Information Security Policy | Lecture Notes PDF

Summary

These lecture notes from the University of Sharjah cover information security policy. The notes discuss policy development, including the role of policy in an information security program, why it is essential to understand the basics of policy to guide user behavior, the types of policies, and how to implement effective strategies. These notes provide a comprehensive overview of the strategic planning process.

Full Transcript

LECTURE 4 – INFORMATION SECURITY POLICY
1502373 - INFORMATION SECURITY MANAGEMENT
SPRING 2024-25
M5 – 220
[email protected]
Dr. Saddaf Rubab

“Each problem that I solved became a rule which served afterwards to solve other problems.” - RENE DESCARTES

INTRODUCTION
- The success of any information security program lies in policy development.
- Policy is the essential foundation of an effective information security program.
- Information security policies are significant to virtually everything that happens in the information security field.
- An effective information security training and awareness effort cannot be initiated without writing information security policies.

NIST – EXECUTIVE GUIDE TO THE PROTECTION OF INFORMATION RESOURCES
“The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency. Your primary responsibility is to set the information resource security policy for the organization within the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality.” (NIST SP 500-169)

BASIC RULES IN SHAPING A POLICY
- Policy should never conflict with law.
- Policy must be able to stand up in court, if challenged.
- Policy must be properly supported and administered.
  Example: Enron’s dubious business practices and misreporting of the financial records; the accountants’ policy of shredding working papers.
- A quality information security program begins and ends with policy.
- Although information security policies are the least expensive means of control to execute, they are often the most difficult to implement.

WHY POLICY
- Policy controls cost only the time and effort that the management team spends to create, approve and communicate them, and that employees spend integrating the policies into their daily activities.
- The cost of hiring a consultant is minimal compared to technical controls.

GUIDELINES FOR POLICY FORMATION
- Ensure responsibility – Management must ensure the adequate sharing of responsibility for proper use of information systems.
- End user – End users of information systems should be involved in the steps of policy formulation.
- Contribute – All policies must contribute to the success of the organization.

BULL’S EYE MODEL
- Proven mechanism for prioritizing complex changes.
- Issues are addressed by moving from the general to the specific.
- Focus on systemic solutions instead of individual problems.

BULL’S EYE MODEL – LAYERS
- Policies – the outer layer and the initial viewpoint. Policy is available from the published documents that express the will of management and seek to guide user behavior.
- Networks – the place where threats from public networks meet the organization’s networking infrastructure; in the past, most information security efforts have focused on networks, and until recently information security was often thought to be synonymous with network security.
- Systems – computers being used as servers, desktop computers, and systems used for process control and manufacturing systems.
- Applications – all application systems, ranging from packaged applications such as office automation and e-mail programs, to high-end ERP packages and custom application software developed by the organization.

POLICY, STANDARDS, AND PRACTICES
- Policy represents the formal statement of the organization’s managerial philosophy; in the case of our focus, the organization’s information security philosophy.
- Traditionally, communities of interest use policy to express their views, which then become the basis of planning, management and maintenance of the information security profile.
- Policies – a set of rules that dictate acceptable and unacceptable behavior within an organization.
- Policies should not specify the proper operation of equipment or software.

POLICY, STANDARDS, AND PRACTICES (CONTD…)
- Policies must specify the penalties for unacceptable behavior and define an appeals process.
- To execute the policy, the organization must implement a set of standards that clarify and define exactly what is inappropriate in the workplace and to what degree the organization will act to stop the inappropriate behavior.
- Standard – a more detailed statement of what must be done to comply with policy.
- Technical controls and their associated procedures might be established such that the network blocks access to pornographic websites.

POLICY, STANDARDS, AND PRACTICES – THE QUESTION EACH LEVEL ANSWERS
- Policy: Why do I need to do this?
- Standards: What is required?
- Guidelines: What is the recommended guidance?
- Procedures: How do I do it?
(The slides illustrate each level with an example.)

TYPES OF INFOSEC POLICIES
- Based on NIST Special Publication 800-14, the three types of information security policies are:
  - Enterprise information security policy (EISP)
  - Issue-specific security policy (ISSP)
  - System-specific security policy (SysSP)
- The usual procedure:
  - First – creation of the enterprise information security policy, the highest level of policy.
  - Next – the general policies are met by developing issue- and system-specific policies.

ENTERPRISE INFORMATION SECURITY POLICY (EISP)
- EISP sets the strategic direction, scope, and tone for all of an organization’s security efforts.
- EISP assigns responsibilities for the various areas of information security, including maintenance of information security policies and the practices and responsibilities of other users.
- EISP guides the development, implementation, and management requirements of the information security program.
- EISP should directly support the mission and vision statements.

INTEGRATING AN ORGANIZATION’S MISSION AND OBJECTIVES INTO THE EISP
EISP plays a number of vital roles:
- One of the important roles is to state the importance of InfoSec to the organization’s mission and objectives.
- InfoSec strategic planning derives from IT strategic planning, which is itself derived from the organization’s strategic planning.
- Policy will become confusing if the EISP does not directly reflect the above association.

EISP ELEMENTS
- An overview of the corporate philosophy on security.
- Information on the structure of the InfoSec organization and the individuals who fulfill the InfoSec role.
- Fully articulated responsibilities for security that are shared by all members of the organization.
- Fully articulated responsibilities for security that are unique to each role within the organization.

COMPONENTS OF A GOOD EISP
- Statement of Purpose
- Information Technology Security Elements
- Need for Information Technology Security
- Information Technology Security Responsibilities and Roles
- Reference to Other Information Technology Standards and Guidelines

ISSUE-SPECIFIC SECURITY POLICY (ISSP)
- Provides a common understanding of the purposes for which an employee can and cannot use a technology.
- Should not be presented as a foundation for legal prosecution or administrative enforcement.
- Protects both the employee and the organization from inefficiency and ambiguity.

EFFECTIVE ISSP
- Articulates expectations for use of technology-based systems.
- Identifies the processes and authorities that provide documented control.
- Guarantees the organization against liability for an employee’s inappropriate or illegal use of the system.

ISSP TOPICS – TECHNOLOGY AREAS TO TARGET
- Use of Internet, e-mail, phone, and office equipment
- Incident response
- Disaster/business continuity planning
- Minimum system configuration requirements
- Prohibitions against hacking/testing security controls
- Use of personal equipment on company networks
- Home use of company-owned systems

ISSP COMPONENTS
- Statement of Purpose – Outlines scope and applicability: what is the purpose and who is responsible for implementation.
- Authorized Uses – Users have no particular rights of use, outside those specified in the policy.
- Prohibited Uses – Common prohibitions: criminal use, personal use, misuse, and offensive materials.
- Systems Management – Users’ relationship to systems/assets management; outlines users’ and administrators’ responsibilities.

ISSP COMPONENTS (CONTD…)
- Violations of Policy – Penalties specified for each kind of violation; procedures for (often anonymously) reporting policy violations.
- Policy Review/Modification
- Limitations of Liability – limiting who is liable if any policy is violated.

ISSP IMPLEMENTATION
Three common approaches for creating/managing ISSPs:
- Create a modular ISSP document unifying overall policy creation/management while addressing specific details with respect to individual issues.
- Create individual independent ISSP documents, tailored for specific issues.
- Create a single ISSP document covering all issues.

SYSTEM-SPECIFIC SECURITY POLICY (SYSSP)
- SysSPs provide guidance and procedures for configuring specific systems, technologies, and applications:
  - Intrusion detection systems
  - Firewall configuration
  - Workstation configuration
- SysSPs are most often technical in nature, but can also be managerial.
- Separated into two groups, Technical Specifications and Managerial Guidance: guiding the application of technology to enforce higher-level policy (e.g. a firewall to restrict Internet access).

GUIDELINES FOR EFFECTIVE POLICY
- Developed using industry-accepted practices.
- Distributed using all appropriate methods.
- Reviewed or read by all employees.
- Understood by all employees.
- Formally agreed to by act or assertion.
- Uniformly applied and enforced.

DEVELOPING INFORMATION SECURITY POLICY
- Investigation Phase
- Analysis Phase
- Design Phase
- Implementation/Development Phase
- Maintenance Phase

POLICY DISTRIBUTION
- Hand policy to employees
- Post policy on a public bulletin board
- E-mail
- Intranet
- Document management system

POLICY COMPREHENSION
- Language:
  1. At a reasonable reading level
  2. With minimal technical jargon and management terminology
- Understanding of issues: assessments

POLICY COMPLIANCE
- Policies must be agreed to by act or affirmation.
- Corporations incorporate policy confirmation statements into employment contracts and annual evaluations.

POLICY ENFORCEMENT
- High standards of due care with regard to policy management – to defend against claims made by terminated employees.
- Uniform and impartial enforcement – must be able to withstand external scrutiny.

AUTOMATED TOOLS
- VigilEnt Policy Center – a centralized policy approval and implementation center:
  - Manages the approval process
  - Reduces the need to distribute paper copies
  - Manages policy acknowledgement forms

VIGILENT POLICY CENTER ARCHITECTURE
(Architecture diagram slide.)

COMPLIANCE SHIELD – ANOTHER TOOL
(Screenshot slide.)

POLICY MANAGEMENT – NIST SP 800-18 REV 1
- Policy administrator – a champion, a mid-level staff member:
  - Solicits input from the business and information security communities
  - Makes sure the policy document and subsequent revisions are distributed
- Review schedule – periodically reviewed for currency and accuracy, and modified to keep current:
  - Organized schedule of review
  - Reviewed at least annually
  - Solicit input from representatives of all affected parties, management, and staff
- Review procedures and practices – easy submission of recommendations; all comments examined; management-approved changes implemented.
- Policy and revision dates – should include date of origin, revision dates, and expiration date.

INFORMATION SECURITY POLICY – ANY APPROACH
(Diagram slide.)

FINAL NOTE
- Policies are a countermeasure to protect assets from threats.
- Policies exist to inform employees of acceptable (and unacceptable) behavior.
- Policies are meant to improve employee productivity and prevent potentially embarrassing situations.
- Policies communicate penalties for noncompliance.

REFERENCES
- Chapter 04 – Michael, E. W., Herbert, J. M. (2016). Management of Information Security. ISBN: 9781337405713
