System Security: Lecture 2 PDF
Princess Nourah Bint Abdulrahman University
Dr Tahani Aljohani
Summary
This lecture provides an overview of information security policies, standards, guidelines, and baselines. It covers topics such as organizational, security program, user, and system controls.
Full Transcript
System Security: Lecture 2. Security Policies and Plans. Dr Tahani Aljohani

Information Security Policy Basics
Information security policy is the general term for any document that conveys an element of the security program in order to enforce organizational security goals and objectives.

Information Security Policy
Information security policies are the highest level of the information security policy set. They are approved and issued by the senior management of the organization as its expectations for the overall security program, system controls, and user behavior. Information security policies are mandatory: all information systems and users are expected to conform to the policy statements. An example policy statement may read: "The organization shall ensure that all information systems implement authentication with sufficient strength of mechanism for their intended use."

Key characteristics of information security policies include:
- Overarching guidance: They establish the overall direction for the organization's security program.
- Mandated compliance: All systems and users are expected to adhere to the policies.
- Senior management approval: Policies are typically approved by top-level executives.

Four Levels of Information Security Policies
Organizational level: These policies provide a high-level overview of the organization's commitment to information security and define its overall security goals and objectives. Examples include:
- General security policy
- Data classification policy
- Risk management policy

Security program level: These policies outline the specific measures and processes that the organization will implement to achieve its security goals. Examples include:
- Incident response policy
- Business continuity plan
- Access control policy

User level: These policies govern the behavior of individuals within the organization and establish rules for using information systems and data. Examples include:
- Acceptable use policy
- Password policy
- Social media policy

System level: These policies focus on the technical aspects of information security and provide guidelines for managing systems and networks. Examples include:
- Network security policy
- Firewall policy
- Encryption policy

Information Security Standards
Information security standards are specific rules or guidelines that must be followed to achieve the objectives outlined in information security policies. They provide a more granular level of detail than policies, specifying the exact procedures, technologies, or practices that need to be implemented. An example standard statement may read: "The organization shall ensure that for password-based authentication, all information systems enforce the following minimum parameter settings: (a) password complexity: 8 characters with both numeric and alphabetic characters, (b) password lifetime: 60 days maximum, 1 day minimum, (c) password reuse: 6 generations."

Key characteristics of information security standards:
- Detailed requirements: Standards provide specific instructions or specifications.
- Policy-based: They are derived from and support overarching policies. For example, the information security policy document "System Protection Policy" would have a corresponding information security standard document "System Protection Standard."
- Mandatory compliance: Organizations must adhere to standards to ensure compliance with policies.

Examples of information security standards:
- Password complexity standards: Specify minimum requirements for passwords, such as length, character types, and frequency of changes.
- Data encryption standards: Define the encryption algorithms and key management practices that must be used to protect sensitive data.
- Access control standards: Outline the rules and procedures for granting and revoking access to information systems and data.

Information Security Guidelines
- Refinement of policies: Guidelines provide more specific instructions on how to achieve the security goals outlined in policies.
- Non-mandatory: Unlike standards, which are mandatory, guidelines are optional. They suggest ways to improve security but are not strictly required.
- Methods, techniques, and devices: Guidelines offer recommendations for specific tools, strategies, and technologies that can enhance security.
- Approval process: While guidelines can be formally approved by senior management, they often do not require the same level of approval as policies or standards.
- Subject matter experts: Sometimes security professionals can create and share guidelines without formal approval.

Cloud security guidelines:
- Data privacy: Suggest best practices for protecting sensitive data stored in the cloud.
- Access control: Recommend measures for controlling access to cloud resources.
- Data backup and recovery: Suggest guidelines for backing up and recovering data stored in the cloud.

Mobile device security guidelines:
- Device management: Recommend using mobile device management (MDM) tools to enforce security policies.
- Data encryption: Suggest encrypting sensitive data on mobile devices.
- App store security: Recommend guidelines for selecting and using secure mobile apps.

Information Security Baselines
Information security baselines (also called benchmarks) are mandatory minimum security controls for a selected area or application. They are also a refinement of the security requirements in the information security policies, but they are used for devices, applications, or other areas where a number of settings, parameters, and activities are related to the effectiveness of a security control. An example baseline statement may read: "When deploying a browser within the production environment, organizations shall implement the associated United States Government Configuration Baseline (USGCB) for the browser." The USGCB is a configuration baseline for various operating systems and applications and covers security settings and parameters for the specific application.

- Settings and parameters: Baselines often involve numerous specific configurations to address known vulnerabilities.
- Vulnerability updates: Baselines need to be regularly updated as new vulnerabilities are discovered.
- Organizational resources: Many organizations lack the resources to maintain up-to-date baselines.
- External organizations: Organizations often rely on external sources such as NIST, CIS, and security product vendors for baseline creation and maintenance.

In summary, information security baselines are a set of specific security requirements designed to address known vulnerabilities in applications or systems. They are often complex, requiring extensive knowledge and resources to maintain. Many organizations rely on external experts to create and update baselines so that their security measures remain effective and up to date.

Information Security Procedures
Information security procedures are step-by-step instructions for the implementation of security controls or processes dictated in the information security policies, standards, guidelines, or baselines. They are also a refinement of the security requirements in the information security policies, but they provide the "how" and the "who." For example, an information security procedure in support of an account management/account initialization policy or standard would provide detailed instructions and screenshots for how an account is created, assigned rights, and communicated to the user.

Examples of procedures:
- Incident response procedures: Outline the steps to be taken in the event of a security incident.
- Password management procedures: Specify the rules and procedures for creating, storing, and changing passwords.
- Access control procedures: Define the processes for granting and revoking access to information systems and data.

The Importance of Documenting Procedures
Documenting procedures is crucial for several reasons:
- Clarity and consistency: Documentation provides a clear and consistent approach to tasks, ensuring that everyone involved understands their roles and responsibilities.
- Efficiency: Well-documented procedures can streamline processes, reducing errors and improving efficiency.
- Compliance: Documentation helps organizations demonstrate compliance with regulations and industry standards.
- Knowledge transfer: Procedures serve as a valuable resource for training new employees or for reference during audits.
- Collaboration: Documentation facilitates collaboration among the different departments and roles involved in a process.

Examples of Information Security Policy Types Using a File System
Policies:
- General security policy: States that all files on the file system must be encrypted at rest and in transit.
- Access control policy: Defines the roles and permissions for accessing files on the file system. For example, administrators may have full access, while regular users may only have read-only access.
- Data classification policy: Specifies different levels of sensitivity for files (e.g., confidential, internal, public) and determines who can access each level.

Standards:
- Password complexity standard: Requires passwords for file system access to be at least 12 characters long, containing a combination of uppercase and lowercase letters, numbers, and symbols.
- Data retention standard: Defines the retention periods for different types of files on the file system. For example, financial records may need to be retained for seven years.

Procedures:
- Incident response procedure: Outlines the steps to be taken if a file system is compromised, such as isolating the affected system, notifying relevant parties, and restoring data.
- Backup and recovery procedure: Specifies the frequency and method for backing up files on the file system, as well as the process for recovering data in case of a loss.

Baselines:
- File system configuration baseline: Defines the minimum security settings for the file system, such as disabling guest accounts, enabling auditing, and setting appropriate permissions.
- Antivirus baseline: Specifies the minimum antivirus software requirements for the file system, including signature updates and scanning frequency.

Guidelines:
- Best practices for file sharing: Recommends using secure protocols (e.g., FTPS, SFTP) for sharing files over a network.
- Data encryption guidelines: Suggests using strong encryption algorithms and appropriate key management practices.

Exercise
Write information security policies for a cloud application.

Information Security Plans: An Overview
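A standard is only useful if its parameters can be enforced. The Python below is an added example, not part of the lecture: it encodes the password standard statement above (8 characters with alphabetic and numeric characters, 60-day maximum and 1-day minimum lifetime, 6 generations of reuse history) as checkable rules, and adds a second configuration for the 12-character file-system standard that appears later on this page. The PasswordStandard class and the function names are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class PasswordStandard:
    min_length: int                   # (a) complexity: minimum length
    require_alpha: bool = True        # (a) at least one alphabetic character
    require_digit: bool = True        # (a) at least one numeric character
    require_mixed_case: bool = False  # extra clauses used by the file-system standard
    require_symbol: bool = False
    max_age_days: int = 60            # (b) lifetime: maximum
    min_age_days: int = 1             # (b) lifetime: minimum
    history: int = 6                  # (c) reuse: generations that may not be reused

# The standard quoted in this section: 8 characters, alphabetic + numeric, 60/1 days, 6 generations.
LECTURE_STANDARD = PasswordStandard(min_length=8)
# The file-system standard given later on the page: 12 characters, upper/lower, digits, symbols.
FILE_SYSTEM_STANDARD = PasswordStandard(min_length=12, require_mixed_case=True, require_symbol=True)

def complexity_violations(pw: str, std: PasswordStandard) -> list[str]:
    """Clause (a): return the complexity rules the candidate breaks (empty list = compliant)."""
    v = []
    if len(pw) < std.min_length:
        v.append(f"shorter than {std.min_length} characters")
    if std.require_alpha and not any(c.isalpha() for c in pw):
        v.append("no alphabetic character")
    if std.require_digit and not any(c.isdigit() for c in pw):
        v.append("no numeric character")
    if std.require_mixed_case and not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        v.append("not mixed case")
    if std.require_symbol and all(c.isalnum() for c in pw):
        v.append("no symbol")
    return v

def lifetime_state(last_set: date, today: date, std: PasswordStandard) -> str:
    """Clause (b): 'locked' before the minimum age, 'expired' past the maximum, else 'valid'."""
    age = today - last_set
    if age < timedelta(days=std.min_age_days):
        return "locked"    # change refused: minimum lifetime not yet reached
    if age > timedelta(days=std.max_age_days):
        return "expired"   # change required: maximum lifetime exceeded
    return "valid"

def digest_for_history(pw: str) -> str:
    # Demo only: a production history store keeps salted, slow hashes and verifies each entry.
    return hashlib.sha256(pw.encode()).hexdigest()

def reuse_violation(new_pw: str, history_digests: list[str], std: PasswordStandard) -> bool:
    """Clause (c): the candidate may not match any of the last `history` generations."""
    return digest_for_history(new_pw) in history_digests[-std.history:]
```

Swapping `LECTURE_STANDARD` for `FILE_SYSTEM_STANDARD` shows how the same policy-level requirement ("sufficient strength of mechanism") is refined into different concrete parameters by different standards.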