Security Policies Jim Stracka www.pentasafe.com
Dec 27, 2015

Page 1: Security Policies Jim Stracka . The Problem Today.

Security Policies

• Jim Stracka

• www.pentasafe.com

Page 2

The Problem Today

Page 3

VigilEnt Security Agents

VigilEnt Policy Center

VigilEnt Security Manager

VigilEnt Security Solution

Page 4

Overwhelming Validation

Customers

Strategic Alliances

Investors: Lehman Brothers

Page 5

Agenda

• Business Issues

• What Is An Information Security Policy?

• Policy Development Process

• Conclusion

Page 6

Page 7

Business Issues

• Organizations Embracing New Business Models

• Increased Risks In New Economy Environments

• How Do You Conduct E-Business Safely?

• Security Is A BUSINESS Issue, Not A Technology Issue

• Security Must Be Governed By Policy

Page 8

Why Have A Security Policy?

• Clearly Establishes Expectations

• Acts As An Extension Of The Organization's Leadership

• Opportunity To Address Asset Protection

• Ensures Proper Compliance With Laws, Regulations, etc.

• Ensures Implementation Of Proper Controls

• Reduces Liability

Page 9

What Is A Policy?

• A Policy Defines Expectations

• Policies Are Written At A High Level

• Technology Changes, But Policies Rarely Do

• Your Policy Should Indicate A “Perfect World” (Security Gap)

Page 10

Policy Or Standard?

The Rule Process Should Incorporate Two Levels:

• Policy: Few And Short Statements; Sets The Goal You're Trying To Achieve; Language Used (Will / Shall)

• Standard: Gets Much More Specific (To Platform, Technology, Procedure); Language Used (Should / Could)

Page 11

The Problem Today

Page 12

Anatomy Of A Security Policy

Elements Of A Viable Policy:

• Policy Statements

• Purpose

• Scope

• Controls

• Definitions

• Applicable Entities

• Roles And Responsibilities

• References

• Information Assets

Page 13

Policy Elements: Policy Statement

The Policy Statement is a one- or two-sentence description of the policy. It describes the control environment, not how the organization will accomplish the objective.

Page 14

Policy Elements: Purpose

The policy Purpose describes the reason for this particular policy (i.e., why it exists).

Page 15

Policy Elements: Scope

The policy Scope primarily defines who falls under the jurisdiction of the policy. As a further explanation of scope, policy statements should indicate who must observe the policies and when it may be acceptable for worker actions or activities to be inconsistent with policies.

Page 16

Policy Elements: Information Assets

• Integral element of any security policy

• Not likely restated for each policy statement

• However, it is important to identify for each policy statement if there are any specific inclusions or exclusions to this information (this is most effectively done on a class basis)

Examples:

“The provisions set forth in this policy statement apply to all identified classes of information assets.”

“This policy applies only to information assets that are classified as ‘Confidential’ or ‘Highly Sensitive’.”

Page 17

Short, To The Point, Clear

• Keep It Brief

• Policy Never Tells Or Suggests How To Achieve The Objective

• Policy Rarely Changes Because It Does Not Depend On A Person, Process, or Technology

Page 18

Develop A “Policy On Policy”

Clearly Define The Policy Administration Process:

• For Developing New Policy

• For Requesting Modification To Existing Policy

• To Suggest The Elimination Of Outdated Policy

– Who Writes The Policy?

– Who Reviews The Policy?

– Who Approves The Policy?

– What Is The Process For Requesting Exceptions?

Page 19

Policy Priorities

• The Policies Of The Organization As A Whole Should Take Precedence

• More Granular Section Policies Can Always Be Added To The Overall Policies For The Organization

• Specific Enterprise Sections May Require Additional Policies Due To The Nature Of Their Business

Page 20

Integration Of Policy & IT

Make Use Of What Is Available:

• Use Of Policy To Develop Standards

• Use Of Standards To Communicate Policy

• Make Use Of Platform-Specific Standards (MVS, AS400, Sun/Solaris, Novell, NT) To Develop Policy

Page 21

The Problem Today

Page 22

Policy Life-Cycle

The greatest challenge of implementing an information security policy is keeping the policy active. The policy life-cycle process is shown below; the last two steps tend to be the most overlooked:

– Monitoring, Compliance And Enforcement; and

– Review And Update

Page 23

Code Of Conduct

• Use Your Corporate “Code of Conduct” To Help Support Your Policy Efforts

• The “Code of Conduct” Usually Supports Business Directives and Ethical Actions

• Make Sure Your Policy Efforts Support Your “Code of Conduct”

Page 24

Consequences

• There Should Be A Separate Policy That Delineates The Consequences Of Failure To Comply With Policy

• Appropriate Procedures Must Be Identified, Communicated, and Enforced

• Need To Work With Human Resources / Senior Management

Page 25

Policy Implementation

• Develop “Educated” Draft(s)

• Involve Many Areas / Departments (Form A Policy Committee)

• Obtain Leadership Approval From The Start

• Train Staff On Policy And Security Issues

• Communicate Content / Milestones Of Process

• Use A Machine To Sustain The Process

Page 26

Ideal Times To Develop Policies

• Your Organization Just Suffered A Loss

• Competing Organization Just Suffered A Loss

• Press Discussing A Major Vulnerability

• Your Organization Just Received Adverse Audit Report

• Your Organization Just Hit With Lawsuit

• Your Organization Will Make Major Changes

• Other InfoSec Initiatives Are Well Underway

Page 27

Conclusion

• Developing Policy Is Not An Easy Process

• Why Do Many Fail?

– Complicated Process

– Many Twists And Turns

– Lack Of Management Support

• Automated Tools Are Long Overdue

Page 28

Do You Want More?

Jim Stracka

888-400-2834

[email protected]

www.pentasafe.com