130 likes | 338 Views
95-841 Information Assurance Policy. Tim Shimeall (tjs@cert.org). Information Assurance Policy. Seminar course: Participation is Essential Sessions (after week 4) 50% lecture, 50% discussion Building, developing, evaluating IA policy Grading: Course presentation: 30% (see sign-up list)
E N D
95-841 Information Assurance Policy Tim Shimeall (tjs@cert.org) 95-841
Information Assurance Policy • Seminar course: Participation is Essential • Sessions (after week 4) 50% lecture, 50% discussion • Building, developing, evaluating IA policy • Grading: • Course presentation: 30% (see sign-up list) • Course participation: 30% (when not presenting) • Final paper/project: 40% (topic related policy) 95-841
Presentations • Instructors will cover the background material • Student presenters will apply it to case study or other realistic scenario • Student audience will evaluate application and critique resulting policies • Presenters grade NOT based on critique results, but on level of discussion and on effectiveness at presenting applicable policy • Plan on 90 minutes, including discussion 95-841
Course Content • Introduction and case study • Policy development • Policy evaluation • Building policy for case study (with instructor as stakeholder) • Larger issues (legislation and governance) • Course summary 95-841
What is Information Assurance Policy? • Detailed statement regarding permissible and prohibited behavior with respect to information assets to assure confidentiality, integrity and availability of those assets • Behavior: • loading, using, disseminating data • Acquiring, using, distributing software • Acquiring, using, retiring hardware • In general: anything being done by, on or with any information processing asset • Asset: data, software, device, network, person 95-841
Why Information Assurance Policy?(1) Encryption Redundancy Privacy Resources Integrity Purchasing Guidelines Communications Accountability What does Information Assurance mean??? Firewall Configuration Access Controls Backups Disaster Recovery Authorization Auditing Authentication Risk Reduction 95-841
Management Top management (CXO) Legal Policy Stakeholders Users Human Resources Others (clients, partners) Database Admin System Admin Network Admin Why Information Assurance Policy (2)? 95-841
Why Information Assurance Policy(3)? Janet works in accounting department of a mid-size organization Changed password: wrote the new one on a note; stuck the note to her monitor Later noticed that someone had used her account but didn’t notice any obvious damage Had heard it was bad idea to write passwords down and leave them around Remembered that an employee had been fired for some policy violation Did not report the incident. 95-841
Why Information Assurance Policy?(4) Tim is a security administrator working for you in a 2000-member organization. Detects a password sniffer running on his organization’s principal server, and on a obsolete desktop used for lighting control. In a directory called “…”, he finds a file with 300 user ids and passwords for his site. He reports to you his findings and asks for more time before reporting incident. 95-841
Why Information Assurance Policy?(5) • Staffing? • New Product? • New Infrastructure? • Firewalls? • Training? 95-841
Why Information Assurance (6) • You work as a helpdesk manager, reporting to the CIO, for a medium sized company • An employee-owned smartphone was compromised while on travel, and through that compromise, about 3,000 customer billing records were accessed. • What should you recommend to the CIO? 95-841
Going Forward From Here • Policy and Technology are inherently linked • Policy implements and enables authority • We will discuss a variety of policy aspects Developing Costing Managing Deploying User Network Site Confidentiality Integrity Availability Legislation and Governance 95-841