Policy, Regulation, and Ethics
Policy: Systems and procedures must meet policy requirements.
Regulation: Organizations must comply with the requirements of the laws to which they are subject.
Ethics: Organizations may choose to generate desired ethical behavior.
How Are Security, Regulation, and Ethics Related?
All three complement each other. A minimum is defined by regulatory requirements. Policies help ensure that these requirements are met and, in fact, that more is done where it is deemed appropriate and cost effective.
Promotion of ethical behavior is likely to generate desired behavior, aligned with meeting regulatory requirements and honoring policies.
An environment where ethical behavior is stressed could foster a sense of duty. People may tend to do the right thing, beyond the law and policies.
Organization and Accountability
Organization structure should ideally represent accountability consistent with roles of personnel.
Accountability for information security is typically assigned to an information security director, who may report to the CEO, the CIO, or another top-level executive.
This role must be managed in a multidisciplinary context because issues of information security are multidisciplinary.
Security Policies
Policy: A high-level document independent of all functions, roles, powers, and personalities.
Security policy: A formal statement of the rules by which people who are given access to the organization’s technology and information assets must abide.
Standards: Tend to enforce tried and tested practices.
Procedures: Describe, where necessary, specific ways of securing information assets.
Guidelines: Provide examples and interpretation of the policy and related standards to facilitate policy implementation.
Purposes of a Security Policy
Informs users, staff, and managers of their obligations concerning protection of information technology and assets.
Provides a baseline against which compliance with the policy can be assured.
Provides a basis for determining what security tools to use to adequately protect information assets.
Characteristics of a Policy
Tenure: Generally, a policy should have a long tenure, during which it may not change much.
Requisite variety: Each policy must have requisite variety. All anticipated requirements to provide control must be addressed in a policy.
Feasibility: Policies must go through the test of feasibility.
Understandability: A policy must be written so that it is easy to understand.
Balance: A policy must balance the need for security with the functionality and usability of information systems.
Content Areas of an Information Security Policy
Purpose: Narrates why this policy is written and how it will benefit the organization.
Scope: Clarifies to whom the policy applies.
Policy: The core of the policy, the statement(s) that describe the policy.
Definitions: If the policy includes certain terms, these are defined in this area. This allows for a very specific interpretation of the policy, irrespective of how these terms are used in the profession.
Responsibilities: Identifies who is responsible for enforcement of the policy. If more than one party is responsible, a clear identification of each party’s responsibility with respect to policy enforcement should be included.
Administration and interpretations: Identifies who is responsible for answering questions regarding this policy, for maintaining records of policy issues and how they were resolved, and for documenting violations of the policy and their resolution.
Amendments/termination of the policy: States that (1) the organization reserves the right to modify, amend, or terminate the policy at any time and (2) the policy does not constitute a contract between the organization and its employees.
References to applicable policies and standards: Lists policies related to this policy.
Exceptions: Identifies how to request an exception to the policy, what information the request should provide, and to whom it should be addressed. Typically, all exception requests are handled in accordance with an information security exception policy.
Violations/enforcement: Specifies where to report any known violations of the policy, and what consequences could result from such violations. For example, consequences may include immediate suspension of user privileges, disciplinary action, or reporting the case to appropriate law enforcement agencies.
Classification of Policies
Various alternative classifications are possible. Information security policies may be categorized:
• Using components of an information system.
• In terms of physical security and logical security.
• As system specific or issue specific.
Policy Development Process
The process must mirror risk management processes:
1. Identify critical information systems processes and assets.
2. Understand what risks each information asset faces.
3. Identify the asset’s vulnerabilities and anticipate the types of threat the asset might be subject to.
4. Identify control and security measures to protect the information asset.
5. Develop a policy that provides cost-effective protection measures.
6. Periodically review the policy in light of changes in the organization and its environment.
Regulatory Requirements
Regulations exist in the area of information assets protection, and must be met.
Such regulations typically define the threshold needs for protecting information assets.
Compliance with such requirements provides assurance that the entity is meeting the needs for protection of information assets at the levels required by law.
At the same time, compliance helps the entity protect its information assets and prosecute those who compromise their security.
Regulatory Requirements and Security Objectives
Security objectives: information assets protection, authentication, integrity of logic, integrity of communication, confidentiality and privacy, system availability, computer crimes.
Objectives, vulnerabilities, and regulation (for each security objective: selected vulnerabilities, then illustrative regulatory requirements):
Information assets protection
  Vulnerabilities: theft; software piracy
  Regulation: Computer Software Copyright Act of 1980; Digital Millennium Copyright Act (1998)
Authentication
  Vulnerabilities: impersonation; spoofing; session hijacking; man-in-the-middle attack
  Regulation: electronic signature legislation; digital signature laws
Integrity of logic (programs)
  Vulnerabilities: malicious code; buffer overflow
  Regulation: Uniform Commercial Code
Integrity of communication
  Vulnerabilities: website defacement; active wiretap; falsification of message
  Regulation: The Electronic Communications Privacy Act of 1986
Confidentiality and privacy
  Vulnerabilities: eavesdropping; passive wiretap
  Regulation: Right to Financial Privacy Act of 1978; The Gramm-Leach-Bliley Act (1999); Children’s Online Privacy Protection Act [COPPA] (1998); Health Insurance Portability and Accountability Act [HIPAA] (1996)
System availability
  Vulnerabilities: connection flooding; denial of service (DoS) attack; distributed denial of service
  Regulation: Computer Fraud and Abuse Act (1984, 1986, 1996)
Ethical Behaviour in Organizations
Ethics: The principles of conduct individuals and groups use in making and implementing choices.
Principles of moral conduct are the foundation for ethical behavior.
Ethical behavior may have implications for information security.
Business Ethics
An organization is a group of individuals with shared values and goals.
Business as an organization should deserve its place within society. Organizational legitimacy is a result of the degree of congruence between the social values associated with or implied by the firm’s activities and the norms of acceptable behavior in the larger social system to which they belong.
Individuals as employees should ask questions concerning consequences of an action, serving others’ rights, consistency of decisions with basic values, and feasibility of their actions in the world as it is.
Developing Information Management Policies
Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement.
ePolicies typically include:
• Ethical computer use policy
• Information privacy policy
• Acceptable use policy
• E-mail privacy policy
• Internet use policy
• Anti-spam policy
ETHICAL COMPUTER USE POLICY
Ethical computer use policy: contains general principles to guide computer user behavior.
The ethical computer use policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules.
INFORMATION PRIVACY POLICY
The unethical use of information typically occurs “unintentionally” when it is used for new purposes. For example, social insurance numbers started as a way to identify government retirement benefits and are now used as a sort of universal personal ID.
Information privacy policy: contains general principles regarding information privacy.
Information privacy policy guidelines:
1. Adoption and implementation of a privacy policy
2. Notice and disclosure
3. Choice and consent
4. Information security
5. Information quality and access
ACCEPTABLE USE POLICY
Acceptable use policy (AUP): a policy that a user must agree to follow in order to be provided access to a network or to the Internet.
An AUP usually contains a nonrepudiation clause.
Nonrepudiation: a contractual stipulation to ensure that e-business participants do not deny (repudiate) their online actions.
E-MAIL PRIVACY POLICY
Organizations can mitigate the risks of e-mail and instant messaging communication tools by implementing and adhering to an e-mail privacy policy.
E-mail privacy policy: details the extent to which e-mail messages may be read by others.
INTERNET USE POLICY
Internet use policy: contains general principles to guide the proper use of the Internet.
MONITORING TECHNOLOGIES
Monitoring: tracking people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed.
Monitoring technologies include:
• Key logger or key trapper software
• Hardware key logger
• Cookie
• Adware
• Spyware
• Web log
• Clickstream
EMPLOYEE MONITORING POLICIES
Employee monitoring policies: explicitly state how, when, and where the company monitors its employees.
Assurance Considerations
Policy development, implementation, and enforcement:
• Is the policy current? Is it enforced?
• Are violations and exceptions to the policy tracked and reported? Who acts on such violations? Are such actions proper?
• Overall, is the policy effective?
Compliance with regulations:
• Is an integrated approach used, where legal, technological, and operational aspects are considered together? Or is the compliance a patchwork?
• Who is responsible for compliance? Are the compliance solutions documented?
• Are changes in the regulatory requirements monitored? Is the whistle-blower system effective?
Ethical behavior:
• Does the organization have a code of conduct?
• What structure is in place to nurture ethical behavior in the organization?
• Who is accountable for promoting organization-wide ethical conduct?
• What programs are in place to achieve the objective? Are they effective?
Where are most of the continuity challenges?
CONTINUITY ISSUES
• Catastrophic interruptions
• Minor interruptions
• Everyday blips
• Process dysfunctions
BCARE SOLUTIONS
• Continuity
• Availability
• Reliability
• Engineering
Physical Access Security
• Establishing Perimeters
• Implementing and Maintaining a System, Equipment, Procedures
• Defensive Depth, Universal Application
• Monitoring / Detection / Response
• Common Intrusion Techniques
What is a Perimeter?
Controlled border:
• External: Public / First Level. May be outside of the building.
• Second: Building Access. May include elevators and stairways.
• Multiple interior: authorization related to function-based “need to know”.
Systems, Equipment, Procedures
System components: hardware, software, devices, data, personnel (operators and staff)
Equipment: readers, tokens, cameras and video recorders, screen monitors, barriers (turnstiles, man-traps)
Procedures: operator, equipment maintenance, log review, token issuance, authorization maintenance. System upgrading. Guards.
Defensive Depth
• Multiple barriers to breach: make an intruder work harder
• Multiple levels, multiple techniques
• Multiple levels of monitoring and detection
• Introduce random supplemental checks
Universal Application
• Every time
• Every person
• Every control point
• Weekdays, nights, and weekends
• Especially no “official piggybacking”
Why: keeps the “bright line” between authorized and unauthorized.
Monitoring/Detection/Response
Monitoring: what conditions, when.
Detection: manual, automatic, alarms; who is notified?
Response:
√ Who, what, when
√ How contacted
√ Logistics and SLA
Failure in any area “breaks the chain” of response.
Common Intrusion Techniques
• “Piggy-backing”
• Poor housekeeping of access privileges: terminated employees, transferred employees
• “I have a delivery for Mr./Ms. X.”
• Concealment within interior protected areas
• Exploitation of known system flaws
WHAT YOU ALREADY KNOW
Good Things:
• Card readers and physical access control systems
• Cameras
• Locked doors
Bad Things:
• Piggybacking
• Easy-to-guess passwords
• Asleep at the console
No need to hear that again.
WHAT YOU MAY NOT KNOW...
• Facilities & Security co-dependencies
• How they affect the enterprise risk picture
• How formal risk assessment techniques developed for other industries are emerging as tools to reduce critical facilities risks
• How all this relates to BCP/DR
…UNTIL NOW
SO WHAT? WHO CARES?
Poor Facilities/Security/IT/BCP coordination = wasted resources, a risk picture not fully understood, and risks not fully addressed.
Copyright 2004 Strategic Facilities Inc. All rights reserved
CEOs, CFOs, CIOs, CHAIRMEN AND DIRECTORS CARE ABOUT THESE THINGS...
...AND SO DO REGULATORS
SECURITY & FACILITIES
SECURITY NEEDS FACILITIES
• Surveillance & access control need power
• Cameras need light
• Guard force needs a decent environment, just like everyone else
FACILITIES NEEDS SECURITY
• Extra eyes and ears for building problems
• Help screen visiting technicians
• Reduce tampering with building systems
RELIABILITY
• What is the probability that a system will operate correctly?
• Over what mission time?
• Severity of failure is part of the risk conversation, not the reliability conversation
• Duration of failure is also a separate variable
• Duration is also part of the risk conversation and also NOT part of the reliability conversation
MORE RELIABILITY
• Can be expressed as Mean Time To Failure (MTTF)
• MTTF is OK, but lacks mission time context
• Probability of success over mission time does a better job of depicting the situation
• Probability of failure = 1 - (Probability of success)
• Duration of failure is known as Mean Time To Restore, or MTTR
• Probability of success or failure of an individual system does not depend on MTTR
AVAILABILITY
• Different concept entirely
• Comparison of MTTF & MTTR
• Mathematically: MTTF / (MTTF + MTTR)
• Grossly misused throughout industry in the form of “nines”; usually, MTTF >> MTTR
• Misuse due to two-dimensional nature
• Does not mean that MTTR and Availability do not matter
AVAILABILITY - IT DEPENDS
RELIABILITY VS. AVAILABILITY
System “A”: 1 failure at the end of year 9; down the entire year 10.
  Reliability: MTTF = 9 yrs; only 1 sample.
  Availability: 90 %.
  More reliable (?), less available. Less certain.
System “B”: 4 failures, avg. 1 per 2.5 yrs; down 5 min each time.
  Reliability: MTTF = 2.5 yrs, 4 samples.
  Availability: 99.996 %.
  More available, less reliable. More certain.
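The System “A” / System “B” comparison above, worked through in Python as an added example (not from the original slides): it estimates MTTF from the observed failures, applies the slide’s formula MTTF / (MTTF + MTTR), and adds a mission-time probability of success under a constant-failure-rate model, which is an assumption the slides do not make, as are the helper names, the 365-day year, and the 10-year window for System B. With the slide’s inputs the formula gives about 99.9996 % for System B, slightly above the 99.996 % printed, and the last helper shows why a bare “nines” figure hides the MTTF/MTTR split.

```python
"""Reliability vs. availability for the deck's System "A" and System "B".

Added example, not from the original slides. Assumptions: times are in
years with a 365-day year; System B's four failures are spread over the
same 10-year window as System A; and the probability of success over a
mission time uses a constant failure rate (exponential model), which the
slides do not specify.
"""
import math

MIN_PER_YEAR = 365 * 24 * 60  # assumption: 365-day year, no leap days


def mttf_from_failures(observed_years, failures):
    """Mean Time To Failure estimated as operating time per observed failure."""
    if failures <= 0:
        raise ValueError("MTTF needs at least one observed failure")
    return observed_years / failures


def availability(mttf, mttr):
    """Steady-state availability, as on the slide: MTTF / (MTTF + MTTR)."""
    return mttf / (mttf + mttr)


def nines(avail):
    """Number of 'nines' implied by an availability: -log10(unavailability)."""
    return -math.log10(1.0 - avail)


def prob_success(mttf, mission_years):
    """Probability of operating correctly for the whole mission, assuming a
    constant failure rate of 1/MTTF (exponential model; an assumption)."""
    return math.exp(-mission_years / mttf)


def prob_failure(mttf, mission_years):
    """Slide: probability of failure = 1 - (probability of success)."""
    return 1.0 - prob_success(mttf, mission_years)


# System "A": one failure at the end of year 9, then down for all of year 10.
A_MTTF = mttf_from_failures(observed_years=9, failures=1)   # 9 yrs, 1 sample
A_MTTR = 1.0                                                 # a whole year

# System "B": four failures, one every 2.5 years on average, 5 minutes each.
B_MTTF = mttf_from_failures(observed_years=10, failures=4)  # 2.5 yrs, 4 samples
B_MTTR = 5 / MIN_PER_YEAR                                    # 5 minutes, in years


def compare(mission_years=1.0):
    """Reliability and availability figures for both systems, keyed by name."""
    out = {}
    for name, mttf, mttr in (("A", A_MTTF, A_MTTR), ("B", B_MTTF, B_MTTR)):
        a = availability(mttf, mttr)
        out[name] = {
            "mttf_years": mttf,
            "mttr_years": mttr,
            "availability": a,
            "nines": nines(a),
            "p_success_mission": prob_success(mttf, mission_years),
        }
    return out


def same_nines_different_risk():
    """Why a bare 'nines' figure is misleading: MTTF = 9 yr / MTTR = 1 yr and
    MTTF = 9 days / MTTR = 1 day both give 90 % availability, although one
    fails once a decade and the other once every ten days."""
    return availability(9.0, 1.0), availability(9 / 365, 1 / 365)


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"System {name}: MTTF={row['mttf_years']:.3g} yr, "
              f"MTTR={row['mttr_years']:.3g} yr, "
              f"availability={row['availability']:.4%}, nines={row['nines']:.2f}, "
              f"P(success over 1 yr)={row['p_success_mission']:.3f}")
    print("Same 90 % availability, different failure frequency:",
          same_nines_different_risk())
```

Over a one-year mission System A has the higher probability of success while System B has the higher availability, which is the slide’s “more reliable, less available” point in numbers.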
HOW SYSTEMS FAIL
• Independently, due to internal, local failure
• Due to a “common cause” effect; that is, something that affects the entire system at once
• Natural or man-made disaster, for example; these tend to be high severity, low frequency
• Human error is the most frequent common-cause failure mode; often less severe than disasters
Applies to Facilities, Security, IT, BCP
CASE #1 - WHO CAN GO INTO THE DATA CENTER
Client is a hedge fund; they develop and use proprietary applications to execute trades.
Frequent hacker target; security is tight.
Big battle over who has access to the data center. The Facilities team is responsible for power and cooling in there! Facilities team members are not employees: should they be allowed in?
CASE #1 - WHO CAN GO INTO THE DATA CENTER
Result for Case #1:
Debate spurred client to grow in-house staff and reduce presence of non-employees while expanding the ability to grant and track physical access privileges.
CASE #2 - OPERATOR TRAINING FOR NEW SITE
Client was considering building a new facility specifically designed as a data center.
Limited pool of building engineers to transfer to new facility; mostly air conditioning guys.
Client is late in recognizing problem and planning for commencing operations.
How should the client prepare to operate and how much should they spend to do it?
CASE #2 - OPERATOR TRAINING FOR NEW SITE
Result for Case #2:
Client saw the folly of spending $25 million on a new site and risking outage due to human error; instead implemented a full program of procedure writing and training to reduce errors.
CASE #3 - WHO SEES STATUS INFO ON BUILDING SYSTEMS
Client agreed to lease space in former co-lo site taken over by landlord.
Landlord has never managed critical facilities before.
Power and cooling status info goes to the NOC via HP OpenView and other systems.
NOC personnel are trained only in IT, not Facilities. Analysis finds AVAILABILITY too low. What should the landlord do?
CASE #3 - WHO SEES STATUS INFO ON BUILDING SYSTEMS
Case #3 Results:
Landlord contracted for fast emergency response, added auto-paging capability, and trained NOC staff to relay vital information to qualified responder en route.
RECOMMENDATIONS & CONCLUSIONS
1. When confronting a risk, ask yourself: How often is it likely to occur? How bad will its impact be if it does occur?
2. Then, compare this risk to others you face: Is it likely to occur more or less frequently? Is its likely impact more or less severe than others?
3. Apply this approach consistently across IT, Facilities and Security.
MORE RECOMMENDATIONS & CONCLUSIONS
4. When evaluating a risk reduction measure: What does it require of other sectors? E.g., if it’s a Facilities measure, what do IT and Security need to do to make it work? Who will do those things and how? Same question for Security and IT initiatives.
5. Then, look across sectors... What other exposures are out there? Who should address them?
Payment Card Industry (PCI) Security Standard
Developed by the PCI Security Council formed by major card issuers like Visa, MasterCard and American Express.
Requires agent financial institutions and major merchants (over 6 million transactions annually) to have an annual external audit for compliance.
Failure to comply can lead to a fine of $500,000.
PCI Standards
1. Install and maintain a firewall to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across the Internet.
5. Use regularly updated anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business on a need-to-know basis.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.