Information Security Policy

homuskrat, Networks and Communications

20 Nov 2013

A security policy should fulfil many purposes. It should:


Protect people and information


Set the rules for expected behaviour by users, system administrators, management, and security personnel


Authorize security personnel to monitor, probe, and investigate


Define and authorize the consequences of violation


Define the company consensus baseline stance on security


Help minimize risk


Help track compliance with regulations and legislation


A security policy is the highest level of overall intention and direction, as formally expressed and endorsed by management, for managing information / computer security.


It outlines responsibilities and obligations


Shows management support for information security


Should be consistent with relevant laws, requirements and regulations



Assessment


Audit


Incident response


Assessment is an essential component of an effective information security process: the evaluation of the information security status of all assets.


Identify assets


Identify vulnerabilities


Identify threats


Determination of likelihood


Determination of consequence


Identify security controls


Risk mitigation


Security assessment areas cover:


Security Policy


Organisational Security

Asset classification and control


Personnel security


Physical and Environmental Security


Communications and Operations Management


Access Control


System development and maintenance


Business Continuity Management


Compliance


other



Security tends to degrade during the operational phase of the system life cycle. Once it is in place it tends to be forgotten.


Audit: a one-time or regular evaluation of security and controls


Examine an entire system or a single anomalous event


Conformity to the requirements of relevant legislation, regulations or management


Incident response: resolution through the appropriate reaction to, and containment of, the problem that constitutes the incident


In other words: a security breach has been detected, now what do we do to make sure that it can't harm us further, and how do we fix the problem?


Provide an effective means to deal with the situation that reduces the impact to the organisation


Provide management with sufficient information to decide on appropriate courses of action


Maintain and restore business/facility functions


Defend against future attacks


Deter future attacks through investigation and prosecution


Web Application Vulnerabilities


Social Networks


Malware / Virus


DDoS attacks (Distributed Denial of Service)


Phishing, Vishing, Spear-Phishing


Social Engineering


Insider Threat


Software Vulnerabilities


Wireless


Botnets


Spam / Targeted mails



Murder


Reputation Loss


Scams


Identity Theft


Privacy Violation

Lifecycle stages:


Preparation


Assessment


Design & Deploy


Manage & Update


Training & Education


Assessment: a BS 7799-based, systematic baseline identification of all network devices and resources, and the establishment of valuations for all groups of data residing on the network.


Assessment converts general descriptions of the network into measurable data sets that can then be used to design an effective security management policy and infrastructure.


Sample: vulnerability testing


Design: conversion of assessment data into lists of network security applications, deployment locations, implementation strategies and specific configuration guidelines for each network device or security application.


At the completion of this stage, the security policy exists as a completed document, accompanied by a deployment plan.


Deploy: the physical process of implementing the plans created in the design phase.


Includes installation, testing, training and conversion to a production environment.


Sample: managed anti-virus protection


Manage & Update: measuring performance data from the network security infrastructure against the goals stated in the security policy.


Non-compliant systems and events trigger specific actions, as stated in the policy, including a re-evaluation of the policy and a restart of the policy generation process.


Sample: service packs and patches, periodic vulnerability checks, IDS monitoring
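As an added example (not part of the original deck), the following script shows what "measuring performance data against the goals stated in the policy" looks like once the policy is written as measurable thresholds: each host is checked against the thresholds, the compliance rate is compared with the policy goal, and a shortfall is mapped to the action the policy prescribes. The policy values (a 30-day patch window, required antivirus and IDS agents, no exposed telnet/SMB ports, a 95% compliance goal) and the four-host inventory are hypothetical and constructed for illustration.

```python
"""Added example: measure hosts against security-policy goals and derive the
policy-mandated action. The policy thresholds and the host inventory are
hypothetical and constructed for illustration; they are not from the deck."""
from dataclasses import dataclass
from datetime import date

# Hypothetical policy, expressed as measurable thresholds (assumption).
POLICY = {
    "max_patch_age_days": 30,                 # patches applied within 30 days
    "required_agents": {"antivirus", "ids-sensor"},
    "forbidden_ports": {23, 445},             # telnet / SMB must not be exposed
    "goal_compliance_rate": 0.95,             # policy goal: >= 95% of hosts compliant
    "remediation_floor": 0.80,                # below this, re-evaluate the policy itself
}


@dataclass(frozen=True)
class Host:
    name: str
    last_patched: date
    agents: frozenset
    open_ports: frozenset


# Constructed inventory (assumption), as the assessment stage would produce it.
SAMPLE_HOSTS = [
    Host("web01", date(2013, 11, 1), frozenset({"antivirus", "ids-sensor"}), frozenset({80, 443})),
    Host("db01", date(2013, 11, 5), frozenset({"antivirus", "ids-sensor"}), frozenset({1433})),
    Host("legacy01", date(2013, 9, 15), frozenset({"antivirus"}), frozenset({23})),
    Host("file01", date(2013, 11, 10), frozenset({"antivirus", "ids-sensor"}), frozenset({445})),
]


def check_host(host, policy, as_of):
    """Return the policy violations for one host; an empty list means compliant."""
    findings = []
    age = (as_of - host.last_patched).days
    if age > policy["max_patch_age_days"]:
        findings.append(f"patch age {age}d exceeds {policy['max_patch_age_days']}d")
    for agent in sorted(policy["required_agents"] - host.agents):
        findings.append(f"missing required agent {agent}")
    for port in sorted(host.open_ports & policy["forbidden_ports"]):
        findings.append(f"forbidden port {port} open")
    return findings


def measure(hosts, policy, as_of):
    """Evaluate every host, compute the compliance rate against the policy goal
    and map the result to the action the policy says a shortfall triggers."""
    findings = {h.name: check_host(h, policy, as_of) for h in hosts}
    compliant = sum(1 for f in findings.values() if not f)
    rate = compliant / len(hosts) if hosts else 1.0
    if rate >= policy["goal_compliance_rate"]:
        action = "none: policy goal met"
    elif rate >= policy["remediation_floor"]:
        action = "remediate non-compliant hosts"
    else:
        action = "re-evaluate policy and restart policy generation"
    return {"findings": findings, "compliance_rate": rate, "action": action}


def run_sample(as_of=date(2013, 11, 20)):
    """Run the measurement over the constructed inventory as of a fixed date."""
    return measure(SAMPLE_HOSTS, POLICY, as_of)


if __name__ == "__main__":
    result = run_sample()
    for name, f in result["findings"].items():
        print(f"{name}: {'compliant' if not f else '; '.join(f)}")
    print(f"compliance rate {result['compliance_rate']:.0%} -> action: {result['action']}")
```

The point of the structure is that the policy document's goals (patch window, mandatory controls, compliance target) are data the measurement reads, so a change to the policy changes the checks without rewriting them, and the "re-evaluate the policy" branch is triggered by the measurement itself rather than by someone remembering to do it.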


Training & Education: an ongoing effort to raise awareness of the need for network security at the executive, management, administrator and end user levels.


This process cuts across all other steps, and includes both administrator training for emerging threats to systems and awareness among end users of the benefits of working within the security architecture.


Sample: security policy awareness training


What is on the network: identification of all network devices, applications and services


Who has access


Value: valuation of damage from compromise


What data is on the network: identification of all data stored on the network


Who has access


Value: valuation of damage from compromise


Identification of hosts, network devices and databases already susceptible to attack, from inside or outside the network



Who needs to be involved in the security policy decision-making process?


Executive level: which staff; what are the business goals that improved security management supports?


IT level: will they be threatened by new processes and procedures?


Security management level


Human resources & legal staff: do current and proposed security measures meet corporate employment policy standards?


End users, vendors, partners, etc.: what are the advantages to them of adopting a more secure corporate posture?


Details describing the network and its contents become a comprehensive security policy document


Create standardized levels of security service based on the data gathered in the assessment stage


Delivers a web of interrelationships between information, systems, users, and tightly defined levels of security needs


Define implementation guidelines: is this an allowable event? Is this vulnerability allowed?


Delineate chains of command for incident escalation


Define the requirements for reporting

Deployment is where most organizations currently concentrate their security effort; it is actually the simplest and most straightforward aspect of security management.


Begins with the purchase of hardware and software, dictated by the plan created in the design phase


Rigorously installed and tested to ensure that performance meets specifications


If the system is assured of matching the requirements, it moves out into the production environment


Education is a critical element for successful deployment: the best opportunity to educate the entire range of staff affected by the security policy, and to show how it benefits both individuals and the organization in technical and financial terms


A determinant factor in whether a security implementation thrives or fails


Manage & Update: the process by which the success of the security can be measured; the security policy dictates how security is supported once the deployment stage is complete



ISO 27001:2005


PCI-DSS


CobiT


BS 25999


ISO 20000


ITIL


Clause 49 (SEBI Guideline, Government of India)


CTCL


NERC-CIP


Data Protection Act


IT Act and applicable Criminal / Civil legislation


HIPAA


GLBA


Sarbanes-Oxley


Basel II


PCAOB


SAS 70


Privacy Laws (e.g. PIPEDA)


… many more …


ISO 27001, BS 25999, CobiT, ITIL or ISO 20000: these are the most widely used and recognized standards for Information Security globally, and they form the foundation of security for various other frameworks and regulatory requirements.







“Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.” (as defined in ISO/IEC 17799:2005, now ISO/IEC 27002)



ISMS Plan-Do-Check-Act cycle (development, improvement and maintenance cycle):

Plan: establish the ISMS (context and risk assessment)

Do: design and implement the ISMS

Check: monitor and review the ISMS

Act: maintain and improve the ISMS


The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for IT service management (ITSM), IT development and IT operations.


ITIL gives detailed descriptions of a number of important IT practices and
provides comprehensive checklists, tasks and procedures that any IT
organization can tailor to its needs. ITIL is published in a series of books,
each of which covers an IT management topic.


Service Strategy


Service Design


Service Transition


Service Operation


Continual Service Improvement



IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube.


Business-focused


Process-oriented


Controls-based


Measurement-driven


COBIT cube (© IT Governance Institute): business objectives and governance objectives drive the IT processes, grouped in four domains (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate); the processes act on IT resources (applications, information, infrastructure, people) and deliver information measured against seven criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability).


COBIT processes by domain (© IT Governance Institute):

Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.


BS 25999: the standard for Business Continuity Management.


Part 1: Code of Practice

Section 1 - Scope and Applicability.
Section 2 - Terms and Definitions.
Section 3 - Overview of Business Continuity Management.
Section 4 - The Business Continuity Management Policy.
Section 5 - BCM Programme Management.
Section 6 - Understanding the organization.
Section 7 - Determining BCM Strategies.
Section 8 - Developing and implementing a BCM response.
Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture.
Section 10 - Embedding BCM into the organization's culture.


Part 2: Specification

Section 1 - Scope.
Section 2 - Terms and Definitions.
Section 3 - Planning the Business Continuity Management System (PLAN).
Section 4 - Implementing and Operating the BCMS (DO).
Section 5 - Monitoring and Reviewing the BCMS (CHECK).
Section 6 - Maintaining and Improving the BCMS (ACT).


The Information Security Lifecycle: key elements to success


Effective security management requires more than firewalls and intrusion detection solutions.


Security management must become a closed-loop cycle of continuous security improvement.


An efficient and effective ongoing security management system, including both insourcing and outsourcing options


References:

IAEA, “Basic Concepts of Information / Computer Security”

Internet Security Systems, “Creating, Implementing and Managing the Information Security Lifecycle”

SANS Institute, “Information Security Policy - A Development Guide for Large and Small Companies”

Dinesh O Bareja, “Information Security … the profession; concepts, risks and more”, Rajiv Gandhi Institute of Technology




Case Study : Clicking blindly !

Settled in for a nice bit of surfing in the library!

Study ! Ah hah ! Just don’t click the link blindly !

Whoops ! That’s a big load of malware you just got with
sound effects !

From EDUCAUSE
