Cybersecurity Policy PDF
Indian Institute of Technology Madras
Saji K Mathew, PhD
Summary
This document is a cybersecurity policy presented by Saji K Mathew, PhD, from the Indian Institute of Technology Madras. The policy details the importance of policies, standards, and practices in information security. It also outlines different types of information security policies, their components, and implementation.
Full Transcript
Cyber Security and Privacy MS6880
Cybersecurity policy
Saji K Mathew, PhD
Professor, Management Studies
INDIAN INSTITUTE OF TECHNOLOGY MADRAS

Policy influences progress
- India's policy landmarks
  - Industrial policy: 1949
  - Entry of foreign players restricted: 1972
  - New Computer Policy: 1984
  - Policy on Computer Software Export, Development, and Training: 1986
  - Software Technology Park (STP): 1990
  - Economic liberalization: 1991

Policy influences behavior
Source: Richard Heeks, https://ict4dblog.wordpress.com/author/richardheeks/page/4/
Policy influences individual behavior (Moody et al., 2018)

Introduction
- Policy is the essential foundation of an effective information security program
- Some basic rules must be followed when shaping a policy:
  - Never conflict with law
  - Stand up in court
  - Properly supported and administered
  - Contribute to the success of the organization
  - Involve end users of information systems

Slide 5: The Bulls-eye Model
Policies are important reference documents for internal audits and for the resolution of legal disputes about management's due diligence, and policy documents can act as a clear statement of management's intent.

Slide 6: Policies, Standards, and Practices
- Policy is a plan or course of action that influences and determines decisions
- Standards are a more detailed statement of what must be done to comply with policy
- Practices, procedures, and guidelines explain how employees will comply with policy
- Policy must be properly disseminated, read, understood, and agreed to
- Security Education, Training, and Awareness (SETA)

Policy, Standards, and Practices
- Policies require constant modification and maintenance
- To produce a complete information security policy, management must define three types of information security policy:
  1. Enterprise information security program policy (EISP)
  2. Issue-specific information security policies (ISSP)
  3. Systems-specific information security policies (SysSP)

Slide 8: Enterprise Information Security Policy (EISP)
- Sets strategic direction, scope, and tone for the organization's security efforts
- Assigns responsibilities for various areas of information security
- Guides development, implementation, and management requirements of the information security program

Slide 9: Components of the EISP
- Statement of Purpose: what the policy is for
- Information Technology Security Elements: defines information security
- Need for Information Technology Security: justifies the importance of information security in the organization
- Information Technology Security Responsibilities and Roles: defines the organizational structure
- References to Information Technology standards and guidelines

Slide 10: Issue-Specific Security Policy (ISSP)
- Provides detailed, targeted guidance to instruct the organization in secure use of technology systems, and begins with an introduction to the fundamental technological philosophy of the organization
- Documents how the technology-based system is controlled, and identifies the processes and authorities that provide this control
- ISSP requires frequent updates
- Serves to indemnify the organization against liability for an employee's inappropriate or illegal system use

ISSP issues/topics
- Contains a statement of the organization's position on an issue
- ISSP topics could include:
  - electronic mail
  - use of the Internet and the World Wide Web
  - specific minimum configurations of computers to defend against worms and viruses
  - prohibitions against hacking or testing organization security controls
  - home use of company-owned computer equipment
  - use of personal equipment on company networks
  - use of telecommunications technologies

Slide 12: Components of the ISSP
- Statement of purpose
  - Scope and applicability
  - Definition of technology addressed
  - Responsibilities
- Authorized access and usage of equipment
  - User access
  - Fair and responsible use
  - Protection of privacy

Slide 13: Components of the ISSP (contd)
- Prohibited usage of equipment
  - Disruptive use or misuse
  - Criminal use
  - Offensive or harassing materials
  - Copyrighted, licensed, or other intellectual property
  - Other restrictions
- Systems management
  - Management of stored materials
  - Employer monitoring
  - Virus protection
  - Physical security
  - Encryption

Slide 14: Components of the ISSP (contd)
- Violations of policy
  - Procedures for reporting violations
  - Penalties for violations
- Policy review and modification
  - Scheduled review of policy and procedures for modification
- Limitations of liability
  - Statements of liability or disclaimers

Slide 15: Systems-Specific Policy (SysSP)
- Systems-specific policies (SysSPs) are created to function as standards or procedures to be used when configuring or maintaining systems
- SysSPs can be separated into:
  - Management guidance (e.g., how to configure a firewall)
  - Technical specifications (e.g., the configuration of the firewall)

Management Guidance SysSPs
- Created by management to guide the implementation and configuration of technology
- Applies to any technology that affects the confidentiality, integrity, or availability of information
- Informs technologists of management's intent

Slide 17: Technical Specifications SysSPs
- System administrators' directions on implementing managerial policy
- Each type of equipment has its own type of policies
- There are two general methods of implementing such technical controls:
  - Access control lists
  - Configuration rules

Slide 18: Access Control Lists
- Include the user access lists, matrices, and capability tables that govern rights and privileges
- A similar method that specifies which subjects and objects users or groups can access is called a capability table
- These specifications are frequently complex matrices, rather than simple lists or tables
- In general, ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file

Slide 19: ACLs
- In general, ACLs regulate:
  - Who can use the system
  - What authorized users can access
  - When authorized users can access the system
  - Where authorized users can access the system from
  - How authorized users can access the system
- Restrict what users can access, e.g., printers, files, communications, and applications
- Set privileges of Read, Write, Create, Modify, Delete, Compare, and Copy

Slide 20: Windows XP ACLs (figure only)

Slide 21: Configuration Rules
- Configuration rules are the specific configuration codes entered into security systems to guide the execution of the system when information is passing through it
- Rule policies are more specific to the operation of a system than ACLs, and may or may not deal with users directly
- Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process

Slide 22: Firewall Configuration Rules (figure only)

Slide 23: IDS Configuration Rules (figure only)

Slide 24: Design elements (cont.)
- SETA (security education, training, and awareness) program contains:
  - Security education
  - Security training
  - Security awareness
- Purpose:
  - Improving awareness
  - Developing skills and knowledge
  - Building in-depth knowledge
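As an added example, not from these slides, the following Python model implements the ACL dimensions listed on Slide 19 (who, what, when, where from, how) with the privilege names from that slide, denies by default, and derives the subject-centric capability table mentioned on Slide 18 from the same object-centric ACL. The objects, users, groups and network names are constructed sample data.

```python
from dataclasses import dataclass, field

# The privileges named on the slide.
PRIVILEGES = {"read", "write", "create", "modify", "delete", "compare", "copy"}

@dataclass
class AclEntry:
    """One ACL row: who may do what, when, from where, and how."""
    subject: str                  # who: a user or group name
    privileges: set               # what: subset of PRIVILEGES
    start: tuple = (0, 0)         # when: (hour, minute) window start, inclusive
    end: tuple = (23, 59)         # when: (hour, minute) window end, inclusive
    networks: set = field(default_factory=lambda: {"any"})  # where from
    methods: set = field(default_factory=lambda: {"any"})   # how: console, vpn, ...

# Object-centric ACL (object -> entries). Constructed sample data, not from the slides.
ACL = {
    "payroll.xlsx": [
        AclEntry("hr-staff", {"read", "copy"}, (8, 0), (18, 0), {"corp-lan"}, {"console"}),
        AclEntry("alice", {"read", "write", "modify"}, networks={"corp-lan", "vpn"}),
    ],
    "printer-3f": [AclEntry("all-staff", {"write"})],
}

def is_allowed(subject, groups, obj, privilege, at, network, method):
    """Default deny: grant only if a matching entry carries the requested privilege."""
    if privilege not in PRIVILEGES:
        return False  # unknown privilege names never match anything
    for e in ACL.get(obj, []):
        who = e.subject == subject or e.subject in groups
        when = e.start <= at <= e.end
        where = "any" in e.networks or network in e.networks
        how = "any" in e.methods or method in e.methods
        if who and when and where and how and privilege in e.privileges:
            return True
    return False

def capability_table(subject, groups):
    """Subject-centric view (capability table) derived from the same ACL."""
    caps = {}
    for obj, entries in ACL.items():
        for e in entries:
            if e.subject == subject or e.subject in groups:
                caps.setdefault(obj, set()).update(e.privileges)
    return caps
```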