Ulf Haga from Nocom Security Engineer


Presentation Transcript


  1. IT-security policy. Ulf Haga from Nocom, Security Engineer. Spring 2005.

  2. Agenda
  • Definitions and basic knowledge about policy and policies today.
  • Why do you need a security policy?
  • Why do you need parameters for different policy levels in your IT systems?
  • Why is it important to plan the IT security policy?
  • Why is it important to measure and follow up security policies?
  • Is it possible to plan a good security policy from the start?

  3. Definitions and basic knowledge about policy and policies today.

  4. Information security: the security tree.
  • Physical
  • Operational: includes computers, networks and communication systems.
  • Management and policy: guidance, rules and procedures for implementation and a secure environment.

  5. Information security is divided into:
  • Administrative security
  • Technical security
    • Physical security (for example security of walkways and parking lots)
    • IT security
      • Computer security
      • Communication security

  6. What is a policy?
  • Usually you mean the corporate security policy.
  • It is a small written document.
  • Reflects corporate philosophy and expectations.
  • Can be based on an industry standard.
  • Must be based on government regulations.
  • Should be written down and widely disseminated.
  • Additional documents can include:
    • Acceptable use policies for employees
    • Explanations of the various security standards adopted by the company
    • Descriptions of IT management and security management teams, including the management hierarchy
    • Information standard policies
    • Policy documents that describe responsibilities and duties
    • Network diagrams

  7. Policy compliance
  • Compliance with government regulation (e.g. HIPAA).
  • Compliance with a security standard (e.g. ISO 17799).
  • Compliance with a corporate security policy (which may be based on a standard).
  Definition: Compliance is a state of being in accordance with established guidelines, specifications, standards or legislation.

  8. Why do you need a security policy? The organisation needs a security policy to:
  • protect information, ensuring confidentiality, integrity and availability (CIA)
  • define acceptable use of the company's assets
  • meet requirements from partners, customers, suppliers etc.
  • reduce the downtime associated with the information systems
  • increase the economic efficiency of the organisation

  9. Policy pyramid
  • Policy: "To do". A statement of intent that influences immediate and long-term decisions and activities.
  • Standard: an essential requirement for the implementation of a specific policy. Compliance with standards is mandatory.
  • Guideline: "What" shall be accomplished. A statement that acts as a source of instruction for meeting a policy.
  • Instruction: "How" (and "who") the security shall be implemented.

  10. Example
  • Corporate security policy: Protection against known threats shall have a security level in proportion to the value of the assets.
  • Guideline: Automatic logon to laptops and workstations is not allowed. Only authorized users can log on to workstations.
  • Instruction: The administrator for the IT department shall, every Monday, log on as administrator to every Windows 2000 computer. Run Regedt32.exe and open the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Check the key for a DefaultPassword value to verify compliance with the guideline. OR: use the "policy compliance check tool called XXXX" and run the module "Not Automatic logon win 2000".

  11. Standards and regulations/legislation
  US legislation
  • General: Children's Online Privacy Protection Act (COPPA); Electronic Signatures in Global and National Commerce Act (E-SIGN)
  • Government agencies: Government Information Security Reform Act (GISRA)
  • Financial industry: Bank Protection Act of 1968; Gramm-Leach-Bliley Act (GLBA)
  • Health care industry: Health Insurance Portability & Accountability Act (HIPAA)
  • Pharmaceutical and FDA-regulated industries: 21 CFR Part 11
  • Electric power: NERC
  Australian legislation
  • Australian Federal Privacy Act
  • PSM
  • ACSI 33
  European legislation
  • EU Data Privacy Directive
  • EU Electronic Signature Directive
  Standards
  • OECD Guidance on Policy and Practice (Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data; OECD Guidelines for Cryptography Policy)
  • ISO 17799
  • VISA (banking)

  12. Legislation: U.S.A. vs. the European Commission
  • U.S.A. lawmakers have generally focused on mandates that address the practices of a specific industry sector, enforced by a government agency.
  • The EU (European Commission) has passed extremely broad directives applying to the private sector as a whole.

  13. Sarbanes-Oxley (SOX): Snapshot
  • What it is: The 2002 Sarbanes-Oxley Act makes senior executives personally accountable for the reliability of the financial data provided to the SEC and the public.
  • Business/IT implications:
    • Need to achieve SEC (Securities & Exchange Commission) compliance. "It's the law."
    • Accountability on officers, public auditors and boards of directors.
    • Enhance the transparency of control effectiveness.
    • Implement internal controls and reporting.
    • Develop consistent and leverageable controls documentation.
  • Who it affects: Applicable to every public company with a market cap of $75 million or more that conducts business in the US. In December 2005 even foreign companies registered on the US stock market.
  • Triggers: Board of director interest; penalties for non-compliance are severe; drive to improve corporate governance; opportunity to streamline and open business processes.

  14. EU Data Protection Directive: Snapshot
  • What it is: Establishes criteria for the protection of personal information across the European Union, designed to protect the free movement of data while still protecting privacy, and mandates standards for collection, use and disclosure of personal data.
  • Business/IT implications:
    • Organizations must report on and justify the type of personal data collected and stored.
    • Organizations must provide individuals timely access to their data.
    • All processing of personal data must be protected against accidental/unlawful destruction, loss, alteration, unauthorized disclosure or access.
    • Data cannot be transported outside the EU without adequate protection.
  • Who it affects: Any organization in the EU that processes personal data (public and private sector); foreign organizations that process data within the EU.
  • Triggers: Violations of the Act can be treated as criminal acts and are also open to civil actions.

  15. EU Electronic Signatures Directive: Snapshot
  • What it is: Establishes a legal framework for electronic signatures and certain certification services.
  • Business/IT implications:
    • Electronic signatures will have the same legal status as written signatures.
    • Mechanisms such as certification service providers must be established.
    • Accredited certification service providers must be notified to the EU Commission.
  • Who it affects: Certification service providers within the EU.
  • Triggers: Violations of the Act can be treated as criminal acts and are also open to civil actions.

  16. ISO 17799: Snapshot
  • What it is: An international security standard that provides a comprehensive set of best-practice controls.
  • Business/IT implications:
    • Counteract interruptions to business activities and processes.
    • Ensure proper protection of information systems from internal and external threats.
    • Provide management direction and support for information security.
    • Maintain an appropriate level of protection of corporate assets.
  • Who it affects: All organizations worldwide.
  • Triggers: Improve corporate governance by avoiding breaches of criminal or civil law, statutory, regulatory or contractual obligations and security requirements; opportunity to streamline and open business processes; minimize risks and safeguard corporate assets.

  17. Products for compliance with standards and regulations

  18. Why do you need a security policy?

  19. Vulnerabilities reported (CERT/CC Statistics 1988-2005)

  Year             1995  1996  1997  1998  1999
  Vulnerabilities   171   345   311   262   417

  Year             2000   2001   2002   2003   2004   1Q 2005
  Vulnerabilities 1,090  2,437  4,129  3,784  3,780    1,220

  Total vulnerabilities reported (1995 to 1Q 2005): 17,946

  Why do you need a security policy?
  • The average time between the announcement of a vulnerability and the appearance of an exploit is less than a week.

  20. Incidents reported (CERT/CC Statistics 1988-2005)

  Year       1988  1989
  Incidents     6   132

  Year       1990  1991  1992   1993   1994   1995   1996   1997   1998   1999
  Incidents   252   406   773  1,334  2,340  2,412  2,573  2,134  3,734  9,859

  Year         2000    2001    2002     2003
  Incidents  21,756  52,658  82,094  137,529

  Why do you need a security policy?

  21. Advantages of a security policy
  • A pronounced and uniform level of information security.
  • A means of control that makes it easier to implement and secure information.
  • A common framework with guidelines and instructions.

  22. Disadvantages of having no security policy: the following questions remain unanswered.
  • Which information shall be protected?
  • How shall the information be protected?
  • Who is responsible?
  • What is the current level of security?
  • What can employees do, and what can they not do?

  23. Why is it important to plan the security policy?

  24. Why it is important
  • To achieve an optimal level of protection for your business.
  • To save money or reduce funds. Never pay for more security than necessary.

  25. Why is it important to measure and follow up security policies?

  26. To measure and follow up security policies
  • You use baselines, for instance with a policy compliance testing tool.
  • Do it once every week and look for new vulnerabilities.
  • A baseline gives you a picture of the state of a system at some point in time.

  27. Baselines provide a point of reference for analysis.
  • A high-level overview of the policy compliance state.
  • Historical comparisons, or the compliance gap between baselines.
  • Data to create a report (next slide).
  • See the effect of a changed security policy and/or guidelines.

  28. Example of a compliance trend from baselines.

  29. Is it possible to plan a good IT security policy from the start?

  30. What is good IT security?
  • Is it the highest level of security?
  • Is it the minimum level of security?
  • Is it to have good security for partners, suppliers or employees?
  Answer
  • A good corporate security policy shall be good for the business activity.

  31. Plan for a security balance

  32. Preparation to make a good plan for an IT security policy
  • Carry out a summary of the company's activities.
  • Organize the work. Create a group of people; they shall have knowledge about the company's business.
  • Identify essential demands from customers and partners.
  • Focus on the important information resources and describe why they are important.
  • Assess risk.
  • Identify assets: the inventory audit.
  • Classify assets by the loss of CIA (confidentiality, integrity, availability).
  • Obligations to follow: security standards, regulations or other demands.
  • Adapt the security policy to the business activity.

  33. Be aware of the IT guidelines
  • Make statements that act as a source of instruction for meeting a policy. Depending on the policy, they can include:
    • Responsibility
    • Detection of threats; monitoring
    • Identifying and analyzing threats
    • Response to incidents (remediation)
    • Business continuity planning
    • Backup and restore plans
    • Documentation and reports to the company
    • Tests
    • Training employees

  34. Estimate the cost of the security. Budget resources for policy compliance. The resources can be:
  • Staff. You might have an incident response team.
  • Security technology. Example: use PKI for authentication and HTTPS for transactions.
  • Security products. Examples: firewall, antivirus, security policy management, IDS, IPS and vulnerability scanning.

  35. Why do you need parameters for different policy levels in your IT systems?

  36. What is parametric?
  • A parameter for password length.
  • You can have a parameter for the risk of attack on the web server, for political reasons.
  • A parameter for the risk of earthquake. Maybe you need a hot site in another part of the country.

  37. What else affects a parameter
  • New threats.
  • New vulnerabilities.
  • The level of importance of an asset has changed.
  • The corporate security policy has changed.
  • The business has changed.

  38. Reasons for parametric security management
  • Based on the risk assessment, which can change.
  • Should be dynamic (important for parametric).
  • Encompasses all levels of activities and aspects of the operations.

  39. Policy levels are policy, guidelines and instructions.
  • Corporate security policy should be based on long-term decisions. No need for parameters.
  • Guidelines: "What" shall be accomplished. No need for parameters.
  • Instructions: "How". Yes, these may need parameters. Example: the password strength. Today it is usual to have 8 characters for computers; next year it may be 9 characters. You only need to write the password length in one place in the documentation and make references to that place.
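The following is an added example, not code from the slides or from Nocom, that ties together the Winlogon check in the instruction on slide 10, the weekly baselines and compliance gap on slides 26 and 27, and the single-place password parameter on slide 39. Host snapshots are constructed sample data; the AutoAdminLogon value is a real Winlogon value not mentioned on the slides, and the tool name XXXX from slide 10 is not used.

```python
# Added example: weekly compliance baselines over constructed host snapshots.
from dataclasses import dataclass

# Parametric values referenced by instructions (slide 39): change here only.
POLICY_PARAMS = {"min_password_length": 8}

@dataclass
class HostSnapshot:
    name: str
    winlogon: dict      # values read under ...\Winlogon (constructed sample)
    min_pw_len: int     # effective minimum password length on the host

def check_host(host, params=POLICY_PARAMS):
    """Return {check name: True if compliant} for one host."""
    wl = host.winlogon
    # Guideline (slide 10): no automatic logon. A stored DefaultPassword,
    # or AutoAdminLogon set to "1", means the machine logs on by itself.
    no_auto_logon = ("DefaultPassword" not in wl
                     and wl.get("AutoAdminLogon", "0") != "1")
    return {
        "no_automatic_logon": no_auto_logon,
        "password_length": host.min_pw_len >= params["min_password_length"],
    }

def baseline(hosts, params=POLICY_PARAMS):
    """Picture of the compliance state at one point in time (slide 26)."""
    return {h.name: check_host(h, params) for h in hosts}

def compliance_rate(base):
    """Fraction of (host, check) pairs that pass; feeds the trend report."""
    results = [ok for checks in base.values() for ok in checks.values()]
    return sum(results) / len(results) if results else 1.0

def gap(old, new):
    """Checks whose state changed between two baselines (slide 27)."""
    changes = {}
    for host in sorted(set(old) | set(new)):
        for chk in set(old.get(host, {})) | set(new.get(host, {})):
            before, after = old.get(host, {}).get(chk), new.get(host, {}).get(chk)
            if before != after:
                changes[(host, chk)] = (before, after)
    return changes

# Constructed sample: two weekly snapshots of three workstations.
WEEK1 = [HostSnapshot("ws01", {"DefaultUserName": "alice"}, 8),
         HostSnapshot("ws02", {"DefaultUserName": "bob", "DefaultPassword": "x"}, 8),
         HostSnapshot("ws03", {"AutoAdminLogon": "1", "DefaultUserName": "svc"}, 6)]
WEEK2 = [HostSnapshot("ws01", {"DefaultUserName": "alice"}, 8),
         HostSnapshot("ws02", {"DefaultUserName": "bob"}, 8),      # password removed
         HostSnapshot("ws03", {"AutoAdminLogon": "0"}, 8)]         # remediated
```

Raising POLICY_PARAMS["min_password_length"] to 9, as slide 39 anticipates, flips the password check for every 8-character host in the next baseline without touching the instruction text.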

  40. Thank you. Ulf.haga@nocom.se