Security Policies 3.1
Security Planning Principles
* Comply with legal and regulatory compliance issues.
* Demonstrate ethical practices.
* Practice due care in the development of security policy and procedures. Due care means that security has been examined and reasonable security measures have been put in place. Due care eliminates an organization's burden of negligence in case of a security breach.
* Implement due process by adhering to laws regarding evidence and fairness to protect individuals' rights. Due process ensures that any party charged with a crime is fully aware of the charges held against them and has the opportunity to fully defend themselves.
Protecting against privacy legal issues
- Define the types of actions and communications that will be monitored. For instance, it is typical for a business to reserve the right to monitor all activities performed on company computers, even if those activities might be of a personal nature.
- Clearly communicate all monitoring activities. Users should know that monitoring is being performed.
- Apply monitoring to all employees. Targeting specific employees could be grounds for discrimination.
- Comply with all legal requirements for privacy. For example, personal medical information is protected and cannot be shared without prior authorization.
Plans and Policies Steps
1. Assess the risk
2. Create a policy
3. Implement the policy
4. Train the organization on the policy
5. Audit the plan to make sure it's working
Change Control Process Steps
1. Identify the need for a change and submit it for approval.
2. Conduct a feasibility analysis, including technical and budgetary considerations.
3. Design the method for implementing the change.
4. Implement the change.
5. Test the implementation to make sure it conforms to the plan and that the change does not adversely affect confidentiality, integrity, and accessibility.
6. Document the change.
7. Analyze feedback.
In the event that a change unintentionally diminishes security, an effective change control process includes rollback.
Password Policy
A policy that details the requirements for passwords used in an organization.
Health Insurance Portability and Accountability Act (HIPAA)
Defines security guidelines that enforce the protection of privacy. Specifically, HIPAA protects the privacy of medical records, including the transmission of these records.
Security awareness and training
Designed to:
- Familiarize employees with the security policy.
- Communicate standards, procedures, and baselines that apply to the employee's job.
- Facilitate employee ownership and recognition of security responsibilities.
- Establish reporting procedures for suspected security violations.
When an updated version of a security plan is produced, the most critical activity to prevent is public release of older versions of the document. Even an out-of-date plan can provide sufficient information to attackers to perform serious security intrusions. When the security plan is updated, users should be made aware of the changes, the document should be distributed internally to appropriate parties, and all old versions should be destroyed.
Password policies
Details the requirements for passwords for the organization, including the following:
- The same password should never be used for different systems.
- Accounts should be disabled or locked out after a specified number of failed login attempts.
- Passwords should never contain words, slang, or acronyms.
- Users should be required to change their passwords within a certain time frame and use a rotation policy.
- A strong password policy should be enforced.
Strong passwords:
- Contain multiple character types (uppercase, lowercase, numbers, and symbols).
- Are a minimum length of eight characters or more.
- Use no part of a user name or email address.
Acceptable Use Policy (AUP)
Identifies the employees' rights to use company property such as internet access and computer equipment for personal use.
Termination Policies
Identify processes to be implemented when terminating employees. For example, network access and user accounts are disabled immediately, exit interviews are conducted, employees are escorted out at all times following termination, all company property is returned, and appropriate documents are signed.
Hiring Policies
Identify processes to follow before hiring. Policy might specify that pre-employment screening include employment, reference, and education history checks, a drug screening, or a background check.
PTA Purpose
- Identify programs and systems that are privacy sensitive
- Demonstrate the inclusion of privacy considerations during the review of a program or system
- Provide a record of the program or system and its privacy requirements at the DHS Privacy Office
- Demonstrate compliance with privacy laws and regulations
Rollback
Makes it possible to revert the system back to the state it was in before the change was put into effect.
Resource Allocation
Outlines how resources are allocated. Resources could include staffing, technology, and budgets.
Privacy Policy
Outlines how the organization will secure private information for employees, clients, and customers. The privacy policy outlines how personally identifiable information (PII) can be used and how it is protected from disclosure. PII could include:
- Full name
- Address
- Telephone number
- Driver's license
- National identification number
- Credit card numbers
- Email address
Employee Management
Reduces asset vulnerability from employees by implementing processes that include the following:
- Pre-employment processing
- Employee agreement documents
- Employee monitoring
- Termination procedures
The Gramm-Leach-Bliley Act (GLBA)
Requires all banks and financial institutions to implement the following:
- Financial Privacy Rule - requires banks and financial institutions to alert customers to their policies and practices in disclosing customer information.
- Safeguards Rule - requires banks and financial institutions to develop a written information security plan detailing how they plan to protect electronic and paper files containing personally identifiable financial information.
- Pretexting Protection - requires banks and financial institutions to train their staff how to recognize social engineering exploits.
Sarbanes-Oxley Act (SARBOX)
Requires publicly traded companies to adhere to stringent reporting requirements and internal controls on electronic financial reporting systems. A key aspect of the law is the requirement for retaining copies of business records, including email for a specified period of time.
Code of ethics requirements
Requires that everyone associated with the security policy:
- Conduct themselves in accordance with the highest standards of moral, ethical, and legal behavior.
- Not commit or be a party to unlawful or unethical acts that may negatively affect their professional reputation or the reputation of their profession.
- Appropriately report activity related to the profession that they believe to be unlawful and cooperate with the resulting investigations.
Recommendations for SLA
SLAs should define, in sufficient detail, any penalties incurred if the level of service is not maintained. In the information security realm, it is also vital that the provider's role in disaster recovery operations and continuity planning is clearly defined. Industry standard templates are frequently used as a starting point for SLA design, but must be tailored to the specific project or relationship to be effective. If you depend on an SLA for mission-critical code, you should consider a code escrow arrangement. Code escrow is a storage facility hosted by a trusted third party which will ensure access to the mission-critical code even if the development company, the company with whom you have the SLA, goes out of business.
Security Awareness
Security awareness is designed to:
- Familiarize employees with the security policy
- Communicate standards, procedures, and baselines that apply to an employee's job
- Facilitate employee ownership and recognition of security responsibilities
- Establish reporting procedures for suspected security violations
- Follow up and gather training metrics to validate:
  - Employee compliance
  - The organization's security posture
Role-based security awareness training
Should be tailored for the role of the employee: Data owner, System Administrator, System Owner, User, Privileged User, Executive User
Service Level Agreement (SLA)
Sometimes called a maintenance contract, this is an agreement between a customer and provider that guarantees the quality of a network service provider's care to a subscriber.
SLA Description
The mean time between failures (MTBF) identifies the average lifetime of a system or component. Components should be replaced about the time that the MTBF is reached. The mean time to repair (MTTR) identifies the average amount of time necessary to repair a failed component or to restore operations.
Security Management
The overall security vision for an organization as well as the ongoing implementation and maintenance of security. The goal is to preserve the confidentiality, integrity, and availability of all critical and valuable assets. Senior management is responsible for security management. Senior management defines the corporate security posture or tone (the organization's outlook and approach to security) and provides funding for the security program.
Defense in depth
The premise that no single layer is completely effective in securing the organization. The most secure system has many layers of security, eliminating single points of failure.
Physical Security
The protection of assets from physical threats. Physical security procedures include the following:
- Choosing a secure site and securing the facility
- Protecting both data and equipment from theft, destruction, or compromise
- Implementing environmental and safety measures to protect personnel and the facility
- Disposing of sensitive material that is no longer needed
Privacy
The right of individuals to keep personal information from unauthorized exposure or disclosure. In a business environment, businesses might need to be able to monitor and record actions taken by employees. Such monitoring might be viewed as a violation of individual privacy.
California Database Security Breach Act of 2003
a California state law that specifies that any agency, person, government entity, or company that does business in the state of California must inform California residents within 48 hours if a database breach or other security breach occurs in which personal information has been stolen or believed to have been stolen.
Gramm-Leach-Bliley Act
a US federal law designed to protect private information held at financial institutions.
Patriot Act of 2001
a US federal law that gives law enforcement the authority to request information from organizations to detect and suppress terrorism.
Children's Online Privacy Protection Act of 1998 (COPPA)
a US federal law that requires organizations that provide online services designed for children below the age of 13 to obtain parental consent prior to collecting a child's personal information.
Sarbanes-Oxley Act of 2002
a US federal law that requires publicly traded companies to adhere to very stringent reporting requirements and implement strong controls on electronic financial reporting systems.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
a US federal law that specifies that all organizations must protect the health information that they maintain.
Code Escrow Agreement
a document that specifies the storage and conditions of release of source code. For example, a code escrow agreement could specify that you can obtain the source code from a vendor if the vendor went out of business.
Organizational Security Policy
a high level overview of the corporate security program.
Organizational Security
a high-level overview of the corporate security program. The organizational security policy:
- Is usually written by the security professionals, but must be wholly supported and endorsed by senior management.
- Identifies roles and responsibilities to support and maintain the elements of the security program.
- Identifies what is acceptable and unacceptable regarding security management.
- Identifies the rules and responsibilities for the enforcement of the policy.
User Management Policy
a policy that identifies actions to follow when employee status changes to ensure the security of the system, including hiring new employees, promoting and transferring employees, and terminating employees.
Acceptable Access Policy (AAP)
a policy that regulates changes to policies, practices, and equipment that could impact the security of your IT infrastructure.
Change Management and Configuration Management Policy
a policy that regulates changes to policies, practices, and equipment that could impact the security of your IT infrastructure.
Human Resource Policy
a policy used by HR that defines hiring and termination processes, job rotation requirements, and personal time off procedures.
User Education and Awareness policy
a policy with provisions for user education and awareness training.
Guideline
a recommendation that is used when a specific standard or procedure does not exist.
Privacy Threshold Assessment (PTA)
a required document that serves as the official determination by the Department of Homeland Security (DHS) as to whether a department program or system has privacy implications and whether additional privacy compliance documentation is required, such as a privacy impact assessment (PIA) and System of Records Notice (SORN). The PTA is built into departmental processes for technology investments and security. PTAs expire and must be reviewed and re-certified every three years.
Regulation
a requirement published by a government or other licensing body that must be followed.
Code of Ethics
a set of rules or standards that help individuals to act ethically in various situations.
Code of ethics
a set of rules or standards that help you to act ethically in various situations. Because issues involved in various situations can be complex, the code of ethics does not prescribe actions to take for every situation. Rather, it identifies general principles of ethical behavior that can be applied to various situations.
Baseline
a standard that dictates the settings and security mechanisms that must be imposed on a system in order to comply with required security standards. Baselines are mandatory standards with which all systems must comply.
Procedure
a step-by-step process that outlines how to implement a specific action. The design of a procedure is guided by goals defined in a policy, but goes beyond the policy by identifying specific steps that are to be implemented. The use of consistent procedures ensures that the goals defined in a policy are met and that the actions of multiple administrators are consistent.
Job rotation requirement
cross-trains individuals and rotates users between positions on a regular basis. This helps catch irregularities that could arise when one person is unsupervised over an area of responsibility.
Prudent man rule (the exercise of due care and due diligence)
demonstrates that management has taken reasonable actions to ensure safety standards according to accepted best practices. The ability to demonstrate due care and due diligence protects the organization and its staff from accusations of negligence or incompetence in security-related issues.
Authorized access policy
documents access control to company resources and information. This policy specifies who is allowed to access the various systems of the organization.
Privacy Impact Assessment (PIA)
is a process that assists organizations in identifying and minimizing the privacy risk of new projects or policies.
USA Patriot Act
mandates organizations to provide information, including records and documents, to law enforcement agencies under the authority of a valid court order, subpoena, or other authorized agency. Many states mandate that after a security incident involving privacy happens, organizations are obligated to inform users that their information could have been compromised.
User Management
policies identify actions that must take place when employee status changes. The administrator of a network for an organization needs to be aware of new employees, employee advancements and transfers, and terminated employees to ensure the security of the system. All of these activities could result in changes to network access, equipment configuration, and software configuration.
Configuration Management Policy
provides a structured approach to securing company assets and making change. Configuration management:
- Establishes hardware, software, and infrastructure configurations that are to be deployed universally throughout the corporation.
- Tracks and documents significant changes to the infrastructure.
- Assesses the risk of implementing new processes, hardware, or software.
- Ensures that proper testing and approval processes are followed before changes are allowed.
Change control
regulates changes to policies and practices that could impact security. The primary purpose of change control is to prevent unchecked change that could introduce reductions in security. Change control must be a formal, fully documented process.
Regulation (law)
a requirement published by a government or other licensing body that must be followed. While you are not responsible for writing regulations, you are responsible for knowing which regulations apply to your organization and making sure that those regulations are understood and adhered to. Policies are often written in response to regulations.
Mandatory Vacations
requires employees to take vacations of specified length. These vacations can be used to audit actions taken by the employee and provide a passage of time where problems caused by misconduct could become evident.
Children's Online Privacy Protection Act (COPPA)
requires online services or websites designed for children under the age of 13 to:
- obtain parental consent prior to the collection, use, disclosure, or display of a child's personal information
- allow children's participation without the need to disclose more personal information than is reasonably necessary to participate
Security Policy
the overall security goals and processes for an organization. To be effective the security policy must be:
* Planned. Good security is the result of good planning.
* Maintained. A good security plan must be constantly evaluated and modified as needs change.
* Used. The most common failure of a security policy is the lack of user awareness. The most effective way of improving security is through user awareness.