TEL382 Greene Chapter 3

Post on 20-Dec-2015



9/7/09 2

Outline
• Planning Goals of an Information Security Program
• Classifying Data and Information
• Identifying Information Ownership Roles
• ISO 17799/BS 7799 Code of Practice
• Using the 10 Security Domains of ISO 17799-2000
  – Security Policy
  – Organizational Security
  – Asset Classification and Control
  – Personnel Security
  – Physical and Environmental Security
  – Communications and Operations Management
  – Access Control
  – System Development and Maintenance
  – Business Continuity Management
  – Compliance


Planning Goals of an Information Security Program

• Framework provides the foundation and framing for the information security program
  – Classify program needs into logical and manageable domains
  – Information classification
  – Information ownership

• CIA Triad
  – Confidentiality: prevent unauthorized disclosure of sensitive information
    • Consider information states (stored, processed, transmitted), residences (information systems, paper, humans), vulnerabilities, threats
  – Integrity: protection from intentional or accidental unauthorized modification
    • Consider vulnerabilities and threats
  – Availability: assurance that systems and data are accessible by authorized users when needed
    • Uptime, Service Level Agreements
    • Consider threats


Five A’s of Information Security

• Accountability: process of tracing actions to their source

• Assurance: processes, policies, and controls used to develop confidence that security measures are working as intended

• Authentication: positive identification of the person or system seeking access to secured information or systems

• Authorization: granting users and systems a predetermined level of access to information resources

• Accounting: the logging of access and usage of information resources


Classifying Data and Information

• Different kinds of information have different levels of importance, and therefore need different levels of protection

• Classification labels and the access control models that enforce them:
  – Confidential, Sensitive, Public
  – Mandatory Access Control (MAC): the system enforces access by comparing the subject's clearance with the object's label; owners cannot override the decision
  – Discretionary Access Control (DAC): the information owner decides who else may access the object
  – Role-Based Access Control (RBAC): permissions are attached to roles, and users obtain access only through the roles they hold
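The Five A's above (authentication, authorization, accounting) and the three access control models on this slide are easiest to see side by side in a small reference monitor. The block below is an added example for these lecture notes, not code from the Greene text or from any product; the users, roles, clearances and documents in it are constructed for illustration, and the MAC rule it applies is the Bell-LaPadula "no read up, no write down" pair. Every decision, allowed or denied, is appended to an accounting log with the reason, which is what makes the decision traceable to its source (accountability).

```python
"""Toy reference monitor: a MAC check on Confidential/Sensitive/Public labels,
an RBAC check on role permissions, a DAC check on the owner's share list, and
an accounting log of every decision. Added example with constructed data; the
users, roles and documents are assumptions, not real policy."""
from dataclasses import dataclass, field

# Classification levels from the slide, ordered low -> high. MAC compares ranks.
LEVELS = {"Public": 0, "Sensitive": 1, "Confidential": 2}

# RBAC: permissions belong to roles; users acquire them only through roles.
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "editor": {"read", "write"},
}


@dataclass
class Document:
    name: str
    label: str                              # MAC label, one of LEVELS
    owner: str                              # information owner (DAC), not the custodian
    shared_with: set = field(default_factory=set)


@dataclass
class User:
    name: str
    clearance: str                          # MAC clearance, one of LEVELS
    roles: set


AUDIT_LOG = []   # accounting: who asked for what, and why it was allowed or denied


def authorize(user, action, doc):
    """Return True only if MAC, RBAC and DAC all permit `action` on `doc`."""
    allowed, reason = _decide(user, action, doc)
    AUDIT_LOG.append({"user": user.name, "action": action, "doc": doc.name,
                      "allowed": allowed, "reason": reason})
    return allowed


def _decide(user, action, doc):
    subject, obj = LEVELS[user.clearance], LEVELS[doc.label]
    # MAC (Bell-LaPadula): no read up, no write down. Owners cannot override this.
    if action == "write" and subject > obj:
        return False, "MAC: write down (clearance above label)"
    if action != "write" and subject < obj:
        return False, "MAC: read up (clearance below label)"
    # RBAC: at least one of the user's roles must carry the permission.
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    if action not in perms:
        return False, f"RBAC: no role grants '{action}'"
    # DAC: the owner, not IT, decides who else may touch the document.
    if user.name != doc.owner and user.name not in doc.shared_with:
        return False, "DAC: neither owner nor on share list"
    return True, "allowed"


def demo():
    """Run a fixed scenario on constructed data and return the decisions."""
    alice = User("alice", "Confidential", {"editor"})
    bob = User("bob", "Public", {"analyst", "editor"})
    dave = User("dave", "Public", set())
    forecast = Document("q3_forecast", "Confidential", owner="alice")
    release = Document("press_release", "Public", owner="bob",
                       shared_with={"alice"})
    requests = [
        (bob, "read", forecast),     # MAC denies: Public clearance reading Confidential
        (alice, "read", forecast),   # owner, editor role, label matches: allowed
        (alice, "read", release),    # reading down is permitted
        (alice, "write", release),   # MAC denies: Confidential subject writing a Public object
        (bob, "write", release),     # owner, editor role, labels equal: allowed
        (dave, "read", release),     # RBAC denies: no roles, so no permissions
    ]
    return [(u.name, a, d.name, authorize(u, a, d)) for u, a, d in requests]


if __name__ == "__main__":
    for row in demo():
        print(row)
    for entry in AUDIT_LOG:
        print(entry)
```

The order of the checks matters in practice: the mandatory check runs first because nothing an owner or a role administrator does may relax it, and the audit entry records which layer denied the request so an investigator can tell a clearance problem from a misconfigured role.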


Identifying Information Ownership Roles

• IT and IS departments are rarely the owners of organizational information; they are usually its custodians

• Information ownership is charged to those responsible for protecting the information and business results derived from using the information


ISO 17799/BS 7799 Code of Practice

• The International Organization for Standardization (ISO) developed a framework of information security recommendations applicable to public and private organizations (ISO 17799 grew out of the British Standard BS 7799 and was later renumbered ISO/IEC 27002)

• For use by those responsible for initiating, implementing, or maintaining security


Using the 10 Security Domains of ISO 17799-2000

• Organizations develop controls applicable to 10 Domains (areas, categories):
  – Security Policy
  – Organizational Security
  – Asset Classification and Control
  – Personnel Security
  – Physical and Environmental Security
  – Communications and Operations Management
  – Access Control
  – System Development and Maintenance
  – Business Continuity Management
  – Compliance


Security Policy

• Direction and support for information security program

• Establish policy, direction of program, commitment to protecting physical & logical information resources

• Requires visible leadership and senior management involvement


Organizational Security

• Establishing and supporting a management framework to implement and manage information security within, across and outside the organization

• Inward facing
  – Employees' and stakeholders' relationships to information systems

• Outward facing
  – Third-party access to systems


Asset Classification and Control

• Maintain accurate inventory of information assets

• Classification indicates level of protection required

• Labels indicate level and appropriate procedures for access, use, storage, transmission, destruction


Personnel Security

• Most theft, fraud and misuse is made possible by human error, negligence or deliberate misuse, so controls must address people as well as systems

• Controls for hiring, employing, and terminating staff, management, and directors

• Screening, acceptable use, confidentiality agreements, terms and conditions of employment

• Employee training, incident response


Physical and Environmental Security

• Focus on designing and maintaining a secure physical environment to prevent unauthorized access, damage, and interference to business premises

• Control physical security perimeter and physical entry, physical access control, fire, water and electromagnetic radiation protection


Communications and Operations Management

• Correct and secure operation of information processing facilities such as data centers

• Network management, housekeeping (antivirus and antispyware software, intrusion detection and prevention devices, backups, logging, system monitoring), special controls (encryption, VPNs, etc.)


Access Control

• Prevent unauthorized access

• Define the access control policy and rules, covering:
  – User authentication and access management
  – Network access controls
  – Operating system access controls
  – Use of system utilities
  – Monitoring of system access and use
  – Information security when using mobile computing and teleworking facilities


System Development and Maintenance

• Build security in from the beginning rather than adding it after the system is built

• Security requirements analysis and specification at every stage of development

• Strict change control procedure to track changes

• Ensure no covert channels, back doors, Trojans, etc. are introduced during development


Business Continuity Management

• Protect critical business processes from the effects of major failures or disasters, and minimize interruptions to business activities

• Identify the impact of events that would interrupt processes, and design response, recovery and continuity plans

• Plan must be periodically tested, maintained, and reassessed based upon changing circumstances


Compliance

• Ensure that information systems comply with local, national, and international criminal and civil laws, regulatory or contractual obligations, intellectual property rights (IPR), and copyrights

TEL382 Greene Chapter 4


Outline

• Composing a Statement of Authority

• Security Policy Document Policy
  – Document Objective and Ownership
  – Employee Version
  – Policies are Dynamic

• Managing Organizational Security
  – Infrastructure Policy
  – Identification of Risk from Third Parties
  – Requirements in Outsourcing


Composing a Statement of Authority (SOA)

• Conveys organization’s intent, objective and commitment

• Must be issued by an authority figure
  – A leader and decision maker with an enforcement role
  – Chairman of the Board, CEO, President, Owner, etc.

• Delivers clear message about importance of information security

• Written for audience from diverse background, education, experience, age


Security Policy Document Policy

• First Policy: Information Security Policy Document Objective and Ownership Policy

• Must be consistent and unwavering; unequivocally states need for information security policies as well as who is responsible for creating, approving, enforcing and reviewing policies

• Objective is to direct, approve, publish, and communicate merits of an information security policy document (policy about the need for written and managed policies)


Security Policy Document Policy

• Relationship to Federal Law
  – Financial Modernization Act (Gramm-Leach-Bliley Act, GLBA) for financial institutions
  – Health Insurance Portability and Accountability Act (HIPAA) for healthcare providers and insurance companies
  – Sarbanes-Oxley (SOX) for publicly traded companies
  – Family Educational Rights and Privacy Act (FERPA) for educational institutions


Employee Version

• Comprehensive security policy may be too much for the average employee

• Separate document for user community

• May be called “Acceptable Use Agreement” or “Employee Affirmation Agreement”


Policies are Dynamic

• Events within an organization that affect its culture, procedures, activities, employee responsibilities or relationships should trigger risk and vulnerability assessments and a review of policies

• Examples: acquiring a new company, changing physical locations, introducing new technology, employee layoffs

• Policies are "owned" by Senior Management, the Information Security Officer, etc.
  – The owner develops, maintains, and reviews them


Managing Organizational Security

• Policy must address and encourage a multidisciplinary approach to information security
  – Involves the cooperation of managers, users, administrators, application designers, auditors, and security staff

• Policy must control the type of access that third parties can have to information and information systems
  – Also consider facility access
  – And outsourcing

TEL382 Greene Appendix B


Outline

• Policy Statement
• Acceptable Use of Information Resources
• Internet Use
• E-mail Use Policy
• Incidental Use of Information Resources
• Password Policy
• Portable Computing Policy
• Distribution
• Affirmation Agreement
• Standard Definitions


Policy Statement

• Intentions

• Purpose – Motivation

• Chairman’s Statement


Acceptable Use of Information Resources

• Inappropriate Use
• Official Business
• No Personal Business
• No Expectation of Privacy
• Details
  – Do not share accounts, passwords, PINs, tokens, etc.
  – Do not access data, programs, or resources that you do not have authorization for
  – If you receive material you should not have, secure the material and report it to your supervisor
  – Do not make unauthorized copies of copyrighted material
  – Do not install nonstandard software
  – Do not circumvent antivirus software
  – Do not download, install, or run programs that reveal weaknesses
  – Report discovered weaknesses or possible misuse


Internet Use

• Software used to access the Internet must be part of the company's standard software suite

• Browsing software is for business use only

• Do not download or install software from the Internet

• E-commerce over the Internet is not allowed

• All user activity is subject to logging and review


E-mail Use Policy

• Code of Ethics
  – No intimidating or harassing
  – No political lobbying or campaigning
  – No violation of copyright laws
  – No posing as anyone other than oneself
  – No chain letters
  – No unsolicited messages to large groups
  – No excessively large messages
  – No sending of messages likely to contain viruses
  – No misrepresentation of self as the company
  – No sending, receiving, or forwarding of company confidential information through non-company email
  – No sending, receiving, or forwarding of company confidential information through non-company mobile devices
  – Email messages and Internet sites are property of the company


Incidental Use of Information Resources

• Incidental use of resources may be allowed
  – Only for company-approved users
  – Must not result in direct cost to the company
  – Must not interfere with normal performance of work duties
  – Must not involve solicitation, outside business activity, or result in embarrassment to the company
  – Storage of email, voice messages, etc. must be nominal
  – All messages, files, documents, etc. stored on company resources are owned by the company


Password Policy

• Passwords must be constructed and implemented according to company-approved standards

• Passwords must not be divulged to anyone

• Passwords must be changed immediately if their security is in doubt

• Users must not attempt to circumvent password controls

• Users must not leave devices unattended without a password-protected screensaver or other security

• Passwords that are found written down or otherwise exposed must be secured


Portable Computing Policy

• Only company-approved devices may be used
• Devices must be password protected
• Company data should not be stored on the device; if it must be, then it must be encrypted
• Data must not be transmitted via wireless unless encrypted
• Devices must conform to standards for configuration and connectivity
• Unattended devices must be physically secured


Distribution

• Give copy to new employees upon hire

• Give copy to current employees

• Employees sign a statement confirming that it has been read


Affirmation Agreement

• “I certify that I have read and fully understand the information security policies set forth”


Standard Definitions