Cis 249 ch.4
Are policies different from standards? In what way?
Yes, a standard is a more detailed statement of what must be done in order to comply with the policy.
Are policies different from procedures? In what way?
Yes. Procedures are step-by-step instructions that tell an employee how to comply with the policy; a procedure may also include steps that the policy itself does not spell out.
Prohibited Uses
a. Disruptive Use or Misuse
b. Criminal Use
c. Offensive or Harassing Materials
d. Copyrighted, Licensed, or Other Intellectual Property
e. Other Restrictions
Systems Management
a. Management of Stored Materials
b. Employer Monitoring
c. Virus Protection
d. Physical Security
e. Encryption
Violations of Policy
a. Procedures for Reporting Violations
b. Penalties for Violations
Policy Review and Modification
a. Scheduled Review of Policy
b. Procedures for Modification
Statement of Purpose
a. Scope and Applicability
b. Definition of Technology Addressed
c. Responsibilities
Limitations of Liability
a. Statements of Liability
b. Other Disclaimers
Authorized Uses
a. User Access
b. Fair and Responsible Use
c. Protection of Privacy
An enterprise information security policy (EISP)
assigns responsibilities for the various areas of InfoSec, including maintenance of InfoSec policies and the practices and responsibilities of end users.
Access control lists (ACLs)
include the user access lists, matrices, and capability tables that govern the rights and privileges of users.
List and describe the three challenges in shaping policy.
• An organization's policy should never conflict with the law • It should stand up in court if challenged • It should be properly supported and administered (distributed, read, understood, agreed to, and uniformly enforced)
List and describe the four elements that should be present in the EISP
The four elements that should be present in the EISP are: • An overview of the corporate philosophy on security • Information on the structure of the information security organization and the individuals who fulfill the information security role • Fully articulated responsibilities for security that are shared by all members of the organization • Fully articulated responsibilities for security that are unique to each role within the organization
What is the purpose of a SysSP
A system-specific security policy is designed to specify and detail standards or procedures to be used when configuring or maintaining systems.
For a policy to have any effect, what must happen after it is approved by management? What are some ways to accomplish this?
All members of the organization must read, understand, and agree to abide by the policy. For a policy to be effective it must be disseminated to everyone it covers (for example in hard copy, by e-mail, or on the intranet), remain readily available for reference, be read and understood (training or a short comprehension check helps here), and be formally acknowledged, typically by signature, so that it can be enforced uniformly.
What is the purpose of an EISP
An enterprise information security policy is designed to outline the strategic direction and scope for all of an organization's security efforts as well as assigning responsibilities for the various areas of information security. It also guides the development, implementation, and management requirements of the information security program.
What is the purpose of an ISSP
An issue-specific security policy is designed to provide detailed and targeted guidelines and expectations about how the technology-based system in question should be used.
issue-specific security policy (ISSP):
An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technology
Is policy considered static or dynamic? Which factors might determine this status?
A policy can be considered either static or dynamic depending on its context. A policy's rules and standards should be static once they are set and should not be bent or ignored for individual gain. On the other hand, policies must be dynamic enough to change with the times so they do not become outdated and useless; they should evolve with the company and the company's goals through scheduled review and a defined modification procedure.
practices
Examples of actions that illustrate compliance with policies. If the policy states to "use strong passwords, frequently changed," the practices might advise that "according to X, most organizations require employees to change passwords at least semi-annually."
1. Policy:
Information must be protected in a manner commensurate with its sensitivity, value, and criticality.
List and describe three functions that the ISSP serves in the organization
It explains how the organization expects the technology in question to be used; it documents how the technology is controlled, identifies the control process, and identifies who has the authority to provide that control; and it protects the organization against liability arising from misuse of the technology.
guidelines
Non-mandatory recommendations the employee may use as a reference in complying with a policy. If the policy states to "use strong passwords, frequently changed," the guidelines might advise that "we recommend you don't use family or pet names, or parts of your Social Security number, employee number, or phone number in your password."
policy:
Organizational guidelines that dictate certain behavior within the organization.
System-specific security policy (SysSP):
Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups, managerial guidance and technical specifications, but may be written as a single unified SysSP document.
To what degree should the organization's values, mission, and objectives be integrated into the policy documents?
Organizational values, mission, and objectives should be a central part of any policy document. The goal of any security policy should be to support the overall values and objectives of an organization and should be implemented to address the behavior of people in the organization in ways that support the security of information.
List and describe the three common ways in which ISSP documents are created and or managed
There are three approaches: (1) independent ISSP documents, each tailored to a single issue, such as Internet use at work; (2) a single comprehensive ISSP that covers all issues, giving the policy broad range for implementation and enforcement; and (3) a modular ISSP, which keeps a detailed topic focus for each issue handled by the responsible department while procedures and topic coverage are centrally managed, combining the advantages of the first two.
Of the controls or countermeasures used to control information security risk, which is viewed as the least expensive? What are the primary costs of this type of control?
Policy is viewed as the least expensive control to create, but it is often the most difficult to implement properly. Its primary costs are the time and effort of the management team that develops, approves, disseminates, and enforces it.
access control lists (ACLs):
Specifications of authorization that govern the rights and privileges of users to a particular information asset. ACLs include user access lists, matrices, and capability tables.
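The ACL definitions above describe three representations of the same thing: an access matrix whose rows are subjects and whose columns are objects, the column view of that matrix (an access control list stored with each object), and the row view (a capability table held for each subject). The following is an added example written for this page, not material from the textbook or course; the users, files, and rights in it are constructed sample data. It builds both views from one matrix, checks that they agree, and shows which questions each view answers cheaply.

```python
from collections import defaultdict

# Constructed sample access matrix (hypothetical users, files and rights):
# rows are subjects, columns are objects, cells are the rights granted.
MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "handbook.pdf": {"read"}},
    "bob":   {"handbook.pdf": {"read"}},
    "carol": {"payroll.xlsx": {"read"}, "handbook.pdf": {"read", "write"}},
}


def to_acls(matrix):
    """Column view of the matrix: object -> {subject -> rights}.
    This is an access control list, stored alongside the object."""
    acls = defaultdict(dict)
    for subject, objects in matrix.items():
        for obj, rights in objects.items():
            acls[obj][subject] = set(rights)
    return dict(acls)


def to_capabilities(matrix):
    """Row view of the matrix: subject -> {object -> rights}.
    This is a capability table, held on behalf of the subject."""
    return {s: {o: set(r) for o, r in objects.items()}
            for s, objects in matrix.items()}


def from_acls(acls):
    """Rebuild the matrix from the ACL view, to confirm nothing was lost."""
    matrix = defaultdict(dict)
    for obj, entries in acls.items():
        for subject, rights in entries.items():
            matrix[subject][obj] = set(rights)
    return dict(matrix)


def is_permitted(acls, subject, obj, right):
    """Reference-monitor check against the ACL view.
    Default deny: anything not explicitly granted is refused, which also
    covers unknown subjects and unknown objects."""
    return right in acls.get(obj, {}).get(subject, set())


def subjects_with_right(acls, obj, right):
    """'Who may do X to this object?' is one lookup in the ACL view."""
    return {s for s, rights in acls.get(obj, {}).items() if right in rights}


def objects_for(caps, subject, right):
    """'What may this subject do X to?' is one lookup in the capability view."""
    return {o for o, rights in caps.get(subject, {}).items() if right in rights}


def revoke_object(acls, obj):
    """Removing all access to an object is cheap in the ACL view: drop its list.
    Returns a new mapping; the input is left untouched."""
    return {o: e for o, e in acls.items() if o != obj}


def revoke_subject(caps, subject):
    """Removing everything a departing user holds is cheap in the capability view."""
    return {s: c for s, c in caps.items() if s != subject}


if __name__ == "__main__":
    acls = to_acls(MATRIX)
    caps = to_capabilities(MATRIX)
    assert from_acls(acls) == MATRIX          # both views describe one matrix
    print("bob may write payroll.xlsx?", is_permitted(acls, "bob", "payroll.xlsx", "write"))
    print("who may write handbook.pdf?", subjects_with_right(acls, "handbook.pdf", "write"))
    print("what may alice read?", objects_for(caps, "alice", "read"))
```

The point of keeping both views is that each makes a different administrative question cheap: the ACL view answers "who can reach this asset?" (and lets you revoke an asset wholesale), while the capability view answers "what can this person reach?" (and lets you revoke a departing user wholesale). Whichever view a real system stores, the check itself should be default deny, as is_permitted is here.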
procedures
Step-by-step instructions designed to assist employees in following policies, standards, and guidelines. If the policy states to "use strong passwords, frequently changed," the procedure might advise that "in order to change your password, first click on the Windows Start button, then...."
standard:
A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance. If the policy states that employees must "use strong passwords, frequently changed," the standard might specify that the password "must be at least 8 characters, with at least one number, one letter, and one special character."
What should be the first component of an ISSP when it is presented? Why? What should be the second major component? Why?
The ISSP should begin with a statement of purpose that outlines its objectives, who is responsible for the policy outlined, and what technology it is addressing. For a policy to be effective, it has to have an overall framework before the detailed steps can be outlined. The second major heading should address who is allowed to have access to the technology. Security levels are based on the level of risk if the information is compromised; therefore, it is critical to determine who needs access to certain information or systems
What is information security policy? Why is it critical to the success of the InfoSec program?
Information security policy is the set of written rules that tells employees and management what is expected of them with respect to protecting information. It is critical because it is the foundation of the InfoSec program: it sets direction, assigns responsibility, and is what every control, standard, and procedure is ultimately measured against and enforced from.
Describe the bull's-eye model. What does it say about policy in the information security program?
The bull's-eye model has four concentric layers. Policies are the outermost ring because they govern every aspect of the program. Inside them are networks, where the organization's infrastructure first meets threats from outside; then systems, such as desktop computers and servers; and at the center, applications. Issues are addressed from the outside in, policy first, because sound policy is what makes the inner network, system, and application layers more secure.
enterprise information security policy (EISP):
The high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts. An EISP is also known as a security program policy, general security policy, IT security policy, high-level
List and describe the two general groups of material included in most SysSP documents
The two types of material included in a system-specific policy are: • Managerial guidance, which guides the implementation and configuration of the technology and addresses the behavior of users so that the security of the information is maintained. • Technical specifications, which translate management's intent for a technical control into an enforceable technical approach, for example access control lists and configuration rules such as firewall rule sets.
Commentary:
This policy applies regardless of the media on which information is stored, the locations where the information is stored, the systems technology used to process the information, or the people who handle the information. This policy encourages examining the ways information flows through an organization. The policy also points to the scope of Information Security management's work throughout, and often even outside, an organization.
List and describe the three approaches to policy development presented in this chapter. In your opinion, which is best suited for use by a smaller organization and why? If the target organization were very much larger, which approach would be more suitable and why?
The three approaches are the enterprise information security policy, the issue-specific security policy, and the system-specific security policy. The EISP is broad-based, encompassing and defining large areas of responsibility and implementation. The ISSP is tailored to the organization's intent for how a certain technology-based system is to be used. The SysSP is written more as a standard and procedure to be used in the configuration of a system. A large organization would need a policy written along the lines of an EISP in order to cover all of its various systems and information security needs. For instance, a government contractor might have a very detailed policy to protect confidential information when its customer, the federal government, requires it. A smaller company, say a restaurant, might only need a system to help track its daily sales, inventory, and labor records. All of these records may be confidential, but they could easily be covered by a policy like the SysSP.
List and describe the three types of Infosec policy as described by NIST SP 800-14
• The first type of information security policy described by NIST SP 800-14 is the enterprise information security policy (EISP). The EISP is used to determine the scope, tone and strategic direction for a company and all the security topics within. This policy should directly reflect the goals and mission of the company. • The second is the issue-specific security policy (ISSP). The ISSP is used to guide employees on the use of specific types of technology (such as e-mail or Internet use). This policy should be carefully designed to uphold a company's ethical codes, while providing the employees with a detailed list to ensure they understand the policy and how it is beneficial to the company. • The final policy is the system-specific security policy (SysSP). The SysSP should be designed and created to focus on a specific type of system (such as firewalls). It should provide a guideline for the implementation and standards by which these systems are configured and maintained.
