it security policy framework ● policies ● standards ● procedures ● guidelines
![Page 1: IT Security Policy Framework ● Policies ● Standards ● Procedures ● Guidelines](https://reader035.vdocuments.mx/reader035/viewer/2022062408/56649f155503460f94c2a647/html5/thumbnails/1.jpg)
IT Security Policy Framework
●Policies●Standards●Procedures●Guidelines
Policy
● A written statement from an authority declaring a course of action for the sake of expediency.
– Example: Policy dictates that all employees will read and sign the acceptable use policy (AUP) before receiving access to the computing system.
Standard
● A detailed level of attainment.
– IT standards ensure that consistent security controls are adopted.
– Example: The Common Criteria have established standards for hardware and software security.
Procedures
● A description of the process used to accomplish a task.
– Example: A procedure checklist is used to perform and verify backups.
Guidelines
● A suggested course of action, which can be specific or general.
– Example: The guidelines for a secure password include but are not limited to ...
IT Policy Framework Purpose
● The purpose is to achieve an acceptable level of risk.
Data Classification Standards
● US Government
● Private enterprise
US Government
● Executive Order 13526 (2009)
– Top Secret
– Secret
– Confidential
– Public domain information is considered unclassified and is not part of the classification standard.
Top Secret
● Would cause grave damage to national security if it were disclosed.
Secret
● Would cause serious damage to national security if it were disclosed.
Confidential
● Would cause damage to national security if it were disclosed.
Guidelines
● Yes there are guidelines for separating information into the appropriate categories.
Unclassified
● Would you believe there are classifications for unclassified information?
Unclassified
● Poses no threat to national security if exposed.
Controlled Unclassified
● For official use only.
– Example: law enforcement sensitive information
Alternative classifications
● Top Secret
● Secret
● Confidential
● Restricted
● Protected
● Unclassified
Private Enterprise Data Classification*
*(Kim, Solomon)
● Private
● Confidential
● Internal use only
● Public domain data
*Private
● Data about people.
– Example: data covered by compliance laws such as HIPAA
Confidential
● Information owned by the enterprise
– Customer lists
– Pricing information
– Intellectual property
– Internal use only information
Internal Use Only
● Information shared internally by an organization.
– Most communications are not intended to be shared.
Public Domain Data
● Shared with the public
– Web site content
– White papers
Alternative
● Confidential
● Restricted
● Protected
● Unclassified (public)
Alternative
● Confidential
– Disclosure would substantially undermine the financial viability of the organization.
Alternative
● Restricted
– Disclosure would cause a substantial loss of earning potential or give an advantage to competitors.
Alternative
● Protected
– Disclosure would cause financial loss.
Data Classification Challenges
● Perfection is the enemy of the good!
– If you insist on perfection, your system will be difficult to implement.
– Employees must be properly educated in order to classify data effectively.
Data Classification Challenges
● Perfection is the enemy of the good!
– If the scheme is too complex, it will fail due to lack of use.
– You are better served by keeping your classification scheme simple (no more complex than is necessary).
Data Classification Challenges
● Perfection is the enemy of the good!
– Development and implementation of a data classification scheme will require resources.
– If it is complex, it will likely be expensive to implement.
Implementation Tips
● Understand what is achievable – any data classification policy must become less complex as more individuals become involved in implementing the policy.
Implementation Tips
● Those who have something at stake should be involved in the data classification policy development.
Implementation Tips
● Provide appropriate education and visibility.
– Any data classification scheme should be posted on the company/agency internal web-page.
Implementation Tips
● Align your data classification scheme with regulatory (compliance) requirements.
Compliance Laws
● Legislation exists mandating security controls to protect private and confidential data.
Example Compliance Legislation
● SOX (Sarbanes-Oxley, 2002)
– Requires security controls to protect the confidentiality and integrity of financial reporting.
Example Compliance Legislation
● GLBA (Gramm-Leach-Bliley, 1999)
– Financial institutions must protect clients' private financial information.
Example Compliance Legislation
● HIPAA (Health Insurance Portability and Accountability Act, 1996)
– Health care organizations must secure patient information.
Example Compliance Legislation
● CIPA (Children's Internet Protection Act, 2000)
– Requires public schools and public libraries to implement an Internet safety policy.
Example Compliance Legislation
● FERPA (Family Educational Rights and Privacy Act, 1974)
– Protects the school records and other private data of students.
Example Compliance Standard
● PCI-DSS (Payment Card Industry Data Security Standard)
– An information security standard for organizations that handle payment card information.
● Debit
● Credit
● Prepaid
● ATM
● etc.
Professionalization of the System Administration (SA) Discipline
● Establishment of professional societies/organizations
● Credentials
– By study and examination
– University degrees
Example Professional Organizations
● LISA (Large Installation System Administration, the USENIX conference) and SAGE (the System Administrators Guild)
● (ISC)2 – International Information Systems Security Certification Consortium
Professional Organizations
● Offer credentials through study and examination
● Code of ethics
● Professional networking
● A forum for sharing new technology, ideas, etc.
Recommended Areas of Knowledge
● Access controls
● Cryptography
● Network security
● Risk management
● Application development security
● Legal regulations and compliance
● Operations security