ISM 4323 CH.4


Developing Information Security Policy

It is often useful to view policy development as a two-part project:
-First, design and develop the policy (or redesign and rewrite an outdated policy)
-Second, establish management processes to perpetuate the policy within the organization
The former is an exercise in project management, while the latter requires adherence to good business practices

Developing Information Security Policy

Maintenance Phase
-Maintain and modify the policy as needed to ensure that it remains effective as a tool to meet changing threats
-The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously
-Periodic review should be built in to the process

Technical Specifications SysSPs

System administrators' directions on implementing managerial policy
Each type of equipment has its own type of policies
General methods of implementing technical controls:
-Access control lists
-Configuration rules

Developing Information Security Policy Implementation phase includes

-Writing the policies
-Making certain the policies are enforceable as written
-Policy distribution is not always straightforward
-Effective policy is written at a reasonable reading level, and attempts to minimize technical jargon and management terminology

According to Charles Cresson Wood "policies are important reference documents for internal ____ and for the resolution of legal disputes about management's due diligence; policy documents can act as a clear statement of management's intent".

audits

The ____ model describes the layers at which marginal assessment of security controls can be performed and is a proven mechanism for prioritizing complex changes.

bull's-eye

A ____ specifies which subjects and objects users or groups can access.

capability table

System-Specific Security Policy (SysSPs)

Frequently do not look like other types of policy
They may function as standards or procedures to be used when configuring or maintaining systems
SysSPs can be separated into:
-Management guidance
-Technical specifications
-Or combined in a single policy document

Policies are important reference documents

-For internal audits
-For the resolution of legal disputes about management's due diligence
-Policy documents can act as a clear statement of management's intent

Guidelines for Effective Policy

For policies to be effective, they must be properly:
-Developed using industry-accepted practices
-Distributed or disseminated using all appropriate methods
-Reviewed or read by all employees
-Understood by all employees
-Formally agreed to by act or assertion
-Uniformly applied and enforced

Every organization's Issue-Specific Security Policy (ISSP) should

-Address specific technology-based systems
-Require frequent updates
-Contain an issue statement on the organization's position on an issue

ISPME checklist

-Gather ideas that stakeholders believe should be included in a new or updated information security policy
-Examine other policies issued by your organization to identify prevailing format, style, tone, length, and cross-references
-Identify the audience and distribution method of information security policy materials
-Determine the extent to which the audience is literate, computer knowledgeable, and receptive to security messages
-Decide whether some other awareness efforts must take place before information security policies are issued
-Using ideas from the risk assessment, prepare a list of absolutely essential policy messages that must be communicated

Developing Information Security Policy Design phase includes

-How the policies will be distributed
-How verification of the distribution will be accomplished
-Specifications for any automated tools
-Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified

ISPME checklist

-If there is more than one audience, match the audiences with the bottom-line messages to be communicated through a coverage matrix
-Determine how the policy material will be disseminated, noting the constraints and implications of each medium of communication
-Review the compliance checking process, disciplinary process, and enforcement process to ensure that they all can work smoothly with the new policy document
-Determine whether the number of messages is too large to be handled all at one time; if so, identify different categories of material to be issued at different times

Technical Specifications SysSPs Access control lists

-Include the user access lists, matrices, and capability tables that govern the rights and privileges
-A similar method that specifies which subjects and objects users or groups can access is called a capability table
-These specifications are frequently complex matrices, rather than simple lists or tables
-Enable administrators to restrict access according to user, computer, time, duration, or even a particular file

Developing Information Security Policy Investigation phase

-Obtain support from senior management, and active involvement of IT management, specifically the CIO
-Clearly articulate the goals of the policy project
-Gain participation of correct individuals affected by the recommended policies
-Involve legal, human resources and end-users
-Assign a project champion with sufficient stature and prestige
-Acquire a capable project manager
-Develop a detailed outline of and sound estimates for project cost and scheduling

ISPME checklist

-Outline the topics to be included in the first document reviewed by several stakeholders
-Based on comments from the stakeholders, revise the initial outline and prepare a first draft
-Have the first draft reviewed by stakeholders for initial reactions, suggestions, and implementation ideas
-Revise the draft in response to comments from stakeholders
-Request top management approval on the policy
-Prepare extracts of the policy document for selected purposes
-Develop an awareness plan that uses the policy document as a source of ideas and requirements

Technical Specifications SysSPs Access control lists regulate

-Who can use the system
-What authorized users can access
-When authorized users can access the system
-Where authorized users can access the system from
-How authorized users can access the system
-Restricting what users can access, e.g. printers, files, communications, and applications

Implementing the Issue-Specific Security Policy (ISSP)

1. Common approaches
-Several independent ISSP documents
-A single comprehensive ISSP document
-A modular ISSP document that unifies policy creation and administration
2. The recommended approach is the modular policy
-Provides a balance between issue orientation and policy management

Issue-Specific Security Policy (ISSP) Components

1. Statement of Purpose
-Scope and applicability
-Definition of technology addressed
-Responsibilities
2. Authorized Access and Usage of Equipment
-User access
-Fair and responsible use
-Protection of privacy
3. Prohibited Usage of Equipment
-Disruptive use or misuse
-Criminal use
-Offensive or harassing materials
-Copyrighted, licensed or other intellectual property
-Other restrictions
4. Systems management
-Management of stored materials
-Employer monitoring
-Virus protection
-Physical security
-Encryption
5. Violations of policy
-Procedures for reporting violations
-Penalties for violations
6. Policy review and modification
-Scheduled review of policy and procedures for modification
7. Limitations of liability
-Statements of liability or disclaimers

NIST Special Publication 800-18, Rev. 1

Guide for Developing Security Plans for Federal Information Systems: reinforces a business process-centered approach to policy management
-Policies are living documents
-These documents must be properly disseminated (distributed, read, understood and agreed to), and managed
-Good management practices for policy development and maintenance make for a more resilient organization
Policy requirements:
-An individual responsible for reviews
-A schedule of reviews
-A method for making recommendations for reviews
-An indication of policy and revision date

Standards

A more detailed statement of what must be done to comply with policy

Which of the following would not necessarily be a good reference or resource in writing good policy documents from scratch?

A public bookstore

Enterprise information security program policy (EISP) documents should provide

An overview of the corporate philosophy on security
Information about information security organization and information security roles:
-Responsibilities for security that are shared by all members of the organization
-Responsibilities for security that are unique to each role within the organization

Technical Specifications SysSPs

Configuration rules
-Specific configuration codes entered into security systems
-Guide the execution of the system when information is passing through it
Rule policies are more specific to system operation than ACLs
-May or may not deal with users directly

ISPME checklist

-Convince management that it is advisable to have documented information security policies
-Identify the top management staff who will be approving the final information security document and all influential reviewers
-Collect, read and summarize all existing internal information security awareness material

Managerial Guidance SysSPs

-Created by management to guide the implementation and configuration of technology
-Applies to any technology that affects the confidentiality, integrity or availability of information
-Informs technologists of management intent

Types of information security policy

-Enterprise information security program policy (EISP)
-Issue-specific information security policies
-Systems-specific policies

Developing Information Security Policy Analysis phase should produce

-New or recent risk assessment or IT audit documenting the current information security needs of the organization
-Key reference materials, including any existing policies

ISPME checklist

-Perform a risk assessment or information technology audit to determine your organization's unique information security needs
-Clarify the meaning of "policy" within your organization
-Ensure clear roles and responsibilities related to information security, including responsibility for issuing and maintaining policies

Policy

-Policies are the least expensive means of control and often the most difficult to implement
-A plan or course of action that influences decisions
-For policies to be effective they must be properly disseminated, read, understood, agreed-to, and uniformly enforced
-Policies require constant modification and maintenance
-Policies exist, first and foremost, to inform employees of what is and is not acceptable behavior in the organization
-Policy seeks to improve employee productivity, and prevent potentially embarrassing situations

Bull's-eye model layers

-Policies: first layer of defense
-Networks: threats first meet the organization's network
-Systems: computers and manufacturing systems
-Applications: all applications systems

Developing Information Security Policy

Policy development projects should be:
-Well planned
-Properly funded
-Aggressively managed to ensure that they are completed on time and within budget

Rules for shaping a policy

-Policy should never conflict with law
-Policy must be able to stand up in court if challenged
-Policy must be properly supported and administered

ISPME next steps

-Post policies to intranet or equivalent
-Develop a self-assessment questionnaire
-Develop revised user ID issuance form
-Develop agreement to comply with information security policies form
-Develop tests to determine if workers understand policies
-Assign information security coordinators
-Train information security coordinators

Practices

Procedures and guidelines explain how employees will comply with policy

Issue-Specific Security Policy (ISSP)

Provides detailed, targeted guidance
-Instructs the organization in secure use of a technology system
-Begins with introduction to fundamental technological philosophy of the organization
Protects organization from inefficiency and ambiguity
-Documents how the technology-based system is controlled
-Identifies the processes and authorities that provide this control
Indemnifies the organization against liability for an employee's inappropriate or illegal system use

Administrators set user privileges

Read, write, create, modify, delete, compare, copy

Enterprise information security program policy (EISP)

-Sets strategic direction, scope, and tone for organization's security efforts
-Assigns responsibilities for various areas of information security
-Guides development, implementation, and management requirements of information security program

Example Enterprise information security program policy (EISP)

Statement of purpose
-What the policy is for
Information technology security elements
-Defines information security
Need for information technology security
-Justifies importance of information security in the organization
Information technology security responsibilities and roles
-Defines organizational structure

Typically, the information security policy administrator is ____.

mid-level staff member

Standards are created from

policies

The ____ layer is the outermost layer of the bull's-eye model, hence the first to be assessed for marginal improvement.

policies

____ comprise a set of rules that dictates acceptable and unacceptable behavior within an organization.

policies

A standard is built from a

policy

