Liberty CSIS 340 Second Half - Robert Tucker
Implementing policies and standards libraries entails four major steps
1. Building consensus on intent; 2. Reviews and approvals for your documents; 3. Publication of the documents; 4. Awareness and training
Procedures and Guidelines
Answer Where, When, and How?
Policies and standards
Answers Who, What, and Why?
Family Educational Rights and Privacy Act (FERPA)
Applies to educational institutions such as college and universities. Information related to the educational process that can uniquely identify the student
Awareness and training
Awareness makes people understand that the policy exists and that they need to be involved in it. Training details how to do that
Motivation
Combination of pride, self interest, and success
Building consensus on intent
Discussion on the intent of the policy
Integration Principle
Documents should be coordinated and integrated with each other. Should integrate with other relevant measures, practices and procedures.
(SP) 800-53
Geared to U.S. government agencies and their subcontractors
Reviews and approvals for your documents
Goal is to gain senior executive approval of the policy or standard
Data classification
Identifying value of data. Placing label on data. Level of protection based on data type.
Limited use of personal data
Key idea is that the company can use the information collected for the immediate service provided, or transaction made, such as a purchase.
Defense-in-depth principle
Overlapping layers of controls prevention, detection, and response
Least Privilege principle
People should be granted only enough privilege to accomplish their tasks - no more
Pride
Perceived importance of work - Working on something that is important, understanding of the overall goals and objectives, creates competition and sense of self-worth
Three most common needs for classifying data
Protect, Retain, and Recover information
Publication of the documents
Publishing your policy and standards library depends on the communications tools available
Federal Information security Management Act (FISMA)
Requires government agencies to adopt a common set of information security standards - Creates mandatory requirements to ensure the integrity, confidentiality, and availability of data
Separation of duty principle
Responsibilities and privileges should be divided to prevent inappropriate control of multiple key aspects of a process
National Institute of Standards and Technology (NIST)
Responsible for developing FISMA-mandated information security standards and procedures
Self-interest
Rewards and discipline - self-preservation, those who achieve goals receive rewards
Security Posture
Risk appetite and risk tolerance
Multidisciplinary principle
States that the policy and standards library documents should be written to consider everyone - Contracts / who is the audience?
Children's Internet Protection Act (CIPA)
Tells schools and libraries that receive federal funding that they must block pornographic and explicit sexual material on their computers.
Full Disclosure
The concept that an individual should know what information about them is being collected. A company must give written notice on how it plans to use your information
Public interest
The concept that an organization has an obligation to the general public beyond its self-interest
Informed consent
The concept that someone is of legal age, has the needed facts, and is without undue pressure to make an informed judgment
Opt-in/Opt-out
The practice of asking permission on how personal information can be used beyond its original purpose.
Organizational Culture
The traditions, customs, patterns of behavior, values, and beliefs shared by members of an organization.
Risk Appetite
Understanding risks and determining how much potential risk and related problems the business is willing to accept
Control Objectives for Information and Related Technology (COBIT)
Widely accepted framework that brings together business and control requirements with technical issues
Data Privacy
a company must tell an individual how personal information will be protected and limits placed on how the data will be shared
Detective or response controls
act like alarms and warnings (kick in after an incident begins)
Timeliness principle
all personnel, assigned agents, and third-party providers should act in a timely and coordinated manner to prevent and to respond to breaches of the security.
Commanders
are demanding and not tactful. They might come across at best as impolite, at worst as rude and abrupt. They are forceful in an attempt to achieve stated goals. They can be agents for change, breaking from the past and overcoming barriers within the organization
Technical security controls
are the devices, protocols, and other technology used to protect assets - Include antivirus systems, cryptographic systems, firewalls, and more
Success
being on a winning team - individuals build confidence when frequently recognized for their successes. Measured as perception of how well you perform your work
Multidisciplinary principle
policy and standards library documents should be written to consider everyone affected, including technical, administrative, organizational, operational, commercial, educational, and legal personnel
Physical security controls
prevent intentional or unintentional security threats - Include network access policies, firewall rules, and locks on wiring closets and server room doors
Preventive security controls
prevent security threats (e.g., network access policies, firewall rules, locks on doors, and a Web Application Firewall, which focuses on packet data rather than metadata)
Risk Tolerance
relates to how much variance in the process an organization will accept
Separation of duty principle
responsibilities and privileges should be divided to prevent a person or a small group of collaborating people from inappropriately controlling multiple key aspects of a process and causing harm or loss
Defense-in-depth principle
security increases when it is implemented as a series of overlapping layers of controls and countermeasures that provide three elements to secure assets: prevention, detection, and response
Proportionality Principle
security levels, costs, practices, and procedures should be appropriate and proportionate to the value of the data and the degree of reliance on the system
Proportionality principle
security levels, costs, practices, and procedures should be appropriate and proportionate to the value of the data and the degree of reliance on the system. They should also be proportionate to the potential severity, probability, and extent of harm to the system or loss of data
Democracy principle
security should be balanced against rights of customers, users, and others. Consider your users or partners when requiring information
Reassessment principle
security systems should be reassessed both periodically and aperiodically
Corrective controls
take care of a situation before it progresses far enough to require recovery, i.e., before it becomes a full incident
Risk Tolerance
the dominant view within an organization of how much risk is acceptable
Accountability principle
the personal responsibility of information systems security should be explicit
Administrative controls
the policies, standards, and procedures that guide employees when conducting the organization's business
Authentication
the process used to prove the identity of the person
Democracy principle
the security of an information system should be balanced against the rights of customers, users, and other people affected by the system versus your rights as the owners and operators of these systems.
Reassessment principle
the security of information systems should be periodically reassessed.
Ethics principle
the way information systems are designed, and the level of access to data reflected in the security controls, should operate in accordance with the organization's ethical standards. This includes the level of disclosure and access to customer data. (moving target)
Simplicity principle
try to favor small and simple safeguards over large and complex ones. Security is improved when it is made simpler
Drifters
uncomfortable with structure and deadlines. They might be great with people and communications. What they lack in discipline may be offset by their creativity and thinking out of the box
Drifter
uncomfortable with deadlines, but might be great with people and communication. Creative
Adversary principle
Who are your adversaries? Anticipate attacks, and the adversaries who could carry them out
Timeliness principle
Who makes what happen, and when? Personnel, agents, and third-party providers act in a timely manner
Integration principle
your documents should be coordinated and integrated with each other. They should also integrate with other relevant measures, practices, and procedures for a coherent system of security
Simplicity principle
favor small and simple safeguards over large and complex
Reviews and approvals
gain senior executive approval of policy or standard
Recovery controls
help you put a system back into operation once an incident ends. Disaster recovery and tape backups fit into this category
Corrective controls
help you respond to and fix a security incident. Corrective controls are also used to limit or stop further damage.
Risk Appetite
how much risk is your organization willing to accept to achieve its goal
Continuity principle
identify needs for recovery and continuity (bring back up to acceptable level of operation)
Continuity principle
identify your organization's needs for disaster recovery and continuity of operations. Prepare the organization and its information systems accordingly
Internal control principle
information security forms the core of an organization's information internal control systems
ISO/IEC 27000 series
internationally adopted standard, can be found in the information security management program of virtually any organization
Limited use of personal data
key idea is that the company can use the information collected only for immediate service provided
personality types
key to understanding how to motivate people
Awareness principle
owners, providers, and users of information systems, as well as other parties, should be informed of policies, responsibilities, practices, procedures, and organization for security of information systems
internal control principle
policies must mandate that internal controls must be used
Policy-centered principle
policies, standards, and procedures should be established as the formal basis for managing planning, control, and evaluation
Policy-centered security principle
policies, standards, and procedures should be established as the formal basis for managing the planning, control, and evaluation of all information security activities
Administrative controls
policies, standards, and procedures that guide employees
Implementing policies and standards
Four steps: building consensus; reviews and approvals; publication of documents; awareness and training
Principles for Policy and Standards Development
Accountability Principle, Awareness Principle, Ethics Principle, Multidisciplinary Principle, Proportionality principle
Health Insurance Portability and Accountability Act (HIPAA)
Defines someone's health record as protected health information
Adversary principle
controls, security strategies, architectures, and policy library documents should be developed and implemented in anticipation of attack from intelligent, rational, and irrational adversaries who may intend to harm
Security classification
data classification drives what type of security you should use to protect the information
Commanders
demanding; can come across as impolite, rude, and abrupt. Forceful in achieving goals; an agent for change
Publishing policies
depends on communication tools available
Physical security controls
devices controlling physical access
Technical security controls
devices, protocols, and other technology used to protect assets (e.g., antivirus, cryptographic systems, firewalls, etc.)
Building consensus
discussion on the intent of the policy and the need for the policy