Stories from the trenches: Designing a good security policy
Transcript of Stories from the trenches: Designing a good security policy
Jean-Michel Lamby
Architect
Microsoft & Security Solutions
Risk is the mirror image of opportunity.
Agenda
Presentation Objectives
Some questions…
Information security policy
Information security & the business
Information security & ICT
Managing information security
A framework for managing operations
ICT Operations: Management Framework
Tracks for quick wins…
Where are you today?
Objectives
To provide high-level guidance for the process of developing a good information security policy
To identify tracks for « quick wins »
Stories from the trenches
I once was an infosec manager
Real life experiences....
Some questions...
Just a few questions...
Easy ones...
Some questions... (Ctd)
Are you in control?
Some questions... (Ctd)
Is information a strategic and valuable asset for your company?
Do your employees know it?
Do they know it is considered as such by the management?
Do they know who’s in charge?
Do they care?
Some questions... (Ctd)
Human beings are weak and we all make mistakes from time to time... But
When it comes to information security, do your employees know what their responsibilities are?
Is this somehow integrated in the work regulation?
Are they aware of the risks?
Do they know where to find guidelines and procedures?
Do they know how to react in case of an incident?
Do they know that they are being monitored?
Do you comply with the legislation about privacy protection?
Some questions...(Ctd)
Do your employees know how to manage sensitive data?
What about removable storage media?
What about outdated backup tapes?
What about crashed disks?
What about laptops?
What about e-mail attachments?
What about « 3rd party webmail »?
What about data transfer?
More questions...
A critical business process is down... because of the unavailability of an ICT service...
Was your service delivery in line with the business requirements?
Business what?
Where does your responsibility start?
Where does your responsibility end?
More questions... (ctd)
Do you know whether your systems are securely configured?
Are you sure of this?
When was it last checked?
What were the results of that check?
Any corrective action?
Implemented?
How many changes implemented since then?
How many new vulnerabilities since then?
And do you exclusively expose services required by the business?
Stop with these questions!!!
Ok
Still in control?
Information security policy
Aimed at providing a complete and consistent reference framework for the management of information security
Will clearly state the respective roles and responsibilities
Will ensure your security posture is appropriate for your business
Will ensure the level of security achieved is maintained and controllable
Will help maintain awareness and involvement
Information Security & the Business
Securing the business process by protecting the Confidentiality, Integrity and Availability of Information, Services and Systems
Information security & ICT
Information Security is a global business issue…
ICT is part of the Business…
ICT is to participate in the collaborative effort aimed at protecting the business
Information is a strategic asset…
Managing Information Security
Information Security Strategy
Corporate Information Security Policy: Visibility, Credibility, Direction, Commitment, Responsibilities
Information Security Program: Scope and objectives, Sponsorship
Security Awareness
Legal Requirements
Regulatory Requirements
Standard Requirements
Assets Identification
Business Impact Analysis
Risk Assessment
Risk Management
Managing Information Security
Standard and Best Practice Requirements: ISO/IEC 17799, ISO 13335, BS 7799, ITIL Security Management, FIRM, WebTrust, X9.79, TS 101 456…
Security Management Framework
Tailored Security Management Framework: Policies, Standards, Procedures, Controls
CISP, Security Organization, Asset Classification and Control, Personnel Security, Physical and Environmental Security, Operations and Communications Management, Access Control, System Development and Maintenance, Business Continuity, Compliance
Legal Requirements
Regulatory Requirements
Certification Requirements
Assets Identification
Business Impact Analysis
Risk Assessment
Policies, standards & procedures
Not literature!
Operational documents!
Policies: recognition of a problem and high-level statements of management's intentions
Standards: what you are going to do about this problem
Procedures: how you are going to do it (auditability)
Technology: to support specific controls
A framework for managing operations
Information security is not an additional layer
It is to be integrated within daily business
And for ICT it is to be integrated into the management of daily operations (MOF, ITIL, TOM, eTOM...)
ICT Operations: Mgt Framework
Tracks for Quick Wins
CISP
SAD program
Personnel security
E-mail and Internet acceptable use
Malicious software protection
System & service management (including patch management and firewall management)
Network management
Business continuity: crisis management framework
Where are you today?
Initiate Security Management
Stage 1: Initiation
Stage 2: Requirements and Strategy
Stage 3: Implementation
Stage 4: Operational Management
Maturity Level (1 to 6)
Activities, from initiation to operational management: Assets Identification, Business Impact Analysis, Risk Assessment, Strategy, Develop Policies, Develop InfoSec Plans, Implement Risk Mitigation, Organization and Implementation Planning, Develop and Implement Standards and Procedures, Initial Testing, Assurance, Education and Awareness, Review, Testing, Change Control, Training
Freely adapted from the ITIL BCM Maturity Model
Thank you
If you have any question or request for information, feel free to contact me at: