Lecture Notes for Postgraduates Students.ppt
Information Security
Policies: General Principles
Lecture_4
Introduction: What is Policy?
• POLICY: “A plan or course of action that influences decisions”
• Policy is the essential foundation of an effective
information security program
–“The success of an information resources protection program
depends on the policy generated, and on the attitude of
management toward securing information on automated systems”
• Policy maker sets the tone and emphasis on the
importance of information security
Security Policy PURPOSES
• The basic purposes of policy are that it should:
–Protect people and information
–Set the rules for expected behaviour by users, system administrators, management, and security personnel
–Authorize security personnel to monitor, probe, and investigate
–Define and authorize the consequences of violation
–Define the company consensus baseline stance on security
–Help minimize risk
–Help track compliance with regulations and legislation
Security Policy OBJECTIVES
• Policy objectives
–a) Reduced risk
–b) Compliance with laws and regulations
–c) Assurance of operational continuity, information integrity, and confidentiality
• For policies to be EFFECTIVE they must be properly disseminated, read, understood, agreed to, and uniformly enforced
• Policies require CONSTANT modification and maintenance
Why Policy?
• A quality information security program begins and
ends with policy
• Policies are the least expensive means of control and
often the most difficult to implement
• Basic rules for shaping a policy
–Policy should never conflict with law
–Policy must be able to stand up in court if challenged
–Policy must be properly supported and administered
Why Policy? (cont’d.)
[Figure]
Why Policy? (cont’d.)
• Bull’s-eye model layers
–Policies: first layer of defense
–Networks: threats first meet the organization’s
network
–Systems: computers and manufacturing
systems
–Applications: all applications systems
Why Is Policy Important?
• Policies are important reference documents
–For internal audits
–For the resolution of legal disputes about management's due diligence
–Policy documents can act as a clear statement of management's intent
• REFERENCES FOR DEVELOPING SECURITY PLANS: SP 800-18 Rev. 1 (NIST)
• Can be freely downloaded from: http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf
Examples of Information Security Policy
• Bluetooth Device Security Policy
–This policy provides for more secure Bluetooth Device operations. It protects the
company from loss of Personally Identifiable Information (PII) and proprietary
company data.
• Dial-in Access Policy
–Defines appropriate dial-in access and its use by authorized personnel.
• Ethics Policy
–Defines the means to establish a culture of openness, trust and integrity in business
practices.
• Acquisition Assessment Policy
–Defines responsibilities regarding corporate acquisitions, and defines the minimum
requirements of an acquisition assessment to be completed by the information
security group.
Other Examples of IS Policy
• Information Sensitivity Policy
–Defines the requirements for classifying and securing the organization's information in a manner
appropriate to its sensitivity level.
• Internal Lab Security Policy
–Defines requirements for internal labs to ensure that confidential information and technologies are
not compromised, and that production services and interests of the organization are protected
from lab activities.
• Personal Communication Devices and Voicemail Policy
–Describes Information Security's requirements for Personal Communication Devices and Voicemail.
• Risk Assessment Policy
–Defines the requirements and provides the authority for the information security team to identify,
assess, and remediate risks to the organization's information infrastructure associated with
conducting business.
• Technology Equipment Disposal Policy (SANS Technology Institute White Paper)
• Web Application Security Assessment Policy
Policies, Standards, & Practices
• Types of information security policy
–1) Enterprise information security program policy (EISP)
–2) Issue-specific information security policies (ISSP), e.g. e-mail privacy or Internet connectivity approach
–3) Systems-specific policies (SysSP), e.g. acceptable use of workstations by system users for their actions on the system
• Standards
–A more detailed statement of what must be done to comply with policy
• Practices
–Procedures and guidelines explain how employees will comply with policy
Policies, Standards, & Practices
[Figure]
1) Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for
organization’s security efforts
• Assigns responsibilities for various areas of
information security
• Guides development, implementation, and
management requirements of information
security program
EISP Elements
• EISP documents should provide:
–An overview of the corporate philosophy on security
–Information about information security organization
and information security roles
• Responsibilities for security that are shared by
all members of the organization
• Responsibilities for security that are unique to
each role within the organization
Example EISP Components
• Statement of purpose
–What the policy is for
• Information technology security elements
–Defines information security
• Need for information technology security
–Justifies importance of information security in the organization
• Information technology security responsibilities
and roles
–Defines organizational structure
• Reference to other information technology
standards and guidelines
2) Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
–Instructs the organization in the secure use of technology systems
–Begins with an introduction to the fundamental technological philosophy of the organization
• Protects the organization from inefficiency and ambiguity
–Documents how the technology-based system is controlled
(ISSP)
• Protects organization from
inefficiency and ambiguity (cont’d.)
–Identifies the processes and authorities
that provide this control
• Indemnifies the organization against
liability for an employee’s
inappropriate or illegal system use
(ISSP)
• Every organization’s ISSP should:
–Address specific technology-based systems
–Require frequent updates
–Contain an issue statement on the organization’s position on an issue
(ISSP)
• ISSP topics
–Email and internet use
–Minimum system configurations
–Prohibitions against hacking
–Home use of company-owned computer equipment
–Use of personal equipment on company networks
–Use of telecommunications technologies
–Use of photocopy equipment
Components of the ISSP
• Statement of Purpose
–Scope and applicability
–Definition of technology addressed
–Responsibilities
• Authorized Access and Usage of Equipment
–User access
–Fair and responsible use
–Protection of privacy
Components of the ISSP (cont’d.)
• Prohibited Usage of Equipment
–Disruptive use or misuse
–Criminal use
–Offensive or harassing materials
–Copyrighted, licensed or other
intellectual property
–Other restrictions
Components of the ISSP (cont’d.)
• Systems management
–Management of stored materials
–Employer monitoring
–Virus protection
–Physical security
–Encryption
• Violations of policy
–Procedures for reporting violations
–Penalties for violations
Components of the ISSP (cont’d.)
• Policy review and modification
–Scheduled review of policy and procedures for modification
• Limitations of liability
–Statements of liability or disclaimers
Implementing the ISSP
• Common approaches
–Several independent ISSP documents
–A single comprehensive ISSP document
–A modular ISSP document that unifies policy creation and
administration
• The recommended approach is the modular policy
–Provides a balance between issue orientation and policy
management
3) System-Specific Security Policy
• System-specific security policies (SysSPs) frequently do not look like other types of policy
–They may function as standards or procedures to be used when configuring or maintaining systems
–E.g.: a) how to select, configure, or operate a firewall; b) an access control list that defines levels of access for each authorized user
• SysSPs can be separated into
–a) Management guidance
–b) Technical specifications
–c) Or combined in a single policy document
a) Managerial Guidance SysSPs
• Created by management to guide the implementation and configuration of technology
• Applies to any technology that affects the confidentiality, integrity or availability of information
• Informs technologists of management intent
b) Technical Specifications SysSPs
• System administrators’ directions on implementing managerial policy
• Each type of equipment has its own type of policies
• General methods of implementing technical controls
–a) Access Control List (ACL)
–b) Configuration rules
Technical Specifications SysSPs (cont’d.)
A) Access control lists
–Include the user access lists, matrices, and capability tables that govern the rights and privileges
–A similar method that specifies which subjects and objects users or groups can access is called a capability table
–These specifications are frequently complex matrices, rather than simple lists or tables
Technical Specifications SysSPs (cont’d.)
• Access control lists (cont’d.)
–Enable administrators to restrict access according to user, computer, time, duration, or even a particular file
• Access control lists regulate
–Who can use the system
–What authorized users can access
–When authorized users can access the system
Technical Specifications SysSPs (cont’d.)
• Access control lists regulate (cont’d.)
–Where authorized users can access the system from
–How authorized users can access the system
–Restricting what users can access, e.g. printers, files, communications, and applications
• Administrators set user privileges
–Read, write, create, modify, delete, compare, copy
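The who/what/when/where/how dimensions and the privilege list on the ACL slides above can be written down as a small default-deny evaluator, which also shows the relationship between an ACL and a capability table (the same matrix read per subject instead of per object). The Python below is an added example, not material from the lecture; the users, groups, objects, networks and rule entries are constructed sample data, and the type and function names are assumptions made here.

```python
"""Added example (not from the lecture): a default-deny ACL evaluator covering
who / what / when / where / how, plus the capability-table view of the same
matrix.  All users, objects, networks and rules below are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# The privileges named on the slide; any other name is treated as a policy typo.
PRIVILEGES = frozenset({"read", "write", "create", "modify", "delete", "compare", "copy"})


@dataclass(frozen=True)
class AclEntry:
    """One cell of the access control matrix (subject x object -> privileges)
    with the when / where / how limits the slides list."""
    subject: str                       # who: a user or group name
    obj: str                           # what: file, printer, application ...
    privileges: frozenset              # subset of PRIVILEGES granted
    start: time = time(0, 0)           # when: earliest time of day allowed
    end: time = time(23, 59, 59)       # when: latest time of day allowed
    networks: tuple = ("0.0.0.0/0",)   # where: allowed source networks (CIDR)
    methods: frozenset = frozenset({"console", "lan", "vpn"})  # how


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset     # groups the user belongs to, e.g. "everyone"
    obj: str
    privilege: str
    when: datetime
    source_ip: str
    method: str


def entry_matches(entry: AclEntry, req: AccessRequest) -> bool:
    """True only when every dimension of the entry covers the request."""
    if entry.subject != req.user and entry.subject not in req.groups:
        return False                                        # who
    if entry.obj != req.obj or req.privilege not in entry.privileges:
        return False                                        # what
    if not (entry.start <= req.when.time() <= entry.end):
        return False                                        # when (same-day window)
    src = ip_address(req.source_ip)
    if not any(src in ip_network(n) for n in entry.networks):
        return False                                        # where
    return req.method in entry.methods                      # how


def is_allowed(acl, req: AccessRequest) -> bool:
    """Default deny: grant only if some entry matches on all dimensions."""
    if req.privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege: {req.privilege!r}")
    return any(entry_matches(e, req) for e in acl)


def capability_table(acl, user: str, groups) -> dict:
    """Invert the ACL into the subject's capability table: object -> privileges.
    Time, place and method limits are ignored: this is the 'what could this
    subject ever touch' view an auditor reviews."""
    caps = {}
    for e in acl:
        if e.subject == user or e.subject in groups:
            caps.setdefault(e.obj, set()).update(e.privileges)
    return caps


# Constructed sample policy: finance may read/write payroll during office hours
# from the corporate network; only alice may delete it, and only from one
# subnet over the LAN; everyone may print (modelled as write to the printer).
SAMPLE_ACL = (
    AclEntry("finance", "payroll.xlsx", frozenset({"read", "write"}),
             start=time(8, 0), end=time(18, 0),
             networks=("10.0.0.0/8",), methods=frozenset({"lan", "vpn"})),
    AclEntry("alice", "payroll.xlsx", frozenset({"delete"}),
             networks=("10.0.5.0/24",), methods=frozenset({"lan"})),
    AclEntry("everyone", "printer-2f", frozenset({"write"})),
)
ALICE = frozenset({"finance", "everyone"})
OFFICE = datetime(2024, 3, 4, 10, 0)   # constructed timestamps for the demo
LATE = datetime(2024, 3, 4, 22, 0)


def decide(user, groups, obj, privilege, when, source_ip, method) -> bool:
    """Evaluate one request against SAMPLE_ACL."""
    return is_allowed(SAMPLE_ACL, AccessRequest(user, groups, obj, privilege,
                                                when, source_ip, method))


if __name__ == "__main__":
    print(decide("alice", ALICE, "payroll.xlsx", "read", OFFICE, "10.0.5.7", "lan"))
    print(decide("alice", ALICE, "payroll.xlsx", "read", LATE, "10.0.5.7", "lan"))
    print(capability_table(SAMPLE_ACL, "alice", ALICE))
```

Each dimension is an independent reason to refuse, so a request is granted only when an entry satisfies all of them; the capability view is what you would review when checking whether a subject's total rights are still the minimum the role needs.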
Technical Specifications SysSPs (cont’d.)
Figure 5: Windows XP ACL
Technical Specifications SysSPs (cont’d.)
B) Configuration rules
–Specific configuration codes entered into security systems
•Guide the execution of the system when information is passing through it
•Rule policies are more specific to system operation than ACLs
–May or may not deal with users directly
Technical Specifications SysSPs (cont’d.)
• Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process
Technical Specifications SysSPs (cont’d.)
Figure 6: Firewall configuration rules
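Figure 6 itself is not reproduced here. As an added example, not the lecture's own material, the Python below parses a constructed firewall rule script in a made-up "action proto src -> dst port" syntax, applies the ordered first-match / implicit-deny evaluation that rule-based systems use on each packet they process, and reports rules that an earlier rule already covers, which is a basic audit check on a rule set. The syntax, the sample rules, the addresses and the function names are all assumptions made here.

```python
"""Added example (not part of the lecture): a tiny rule-based packet filter.
The rule syntax, the sample rule set and the test packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: IPv4Network       # source network (IPv4 only in this example)
    dst: IPv4Network       # destination network
    port: Optional[int]    # destination port, None means any
    line: int              # line number in the script, for audit messages


def parse_rules(script: str) -> List[Rule]:
    """Parse lines of the form: action proto src_cidr -> dst_cidr port|any
    ('#' starts a comment).  Malformed lines raise instead of being skipped,
    so a typo cannot silently open or close a hole."""
    rules = []
    for n, raw in enumerate(script.splitlines(), 1):
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        parts = text.split()
        if len(parts) != 6 or parts[3] != "->":
            raise ValueError(f"line {n}: expected 'action proto src -> dst port'")
        action, proto, src, _, dst, port = parts
        if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
            raise ValueError(f"line {n}: bad action or protocol")
        dport = None if port == "any" else int(port)
        if dport is not None and not 0 < dport < 65536:
            raise ValueError(f"line {n}: port out of range")
        rules.append(Rule(action, proto, ip_network(src), ip_network(dst), dport, n))
    return rules


def matches(rule: Rule, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    return ((rule.proto == "any" or rule.proto == proto)
            and ip_address(src_ip) in rule.src
            and ip_address(dst_ip) in rule.dst
            and (rule.port is None or rule.port == dport))


def decide(rules, proto, src_ip, dst_ip, dport) -> Tuple[str, Optional[int]]:
    """First matching rule wins.  A packet no rule mentions is dropped
    (implicit deny), reported with line None."""
    for rule in rules:
        if matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action, rule.line
    return "deny", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet 'later' could match is already matched by 'earlier'."""
    return ((earlier.proto == "any" or earlier.proto == later.proto)
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and (earlier.port is None or earlier.port == later.port))


def shadowed_rules(rules) -> List[int]:
    """Line numbers of rules that can never fire because an earlier rule covers them."""
    return [later.line for j, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:j])]


# Constructed rule script for a small DMZ (10.0.1.0/24); line numbers count from 1.
SAMPLE_SCRIPT = """\
# constructed sample: DMZ filter
allow tcp 0.0.0.0/0  -> 10.0.1.10/32 443   # public web server
allow tcp 10.0.0.0/8 -> 10.0.1.20/32 22    # admin SSH from the inside only
allow udp 10.0.0.0/8 -> 10.0.1.53/32 53    # internal DNS
deny  any 0.0.0.0/0  -> 10.0.1.0/24  any   # explicit catch-all for the DMZ
allow tcp 10.0.0.0/8 -> 10.0.1.20/32 22    # duplicate: shadowed by line 3
"""
RULES = parse_rules(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(decide(RULES, "tcp", "198.51.100.7", "10.0.1.10", 443))   # ('allow', 2)
    print(decide(RULES, "tcp", "198.51.100.7", "10.0.1.20", 22))    # ('deny', 5)
    print(shadowed_rules(RULES))                                    # [6]
```

Because evaluation is ordered, the meaning of a rule depends on everything above it; the shadow check surfaces rules that say something the configuration no longer does, which is exactly the kind of ambiguity a written technical specification is meant to remove.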
Technical Specifications SysSPs (cont’d.)
• Often organizations create a single document combining elements of both management guidance and technical specifications SysSPs
• This can be confusing, but practical
• Care should be taken to articulate the required actions carefully as the procedures are presented
Guidelines for Effective Policy
• For policies to be effective, they must be properly:
–Developed using industry-accepted practices
–Distributed or disseminated using all appropriate methods
–Reviewed or read by all employees
–Understood by all employees
–Formally agreed to by act or assertion
–Uniformly applied and enforced
Develop Security Policy
• It is often useful to view policy development as a two-part project
–1st: design and develop the policy (or redesign and rewrite an outdated policy)
–2nd: establish management processes to perpetuate/carry on the policy within the organization
• The former is an exercise in project management, while the latter requires adherence to good business practices
Develop Security Policy (cont’d.)
• Policy development projects should be
–Well planned
–Properly funded
–Aggressively managed to ensure that the project is completed on time and within budget
• The policy development project can be guided by the SecSDLC process
Common Phases in Developing Security Policy
1) Investigation
2) Analysis
3) Design
4) Implementation
5) Maintenance
Developing Security Policy (cont’d.)
1) Investigation phase
–Obtain support from senior management, and active involvement of IT management, specifically the CIO
–Clearly articulate the goals of the policy project
–Gain participation of the correct individuals affected by the recommended policies
Developing Security Policy (cont’d.)
• Investigation phase (cont’d.)
–Involve legal, human resources and end-users
–Assign a project champion with sufficient stature and prestige
–Acquire a capable project manager
–Develop a detailed outline of and sound estimates for project cost and scheduling
Developing Security Policy (cont’d.)
2) Analysis phase should produce
–A new or recent risk assessment or IT audit documenting the current information security needs of the organization
–Key reference materials, including any existing policies
Developing Security Policy (cont’d.)
Figure 8: End user license agreement for Microsoft Windows XP
Developing Security Policy (cont’d.)
3) Design phase includes
–How the policies will be distributed
–How verification of the distribution will be accomplished
–Specifications for any automated tools
–Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified
Developing Security Policy (cont’d.)
4) Implementation phase includes
–Writing the policies
–Making certain the policies are enforceable as written
–Policy distribution is not always straightforward
–Effective policy is written at a reasonable reading level, and attempts to minimize technical jargon and management terminology
Developing Security Policy (cont’d.)
5) Maintenance phase
–Maintain and modify the policy as needed to ensure that it remains effective as a tool to meet changing threats
–The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously
–Periodic review should be built into the process
The Information Security Policies Made Easy (ISPME) Approach
• Gathering key reference materials
• Defining a framework for policies
• Preparing a coverage matrix
• Making critical systems design decisions
• Structuring review, approval, and enforcement processes
The Information Security Policies Made Easy (ISPME) Approach
• ISPME checklist
–Perform a risk assessment or information technology audit to determine your organization's unique information security needs
–Clarify the meaning of “policy” within your organization
–Ensure clear roles and responsibilities related to information security, including responsibility for issuing and maintaining policies
A Final Note on Policy
• Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy
–Policies exist, first and foremost, to inform employees of what is and is not acceptable behavior in the organization
–Policy seeks to improve employee productivity, and prevent potentially embarrassing situations
Law and Ethics in Information Security
• The rules the members of a society create to balance the individual rights to self-determination against the needs of the society as a whole are called laws. Laws are rules that mandate or prohibit certain behavior; they are drawn from ethics, which define socially acceptable behaviors.
Law and Ethics in Information Security
• The key difference between laws and ethics is that laws carry the authority of a governing body, and ethics do not. Ethics in turn are based on cultural mores: the fixed moral attitudes or customs of a particular group.
Policy Versus Law
• Within an organization, information security professionals help maintain security via the establishment and enforcement of policies. These policies are guidelines that describe acceptable and unacceptable employee behaviors in the workplace.
Policy Versus Law
• They function as organizational laws, complete with penalties, judicial practices, and sanctions to require compliance. Because these policies function as laws, they must be crafted and implemented with the same care to ensure that they are complete, appropriate, and fairly applied to everyone in the workplace.
Policy Versus Law
• The difference between a policy and a law, however, is that ignorance of a policy is an acceptable defense. Thus, for a policy to become enforceable, it must meet the following five criteria:
• Dissemination (distribution), Review (reading), Comprehension (understanding), Compliance (agreement), Uniform enforcement.
Types of Law
• Civil law comprises a wide variety of laws that govern a nation or state and deal with the relationships and conflicts between organizational entities and people.
• Criminal law addresses activities and conduct harmful to society, and is actively enforced by the state. Law can also be categorized as private or public.
• Private law encompasses family law, commercial law, and labor law, and regulates the relationship between individuals and organizations.
• Public law regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments. Public law includes criminal, administrative, and constitutional law.
Ethics and Information Security
From The Computer Ethics Institute
•Thou shalt not use a computer to harm other people.
•Thou shalt not interfere with other people’s computer work.
•Thou shalt not snoop around in other people’s computer files.
•Thou shalt not use a computer to steal.
•Thou shalt not use a computer to bear false witness.
Ethics and Information Security
• Thou shalt not copy or use proprietary software for which you have not paid.
• Thou shalt not use other people’s computer resources without authorization or proper compensation.
• Thou shalt not appropriate other people’s intellectual output.
• Thou shalt think about the social consequences of the program you are writing or the system you are designing.
• Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.