MgmtOfInfoSec_6e-Ch04_pr.pptx

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use
Management of Information Security, 6th ed. – Whitman & Mattord


Learning Objectives

Upon completion of this material, you should be able to:
Define information security policy and discuss its central role in a successful information security program
List and describe the three major types of information security policy and discuss the major components of each
Explain what is necessary to implement effective policy and what consequences the organization may face if it does not
Discuss the process of developing, implementing, and maintaining various types of information security policies


Why Policy?
Chapter 04: Information Security Policy


Introduction

Policy is the essential foundation of an effective information security program:
“The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems. You, the policy maker, set the tone and the emphasis on how important a role information security will have within your agency. Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality.” (NIST, 1989)


Why Policy?

A quality information security program begins and ends with policy
In general, a policy is simply a manager’s or other governing body’s statement of intent; as such, a policy (document) actually contains multiple policies (statements)
Some basic rules must be followed when shaping a policy:
Policy should never conflict with law
Policy must be able to stand up in court if challenged
Policy must be properly supported and administered


Why Policy? (Continued)

According to Bergeron and Bérubé, the following guidelines can help in the formulation of IT policy as well as InfoSec policy:
All policies must contribute to the success of the organization
Management must ensure the adequate sharing of responsibility for proper use of information systems
End users of information systems should be involved in the steps of policy formulation


Policy-Centric Decision Making

Bull’s-eye model layers:
Policies—first layer of defense
Networks—threats first meet the organization’s network
Systems—computers and manufacturing systems
Applications—all applications systems
“Policies are important reference documents for internal audits and for the resolution of legal disputes about management’s due diligence [and] policy documents can act as a clear statement of management’s intent” (Wood, 2012)


Policy, Standards, and Practices

Policy is a set of “organizational guidelines that dictate certain behavior within the organization”
A standard is “a detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance”
Guidelines are “nonmandatory recommendations the employee may use as a reference in complying with a policy”
Procedures are “step-by-step instructions designed to assist employees in following policies, standards, and guidelines”
Practices are “examples of actions that illustrate compliance with policies”
Policies define what you can do and not do, whereas the other documents focus on the how


Policy, Standards, and Practices (Continued)

Policies require constant modification and maintenance
In order to produce a complete information security policy, management must define three types of information security policy:
Enterprise information security program policy
Issue-specific information security policies
Systems-specific policies


Enterprise Information Security Policy
Chapter 04: Information Security Policy


Enterprise Information Security Policy (EISP)

Enterprise information security policy (EISP) is high-level information security policy that sets the strategic direction, scope, and tone for all of an organization’s security efforts
An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy


EISP Elements

An EISP assigns responsibilities for the various areas of InfoSec, including maintenance of InfoSec policies and the practices and responsibilities of end users
In particular, the EISP guides the development, implementation, and management requirements of the InfoSec program, which must be met by InfoSec management and other specific security functions


Integrating an Organization’s Mission and Objectives into the EISP

The EISP plays a number of vital roles, not the least of which is to state the importance of InfoSec to the organization’s mission and objectives
The EISP should not contradict the organizational mission statement
However, it would be prudent for an institution to have policies that govern such access and ensure that such access does not interfere or create a hostile work environment for other employees


EISP Elements

An overview of the corporate philosophy on security
Information on the structure of the InfoSec organization and individuals who fulfill the InfoSec role
Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
Fully articulated responsibilities for security that are unique to each role within the organization


Issue-Specific Security Policy
Chapter 04: Information Security Policy


Issue-Specific Security Policy (ISSP)

An issue-specific security policy (ISSP) is “an organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies”
In some organizations, ISSPs are referred to as fair and responsible use policies, describing the intent of the policy to regulate appropriate use
The ISSP should assure members of the organization that its purpose is not to establish a foundation for administrative enforcement or legal prosecution but rather to provide a common understanding of the purposes for which an employee can and cannot use the resource


Issue-Specific Security Policy (ISSP) (Continued)

An effective ISSP accomplishes the following:
It articulates the organization’s expectations about how its technology-based system should be used
It documents how the technology-based system is controlled and identifies the processes and authorities that provide this control
It indemnifies the organization against liability for an employee’s inappropriate or illegal use of the system
Every organization’s ISSPs should:
Address specific technology-based systems
Require frequent updates
Contain a statement on the organization’s position on an issue


Issue-Specific Security Policy (ISSP) (Continued)
ISSP topics:
Use of electronic mail, IM, and other communications apps
Use of the Internet, the Web, and company networks by company equipment
Malware protection requirements
Use of nonorganizationally issued software or hardware on organization assets
Use of organizational information on nonorganizationally owned computers
Prohibitions against hacking or testing security controls or attempting to modify or escalate privileges
Personal and/or home use of company equipment
Removal of organizational equipment from organizational property
Use of personal equipment on company networks (BYOD)
Use of personal technology during work hours
Use of photocopying and scanning equipment
Requirements for storage and access to company information while outside company facilities
Specifications for the methods, scheduling, conduct, and testing of data backups
Requirements for the collection, use, and destruction of information assets
Storage of access control credentials by users


Elements of the ISSP

Statement of Purpose
  Scope and Applicability
  Definition of Technology Addressed
  Responsibilities
Authorized Access and Usage of Equipment
  User Access
  Fair and Responsible Use
  Protection of Privacy
Prohibited Usage of Equipment
  Disruptive Use or Misuse
  Criminal Use
  Offensive or Harassing Materials
  Copyrighted, Licensed, or Other Intellectual Property
  Other Restrictions


Elements of the ISSP (Continued)

Systems Management
  Management of Stored Materials
  Employer Monitoring
  Virus Protection
  Physical Security
  Encryption
Violations of Policy
  Procedures for Reporting Violations
  Penalties for Violations
Policy Review and Modification
  Scheduled Review of Policy and Procedures for Modification
Limitations of Liability
  Statements of Liability or Disclaimers


Implementing the ISSP

Common approaches:
A number of independent ISSP documents, each tailored to a specific issue
A single comprehensive ISSP document that covers all issues
A modular ISSP document that unifies policy creation and administration while maintaining each specific issue’s requirements
The recommended approach is the modular policy, which provides a balance between issue orientation and policy management


System-Specific Security Policy
Chapter 04: Information Security Policy


System-Specific Security Policy

System-Specific Security Policies (SysSPs) are “organizational policies that often function as standards or procedures to be used when configuring or maintaining systems”
SysSPs can be:
separated into managerial guidance and technical specifications; or
combined in a single unified SysSP document


Managerial Guidance SysSPs

Managerial guidance SysSPs are created by management to guide the implementation and configuration of technology, as well as to address the behavior of people in the organization in ways that support the security of information
They apply to any technology that affects the confidentiality, integrity, or availability of information
They inform technologists of management intent


Technical Specifications SysSPs

Technical specifications SysSPs document system administrators’ directions and actions in implementing managerial policy
While the manager is primarily responsible for the creation of the managerial specifications, the sysadmins may be the primary authors or architects of the technical specifications version
There are two general methods of implementing such technical controls:
Access control lists
Configuration rules


Access Control Lists

ACLs include the user access lists, matrices, and capability tables that govern users’ rights and privileges
A capability table specifies which subjects and objects users or groups can access
These specifications are frequently complex matrices, rather than simple lists or tables
In general, ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file


Access Control Lists (Continued)

In general, ACLs regulate:
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the system from
How authorized users can access the system
Common user privileges (also known as permissions) include:
Read
Write
Execute
Delete
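The who/what/when/where/how checks and the read/write/execute/delete permissions described above, worked as an added Python example (not code from the textbook); the payroll database, the groups, the hours and the networks are constructed assumptions:

```python
"""Added example, not from the textbook: a small ACL evaluator that
applies the five questions the slide lists (who, what, when, where,
how) and the four common permissions (read, write, execute, delete),
plus the subject-oriented capability-table view. Users, groups,
objects and networks below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

PERMISSIONS = frozenset({"read", "write", "execute", "delete"})


@dataclass(frozen=True)
class AclEntry:
    subject: str                           # who: a user or group name
    obj: str                               # what: the resource being governed
    rights: FrozenSet[str]                 # which of PERMISSIONS are granted
    hours: Optional[range] = None          # when: allowed hours of day, None = any time
    networks: Tuple[str, ...] = ()         # where: allowed source networks, () = anywhere
    methods: FrozenSet[str] = frozenset()  # how: allowed access methods, empty = any


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    obj: str
    action: str
    when: datetime
    source_ip: str
    method: str


def entry_applies(entry: AclEntry, req: AccessRequest) -> bool:
    """True only when every who/what/when/where/how constraint of the entry holds."""
    if entry.subject != req.user and entry.subject not in req.groups:
        return False
    if entry.obj != req.obj:
        return False
    if entry.hours is not None and req.when.hour not in entry.hours:
        return False
    if entry.networks and not any(
        ip_address(req.source_ip) in ip_network(net) for net in entry.networks
    ):
        return False
    if entry.methods and req.method not in entry.methods:
        return False
    return True


def is_permitted(acl: List[AclEntry], req: AccessRequest) -> bool:
    """Default deny: the action is allowed only if some applicable entry grants it."""
    if req.action not in PERMISSIONS:
        raise ValueError(f"unknown permission: {req.action}")
    return any(req.action in e.rights for e in acl if entry_applies(e, req))


def capability_table(acl: List[AclEntry]) -> Dict[str, Dict[str, FrozenSet[str]]]:
    """Subject-oriented view: for each subject, the objects it may reach and with what rights."""
    table: Dict[str, Dict[str, set]] = {}
    for e in acl:
        table.setdefault(e.subject, {}).setdefault(e.obj, set()).update(e.rights)
    return {s: {o: frozenset(r) for o, r in objs.items()} for s, objs in table.items()}


# Constructed sample ACL for a payroll database (hypothetical names and networks).
SAMPLE_ACL = [
    AclEntry("finance", "payroll.db", frozenset({"read"}),
             hours=range(8, 18), networks=("10.1.0.0/16",), methods=frozenset({"app"})),
    AclEntry("payroll_admin", "payroll.db", frozenset({"read", "write"}),
             hours=range(8, 18), networks=("10.1.0.0/16",)),
    AclEntry("dba", "payroll.db", PERMISSIONS,
             networks=("10.1.5.0/24",), methods=frozenset({"ssh"})),
]


def check(user: str, groups, obj: str, action: str, hour: int, source_ip: str, method: str) -> bool:
    """Convenience wrapper: evaluate one request against SAMPLE_ACL at the given hour of day."""
    req = AccessRequest(user, frozenset(groups), obj, action,
                        datetime(2018, 9, 11, hour, 0), source_ip, method)
    return is_permitted(SAMPLE_ACL, req)


if __name__ == "__main__":
    print(check("alice", {"finance"}, "payroll.db", "read", 10, "10.1.2.3", "app"))  # True
    print(check("alice", {"finance"}, "payroll.db", "read", 20, "10.1.2.3", "app"))  # False: outside hours
    print(capability_table(SAMPLE_ACL)["dba"]["payroll.db"] == PERMISSIONS)          # True
```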


Configuration Rules

Configuration rules are instructional codes that guide the execution of the system when information is passing through it
Rule policies are more specific to the operation of a system than ACLs, and may or may not deal with users directly
Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process
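An added Python example (not from the textbook) of the configuration-rule idea above, modelled on a packet-filter rule set: rules are evaluated in order with the first match winning and an implicit deny otherwise, and a check flags any rule that an earlier, broader rule shadows so that it can never fire, the kind of ordering mistake a review of the rule set should catch. The rule names, networks and packets are constructed assumptions.

```python
"""Added example, not from the textbook: a first-match evaluator for
the kind of configuration rules the slide describes, modelled on a
packet-filter rule set, plus a check for rules that an earlier rule
shadows so they can never fire. Rule names, networks and packets are
constructed sample data."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    proto: Optional[str]      # "tcp", "udp", or None for any protocol
    src: IPv4Network          # source network
    dst: IPv4Network          # destination network
    ports: Tuple[int, int]    # inclusive destination port range


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule apply to this packet?"""
    return ((rule.proto is None or rule.proto == pkt.proto)
            and ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and rule.ports[0] <= pkt.dport <= rule.ports[1])


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the rules in order; the first match wins, otherwise deny by default."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-default"


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that inner would match is also matched by outer."""
    return ((outer.proto is None or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed, shadowing) pairs: rules that a single earlier rule fully covers."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample rule set. The intent is: web server reachable from anywhere,
# the LAN blocked from the DMZ, except admins over SSH. The ordering is wrong.
SAMPLE_RULES = [
    Rule("allow-web", "allow", "tcp", ip_network("0.0.0.0/0"), ip_network("10.0.1.10/32"), (443, 443)),
    Rule("deny-lan-to-dmz", "deny", None, ip_network("10.0.0.0/8"), ip_network("10.0.1.0/24"), (0, 65535)),
    Rule("allow-admin-ssh", "allow", "tcp", ip_network("10.0.9.0/24"), ip_network("10.0.1.0/24"), (22, 22)),
]

# Same rules with the specific exception placed before the broad deny.
FIXED_RULES = [SAMPLE_RULES[0], SAMPLE_RULES[2], SAMPLE_RULES[1]]


if __name__ == "__main__":
    ssh = Packet("tcp", "10.0.9.4", "10.0.1.20", 22)
    print(shadowed_rules(SAMPLE_RULES))  # [('allow-admin-ssh', 'deny-lan-to-dmz')]
    print(decide(SAMPLE_RULES, ssh))     # ('deny', 'deny-lan-to-dmz')
    print(decide(FIXED_RULES, ssh))      # ('allow', 'allow-admin-ssh')
```

The shadow check is deliberately conservative: it only reports a rule fully covered by one earlier rule, so a rule hidden by the combination of several earlier rules would still need manual review.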


Combination SysSPs

Many organizations create a single document combining elements of both management guidance and technical specifications SysSPs
While this document can be somewhat confusing to the users of the policies, it is very practical to have the guidance from both perspectives in a single place
Such a document should carefully articulate the required actions for each procedure described


Guidelines for Effective Policy Development and Implementation
Chapter 04: Information Security Policy


Guidelines for Effective Policy

For policies to be effective, and legally defensible, they must be properly:
Developed using industry-accepted practices, and formally approved by management
Distributed using all appropriate methods
Read by all employees
Understood by all employees
Formally agreed to by act or affirmation
Uniformly applied and enforced


Developing Information Security Policy

It is often useful to view policy development as a three-part project:
The policy is designed and written (or redesigned and rewritten)
A senior manager or executive at the appropriate level and the organization’s legal counsel review and formally approve the document
Management processes are established to perpetuate the policy within the organization
The first part is an exercise in project management, while the latter two require adherence to good business practices


Policy Distribution

Policy distribution can be accomplished by hard copy and/or electronic distribution
Unless the organization can prove that the policy actually reached the end users, it cannot be enforced
Distribution of classified policies requires additional levels of controls, in the labeling of the document, in the dissemination of new policy, and in the collection and destruction of older versions to assure the confidentiality of the information contained within the policy documents themselves


Policy Reading

Barriers to employees’ reading policies can arise from literacy or language issues
Literacy-challenged and visually impaired employees require additional assistance, either through audio or large-type versions of the document
Multinational organizations also must deal with the challenges of gauging reading levels and language translations for foreign citizens


Policy Comprehension

To be certain that employees understand the policy, the document must be written at a reasonable reading level, with minimal technical jargon and management terminology
The next step is to use some form of assessment to gauge how well employees understand the policy’s underlying issues
Quizzes and other forms of examination can be employed to assess quantitatively which employees understand the policy by earning a minimum score, and which employees require additional training and awareness efforts before the policy can be enforced
