Security Policy Development, Data Classification Methods and Workplace Controls
Information Security 365/765, Fall Semester, 2014
Course Instructor, Nicholas Davis
Lecture 4: Security Policy Development, Data Classification Methods, Workplace Controls
Next Time
Security policies
Information classification
Security awareness training
04/10/23 UNIVERSITY OF WISCONSIN 2
Security Policy
An overall general statement, produced by senior management, which dictates the role which security management plays in the organization.
Made up of goals and responsibilities
Shows strategic and tactical value of the policy
Outlines how enforcement should be carried out
Security Policy Components: Business Objectives
Business objectives should drive the policy's creation, implementation and enforcement. The policy should not dictate business objectives.
Security Policy Components: Make It Legible
The document should be written in plain language, so that all employees can easily understand the portions which apply to them, without question.
Security Policy Components: Uniformity
Make certain it fits all business functions and processes.
Security Policy: Legal Conformity
It should support all legislation and regulations which apply to the company: local, national and international.
Security Policy: A Living Document
It should be revisited on a regular basis and updated as necessary, as changes occur within the company.
Make certain that all changes are documented and recorded.
Security Policy: Adaptability
It should be written in such a way as to make it useful for several years at a time, under normal circumstances, and flexible enough to deal with minor changes as they occur.
Security Policy: Language
The tone of the policy must be certain and strong. Avoid using the word "should", as it leaves room for interpretation. Instead, use the words "shall", "will" and "must" throughout the document.
Security Policy: Style
No frills
Professional looking
Consistent presentation
Why is IT Security Policy So Important?
Helps identify the company's valuable assets
Provides authority to the security team and their activities
Provides a reference to review when conflicts pertaining to security arise
States clearly the company's goals and objectives in the area of security
Outlines personal responsibility
Helps prevent unanticipated events from occurring
Defines the scope and boundaries for the security team and its functions
Outlines incident response responsibilities
Outlines the company's response to legal and regulatory requirements
Three Types of Security Policies Exist
Regulatory
Advisory
Informative
Security Policy Types: Regulatory
Ensures that the company is following standards set by specific industry regulations. It is very detailed and specific to a type of industry:
Finance
Healthcare
Government
Security Policy Types: Advisory
Tells employees which types of behaviors and activities shall and shall not take place within the organization.
How to handle:
Medical information
Financial transactions
Confidential information
Outlines ramifications for non-compliance.
Security Policy Types: Informative
Informs employees on generalities of certain topics, but is not enforceable.
It teaches about issues important to the company, such as how the company would like employees to interact with business partners, the company's goal and mission, or the corporate reporting structure.
Security Policy: Due Diligence
Due diligence is the act of investigating and understanding the risks the company faces.
Security Policy: Due Care
A statement which demonstrates that the company has accepted and taken responsibility for activities which take place in the organization.
How Due Diligence and Due Care are Related
Due diligence is the understanding of the threats and risks, while due care is the countermeasures which the company has put in place to address the threats and risks.
Information Classification
In the field of data management, data classification is defined as a tool for categorizing data, which enables an organization to effectively answer the following questions:
What data types are available?
Where are certain data located?
What access levels are implemented?
What protection level is implemented, and does it adhere to compliance regulations?
Data Classification
Commercial enterprise
Military
You are business students, so we will focus on commercial enterprise data classification terminology.
Data Classification: Types
Public
Sensitive
Private
Confidential
Data Classification: Public
Definition: Disclosure is not welcome, but it would not cause an adverse impact or damage to the company or its employees.
Examples:
How many people work at the company
Current job positions posted on the website
Data Classification: Sensitive
Definition: Requires special precautions to ensure the integrity and confidentiality of the data, by preventing unauthorized modification or deletion. Requires higher than normal assurance of accuracy and completeness.
Examples:
Financial information
Details of projects
Profit earnings and forecasts
Data Classification: Private
Definition: Personal information, for use only within the company. Unauthorized disclosure could adversely affect employees, the company, its business partners or customers.
Examples:
Work history
HR information
Medical information
Data Classification: Confidential
Definition: For use within the company only. Exempt from disclosure under the Freedom of Information Act. Unauthorized disclosure could seriously affect a company.
Examples:
Trade secrets
Programming software code
Information that keeps the company competitive
Data Classification: Procedures
1. Define classification levels
2. Specify the criteria by which data will be classified
3. Have the data owner indicate the classification level for their data
4. Identify the data custodian, who will be responsible for maintaining the data and its security level
5. Indicate the controls to be applied at each classification level
Data Classification: Procedures (continued)
6. Document any exceptions in detail
7. Indicate the methods which are used to transfer data custody to a different owner
8. Create a procedure to periodically review the data's classification and ownership
9. Indicate declassification procedures
10. Integrate this knowledge into a security awareness program
If You Choose to Create Your Own Data Classification System
Too many levels will make classification complex and confusing
Too few levels will encourage sloppy data classification
There should be no overlap between classification levels
Classification levels should be developed for both data and the systems housing the data, and they should match
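The ten-step procedure and the design rules for a home-grown scheme can be modelled directly. The following is an added example written for this lecture, not code from the course or the University of Wisconsin: it encodes the four commercial levels as strictly ranked values (the ordering Public < Sensitive < Private < Confidential is an assumption of the example, as are the control names, the review period and the sample records), records the owner and custodian for each data asset, applies a fixed set of controls per level, checks that a system is not classified below the data it houses, and enforces that only the data owner can transfer custody or declassify.

```python
"""Added example (not from the lecture): a small commercial data
classification scheme following the lecture's procedure.  Level ordering,
control names, review period and all sample records are constructed."""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from enum import IntEnum
from typing import Dict, List, Optional, Set


class Level(IntEnum):
    """Step 1: classification levels.  Each has a distinct rank, so no two
    levels overlap (the ordering itself is an assumption of this example)."""
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


# Step 5: controls to be applied at each level (constructed control names).
CONTROLS: Dict[Level, Set[str]] = {
    Level.PUBLIC: {"integrity_review"},
    Level.SENSITIVE: {"integrity_review", "change_approval", "access_logging"},
    Level.PRIVATE: {"integrity_review", "access_logging", "need_to_know",
                    "encryption_at_rest"},
    Level.CONFIDENTIAL: {"integrity_review", "access_logging", "need_to_know",
                         "encryption_at_rest", "nda_required", "dlp_monitoring"},
}


@dataclass
class DataAsset:
    name: str
    owner: str                       # step 3: the owner assigns the level
    custodian: str                   # step 4: the custodian maintains it
    level: Level
    classified_on: date
    exception: Optional[str] = None  # step 6: exceptions documented in detail


@dataclass
class System:
    name: str
    level: Level                     # systems are classified like their data
    hosted: List[DataAsset] = field(default_factory=list)


def validate_scheme(levels) -> None:
    """Rules for a home-grown scheme: no overlapping ranks, and neither so
    many levels that classification is confusing nor so few that it gets
    sloppy (3 to 5 is this example's assumed range)."""
    ranks = [int(lvl) for lvl in levels]
    if len(ranks) != len(set(ranks)):
        raise ValueError("classification levels overlap")
    if not 3 <= len(ranks) <= 5:
        raise ValueError("too few or too many classification levels")


def required_controls(asset: DataAsset) -> Set[str]:
    """Every control of the asset's level applies (step 5)."""
    return set(CONTROLS[asset.level])


def system_mismatches(system: System) -> List[str]:
    """Data classified above the system that houses it is a mismatch."""
    return [a.name for a in system.hosted if a.level > system.level]


def due_for_review(asset: DataAsset, today: date, period_days: int = 365) -> bool:
    """Step 8: periodic review of classification and ownership."""
    return today - asset.classified_on >= timedelta(days=period_days)


def transfer_custody(asset: DataAsset, new_custodian: str, approver: str) -> DataAsset:
    """Step 7: only the data owner may hand custody to a different custodian."""
    if approver != asset.owner:
        raise PermissionError("custody transfer must be approved by the data owner")
    return replace(asset, custodian=new_custodian)


def declassify(asset: DataAsset, new_level: Level, approver: str, today: date) -> DataAsset:
    """Step 9: declassification lowers the level and restarts the review clock."""
    if approver != asset.owner:
        raise PermissionError("declassification must be approved by the data owner")
    if new_level >= asset.level:
        raise ValueError("declassification must lower the level")
    return replace(asset, level=new_level, classified_on=today)


if __name__ == "__main__":
    validate_scheme(Level)
    payroll = DataAsset("payroll_2014", owner="hr_director", custodian="hr_it",
                        level=Level.PRIVATE, classified_on=date(2014, 9, 1))
    jobs = DataAsset("open_positions", owner="hr_director", custodian="web_team",
                     level=Level.PUBLIC, classified_on=date(2014, 9, 1))
    web = System("public_web_server", Level.PUBLIC, [jobs, payroll])
    print("mismatches on", web.name, system_mismatches(web))   # ['payroll_2014']
    print("controls for payroll:", sorted(required_controls(payroll)))
    print("payroll due for review:", due_for_review(payroll, date(2015, 9, 15)))
```

The mismatch check is where the last design rule bites: a Private data set placed on a Public web server is flagged, which is exactly the situation the lecture's "they should match" rule is meant to prevent.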
Hiring Practices
Job skill screening
Reference check
Non-disclosure agreement (NDA) signed
Education verification
Criminal background check
Credit report check
Sex offender check
Drug screening
Professional license check
Immigration status check
Social Security Number trace to ensure validity
Employee Controls: Rotation of Duties
No one person should stay in one position for an uninterrupted period of time, as this may enable them to have too much control over a segment of business.
Mandatory vacation policy
Employee Controls: Separation of Duties
Split knowledge system: No single employee has the knowledge to do a task by themselves
Example
Dual control: No single employee has the physical ability to do a task by themselves
Example
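The two forms of separation of duties can be shown as working mechanisms. The following is an added example written for this lecture, not code from the course: split knowledge is implemented by splitting a key into XOR shares so that no single holder knows it (every share short of the full set is uniformly random), and dual control by an action object that refuses to proceed until two distinct authorized people have each approved it. The key ceremony at the end combines both. The custodian names, the authorized set and the sample key are constructed.

```python
"""Added example (not from the lecture): split knowledge and dual control
as enforceable mechanisms.  Names, roles and the sample key are constructed."""
import secrets
from typing import List, Set


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, holders: int) -> List[bytes]:
    """Split knowledge: `holders` shares that XOR back to `key`.
    All but the last share are uniformly random and the last is the key
    XORed with them, so any set of shares short of the full set carries no
    information about the key: no single holder knows it."""
    if holders < 2:
        raise ValueError("split knowledge needs at least two holders")
    shares = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last = key
    for share in shares:
        last = _xor(last, share)
    return shares + [last]


def reconstruct_key(shares: List[bytes]) -> bytes:
    """Combine every share; only the complete set yields the real key."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = _xor(key, share)
    return key


class DualControlAction:
    """Dual control: the action proceeds only after `required` distinct,
    authorized people have each approved it."""

    def __init__(self, name: str, authorized: Set[str], required: int = 2):
        self.name = name
        self.authorized = set(authorized)
        self.required = required
        self.approvals: Set[str] = set()

    def approve(self, person: str) -> bool:
        if person not in self.authorized:
            raise PermissionError(f"{person} may not approve {self.name}")
        self.approvals.add(person)   # a set, so one person cannot count twice
        return self.ready()

    def ready(self) -> bool:
        return len(self.approvals) >= self.required


def perform_key_ceremony(action: DualControlAction, presented: List[bytes],
                         expected_holders: int) -> bytes:
    """Both controls together: the approvals must be in place and every
    share must be presented before the key is assembled."""
    if not action.ready():
        raise PermissionError(f"{action.name}: dual control not satisfied")
    if len(presented) != expected_holders:
        raise PermissionError(f"{action.name}: {len(presented)} of "
                              f"{expected_holders} shares presented")
    return reconstruct_key(presented)


if __name__ == "__main__":
    master = secrets.token_bytes(16)                 # constructed sample key
    alice_share, bob_share = split_key(master, 2)    # two custodians
    load = DualControlAction("load master key", {"alice", "bob", "carol"})
    load.approve("alice")
    load.approve("bob")
    assert perform_key_ceremony(load, [alice_share, bob_share], 2) == master
    print("ceremony completed: two custodians approved, both shares presented")
```

Note that the two controls are independent: a custodian who somehow obtained the other share would still be stopped by the missing second approval, and two approvers who are not both share holders cannot assemble the key.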
Termination Practices
Each company needs a set of pre-defined termination procedures.
Example:
Once terminated, the employee must be escorted out of the facility by their manager
Employee must immediately surrender keys, employee badge, etc.
Employee must be asked to complete an exit interview and return company property
The terminated employee's online accounts must be disabled immediately upon termination
Beware of Disgruntled Former Employees
Security Awareness Training Program
One for senior management
One for staff
One for technical employees
Responsibilities
Liabilities
Expectations
Security Awareness: Senior Management
Focus on: corporate assets, and the financial gains and losses which can occur due to information security incidents. They are the leaders, so they must demonstrate the proper mindset to the rest of the company.
Security Awareness: Mid-Management
Focus on: policies, standards and guidelines and how they map to individual departments; responsibility for ensuring their employees' adherence to the security policies; and how the managers will be held accountable for enforcement.
Security Awareness: Employees
Focus on: the operational aspects of information security, proper system usage, how to recognize a security issue, and how to properly handle and report a suspected information security incident.
Next Class: Access Control