IS365-CH5

Apr 03, 2018

Transcript
  • 7/28/2019 IS365-CH5

    1/28

IS 365/765 Information Security

Sung Kim


Planning for Security


Learning Objectives

Understand policies, standards, and practices/procedures/guidelines

Describe what an information security blueprint is

Discuss security education, training, and awareness (SETA) programs

Explain what contingency planning is and how incident response planning, disaster recovery planning, and business continuity plans are related to contingency planning


Definitions

Policies are organizational laws: they influence and determine decisions and actions.

Standards: more detailed statements of what must be done to comply with policy.

Practices, procedures, and guidelines: effectively explain how to comply with policy.

For a policy to be effective, it must be properly disseminated, read, understood, and agreed to by all members of the organization, and uniformly enforced.


Example in an Enterprise Context

Policies: It is our policy to investigate every security-related incident within the enterprise.

Standards: Every security-related incident shall be investigated by a security officer within five days and reported to the concerned departmental head.

Procedures:

Day 1: Preliminary investigation, including interviews

Day 2: Detailed investigation by examining logs etc.

Day 3: .

Day 4: .

Day 5: Report 1 submitted to the concerned departmental head.


Policy

Sets the strategic direction, scope, and tone for all security efforts within the organization

Usually high-level

Provides strategic direction

Supports the mission of the organization

Sanctioned by senior management

An information security policy provides the rules for the protection of the organization's information assets


Enterprise Information Security Policy (EISP)

Also known as a general security policy

Sets the direction for all security efforts within the organization

Defines the purpose, scope, constraints and applicability of the security program

Guides the development, implementation and management of the security program


    Components of EISP

    Statement of Purpose

    IT Security Elements (or Scope)

    IT Security Responsibilities and Roles

Reference to Other IT Standards and Guidelines

Examples: Table 5-1 on pp. 176-177


Types of Information Security Policies (after NIST SP 800-14)

EISP (Enterprise InfoSec Program Policy): organizational level, strategic

ISSP (Issue-Specific InfoSec Policy): guidelines specific to each area; detailed, targeted

SysSP (System-Specific InfoSec Policy): guidelines for technology-based systems; configuration and maintenance of specific systems


Issue-Specific Security-Related Policy (ISSP)

Various technologies and processes support routine operations; the organization needs to define their proper use

Examples: electronic mail, use of the Internet, home use of company-owned computers, use of telecommunication technologies, privacy

Table 5-2 on p. 178

UW examples: http://www.cio.wisc.edu/security/standards.aspx


Systems-Specific Policy (SysSP)

Often created when configuring or maintaining systems

SysSPs can be separated into:

Management guidance

Technical specifications

These may also be combined in a single policy document


Systems-Specific Policy (SysSP)

SysSPs frequently function as the standards and procedures used when configuring or maintaining systems

Many security systems require specific configuration scripts telling the system what actions to perform on each set of information it processes (e.g., a firewall)


Management Guidance SysSPs

Created by management

Guides the implementation and configuration of technology

Applies to any technology that affects the confidentiality, integrity or availability of information

Informs technologists of management intent


Technical Specifications SysSPs

Created by system administrators

Each type of equipment has its own type of policies

Two general methods of implementing such technical controls:

Access control lists

Configuration rules
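The two SysSP forms named above, configuration rules and access control lists, are easiest to understand as code that decides what to do with each packet or request. The following Python is an added example written for this page, not code from the slides or the textbook: it models a packet-filter rule set as ordered configuration rules with first-match evaluation and an implicit default deny, flags rules that an earlier rule has shadowed (the most common way a written configuration drifts from the policy it is meant to implement), and models a resource ACL with a default-deny access check. The networks, ports, users and objects are constructed for illustration, and the rule fields are an illustrative shape rather than any vendor's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One configuration rule of a SysSP for a packet filter (illustrative field layout)."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port; None means any port


# Constructed rule set encoding the management intent "only the web tier may
# reach the database server, and only on its service port; the Internet may
# reach the web tier on 443; everything else is denied".
FIREWALL_RULES: List[Rule] = [
    Rule("permit", "tcp", "10.1.0.0/24", "10.2.0.5/32", 5432),   # web tier -> db
    Rule("deny",   "any", "0.0.0.0/0",   "10.2.0.0/24", None),   # nothing else to the db subnet
    Rule("permit", "tcp", "0.0.0.0/0",   "10.1.0.0/24", 443),    # Internet -> web tier (HTTPS)
    Rule("permit", "tcp", "10.3.0.0/24", "10.2.0.5/32", 5432),   # never fires: shadowed by the deny above
]


def _matches(rule: Rule, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    """True if the packet (proto, src_ip, dst_ip, dport) falls within the rule."""
    return (
        rule.proto in ("any", proto)
        and (rule.dport is None or rule.dport == dport)
        and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
    )


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, index of the deciding rule).
    A packet matching no rule is denied with index None: the default-deny stance."""
    for index, rule in enumerate(rules):
        if _matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action, index
    return "deny", None


def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return (
        outer.proto in ("any", inner.proto)
        and (outer.dport is None or outer.dport == inner.dport)
        and ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
        and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    )


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule with the
    opposite action already covers every packet they would match. A shadowed
    rule means the written configuration no longer expresses the intended policy."""
    found = []
    for j, later in enumerate(rules):
        if any(earlier.action != later.action and _covers(earlier, later) for earlier in rules[:j]):
            found.append(j)
    return found


# Constructed access control list: for each object, the subjects that hold
# rights on it and which rights. Anything not listed is denied.
ACL = {
    "hr-db":   {"alice": {"read", "write"}, "bob": {"read"}},
    "payroll": {"alice": {"read"}},
}


def authorized(acl: dict, subject: str, obj: str, right: str) -> bool:
    """Default-deny ACL check: an unknown object, subject or right yields False."""
    return right in acl.get(obj, {}).get(subject, set())


if __name__ == "__main__":
    print(evaluate(FIREWALL_RULES, "tcp", "10.1.0.7", "10.2.0.5", 5432))   # ('permit', 0)
    print(evaluate(FIREWALL_RULES, "tcp", "10.3.0.9", "10.2.0.5", 5432))   # ('deny', 1)
    print(evaluate(FIREWALL_RULES, "udp", "10.1.0.7", "10.4.0.1", 53))     # ('deny', None)
    print(shadowed_rules(FIREWALL_RULES))                                  # [3]
    print(authorized(ACL, "bob", "hr-db", "write"))                        # False
```

The shadow check is deliberately conservative: it only reports a rule when a single earlier rule covers it completely, so it will miss a rule hidden by the union of several earlier rules, but everything it does report is a genuine dead rule worth removing or reordering before the configuration is signed off as implementing the policy.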


The Information Security Blueprint

Developed after vulnerabilities have been identified, risks assessed, and controls determined

Should specify the tasks to be accomplished and the order in which they are to be realized

The security blueprint is the basis for the design, selection, and implementation of all security program elements, including:

Risk management programs

Education and training programs

Contingency programs

Technological controls

Maintenance of the security program


The Information Security Blueprint

NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems

Provides security principles and best practices that can direct the security team in the development of a security blueprint. Table 5-6 on pp. 193-194


Generally Accepted Principles

1. Security supports the mission of the organization
2. Security is an integral element of sound management
3. Security should be cost-effective
4. System owners have security responsibilities outside their own organizations
5. Security responsibilities and accountability should be made explicit
6. Security requires a comprehensive and integrated approach
7. Security should be periodically reassessed
8. Security is constrained by societal factors


Generally Accepted Practices

1. Policy
2. Program Management
3. Risk Management
4. Life Cycle Planning
5. Personnel/User Issues
6. Preparing for Contingencies and Disasters
7. Computer Security Incident Handling
8. Security Considerations in Computer Support and Operations
9. Physical and Environmental Security
10. Awareness and Training
11. Identification and Authentication
12. Logical Access Control
13. Audit Trails
14. Cryptography


Security Education, Training and Awareness (SETA)

After developing the policy, program, and blueprint, you need to implement a SETA program.

A control measure designed to reduce accidental security breaches

Human error is among the top threats to information assets.

Helps employees do their jobs securely


Security Education, Training and Awareness (SETA) (continued)

Purpose:

Education: to build in-depth knowledge and understanding in security matters

Training: to develop skills so that computer users can perform their jobs more securely

Awareness: to increase awareness of the need to protect information assets

Table 5-10 on p. 207


Security Education, Training & Awareness Framework (SETA)


Security Education

Everyone in an organization needs to be trained in and aware of information security, but not every member needs a formal degree or certificate in information security

Summary

Objective: understanding/insight

Impact timeframe: long term

Method: classroom

Test measure: essay

Focuses on why.


Security Training

Involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely

Summary

Objective: hands-on knowledge (rather than exposure)

Impact timeframe: intermediate term (somewhere between short and long term)

Method: lab

Test measure: problem solving

Focuses on how.


Security Awareness

One of the least frequently implemented but most beneficial programs is the security awareness program

Designed to keep information security at the forefront of users' minds

Need not be complicated or expensive

Summary

Objective: exposure

Impact timeframe: short term

Method: videos and newsletters

Test measure: true/false, multiple choice

Focuses on what.


Continuity Strategies

Incident response plans (IRPs), disaster recovery plans (DRPs), and business continuity plans (BCPs)

Primary functions of the above plans:

IRP focuses on immediate response; if the attack escalates or is disastrous, the process changes to disaster recovery and BCP

DRP typically focuses on restoring systems after disasters occur; as such, it is closely associated with BCP

BCP occurs concurrently with DRP when damage is major or long term, requiring more than simple restoration of information and information resources


    Contingency Planning Timeline


Summary

Management has an essential role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines

The information security blueprint is a planning document that is the basis for the design, selection, and implementation of all security policies, education and training programs, and technological controls

Information security education, training, and awareness (SETA) is a control measure that reduces accidental security breaches and increases organizational resistance to many other forms of attack

Contingency planning (CP) is made up of three components: incident response planning (IRP), disaster recovery planning (DRP), and business continuity planning (BCP)