Security Policies and Procedures Principles and Practices


Security Policies and Procedures: Principles and Practices, by Sari Stern Greene. Chapter 3: Information Security Framework

Objectives
- Plan the protection of the confidentiality, integrity and availability of corporate data (the CIA Triad)
- Classify data and information
- Identify information ownership roles
- Apply the ISO 17799/BS 7799 Code of Practice for Information Security Management
- Understand the intent of the 10 security domains of the ISO 17799:2000 Code of Practice

Copyright 2006 Pearson Prentice Hall

Introduction: The CIA Triad
- The Triad stands for Confidentiality, Integrity and Availability
- An attack against one or several of the elements of the CIA triad is an attack against the information security of the organization
- Protecting the CIA triad means protecting the assets of the company

C is for Confidentiality
- Not all data owned by the company should be made available to the public
- Failing to protect data confidentiality can be disastrous for an organization:
  - Dissemination of Protected Health Information (PHI) shared between doctor and patient
  - Dissemination of Protected Financial Information (PFI) shared between bank and customer
  - Dissemination of business-critical information to a rival company

C is for Confidentiality (cont.)
- Only authorized users should gain access to information
- Information must be protected when it is used, shared, transmitted and stored
- Information must be protected from unauthorized users, both internal and external
- Information must be protected whether it is in digital or paper format

C is for Confidentiality (cont.)
- The threats to confidentiality must be identified. They include:
  - Hackers
  - Shoulder surfing
  - Lack of shredding of paper documents
  - Malicious code (viruses, worms, Trojans)
  - Unauthorized employee activity
  - Improper access control

C is for Confidentiality (cont.)
- Identifying threats is important, but so is understanding why the company is vulnerable to those threats
- A risk assessment should be conducted prior to the creation of the policy
- The risk assessment will identify what threats exist, why the organization is vulnerable to them, and what the risk is of a threat becoming an actual attack

I is for Integrity
- Protecting data integrity means protecting data from being tampered with by an unauthorized source
- A business that cannot trust the integrity of its data is a business that cannot operate
- An attack against data integrity can mean the end of an organization's ability to conduct business

I is for Integrity (cont.)
- Threats to data integrity include:
  - Hackers
  - Unauthorized user activity
  - Improper access control
  - Malicious code
  - Interception and alteration of data during transmission

I is for Integrity (cont.)
- Controls that can be deployed to protect data integrity include:
  - Technical controls:
    - Digital signatures for email
    - File integrity verifier utilities for operating systems
  - Behavioral controls:
    - Separation of duties
    - Rotation of duties
    - End-user security training

A is for Availability
- Availability: the assurance that data is accessible when it is needed by authorized users
- What is the cost to the organization of the loss of data availability?
- A risk assessment should be conducted to protect data availability more efficiently

A is for Availability (cont.)
- Threats to data availability include:
  - Loss of processing abilities due to natural disaster
  - Loss of processing abilities due to hardware failure
  - Loss of processing abilities due to human error
  - Loss of processing abilities due to malicious acts
  - Loss of power
  - Malicious code
  - Temporary or permanent loss of key personnel

Planning the Goals of an Information Security Program
- Which is more important to protect: confidentiality, integrity or availability?
- There is no fixed answer: it depends on the information or process at hand
- The organization needs to define and rate all the business processes on which it relies in order to assign the right order of importance to each one
- Resources should be allocated in accordance with the ratings obtained

Planning the Goals of an Information Security Program (cont.)
- Impact of an attack on one aspect on the others: the risk assessment should outline, for example, how an attack on availability impacts the protection of data confidentiality and integrity

The 5 A's of Information Security
- Accountability
- Assurance
- Authentication
- Authorization
- Accounting

The 5 A's of Information Security (cont.): Accountability
- All actions should be traceable to the person who committed them
- Logs should be kept, archived and secured
- Intrusion detection systems should be deployed
- Computer forensic techniques can be used retroactively
- Accountability should focus on both internal and external actions

The 5 A's of Information Security (cont.): Assurance
- Security measures need to be designed and tested to ascertain that they are efficient and appropriate
- The knowledge that these measures are indeed efficient is known as assurance
- The activities related to assurance include:
  - Auditing and monitoring
  - Testing
  - Reporting

The 5 A's of Information Security (cont.): Authentication
- Authentication is the cornerstone of most network security models
- It is the positive identification of the person or system seeking access to secured information and/or systems
- Examples of authentication models:
  - User ID and password combination
  - Tokens
  - Biometric devices

The 5 A's of Information Security (cont.): Authorization
- The act of granting users or systems actual access to information resources
- Note that the level of access may change based on the user's defined access level
- Examples of access levels include the following:
  - Read only
  - Read and write
  - Full

The 5 A's of Information Security (cont.): Accounting
- Defined as the logging of access to and usage of resources
- Keeps track of who accesses what resource, when, and for how long
- Example of use: an Internet café, where users are charged by the minute for use of the service

Classifying Data and Information: Data Classification
- Data classification is required when creating a risk assessment
- Not all information has the same security requirements
- The level of classification of data has a direct impact on the security of the server on which it is located

Classifying Data and Information (cont.)
- Each company can customize its own data classification model to better serve its security needs
- The most common classification system includes three levels:
  - Confidential
  - Sensitive
  - Public

Classifying Data and Information (cont.): Confidential Data
- Not to be shared with the public
- Not to be shared with all employees
- Should only be made available to a small subset of authorized employees
- Unauthorized disclosure of this data would bring harm to the organization
- Examples: financial information, R&D discoveries, proprietary information

Classifying Data and Information (cont.): Sensitive Data
- Not to be shared with the public
- Available on a need-to-know basis
- Usually available to more employees than confidential information
- Unauthorized disclosure would harm the company, especially in terms of reputation, privacy, credibility and regulatory compliance

Classifying Data and Information (cont.): Public Data
- Can be shared with the public
- Disclosure of this data would not bring harm to the organization
- Examples: official price list, published list of service phone numbers
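Added example, not from the slides: a small policy decision point that ties the three classification levels above to the authorization levels (read only, read and write, full) and the accounting log from the 5 A's. Public data is readable by anyone, while sensitive and confidential data require both sufficient clearance and an explicit need-to-know grant; every decision is logged so it is traceable to a user. The user names, resource inventory and clearance rules are constructed for illustration.

```python
from datetime import datetime, timezone
from enum import IntEnum

class Classification(IntEnum):
    PUBLIC = 0        # ordering lets a user's clearance be compared with a data label
    SENSITIVE = 1
    CONFIDENTIAL = 2

class AccessLevel(IntEnum):
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2
    FULL = 3

# Minimum access level each action needs, and a constructed asset inventory
REQUIRED_LEVEL = {"read": AccessLevel.READ_ONLY, "write": AccessLevel.READ_WRITE, "delete": AccessLevel.FULL}
RESOURCES = {"price_list": Classification.PUBLIC,
             "employee_records": Classification.SENSITIVE,
             "rnd_discoveries": Classification.CONFIDENTIAL}

class AccessController:
    """Authorization decisions plus an accounting log: who accessed what, when, with what result."""

    def __init__(self):
        self.audit_log = []

    def decide(self, user, resource, action):
        classification = RESOURCES[resource]
        required = REQUIRED_LEVEL[action]
        # Need-to-know: no explicit grant means no access, except that public data is
        # readable by anyone (changing it still needs a grant)
        level = user["grants"].get(resource, AccessLevel.NONE)
        if classification == Classification.PUBLIC:
            level = max(level, AccessLevel.READ_ONLY)
        if user["clearance"] < classification:
            allowed, reason = False, "insufficient clearance"
        elif level < required:
            allowed, reason = False, "insufficient access level"
        else:
            allowed, reason = True, "granted"
        # Accountability: every decision, allowed or denied, is traceable to a user
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(), "user": user["id"],
                               "resource": resource, "action": action,
                               "classification": classification.name, "allowed": allowed, "reason": reason})
        return allowed

def demo():
    """Constructed users exercising all three classification levels; returns decisions and the log."""
    ctl = AccessController()
    clerk = {"id": "clerk01", "clearance": Classification.SENSITIVE,
             "grants": {"employee_records": AccessLevel.READ_ONLY}}
    researcher = {"id": "res07", "clearance": Classification.CONFIDENTIAL,
                  "grants": {"rnd_discoveries": AccessLevel.READ_WRITE}}
    decisions = [
        ctl.decide(clerk, "price_list", "read"),              # public: readable by everyone
        ctl.decide(clerk, "price_list", "write"),             # no grant to change public data
        ctl.decide(clerk, "employee_records", "read"),        # cleared and granted read
        ctl.decide(clerk, "employee_records", "write"),       # grant is read-only
        ctl.decide(clerk, "rnd_discoveries", "read"),         # clearance too low
        ctl.decide(researcher, "rnd_discoveries", "write"),   # cleared and granted read/write
        ctl.decide(researcher, "rnd_discoveries", "delete"),  # delete needs FULL
        ctl.decide(researcher, "employee_records", "read"),   # cleared, but no need-to-know grant
    ]
    return decisions, ctl.audit_log
```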

Identifying Information Ownership Roles: Information Ownership
- Many are confused as to who the owner of information is, which can endanger the confidentiality of that information
- It is important for the organization to clearly define who the information owners are
- Information owners are those originally responsible for the policies and practices governing the information
- IT usually plays the role of data custodian, not data owner

The ISO 17799/BS 7799 Code of Practice for Information Security Management
- A framework of information security recommendations applicable to public and private organizations of all sizes
- Official definition: "the ISO [ ] standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization" (from the ISO web site)

The ISO 17799/BS 7799 Code of Practice for Information Security Management (cont.)
- Quick facts about ISO 17799/BS 7799:
  - Started as a British document in 1989
  - Was proposed as an international standard after two revisions, in 1997 and 1999
  - Adopted by the ISO in August 2000
  - There is currently no certification process for ISO 17799
  - Adopted internationally

Using the Ten Security Domains of the ISO 17799:2000
- The Security Policy domain:
  - Focuses on providing direction and support for the information security program
  - Emphasizes the importance of visible leadership and involvement of senior management
  - This involvement should impact the following processes:
    - Establishing policy
    - The direction of the information security program
    - A commitment to protecting physical and logical resources

Using the Ten Security Domains of the ISO 17799:2000 (cont.)
- The Organizational Security domain:
  - Focuses on establishing and supporting a management framework to implement and manage information security within, across and outside the organization
  - Inward-facing controls: concentrate on employees' and stakeholders' relationships to information systems
  - Outward-facing controls: concentrate on third-party access to information systems

Using the Ten Security Domains of the ISO 17799:2000 (cont.)
- The Asset Classification & Control domain:
  - An accurate inventory of all information security assets should be maintained
  - Information assets should be classified to receive the appropriate level of protection
  - Information assets include:
    - Intellectual property
    - Raw data
    - Mined information
    - Software

Using the Ten Security Domains of the ISO 17799:2000 (cont.)
- The Personnel Security domain:
  - Organizations need controls for security in the hiring, employment and termination of staff
  - Such controls include:
    - Personnel screening
    - Acceptable use and confidentiality agreements
    - Terms and conditions of employment
  - Employees should be trained to be:
    - Security conscious
    - Ready to handle incident response situations

Using the Ten Security Domains of the ISO 17799:2000 (cont.)
- The Physical & Environmental Security domain:
  - Focuses on designing and maintaining a secure physical environment to protect the company from unauthorized access, damage and interference to business premises
  - Achieved by:
    - Control of the physical security perimeter and entry points
    - Creating secure offices and rooms
    - Deploying physical access controls
  - Must include several company departments

Using the Ten Security Domains of the ISO 17799:2000 (cont.)
- The Communications & Operations Management domain:
  - Focuses on secure operation of information processing facilities
  - Includes detailed operating instructions and incident response procedures
  - Technical controls include IDS, antivirus, backup, auditing, logging and system monitoring, and encryption for transmitted information

Using the Ten Security Domains of the ISO 17799:2000 (cont.)
- The Access Control domain:
  - Goal: to prevent unauthorized access to information systems
  - Defines access control policy, user authentication and access management, network access controls, operating system access controls, monitoring and logging
  - Also applies to mobile computing

Using the Ten Security Domains of the ISO 17799:2000 (cont.)
- The System Development & Maintenance domain:
  - Security should be defined at the genesis of the product development cycle
  - A new product may require encryption
  - Change control policies should be implemented to ensure the integrity of system and information files

Using the Ten Security Domains of the ISO 17799:2000 (cont.)
- The Business Continuity domain:
  - Business-critical processes must be protected from the effects of disasters
  - Focuses on data and system availability
  - Identifies the impact of events that cause interruption of business processes
  - Designs the response, recovery and continuity plan
  - The plan should be regularly tested and reassessed

Using the Ten Security Domains of the ISO 17799:2000 (cont.)
- The Compliance domain:
  - All organizations must comply with regulations at different levels, which include:
    - Local, national and international laws
    - Criminal and civil laws
    - Regulatory and/or contractual obligations
    - Intellectual property rights
    - Copyrights
  - The organization's legal advisor should be involved in this domain

Using the Ten Security Domains of the ISO 17799:2000 (cont.)
- Quick facts:
  - Depending on the size of the company, not all policies related to ISO 17799 need to be implemented
  - Too many policies, especially when not all are needed, can become too confusing and result in the rejection of the whole policy
  - The organization should identify which of the policies are appropriate and should be implemented

Summary
- The CIA triad is the blueprint of what assets need to be protected in order to protect the organization.
- Protecting the organization's information security can seem vague and too conceptual. Protecting the confidentiality, integrity and availability of the data is a more concrete way of saying the same thing.
- Standards such as ISO 17799 exist to help organizations better define appropriate ways to protect their information assets.