Ch 4: Information Security Policy
Objectives
• Upon completion of this material you should be
able to:
– Define information security policy and understand its
central role in a successful information security
program
– Describe the three major types of information security
policy and explain what goes into each type
– Develop various types of information security
policies
Management of Information Security, 3rd ed.
Introduction
• Policy is the essential foundation of an
effective information security program
• Policy maker sets the tone and emphasis
on the importance of information security
• Objectives
– Reduced risk
– Compliance with laws and regulations
– Assurance of operational continuity,
information integrity, and confidentiality
Why Policy?
• Policies are the least expensive means of
control and often the most difficult to
implement
• Basic rules for shaping a policy
– Policy should never conflict with law
– Policy must be able to stand up in court if
challenged
– Policy must be properly supported and
administered
Why Policy? (cont’d.)
• Bull’s-eye model
– Networks: threats first meet the organization’s network
– Systems: computers and manufacturing systems
– Applications: all application systems
Why Policy? (cont’d.)
• Policies are important reference documents
– For internal audits
– For the resolution of legal disputes about
management's due diligence
– Policy documents can act as a clear
statement of management's intent
• Types of information security policy
– Enterprise information security program policy
– Issue-specific information security policies
– Systems-specific policies
Policy, Standards, and Practices
• Policy: A plan or course of action that influences
decisions
– Must be properly disseminated, read, understood,
agreed to, and uniformly enforced
– Requires constant modification and maintenance
• Standards
– A more detailed statement of what must be done to
comply with policy
• Practices
– Procedures and guidelines explain how employees will
comply with policy
Policies, Standards, & Practices
Figure 4-2 Policies, standards and practices
Source: Course Technology/Cengage Learning
Enterprise Information Security
Policy (EISP)
• Sets strategic direction, scope, and tone for
organization’s security efforts
• Assigns responsibilities for various areas of
information security
• Guides development, implementation, and
management requirements of information
security program
Example EISP Components
• Statement of purpose
• Information technology security elements
• Need for information technology security
• Information technology security
responsibilities and roles
• Reference to other information technology
standards and guidelines
Issue-Specific Security Policy
(ISSP)
• Provides detailed, targeted guidance
– Instructions for the secure use of technology systems
– Begins with introduction to fundamental technological
philosophy of the organization
• Protects organization from inefficiency and
ambiguity
– Documents how the technology-based system is
controlled
– Identifies the processes and authorities that provide
this control
• Indemnifies the organization against liability for
an employee’s inappropriate or illegal system use
Issue-Specific Security Policy (cont’d.)
• ISSP topics
– Email and internet use
– Minimum system configurations
– Prohibitions against hacking
– Home use of company-owned computer
equipment
– Use of personal equipment on company
networks
– Use of telecommunications technologies
– Use of photocopy equipment
Components of the ISSP
• Statement of Purpose
– Scope and applicability
– Definition of technology addressed
– Responsibilities
• Authorized Access and Usage of
Equipment
– User access
– Fair and responsible use
– Protection of privacy
Components of the ISSP (cont’d.)
• Prohibited Usage of Equipment
– Disruptive use or misuse
– Criminal use
– Offensive or harassing materials
– Copyrighted, licensed or other intellectual property
– Other restrictions
• Systems management
– Management of stored materials
– Employer monitoring
– Virus protection
– Physical security
– Encryption
Components of the ISSP (cont’d.)
• Violations of policy
– Procedures for reporting violations
– Penalties for violations
• Policy review and modification
– Scheduled review of policy and procedures for
modification
• Limitations of liability
– Statements of liability or disclaimers
System-Specific Security Policy
• System-specific security policies (SysSPs)
frequently do not look like other types of
policy
– may function as standards or procedures to be
used when configuring or maintaining systems
• SysSPs can be separated into
– Management guidance
– Technical specifications
– Or combined in a single policy document
Managerial Guidance SysSPs
• Created by management to guide the
implementation and configuration of technology
• Applies to any technology that affects the
confidentiality, integrity or availability of
information, e.g. firewall configuration
• Informs technologists of management intent
Technical Specifications SysSPs
• System administrators’ directions on
implementing managerial policy
• Each type of equipment has its own type of
policies
• General methods of implementing technical
controls
– Access control lists
– Configuration rules
Technical Specifications SysSPs (cont’d.)
• Access control lists
– Include the user access lists, matrices, and capability
tables that govern the rights and privileges
– A related method, the capability table, specifies which
subjects and objects a given user or group can access
– These specifications are frequently complex matrices,
rather than simple lists or tables
– Enable administrators to restrict access according to
user, computer, time, duration, or even a particular file
Technical Specifications SysSPs (cont’d.)
• Access control lists regulate
– Who can use the system
– What authorized users can access
– When authorized users can access the system
– Where authorized users can access the system from
– How authorized users can access the system
– Restricting what users can access, e.g. printers, files,
communications, and applications
• Administrators set user privileges
– Read, write, create, modify, delete, compare, copy
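The two preceding slides describe the same access matrix from two directions: an ACL is a column (one object, the subjects allowed to touch it), a capability table is a row (one subject, the objects it may touch), and the entries can be narrowed by who, what, when, where and how. The following is an added illustration written for these notes, not code from the textbook; the subjects, objects, hostnames and the time window are constructed sample values.

```python
"""Access control matrix with ACL and capability-table views (added example, not from the textbook)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    """One cell of the access matrix: the rights one subject holds on one object,
    optionally narrowed by where (host) and when (daily time window) they apply."""
    rights: FrozenSet[str]
    hosts: Optional[FrozenSet[str]] = None          # None means any workstation
    window: Optional[Tuple[time, time]] = None      # (start, end); None means any time


# Constructed sample matrix: subject -> object -> Entry. All names are hypothetical.
MATRIX: Dict[str, Dict[str, Entry]] = {
    "alice": {
        # HR analyst: may edit payroll, but only from the HR workstation during office hours
        "payroll.xlsx": Entry(frozenset({"read", "write"}),
                              hosts=frozenset({"hr-ws-01"}),
                              window=(time(8, 0), time(18, 0))),
        "printer-hr": Entry(frozenset({"print"})),
    },
    "bob": {
        # Auditor: read-only, from any host, at any time
        "payroll.xlsx": Entry(frozenset({"read"})),
    },
}


def acl(obj: str) -> Dict[str, FrozenSet[str]]:
    """ACL view (a column of the matrix): for one object, which subjects hold which rights."""
    return {subj: row[obj].rights for subj, row in MATRIX.items() if obj in row}


def capability_table(subj: str) -> Dict[str, FrozenSet[str]]:
    """Capability-table view (a row of the matrix): for one subject, which objects and rights."""
    return {obj: entry.rights for obj, entry in MATRIX.get(subj, {}).items()}


def is_permitted(subj: str, obj: str, right: str, host: str, when: datetime) -> bool:
    """Reference-monitor check covering who / what / how / where / when.
    Anything not explicitly granted is denied (default deny)."""
    entry = MATRIX.get(subj, {}).get(obj)
    if entry is None or right not in entry.rights:
        return False                                  # who / what / how
    if entry.hosts is not None and host not in entry.hosts:
        return False                                  # where
    if entry.window is not None:
        start, end = entry.window
        if not (start <= when.time() < end):
            return False                              # when
    return True


if __name__ == "__main__":
    office_hours = datetime(2024, 1, 15, 10, 30)
    print(acl("payroll.xlsx"))            # who may touch the payroll file
    print(capability_table("alice"))      # everything alice may touch
    print(is_permitted("alice", "payroll.xlsx", "write", "hr-ws-01", office_hours))   # True
    print(is_permitted("alice", "payroll.xlsx", "write", "laptop-07", office_hours))  # False: wrong host
```

The check is written default-deny: a missing subject, a missing object, a right that was never granted, the wrong host or a request outside the window all fall through to False, which is the property an auditor reviewing a SysSP of this kind would look for first.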
Technical Specifications SysSPs (cont’d.)
Figure 4-5 Windows XP ACL
Source: Course Technology/Cengage Learning
Technical Specifications SysSPs (cont’d.)
• Configuration rules
– Specific configuration codes entered into security
systems
– Guide the execution of the system when information is
passing through it
• Many security systems require specific
configuration scripts telling the systems what
actions to perform on each set of information they
process
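A firewall rule set is the textbook case of such a configuration script: an ordered list of rules, each stating what to do with a packet that matches it, evaluated top to bottom until the first match. The following is an added illustration written for these notes, not code from the textbook or from any firewall product; the rule set and the addresses (documentation ranges) are constructed.

```python
"""Ordered firewall rule evaluation with first-match semantics (added example, not from the textbook)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                 # source IP address
    dst: str                 # destination IP address
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # destination port; None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"           # CIDR; the default matches any destination
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every field it constrains agrees with the packet."""
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Constructed rule set (hypothetical network, documentation address ranges).
RULES: List[Rule] = [
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443,
         comment="anyone may reach the public web server over HTTPS"),
    Rule("allow", src="10.0.5.0/24", proto="tcp", dport=22,
         comment="SSH to internal hosts only from the admin subnet"),
    Rule("deny", comment="cleanup rule: everything not explicitly allowed is dropped"),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: return the action of the first matching rule and its index.
    If no rule matches at all, deny by default."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


def rule_hits(rules: List[Rule], traffic: List[Packet]) -> List[int]:
    """Audit helper: how many packets of a traffic sample each rule decided.
    A rule with zero hits may be dead (shadowed by an earlier rule) and deserves review."""
    hits = [0] * len(rules)
    for pkt in traffic:
        _, idx = evaluate(rules, pkt)
        if idx is not None:
            hits[idx] += 1
    return hits


if __name__ == "__main__":
    https_from_internet = Packet("198.51.100.7", "203.0.113.10", "tcp", 443)
    ssh_from_internet = Packet("198.51.100.7", "203.0.113.10", "tcp", 22)
    ssh_from_admin = Packet("10.0.5.12", "203.0.113.10", "tcp", 22)
    for pkt in (https_from_internet, ssh_from_internet, ssh_from_admin):
        action, idx = evaluate(RULES, pkt)
        print(pkt, "->", action, "by rule", idx, RULES[idx].comment)
```

Because evaluation stops at the first match, rule order is itself part of the policy: moving the cleanup rule to the top would silently turn the whole set into deny-everything, which is what the rule_hits audit over a representative traffic sample is meant to reveal.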
Technical Specifications SysSPs
(cont’d.)
Figure 4-6 Firewall configuration rules
Source: Course Technology/Cengage Learning
Guidelines for Effective Policy
• Policies must be properly:
– Developed using industry-accepted practices
– Distributed or disseminated using all
appropriate methods
– Reviewed or read by all employees
– Understood by all employees
– Formally agreed to by act or assertion
– Uniformly applied and enforced
Development steps
• Investigation (goals, support, participation)
• Analysis (risk assessment)
• Design (components, dissemination)
• Implementation (detailed specification)
• Maintenance
• Distribution
Policy Comprehension
Figure 4-9 Readability statistics
Source: Course Technology/Cengage Learning
Automated Tools
Figure 4-10 The VigilEnt policy center
Source: Course Technology/Cengage Learning
The Information Security Policy
Made Easy Approach (cont’d.)
Figure 4-11 A sample coverage matrix
Source: Course Technology/Cengage Learning
A Final Note on Policy
• Lest you believe that the only reason to
have policies is to avoid litigation, it is
important to emphasize the preventative
nature of policy
– Policies exist, first and foremost, to inform
employees of what is and is not acceptable
behavior in the organization
– Policy seeks to improve employee productivity,
and prevent potentially embarrassing situations
Summary
• Introduction
• Why Policy?
• Enterprise Information Security Policy
• Issue-Specific Security Policy
• System-Specific Policy
• Guidelines for Policy Development