Info. Sec. Organization / Structure (cont.)

Transcription

1 Info. Sec. Organization / Structure (cont.) Identify Protect Detect Respond Recover

2 Info. Sec. Organization / Structure (cont.) Functions Related to Info. Sec. Program (cont.) Functions Performed by Business Units Outside IT Legal Training identify, protect... Functions Performed by IT Groups, but not Info Sec Systems Administration Network Administration protect, detect

3 Info. Sec. Organization / Structure (cont.) Functions Related to Info. Sec. Program (cont.) Functions Performed by Info Sec Department, or Possibly Outsourced Risk Assessment Vulnerability Assessment Incident Response Audit Functions Performed by Info Sec Department (Security) Policy (Security) Risk Management Data Security,

4 Info. Sec. Organization / Structure (cont.) Example: test your knowledge of security functions

5 Security Policy

6 Policy, Standard, Procedure NIST Cybersecurity Framework: 22 Core Functions (cont.) Protect Information Protection Processes and Procedures: manage protection of information & information systems in accordance to established policies, processes & procedures

7 Policy, Standard, Procedure (cont.) Example: Policy

8 Policy, Standard, Procedure (cont.) Security Policy foundation of an effective info. security system/program What is it? concise and easy to understand statement that: (1) defines a set of conditions that are critical for protecting organization s assets, and its ability to conduct business (2) defines general security practices that management expects employees and other stakeholders to follow Why do we need it? helps organizations demonstrate their commitment to protect their information assets and/or comply with law heightens security awareness of company personnel or third-party users/customers

9 Policy, Standard, Procedure (cont.) Example: Organization without policy Consider scenario: An employee (A) behaves inappropriately at the work place, by reading another employee s . Another employee (B) is aggrieved by this behavior and sues the company. The company does not have policy that prohibits such behavior, hence no legal action against offender (A) can be taken Nevertheless, company may be legally obliged to protect the privacy of employee B. The company loses the lawsuit, and lots of money

10 Policy, Standard, Procedure (cont.) Although least expensive security protection, Policies are often most difficult to implement/enforce. To ensure effectiveness, failure to comply with a Policy should imply a disciplinary action.

11 Policy, Standard, Procedure (cont.) Example: Policy that is hard to implement Employees are not allowed to take out of the company s premise any IP-related documentation.

12 Policy, Standard, Procedure (cont.) conceptual Why? What? How? hands-on

13 Policy, Standard, Procedure (cont.) Security Standard more specific directives that are mandatory describe what to do (or not do) to comply with the policy also, extension of the policy into the real world specifies technology settings, platforms or behaviors it is important to audit adherence to standards to ensure their implementation Security Procedure specify actual steps of how to implement or comply with a standard example: specific instructions on how to download and install centrally managed antivirus software

14 Policy, Standard, Procedure (cont.) Example: Policy vs. Standard vs. Procedure Many Info. Sec. departments have specific protocols for performing backups of server hard drives. Policy: Describes the need for backups, for storage off-site, and for safeguarding the backup media. Standard: Defines the software to be used to perform backups and how to configure this software (e.g. Acronis, SmartSync, etc.) Procedure: Describes how to use the backup software, the timing for making backups, and other ways that humans humans interact with the backup system.

15

16 Policy, Standard, Procedure (cont.) Security Guideline discretionary set of directives designed to achieve a policy/security objectives needed in complex & uncertain situations for which rigid standards cannot be specified examples: company might have a guideline that each new employee should have a background check however, in an emergency, department head might be allowed to hire a person before a background check is completed Security Recommended Practices set of policies / standards / procedures /guidelines recommended by trade associations and government agencies Security Best Practices descriptions of what best firms in the industry are doing about security

17 Policy, Standard, Procedure (cont.) Example: Microsoft Best Security Practices

18 Security Policy Important rule to follow when shaping a policy: Policy should never conflict with existing law. Policy must be able to stand up in court if challenged. Policy must be properly supported and administered. For policies to be effective, they must be: A. Developed using industry-accepted practices. B. Distributed or disseminated using all appropriate methods. C. Read by all employees. D. Comprehended by all employees. E. Formally agreed / complied to by act or affirmation. F. Enforced and applied uniformly.

19 Security Policy: Development A. Development of Security Policy - 5 stage process A.1 Investigation Phase. Form the right policy design team consisting of representatives from groups that will be affected by new policy (e.g. legal dept., HR, end users of various IT systems covered by policy) Make an outline of the scope and goals of the policy, as well as the cost and scheduling of its implementation. Obtain general support from senior management. Without enough attention, any policy has a reduced chance of success mid-management and users not likely to implement it. A.2 Analysis Phase. Obtain all recent & relevant information - risk assessment, IT audits, - as well as other references (e.g. past law suits) concerning positive / negative outcome of similar policies.

20 Security Policy: Development (cont.) Why is Analysis Phase performed after Investigation Phase? Wouldn t it be beneficial to approach the management with already gathered legal/audit (reference) information? Sometimes policy documents that affect information security is housed in the HR department, as well as accounting, finances, legal, or corporate security departments.

21 Security Policy: Development (cont.) A. Development of Security Policy: 5 stage process (cont.) A.3 Design / Distribution Planning Phase. Create a plan on how to distribute and verify the distribution of the policy. (e.g. through internet or hard-copy form may impact the content of the policy) A.4 Implementation Phase. Design team actually writes the policy. Can rely on existing policies found on the Web, Government Sites, Professional Literature. A.5 Maintenance Phase. Monitor, maintain, and modify the policy to ensure that it remains effective as a tool against ever changing threats. (ongoing process!)

22 Security Policy: Development (cont.) Example: Policy templates

23 Security Policy: Distribution B. Policy Distribution Getting the policy document into the hands of all employees may require a substantial effort / investment. Techniques of distribution: hard-copy distribution bulletin-board distribution distribution via distribution via intranet (in html or PDF form) Organization must be able to prove distribution of the policy document, e.g. via auditing log in case of electronic distribution.

24 Security Policy: Distribution (cont.)

25 Security Policy: Reading & Comprehension C. & D. Policy Reading and Comprehension Policy must be written/presented in a way that all employees can read and comprehend. illiterate or low-literate workers ESL workers visually impaired, etc. Example: Importance of policy reading & comprehension Assume an employee is fired for failure to comply with a policy. If the organization cannot verify that the employee was in fact properly educated on the policy, the employee could sue the organization for wrongful termination.

26 Security Policy: Compliance E. Policy Compliance (Consequences of not complying with policy should be clearly stated and agreed upon by the employees.) Failure to agree to or follow a policy may jeopardize organization s interests and, thus, be sufficient to decide on termination. However, the legal system may not support such decision. Organization can/should incorporate policy confirmation statement into employment contract or annual evaluation.

27 Security Policy: Enforcement F. Policy Enforcement Because of potential scrutiny during legal proceedings, organizations must establish high standards of policy implementation. example: if policy mandates that all employees wear ID badges in a clearly visible location, and some management members decide not to follow this policy, any action taken against other employees will not withstand legal challenges

28 Security Policy Categories Three types of security policies found in most organizations: 1) Enterprise Information Security Policy (EISP) 2) Issue-specific Security Policy (ISSP) 3) System-specific Security Policy (SysSP)

29 Security Policy Categories: EISP 1) Enterprise Information Security Policy (EISP) Aka as general security policy sets strategic direction, scope, and tone for all security matters and efforts. Short (2 10 page) executive-level document usually drafted by chief IT officer of the organization. Common components of a good EISP: Statement of purpose explains the intent of the document. States info. sec. philosophy for the given enterprise. Explains the importance of info. sec. for the enterprise. Defines the info. sec. organization/structure of the enterprise. Lists other standards that influence and are influenced by this document.

30

31 Security Policy Categories: ISSP 2) Issue-Specific Security Policy (ISSP) Provides detailed, targeted guidance concerning the use of a particular process, technology or a system. ISSP may cover one or more of the following: use of electronic mail use of the Internet and WWW use of company-owned computer equipment use of personal equipment on company networks

32 Security Policy Categories: ISSP (cont.) 2) Issue-Specific Security Policy (ISSP) (cont.) Components of a typical ISSP : 1) Statement of Purpose what is the scope of the policy what technology and issue it addresses who is responsible and accountable for policy implementation 2) Authorized Access and Usage who can use the technology governed by the policy what the technology can be used for what constitutes fair and responsible use of technology and it may impact personal information and privacy 3) Prohibitive Use of Equipment - unless a particular use is clearly prohibited, the company cannot penalize its employees for misuse what constitutes disruptive use, misuse, criminal use what other possible restrictions may apply

33 Security Policy Categories: ISSP 2) Issue-Specific Security Policy (ISSP) (cont.) Components of a typical ISSP : 4) Systems Management which kind of authorized employer monitoring is involved (e.g. electronic scrutiny of & other electronic documents) 5) Violation of Policy what specific penalties, for each category of violation, will apply how to report observed or suspected violations openly or anonymously 6) Limitation of Liability company does not want to be liable if an employee is caught conducting illegal activity with company s asset how is liable if an employee violates a company policy or law

34 Security Policy Categories: SysSP 3) System-Specific Security Policy (SysSP) Both EISP and ISSP are formalized as written documents readily identifiable as policy. SysSP has a look of a standard or a procedure to be used when configuring / maintaining a system intended for (not regular users but) information security personnel Managerial Guidance SysSP created by management to guide implementation / configuration of technology as well as to address people behavior in ways to support EISP and ISSP. Technical Specifications SysSP in some cases system administrators need to create / implement their own policy in order to enforce EISP, ISSP or managerial policy.

35 Security Policy Categories: SysSP (cont.) Example: EISP vs. ISSP vs. Managerial SysSP EISP: ISSP 1: ISSP 2: Company s IT system should only be used to access and/or exchange corporate information. server should/will discard/quarantine all s with non-corporate sender/receiver addresses. Firewall should/will be set in a way to prevent access to outside web-sites. Managerial SysSP: All outgoing IP packets carrying HTTP content and port numbers x, y, z should be dropped.