MANAGEMENT of INFORMATION SECURITY Third Edition

CHAPTER

INFORMATION SECURITY POLICY

Each problem that I solved became a rule which served afterwards to solve other problems Ren Descartes

Objectives
Upon completion of this material you should be able to:
Define information security policy and understand its central role in a successful information security program Describe the three major types of information security policy and explain what goes into each type Develop, implement, and maintain various types various types of information security policies
Management of Information Security, 3rd ed.

Introduction
Policy is the essential foundation of an effective information security program
The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems

Policy maker sets the tone and emphasis on the importance of information security
Management of Information Security, 3rd ed.

Introduction (contd.)
Policy objectives
Reduced risk Compliance with laws and regulations Assurance of operational continuity, information integrity, and confidentiality

Management of Information Security, 3rd ed.

Why Policy?
A quality information security program begins and ends with policy Policies are the least expensive means of control and often the most difficult to implement Basic rules for shaping a policy
Policy should never conflict with law Policy must be able to stand up in court if challenged Policy must be properly supported and administered
Management of Information Security, 3rd ed.

Why Policy? (contd.)

Figure 4-1 The bulls eye model

Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

Why Policy? (contd.)

Bulls-eye model layers
Policies: first layer of defense Networks: threats first meet the organizations network Systems: computers and manufacturing systems Applications: all applications systems

Management of Information Security, 3rd ed.

Why Policy? (contd.)

Policies are important reference documents
For internal audits For the resolution of legal disputes about management's due diligence Policy documents can act as a clear statement of management's intent

Management of Information Security, 3rd ed.

Policy, Standards, and Practices

Policy
A plan or course of action that influences decisions For policies to be effective they must be properly disseminated, read, understood, agreed-to, and uniformly enforced Policies require constant modification and maintenance

Management of Information Security, 3rd ed.

Policy, Standards, and Practices (contd.)

Types of information security policy
Enterprise information security program policy Issue-specific information security policies Systems-specific policies

Practices
Procedures and guidelines explain how employees will comply with policy

Management of Information Security, 3rd ed.

Enterprise Information Security Policy (EISP)

Sets strategic direction, scope, and tone for organizations security efforts Assigns responsibilities for various areas of information security Guides development, implementation, and management requirements of information security program

Management of Information Security, 3rd ed.

EISP Elements
EISP documents should provide:
An overview of the corporate philosophy on security Information about information security organization and information security roles
Responsibilities for security that are shared by all members of the organization Responsibilities for security that are unique to each role within the organization

Management of Information Security, 3rd ed.

Example ESIP Components

Statement of purpose
What the policy is for

Information technology security elements

Defines information security

Need for information technology security

Justifies importance of information security in the organization

Management of Information Security, 3rd ed.

Example ESIP Components (contd.)

Information technology security responsibilities and roles
Defines organizational structure

Reference to other information technology standards and guidelines

Management of Information Security, 3rd ed.

Issue-Specific Security Policy (ISSP)

Provides detailed, targeted guidance
Instructs the organization in secure use of a technology systems Begins with introduction to fundamental technological philosophy of the organization

Protects organization from inefficiency and ambiguity

Documents how the technology-based system is controlled
Management of Information Security, 3rd ed.

Issue-Specific Security Policy (contd.)

Protects organization from inefficiency and ambiguity (contd.)
Identifies the processes and authorities that provide this control

Indemnifies the organization against liability for an employees inappropriate or illegal system use

Management of Information Security, 3rd ed.

Issue-Specific Security Policy (contd.)

Every organizations ISSP should:
Address specific technology-based systems Require frequent updates Contain an issue statement on the organizations position on an issue

Management of Information Security, 3rd ed.

Issue-Specific Security Policy (contd.)

ISSP topics
Email and internet use Minimum system configurations Prohibitions against hacking Home use of company-owned computer equipment Use of personal equipment on company networks Use of telecommunications technologies Use of photocopy equipment
Management of Information Security, 3rd ed.

Components of the ISSP

Statement of Purpose
Scope and applicability Definition of technology addressed Responsibilities

Authorized Access and Usage of Equipment

User access Fair and responsible use Protection of privacy
Management of Information Security, 3rd ed.

Components of the ISSP (contd.)

Prohibited Usage of Equipment
Disruptive use or misuse Criminal use Offensive or harassing materials Copyrighted, licensed or other intellectual property Other restrictions

Management of Information Security, 3rd ed.

Components of the ISSP (contd.)

Systems management
Management of stored materials Employer monitoring Virus protection Physical security Encryption

Violations of policy
Procedures for reporting violations Penalties for violations
Management of Information Security, 3rd ed.

Components of the ISSP (contd.)

Policy review and modification
Scheduled review of policy and procedures for modification

Limitations of liability
Statements of liability or disclaimers

Management of Information Security, 3rd ed.

Implementing the ISSP

Common approaches
Several independent ISSP documents A single comprehensive ISSP document A modular ISSP document that unifies policy creation and administration

The recommended approach is the modular policy

Provides a balance between issue orientation and policy management
Management of Information Security, 3rd ed.

System-Specific Security Policy

System-specific security policies (SysSPs) frequently do not look like other types of policy
They may function as standards or procedures to be used when configuring or maintaining systems

SysSPs can be separated into

Management guidance Technical specifications Or combined in a single policy document
Management of Information Security, 3rd ed.

Managerial Guidance SysSPs

Created by management to guide the implementation and configuration of technology Applies to any technology that affects the confidentiality, integrity or availability of information Informs technologists of management intent

Management of Information Security, 3rd ed.

Technical Specifications SysSPs

System administrators directions on implementing managerial policy Each type of equipment has its own type of policies General methods of implementing technical controls
Access control lists Configuration rules

Management of Information Security, 3rd ed.

Technical Specifications SysSPs (contd.)

Access control lists
Include the user access lists, matrices, and capability tables that govern the rights and privileges A similar method that specifies which subjects and objects users or groups can access is called a capability table These specifications are frequently complex matrices, rather than simple lists or tables

Management of Information Security, 3rd ed.

Technical Specifications SysSPs (contd.)

Access control lists (contd.)
Enable administrations to restrict access according to user, computer, time, duration, or even a particular file

Access control lists regulate

Who can use the system What authorized users can access When authorized users can access the system

Management of Information Security, 3rd ed.

Technical Specifications SysSPs (contd.)

Access control lists regulate (contd.)
Where authorized users can access the system from How authorized users can access the system Restricting what users can access, e.g. printers, files, communications, and applications

Administrators set user privileges

Read, write, create, modify, delete, compare, copy
Management of Information Security, 3rd ed.

Technical Specifications SysSPs (contd.)

Figure 4-5 Windows XP ACL

Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

Technical Specifications SysSPs (contd.)

Configuration rules
Specific configuration codes entered into security systems
Guide the execution of the system when information is passing through it

Rule policies are more specific to system operation than ACLs

May or may not deal with users directly

Management of Information Security, 3rd ed.

Technical Specifications SysSPs (contd.)

Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process

Management of Information Security, 3rd ed.

Technical Specifications SysSPs (contd.)

Figure 4-6 Firewall configuration rules

Management of Information Security, 3rd ed.

Source: Course Technology/Cengage Learning

Figure 4-7 IDPS configuration rules

Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

Guidelines for Effective Policy

For policies to be effective, they must be properly:
Developed using industry-accepted practices Distributed or disseminated using all appropriate methods Reviewed or read by all employees Understood by all employees Formally agreed to by act or assertion Uniformly applied and enforced
Management of Information Security, 3rd ed.

Developing Information Security Policy

It is often useful to view policy development as a two-part project
First, design and develop the policy (or redesign and rewrite an outdated policy) Second, establish management processes to perpetuate the policy within the organization

The former is an exercise in project management, while the latter requires adherence to good business practices
Management of Information Security, 3rd ed.

Developing Information Security Policy (contd.)

Policy development projects should be
Well planned Properly funded Aggressively managed to ensure that it is completed on time and within budget

The policy development project can be guided by the SecSDLC process

Management of Information Security, 3rd ed.

Developing Information Security Policy (contd.)

Investigation phase
Obtain support from senior management, and active involvement of IT management, specifically the CIO Clearly articulate the goals of the policy project Gain participation of correct individuals affected by the recommended policies

Management of Information Security, 3rd ed.

Developing Information Security Policy (contd.)

Investigation phase (contd.)
Involve legal, human resources and end-users Assign a project champion with sufficient stature and prestige Acquire a capable project manager Develop a detailed outline of and sound estimates for project cost and scheduling

Management of Information Security, 3rd ed.

Developing Information Security Policy (contd.)

Analysis phase should produce
New or recent risk assessment or IT audit documenting the current information security needs of the organization Key reference materials
Including any existing policies

Management of Information Security, 3rd ed.

Developing Information Security Policy (contd.)

Figure 4-8 End user license agreement for Microsoft Windows XP

Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

Developing Information Security Policy (contd.)

Design phase includes
How the policies will be distributed How verification of the distribution will be accomplished Specifications for any automated tools Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified

Management of Information Security, 3rd ed.

Developing Information Security Policy (contd.)

Implementation phase includes
Writing the policies
Making certain the policies are enforceable as written Policy distribution is not always straightforward Effective policy is written at a reasonable reading level, and attempts to minimize technical jargon and management terminology

Management of Information Security, 3rd ed.

Developing Information Security Policy (contd.)

Maintenance Phase
Maintain and modify the policy as needed to ensure that it remains effective as a tool to meet changing threats The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously Periodic review should be built in to the process

Management of Information Security, 3rd ed.

Policy Comprehension

Figure 4-9 Readability statistics

Management of Information Security, 3rd ed.

Source: Course Technology/Cengage Learning

Automated Tools

Figure 4-10 The VigilEnt policy center

Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning

SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems
NIST Special Publication 800-18, Rev. 1 reinforces a business process-centered approach to policy management Policies are living documents
These documents must be properly disseminated (distributed, read, understood and agreed to), and managed

Management of Information Security, 3rd ed.

SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems (contd.)
Good management practices for policy development and maintenance make for a more resilient organization Policy requirements
An individual responsible for reviews A schedule of reviews

Management of Information Security, 3rd ed.

SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems (contd.)
Policy requirements (contd.)
A method for making recommendations for reviews An indication of policy and revision date

Management of Information Security, 3rd ed.

A Final Note on Policy

Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy
Policies exist, first and foremost, to inform employees of what is and is not acceptable behavior in the organization Policy seeks to improve employee productivity, and prevent potentially embarrassing situations

Management of Information Security, 3rd ed.

Summary
Introduction Why Policy? Enterprise Information Security Policy Issue-Specific Security Policy System-Specific Policy Guidelines for Policy Development

Management of Information Security, 3rd ed.