IAM414 Chapter 04
policy compliance:
- the employee must agree to the policy by act (occurs when the employee performs an action, which requires them to acknowledge understanding of the policy, prior to use of a technology or organizational resource) or affirmation. (Policy Compliance)
policy administrator:
- the policy champion position combined with the manager position. (-)
EISP NEED Component justifies the need for the organization:
- to have a program for information security by providing information on the importance of InfoSec in the organization and the obligation (legal and ethical) to protect critical information. (EISP Elements)
CPM (similar to the PERT method), relies on a scheduling process designed:
- to identify the sequence of tasks that make up the shortest elapsed time to complete the project; other tasks may then be scheduled in ways that do not lengthen the total time of the project. (Project Management Tools)
PERT was originally developed in the late 1950s:
- to meet the needs of the rapidly expanding engineering projects associated with government acquisitions such as weapons systems. (Project Management Tools)
Targeted at U.S. federal agencies, NIST's Special Publication 800-18, Rev. 1 reinforces a business process-centered approach
- to policy management; a very practical approach to InfoSec planning that many other organizations may be able to use. (Next Steps)
Policies define what you can do and not do:
- whereas "standards," "procedures," "practices," and "guidelines." focus on the how. (Policy, Standards, and Practices)
ISSP element Authorized Uses explains:
- who can use the technology governed by the policy and for what purposes. (Elements of the ISSP)
Organizations that handle extremely sensitive information should not have:
- relaxed InfoSec policies. (Why Policy?)
Organizations with little need for strong security measures would be poorly:
- served with a stringent policy environment. (Why Policy)
A statement of purpose:
- should address the following questions: What purpose does this policy serve? Who is responsible and accountable for policy implementation? What technologies and issues does the policy document address? (Issue-Specific Security Policy)
A clear statement of purpose that outlines the scope and applicability of the policy:
- should appear at the beginning of the ISSP. (Issue-Specific Security Policy)
The Policy Review and Modification section:
- should contain procedures and a timetable for periodic review and should outline a specific methodology for the review and modification of the ISSP. (Issue-Specific Security Policy)
Additional resources should be spent on controls only after:
- sound and usable IT and InfoSec policy is developed, communicated, and enforced. (Why Policy?)
The Violations of Policy section:
- specifies the penalties and repercussions of violating the usage and systems management policies. Penalties should be laid out for each violation. (Issue-Specific Security Policy)
ISSP element Prohibited Uses:
- specifies what the issue or technology cannot be used for. (Elements of the ISSP)
The highest level of policy:
- the EISP, is usually created first. (Policy, Standards, and Practices)
ISSP element Violations of Policy specifies
- the penalties and repercussions of failing to follow the usage and systems management policies with clear penalties laid out for each. (Elements of the ISSP)
Who must be clearly identified on the policy document as the primary contact for providing additional information or suggesting revisions to the policy:
- the policy administrator. (Policy Administrator)
While information security policies are considered the least expensive means of control:
- they are often the most difficult to implement and guarantee compliance. (Why Policy)
Policies that are too complex:
- can cause confusion and possibly demoralize employees. (Why Policy)
Effective policy must be properly:
- 1. Developed using industry-accepted practices, and formally approved by management 2. Distributed using all appropriate methods 3. Read by all employees 4. Understood by all employees 5. Formally agreed to by act or affirmation 6. Uniformly applied and enforced (Effective Policy Development and Implementation)
Program Evaluation and Review Technique (PERT):
- A diagramming technique developed in the late 1950s that involves specifying activities and their sequence and duration. (Project Management Tools)
Gantt chart:
- A diagramming technique named for its developer, Henry Gantt, which lists activities on the vertical axis of a bar chart and provides a simple timeline on the horizontal axis. (Project Management Tools)
Critical Path Method (CPM):
- A diagramming technique, similar to PERT, designed to identify the sequence of tasks that make up the shortest elapsed time needed to complete a project. (Project Management Tools)
work breakdown structure (WBS):
- A list of the tasks to be accomplished in the project; it provides details for the work to be accomplished, the skill sets or even specific individuals to perform the tasks, the start and end dates for the task, the estimated resources required, and the dependencies between and among tasks. (Project Management Tools)
projectitis:
- A situation in project planning in which the project manager spends more time documenting project tasks than accomplishing meaningful project work. (Project Management Tools)
How can a good policy administrator can prevent a policy that requires hundreds of staff hours of development time being inserted into a three-ring binder, placed on a manager's bookcase to gather dust:
- by making sure that the policy document and all subsequent revisions to it are appropriately distributed. (Policy Administrator)
EISP ELEMENTS Component:
- Defines the whole topic of information security within the organization as well as its critical components. (EISP Elements)
Why should policies be drafted and published with its date of origin, along with the dates, if any, of revisions included?:
- Doing otherwise can create problems, including legal ones, if employees are complying with an out-of-date policy. (Policy and Revision Date)
RENÉ DESCARTES said:
- Each problem that I solved became a rule which served afterwards to solve other problems. (Introduction)
policy:
- High level organizational guidance that dictates certain behavior within the organization. (Policy, Standards, and Practices)
We use policy to specify computer system configuration when discussing:
- IT. (Why Policy?)
We typically use the document version of the term policy when discussing:
- InfoSec (Why Policy?)
guidelines:
- Non mandatory recommendations the employee may use as a reference in complying with a policy; if the policy states to "use strong passwords, frequently changed," it might advise that "we recommend you don't use family names, parts of your Social Security number, or phone number in your password." (Policy, Standards, and Practices)
access control lists:
- Specifications of authorization that govern the rights and privileges of users to a particular information asset. (System-Specific Security Policy)
procedures:
- Step-by-step instructions designed to assist employees in following policies, standards and guidelines so if the policy states to "use strong passwords, frequently changed," it might advise that "in order to change your password, first click on the Windows Start button, then...." (Policy, Standards, and Practices)
enterprise information security policy (EISP):
- The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts, it is also known as an IT security policy, or simply an InfoSec policy. (-)
Why should the policy administrator implement a mechanism by which individuals can easily make recommendations for revisions to the policies and other related documentation?:
- To facilitate policy reviews. (Review Procedures and Practices )
ISSP element Statement of Purpose should address the following questions
- What purpose does this policy serve? Who is responsible and accountable for policy implementation? What technologies and issues does the policy document address? (Elements of the ISSP)
Managerial Guidance SysSPs:
- a document created by management to guide the implementation and configuration of technology.. (System-Specific Security Policy)
Technical Specification SysSPs:
- a set of policies created by the systems administrator to implement the managerial policy. (System-Specific Security Policy)
ISSP element Systems Management focuses on the users' relationships to systems management:
- and should specify users' and systems administrators' responsibilities, so that all parties know what they are accountable for. (Elements of the ISSP)
In the bull's-eye model issues:
- are addressed by moving from the general to the specific, always starting with policy; the focus is on systemic solutions instead of individual problems. (Why Policy?)
practices:
- are examples of actions that illustrate compliance with policies, for example if the policy states to "use strong passwords, frequently changed," they might advise that "according to X, most organizations require employees to change passwords at least semi-annually." (Policy, Standards, and Practices)
Configuration Rules:
- are instructional codes that guide the execution of the system when information is passing through it and are more specific to the operation of a system than ACLs are, and they may or may not deal with users directly. (System-Specific Security Policy)
systems:
- are the collections of hardware and software being used as servers or desktop computers as well as those used for process control and manufacturing systems. (Why Policy?)
applications:
- are the programmed resources, ranging from packaged programs, such as office automation and e-mail, to high-end enterprise resource planning (ERP) packages to custom software developed by the organization. (Why Policy?)
System-specific security policy are organizational policies that often function :
- as standards or procedures to be used when configuring or maintaining systems. (System-Specific Security Policy)
To be certain that employees understand the policy, the document must:
- be written at a reasonable reading level, with minimal technical jargon and management terminology. (Policy Comprehension)
The bull's-eye model has become widely accepted among InfoSec professionals:
- because it provides a proven mechanism for prioritizing complex changes. (Why Policy)
Policy Reading:
- can be problematic as barriers to employees' reading policies can arise from literacy or language issues. (Policy Reading)
EISP ROLES AND RESPONSIBILITIES Component:
- defines the staffing structure designed to support InfoSec within the organization, describing the placement of the governance elements for InfoSec as well as the categories of individuals with responsibility for InfoSec and their InfoSec responsibilities, including maintenance of this document. (EISP Elements)
PERT diagram:
- depicts a number of events followed by key activities and their durations. (Project Management Tools)
Quizzes and other forms of examination can be employed to assess quantitatively which employees understand the policy:
- determine which employees require additional training and awareness efforts. (Policy Comprehension)
A management problem, not a technical one:
- developing proper guidelines for an InfoSec program. (Chapter Summary)
Authorized Uses Policy section:
- explains who can use the technology governed by the policy and for what purposes. (Issue-Specific Security Policy)
The Systems Management Policy section:
- focuses on the users' relationships to systems management. (Issue-Specific Security Policy)
ACLs:
- is Access Control Lists (System-Specific Security Policy)
EISP:
- is Enterprise Information Security Policy (-)
ISSP:
- is Issue-Specific Security Policies (-)
ISSP:
- is Issue-Specific Security Policy (Issue-Specific Security Policy)
PERT:
- is Program Evaluation and Review Technique. (Project Management Tools)
SysSP:
- is System-Specific Security Policies (System-Specific Security Policy)
standard:
- is a detailed statement of what must be done to comply with policy; for example if the policy states that employees must "use strong passwords, frequently changed," it might specify that the password "must be at least 8 characters, with at least one number, one letter, and one special character." (Policy, Standards, and Practices)
Combination SysSP:
- is a single document that combines elements of the management guidance SysSP and the technical specifications SysSP. (System-Specific Security Policy)
A work breakdown structure (WBS):
- is a very simple planning tool that can create a project plan. (Project Management Tools)
issue-specific security policy or fair and responsible use policy:
- is designed to regulate the use of some technology or resource issue within the organization. (Issue-Specific Security Policy)
The essential foundation of an effective information security program:
- is policy (Why Policy?)
The information security program functions almost seamlessly within the workplace.when:policy
- is properly developed and implemented. (Why Policy?)
networks:
- is the environment where threats from public networks meet the organization's digital communications infrastructure. (Why Policy?)
policies:
- is the outer layer in the bull's-eye diagram, reflecting that it is the initial viewpoint that most users have for interacting with InfoSec. (Why Policy?)
EISP REFERENCES Component:
- lists other standards that influence and are influenced by this policy document, including relevant federal and state laws and other policies. (EISP Elements)
Policy Distribution:
- might seem straightforward, but actually getting the policy document into the hands of employees can require a substantial investment by the organization; unless the organization can prove that the policy actually reached the end users, it cannot be enforced because ignorance of policy, is considered an acceptable excuse. (Policy Distribution)
An organization must conform to its own policy and that policy:
- must be consistently applied. (Why Policy)
Policy Enforcement is the final component of the design and implementation of effective policies and it:
- must be uniform and impartial enforcement because if an employee is punished, censured, or dismissed as a result of a refusal to follow policy and is subsequently able to demonstrate that the policies are not uniformly applied or enforced, the organization may find itself facing punitive as well as compensatory damages. (Policy Enforcement)
The EISP plays the vital role of stating the importance of InfoSec to the organization's mission and objectives; and to be clear:
- must reflect the derivative associations InfoSec strategic planning derives from other organizational strategic policies, such as the IT strategic plans and key business unit strategic plans, which are in turn derived from the organization's strategic planning. (Integrating an Organization's Mission and Objectives into the EISP)
EISP assigns responsibilities for the various areas:
- of InfoSec, including maintenance of InfoSec policies and the practices and responsibilities of end users. (Enterprise Information Security Policy)
The Limitations of Liability section:
- offers a general statement of liability or a set of disclaimers; in other words, if employees violate a company policy using company technologies, the company will not protect them and is not liable for their actions. (Issue-Specific Security Policy)
The Gantt chart lists activities:
- on the vertical axis of a bar chart and provides a simple time line on the horizontal axis. (Project Management Tools)
Prohibited Uses Policy section:
- outlines what the issue or technology cannot be used for; unless a particular use is clearly prohibited, the organization cannot penalize employees for it. (Issue-Specific Security Policy)
A quality information security program begins and ends with:
- policy. (Why Policy)
In the term "network scheduling." the word "network" :
- refers to the web of possible pathways to project completion from the beginning task to the ending task. (Project Management Tools)
EISP PURPOSE Component:
- will: • Identify the elements of good security policy • Explain the need for information security • Specify categories of information security • Identify information security responsibilities and roles • Identify appropriate levels of security through standards and guidelines. (EISP Elements)
EISP documents should include the following elements:
- • An overview of the corporate philosophy on security • Information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role • Fully articulated responsibilities for security that are shared by all members of the organization • Fully articulated responsibilities for security that are unique to each role within the organization. (EISP Elements)
Three types of Info-Sec policies:
- • Enterprise information security policy (EISP) • Issue-specific security policies (ISSP) • System-specific security policies (SysSP). (Policy, Standards, and Practices)
An ISSP has these characteristics:
- • It addresses specific technology-based resources. • It requires frequent updates. • It contains an issue statement explaining the organization's position on a particular issue. (Issue-Specific Security Policy)
Every ISSP has three characteristics: • It addresses specific technology-based resources. • It requires frequent updates. • It contains an issue statement explaining the organization's position on a particular issue
- • It addresses specific technology-based resources. • It requires frequent updates. • It contains an issue statement explaining the organization's position on a particular issue. (Issue-Specific Security Policy)
Bull's-eye model layers:
- • Policies • Networks • Systems • Applications (Why Policy?)
Some basic rules must be followed when developing a policy:
- • Policy should never conflict with law. • Policy must be able to stand up in court if challenged. • Policy must be properly supported and administered. (Why Policy?)
User privileges (also known as permissions) are access restrictions assigned by administrators such as the following:
- • Read • Write • Execute • Delete (System-Specific Security Policy)
ACLs regulate the following aspects of access:
- • Who can use the system • What authorized users can access • When authorized users can access the system • Where authorized users can access the system from • How authorized users can access the system. (System-Specific Security Policy)
An effective ISSP includes these accomplishments:
- • articulates the organization's expectations about how its technology-based resources should be used. • documents how the technology-based resource is controlled and identifies the processes and authorities that provide this control. • indemnifies the organization against liability for an employee's inappropriate or illegal use of the resource. (Issue-Specific Security Policy)
Effective ISSP accomplishes the following:
- • articulates the organization's expectations about how its technology-based resources should be used. • documents how the technology-based resource is controlled. • indemnifies the organization against liability for an employee's inappropriate use of the resource. (Issue-Specific Security Policy)