Seven Requirements for Successfully Implementing Information Security Policies and Standards

Similar documents
Virginia Commonwealth University School of Medicine Information Security Standard

Employee Security Awareness Training Program

01.0 Policy Responsibilities and Oversight

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Donor Credit Card Security Policy

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Security Policies and Procedures Principles and Practices

SECURITY & PRIVACY DOCUMENTATION

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Cyber Security Program

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

CYBER SECURITY POLICY REVISION: 12

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Checklist: Credit Union Information Security and Privacy Policies

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Access to University Data Policy

7.16 INFORMATION TECHNOLOGY SECURITY

Data Processing Agreement

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Identity Theft Prevention Policy

Table of Contents. PCI Information Security Policy

Security and Privacy Governance Program Guidelines

Apex Information Security Policy

DETAILED POLICY STATEMENT

Information Security Management Criteria for Our Business Partners

Policies and Procedures Date: February 28, 2012

INFORMATION ASSET MANAGEMENT POLICY

Information Security Controls Policy

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

Mobile Device policy Frequently Asked Questions April 2016

UTAH VALLEY UNIVERSITY Policies and Procedures

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

ACCEPTABLE USE ISO INFORMATION SECURITY POLICY. Author: Owner: Organisation: Document No: Version No: 1.0 Date: 10 th January 2010

Virginia Commonwealth University School of Medicine Information Security Standard

Google Cloud & the General Data Protection Regulation (GDPR)

WELCOME ISO/IEC 27001:2017 Information Briefing

CCISO Blueprint v1. EC-Council

_isms_27001_fnd_en_sample_set01_v2, Group A

The Common Controls Framework BY ADOBE

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

Department of Public Health O F S A N F R A N C I S C O

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

Information Security Policy

Information Technology General Control Review

Acceptable Use Policy

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Oracle Data Cloud ( ODC ) Inbound Security Policies

Information Security Policy

PTLGateway Data Breach Policy

Responsible Officer Approved by

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

INFORMATION SECURITY AND RISK POLICY

<Document Title> INFORMATION SECURITY POLICY

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Security and Privacy Breach Notification

Credit Card Data Compromise: Incident Response Plan

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

IT ACCEPTABLE USE POLICY

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Lakeshore Technical College Official Policy

Name of Policy: Computer Use Policy

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

INFORMATION SECURITY PRINCIPLES OF THE UNIVERSITY OF JYVÄSKYLÄ

Information Security Incident Response Plan

ISO27001 Preparing your business with Snare

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Information Security Incident Response Plan

REPORTING INFORMATION SECURITY INCIDENTS

Juniper Vendor Security Requirements

a. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard

CITADEL INFORMATION GROUP, INC.

Data Protection Policy

Information technology security and system integrity policy.

The University of British Columbia Board of Governors

1. Policy Responsibilities & Oversight

Institute of Technology, Sligo. Information Security Policy. Version 0.2

Information Technology Branch Organization of Cyber Security Technical Standard

A company built on security

SYSTEMKARAN ADVISER & INFORMATION CENTER. Information technology- security techniques information security management systems-requirement

INFORMATION SECURITY- DISASTER RECOVERY

ADIENT VENDOR SECURITY STANDARD

Number: USF System Emergency Management Responsible Office: Administrative Services

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

RMU-IT-SEC-01 Acceptable Use Policy

Master Information Security Policy & Procedures [Organization / Project Name]

GM Information Security Controls

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Mobility Policy Bundle

Cyber Risks in the Boardroom Conference

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

Regulation P & GLBA Training

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

Standard for Security of Information Technology Resources

Transcription:

Seven Requirements for Successfully Implementing and Standards A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information Group August 2011 Copyright 2011. Citadel Information Group, Inc. All rights reserved.

P a g e 2 o f 10 TABLE OF CONTENTS WHY AN ORGANIZATION NEEDS INFORMATION SECURITY POLICIES AND STANDARDS 3 INFORMATION SECURITY POLICY OBJECTIVES 4 SEVEN REQUIREMENTS FOR SUCCESSFULLY IMPLEMENTING INFORMATION SECURITY POLICIES AND STANDARDS 4 REQUIREMENT 1. IDENTIFY ORGANIZATIONAL ISSUES THAT IMPACT INFORMATION SECURITY POLICY 4 REQUIREMENT 2. IDENTIFY THE VARIOUS CLASSES OF POLICY USERS 5 REQUIREMENT 3. ORGANIZE INFORMATION SECURITY POLICIES AND STANDARDS INTO MEANINGFUL CATEGORIES 6 REQUIREMENT 4. REVIEW DRAFT POLICIES AND STANDARDS WITH MANAGEMENT, USERS, AND LEGAL COUNSEL 6 REQUIREMENT 5. TRAIN ALL PERSONNEL IN THE ORGANIZATION S INFORMATION SECURITY POLICIES AND STANDARDS 7 REQUIREMENT 6. ENFORCE THE INFORMATION SECURITY POLICIES AND STANDARDS 7 REQUIREMENT 7. REVIEW AND MODIFY POLICIES AND STANDARDS, AS APPROPRIATE BUT AT LEAST ANNUALLY 7 PRO-FORMA INFORMATION SECURITY POLICIES AND STANDARDS TABLE OF CONTENTS 8 A FEW SAMPLE INFORMATION SECURITY POLICIES AND STANDARDS 9

P a g e 3 o f 10 WHY AN ORGANIZATION NEEDS INFORMATION SECURITY POLICIES AND STANDARDS Information security policies form the cornerstone of an organization s information security program. Without formal information security policies and standards, an organization cannot effectively secure its critical information assets. The simple fact that policies and standards are the necessary foundation of effective information protection is why 1 Legal compliance with Information security regulations like HIPAA and Gramm-Leach- Bliley require information security policies and standards MasterCard and Visa require organizations that accept their credit and debit cards to have information security policies and standards Every information security effective practice contains a requirement for organizationwide information security policies and standards In the event of an information incident negatively affecting 3 rd -parties, it may be argued that the absence of information security policies and standards is evidence of information negligence Information security policies and standards can significantly reduce the frequency, duration and cost of information security incidents. Information security policies and standards establish management s commitment to securing critical information assets establish uniform organizational standards for securing critical information assets provide guidance to managers and other employees as to their information security responsibilities, obligations and duties provide standards for use by IT personnel in securely configuring and maintaining the IT Infrastructure provide the foundation for complying with legal responsibilities associated with holding sensitive information of others, such as personal health or financial information, or proprietary information belonging to others set the security tone for the organization 1 An Emerging Information Security Minimum Standard Of Due Care, Robert Braun and Stan Stahl, Privacy and Data Security Law Journal, March 2006

INFORMATION SECURITY POLICY OBJECTIVES Seven Requirements for Successfully Implementing P a g e 4 o f 10 According to ISO 27002/17799, 2 information security policies and standards should include, at a minimum, the following guidance: a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing a statement of management intent, supporting the goals and principles of information security a brief explanation of the security policies and standards, principles, standards and compliance requirements of particular importance to the organization SEVEN REQUIREMENTS FOR SUCCESSFULLY IMPLEMENTING INFORMATION SECURITY POLICIES AND STANDARDS Management s biggest challenge lies not in the writing of specific policies and standards but in the orderly development and implementation of policies and standards. An organization can increase the odds that its information security policies and standards will actually influence security by adhering to the following seven requirements. Requirement 1. Identify organizational issues that impact information security policy Information security policies and standards need to accurately reflect the organization they are to serve. To the extent they do not, the organization will find itself in conflict between information security policies and standards and desired practices. Conflict between information security policies and standards and organizational realities can Waste organizational energy Increase cynicism towards the organization s commitment to information security Diminish the effectiveness of the information security policies and standards Increase the probability of serious costly information security failures 2 Information Technology Code of practice for information security management, International Standards Organization, ISO 27002.

P a g e 5 o f 10 Consequently, it is very important to build information security policies and standards in the broader context of the organization s business. Here are a dozen things to consider: 1. The organization s strategic focus and evolving business direction 2. The nature and type of information used in the organization 3. The different classes of information users and the types of information each uses 4. The needs for information sharing and protection between different parts of the organization 5. The needs for information sharing and protection between the organization and its suppliers, vendors, customers, and other business partners 6. Legal information privacy compliance requirements, obligations and duties 7. The organization s security culture and the its opportunities for cultural change 8. The organization s current and evolving technology infrastructures 9. Any history of information losses that might provide lessons-learned for policy developers 10. Other informational needs for confidentiality, integrity or availability 11. Already existing information security policies and standards 12. Other organization policies and standards Requirement 2. Identify the various classes of policy users Different classes of users have different information security roles and responsibilities. Your receptionist, your lead IT director, and a vendor all have different responsibilities. The organization may very well need different information security policies and standards for each of its different classes of users. These will, of course, have to be consistent across different classes of users. These different kinds of users may include: 1. Management, including Boards, executive management, and other management 2. End users, including employees, contractors, and consultants 3. Information system personnel, including employees, contractors, and consultants 4. Customers 5. Vendors, suppliers and other business partners

P a g e 6 o f 10 Make sure you understand these different kinds of users and the different kinds of information they are going to need to do their job. Requirement 3. Organize information security policies and standards into meaningful categories While information security policies and standards can be organized in many different ways, we have found that they are most useful when organized as follows: 1. Introductory policies and standards, including information security management structure and responsibilities 2. Information classification and control 3. Physical security 4. Personnel security 5. Policies and standards for employees and other Information users 6. IT Infrastructure policies and standards 7. System and Application Development Policies and standards These categories (or other information security categories, such as, e.g., the chapter headings of ISO 27002) form the top level of a Table of Contents for the organization s policies and standards. Below is a sample pro-forma Table of Contents for an organization s information security policies and standards. Requirement 4. Review draft policies and standards with management, users, and legal counsel This is a critical feedback step that is too-easily overlooked. Policy validation is required to ensure that management and users will support the policies and standards, and that the policies and standards are consistent with the business and other needs of the organization. Information security policies and standards need to be reviewed by the enterprise s legal counsel to assure they comply with State and US laws, legally protect the enterprise, and are otherwise consistent with the enterprise s business practices.

P a g e 7 o f 10 Requirement 5. Train all personnel in the organization s information security policies and standards All staff needs to be provided regular awareness training and education. Without such training and education, personnel will not know what they are to do nor why they are to do it. Training and education programs need to emphasize: The enterprise s need to secure critical information assets Management s commitment to securing the critical information assets Each person s individual responsibilities for securing critical information assets Consequences for failure to abide by the policies and standards, both organizational and individual Requirement 6. Enforce the information security policies and standards Without enforcement, adherence to the policies and standards will degrade over time. In addition, unless policies and standards are uniformly enforced, the organization may find itself in legal jeopardy should it choose to enforce the policies and standards, particularly if the enforcement is directed against an individual in a legally protected class. Technology can make it easier to enforce certain information security policies and standards. For example, prohibitions on employee access to pornographic or gambling-related web sites can be blocked by web filters. Workstation backup policies and standards can be implemented by programs running on the organization s servers. Password policies and standards can be enforced with systems that require regular password changes and that refuse to accept weak passwords. The technology infrastructure can also be used to monitor and/or log user compliance with policies and standards. While some may argue that this violates employee privacy rights, increasing numbers of organizations are deciding to monitor and/or log employee behaviors. Because of the potential legal implications, surveillance activities must be coordinated with legal counsel. Requirement 7. Review and modify policies and standards, as appropriate but at least annually Situations change: business and operational needs, legal duties and obligations, technology opportunities. Information security policies and standards must evolve to reflect changing circumstances.

P a g e 8 o f 10 Consequently an organization needs to regularly review and, if necessary, modify its information security policies and standards. PRO-FORMA INFORMATION SECURITY POLICIES AND STANDARDS TABLE OF CONTENTS 1 INFORMATION SECURITY POLICIES 2 INFORMATION SECURITY STANDARDS GENERAL 2.1 SCOPE AND AUTHORITY 2.2 INFORMATION SECURITY LAWS, REGULATIONS AND CONTRACTUAL REQUIREMENTS 2.3 INFORMATION SECURITY LIBRARY 2.4 THIRD-PARTY SECURITY MANAGEMENT 2.5 SECURITY REVIEWS 3 INFORMATION SECURITY STANDARD CLASSIFICATION AND CONTROL 3.1 INFORMATION INVENTORY 3.2 INFORMATION OWNERS, USERS, AND CUSTODIANS 3.3 SECURITY CLASSIFICATIONS 4 INFORMATION SECURITY STANDARD INFORMATION USERS 4.1 ACCESS CONTROL TO NETWORK AND PROTECTED SYSTEMS 4.2 WORKSTATION SECURITY 4.3 USE OF HOME COMPUTERS, LAPTOPS, IPADS, PDAS, SMARTPHONES AND OTHER REMOTE DEVICES 4.4 ELECTRONIC MAIL 4.5 TECHNOLOGY PROHIBITIONS 4.6 PHYSICAL PROTECTION OF NON-PUBLIC INFORMATION 4.7 OTHER USER RESPONSIBILITIES 5 INFORMATION SECURITY STANDARD STAFFING & PERSONNEL 5.1 SECURITY IN JOB DEFINITION AND STAFFING 5.2 BACKGROUND INVESTIGATIONS 5.3 CONFIDENTIALITY AGREEMENT 5.4 EMPLOYEE PERFORMANCE, TERMINATION AND ABSENCE NOTIFICATION 6 INFORMATION SECURITY STANDARD PHYSICAL SECURITY

P a g e 9 o f 10 6.1 FACILITIES 6.2 FACILITIES CONTROLS 6.3 FACILITY VISITOR CONTROL 6.4 SERVER ROOM SECURITY 7 INFORMATION SECURITY STANDARD IT INFRASTRUCTURE 7.1 IT VENDOR SELECTION AND MANAGEMENT 7.2 SECURING THE IT INFRASTRUCTURE 7.3 APPLICATION SECURITY, INCLUDING WEBSITES AND OTHER INTERNET-FACING APPLICATIONS 7.4 CHANGE CONTROL 7.5 LOGGING AND REVIEW 7.6 BACK UP, INFORMATION CONTINUITY, INCIDENT RESPONSE AND INTERNAL INVESTIGATIONS 7.7 ACCESS CONTROL MANAGEMENT 7.8 ENCRYPTION 7.9 OTHER IT INFRASTRUCTURE POLICIES 7.10 INFORMATION SECURITY TRAINING AND EDUCATION A FEW SAMPLE INFORMATION SECURITY POLICIES AND STANDARDS The following are two sample policy statements and four standards for a fictitious company named BeBop Inc. Policy 3: Bebop manages the security of sensitive information in its possession through an Information Security Manager (ISM), who a. is appointed by the President and has the responsibility, accountability and authority for information security management and leadership; b. publishes security documents, including standards, processes, procedures, and guidelines designed to extend and make real these policies; c. provides training and education to information users and leads the Bebop community in creating a security-aware culture. Policy 4: Working in collaboration with the Information Security Manager, each Department is responsible for managing the security of the information it generates and uses. Department managers are expected to a. identify, classify and control their information in accordance with the harm that would result from a loss of confidentiality, integrity or availability; b. identify those groups or individuals authorized access to information, granting only the access needed to do one's job ( least privilege and need-to-know ) based upon the job duties and job requirements of each individual;

P a g e 10 o f 10 c. manage the security of sensitive information in accordance with security documents established in collaboration with the Information Security Manager. Standard 3.3: Security Classifications Information Owners determine the sensitivity of the information they own. In doing so, they follow a standard language that helps ensure that everyone will know how to protect the information they use in performing their professional duties. Bebop classifies information into three categories: Public Information Internal Use Only Information Restricted Information Standard 4.1.1: Login-ID and Passwords Access to the Bebop IT network and information systems is protected and managed by access control procedures. Prior to gaining access to the Bebop IT network systems or protected information systems, a user must present both a Login ID and a password. Both of these are unique to the user, thereby providing a measure of certainty that the user is who he/she claims to be. Standard 7.2.5: Malware Protection IT is to install ISM-approved anti-malware software on all workstations and servers to prevent, detect, and eradicate malicious code (e.g., viruses, Trojan horses, spyware, key loggers, adware etc.). IT is to configure anti-malware software so that All files coming from external sources are checked before execution or usage Suspected malware is logged and IT is alerted Full malware scans are conducted daily Malware signature files are updated daily Program updates are installed as soon as available The ISM is to be notified immediately if malware is found on any device. Standard 7.7.2: Access to Restricted Information Based Upon Need-to-Know IT is to limit access to restricted systems and information to only those individuals whose job requires such access, as determined by the information Owner. IT is to implement a mechanism for systems with multiple users that restricts access based on a user s need to know, and is set to deny all unless specifically allowed.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback