8/18/2019 Information Security Chapter 2 Planning for Security.ppt
Principles of Information Security, 2nd Edition 2
Introduction
Creation of information security program begins with creation and/or review of organization's information security policies, standards, and practices
Then, selection or creation of information security architecture and the development and use of a detailed information security blueprint creates plan for future success
Definitions
Policy: course of action used by organization to convey instructions from management to those who perform duties
Policies are organizational laws
Standards: more detailed statements of what must be done to comply with policy
Practices, procedures and guidelines effectively explain how to comply with policy
For a policy to be effective, must be properly disseminated, read, understood and agreed to by all members of organization
Enterprise Information Security Policy (EISP)
Sets strategic direction, scope, and tone for all security efforts within the organization
Executive-level document, usually drafted by or with CIO of the organization
Typically addresses compliance in two areas
Ensure meeting requirements to establish program and responsibilities assigned therein to various organizational components
Use of specified penalties and disciplinary action
Issue-Specific Security Policy (ISSP)
The ISSP addresses specific areas of technology
Requires frequent updates
Contains statement on organization's position on specific issue
Three approaches when creating and managing ISSPs
Create a number of independent ISSP documents
Create a single comprehensive ISSP document
Create a modular ISSP document
Systems-Specific Policy (SysSP)
SysSPs frequently codified as standards and procedures used when configuring or maintaining systems
Systems-specific policies fall into two groups
Access control lists (ACLs)
Configuration rules
Policy Management
Policies must be managed as they constantly change
To remain viable, security policies must have
Individual responsible for reviews
A schedule of reviews
Method for making recommendations for reviews
Specific policy issuance and revision date
Information Classification
Classification of information is an important aspect of policy
Policies are classified
A clean desk policy stipulates that at end of business day, classified information must be properly stored and secured
In today's open office environments, may be beneficial to implement a clean desk policy
The Information Security Blueprint
Basis for design, selection, and implementation of all security policies, education and training programs, and technological controls
More detailed version of security framework (outline of overall information security strategy for organization)
Should specify tasks to be accomplished and the order in which they are to be realized
Should also serve as scalable, upgradeable, and comprehensive plan for information security needs for coming years
ISO 17799/BS 7799
One of the most widely referenced and often discussed security models
Framework for information security that states organizational security policy is needed to provide management direction and support
NIST Security Models
Another possible approach described in documents available from Computer Security Resource Center of NIST
SP 800-12
SP 800-14
SP 800-18
SP 800-26
SP 800-30
NIST Special Publication 800-14
Security supports mission of organization; is an integral element of sound management
Security should be cost-effective; owners have security responsibilities outside their own organizations
Security responsibilities and accountability should be made explicit; security requires a comprehensive and integrated approach
Security should be periodically reassessed; security is constrained by societal factors
33 Principles enumerated
Figure 5-15 – Spheres of Security
Design of Security Architecture
Defense in depth: implementation of security in layers; requires that organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls
Security perimeter: point at which an organization's security protection ends and outside world begins
Does not apply to internal attacks from employee threats or on-site physical threats
Key Technology Components
Firewall: device that selectively discriminates against information flowing into or out of organization
Demilitarized zone (DMZ): no-man's land between inside and outside networks where some organizations place Web servers
Intrusion Detection Systems (IDSs): in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement an IDS
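The SysSP slide says systems-specific policy is codified as ACLs and configuration rules, and this slide places Web servers in a DMZ behind a perimeter firewall. The following is an added example (not from the slides or the textbook) that ties the two together: a first-match ACL evaluator for a three-zone perimeter and a check that a rule set still enforces the policy statement it was written from. The zones, addresses and rules are constructed for illustration.

```python
# Added example (not from the slides): a first-match ACL evaluator for a
# three-zone perimeter (outside / DMZ / inside) and a check that the rule set
# still enforces the policy it was written from. Zones, hosts and rules are
# constructed for illustration; 192.0.2.0/24 is a documentation range.
from ipaddress import ip_address, ip_network

ZONES = {
    "outside": ip_network("0.0.0.0/0"),   # catch-all: everything not inside/DMZ
    "dmz": ip_network("192.0.2.0/24"),
    "inside": ip_network("10.10.0.0/16"),
}

# Configuration rules codifying the SysSP: DMZ web servers are reachable from
# anywhere on 80/443 only; nothing from outside may reach the inside network.
# Each rule is (action, src_zone, dst_zone, dst_port); None means any port.
RULES = [
    ("allow", "outside", "dmz", 80),
    ("allow", "outside", "dmz", 443),
    ("allow", "inside", "dmz", None),
    ("allow", "inside", "outside", None),
    ("deny", "outside", "inside", None),   # explicit so the drop gets logged
]
DEFAULT_ACTION = "deny"   # implicit deny when no rule matches

def zone_of(ip):
    """Most specific matching zone wins, so 0.0.0.0/0 only catches leftovers."""
    addr = ip_address(ip)
    return max((z for z, net in ZONES.items() if addr in net),
               key=lambda z: ZONES[z].prefixlen)

def evaluate(src_ip, dst_ip, dst_port, rules=RULES):
    """First-match evaluation, as on most firewall rule bases."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for action, s, d, port in rules:
        if s == src and d == dst and port in (None, dst_port):
            return action
    return DEFAULT_ACTION

def policy_violations(flows, rules=RULES):
    """Return sample flows the policy says must be denied but the rules allow:
    anything outside->inside, and outside->DMZ on ports other than 80/443."""
    bad = []
    for src_ip, dst_ip, port in flows:
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        must_deny = src == "outside" and (dst == "inside" or port not in (80, 443))
        if must_deny and evaluate(src_ip, dst_ip, port, rules) == "allow":
            bad.append((src_ip, dst_ip, port))
    return bad
```

Running `policy_violations` against a rule set with a broad `("allow", "outside", "dmz", None)` inserted at the top reports the outside-to-DMZ flows that now slip through, which is the kind of drift between policy and configuration a review schedule is meant to catch.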
Figure 5-18 – Key Components