Chapter 4 reading


Need for Information Security

Provides information on the importance of information security in the organization and the legal and ethical obligation to protect critical information about customers, employees, and markets

objectives

Sometimes used synonymously with goals; the intermediate states obtained to achieve progress toward a goal or goals.

goals

Sometimes used synonymously with objectives; the desired end of a planning cycle.

access control list (ACL)

Specifications of authorization that govern the rights and privileges of users to a particular information asset. ACLs include user access lists, matrices, and capability tables.

Reference to Other Information Standards and Guidelines

Lists other standards that influence this policy document and are influenced by it, perhaps including relevant federal laws, state laws, and other policies.

Combination SysSPs

Many organizations create a single document that combines the managerial guidance SysSP and the technical specifications SysSP.

Like laws, policies define what is right and wrong, the penalties for violating policy, and the appeal process. ____________, on the other hand, are more detailed statements of what must be done to comply with policy.

standards

Governance

"The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly."

The components of a good EISP

• Statement of purpose
• Information security elements
• Need for information security
• Information security responsibilities and roles
• Reference to other information standards and guidelines

procedures

Step-by-step instructions designed to assist employees in following policies, standards, and guidelines. If the policy states to "use strong passwords, frequently changed," the procedure might advise that "in order to change your password, first click the Windows Start button, then...."

According to the Information Technology Governance Institute (ITGI), information security governance includes all of the accountabilities and methods undertaken by the board of directors and executive management to provide

• Strategic direction
• Establishment of objectives
• Measurement of progress toward those objectives
• Verification that risk management practices are appropriate
• Validation that the organization's assets are used properly

Strategic plans are used to create

Tactical Plans which in turn are used to develop operational plans

information security governance

The application of the principles of corporate governance to the information security function.

strategic plan

The documented product of strategic planning; a plan for the organization's intended strategic efforts over the next several years

tactical plan

The documented product of tactical planning; a plan for the organization's intended tactical efforts over the next few years

enterprise information security policy (EISP)

The high-level security policy that is based on and directly supports the mission, vision, and direction of the organization and sets the strategic direction, scope, and tone for all security efforts.

configuration rules

The instructions a system administrator codes into a server, networking device, or security device to specify how it operates

Review (reading):

The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for employees who are illiterate, reading-impaired, and unable to read English. Common techniques include recording the policy in English and other languages.

Compliance (agreement):

The organization must be able to demonstrate that the employee agrees to comply with the policy through act or affirmation. Common techniques include logon banners, which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.

Comprehension (understanding):

The organization must be able to demonstrate that the employee understands the requirements and content of the policy. Common techniques include quizzes and other assessments.

Dissemination

The organization must be able to demonstrate that the policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.

Uniform enforcement (fairness in application):

The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.

Access Control Lists

consists of details about user access and use permissions and privileges for an organizational asset or resource, such as a file storage system, software component, or network communications device. ACLs focus on assets and the users who can access and use them.

policy should never

contradict law; policy must be able to stand up in court, if challenged; and policy must be properly administered through dissemination and documented acceptance. Otherwise, an organization leaves itself exposed to significant liability.

The first priority of the CISO and the information security management team is the

creation of a strategic plan to accomplish the organization's information security objectives. While each organization may have its own format for the design and distribution of a strategic plan, the fundamental elements of planning share characteristics across all types of enterprises.

Standards may be informal or part of an organizational culture, as in ________

de facto standards

The EISP guides the

development, implementation, and management of the security program.

The level of detail may differ from system to system, but in general ACLs can restrict access for a particular user, computer, time, or duration—even a particular file. This specificity provides powerful control to the administrator. In general, ACLs regulate the following:

• Who can use the system
• What authorized users can access
• When authorized users can access the system
• Where authorized users can access the system

Policies

direct how issues should be addressed and how technologies should be used. Policies do not specify the proper operation of equipment or software—this information should be placed in the standards, procedures, and practices of users' manuals and systems documentation.

The plan is an evolving statement of how the CISO and various elements of the organization will implement the objectives of the information security charter, which is expressed in the

enterprise information security policy (EISP). You will learn about EISPs later in this chapter.

Security policies are the

least expensive control to execute, but the most difficult to implement properly. They have the lowest cost in that their creation and dissemination require only the time and effort of the management team. Even if the management team hires an outside consultant to help develop policy, the costs are minimal compared to those of technical controls

Information security is primarily a

management problem, not a technical one

policy is a __________that obliges personnel to function in a manner that preserves the security of information assets

management tool

SysSPs can be separated into two general groups

managerial guidance SysSPs and technical specifications SysSPs, or they can be combined into a single policy document that contains elements of both

(EISP)

sets out the requirements that must be met by the information security blueprint or framework.

Configuration rules

(or policies) govern how a security system reacts to the data it receives. Rule-based policies are more specific to the operation of a system than ACLs, and they may or may not deal with users directly. Many security systems—for example, firewalls, intrusion detection and prevention systems (IDPSs), and proxy servers—use specific configuration scripts that represent the configuration rule policy to determine how the system handles each data element they process.

Although the specifics of EISPs vary among organizations, most EISP documents should include the following elements:

• An overview of the corporate philosophy on security
• Information on the structure of the information security organization and people who fulfill the information security role
• Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
• Fully articulated responsibilities for security that are unique to each role within the organization

The five goals of information security governance are:

1. Strategic alignment of information security with business strategy to support organizational objectives
2. Risk management by executing appropriate measures to manage and mitigate threats to information resources
3. Resource management by using information security knowledge and infrastructure efficiently and effectively
4. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
5. Value delivery by optimizing information security investments in support of organizational objectives

a policy must meet the following criteria to be effective and thus legally enforceable:

1. Dissemination
2. Review (reading)
3. Comprehension (understanding)
4. Compliance (agreement)
5. Uniform enforcement (fairness in application)

sunset clause

A component of policy or law that defines an expected end date for its applicability

standard

A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance. If the policy states that employees must "use strong passwords, frequently changed," the standard might specify that the password "must be at least 8 characters, with at least one number, one letter, and one special character."

capabilities table

A lattice-based access control with rows of attributes associated with a particular subject (such as a user).

Managerial Guidance SysSPs

A managerial guidance SysSP document is created by management to guide the implementation and configuration of technology and to address the behavior of employees in ways that support information security. For example, while the method for implementing a firewall belongs in the technical specifications SysSP, the firewall's configuration must follow guidelines established by management. An organization might not want its employees to access the Internet via the organization's network, for instance; in that case, the firewall should be implemented accordingly.
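How a configuration rule policy (the rule-based policies described above under Configuration rules) turns management's intent from the preceding paragraph into an enforceable, ordered rule set, as an added Python example that is not from the textbook or any firewall product. The rule format, the network ranges, the proxy address and the sample packets are all constructed. It also adds a check the text does not mention: finding rules that an earlier, broader rule shadows, which is the usual way a misordered rule set silently fails to enforce the policy management asked for.

```python
"""Rule-based configuration policy for a packet filter (added example).

Constructed for illustration; the rule format, networks, proxy address
and sample packets are not from the textbook or any vendor.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or ANY
    src: object    # IPv4Network or ANY
    dst: object    # IPv4Network or ANY
    dport: object  # int or ANY
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Management's intent from the managerial guidance SysSP: workstations on
# the user LAN reach the web only through the internal proxy, may use
# internal DNS and internal HTTPS services, and get no direct Internet
# egress. Rules are evaluated top to bottom; the first match decides.
USER_LAN = ip_network("10.10.0.0/16")
INTERNAL = ip_network("10.0.0.0/8")
PROXY = ip_network("10.0.5.10/32")

RULES = [
    Rule("allow", "tcp", USER_LAN, PROXY, 3128, "web only via proxy"),
    Rule("allow", "udp", USER_LAN, INTERNAL, 53, "internal DNS"),
    Rule("allow", "tcp", USER_LAN, INTERNAL, 443, "internal HTTPS"),
    Rule("deny", ANY, USER_LAN, ANY, ANY, "no direct Internet egress"),
]

# The same rules with the catch-all deny moved to the top: a common
# mistake that silently blocks everything the allow rules were meant to permit.
MISORDERED = [RULES[3]] + RULES[:3]


def _field_matches(rule_value, packet_value):
    if rule_value == ANY:
        return True
    if isinstance(rule_value, IPv4Network):
        return ip_address(packet_value) in rule_value
    return rule_value == packet_value


def matches(rule, pkt):
    return all(_field_matches(getattr(rule, f), getattr(pkt, f))
               for f in ("proto", "src", "dst", "dport"))


def evaluate(rules, pkt):
    """First-match evaluation; an unmatched packet is dropped (default deny).
    Returns (action, index of the deciding rule or None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def _covers(broad, narrow):
    """True if every packet matching `narrow` also matches `broad`."""
    if broad == ANY:
        return True
    if narrow == ANY:
        return False
    if isinstance(broad, IPv4Network) and isinstance(narrow, IPv4Network):
        return narrow.subnet_of(broad)
    return broad == narrow


def shadowed(rules):
    """Indices of rules that can never fire because some earlier rule is
    at least as broad in every field; such rules are dead policy."""
    dead = []
    for j, later in enumerate(rules):
        if any(all(_covers(getattr(earlier, f), getattr(later, f))
                   for f in ("proto", "src", "dst", "dport"))
               for earlier in rules[:j]):
            dead.append(j)
    return dead


if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.10.3.4", "10.0.5.10", 3128),
                Packet("tcp", "10.10.3.4", "93.184.216.34", 443)):
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed in MISORDERED:", shadowed(MISORDERED))
```

The deny rule at the end of RULES is what enforces "no Internet access" for the user LAN; with MISORDERED the same rule sits first and makes the three allow rules unreachable, which `shadowed()` reports. Running that check on a rule set before deployment is the practitioner's counterpart of the review the text asks for at the policy level.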

de jure standard

A standard that has been formally evaluated, approved, and ratified by a formal standards organization. Contrast with a de facto standard.

de facto standard

A standard that has been widely adopted or accepted by a public group rather than a formal standards organization. Contrast with a de jure standard.

managerial guidance SysSP

A systems-specific security policy that expresses management's intent for the acquisition, implementation, configuration, and management of a particular technology, written from a business perspective

technical specifications SysSP

A type of systems-specific security policy that expresses technical details for the acquisition, implementation, configuration, and management of a particular technology, written from a technical perspective. Typically the policy includes details on configuration rules, systems policies, and access control.

policy administrator

An employee responsible for the creation, revision, distribution, and storage of a policy in an organization

access control matrix

An integration of access control lists (focusing on assets) and capability tables (focusing on users) that results in a matrix with organizational assets listed in the column headings and users listed in the row headings. The matrix contains ACLs in columns for a particular device or asset and capability tables in rows for a particular user

issue-specific security policy (ISSP

An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies

Policy Review and Modification

Because any document is only useful if it is up to date, each policy should contain procedures and a timetable for periodic review. As the organization's needs and technologies change, so must the policies that govern their use. This section should specify a methodology for reviewing and modifying the policy to ensure that users do not begin circumventing it as it grows obsolete

Information Security Elements

Defines information security. For example: "Protecting the confidentiality, integrity, and availability of information while in processing, transmission, and storage, through the use of policy, education and training, and technology ..." This section can also lay out security definitions or philosophies to clarify the policy.

Just like governments, corporations and other organizations have guiding documents— corporate charters or partnership agreements—as well as appointed or elected leaders or officers, and planning and operating procedures. These elements in combination provide

Corporate Governance

Information Security Responsibilities and Roles

Defines the organizational structure designed to support information security within the organization. Identifies categories of people with responsibility for information security (IT department, management, users) and those responsibilities, including maintenance of this document.

Management must define three types of security policy, according to Special Publication (SP) 800-14 of the National Institute of Standards and Technology (NIST):

1. Enterprise information security policies
2. Issue-specific security policies
3. Systems-specific security policies

practices

Examples of actions that illustrate compliance with policies. If the policy states to "use strong passwords, frequently changed," the practices might advise that "according to X, most organizations require employees to change passwords at least semi-annually."

corporate governance

Executive management's responsibility to provide strategic direction, ensure the accomplishment of objectives, oversee that risks are appropriately managed, and validate responsible resource use.

Arthur Andersen and Enron

I obstructed justice,"

Limitations of Liability

If an employee is caught conducting illegal activities with the organization's equipment or assets, management does not want the organization held liable. The policy should state that if employees violate a company policy or any law using com- pany technologies, the company will not protect them, and the company is not liable for their actions. In fact, many organizations assist in the prosecution of employees who violate laws when their actions violate policies. It is assumed that such violations occur without knowledge or authorization by the organization.

Several approaches are used to create and manage ISSPs within an organization. Three of the most common are:

1. Independent ISSP documents, each tailored to a specific issue
2. A single comprehensive ISSP document that covers all issues
3. A modular ISSP document that unifies policy creation and administration while maintaining each specific issue's requirements

For examples of ISSP policies and recommendations for how to prepare them, we recommend using _____________ , published by Information Shield. The book includes a wide variety of working policy documents and can assist in defining which are needed and how to create them.

Information Security Policies Made Easy by Charles Cresson Wood

Each operating unit within an organization also has controlling customs, processes, committees, and practices. The information security group's leadership monitors and manages all of the organizational structures and processes that safeguard information. _____________ then applies these principles and management structures to the information security function.

Information security governance

information security blueprint or framework.

It defines the purpose, scope, constraints, and applicability of the security program. It also assigns responsibilities for the various areas of security, including systems administration, maintenance of the information security policies, and the practices and responsibilities of users.

guidelines

Nonmandatory recommendations the employee may use as a reference in complying with a policy. If the policy states to "use strong passwords, frequently changed," the guidelines might advise that "we recommend you don't use family or pet names, or parts of your Social Security number, employee number, or phone number in your password."

Managers and employees use ________ derived from tactical planning to organize the ongoing, day-to-day performance of tasks. An operational plan includes the necessary tasks for all relevant departments as well as communication and reporting requirements, which might include weekly meetings, progress reports, and other associated tasks. These plans must reflect the organizational structure, with each subunit, department, or project

Operational Planning

systems-specific security policies (SysSPs)

Organizational policies that often function as standards or procedures to be used when configuring or maintaining systems. SysSPs can be separated into two general groups—managerial guidance and technical specifications—but may be written as a single unified SysSP document

Schedule of Reviews

Policies can only retain their effectiveness in a changing environment if they are periodically reviewed for currency and accuracy and then modified accordingly. Policies that are not kept current can become liabilities as outdated rules are enforced (or not) and new requirements are ignored.

what is the relationships among policies, standards, guidelines, procedures, and practices

Policies: sanctioned by management
Standards: detailed minimum specifications for compliance
Guidelines: recommendations for compliance
Procedures: step-by-step instructions for compliance

Violations of Policy

The people to whom the policy applies must understand the penalties and repercussions of violating it. Violations of policy should carry penalties that are appropriate—neither draconian nor overly lenient. This section of the policy statement should contain not only specific penalties for each category of violation, but instructions for how people in the organization can report observed or suspected violations.

Statement of Policy

The policy should begin with a clear statement of purpose—in other words, what exactly is this policy supposed to accomplish? Consider a policy that covers the issue of fair and responsible Internet use. The introductory section of this policy should address the following questions: What is the scope of this policy? Who is responsible and accountable for policy implementation? What technologies and issues does it address?

strategic planning

The process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort.

Systems Management

The systems management section of the ISSP policy statement focuses on the users' relationship to systems management. Specific rules from management

These specifications frequently take the form of complex matrices rather than simple lists or tables, resulting in an _______________ that combines the information in ACLs and capability tables.

These specifications frequently take the form of complex matrices rather than simple lists or tables, resulting in an access control matrix that combines the information in ACLs and capability tables.

Authorized Access and Usage of Equipment

This section of the policy statement addresses who can use the technology governed by the policy, and what it can be used for. Remember that an organization's information systems are its exclusive property, and users have no particular rights of use. Each technology and process is provided for business operations. Use for any other purpose constitutes misuse of equipment. This section defines "fair and responsible use" of equipment and other organizational assets and should address key legal issues, such as protection of personal information and privacy.

Prohibited Use of Equipment

Unless a particular use is clearly prohibited, the organization cannot penalize its employees for misuse. For example, the following can be prohibited: personal use, disruptive use or misuse, criminal use, offensive or harassing materials, and infringement of copyrighted, licensed, or other intellectual property. As an alternative approach, categories 2 and 3 of Table 4-2 can be collapsed into a single category called "Appropriate Use." Many organizations use such an ISSP section to cover both categories.

Technical Specifications SysSPs

While a manager can work with a systems administrator to create managerial policy, as described in the preceding section, the systems administrator in turn might need to create a policy to implement the managerial policy. Each type of equipment requires its own set of policies, which are used to translate management's intent for the technical control into an enforceable technical approach. For example, an ISSP may require that user passwords be changed quarterly; a systems administrator can implement a technical control within a specific application to enforce this policy. There are two general methods of implementing such technical controls: access control lists and configuration rules.

information security policy

Written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets

the EISP

addresses legal compliance. According to NIST, the EISP typically addresses compliance in two areas:

To demonstrate due diligence

an organization must actively seek to meet the requirements of the market in which it operates. This applies to government, academic, and nonprofit organizations as well as private, for-profit organizations. A properly organized schedule of reviews should be defined and published as part of the document. Typically, a policy should be reviewed at least annually to ensure that it is still an effective control.

Strategic plans formed at the highest levels of the organization are used to create

an overall corporate strategy. As lower levels of the organizational hierarchy are involved (moving down the hierarchy), the plans from higher levels are evolved into more detailed, more concrete planning. So, higher-level plans are translated into more specific plans for intermediate layers of management.

Tactical planning

focuses on short-term undertakings that will be completed within one or two years. The process of tactical planning breaks each strategic goal into a series of incremental objectives. Each objective in a tactical plan should be specific and should have a delivery date within a year of the plan's start.

When the EISP has been developed, the CISO begins

forming the security team and initiating necessary changes to the information security program.

The governance of information security

is a strategic planning responsibility whose importance has grown in recent years. To secure information assets, management must integrate information security practices into the fabric of the organization, expanding corporate governance policies and controls to encompass the objectives of the information security process.

A capabilities table

is similar to an ACL, but it focuses on users, the assets they can access, and what they can do with those assets. In some systems, capability tables are called user profiles or user policies.
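The three structures the page describes, an ACL as the asset-centred view, a capability table as the user-centred view, and the access control matrix that combines them, together with the "when" and "where" dimensions listed earlier under Access Control Lists, as an added Python example that is not from the textbook. The users, assets, rights, the office-hours window and the network range are constructed sample data; the decision function is default-deny, so a request with no time or source address supplied is refused when the entry carries such a condition.

```python
"""ACL, capability table and access control matrix (added example).

The users, assets, rights and the when/where conditions are constructed
sample data, not taken from the textbook.
"""
from datetime import time
from ipaddress import ip_address, ip_network

# ACLs are kept per asset: for each asset, which subjects hold which rights.
ACLS = {
    "payroll-db": {"alice": {"read", "write"}, "bob": {"read"}},
    "fw-01":      {"bob": {"admin"}},
    "hr-share":   {"alice": {"read"}, "carol": {"read", "write"}},
}

# Optional "when" and "where" restrictions on a single ACL entry.
# Bob may read the payroll database only during office hours and only
# from the office network (constructed values).
CONDITIONS = {
    ("payroll-db", "bob"): {
        "window": ("08:00", "18:00"),
        "networks": [ip_network("10.1.0.0/16")],
    },
}


def acl(asset):
    """Asset-centred view: who may do what to this one asset."""
    return {user: set(rights) for user, rights in ACLS.get(asset, {}).items()}


def capability_table(user):
    """Subject-centred view: which assets this user may touch, and how."""
    return {asset: set(entries[user]) for asset, entries in ACLS.items()
            if user in entries}


def access_matrix():
    """Rows are users (their capability tables), columns are assets
    (their ACLs); an empty cell means no access."""
    users = sorted({u for entries in ACLS.values() for u in entries})
    assets = sorted(ACLS)
    return {u: {a: sorted(ACLS[a].get(u, ())) for a in assets} for u in users}


def is_permitted(user, asset, right, at=None, source_ip=None):
    """Decide one request: the entry must exist, grant the right, and
    every attached when/where condition must be satisfied. Anything
    missing or unknown (no time, no source address) is denied."""
    rights = ACLS.get(asset, {}).get(user, set())
    if right not in rights:
        return False
    cond = CONDITIONS.get((asset, user), {})
    if "window" in cond:
        if at is None:
            return False
        start, end = (time.fromisoformat(t) for t in cond["window"])
        if not start <= time.fromisoformat(at) <= end:
            return False
    if "networks" in cond:
        if source_ip is None:
            return False
        if not any(ip_address(source_ip) in net for net in cond["networks"]):
            return False
    return True


if __name__ == "__main__":
    for user, row in access_matrix().items():
        print(user, row)
    print(is_permitted("bob", "payroll-db", "read", at="09:30", source_ip="10.1.4.7"))
```

The same data answers both questions the text distinguishes: `acl("payroll-db")` lists who may touch that asset, `capability_table("bob")` lists what Bob may touch, and `access_matrix()` lays both out as the matrix the text describes, with users as rows and assets as columns.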

Policies function like

laws in an organization because they dictate acceptable and unacceptable behavior there, as well as the penalties for failure to comply.

Governmental agencies view security policy in terms of

national security and national policies to deal with foreign states. A security policy can also communicate a credit card agency's method for processing credit card numbers. In general, a security policy is a set of rules that protects an organization's assets. An information security policy provides rules for protection of the organization's information assets.

The chief information security officer (CISO) and security managers use the tactical plan to

organize, prioritize, and acquire resources necessary for major projects and to provide support for the overall strategic plan.

Management from all communities of interest, including general staff, information technology, and information security, must make _______ the basis for all information security planning, design, and deployment.

policies

Just as information systems and information security projects must have champions and managers, so must policies. The policy manager is often called the

policy administrator

Tactical plans often include

project plans and resource acquisition planning documents (such as product specifications), project budgets, project reviews, and monthly and annual reports.

Statement of Purpose

Answers the question "What is this policy for?" Provides a framework that helps the reader understand the intent of the document. Can include text such as the following: "This document will:
• Identify the elements of a good security policy
• Explain the need for information security
• Specify the various categories of information security
• Identify the information security responsibilities and roles
• Identify appropriate levels of security through standards and guidelines
This document establishes an overarching security policy and direction for our company. Individual departments are expected to establish standards, guidelines, and operating procedures that adhere to and reference this policy while addressing their specific and individual needs."

While issue-specific policies are formalized as written documents readily identifiable as policy, ____________ sometimes have a different look. SysSPs often function as standards or procedures to be used when configuring or maintaining systems. For example, a SysSP might describe the configuration and operation of a network firewall.

systems-specific security policies (SysSPs)

That layer of strategic planning by function (such as financial, IT, and operations strategies) is then converted into

tactical planning for supervisory managers and eventually provides direction for the operational plans undertaken by non-management members of the organization. This multi-layered approach encompasses two key objectives: general strategy and overall strategic planning. First, general strategy is translated into specific strategy; second, overall strategic planning is translated into lower-level tactical and operational planning.

Governance describes

the entire function of controlling, or governing, the processes used by a group to accomplish some objective. It represents the strategic controlling function of an organization's senior management, which is designed to ensure informed, prudent strategic decisions made in the best interest of the organization.

As an organization supports routine operations by executing various technologies and processes, it must instruct employees on their proper use. In general, _______________ (1) addresses specific areas of technology as listed below, (2) requires frequent updates, and (3) contains a statement about the organization's position on a specific issue. An ISSP may cover the following topics, among others:
• E-mail
• Use of the Internet and World Wide Web
• Specific minimum configurations of computers to defend against worms and viruses
• Prohibitions against hacking or testing organization security controls
• Home use of company-owned computer equipment
• Use of personal equipment on company networks (BYOD: bring your own device)
• Use of telecommunications technologies, such as fax and phone
• Use of photocopy equipment
• Use of portable storage devices such as USB memory sticks, backpack drives, game players, music players, and any other device capable of storing digital files
• Use of cloud-based storage services that are not self-hosted by the organization or engaged under contract; such services include Google Drive, Dropbox, and Microsoft Live

the issue-specific security policy, or ISSP

The process of strategic planning seeks to

transform broad, general, sweeping statements into more specific and applied objectives.
