Information Security IBK3IBV01 College 2
Paul J. Cornelisse
▸ Information systems and the information processed on them are often considered to be critical assets that support the mission of an organization.
Basis
▸ The cost and benefits of information security should be carefully examined in both monetary and nonmonetary terms to ensure that the cost of controls does not exceed the expected benefits.
Cost
▸ Information security controls should be appropriate and proportionate.
Controls
▸ The responsibilities and accountabilities of the information owners, providers, and users of computer services, and of other parties concerned with the protection of information and computer assets, should be explicit.
R & A
▸ If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of control measures, so that other users can be confident that the system is adequately secure.
External users
▸ As we expand the user base to include suppliers, vendors, clients, customers, shareholders, and the like, it is incumbent upon the enterprise to have clear and identifiable controls.
External users
▸ For many organizations, the initial sign-on screen is the first indication that there are controls in place.
First sign
▸ It should contain three basic elements:
1. The system is for authorized users only
2. Activities are monitored
3. By completing the sign-on process, the user agrees to the monitoring
Basic elements of logon screen
▸ An information security program is more than establishing controls for the computer-held data.
More than Just Computer Security
▸ The “paperless office”
▸ To be an effective program, information security must move beyond the narrow scope of IT and address the issues of information security.
More than Just Computer Security
▸ Employee Mindset Toward Controls
1. Offices secured
2. Desks and cabinets secured
3. Workstations secured
4. Information secured
5. Electronic media secured
More than Just Computer Security
▸ The typical office environment will have a 90% to 95% noncompliance rate with at least one of these basic control mechanisms.
▸ When conducting a review, employee privacy issues must be remembered.
More than Just Computer Security
Developing Policies
Policy Is the Cornerstone
• The cornerstone of an effective information security architecture is a well-written policy statement.
• This is the source from which all other directives, standards, procedures, guidelines, and other supporting documents will spring.
Developing Policies
• The internal portion tells employees what is expected of them and how their actions will be judged
• The external portion tells the world how the enterprise sees its responsibilities.
Developing Policies
Definitions
Developing Policies
Policy
• A policy is a high-level statement of enterprise beliefs, goals, and objectives, and the general means for their attainment, for a specified subject area
Developing Policies
Standards
• Standards are mandatory requirements that support individual policies
• Standards can range from what software or hardware can be used, to what remote access protocol is to be implemented, to who is responsible for approving what
Developing Policies
Procedures
• Procedures are mandatory, step-by-step, detailed actions required to successfully complete a task
Developing Policies
Guidelines
• Guidelines are documented suggestions for the regular and consistent implementation of accepted practices
Policy Key Elements
To meet the needs of an organization, a good policy should:
• Be easy to understand
• Be applicable
• Be doable
• Be enforceable
• Be phased in
• Be proactive
• Avoid absolutes
• Meet business objectives
Developing Policies
Policy Format
• Depends on the look and feel of policies in your own organization
• Content
  • Topic
  • Scope
  • Responsibilities
  • Compliance or Consequences
Developing Policies
The three types of policies are
1. Global (tier 1)
2. Topic-specific (tier 2)
3. Application-specific (tier 3)
Developing Policies
Global (tier 1)
• Used to create the organization’s overall vision and direction
Developing Policies
Topic-specific (tier 2)
• Address particular subjects of concern
Developing Policies
Application-specific policies
• Focus on decisions taken by management to control particular applications (financial reporting, payroll, etc.) or systems (budgeting system)
Developing Policies
More on tier 3:
◾ Who has the authority to read or modify data?
◾ Under what circumstances can data be read or modified?
◾ How is remote access to be controlled?
Resume
Reason: To provide direction regarding the protection of .... information resources from unauthorized access, modification, duplication, destruction or disclosure
Resume
• The policy applies to all .... personnel including employees, interns, vendors, contractors, and volunteers
• The policy pertains to all information resources used to conduct .... business or used to transmit or store .... Restricted or Confidential information
Developing Policies
• Information Resource
• Information Owner
• Business Owner
• Information Classification Categories
  • Restricted
  • Confidential
  • Public
• Reclassification
• Custodian
• Users
Developing Policies
Information includes, but is not limited to:
a. Personally identifiable information (PII)
b. Reports, files, folders, memoranda
c. Statements, examinations, transcripts
d. Images, and
e. Communications
Developing Policies
Information Owner
• The Director of a Division where the information resource is created, or who is the primary user of the information resource
Developing Policies
Business Owner
• Where multiple information owners for the same information resource occur, the information owners must designate a Business Owner who will have authority to make decisions on behalf of all the owners of the information resource
Developing Policies
Information Classification Categories
• All information shall be classified by the information owner into one of three classification categories:
  • Restricted
  • Confidential
  • Public
Developing Policies
Reclassification
• The information owner is to establish a review cycle for all information classified as Restricted or Confidential
• Reclassify it when it no longer meets the criteria established for such information
• This cycle should be commensurate with the value of the information but should not exceed 1 year
Developing Policies
Custodian
• The individual or entity designated by the information owner that is responsible for maintaining safeguards established by the information owner
Developing Policies
Users
• Authorized personnel responsible for using and safeguarding the information resources under their control according to the directions of the information owner
Developing Policies
The information owner has the responsibility to
a. Identify the classification level of all information resources within their division
b. Define and verify implementation of appropriate safeguards to ensure the confidentiality, integrity, and availability of the information resource
c. Monitor the safeguards to ensure their compliance and report instances of noncompliance
d. Authorize access to those who have a demonstrated business need for the information resource, and
e. Remove access to those who no longer have a business need for the information resource
Developing Policies
The Custodian has the responsibility to
a. Implement integrity controls and access control requirements specified by the information owner
b. Advise the information owner of any major deficiency or vulnerability encountered that results in a failure to meet requirements
c. Comply with all specific guidelines and procedures to implement, support, and maintain information security
Developing Policies
The Users have the responsibility to
a. Access only the information for which they have been authorized
b. Use the information only for the purpose intended
c. Ensure that authenticating information (e.g., password) is in compliance with existing security standards
d. Maintain the integrity, confidentiality and availability of information accessed consistent with the information owner’s expectations while under their control
e. Comply with all specific guidelines and procedures to implement, support, and maintain Information Security policies and standards
f. Report violations or suspected violations of policies and standards to the appropriate management or Information Security Project Manager