Managing Information Security
COMM037 Computer Security
Dr Hans Georg Schaathun
University of Surrey
Autumn 2010 – Week 3
Dr Hans Georg Schaathun Managing Information Security Autumn 2010 – Week 3 1 / 47
Session objectives
- Understand fundamental concepts of management
- Be able to use management concepts to plan effective and cost-efficient security measures
- Understand the principles of accountability and responsibility in information security
Reading:
- Whitman and Mattord Ch. 5
- Raggad Ch. 2–3
- (Additional) Gollmann Ch. 2.2–2.6
Outline
1 Some high-level viewpoints
2 Management Concepts
  - Layers of Management
  - Functional Organisation
3 Information Security Lifecycle
  - Life Cycles
  - Information Security Lifecycle
4 Policies and Documents
  - Communication
  - Case Study (Policy)
5 Closing
Some high-level viewpoints
Security and Management
... information security is primarily a management problem, not a technical one ...
Whitman & Mattord 2005
Why do they say this?
- Security is not a product or service in itself.
- It is a feature of other products, services, or processes.
- Management of these processes must encompass security:
  - product development processes
  - service provision processes
  - other business processes
The CObIT Information Criteria (Quick Recap)
- Security is only part of the criteria
- The CIA requirements guard the value of information, together with the other CObIT criteria
- A large organisation and its information assets
  - is a fine and complex machinery
  - requires management with attention to all requirements
The seven CObIT information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
The fundamental dilemma (IBM Whitepaper view)
Ambivalent attitude to security in businesses:
1 security problems cause serious losses
  - money
  - reputation
2 security does not contribute to business processes
  - it becomes a pure cost, like insurance and estates
Security is important, but it has to be cheap.
Value for Money in Security
How do you measure value for money in security?
- Minimise the number of incidents with impact?
- Maximise the number of incidents controlled by the security features purchased?
- What would have been the impact if you did not pay for security?
Security in Context
- We want security to serve business processes
- We cannot build a wall around the business
  - the business operates in a world of hazards
- Security must be part of the processes
  - protecting the business in a world of hazards
  - ... not shielding it from the world
Management Concepts
Layers of Management
Different Layers of Management
Strategic Management: Upper management do long-term planning. They define and evaluate organisation-wide, overall goals.
Functional Management: Middle management is specialised for different functional areas of the organisation, such as finance, IT, (security?), estates, production, etc. Yet functional managers have a long-term view, and work closely with upper management.
Operational Management: Lower management is responsible for the day-to-day running of the business. Operational managers steer towards goals and targets set by higher-level managers, and manage the finer detail of the organisation.
Which layer is responsible for information security?
Strategic Management
- Security Planning
- Security Auditing and Certification
- Risk appetite
  - expensive, high-security service
  - low-cost service with some risk
Strategic choices depend on the customer base and target market.
Senior Information Risk Owner (SIRO)
- Government requirement for all government departments
- Board-level individual responsible for information security across the department
What's the purpose of this role?
- Raise security awareness to board level
  - integrate security in board-level management
- Consistent risk management
  - one individual to decide on acceptable risk
- Liability and accountability?
  - someone to sack when it goes wrong?
  - or will the SIRO be able to pin the blame on someone else?
Some departments have reached farther than others.
Functional Management
- Risk management
- Risk-driven programme
Operational Management
- Implementations
  - firewalls
  - security software deployments
- Administration and Maintenance
  - software patches
  - monitoring
  - configuration
- Response to Incidents
  - Recovery
  - Reporting
Functional Organisation
Security in the Organisation (Question)
Do we need a functional unit for (Information) Security?
- Information Security could be part of IT.
- Information Security could be a separate Unit, alongside IT.
Organisational Model: With Security Functional Unit (Raggad)
Organisational Model: Without Security Functional Unit (Raggad)
Security in the Organisation
Do we need a functional unit for (Information) Security?
- Functional Unit Heads take part in Strategic Management
- With a Security Functional Unit
  - Security is represented in Upper Management
- Without the Security Functional Unit
  - the Security Head does not take part in Strategic Planning
  - i.e. s/he is not a SIRO in the government sense.
Could the Head of General IT take the role of SIRO?
Information Security Lifecycle
Life Cycles
Managing a Project
1 Analyse
2 Plan
3 Implement
4 Enjoy the fruits of your work ...
5 Done. Leave it behind you.
6 Next Project.
What is missing here?
Learning Cycles (a general cycle)
A cycle of questions, each feeding the next:
- What have we done?
- What to change?
- What shall it be?
- What to do?
- Do it! Enjoy it!
Learning Cycles (a general cycle) (2)
The same cycle, with each step named:
- Evaluation
- Analysis
- Vision
- Plan
- Action
- Benefit
Learn from each step – input into the next step.
Using the cycle
- Evaluation and Reflection
  - think through what you have done at each step
  - use your experience in the next step
  - make each iteration better than the last
- Experience does not always give improvement
  - improvement is a conscious effort, based on experience
  - many people have a beginner's experience over and over again
- Adapt it to your style and the problem at hand
  - where do you start? (analysis? action? plan?)
  - many short cycles? or fewer long cycles?
- Don't overdo it
  - constant reflection and evaluation leaves no time for real work
  - reserve time for reflection – to think back
  - use the rest of the time to act – to move forward
Applying the cycle
- Software Development Lifecycle
  - Waterfall methodologies – few iterations
  - Agile development – many iterations
    - rapid iterations to acquire understanding and experience
    - use this to improve planning
- Personal Development
  - Plan your own development
  - Reflect to improve
- Management
  - Periodic reviews of the organisation
  - Develop new plans and implement changes
The Information Security Lifecycle (ISO 27004)
Plan
1 Assess realistic likelihood of security failures
2 Select objectives and controls
Do
1 Implement controls
2 Define how to measure the effectiveness of controls
3 Measure the effectiveness of controls to verify that security requirements are met
Check
1 Regular review
2 Review Risk Assessments
3 Include results of effectiveness measurements
4 Management Review of the ISMS
5 Output of the review includes
  - update of risks
  - improvement decisions
Act
1 Implement identified improvements in the ISMS
Policies and Documents
Communication
Communication with your Organisation
- The organisation is a fine machinery
  - each part must know its role
  - all the parts must be co-ordinated to work together
- Management is responsible for co-ordination and consistency
  - has the overview
- Everyone must know his/her own part
  - good communication is key to co-ordination
- Policies, standards, and other documents are essential communication tools
Warning
- Documents do not exist for their own sake
- Documents are not security features
- Each document has a purpose
  - otherwise it is not worth writing
- Each document has a target audience
  - and must be written specifically for that audience
  - different audiences have different needs and abilities
- Don't write documents that no one will read
  - don't make the document longer than what will be read
If you do not know why you write a particular document, it is bound to be a bad one.
Dr Hans Georg Schaathun Managing Information Security Autumn 2010 – Week 3 33 / 47
Policies and Documents Communication
Warning
Documents do not exist for there own sakeDocuments are not security featuresEach document has a purpose
otherwise it is not worth writingEach document has a target audience
and must be written specifically for that audiencedifferent audiences have different needs and abilities
Don’t write documents that no one will readdon’t make the document longer than what will be read
If you do not know why you write a particular document, it isbound to be a bad one.
Dr Hans Georg Schaathun Managing Information Security Autumn 2010 – Week 3 33 / 47
Documents

Policy: Why
Standard: What
Guideline: How
Security Policy

Definition (Organisational Security Policy)
The laws, rules, and practices regulating how an organisation manages, protects, and distributes resources to achieve specified security policy objectives.

Definition (Automated Security Policy)
The set of restrictions and properties that specify how a computing system prevents information and computing resources from being used to violate an organisational security policy.
Scope of the Security Policy

The organisational security policy
  aims to secure the resources of the organisation;
  not limited to software and hardware;
  the users are part of the system.
The automated security policy
  one of the means to implement the organisational security policy;
  limited to software and hardware.
Organisation and management
  contributes to security;
  privileges must be assigned intelligently;
  privileged users must use their rights correctly.
Policies and Other Documents

Policy: defines the priorities and focuses on the why of security. Responsibilities are assigned, and security requirements may be defined.
Standard: defines mandatory rules of conduct, aiming to implement the policy.
Guidelines: a set of best practice and advice to help units and individuals implement the policies and the standards. They are not mandatory.
The Audience: The Organisational Security Policy

Different audiences
  Users
  Owners
  System Administrators
  Customers (and other beneficiaries)
  Developers (system designers and programmers)
Each group needs
  1. Assurance: their security needs are taken care of.
  2. Awareness of their responsibility: they know how to act correctly, maintaining security.
Structure of the Policy

No set format for policies
  you write what the application requires;
  different organisations have different needs.
It depends on other documents
  some things are necessary, but could go in the policy document or elsewhere:
  Catalogue of Assets, Threat Descriptions, Risk Analysis.
Literature tends to focus on large corporations
  rarely explicit or specific,
  but tends to assume a dozen people in the information security department...
Very little literature on policies for SMEs
  Ilona Ilvonen (ECIW 2009)
Bottom line: there is no cookbook for this;
  you will have to think, and look at what the problem requires.
Policies must be managed over time
  We will return to this.
Information Security Management Life Cycle (Ilona Ilvonen 2009)

1. Define goals, roles, and responsibilities
2. Analyse current status and risks
3. Define/update policies and procedures
4. Training and awareness
(then back to step 1)
Security Policy in Context: Systems Design

Working as a system designer
  what is the role of the security policy?
Requirements gathering
  many requirements are stated in the policy;
  many requirements follow from the policy.
Policies and Documents: Case Study (Policy)
The Enron/Andersen Scandal

The Enron Energy Corporation (USA)
  criminal investigation for fraud (a few years ago).
Arthur Andersen
  a world-renowned accounting firm.
Andersen was implicated when they destroyed client files
  ... relating to Enron.
Security Policy or Obstruction of Justice

Andersen staff were charged with obstruction of justice
  for shredding documents relevant to the investigation.
They claimed to be following policy:
  Andersen should not keep client files longer than necessary.
Who's right? Should client files be destroyed?
A question of timing

When policy contradicts law
  the law is right;
  the policy is illegal.
However, that was not the problem here:
  inconsistent implementation of the policy.
Shredding started only after the investigation.
Consistent and timely shredding according to policy
  one could get away with that.
Timely shredding according to policy, before the investigation is known
  that's OK.
In practice a retention policy must therefore also say when routine destruction stops: once an investigation or litigation is known or reasonably anticipated, a hold on the affected records overrides the retention schedule.
Closing
Summary

Security awareness and decisions are required at all levels of management:
  strategic management,
  functional management,
  operational management.
Good communication is essential to implement decisions in the organisation.
Management and development require continuous learning and improvement.
Lifecycles are a common and useful model;
  evaluation and reflection are key to the cycle.