Chapter 4: Security Policy Documents & Organizational Security Policies
Objectives
- Compose a statement of authority
- Develop and evaluate policies related to the information security policy document's objectives and ownership
- Create and assess policies associated with the management of security-related activities
- Assess and manage the risks inherent in working with third parties
Composing a Statement of Authority
- The statement should be issued by an authority figure such as the CEO or President
- Buy-in from top management is a must
- It gives the policy adequate credibility with all employees
Composing a Statement of Authority Cont.
- The statement is an introduction to the policy
- It sets the tone for the document
- Statement of authority and statement of culture:
  - Exposes the values of the company and the security measures to be deployed to protect them
  - An attempt at "recruiting" employees to act in a secure fashion to protect the company
Composing a Statement of Authority Cont.
- The goal of the statement of authority: to deliver a clear message about the importance of information security to all employees
- If the message is not clear, employees will either act erroneously by mistake or disregard the whole document altogether
- The statement is a teaching tool; it should be created, promoted and used as such
Composing a Statement of Authority Cont.
- The statement should reflect the company culture in both format and content
- Information security is first and foremost cultural and behavioral
- Employees need to identify with and embrace the company culture
- This is made easier if the documents that make up the security policy are clearly in accordance with company policy
Security Policy Document Policy
- States the need for written information security policies, as well as who is responsible for creating, approving, enforcing and reviewing them
- These responsibilities must be clearly stated in the document so that no phase of the process is "abandoned" or ignored
- Strong leadership is always a part of successful information security policies
Security Policy Document Policy Cont.
- Emphasizes management's approach and commitment to information security
- No information security policy can be successful without full and unequivocal support from management
- It's a policy about needing and having policies!
Federal Law & Information Security Policy
- Many private sector industries are federally regulated:
  - Financial sector: GLBA (Gramm-Leach-Bliley Act); SOX (Sarbanes-Oxley, which affects publicly traded companies)
  - Healthcare: HIPAA (Health Insurance Portability and Accountability Act)
  - Educational institutions: FERPA (Family Educational Rights and Privacy Act)
Federal Law & Information Security Policy Cont.
- Some organizations may fall under several federal mandates
- If necessary, companies should hire third-party experts to identify which mandates apply to them
- ISO 17799 (since renumbered ISO/IEC 27002) can be mapped to several federal mandate regulations
- Here again, it may be advantageous to hire third-party compliance experts to guide and support the company's compliance team
Security Policy Document Policy Cont.
- The Information Security Policy Document policy should reference the federal and state regulations to which the organization is subject
- It is important to integrate those regulations into the policies written for and deployed by the company
- The first step towards compliance is awareness!
The Need for an Employee Version of the Security Policies
- The whole document can be too complex and intimidating
- The goal is to create a guide to what is acceptable and what is not; making the document too complex defeats that purpose
- The goal is for employees to read, understand and act according to the policies
- The policies are useless without adequate employee support
The Need for an Employee Version of the Security Policies Cont.
- Employees should only be given those policies that apply to them
- Need-to-know and the concept of least privilege apply here as well!
- An Acceptable Use Agreement should be drafted and distributed to all employees
- It should include (but is not limited to):
  - An Internet use policy
  - An email use policy
The Need for an Employee Version of the Security Policies Cont.
- Remind all employees that information cannot be protected unless they all buy in and adopt the policies that regulate the company
- Again, information security is behavioral and cultural
- There is no technical device a company can deploy to protect the confidentiality, integrity and availability of data if employees are not also enrolled in actively protecting the company's data
Policies are Dynamic
- Organizations change, either directly or indirectly; their policies must also change to reflect this dynamic situation
- Scheduled, regular reviews should take place
- Change drivers are events within an organization that affect culture, procedures, activities, responsibilities, and more
- Change drivers must be identified and analyzed
Policies are Dynamic Cont.
- Change drivers may introduce new activities and/or vulnerabilities
- Identified change drivers should trigger new risk and vulnerability assessments
- Companies should also have regularly scheduled risk and vulnerability assessments
- For separation of duties purposes, vulnerability assessments should be conducted by independent third-party consultants
Policies are Dynamic Cont.
- Who is responsible for this document? The ISO (Information Security Officer), or a member of upper management
- What "ownership" means: developing, maintaining and reviewing policies
- The policy owner does not approve policies; a higher level of the company is responsible for approval
- The Information Security Policy Document defines both ownership and authority
Policies are Dynamic Cont.
- Decisions should include:
  - Who is in charge of security management?
  - What is the scope of their enforcement authority?
  - When should third-party expertise be brought in?
Managing Organizational Security
- Three topics on which to focus:
  - Information security infrastructure
  - Identification of risks from third-party consultants
  - Security requirements for outsourcing
Managing Organizational Security Cont.
- Designing and maintaining a secure environment requires input from representatives of each department of the company:
  - Management
  - IT (developers, network engineers, administrators)
  - HR
  - Legal and financial services
- Collaboration of all these parties is required to create and maintain a successful information security policy
Managing Organizational Security Cont.
- Who is a third party?
  - Business partners
  - Vendors
  - Contractors (including temporary workers)
Managing Organizational Security Cont.
- Physical security
- Protecting the network from outside attacks is necessary, but a company should not forget to protect the physical security of its servers
- Why bother to hack when you can steal?
Managing Organizational Security Cont.
- If physical access for third parties is allowed, proper controls must be deployed to:
  - Select who gets physical access
  - Determine to which areas physical access is granted
  - Verify that due diligence has been done on the integrity and credibility of those third-party contractors
Outsourcing Is a Growing Trend
- Outsourcing is seen by some as a business tool used to lower costs; it also comes with risks:
  - Is the work being outsourced out of the country? If so, to which country?
  - How is security handled in the culture of that country?
  - How effectively are intellectual property laws enforced and respected in that country?
Outsourcing Is a Growing Trend Cont.
- Is the data secure during transmission?
  - Is the data transferred electronically? What secure protocols are used?
  - Is the data physically sent overseas? What courier system is used? How reliable, reputable and dependable is that courier?
Outsourcing Is a Growing Trend Cont.
- Is the data securely stored while away from the corporate network?
  - What security controls are deployed at the perimeter of the target network?
  - What access control methods are used on the target network?
  - What auditing methods are used on the target network?
Outsourcing Is a Growing Trend Cont.
- How do you conduct due diligence on a company located halfway across the world?
  - Is this company foreign-owned, or a subsidiary of a US-owned corporation?
  - Is this company reputable?
  - Has your company sent a representative on-site to verify the information the outsourcer provided?
Summary
- Standards such as ISO 17799 exist to help organizations better define appropriate ways to protect their information assets.
- Written policies are not enough; the proper security infrastructure must also be deployed.
- A multidisciplinary approach to security that involves all departments results in a unified security posture that can be adopted by the whole company.
- Because companies are not static, policies must evolve with the company. To achieve a higher level of protection, it is recommended that companies hire security experts.