SECURITY MANAGEMENT - comp.utm.my · SECURITY MANAGEMENT CHAPTER 4 SECURITY POLICY Each problem that I solved became a rule which served afterwards to solve other problems – René

SECURITY MANAGEMENT

CHAPTER 4

SECURITY POLICY

Each problem that I solved became a rule which served

afterwards to solve other problems – René Descartes

– Define information security policy and understand its central role in a successful information security program

– Describe the three major types of information security policy and explain what goes into each type

– Develop, implement, and maintain various types of information security policies

Objectives Chapter 4

Management of Information Security, 3rd ed.

Information security policies provide

vital support to security professionals

as they strive to reduce the risk profile

of a business and fend off both

internal and external threats.

http://searchsecurity.techtarget.com/definition/security-policy

Introduction

POLICY: “A plan or course of action that influences decisions”

• Policy is the essential foundation of an effective information security program – “The success of an information resources protection program depends on

the policy generated, and on the attitude of management toward securing information on automated systems”

• Policy maker sets the tone and emphasis on the importance of information security


Security Policy PURPOSES

• The basic purposes of policy are it should:

Protect people and information

Set the rules for expected behaviour by users, system administrator, management, and security personnel

Authorize security personnel to monitor, probe, and investigate

Define and authorize the consequences of violation

Define the company consensus baseline stance on security

Help minimize risk

Help track compliance with regulations and legislation

Management of Information Security, 3rd Edition

Security Policy OBJECTIVES

• Policy objectives

a) Reduced risk

b) Compliance with laws and regulations

c) Assurance of operational continuity, information integrity, and confidentiality

• For policies to be EFFECTIVE they must be properly

disseminated, read, understood, agreed-to, and uniformly enforced

• Policies require CONSTANT modification and maintenance


Why Policy?

• A quality information security program begins and ends with policy

• Policies are the least expensive means of control and often the most difficult to implement

• Basic rules for shaping a policy – Policy should never conflict with law

– Policy must be able to stand up in court if challenged

– Policy must be properly supported and administered


Why Policy? (cont’d.)

Figure 4-1 The bull’s eye model

Source: Course Technology/Cengage Learning


Why Policy? (cont’d.)

• Bulls-eye model layers

– Policies: first layer of defense

– Networks: threats first meet the organization’s network

– Systems: computers and manufacturing systems

– Applications: all applications systems


Why Policy is Important?

• Policies are important reference documents

– For internal audits

– For the resolution of legal disputes about management's due diligence

– Policy documents can act as a clear statement of management's intent

Source: Educause Review Online, 2013

Naïve User

Insufficient Funding

• REFERENCES FOR DEVELOPING SECURITY PLANS SP 800-18 Rev.1 (NIST)

Can freely be downloaded from: http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf


Examples of Information Security Policy

• Bluetooth Device Security Policy – This policy provides for more secure Bluetooth Device operations. It protects the

company from loss of Personally Identifiable Information (PII) and proprietary company data.

• Dial-in Access Policy – Defines appropriate dial-in access and its use by authorized personnel.

• Ethics Policy – Defines the means to establish a culture of openness, trust and integrity in

business practices.

• Acquisition Assessment Policy – Defines responsibilities regarding corporate acquisitions, and defines the

minimum requirements of an acquisition assessment to be completed by the information security group.


• Information Sensitivity Policy – Defines the requirements for classifying and securing the organization's

information in a manner appropriate to its sensitivity level.

• Internal Lab Security Policy – Defines requirements for internal labs to ensure that confidential information and

technologies are not compromised, and that production services and interests of the organization are protected from lab activities.

• Personal Communication Devices and Voicemail Policy – Describes Information Security's requirements for Personal Communication Devices and

Voicemail.

• Risk Assessment Policy – Defines the requirements and provides the authority for the information security team

to identify, assess, and remediate risks to the organization's information infrastructure associated with conducting business.

• Technology Equipment Disposal - Policy SANS Technology Institute White Paper

• Web Application Security Assessment Policy


Other Examples of IS Policy


E.g: Bluetooth

Device Security

Policy

• Types of information security policy 1) Enterprise information security program policy (EISP) 2) Issue-specific information security policies (ISSP)

e-mail privacy or Internet connectivity approach 3) Systems-specific policies (SysSP)

System user - acceptable use of workstations for their actions on the system

• Standards – A more detailed statement of what must be done to comply

with policy

• Practices – Procedures and guidelines explain how employees will comply

with policy


Policies, Standards, & Practices


Figure 4-2 Policies, standards and practices





Let’s Do CLASS ACTIVITY


Open: http://www.sans.org/security-resources/policies

Exercise: Working in a group

Assume that you are a Security Manager:

a) Choose TWO policies from the same Policy Category as listed in the SANS’s web (either general, network , server,

application or old/retired)

b) Discuss what are the differences between the two policies

c) Choose ONE from the two chosen policies and change the policy document to make it such a POLICY you make for your OWN ORGANIZATION


1) Enterprise Information Security Policy (EISP)

• Sets strategic direction, scope, and tone for organization’s security efforts

• Assigns responsibilities for various areas of information security

• Guides development, implementation, and management requirements of information security program



EISP sample 1

EISP Elements

• EISP documents should provide:

– An overview of the corporate philosophy on security

– Information about information security organization and information security roles

• Responsibilities for security that are shared by all members of the organization

• Responsibilities for security that are unique to each role within the organization


Example EISP Components

• Statement of purpose – What the policy is for

• Information technology security elements – Defines information security

• Need for information technology security – Justifies importance of information security in the

organization

• Information technology security responsibilities and roles – Defines organizational structure

• Reference to other information technology standards and guidelines

2) Issue-Specific Security Policy (ISSP)

• Provides detailed, targeted guidance

– Instructs the organization in secure use of a technology systems

– Begins with introduction to fundamental technological philosophy of the organization

• Protects organization from inefficiency and ambiguity

– Documents how the technology-based system is controlled


(ISSP)

• Protects organization from inefficiency and ambiguity (cont’d.)

– Identifies the processes and authorities that provide this control

• Indemnifies the organization against liability for an employee’s inappropriate or illegal system use


• Every organization’s ISSP should:

– Address specific technology-based systems

– Require frequent updates

– Contain an issue statement on the organization’s position on an issue

(ISSP)


• ISSP topics

– Email and internet use

– Minimum system configurations

– Prohibitions against hacking

– Home use of company-owned computer equipment

– Use of personal equipment on company networks

– Use of telecommunications technologies

– Use of photocopy equipment

(ISSP)


Components of the ISSP

• Statement of Purpose

– Scope and applicability

– Definition of technology addressed

– Responsibilities

• Authorized Access and Usage of Equipment

– User access

– Fair and responsible use

– Protection of privacy


Components of the ISSP (cont’d.)

• Prohibited Usage of Equipment

– Disruptive use or misuse

– Criminal use

– Offensive or harassing materials

– Copyrighted, licensed or other intellectual property

– Other restrictions



• Systems management

– Management of stored materials

– Employer monitoring

– Virus protection

– Physical security

– Encryption

• Violations of policy

– Procedures for reporting violations

– Penalties for violations Management of Information Security, 3rd ed.


• Policy review and modification

– Scheduled review of policy and procedures for modification

• Limitations of liability

– Statements of liability or disclaimers

• Sample ISSP


ISSP-WLAN.doc

Implementing the ISSP

• Common approaches

– Several independent ISSP documents

– A single comprehensive ISSP document

– A modular ISSP document that unifies policy creation and administration

• The recommended approach is the modular policy

– Provides a balance between issue orientation and policy management


3) System-Specific Security Policy

• System-specific security policies (SysSPs) frequently do not look like other types of policy – They may function as standards or procedures to be used

when configuring or maintaining systems – E.g.: a) how to select, configure, or operate a firewall, b) access

control list that defines levels of access for each authorized user

• SysSPs can be separated into a) Management guidance b) Technical specifications c) Or combined in a single policy document



SysSPs sample 1

a) Managerial Guidance SysSPs

• Created by management to guide the implementation and configuration of technology

• Applies to any technology that affects the confidentiality, integrity or availability of information

• Informs technologists of management intent


b) Technical Specifications SysSPs

• System administrators’ directions on implementing managerial policy

• Each type of equipment has its own type of policies

• General methods of implementing technical controls

a) Access Control List (ACL)

b) Configuration rules


A) Access control lists

– Include the user access lists, matrices, and capability tables that govern the rights and privileges

– A similar method that specifies which subjects and objects users or groups can access is called a capability table

– These specifications are frequently complex matrices, rather than simple lists or tables

Technical Specifications SysSPs (cont’d.)


• Access control lists (cont’d.)

– Enable administrations to restrict access according to user, computer, time, duration, or even a particular file

• Access control lists regulate

– Who can use the system

– What authorized users can access

– When authorized users can access the system



• Access control lists regulate (cont’d.)

– Where authorized users can access the system from

– How authorized users can access the system

– Restricting what users can access, e.g. printers, files, communications, and applications

• Administrators set user privileges

– Read, write, create, modify, delete, compare, copy




Figure 4-5 Windows XP ACL Source: Course Technology/Cengage Learning



B) Configuration rules

– Specific configuration codes entered into security systems

• Guide the execution of the system when information is passing through it

• Rule policies are more specific to system operation than ACLs

– May or may not deal with users directly



• Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process



Figure 4-6 Firewall configuration rules



• Often organizations create a single document combining elements of both management guidance and technical specifications SysSPs

• This can be confusing, but practical

• Care should be taken to articulate the required actions carefully as the procedures are presented



Figure 4-7 IDPS configuration rules


Guidelines for Effective Policy

• For policies to be effective, they must be properly:

Developed using industry-accepted practices

Distributed or disseminated using all appropriate methods

Reviewed or read by all employees

Understood by all employees

Formally agreed to by act or assertion

Uniformly applied and enforced


Develop Security Policy

• It is often useful to view policy development as a 2-part project – 1st - design and develop the policy (or redesign and rewrite an

outdated policy)

– 2nd - establish management processes to perpetuate/carry on the policy within the organization

• The former is an exercise in project management, while the latter requires adherence to good business practices


• Policy development projects should be

– Well planned

– Properly funded

– Aggressively managed to ensure that it is completed on time and within budget

• The policy development project can be guided by the SecSDLC process


Developing Security Policy (cont’d.)

Common Phases in Developing Security Policy

1) Investigation

2) Analysis

3) Design

4) Implementation

5) Maintenance



1) Investigation phase

– Obtain support from senior management, and active involvement of IT management, specifically the CIO

– Clearly articulate the goals of the policy project

– Gain participation of correct individuals affected by the recommended policies


• Investigation phase (cont’d.)

– Involve legal, human resources and end-users

– Assign a project champion with sufficient stature and prestige

– Acquire a capable project manager

– Develop a detailed outline of and sound estimates for project cost and scheduling



2) Analysis phase should produce

– New or recent risk assessment or IT audit documenting the current information security needs of the organization

– Key reference materials

• Including any existing policies



Figure 4-8 End user license agreement for Microsoft Windows XP




3) Design phase includes

– How the policies will be distributed

– How verification of the distribution will be accomplished

– Specifications for any automated tools

– Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified



4) Implementation phase includes

– Writing the policies

• Making certain the policies are enforceable as written

• Policy distribution is not always straightforward

• Effective policy is written at a reasonable reading level, and attempts to minimize technical jargon and management terminology



5) Maintenance Phase

– Maintain and modify the policy as needed to ensure that it remains effective as a tool to meet changing threats

– The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously

– Periodic review should be built in to the process



STANDARD SP 800-18 Rev.1: Guide for Developing Security Plans for Federal

Information Systems

• NIST Special Publication 800-18, Rev. 1 reinforces a business process-centered approach to policy management

• Policies are living documents

– These documents must be properly disseminated (distributed, read, understood and agreed to), and managed



• Good management practices for policy development and maintenance make for a more resilient organization

• Policy requirements

– An individual responsible for reviews

– A schedule of reviews

• Policy requirements (cont’d.)

– A method for making recommendations for reviews

– An indication of policy and revision date

SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems

The Information Securities Policy Made Easy Approach (ISPME)

• Gathering key reference materials

• Defining a framework for policies

• Preparing a coverage matrix

• Making critical systems design decisions

• Structuring review, approval, and enforcement processes


ISPME (con’t)

Figure 4-11 A sample coverage matrix


ISPME (con’t)

• ISPME checklist

– Perform a risk assessment or information technology audit

• To determine your organization's unique information security needs

– Clarify the meaning of “policy” within your organization

– Ensure clear roles and responsibilities related to information security

• Including responsibility for issuing and maintaining policies


A Final Note on Policy

• Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy

– Policies exist, first and foremost, to inform employees of what is and is not acceptable behavior in the organization

– Policy seeks to improve employee productivity, and prevent potentially embarrassing situations


Summary

• Introduction

• Why Policy?

• Type of Security Policy:

– Enterprise Information Security Policy

– Issue-Specific Security Policy

– System-Specific Policy

• Guidelines for Policy Development
