information security 365 -- policies, data classification, employee training and awareness

Information Security 365/765, Fall Semester, 2016. Course Instructor, Nicholas Davis. Lecture 4, Policies, Classification, Training.

Upload: nicholas-davis

Post on 06-Apr-2017


TRANSCRIPT

Page 1: Title slide

Information Security 365/765, Fall Semester, 2016

Course Instructor, Nicholas Davis

Lecture 4, Policies, Classification, Training

Page 2: Today's Agenda

Eat Kit Kat bars

Class exercise: IT risk analysis of the Hillary Clinton email server

Lecture topics:
• Employee hiring, assignment and termination security practices
• Security policies
• Information classification
• Security awareness training

Basis for written assignment #2

05/02/23 UNIVERSITY OF WISCONSIN 2

Page 3: Today's Chocolate Bar: Kit Kat

Kit Kat is a chocolate-covered wafer biscuit bar confection that was created by Rowntree's of York, England, and is now produced globally by Nestlé (which acquired Rowntree in 1988), with the exception of the United States, where it is made under license by The Hershey Company. Each bar consists of fingers composed of three layers of wafer, covered in an outer layer of chocolate. Each finger can be snapped from the bar separately. Bars typically have two or four fingers.

How NOT to eat a Kit Kat

Page 4: Remember Our Discussion About Background Checks?

As mentioned in our last lecture, information security covers many areas not typically thought about, such as personnel background checks. An unqualified employee can do great damage to organizational assets and strategy. Let's watch this video!

https://www.youtube.com/watch?v=Ic6cSzY4ptU

Page 5: Hiring Practices

• Job skill screening
• Reference check
• Non-disclosure agreement (NDA) signed
• Education verification
• Criminal background check
• Credit report check
• Sex offender check
• Drug screening
• Professional license check
• Immigration status check
• Social Security Number trace to ensure validity

Page 6: Employee Controls: Rotation of Duties

No one person should stay in one position for an uninterrupted period of time, as this may enable them to have too much control over a segment of the business.

Mandatory vacation policy: while the employee is away, someone else performs the role, which exposes any activity that depends on the incumbent never being absent.

Page 7: Employee Controls: Separation of Duties

Split knowledge system: No single employee has the knowledge to do a task by themselves.
Example

Dual control: No single employee has the physical ability to do a task by themselves.
Example

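Both controls on the slide above can be enforced mechanically with threshold secret sharing, and the following added example (not from the lecture) shows how: a key is split so that each custodian holds a share that by itself reveals nothing about the key (split knowledge), and the recovery routine refuses to run unless at least the threshold number of custodians present their shares (dual control). The field prime, the share layout and the sample key are assumptions made for the illustration.

```python
"""Split knowledge and dual control with Shamir secret sharing over GF(p).

Added illustration for the separation-of-duties slide; it is not from the
lecture. The field prime, the share format and the sample secret are
assumptions chosen for the example.
"""
import secrets

# 2**127 - 1 is prime, so arithmetic mod P forms a field. Secrets must be < P;
# a full 128-bit key would need a larger prime.
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, n_shares, rng=secrets.randbelow):
    """Split `secret` into n_shares points; any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree
    threshold-1; custodian i receives the point (i, f(i)). Fewer than
    `threshold` points are consistent with every possible constant term,
    which is what makes a lone custodian's knowledge useless.
    """
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    coeffs = [secret] + [rng(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares, threshold):
    """Lagrange-interpolate f(0) from `shares`; refuse below the threshold.

    The threshold check is the dual-control rule: the ceremony does not
    proceed unless enough custodians are present.
    """
    if len(shares) < threshold:
        raise PermissionError("dual control: %d of %d custodians present"
                              % (len(shares), threshold))
    shares = shares[:threshold]
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # pow(den, P-2, P) is den^-1 mod P (Fermat); valid because P is prime.
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def demo():
    """Constructed example: a 2-of-3 split of a sample (non-secret) key."""
    secret = int.from_bytes(b"sample-key-123", "big")   # constructed, 112 bits
    shares = split_secret(secret, threshold=2, n_shares=3)
    a, b, c = shares
    assert recover_secret([a, b], 2) == secret
    assert recover_secret([b, c], 2) == secret
    assert recover_secret([a, c], 2) == secret
    return secret, shares


if __name__ == "__main__":
    key, parts = demo()
    print("secret recovered from any 2 of", len(parts), "shares")
```

In practice the shares would be handed to separate people (or stored in separate HSM slots) and the reconstruction would happen inside the device that needs the key, so that the assembled secret never sits in an operator's hands.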
Page 8: Termination Practices

• Each company needs a set of pre-defined termination procedures
• Example:
  • Once terminated, the employee must be escorted out of the facility by their manager
  • Employee must immediately surrender keys, employee badge, etc.
  • Employee must be asked to complete an exit interview and return company property
  • The terminated employee's online accounts must be disabled immediately upon termination

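The last bullet above is the one that fails silently: a badge gets collected, but a login, an API token or a VPN certificate lives on. The following added example (not from the lecture) is the kind of reconciliation a security team runs daily to catch that: it joins the HR roster against the account directory and the credential inventory and reports terminated employees whose access still works, accounts that were disabled later than an agreed SLA, credentials that were never revoked, and enabled accounts that belong to nobody in HR. The record layouts, the one-hour SLA and every sample record are constructed for the illustration.

```python
"""Termination check: reconcile the HR roster against identity systems.

Added example for the termination-practices slide; not part of the lecture.
The record layouts, the one-hour SLA and all sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    status: str                       # "active" or "terminated"
    terminated_at: Optional[datetime]


@dataclass(frozen=True)
class Account:
    employee_id: str
    username: str
    enabled: bool
    disabled_at: Optional[datetime]   # None if never disabled / not recorded


@dataclass(frozen=True)
class Credential:
    employee_id: str
    kind: str                         # "ssh_key", "api_token", "vpn_cert", ...
    identifier: str
    revoked: bool


def reconcile(hr, accounts, credentials, sla=timedelta(hours=1)):
    """Return sorted (code, subject) findings for every offboarding gap.

    ACCOUNT_STILL_ENABLED   terminated employee whose login still works
    DISABLED_LATE           disabled more than `sla` after termination, or
                            with no recorded disable time to verify against
    CREDENTIAL_NOT_REVOKED  key/token that outlives the account; services that
                            check the credential directly never see the disable
    ORPHAN_ACCOUNT          enabled account with no owner in HR at all
    """
    terminated = {r.employee_id: r for r in hr if r.status == "terminated"}
    known = {r.employee_id for r in hr}
    findings = []
    for acct in accounts:
        if acct.employee_id not in known:
            if acct.enabled:
                findings.append(("ORPHAN_ACCOUNT", acct.username))
            continue
        rec = terminated.get(acct.employee_id)
        if rec is None:
            continue                  # still employed, nothing to check
        if acct.enabled:
            findings.append(("ACCOUNT_STILL_ENABLED", acct.username))
        elif acct.disabled_at is None or acct.disabled_at - rec.terminated_at > sla:
            findings.append(("DISABLED_LATE", acct.username))
    for cred in credentials:
        if cred.employee_id in terminated and not cred.revoked:
            findings.append(("CREDENTIAL_NOT_REVOKED",
                             f"{cred.kind}:{cred.identifier}"))
    return sorted(findings)


def sample_data():
    """Constructed roster, directory and credential inventory (not real)."""
    t0 = datetime(2016, 10, 3, 9, 0, tzinfo=timezone.utc)
    hr = [
        HrRecord("e100", "active", None),
        HrRecord("e200", "terminated", t0),
        HrRecord("e300", "terminated", t0),
        HrRecord("e400", "terminated", t0),
    ]
    accounts = [
        Account("e100", "alice", True, None),
        Account("e200", "bob", True, None),                            # never disabled
        Account("e300", "carol", False, t0 + timedelta(minutes=20)),   # within SLA
        Account("e400", "dave", False, t0 + timedelta(days=2)),        # two days late
        Account("e999", "svc-legacy", True, None),                     # nobody in HR
    ]
    credentials = [
        Credential("e200", "api_token", "tok-bob-1", revoked=False),
        Credential("e300", "ssh_key", "carol@laptop", revoked=True),
        Credential("e300", "vpn_cert", "carol-cert", revoked=False),   # missed
    ]
    return hr, accounts, credentials


if __name__ == "__main__":
    for code, subject in reconcile(*sample_data()):
        print(code, subject)
```

The orphan check matters as much as the termination check: service and "legacy" accounts that no HR record owns are exactly the ones nobody disables, because no termination event ever fires for them.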
Page 9: Security Policy

An overall general statement, produced by senior management, which dictates the role which security management plays in the organization.

• Made up of goals and responsibilities
• Shows strategic and tactical value of the policy
• Outlines how enforcement should be carried out

Page 10: Security Policy Components: Business Objectives

Business objectives should drive the policy's creation, implementation and enforcement. The policy should not dictate business objectives.

Page 11: Security Policy Components: Make It Legible

The document should be written in plain language, so that every employee can understand, without question, the portions which apply to them.

Page 12: Security Policy Components: Uniformity

Make certain it fits all business functions and processes.

Page 13: Security Policy: Legal Conformity

It should support all legislation and regulations which apply to the company: local, national and international.

Page 14: Security Policy: A Living Document

It should be re-visited on a regular basis and updated as necessary, as changes occur within the company. Make certain that all changes are documented and that a record of each revision is kept.

Page 15: Security Policy: Adaptability

It should be written in such a way as to make it useful for several years at a time, under normal circumstances, and flexible enough to deal with minor changes as they occur.

Page 16: Security Policy: Language

The tone of the policy must be certain and strong. Avoid using the word "should", as it leaves room for interpretation. Instead, use the words "shall", "will" and "must" throughout the document.

Page 17: Security Policy: Style

• No frills
• Professional looking
• Consistent presentation

Page 18: Why is IT Security Policy So Important?

• Helps identify the company's valuable assets

• Provides authority to the security team and their activities

• Provides a reference to review when conflicts pertaining to security arise

• States clearly the company's goals and objectives in the area of security

• Outlines personal responsibility

Page 19: Why is IT Security Policy So Important? (continued)

• Helps prevent unanticipated events from occurring
• Defines the scope and boundaries for the security team and its functions
• Outlines incident response responsibilities
• Outlines the company's response to legal and regulatory requirements

Page 20: Three Types of Security Policies Exist

• Regulatory
• Advisory
• Informative

Page 21: Security Policy Types: Regulatory

Ensures that the company is following standards set by specific industry regulations. It is very detailed and specific to a type of industry:
• Finance
• Healthcare
• Government

Page 22: Security Policy Types: Advisory

Tells employees which types of behaviors and activities shall and shall not take place within the organization. How to handle:
• Medical information
• Financial transactions
• Confidential information

Outlines ramifications for non-compliance.

Page 23: Security Policy Types: Informative

Informs employees on generalities of certain topics, but is not enforceable.

It teaches about issues important to the company, such as how the company would like employees to interact with business partners, the company's goal and mission, or the corporate reporting structure.

Page 24: Security Policy: Due Diligence

Due diligence is the act of investigating and understanding the risks the company faces.

Page 25: Security Policy: Due Care

Due care demonstrates that the company has accepted, and acted on, its responsibility for the activities which take place in the organization.

Page 26: How Due Diligence and Due Care Are Related

Due diligence is the understanding of the threats and risks, while due care is the countermeasures which the company has put in place to address the threats and risks.

Page 27: Information Classification

In the field of data management, data classification is defined as a tool for categorizing data so that the organization can effectively answer the following questions:

• What data types are available?
• Where are certain data located?
• What access levels are implemented?
• What protection level is implemented, and does it adhere to compliance regulations?

Page 28: Data Classification

• Commercial enterprise
• Government and military

You are business students, so we will focus on commercial enterprise data classification terminology.

Page 29: Data Classification: Types (typical)

• Public
• Sensitive
• Private
• Confidential

Some models may differ in the number of levels and/or how they are referred to.

Page 30: Data Classification: Public

Definition: Disclosure is not welcome, but it would not cause an adverse impact or damage to the company or its employees.

Examples:
• How many people work at the company
• Current job positions posted on the website

Page 31: Data Classification: Sensitive

Definition: Requires special precautions to ensure the integrity and confidentiality of the data, by preventing unauthorized modification or deletion. Requires higher than normal assurance of accuracy and completeness.

Examples:
• Financial information
• Details of projects
• Profit earnings and forecasts

Page 32: Data Classification: Private

Definition: Personal information, for use only within the company. Unauthorized disclosure could adversely affect employees, the company, its business partners or customers.

Examples:
• Work history
• HR information
• Medical information

Page 33: Data Classification: Confidential

Definition: For use within the company only. Exempt from disclosure under the Freedom of Information Act (FOIA binds federal agencies, so the exemption matters when a copy of the company's records is held by one, for example in a regulatory filing). Unauthorized disclosure could seriously affect the company.

Examples:
• Trade secrets
• Programming software code
• Information that keeps the company competitive

Page 34: Data Classification: Procedures

1. Define classification levels

2. Specify the criteria by which data will be classified

3. Have the data owner indicate the classification level for their data

4. Identify the data custodian, who will be responsible for maintaining the data and its security level

5. Indicate the controls to be applied at each classification level

Page 35: Data Classification: Procedures (continued)

6. Document any exceptions in detail

7. Indicate the methods which are used to transfer data custody to a different owner

8. Create a procedure to periodically review the data's classification and ownership

9. Indicate declassification procedures

10. Integrate this knowledge into a security awareness program

Page 36: If You Choose to Create Your Own Data Classification System

• Too many levels will make classification complex and confusing

• Too few levels will encourage sloppy data classification

• There should be no overlap between classification levels

• Classification levels should be developed for both data and the systems housing the data, and they should match: a system must be classified, and protected, at the level of the most sensitive data it houses

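Steps 1, 3, 4 and 5 of the procedure on pages 34 and 35, together with the "no overlap" and "data and system levels must match" rules above, translate directly into policy-as-code. The following added example (not from the lecture) models the four levels from page 29 as a strictly ordered enum, attaches a minimum set of controls to each level, and audits where each dataset is stored: a placement is rejected if the system is accredited below the data's level or lacks a required control. The control matrix, the control names and the sample inventory are assumptions made for the illustration.

```python
"""Classification levels as an ordered lattice with per-level controls.

Added example for the data-classification slides; not from the lecture. The
four levels are the ones on the slides; the control matrix, control names and
the sample inventory are assumed illustrations.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Iterable, List, Tuple


class Level(IntEnum):
    """Strictly ordered, so no two levels overlap (page 36)."""
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


# Assumed minimum handling requirements per level (procedure step 5).
# "Sensitive" on page 31 is about integrity, hence the integrity log there.
CONTROLS: Dict[Level, FrozenSet[str]] = {
    Level.PUBLIC:       frozenset(),
    Level.SENSITIVE:    frozenset({"encrypt_at_rest", "integrity_log"}),
    Level.PRIVATE:      frozenset({"encrypt_at_rest", "integrity_log", "mfa",
                                   "no_external_share"}),
    Level.CONFIDENTIAL: frozenset({"encrypt_at_rest", "integrity_log", "mfa",
                                   "no_external_share", "dlp"}),
}


@dataclass(frozen=True)
class Dataset:
    name: str
    level: Level
    owner: str            # the data owner sets the level (step 3)
    custodian: str        # the custodian maintains it (step 4)


@dataclass(frozen=True)
class System:
    name: str
    level: Level          # highest data level the system is accredited for
    controls: FrozenSet[str]


def matrix_is_monotone() -> bool:
    """Each level must require everything the level below it requires."""
    levels = list(Level)
    return all(CONTROLS[lo] <= CONTROLS[hi] for lo, hi in zip(levels, levels[1:]))


def aggregate_level(levels: Iterable[Level]) -> Level:
    """A file, record or share inherits the highest level of anything in it."""
    return max(levels, default=Level.PUBLIC)


def violations(dataset: Dataset, system: System) -> List[str]:
    """Explain why `dataset` may not live on `system`; [] means it may."""
    problems = []
    if system.level < dataset.level:
        problems.append(f"{system.name} accredited to {system.level.name}, "
                        f"data is {dataset.level.name}")
    for control in sorted(CONTROLS[dataset.level] - system.controls):
        problems.append(f"{system.name} lacks {control}")
    return problems


def audit(placements: Iterable[Tuple[Dataset, System]]) -> Dict[str, List[str]]:
    """Map each offending dataset name to its list of problems."""
    report = {}
    for dataset, system in placements:
        problems = violations(dataset, system)
        if problems:
            report[dataset.name] = problems
    return report


def sample_inventory() -> List[Tuple[Dataset, System]]:
    """Constructed datasets, systems and placements (not a real inventory)."""
    hr = Dataset("hr-records", Level.PRIVATE, "hr-director", "it-ops")
    forecast = Dataset("q4-forecast", Level.SENSITIVE, "cfo", "finance-it")
    jobs = Dataset("open-positions", Level.PUBLIC, "recruiting", "web-team")
    source = Dataset("product-source", Level.CONFIDENTIAL, "cto", "dev-platform")
    intranet = System("intranet-share", Level.PRIVATE, frozenset(
        {"encrypt_at_rest", "integrity_log", "mfa", "no_external_share"}))
    website = System("public-web", Level.PUBLIC, frozenset())
    wiki = System("team-wiki", Level.SENSITIVE, frozenset({"encrypt_at_rest"}))
    return [(hr, intranet), (forecast, wiki), (jobs, website), (source, intranet)]


if __name__ == "__main__":
    for name, problems in audit(sample_inventory()).items():
        print(name, "->", "; ".join(problems))
```

Because the levels are a total order, `aggregate_level` gives the rule for mixed content for free: a spreadsheet that contains one Private column is a Private spreadsheet, and the check for the system that hosts it is the same `violations` call.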
Page 37: Security Awareness Training Program

• One for senior management
• One for staff
• One for technical employees

Each covers:
• Responsibilities of everyone
• Potential liabilities if the program is not followed
• Expectations of everyone

Page 38: Security Awareness: Senior Management

Focus on: corporate assets, and the financial gains and losses which can occur due to information security incidents. They are the leaders; they must demonstrate the proper mindset to the rest of the company.

Page 39: Security Awareness: Mid-Management

Focus on: policies, standards and guidelines and how they map to individual departments; responsibility for ensuring their employees' adherence to the security policies; and how the managers will be held accountable for enforcement.

Page 40: Security Awareness: Employees

Focus on: the operational aspects of information security, proper system usage, how to recognize a security issue, and how to properly handle and report a suspected information security incident.

Page 41: Next Class: United States of Secrets

Fantastic video; it will last for the entire duration of the class.

The video will serve as background information and as the basis for written assignment #2.

https://www.youtube.com/watch?v=W2hqLPqJAa0

Page 42: Assignment #2: Responding to a National Security Letter

National Security Letters (NSLs) are an extraordinary search procedure which gives the FBI the power to compel the disclosure of customer records held by banks, telephone companies, Internet Service Providers, and others. These entities are prohibited, or "gagged," from telling anyone about their receipt of the NSL, which makes oversight difficult. The number of NSLs issued has grown dramatically since the Patriot Act expanded the FBI's authority to issue them.

Page 43: National Security Letter: References

Electronic Frontier Foundation: https://www.eff.org/issues/foia/07656JDB

Wikipedia: https://en.wikipedia.org/wiki/National_security_letter