SPG U4 2
Management of Information Security, 3rd ed.
Enterprise Information Security Policy (EISP)
EISP Components
• Statement of purpose
• Information technology security elements
• Need for information technology security
• Information technology security responsibilities and roles
• Reference to other information technology standards and guidelines
Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
– Instructions for the secure use of a technology system
– Begins with an introduction to the organization's fundamental technological philosophy
• Protects the organization from inefficiency and ambiguity
– Documents how the technology-based system is controlled
– Identifies the processes and authorities that provide this control
• Indemnifies the organization against liability for an employee's inappropriate or illegal system use
Issue-Specific Security Policy - contd
• ISSP topics
– Email and internet use
– Minimum system configurations
– Prohibitions against hacking
– Home use of company-owned computer equipment
– Use of personal equipment on company networks
– Use of telecommunications technologies
– Use of photocopy equipment
Elements of the ISSP
• Statement of Purpose
– Scope and applicability
– Definition of technology addressed
– Responsibilities
• Authorized Access and Usage of Equipment
– User access
– Fair and responsible use
– Protection of privacy
Elements of the ISSP - contd
• Prohibited Usage of Equipment
– Disruptive use or misuse
– Criminal use
– Offensive or harassing materials
– Copyrighted, licensed or other intellectual property
– Other restrictions
• Systems management
– Management of stored materials
– Employer monitoring
– Virus protection
– Physical security
– Encryption
Elements of the ISSP - contd
• Violations of policy
– Procedures for reporting violations
– Penalties for violations
• Policy review and modification
– Scheduled review of policy and procedures for modification
• Limitations of liability
– Statements of liability or disclaimers
System-Specific Security Policy
• System-specific security policies (SysSP) frequently do not look like other types of policy
– They may function as standards or procedures to be used when configuring or maintaining systems
• SysSPs can be separated into
– Management guidance
– Technical specifications
– Or combined in a single policy document
Managerial Guidance SysSPs
• Created by management to guide the implementation and configuration of technology
• Applies to any technology that affects the confidentiality, integrity or availability of information, e.g. firewall configuration
• Informs technologists of management intent
Technical Specifications SysSPs
• System administrators' directions on implementing managerial policy
• Each type of equipment has its own type of policies
• General methods of implementing technical controls
– Access control lists
– Configuration rules
Technical Specifications SysSPs - contd
• Access control lists
– Include the user access lists, matrices, and capability tables that govern rights and privileges
– A similar method that specifies which subjects and objects users or groups can access is called a capability table
– These specifications are frequently complex matrices, rather than simple lists or tables
– Enable administrators to restrict access according to user, computer, time, duration, or even a particular file
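To make the distinction between an access matrix, an object-centred ACL and a subject-centred capability table concrete, here is an added example (not from the textbook) that stores one constructed matrix and derives both views from it, then enforces the per-user, per-computer and time-of-day restrictions the slide lists. All user, file and host names are invented for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed access control matrix: subject -> object -> set of rights.
# Anything absent from the matrix is denied (default deny).
ACCESS_MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "hr-server": {"login"}},
    "bob":   {"payroll.xlsx": {"read"}},
    "carol": {"hr-server": {"login"}},
}


@dataclass
class Constraint:
    """Extra conditions on one (subject, object) cell of the matrix."""
    hosts: set = field(default_factory=set)   # empty set = any computer
    start: time = time(0, 0)                  # earliest permitted time of day
    end: time = time(23, 59, 59)              # latest permitted time of day


# Constructed restriction: bob may only read payroll from ws-17, 08:00-18:00.
CONSTRAINTS = {
    ("bob", "payroll.xlsx"): Constraint(hosts={"ws-17"}, start=time(8), end=time(18)),
}


def acl_for(obj):
    """Object-centred view (the ACL): which subjects hold which rights on obj."""
    return {s: rights[obj] for s, rights in ACCESS_MATRIX.items() if obj in rights}


def capability_table_for(subject):
    """Subject-centred view (the capability table): what one subject may do."""
    return dict(ACCESS_MATRIX.get(subject, {}))


def is_allowed(subject, obj, right, host, at):
    """Decide one access; `at` is an ISO-8601 timestamp such as '2024-03-04T09:00'."""
    if right not in ACCESS_MATRIX.get(subject, {}).get(obj, set()):
        return False                      # no matrix entry: default deny
    c = CONSTRAINTS.get((subject, obj))
    if c is None:
        return True                       # right granted without conditions
    if c.hosts and host not in c.hosts:
        return False                      # wrong computer
    return c.start <= datetime.fromisoformat(at).time() <= c.end


if __name__ == "__main__":
    print(acl_for("payroll.xlsx"))
    print(capability_table_for("bob"))
    print(is_allowed("bob", "payroll.xlsx", "read", "ws-17", "2024-03-04T09:00"))
```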
Technical Specifications SysSPs - contd
• Configuration rules
– Specific configuration codes entered into security systems
• Guide the execution of the system when information is passing through it
• Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process
Policy, Standards, and Practices
• Policy: A plan or course of action that influences decisions
– Must be properly disseminated, read, understood, agreed-to, and uniformly enforced
– Requires constant modification and maintenance
• Standards
– A more detailed statement of what must be done to comply with policy
• Practices
– Procedures and guidelines explain how employees will comply with policy
Policies, Standards, & Practices
Development steps
Organizing for Security
Security in Large Organizations - contd
• The CISO has responsibility for information security functions
– These should be adequately performed somewhere within the organization
• The deployment of full-time security personnel depends on:
– Sensitivity of the information to be protected
– Industry regulations
– General profitability
• The more money the company can dedicate to its personnel budget
– The more likely it is to maintain a large information security staff
Security in Medium-Sized Organizations
• Have between 100 and 1000 computers
– Have a smaller total budget
– Have a same-sized security staff as the small organization, but a larger need
– Must rely on help from IT staff for plans and practices
– Ability to set policy, handle incidents, and effectively allocate resources is worse than any other size
– May be large enough to implement a multi-tiered approach to security
• With fewer dedicated groups and more functions assigned to each group
– Tend to ignore some security functions
Security in Small Organizations
• Have between 10 and 100 computers
– Have a simple, centralized IT organizational model
– Spend disproportionately more on security
– Information security is often the responsibility of a single security administrator
– Have little in the way of formal policy, planning, or security measures
– Often outsource Web presence or ecommerce
– Security training and awareness is commonly conducted on a 1-on-1 basis
– Policies (when they exist) are often issue-specific
– Threats from insiders are less likely
• Every employee knows every other employee
Placing Information Security
• In large organizations
– InfoSec is often located within the information technology department
• Headed by the CISO, who reports directly to the top computing executive, or CIO
• An InfoSec program is sometimes at odds with the goals and objectives of the IT department as a whole, because the goals and objectives of the CIO and the CISO may come into conflict
– It is not difficult to understand the current movement to separate information security from the IT division
– The challenge is to design a reporting structure for the InfoSec program that balances the needs of each of the communities of interest