Information Security IBK3IBV01 College 2 Paul J. Cornelisse

Upload: branden-pope

Post on 18-Jan-2016


TRANSCRIPT

Page 1: Information Security IBK3IBV01 College 2 Paul J. Cornelisse

Information Security IBK3IBV01 College 2

Paul J. Cornelisse

Page 2: Basis

▸ Information systems and the information processed on them are often considered to be critical assets that support the mission of an organization.

Page 3: Cost

▸ The costs and benefits of information security should be carefully examined in both monetary and nonmonetary terms, to ensure that the cost of controls does not exceed the expected benefits.

Page 4: Controls

▸ Information security controls should be appropriate and proportionate.

Page 5: Responsibilities and accountabilities (R & A)

▸ The responsibilities and accountabilities of
▸ information owners,
▸ providers, and
▸ users of computer services and other parties concerned with the protection of information and computer assets should be explicit.

Page 6: External users

▸ If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of control measures, so that other users can be confident that the system is adequately secure.

Page 7: External users

▸ As we expand the user base to include suppliers, vendors, clients, customers, shareholders, and the like, it is incumbent upon the enterprise to have clear and identifiable controls.

Page 8: First sign

▸ For many organizations, the initial sign-on screen is the first indication that there are controls in place.

Page 9: Basic elements of the logon screen

▸ It should contain three basic elements:

1. The system is for authorized users only
2. Activities are monitored
3. By completing the sign-on process, the user agrees to the monitoring

▸ The banner is a legal notice, not a place to describe the system: it should not reveal product names, versions or other details that would help an attacker.

Page 10: More than Just Computer Security

▸ An information security program is more than establishing controls for the computer-held data.

Page 11: More than Just Computer Security

▸ The "paperless office" has not arrived; information still exists on paper, on desks and in cabinets.

▸ To be an effective program, information security must move beyond the narrow scope of IT and address information security wherever the information exists, not only on computer systems.

Page 12: More than Just Computer Security

▸ Employee mindset toward controls:

1. Offices secured
2. Desks and cabinets secured
3. Workstations secured
4. Information secured
5. Electronic media secured

Page 13: More than Just Computer Security

▸ The typical office environment will have a 90% to 95% noncompliance rate with at least one of these basic control mechanisms.

▸ When conducting a review, employee privacy issues must be remembered.

Page 14: Developing Policies

Policy Is the Cornerstone

• The cornerstone of an effective information security architecture is a well-written policy statement.

• This is the source from which all other directives, standards, procedures, guidelines, and other supporting documents will spring.

Page 15: Developing Policies

• The internal portion tells employees what is expected of them and how their actions will be judged.

• The external portion tells the world how the enterprise sees its responsibilities.

Page 16: Developing Policies

Definitions

Page 17: Developing Policies

Policy

• A policy is a high-level statement of enterprise beliefs, goals, objectives, and the general means for their attainment for a specified subject area.

Page 18: Developing Policies

Standards

• Standards are mandatory requirements that support individual policies.

• Standards can range from what software or hardware can be used, to what remote access protocol is to be implemented, to who is responsible for approving what.

Page 19: Developing Policies

Procedures

• Procedures are mandatory, step-by-step, detailed actions required to successfully complete a task.

Page 20: Developing Policies

Guidelines

• Guidelines are documented suggestions for the regular and consistent implementation of accepted practices.

Page 21: Policy Key Elements

To meet the needs of an organization, a good policy should:

• Be easy to understand
• Be applicable
• Be doable
• Be enforceable
• Be phased in
• Be proactive
• Avoid absolutes
• Meet business objectives

Page 22: Developing Policies

Policy Format

• Depends on the look and feel that policies already have in your own organization

• Content:

• Topic
• Scope
• Responsibilities
• Compliance or consequences

Page 23: Developing Policies

The three types of policies are:

1. Global (tier 1)
2. Topic-specific (tier 2)
3. Application-specific (tier 3)

Page 24: Developing Policies

Global (tier 1)

• Used to create the organization's overall vision and direction

Page 25: Developing Policies

Topic-specific (tier 2)

• Address particular subjects of concern.

Page 26: Developing Policies

Application-specific (tier 3)

• Focus on decisions taken by management to control particular applications (financial reporting, payroll, etc.) or systems (budgeting system)

Page 27: Developing Policies

More on tier 3:

◾ Who has the authority to read or modify data?
◾ Under what circumstances can data be read or modified?
◾ How is remote access to be controlled?

Page 28: Summary

Reason: To provide direction regarding the protection of .... information resources from unauthorized access, modification, duplication, destruction or disclosure

Page 29: Summary

• The policy applies to all .... personnel, including employees, interns, vendors, contractors, and volunteers

• The policy pertains to all information resources used to conduct .... business or used to transmit or store .... Restricted or Confidential information

Page 30: Developing Policies

• Information Resource
• Information Owner
• Business Owner
• Information Classification Categories
  • Restricted
  • Confidential
  • Public
• Reclassification
• Custodian
• Users

Page 31: Developing Policies

Information includes, but is not limited to:

a. Personally identifiable information (PII)
b. Reports, files, folders, memoranda
c. Statements, examinations, transcripts
d. Images, and
e. Communications

Page 32: Developing Policies

Information Owner

• The Director of a Division where the information resource is created, or who is the primary user of the information resource

Page 33: Developing Policies

Business Owner

• Where multiple information owners for the same information resource occur, the information owners must designate a Business Owner who will have authority to make decisions on behalf of all the owners of the information resource

Page 34: Developing Policies

Information Classification Categories

• All information shall be classified by the information owner into one of three classification categories:
• Restricted
• Confidential
• Public

Page 35: Developing Policies

Reclassification

• The information owner is to establish a review cycle for all information classified as Restricted or Confidential

• Reclassify it when it no longer meets the criteria established for such information

• This cycle should be commensurate with the value of the information but should not exceed 1 year

Page 36: Developing Policies

Custodian

• The individual or entity designated by the information owner that is responsible for maintaining the safeguards established by the information owner

Page 37: Developing Policies

Users

• Authorized personnel responsible for using and safeguarding the information resources under their control according to the directions of the information owner

Page 38: Developing Policies

The information owner has the responsibility to:

a. Identify the classification level of all information resources within their division

b. Define and verify implementation of appropriate safeguards to ensure the confidentiality, integrity, and availability of the information resource

c. Monitor the safeguards to ensure compliance and report instances of noncompliance

d. Authorize access to those who have a demonstrated business need for the information resource, and

e. Remove access to those who no longer have a business need for the information resource

Page 39: Developing Policies

The Custodian has the responsibility to:

a. Implement integrity controls and access control requirements specified by the information owner

b. Advise the information owner of any major deficiency or vulnerability encountered that results in a failure to meet requirements

c. Comply with all specific guidelines and procedures to implement, support, and maintain information security

Page 40: Developing Policies

The Users have the responsibility to:

a. Access only the information for which they have been authorized

b. Use the information only for the purpose intended

c. Ensure that authenticating information (e.g., passwords) is in compliance with existing security standards

d. Maintain the integrity, confidentiality and availability of information accessed, consistent with the information owner's expectations, while under their control

e. Comply with all specific guidelines and procedures to implement, support, and maintain Information Security policies and standards

f. Report violations or suspected violations of policies and standards to the appropriate management or Information Security Project Manager
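The ownership, classification, reclassification and access rules of pages 33 to 40 are the parts of this policy that can be enforced mechanically, which is how a security engineer would normally check them: as policy-as-code rather than by reading the document. The block below is an added example written for this transcript; it is not code from the lecture or from the policy it summarises. The data model (Resource), the actor names (dir.finance, dir.hr, it-ops), the resource names and the dates are all assumptions constructed for illustration. It encodes: only one of the three classification categories is allowed; a resource with several information owners must have a designated Business Owner, who then decides for all of them; Restricted and Confidential information must have been reviewed within one year; only the owner (or Business Owner) can grant or remove access, and a grant must record the business need; a custodian implements controls but cannot authorize access.

```python
"""Policy-as-code model of the information-ownership rules from pages 33-40.

Added example, not part of the original slides. All names and dates below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

CLASSIFICATIONS = ("Restricted", "Confidential", "Public")   # page 34
PROTECTED = ("Restricted", "Confidential")                    # need a review cycle (page 35)
MAX_REVIEW_CYCLE = timedelta(days=365)                        # "should not exceed 1 year"
REFERENCE_DATE = date(2016, 1, 18)                            # assumed "today" for the demo


class PolicyError(Exception):
    """Raised when an action would violate the policy."""


@dataclass
class Resource:
    name: str
    classification: str
    owners: Set[str]                       # information owner(s), e.g. division directors
    custodian: str                         # maintains the safeguards the owner sets (page 36)
    business_owner: Optional[str] = None   # required once there are several owners (page 33)
    last_review: Optional[date] = None     # last classification review (page 35)
    authorized_users: Set[str] = field(default_factory=set)

    def deciders(self) -> Set[str]:
        """Who may authorize access or reclassify: the single owner, or the
        Business Owner once several owners share the resource."""
        if len(self.owners) > 1:
            return {self.business_owner} if self.business_owner else set()
        return set(self.owners)


def validate_resource(r: Resource, today: date) -> List[str]:
    """Return policy findings for one resource; an empty list means compliant."""
    findings: List[str] = []
    if r.classification not in CLASSIFICATIONS:
        findings.append(f"{r.name}: invalid classification {r.classification!r}")
    if not r.owners:
        findings.append(f"{r.name}: no information owner")
    if len(r.owners) > 1 and not r.business_owner:
        findings.append(f"{r.name}: several owners but no business owner designated")
    if r.classification in PROTECTED:
        if r.last_review is None:
            findings.append(f"{r.name}: never reviewed")
        elif today - r.last_review > MAX_REVIEW_CYCLE:
            findings.append(f"{r.name}: review overdue, last reviewed {r.last_review}")
    return findings


def _require_decider(r: Resource, actor: str) -> None:
    # The custodian and ordinary owners of a shared resource are deliberately excluded.
    if actor not in r.deciders():
        raise PolicyError(f"{actor} may not decide for {r.name}; allowed: {sorted(r.deciders())}")


def grant_access(r: Resource, actor: str, user: str, business_need: str) -> None:
    """Page 38(d): the owner authorizes access for a demonstrated business need."""
    _require_decider(r, actor)
    if not business_need.strip():
        raise PolicyError(f"no business need recorded for {user} on {r.name}")
    r.authorized_users.add(user)


def revoke_access(r: Resource, actor: str, user: str) -> None:
    """Page 38(e): remove access once the business need has ended."""
    _require_decider(r, actor)
    r.authorized_users.discard(user)


def can_access(r: Resource, user: str) -> bool:
    """Page 40(a): users access only what they have been authorized for."""
    return user in r.authorized_users


def reclassify(r: Resource, actor: str, new_classification: str, today: date) -> None:
    """Page 35: the owner reviews and reclassifies; the review restarts the cycle."""
    _require_decider(r, actor)
    if new_classification not in CLASSIFICATIONS:
        raise PolicyError(f"{new_classification!r} is not a policy classification")
    r.classification = new_classification
    r.last_review = today


def demo(today: date = REFERENCE_DATE) -> List[str]:
    """Constructed sample registry: one compliant resource, one with two findings."""
    payroll = Resource("payroll", "Restricted", {"dir.finance"}, "it-ops",
                       last_review=today - timedelta(days=30))
    hr_files = Resource("hr-files", "Confidential", {"dir.hr", "dir.finance"}, "it-ops",
                        last_review=today - timedelta(days=400))   # overdue, no business owner
    findings: List[str] = []
    for r in (payroll, hr_files):
        findings.extend(validate_resource(r, today))
    return findings


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The rules that survive here are exactly the ones the slides state; what the slides leave open (whether Public information is readable by everyone, whether every co-owner may still read the shared resource) is not assumed, so Public resources still require an explicit grant. In a real deployment the same checks would run against an asset inventory or IAM export rather than the constructed records in demo().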
