IT Security Policy Framework
● Policies
● Standards
● Procedures
● Guidelines
Policy
● A written statement from an authority declaring a course of action for the sake of expediency.
– Example: Policy dictates that all employees will read and sign the AUP before receiving access to the computing system.
Standard
● A detailed level of attainment.
– IT standards ensure that consistent security controls are adopted.
– Example: The Common Criteria have established standards for hardware and software security.
Procedures
● A description of the process used to accomplish a task.
– Example: A procedure checklist is used to perform and verify backups.
Guidelines
● A suggested course of action, which can be specific or general.
– Example: The guidelines for a secure password include but are not limited to ...
IT Policy Framework Purpose
● The purpose is to achieve an acceptable level of risk.
Data Classification Standards
● US Government
● Private enterprise
US Government
● Executive Order 13526 (2009)
– Top Secret
– Secret
– Confidential
– Public domain information is considered unclassified and is not part of the classification standard.
Top Secret
● Would cause grave damage to national security if it were disclosed.
Secret
● Would cause serious damage to national security if it were disclosed.
Confidential
● Would cause damage to national security if it were disclosed.
Guidelines
● Yes there are guidelines for separating information into the appropriate categories.
Unclassified
● Would you believe there are classifications for unclassified information?
Unclassified
● Poses no threat to national security if exposed.
Controlled Unclassified
● For official use only.
– Example: law enforcement classified
Alternative classifications
● Top Secret
● Secret
● Confidential
● Restricted
● Protected
● Unclassified
Private Enterprise Data Classification (Kim, Solomon)
● Private
● Confidential
● Internal use only
● Public domain data
Private
● Data about people.
– Example: compliance laws like HIPAA
Confidential
● Information owned by the enterprise
– Customer lists
– Pricing information
– Intellectual property
– Internal use only information
Internal Use Only
● Information shared internally by an organization.
– Most communications are not intended to be shared.
Public Domain Data
● Shared with the public
– Web site content
– White papers
Alternative
● Confidential
– Would substantially undermine the financial viability of the organization.
● Restricted
– Would cause a substantial loss of earning potential or give an advantage to competitors.
● Protected
– Would cause financial loss.
● Unclassified (public)
Data Classification Challenges
● Perfection is the enemy of the good!
– If you insist on perfection, your system will be difficult to implement.
– Employees must be properly educated in order to classify data effectively.
– If the scheme is too complex, it will fail due to lack of use.
– You are better served by keeping your classification scheme simple (no more complex than is necessary).
– Development and implementation of a data classification scheme will require resources.
– If it is complex, it will likely be expensive to implement.
Implementation Tips
● Understand what is achievable: any data classification policy must become less complex as more individuals become involved in implementing the policy.
● Those who have something at stake should be involved in the data classification policy development.
● Provide appropriate education and visibility.
– Any data classification scheme should be posted on the company/agency internal web page.
● Align your data classification scheme with regulatory (compliance) requirements.
Compliance Laws
● Legislation exists mandating security controls to protect private and confidential data.
Example Compliance Legislation
● SOX (Sarbanes-Oxley, 2002)
– Requires security controls to protect the confidentiality and integrity of financial reporting.
● GLBA (Gramm-Leach-Bliley, 1999)
– Financial institutions must protect clients' private financial information.
● HIPAA (Health Insurance Portability and Accountability Act, 1996)
– Health care organizations must secure patient information.
● CIPA (Children's Internet Protection Act, 2000)
– Requires public schools and public libraries to implement an Internet safety policy.
● FERPA (Family Educational Rights and Privacy Act, 1974)
– Protects the school records and other private data of students.
Example Compliance Standard
● PCI-DSS (Payment Card Industry Data Security Standard)
– An information security standard for organizations that handle payment card information.
– Debit
– Credit
– Prepaid
– ATM
– etc.
Professionalization of the SA Discipline
● Establishment of professional societies/organizations
● Credentials
– By study and examination
– University degrees
Example Professional Organizations
● LISA (SAGE), Large Installation System Administration
● (ISC)2 – International Information Systems Security Certification Consortium.
Professional Organizations
● Offer credentials through study and examination
● Code of ethics
● Professional networking
● A forum for sharing new technology, ideas, etc.
Recommended Areas of Knowledge
● Access controls
● Cryptography
● Network security
● Risk management
● Application development security
● Legal regulations and compliance
● Operations security