information security 365 -- policies, data classification, employee training and awareness
TRANSCRIPT
Information Security 365/765, Fall Semester, 2016
Course Instructor, Nicholas Davis
Lecture 4, Policies, Classification, Training
Today’s Agenda
• Eat Kit Kat bars
• Class exercise: IT Risk Analysis of Hillary Clinton Email Server
• Lecture topics: employee hiring, assignment and termination security practices; security policies; information classification; security awareness training
• Basis for written assignment #2
05/02/23 UNIVERSITY OF WISCONSIN 2
Today’s Chocolate Bar: Kit Kat
Kit Kat is a chocolate-covered wafer biscuit bar confection that was created by Rowntree's of York, England, and is now produced globally by Nestlé (which acquired Rowntree in 1988) with the exception of the United States where it is made under license by The Hershey Company. Each bar consists of fingers composed of three layers of wafer, covered in an outer layer of chocolate. Each finger can be snapped from the bar separately. Bars typically have two or four fingers.
How NOT to eat a Kit Kat
Remember Our Discussion About Background Checks?
As mentioned in our last lecture, information security covers many areas not typically thought about, such as personnel background checks. An unqualified employee can do great damage to organizational assets and strategy. Let’s watch this video!
https://www.youtube.com/watch?v=Ic6cSzY4ptU
Hiring Practices
• Job skill screening
• Reference check
• Non-disclosure agreement (NDA) signed
• Education verification
• Criminal background check
• Credit report check
• Sex offender check
• Drug screening
• Professional license check
• Immigration status check
• Social Security Number trace to ensure validity
Employee Controls: Rotation of Duties
No one person should stay in one position for an uninterrupted period of time, as this may enable them to have too much control over a segment of business
Mandatory vacation policy
Employee Controls: Separation of Duties
Split knowledge system: No single employee has the knowledge to do a task by themselves
Example
Dual control: No single employee has the physical ability to do a task by themselves
Example
Termination Practices
• Each company needs a set of pre-defined termination procedures
• Example:
  • Once terminated, the employee must be escorted out of the facility by their manager
  • Employee must immediately surrender keys, employee badge, etc.
  • Employee must be asked to complete an exit interview and return company property
  • The terminated employee’s online accounts must be disabled immediately upon termination
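As an added illustration of the account-disabling step above (example code written for this edit, not part of the lecture), the following Python check reconciles an HR termination list against an identity-provider account export and flags accounts that were not disabled, or that were used after the termination time. All employee IDs, usernames and timestamps are constructed sample data, and the record layout is an assumption, since the slides name no particular HR or identity system.

```python
"""Offboarding reconciliation check (added example; not from the lecture).

Compares an HR termination list against an identity-provider account
export and reports accounts that should have been disabled. The records
below are constructed sample data, not real people or systems.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Termination:
    employee_id: str
    terminated_at: datetime


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str
    enabled: bool
    last_login: Optional[datetime]


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2016-10-03T17:00:00Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed HR feed: who was terminated and when.
TERMINATIONS = [
    Termination("E1001", _ts("2016-10-03T17:00:00Z")),
    Termination("E1002", _ts("2016-10-05T12:30:00Z")),
]

# Constructed identity-provider export, taken at AUDIT_TIME.
ACCOUNTS = [
    Account("jsmith", "E1001", enabled=True, last_login=_ts("2016-10-04T08:15:00Z")),
    Account("jsmith-admin", "E1001", enabled=False, last_login=_ts("2016-10-01T09:00:00Z")),
    Account("akumar", "E1002", enabled=True, last_login=_ts("2016-10-05T11:00:00Z")),
    Account("bchen", "E1003", enabled=True, last_login=_ts("2016-10-06T10:00:00Z")),
]

AUDIT_TIME = _ts("2016-10-06T12:00:00Z")


def reconcile(terminations: List[Termination], accounts: List[Account],
              audit_time: datetime) -> List[Tuple[str, str, str]]:
    """Return one (username, kind, detail) finding per policy violation.

    kind is one of:
      "still_enabled"          - an account of a terminated employee is enabled
      "post_termination_login" - the account was used after the termination time
    Accounts of employees who are still employed are skipped.
    """
    terminated = {t.employee_id: t.terminated_at for t in terminations}
    findings = []
    for acct in accounts:
        if acct.employee_id not in terminated:
            continue
        term_at = terminated[acct.employee_id]
        if acct.enabled:
            hours = (audit_time - term_at).total_seconds() / 3600
            findings.append((acct.username, "still_enabled",
                             f"{hours:.1f}h after termination"))
        if acct.last_login is not None and acct.last_login > term_at:
            findings.append((acct.username, "post_termination_login",
                             acct.last_login.isoformat()))
    return findings


if __name__ == "__main__":
    for username, kind, detail in reconcile(TERMINATIONS, ACCOUNTS, AUDIT_TIME):
        print(f"{username:14} {kind:24} {detail}")
```

Run against the sample data, the check reports jsmith as still enabled and logged in after termination, and akumar as still enabled; the already-disabled admin account and the current employee produce no findings. In practice the two inputs would come from the HR system's termination feed and the identity provider's user export, and the check would run on a schedule so that the "immediately" in the policy is verified rather than assumed.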
Security Policy
An overall general statement, produced by senior management, which dictates the role which security management plays in the organization
• Made up of goals and responsibilities
• Shows strategic and tactical value of the policy
• Outlines how enforcement should be carried out
Security Policy Components: Business Objectives
Business objectives should drive the policy’s creation, implementation and enforcement. The policy should not dictate business objectives.
Security Policy Components: Make It Legible
The document should be written in plain language, so that every employee can easily understand, without question, the portions which apply to them.
Security Policy Components: Uniformity
Make certain it fits all business functions and processes
Security Policy: Legal Conformity
It should support all legislation and regulations which apply to the company, whether local, national or international.
Security Policy: A Living Document
It should be revisited on a regular basis and updated as necessary, as changes occur within the company. Make certain that all changes are documented and recorded.
Security Policy: Adaptability
It should be written in such a way as to make it useful for several years at a time, under normal circumstances, and flexible enough to deal with minor changes, as they occur.
Security Policy: Language
The tone of the policy must be certain and strong. Avoid using the word “should”, as it leaves room for interpretation. Instead, use the words “shall”, “will” and “must”, throughout the document
Security Policy: Style
• No frills
• Professional looking
• Consistent presentation
Why is IT Security Policy So Important?
• Helps identify the company’s valuable assets
• Provides authority to the security team and their activities
• Provides a reference to review when conflicts pertaining to security arise
• States clearly the company’s goals and objectives in the area of security
• Outlines personal responsibility
Why is IT Security Policy So Important? (continued)
• Helps prevent unanticipated events from occurring
• Defines the scope and boundaries for the security team and its functions
• Outlines incident response responsibilities
• Outlines the company’s response to legal and regulatory requirements
Three Types of Security Policies Exist
• Regulatory
• Advisory
• Informative
Security Policy Types: Regulatory
Ensures that the company is following standards set by specific industry regulations. It is very detailed and specific to a type of industry:
• Finance
• Healthcare
• Government
Security Policy Types: Advisory
Tells employees which types of behaviors and activities shall and shall not take place within the organization. How to handle:
• Medical information
• Financial transactions
• Confidential information
Outlines ramifications for non-compliance
Security Policy Types: Informative
Informs employees on generalities of certain topics, but is not enforceable.
It teaches about issues important to the company, such as how the company would like employees to interact with business partners, the company’s goal and mission, or the corporate reporting structure
Security Policy: Due Diligence
Due diligence is the act of investigating and understanding the risks the company faces
Security Policy: Due Care
Due care is a statement which demonstrates that the company has accepted and taken responsibility for activities which take place in the organization
How Due Diligence and Due Care are Related
Due diligence is the understanding of the threats and risks, while due care is the countermeasures which the company has put in place to address the threats and risks
Information Classification
In the field of data management, data classification is defined as a tool for categorizing data that helps an organization answer the following questions effectively:
• What data types are available?
• Where are certain data located?
• What access levels are implemented?
• What protection level is implemented, and does it adhere to compliance regulations?
Data Classification
• Commercial Enterprise
• Government and Military
You are business students, so we will focus on commercial enterprise data classification terminology
Data Classification Types (typical)
• Public
• Sensitive
• Private
• Confidential
Some models may differ in number of levels and/or how they are referred to
Data Classification: Public
Definition: Disclosure is not welcome, but it would not cause an adverse impact or damage to the company or its employees
Examples:
• How many people work at the company
• Current job positions posted on the website
Data Classification: Sensitive
Definition: Requires special precautions to ensure the integrity and confidentiality of the data, by protecting it from unauthorized modification or deletion. Requires higher than normal assurance of accuracy and completeness
Examples:
• Financial information
• Details of projects
• Profit earnings and forecasts
Data Classification: Private
Definition: Personal information, for use only within the company. Unauthorized disclosure could adversely affect employees, the company, its business partners or customers
Examples:
• Work history
• HR information
• Medical information
Data Classification: Confidential
Definition: For use within the company only. Exempt from disclosure under the Freedom of Information Act. Unauthorized disclosure could seriously affect a company
Examples:
• Trade secrets
• Programming software code
• Information that keeps the company competitive
Data Classification Procedures
1. Define classification levels
2. Specify the criteria by which data will be classified
3. Have the data owner indicate the classification level for their data
4. Identify the data custodian, who will be responsible for maintaining the data and its security level
5. Indicate the controls to be applied at each classification level
6. Document any exceptions in detail
7. Indicate the methods which are used to transfer data custody to a different owner
8. Create a procedure to periodically review the data’s classification and ownership
9. Indicate declassification procedures
10. Integrate this knowledge into a security awareness program
If You Choose to Create Your Own Data Classification System
• Too many levels will make classification complex and confusing
• Too few levels will encourage sloppy data classification
• There should be no overlap between classification levels
• Classification levels should be developed for both data and the systems housing the data, and they should match
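A worked example of steps 1, 4, 5 and 8 of the classification procedure together with the rules on this slide (no overlap between levels; matching levels for data and the systems that house it). This is Python written for this edit, not material from the lecture. It assumes the four commercial levels are listed in increasing order of sensitivity, public lowest and confidential highest; the control names, assets, systems, people and dates are constructed sample values.

```python
"""Data classification registry check (added example; not from the lecture).

Models the four commercial classification levels as an ordered scale,
attaches the controls required at each level, records owner and custodian
for every data asset, and checks two rules: a hosting system's level must
be at least the level of the data on it, and each classification must be
reviewed within the review period. All names and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Set, Tuple

# Ordered scale: the index is the rank, so every comparison is unambiguous
# and two levels can never overlap (assumed order: public < confidential).
LEVELS = ("public", "sensitive", "private", "confidential")

# Controls introduced at each level; higher levels inherit the lower ones.
# Control names are constructed placeholders.
CONTROLS = {
    "public": {"integrity-check"},
    "sensitive": {"access-logging", "change-approval"},
    "private": {"need-to-know-acl", "encryption-at-rest"},
    "confidential": {"encryption-in-transit", "dlp-monitoring"},
}


@dataclass(frozen=True)
class DataAsset:
    name: str
    level: str
    owner: str        # decides the classification (step 3)
    custodian: str    # maintains the data and its controls (step 4)
    system: str       # system that houses the data
    last_review: date  # last time classification and ownership were reviewed


@dataclass(frozen=True)
class System:
    name: str
    level: str        # highest classification the system is approved to hold


def rank(level: str) -> int:
    """Position of a level on the scale; rejects unknown levels outright."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification level: {level}")
    return LEVELS.index(level)


def required_controls(level: str) -> Set[str]:
    """Controls that apply at `level`: its own plus every lower level's (step 5)."""
    needed: Set[str] = set()
    for lvl in LEVELS[: rank(level) + 1]:
        needed |= CONTROLS[lvl]
    return needed


def find_violations(assets: List[DataAsset], systems: List[System], today: date,
                    review_period: timedelta = timedelta(days=365)
                    ) -> List[Tuple[str, str, str]]:
    """Return (asset, rule, detail) for hosting mismatches and overdue reviews."""
    by_name = {s.name: s for s in systems}
    out = []
    for a in assets:
        host = by_name.get(a.system)
        if host is None:
            out.append((a.name, "unknown_system", a.system))
        elif rank(host.level) < rank(a.level):
            # Data and system levels must match: the system may not be rated
            # below the data it stores.
            out.append((a.name, "hosting_below_data_level",
                        f"{a.level} data on {host.level} system {host.name}"))
        if today - a.last_review > review_period:
            out.append((a.name, "review_overdue", a.last_review.isoformat()))
    return out


# Constructed sample inventory.
SYSTEMS = [System("web-cms", "public"), System("hr-db", "private"),
           System("src-repo", "confidential")]
ASSETS = [
    DataAsset("job-postings", "public", "comms", "web-team", "web-cms", date(2016, 6, 1)),
    DataAsset("quarterly-forecast", "sensitive", "cfo", "finance-it", "web-cms", date(2016, 8, 1)),
    DataAsset("employee-records", "private", "hr-director", "hr-it", "hr-db", date(2015, 5, 1)),
    DataAsset("product-source", "confidential", "cto", "dev-ops", "src-repo", date(2016, 9, 1)),
]
TODAY = date(2016, 10, 1)

if __name__ == "__main__":
    for violation in find_violations(ASSETS, SYSTEMS, TODAY):
        print(violation)
    print(sorted(required_controls("confidential")))
```

On the sample inventory the check reports the sensitive forecast stored on the public web system, and the employee records whose classification has not been reviewed in over a year; the other two assets pass. Keeping the levels in a single ordered tuple is what makes the "no overlap" rule mechanical: a level either ranks above another or below it, and an unrecognised level is rejected rather than silently treated as public.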
Security Awareness Training Program
• One for senior management
• One for staff
• One for technical employees
Each covers:
• Responsibilities of everyone
• Potential liabilities if the program is not followed
• Expectations of everyone
Security Awareness: Senior Management
Focus on: corporate assets, and the financial gains and losses which can occur due to information security incidents. As the leaders, they must demonstrate the proper mindset to the rest of the company
Security Awareness: Mid-Management
Focus on: policies, standards and guidelines and how they map to individual departments; responsibility for ensuring their employees’ adherence to the security policies; and how the managers will be held accountable for enforcement
Security Awareness: Employees
Focus on: the operational aspects of information security, proper system usage, how to recognize a security issue, and how to properly handle and report a suspected information security incident
Next Class: United States of Secrets
A fantastic video; it will last for the entire duration of the class
The video will serve as background information and as the basis for written assignment #2
https://www.youtube.com/watch?v=W2hqLPqJAa0
Assignment #2: Responding to a National Security Letter
National Security Letters (NSLs) are an extraordinary search procedure which gives the FBI the power to compel the disclosure of customer records held by banks, telephone companies, Internet Service Providers, and others. These entities are prohibited, or "gagged," from telling anyone about their receipt of the NSL, which makes oversight difficult. The number of NSLs issued has grown dramatically since the Patriot Act expanded the FBI's authority to issue them.
National Security Letter References
Electronic Frontier Foundation: https://www.eff.org/issues/foia/07656JDB
Wikipedia: https://en.wikipedia.org/wiki/National_security_letter