
Policy Review (Top-Down Methodology)


Presentation Transcript


  1. Policy Review (Top-Down Methodology), Lesson 7

  2. Policies
  • From the Peltier Text, p. 81
  • “The cornerstones of effective information security programs are well-written policy statements. This is the wellspring of all other directives, standards, procedures, guidelines, and other supporting documents.”
  • “The top-down portion of the network vulnerability assessment (NVA) looks at the policies requested in the Pre-NVA Checklist”

  3. Documents from the checklist
  • Network Topology (diagram)
  • Firewall Architecture
  • Remote Access Server Architecture
  • Detailed list of Mission-Critical Applications
    • Brief description (purpose)
    • Data storage method (database)
    • Who is the data owner/administrator?
    • Who are the users (job title)?
    • Security mechanisms
    • Sensitive or critical data
  • Information Security Policies
    • Password & ID Policy
    • Confidential information policies and procedures
    • Data classification
    • System Access Policy and Procedures
  • Corporate Communication Policies
    • Electronic/paper communications
  • Disposal Policy
  • Internet Usage Policy
  • Mission Statements
  • Organization Charts

  4. Policy Management Life Cycle

  5. Some Definitions
  • Policy
    • A high-level statement of enterprise beliefs, goals, and objectives and the general means for their attainment for a specified subject area.
  • General Program Policy
    • Sets the strategic directions of the enterprise for global behavior and assigns resources for its implementation (e.g. conflict of interest, standards of conduct, …).
  • Topic-specific policy
    • Addresses specific issues of concern to the organization (e.g. email, Internet and phone usage, physical security, …).
  • System- or Application-specific policy
    • Focuses on decisions taken by management to protect a particular application or system.
  • Exhibit 1, pp. 85-86, contains a list of possible policies.

  6. Components of a policy
  • Topic
    • Defines the goals of the policy.
  • Scope
    • Used to broaden or narrow the topic.
  • Responsibilities
    • Who is responsible for what actions.
  • Compliance
    • Discusses what actions occur when an individual is found to be in noncompliance and what actions an organization must take when it is found in noncompliance.

  7. Writing (or reviewing) a policy
  • “5 W’s of Journalism 101” (and 1 H)
    • What: what is to be protected (the topic)
    • Who: who is responsible (responsibilities)
    • Where: where within the organization does the policy reach (scope)
    • How: how compliance will be monitored (compliance)
    • When: when does the policy take effect
    • Why: why the policy was developed
  • The last two may not actually appear in the policy itself.
    • When and why are often covered in a cover letter issued with the policy.

  8. The Information Security Policy
  • Should
    • Be approved by management
    • Be published and communicated to all employees
    • State management commitment
    • Outline the organization’s approach to managing information security
  • Should include
    • A definition of information security
    • A statement of management intent, supporting the goals and principles of information security
    • A definition of general and specific responsibilities
    • References to documentation that may support the policy

  9. From The Texas Code

  10. California SB 1386
  • This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  • Any customer injured by a violation of this title may institute a civil action to recover damages.

  11. GLB (Gramm-Leach-Bliley Act)
  • Requires clear disclosure by all financial institutions of their privacy policy regarding the sharing of non-public personal information with both affiliates and third parties.
  • Requires a notice to consumers and an opportunity to "opt out" of sharing of non-public personal information with nonaffiliated third parties, subject to certain limited exceptions.
  • Clarifies that the disclosure of a financial institution's privacy policy is required to take place at the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship.

  12. Sarbanes-Oxley Act of 2002
  • The result of a number of corporate accounting scandals.
  • Mandates specific actions to improve corporate reporting.
  • Reaffirms the necessity of the financial statement audit process and the role of external auditors.
  • IT security and controls are considered part of effective fraud management.

  13. HIPAA
  • Health Insurance Portability and Accountability Act
  • Its standards require that measures be taken to secure health information covered by the act while in the custody of entities governed by HIPAA, as well as in transit between covered entities and from covered entities to others.
  • Aims to ensure the confidentiality, integrity, and availability of electronic protected health information.

  14. Some (possibly) useful documents
  • NIST Special Publication 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems”
    • Includes discussion of policies and risk management.
  • NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems”
    • Includes discussion of “Baseline Security Controls” at three levels (low, medium, high).
  • NIST Special Publication 800-26, “Security Self-Assessment Guide for Information Technology Systems”
    • Has a useful checklist as well as a method for interpreting the results.
  • NIST Special Publication 800-18, “Guide for Developing Security Plans for Information Technology Systems”

  15. A final note…
  • Download from the web site and read the document “Building and Implementing a Successful Information Security Policy” by Dancho Danchev at windowsecurity.com.

  16. Summary
  • What is the importance and significance of this material?
  • How does this topic fit into the subject of “Security Risk Analysis”?
