About Compliance
Information Security It's All About ComplianceInformation Security It's All About Compliance
Information Security It's All About Compliance
 
Integrating Security Across SDLC Phases
Integrating Security Across SDLC PhasesIntegrating Security Across SDLC Phases
Integrating Security Across SDLC Phases
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 
Security policy
Security policySecurity policy
Security policy
 
Lesson 2- Information Asset Valuation
Lesson 2- Information Asset ValuationLesson 2- Information Asset Valuation
Lesson 2- Information Asset Valuation
 
Cissp combined notes
Cissp combined notesCissp combined notes
Cissp combined notes
 
Vulnerability Assessment
Vulnerability AssessmentVulnerability Assessment
Vulnerability Assessment
 
Information security
Information securityInformation security
Information security
 
Lesson 3- Remote Access
Lesson 3- Remote AccessLesson 3- Remote Access
Lesson 3- Remote Access
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
Information Security Management.Introduction
Information Security Management.IntroductionInformation Security Management.Introduction
Information Security Management.Introduction
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Software security
Software securitySoftware security
Software security
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
Data security
Data securityData security
Data security
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
 
Information security in todays world
Information security in todays worldInformation security in todays world
Information security in todays world
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
 
Information security
Information securityInformation security
Information security
 

Similar to Security policy and standards

Khas bank isms 3 s
Khas bank isms 3 sKhas bank isms 3 s
Khas bank isms 3 s
Khaltar Togtuun
 
create your own Security Management Model using the NIST Special Pub.pdf
create your own Security Management Model using the NIST Special Pub.pdfcreate your own Security Management Model using the NIST Special Pub.pdf
create your own Security Management Model using the NIST Special Pub.pdf
FORTUNE2505
 
ISO/IEC 27001.pdf
ISO/IEC 27001.pdfISO/IEC 27001.pdf
ISO/IEC 27001.pdf
LiiewaOfficial
 
cyber security ppt.pptx
cyber security ppt.pptxcyber security ppt.pptx
cyber security ppt.pptx
lidiyamekonnen
 
Ch.5 rq (1)
Ch.5 rq (1)Ch.5 rq (1)
Ch.5 rq (1)
anthnydvs
 
102 Information security standards and specifications
102 Information security standards and specifications102 Information security standards and specifications
102 Information security standards and specifications
SsendiSamuel
 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
PECB
 
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4
MLG College of Learning, Inc
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
sivadnolram
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
AbuHanifah59
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresSamuel Loomis
 
D1 security and risk management v1.62
D1 security and risk management v1.62D1 security and risk management v1.62
D1 security and risk management v1.62
AlliedConSapCourses
 
CYBER SECURITY.pptx
CYBER SECURITY.pptxCYBER SECURITY.pptx
CYBER SECURITY.pptx
lidiyamekonnen
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
Ahmed Riad .
 
Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...padler01
 
Ch04_MoIS5e_v02.pptx business business business business business business bu...
Ch04_MoIS5e_v02.pptx business business business business business business bu...Ch04_MoIS5e_v02.pptx business business business business business business bu...
Ch04_MoIS5e_v02.pptx business business business business business business bu...
JawaherAlbaddawi
 
Policy formation and enforcement.ppt
Policy formation and enforcement.pptPolicy formation and enforcement.ppt
Policy formation and enforcement.ppt
ImXaib
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
MLG College of Learning, Inc
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
MLG College of Learning, Inc
 

Similar to Security policy and standards (20)

Khas bank isms 3 s
Khas bank isms 3 sKhas bank isms 3 s
Khas bank isms 3 s
 
create your own Security Management Model using the NIST Special Pub.pdf
create your own Security Management Model using the NIST Special Pub.pdfcreate your own Security Management Model using the NIST Special Pub.pdf
create your own Security Management Model using the NIST Special Pub.pdf
 
ISO/IEC 27001.pdf
ISO/IEC 27001.pdfISO/IEC 27001.pdf
ISO/IEC 27001.pdf
 
cyber security ppt.pptx
cyber security ppt.pptxcyber security ppt.pptx
cyber security ppt.pptx
 
Ch.5 rq (1)
Ch.5 rq (1)Ch.5 rq (1)
Ch.5 rq (1)
 
102 Information security standards and specifications
102 Information security standards and specifications102 Information security standards and specifications
102 Information security standards and specifications
 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
 
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_Procedures
 
D1 security and risk management v1.62
D1 security and risk management v1.62D1 security and risk management v1.62
D1 security and risk management v1.62
 
CYBER SECURITY.pptx
CYBER SECURITY.pptxCYBER SECURITY.pptx
CYBER SECURITY.pptx
 
ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview ISO/IEC 27001:2013 An Overview
ISO/IEC 27001:2013 An Overview
 
Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...Contractor Responsibilities under the Federal Information Security Management...
Contractor Responsibilities under the Federal Information Security Management...
 
Ch04_MoIS5e_v02.pptx business business business business business business bu...
Ch04_MoIS5e_v02.pptx business business business business business business bu...Ch04_MoIS5e_v02.pptx business business business business business business bu...
Ch04_MoIS5e_v02.pptx business business business business business business bu...
 
Policy formation and enforcement.ppt
Policy formation and enforcement.pptPolicy formation and enforcement.ppt
Policy formation and enforcement.ppt
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
 
Lesson 3
Lesson 3Lesson 3
Lesson 3
 

Recently uploaded

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 

Recently uploaded (20)

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 

Security policy and standards

  • 2. Computer Science CPSC 449/Fall 2005 Security Information Management 2 Part I 1. Introduction 2. Policy 3. Enterprise Information Security Policy 4. Issue-Specific Security Policy (ISSP) 5. System-Specific Policy 6. Guidelines for Policy Management 7. Another Approach to Policy Development 8. SP 800-18 Guide for Developing
  • 3. Computer Science CPSC 449/Fall 2005 Security Information Management 3 Introduction This chapter focuses on information security policy:  What it is  How to write it  How to implement it  How to maintain it
  • 4. Computer Science CPSC 449/Fall 2005 Security Information Management 4 Policy Policy is an essential foundation of effective infosec program The success of an information resources protection program depends on the policy generated, & on the attitude of management toward securing information on automated systems.
  • 5. Computer Science CPSC 449/Fall 2005 Security Information Management 5 You, the policy maker, set the tone & the emphasis on how important a role infosec will have within your agency. Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws & regulations, & assurance of operational continuity, information integrity, & confidentiality.”
  • 6. Computer Science CPSC 449/Fall 2005 Security Information Management 6 A quality infosec program begins & ends with policy Policies are least expensive means of control & often the most difficult to implement Basic rules to follow when shaping policy:  Never conflict with law  Stand up in court  Properly supported and administered  Contribute to the success of the organization  Involve end users of information systems
  • 7. Computer Science CPSC 449/Fall 2005 Security Information Management 7 Focus on the systemic solutions, not specifics
  • 8. Computer Science CPSC 449/Fall 2005 Security Information Management 8 Bulls-eye model layers 1. Policies: first layer of defense 2. Networks: threats first meet organization’s network 3. Systems: computers & manufacturing systems 4. Applications: all applications systems
  • 9. Computer Science CPSC 449/Fall 2005 Security Information Management 9 Policies are important reference documents for internal audits & for resolution of legal disputes about management’s due diligence Policy documents can act as a clear statement of management’s intent
  • 10. Computer Science CPSC 449/Fall 2005 Security Information Management 10
  • 11. Computer Science CPSC 449/Fall 2005 Security Information Management 11 Policy: plan or course of action that influences & determines decisions Standards: more detailed statement of what must be done to comply with policy Practices, procedures & guidelines:explain how employees will comply with policy
  • 12. Computer Science CPSC 449/Fall 2005 Security Information Management 12 For policies to be effective, they must be:  Properly disseminated  Read  Understood  Agreed-to
  • 13. Computer Science CPSC 449/Fall 2005 Security Information Management 13 Policies require constant modification & maintenance In order to produce a complete infosec policy, management must define 3 types of infosec policy:  Enterprise infosec program policy  Issue-specific infosec policies  Systems-specific infosec policies
  • 14. Computer Science CPSC 449/Fall 2005 Security Information Management 14 Part I 1. Introduction 2. Policy 3. Enterprise Information Security Policy 4. Issue-Specific Security Policy (ISSP) 5. System-Specific Policy 6. Guidelines for Policy Management 7. Another Approach to Policy Development 8. SP 800-18 Guide for Developing
  • 15. Computer Science CPSC 449/Fall 2005 Security Information Management 15 Enterprise InfoSec Policy (EISP) Sets strategic direction, scope, & tone for organization’s security efforts Assigns responsibilities for various areas of infosec Guides development, implementation,& management requirements of infosec program
  • 16. Computer Science CPSC 449/Fall 2005 Security Information Management 16 EISP documents should provide: An overview of corporate philosophy on security Information about infosec organization & infosec roles:  Responsibilities for security shared by all organization members  Responsibilities for security unique to each organizational role
  • 17. Computer Science CPSC 449/Fall 2005 Security Information Management 17 Components of the EISP Statement of Purpose: What the policy is for Information Technology Security Elements: Defines infosec Need for Information Technology Security: justifies importance of infosec in the organization Information Technology Security Responsibilities & Roles: Defines organizational structure References Information Technology standards & guidelines
  • 18. Computer Science CPSC 449/Fall 2005 Security Information Management 18 Sample EISP Protection Of Information: Information must be protected in a manner commensurate with its sensitivity, value, & criticality Use Of Information: Company X information must be used only for business purposes expressly authorized by management Information Handling, Access, & Usage: Information is a vital asset & all accesses to, uses of, & processing of Company X information must be consistent with policies & standards
  • 19. Computer Science CPSC 449/Fall 2005 Security Information Management 19 Data & Program Damage Disclaimers: Company X disclaims any responsibility for loss or damage to data or software that results from its efforts to protect the confidentiality, integrity, & availability of the information handled by computers & communications systems Legal Conflicts: Company X infosec policies were drafted to meet or exceed the protections found in existing laws & regulations, & any Company X infosec policy believed to be in conflict with existing laws or regulations must be promptly reported to infosec management
  • 20. Computer Science CPSC 449/Fall 2005 Security Information Management 20 Exceptions To Policies: Exceptions to infosec policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a standard risk acceptance form has been prepared by the data owner or management, & where this form has been approved by both InfoSec management & Internal Audit management Policy Non-Enforcement: Management's non- enforcement of any policy requirement does not constitute its consent
  • 21. Computer Science CPSC 449/Fall 2005 Security Information Management 21 Violation Of Law: Company X management must seriously consider prosecution for all known violations of the law Revocation Of Access Privileges: Company X reserves the right to revoke a user’s information technology privileges at any time Industry-Specific InfoSec Standards: Company X information systems must employ industry-specific infosec standards
  • 22. Computer Science CPSC 449/Fall 2005 Security Information Management 22 Use Of infosec Policies & Procedures: All Company X infosec documentation including, but not limited to, policies, standards, & procedures, must be classified as “Internal Use Only,” unless expressly created for external business processes or partners Security Controls Enforceability: All information systems security controls must be enforceable prior to being adopted as a part of standard operating procedure
  • 23. Computer Science CPSC 449/Fall 2005 Security Information Management 23 Thinking about the EISP (10 min):  Information Security Policy Documents  Review and Evaluation  Appropriate Use of Information Technology Resources  Identification of Risks from Third Party Access  Physical Security Area  Personnel Security Screening  Information Security Education and Training
  • 24. Computer Science CPSC 449/Fall 2005 Security Information Management 24 Part I 1. Introduction 2. Policy 3. Enterprise Information Security Policy 4. Issue-Specific Security Policy (ISSP) 5. System-Specific Policy 6. Guidelines for Policy Management 7. Another Approach to Policy Development 8. SP 800-18 Guide for Developing
  • 25. Computer Science CPSC 449/Fall 2005 Security Information Management 25 Issue-Specific Security Policy (ISSP) Provides detailed, targeted guidance to instruct organization in secure use of tech systems Begins with intro to fundamental technological philosophy of organization Serves to protect employee & organization from inefficiency/ambiguity Documents how technology-based system is controlled Identifies Processes & authorities that provide this control Serves to indemnify organization against liability for inappropriate or illegal system use
  • 26. Computer Science CPSC 449/Fall 2005 Security Information Management 26 ISSP should Address specific technology-based systems Require frequent updates Contain an issue statement on the organization’s position on an issue
  • 27. Computer Science CPSC 449/Fall 2005 Security Information Management 27 ISSP topics could include email use of Internet & World Wide Web specific minimum configurations of computers to defend against malware prohibitions against hacking or testing organization security controls home use of company-owned computer equipment use of personal equipment on company networks use of telecommunications technologies use of photocopy equipment
  • 28. Computer Science CPSC 449/Fall 2005 Security Information Management 28 Components of the ISSP Statement of Purpose:  Scope & Applicability  Definition of Technology Addressed  Responsibilities Authorized Access & Usage of Equipment:  User Access  Fair & Responsible Use  Protection of Privacy more ...
  • 29. Computer Science CPSC 449/Fall 2005 Security Information Management 29 Prohibited Usage of Equipment:  Disruptive Use or Misuse  Criminal Use  Offensive or Harassing Materials  Copyrighted, Licensed, or other Intellectual Property  Other Restrictions Systems Management:  Management of Stored Materials  Employer Monitoring  Virus Protection  Physical Security  Encryption more ...
  • 30. Computer Science CPSC 449/Fall 2005 Security Information Management 30 Violations of Policy:  Procedures for Reporting Violations  Penalties for Violations Policy Review & Modification:  Scheduled Review of Policy & Procedures for Modification Limitations of Liability:  Statements of Liability or Disclaimers
  • 31. Computer Science CPSC 449/Fall 2005 Security Information Management 31 Common approaches to implementing ISSP Number of independent ISSP documents Single comprehensive ISSP document Modular ISSP document that unifies policy creation & administration Recommended approach is modular policy, which provides a balance between issue orientation & policy management
  • 32. Computer Science CPSC 449/Fall 2005 Security Information Management 32 Discussion (10 min)  Guidelines on anti-virus process  Email-policy  Password  Third party connection agreement  Acceptable use policy
  • 33. Computer Science CPSC 449/Fall 2005 Security Information Management 33 Part I 1. Introduction 2. Policy 3. Enterprise Information Security Policy 4. Issue-Specific Security Policy (ISSP) 5. System-Specific Policy 6. Guidelines for Policy Management 7. Another Approach to Policy Development 8. SP 800-18 Guide for Developing
  • 34. Computer Science CPSC 449/Fall 2005 Security Information Management 34 Systems-Specific Policies (SysSPs) They may often be created to function as standards or procedures to be used when configuring or maintaining systems SysSPs can be separated into:  Management guidance  Technical specifications  Combined in a single policy document
  • 35. Computer Science CPSC 449/Fall 2005 Security Information Management 35 Created by management to guide the implementation & configuration of technology Applies to any technology that affects the confidentiality, integrity or availability of information Informs technologists of management intent Management Guidance SysSPs
  • 36. Computer Science CPSC 449/Fall 2005 Security Information Management 36 Technical Specifications SysSPs System administrators’ directions on implementing managerial policy Each type of equipment has its own type of policies Two general methods of implementing such technical controls: 1. Access control lists 2. Configuration rules
  • 37. Computer Science CPSC 449/Fall 2005 Security Information Management 37
  • 38. Computer Science CPSC 449/Fall 2005 Security Information Management 38 Access Control Lists ACLs enable administrations to restrict access according to user, computer, time, duration, or even a particular file more ...
  • 39. Computer Science CPSC 449/Fall 2005 Security Information Management 39 Include user access lists, matrices, & capability tables that govern rights & privileges Can control access to file storage systems, object brokers, or other network communications devices Capability Table: similar method that specifies which subjects & objects users or groups can access Specifications are frequently complex matrices, rather than simple lists or tables Level of detail & specificity (often called granularity) may vary from system to system
  • 40. Computer Science CPSC 449/Fall 2005 Security Information Management 40 ACLs regulate Who can use the system What authorized users can access When authorized users can access the system Where authorized users can access the system from How authorized users can access the system Restricting what users can access, e.g. printers, files, communications, & applications
  • 41. Computer Science CPSC 449/Fall 2005 Security Information Management 41 ACL Administrators set user privileges  Read  Write  Create  Modify  Delete  Compare  Copy
  • 42. Computer Science CPSC 449/Fall 2005 Security Information Management 42 Configuration rules are specific configuration codes entered into security systems to guide execution of system when information is passing through it Rule policies are more specific to system operation than ACLs & may or may not deal with users directly Many security systems require specific configuration scripts telling systems what actions to perform on each set of information processed
  • 43. Computer Science CPSC 449/Fall 2005 Security Information Management 43
  • 44. Computer Science CPSC 449/Fall 2005 Security Information Management 44
  • 45. Computer Science CPSC 449/Fall 2005 Security Information Management 45
  • 46. Computer Science CPSC 449/Fall 2005 Security Information Management 46 Combination SysSPs Often organizations create a single document combining elements of both Management Guidance & Technical Specifications SysSPs While this can be confusing, it is very practical Care should be taken to articulate required actions carefully as procedures are presented
  • 47. Computer Science CPSC 449/Fall 2005 Security Information Management 47 Part I 1. Introduction 2. Policy 3. Enterprise Information Security Policy 4. Issue-Specific Security Policy (ISSP) 5. System-Specific Policy 6. Guidelines for Policy Management 7. Another Approach to Policy Development 8. SP 800-18 Guide for Developing
  • 48. Computer Science CPSC 449/Fall 2005 Security Information Management 48 Guidelines for Policy Development Often useful to view policy development as a two-part project: 1. Design & develop policy (or redesign & rewrite outdated policy) 2. Establish management processes to perpetuate policy within organization The former is an exercise in project management, while the latter requires adherence to good business practices
  • 49. Computer Science CPSC 449/Fall 2005 Security Information Management 49 Policy development or re-development projects should be well planned, properly funded, & aggressively managed to ensure completion on time & within budget When a policy development project is undertaken, the project can be guided by the SecSDLC process
  • 50. Computer Science CPSC 449/Fall 2005 Security Information Management 50 1. Investigation Phase The policy development team should:  Obtain support from senior management, & active involvement of IT management, specifically CIO  Clearly articulate goals of policy project  Gain participation of correct individuals affected by recommended policies  more ...
  • 51. Computer Science CPSC 449/Fall 2005 Security Information Management 51  Be composed from Legal, Human Resources & end-users  Assign project champion with sufficient stature & prestige  Acquire a capable project manager  Develop detailed outline of & sound estimates for, the cost & scheduling of the project
  • 52. Computer Science CPSC 449/Fall 2005 Security Information Management 52 2. Analysis Phase Should include the following activities: New or recent risk assessment or IT audit documenting the current infosec needs of the organization Key reference materials, including any existing policies
  • 53. Computer Science CPSC 449/Fall 2005 Security Information Management 53 3 & 4. Design phase Should include:  How policies will be distributed  How verification of distribution will be accomplished  Specifications for any automated tools  Revisions to feasibility analysis reports based on improved costs & benefits as design is clarified
  • 54. Computer Science CPSC 449/Fall 2005 Security Information Management 54 5. Implementation Phase Write the policies! Make certain policies are enforceable as written Policy distribution is not always as straightforward Effective policy:  Is written at a reasonable reading level  Attempts to minimize technical jargon & management terminology
  • 55. Computer Science CPSC 449/Fall 2005 Security Information Management 55 One way to measure readability
  • 56. Computer Science CPSC 449/Fall 2005 Security Information Management 56 6. Maintenance Phase Maintain & modify policy as needed to ensure that it remains effective as a tool to meet changing threats Policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously Periodic review should be built into the process
  • 57. Computer Science CPSC 449/Fall 2005 Security Information Management 57
  • 58. Computer Science CPSC 449/Fall 2005 Security Information Management 58 Part I 1. Introduction 2. Policy 3. Enterprise Information Security Policy 4. Issue-Specific Security Policy (ISSP) 5. System-Specific Policy 6. Guidelines for Policy Management 7. Another Approach to Policy Development 8. SP 800-18 Guide for Developing
  • 59. Computer Science CPSC 449/Fall 2005 Security Information Management 59 The InfoSec Policy Made Easy Approach (ISPME) Gathering Key Reference Materials Defining A Framework For Policies Preparing A Coverage Matrix Making Critical Systems Design Decisions Structuring Review, Approval, & Enforcement Processes
  • 60. Computer Science CPSC 449/Fall 2005 Security Information Management 60
  • 61. Computer Science CPSC 449/Fall 2005 Security Information Management 61 ISPME Checklist Perform risk assessment or information technology audit to determine your org’s unique infosec needs Clarify what “policy” means within your org so that you are not preparing a “standard,” “procedure,” or some other related material Ensure that roles & responsibilities related to infosec are clarified, including responsibility for issuing & maintaining policies more ...
  • 62. Computer Science CPSC 449/Fall 2005 Security Information Management 62 Convince management that it is advisable to have documented infosec policies Identify top management staff who will be approving final infosec document & all influential reviewers Collect & read all existing internal infosec awareness material & make a list of the included bottom-line messages Conduct a brief internal survey to gather ideas that stakeholders believe should be included in a new or updated infosec policy more ...
  • 63. Computer Science CPSC 449/Fall 2005 Security Information Management 63 Examine other policies issued by your organization, such as those from HR management, to identify prevailing format, style, tone, length, & cross-references Identify audience to receive infosec policy materials & determine whether they will each get a separate document or a separate page on an intranet site Determine extent to which audience is literate, computer knowledgeable, & receptive to security messages more ...
  • 64. Computer Science CPSC 449/Fall 2005 Security Information Management 64 Decide whether some other awareness efforts must take place before infosec policies are issued Using ideas from the risk assessment, prepare a list of absolutely essential policy messages that must be communicated If there is more than one audience, match the audiences with the bottom-line messages to be communicated through a coverage matrix. more ...
  • 65. Computer Science CPSC 449/Fall 2005 Security Information Management 65 Determine how the policy material will be disseminated, noting the constraints & implications of each medium of communication Review compliance checking, disciplinary, & enforcement processes to ensure they all can work smoothly with new policy document Determine whether number of messages is too large to be handled all at one time, & if so, identify different categories of material that will be issued at different times more ...
  • 66. Computer Science CPSC 449/Fall 2005 Security Information Management 66 Have an outline of topics to be included in the first document reviewed by several stakeholders Based on comments from stakeholders, revise initial outline & prepare a first draft Have first draft document reviewed by stakeholders for initial reactions, presentation suggestions, & implementation ideas Revise draft in response to comments from stakeholders more ...
  • 67. Computer Science CPSC 449/Fall 2005 Security Information Management 67 Request top management approval on policy Prepare extracts of policy document for selected purposes Develop awareness plan that uses policy document as a source of ideas & requirements Create working papers memo indicating disposition of all comments received from reviewers, even if no changes were made more ...
  • 68. Computer Science CPSC 449/Fall 2005 Security Information Management 68 Write memo about project, what you learned, & what needs to be fixed so that next version of policy document can be prepared more efficiently, better received by readers, & more responsive to unique circumstances facing your organization Prepare list of next steps that will be required to implement requirements specified in policy document
  • 69. Computer Science CPSC 449/Fall 2005 Security Information Management 69 ISPME Next Steps Post Polices To Intranet Or Equivalent Develop A Self-Assessment Questionnaire Develop Revised User ID Issuance Form Develop Agreement To Comply With InfoSec Policies Form Develop Tests To Determine If Workers Understand Policies Assign InfoSec Coordinators Train InfoSec Coordinators more ...
  • 70. Computer Science CPSC 449/Fall 2005 Security Information Management 70 Prepare & Deliver A Basic InfoSec Training Course Develop Application Specific InfoSec Policies Develop A Conceptual Hierarchy Of InfoSec Requirements Assign Information Ownership & Custodianship Establish An infosec Management Committee Develop An infosec Architecture Document
  • 71. Computer Science CPSC 449/Fall 2005 Security Information Management 71 A Final Note on Policy Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy Policies exist first & foremost to inform employees of what is & is not acceptable behaviour in the organization Policy seeks to improve employee productivity, & prevent potentially embarrassing situations
  • 72. Computer Science CPSC 449/Fall 2005 Security Information Management 72 Summary Why Policy? Enterprise InfoSec Policy Issue-Specific Security Policy System-Specific Policy Guidelines for Policy Development
  • 73. Computer Science CPSC 449/Fall 2005 Security Information Management 73 Part II 1. Introduction 2. Security Standard Criteria and Product Security Evaluation Process 3. Computer Products Evaluation Standards 4. Major Evaluation Criteria
  • 74. Computer Science CPSC 449/Fall 2005 Security Information Management 74 1 Introduction Security Evaluation Process Security Standards and Criteria  The Orange Book  U.S. Federal Criteria  Information Technology Security Evaluation Criteria (ITSEC)  The Trusted Network Interpretation (TNI): The Red Book  Common Criteria (CC)
  • 75. Computer Science CPSC 449/Fall 2005 Security Information Management 75 2 Security Standards, Criteria and Evaluation Process Purpose Criteria Process Structure Outcome/benefit
  • 76. Computer Science CPSC 449/Fall 2005 Security Information Management 76 2.1 Purpose of Evaluation Certification Accreditation Evaluation Potential market benefit
  • 77. Computer Science CPSC 449/Fall 2005 Security Information Management 77 2.2 Criteria Defines several degrees of rigor acceptable at each testing level of security Defines the formal requirements the product need to meet at each Assurance level Assurance levels are based on Trusted Computer System Evaluation (TCSEC)
  • 78. Computer Science CPSC 449/Fall 2005 Security Information Management 78 2.3 Process of Evaluation Two evaluation directions:  Product-oriented  Process-oriented 6-steps  Proposal review  Technical assessment  Advice  Intensive preliminary technical review  Evaluation  Rating maintenance phase
  • 79. Computer Science CPSC 449/Fall 2005 Security Information Management 79 2.4 Structure of Evaluation Functionality – what and how much the product can do Effectiveness – whether the product meets the effectiveness threshold Assurance – give buyer assurance and guarantee
  • 80. Computer Science CPSC 449/Fall 2005 Security Information Management 80 2.5 Outcome/Benefits A great product  For evaluator, cut down the evaluation cost without cutting the value of evaluation  For buyer, result in good product to enhance the security Evaluation of a computer product can be done using either a standard or a criteria
  • 81. Computer Science CPSC 449/Fall 2005 Security Information Management 81 3 Computer Products Evaluation Standards American National Standards Institute (ANSI) British Standards Institute (BSI) Institute of Electrical and Electronic Engineers Standards Association (IEEE-SA) International Information System Security Certification Consortium (ISC)2 International Organization for Standardization (ISO) National Institute of Standards and Technology (NIST) National Security Agency (NSA) International Architecture Board (IAB) Organization for the Advancement of Structured Information Standards (OASIS) Underwriters Laboratories Worldwide Web Consortium (W3C)
  • 82. Computer Science CPSC 449/Fall 2005 Security Information Management 82 4 Major Evaluation Criteria The Orange Book U.S. Federal Criteria Information Technology Security Evaluation Criteria (ITSEC) The Trusted Network Interpretation (TNI): The Red Book Common Criteria (CC)
  • 83. Computer Science CPSC 449/Fall 2005 Security Information Management 83 The Orange Book Three Objectives  A yardstick for user  Guidance for manufacturer  Basis for security requirements Two requirements  Specific security feature requirements  Assurance requirements
  • 84. Computer Science CPSC 449/Fall 2005 Security Information Management 84 The Orange Book Four Assurance Levels  Class D – Minimal Protection  Class C  C1: Discretionary Security Protection (DSP)  C2: Controlled Access Protection (CAP)  Class B  B1: Labeled Security Protection  B2: Structured Protection  B3: Security Domain  Class A1: Verified Protection
  • 85. Computer Science CPSC 449/Fall 2005 Security Information Management 85 Questions Does evaluation mean security? One advantage of process-oriented security evaluation is that it is cheap. Find other reasons why it is popular. Why, despite its popularity, is it reliable? Why is the product rated as B2/B3/A1 better than that rated C2/B1, or is it? How do I know if a product is evaluated? How do I get my product evaluated?