Policy Review (Top-Down Methodology)


Page 1: Policy Review (Top-Down Methodology)

Policy Review (Top-Down Methodology)

Lesson 7

Page 2: Policy Review (Top-Down Methodology)

Policies

From the Peltier Text, p. 81

“The cornerstones of effective information security programs are well-written policy statements. This is the wellspring of all other directives, standards, procedures, guidelines, and other supporting documents.”

“The top-down portion of the network vulnerability assessment (NVA) looks at the policies requested in the Pre-NVA Checklist”

Page 3: Policy Review (Top-Down Methodology)

Documents from checklist

- Network Topology (diagram)
- Firewall Architecture
- Remote Access Server Architecture
- Detailed list of Mission-Critical Applications
  - Brief description (purpose)
  - Data storage method (database)
  - Who is the data owner/administrator?
  - Who are the users (job title)?
  - Security mechanisms
  - Sensitive or critical data
- Information Security Policies
  - Password & ID Policy
  - Confidential information policies and procedures
  - Data classification
  - System Access Policy and Procedures
- Corporate Communication Policies
  - Electronic/paper communications
- Disposal Policy
- Internet Usage Policy
- Mission Statements
- Organization Charts

Page 4: Policy Review (Top-Down Methodology)

Policy Management Life Cycle

Page 5: Policy Review (Top-Down Methodology)

Some Definitions

Policy: A high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area.

General Program Policy: Sets the strategic directions of the enterprise for global behavior and assigns resources for its implementation (e.g. conflict of interest, standards of conduct, ...).

Topic-specific policy: Addresses specific issues of concern to the organization (e.g. email, Internet and phone usage, physical security, ...).

System- or Application-specific policy: Focuses on decisions taken by management to protect a particular application or system.

Exhibit 1, p. 85-86, contains a list of possible policies.

Page 6: Policy Review (Top-Down Methodology)

Components of a policy

Topic: Defines the goals of the policy.

Scope: Used to broaden or narrow the topic.

Responsibilities: Who is responsible for what actions.

Compliance: Discusses what actions occur when an individual is found to be in noncompliance and what actions an organization must take when found in noncompliance.

Page 7: Policy Review (Top-Down Methodology)

Writing (or reviewing) a policy

“5 W’s of Journalism 101” (and 1 H)

- What: what is to be protected (the topic)
- Who: who is responsible (responsibilities)
- Where: where within the organization does the policy reach (scope)
- How: how compliance will be monitored (compliance)
- When: when does the policy take effect
- Why: why the policy was developed

The last two may actually not be in the policy itself: when and why are often covered in a cover letter that accompanies the policy when it is issued.

Page 8: Policy Review (Top-Down Methodology)

The Information Security Policy

Should be

- Approved by management
- Published and communicated to all employees
- A statement of management commitment
- An outline of the organization’s approach to managing information security

Should include

- A definition of information security
- A statement of management intent, supporting the goals and principles of information security
- A definition of general and specific responsibilities
- References to documentation that may support the policy

Pages 9-17: Policy Review (Top-Down Methodology) (no slide text in the transcript)

Page 18: Policy Review (Top-Down Methodology)

From The Texas Code

Page 19: Policy Review (Top-Down Methodology) (no slide text in the transcript)

Page 20: Policy Review (Top-Down Methodology)

California SB 1386

This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Any customer injured by a violation of this title may institute a civil action to recover damages.

Page 21: Policy Review (Top-Down Methodology)

GLB (Gramm-Leach-Bliley Act)

- Requires clear disclosure by all financial institutions of their privacy policy regarding the sharing of non-public personal information with both affiliates and third parties.
- Requires a notice to consumers and an opportunity to "opt-out" of sharing of non-public personal information with nonaffiliated third parties, subject to certain limited exceptions.
- Clarifies that the disclosure of a financial institution's privacy policy is required to take place at the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship.

Page 22: Policy Review (Top-Down Methodology)

Sarbanes-Oxley Act of 2002

- The result of a number of corporate accounting scandals.
- Mandates specific actions to improve corporate reporting.
- Reaffirms the necessity of the financial statement audit process and the role of external auditors.
- IT security and controls are considered part of effective fraud management.

Page 23: Policy Review (Top-Down Methodology)

HIPAA

Health Insurance Portability and Accountability Act

- Standards require that measures be taken to secure health information covered by this act while in the custody of entities governed by HIPAA, as well as in transit between covered entities and from covered entities to others.
- Aims to ensure the confidentiality, integrity, and availability of electronic protected health information.

Page 24: Policy Review (Top-Down Methodology)

Some (possibly) useful documents

NIST Special Publication 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems”
- Includes discussion on policies and risk management.

NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems”
- Includes discussion of “Baseline Security Controls” at three levels (low, moderate, high).

NIST Special Publication 800-26, “Security Self-Assessment Guide for Information Technology Systems”
- Has a nice checklist as well as a method to interpret results.

NIST Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems”

Page 25: Policy Review (Top-Down Methodology)

A final note…

Download from the web site and read the document “Building and Implementing a Successful Information Security Policy” by Dancho Danchev at windowsecurity.com.

Page 26: Policy Review (Top-Down Methodology)

Summary

What is the importance and significance of this material?

How does this topic fit into the subject of “Security Risk Analysis”?