Information Security (Seguridad de la Información) Juan Arturo Nolazco Flores
Bibliography • Presentation based on: • Information Security Policies, Procedures and Standards, Thomas R. Peltier, 2002.
Policy Development • Policy is the documentation of enterprise-wide decisions on handling and protecting information. • Every organization needs an information protection policy. (According to the 2000 CSI report on Computer Crime, 65 percent of respondents to its survey admitted that they do not have a written policy.) • An information protection program starts with the implementation of a policy. • The program policy creates the attitude of the organization toward information and announces, internally and externally, that information is an asset and the property of the organization and is to be protected from unauthorized access, modification, disclosure, and destruction.
Policy Development • The cornerstone of an effective information security architecture is a well-written policy. • Policy performs two roles: • Internal: • tells employees what is expected of them and • how their actions will be judged. • External: • tells the world how the enterprise is run, • that there are policies that support the business practices, and • that the organization understands that the protection of assets is vital to the successful execution of the mission.
Span Constraints • Time constraints: • Employees do not have a lot of time to search for the meaning of a policy. • Attention span: • according to Milo O. Frank (How to Get Your Point Across in 30 Seconds or Less), the attention span is 30 seconds. • The elements of the DESIGN are therefore: • Identify your objective. • Know your audience. • Find the "hook": something that affects them. • Know the "topic": classroom, risk analysis, Bluetooth, etc. • If you need something, ask for it. • Clean, simple sentences: everyday language, avoid showing off. • Use the established style: if policies already exist, study their language. • Use the active voice: the passive voice is ambiguous about who is responsible. • e.g. "The programmer writes the software" rather than "The software is written by the programmer". • Use a conversational style: this is only a recommendation.
Policy Key Elements • Be easy to understand. • Be applicable: • Even when copying policy from elsewhere, it has to meet the specific needs of your organization. • Be doable (capable of being done). • Be enforceable: • Not a self-defeating policy. • Be phased in: • give the organization time to read the policy. • Be proactive: • state what has to be done. • Avoid absolutes. • Meet business objectives: • Controls should be selected to help the company reduce risks.
Types of Policy • General Program Policy: • Strategic direction of the enterprise for global behavior; assigns resources for its implementation. • Used to create the overall InfoSec vision of an organization. • Topics: • Information management, conflict of interest, standards of conduct, and general security measures. • Topic-Specific Policy: • Addresses specific issues of concern to the organization. • Topics: • E-mail, Internet usage, phone usage, Bluetooth usage, physical security, application development, system development and network security. • System/Application-Specific Policy: • Designed to protect specific applications or systems. • Includes controls for financial management systems, account management, business expense forms, employee appraisal and order inventory. • See also: • http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter5.html • http://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331
Policies require the support of procedures, standards and guidelines. • Standards specify a uniform set of technologies, parameters and procedures that everyone who wants to use the company's resources must comply with. • Guidelines are suggestions put in place to assist users and support staff in accessing company information securely. • Procedures support the policies, standards and guidelines; they are a set of detailed steps for carrying out a task.
Example: • Business objective: Minimize costs. • Strategy: Buy a single type of equipment. • Policy: Every purchase must be verified by the Purchasing Department. • Standard: The equipment accepted for purchase is: XYZ, with operating system QBC.
Program Policy • A high-level policy issued by senior management. • Defines the intent of the security program and its scope within the organization. • Encompasses the entire enterprise. • Components: • Topic: • defines the goal of the program. • Scope: either broadens or narrows • the topic ("only this data") and • the audience ("all employees"). • Responsibilities: identify three roles and their responsibilities • Management: implementing and supporting the policy. • Employees: adhering to the policy, and reporting suspected problems to management. • Day-to-day administration of the policy. • Compliance: • Who is responsible for enforcing compliance: • First-line supervision • Auditors • What happens when the policy is violated.
Power Program Policy • Policy Statement: • It is the policy of the Power and Light Company to protect all company information from disclosure that would violate company commitments to others or would compromise the competitive stance of the company. • Employee Responsibility: • Employee responsibilities are defined in Company Procedures AUT 15. Violations of these responsibilities are subject to appropriate disciplinary action up to and including discharge, legal action and having the matter referred to law enforcement agencies. • Components Checklist: • Topic: • defines the goal of the program. • Scope: either broadens or narrows • the topic ("only this data", "all information") and • the audience ("all employees"). • Responsibilities: identify three roles and their responsibilities • Management: implementing and supporting the policy. • Employees: adhering to the policy, and reporting suspected problems to management. • Day-to-day administration of the policy. • Compliance: • Who is responsible for enforcing compliance: • First-line supervision • Auditors • What happens when the policy is violated.
Power Program Policy • Components Checklist: • Topic: • defines the goal of the program. • Scope: either broadens or narrows • the topic ("only this data", "all information") and • the audience ("all employees"). • Responsibilities: identify three roles and their responsibilities • Management: implementing and supporting the policy. • Employees: adhering to the policy, and reporting suspected problems to management. • Day-to-day administration of the policy. • Compliance: • Who is responsible for enforcing compliance: • First-line supervision • Auditors • What happens when the policy is violated. • Policy Statement: • It is the policy of the Power and Light Company to protect all company information from disclosure that would violate company commitments to others or would compromise the competitive stance of the company. • Implementation Responsibility: • The Chief Information Security Officer (CISO) is responsible for developing the procedures that ensure the policy is complied with throughout the organization. The CISO is also responsible for implementing them and for supporting any problem related to compliance with this policy. • Employee Responsibility: • Employee responsibilities are defined in Company Procedures AUT 15. The Chief Information Security Officer (CISO) will monitor any violation of these responsibilities. Violations of these responsibilities are subject to appropriate disciplinary action up to and including discharge, legal action and having the matter referred to law enforcement agencies.
Program Policy Example (from Information Security Policies, Procedures and Standards) • The Company relies on various kinds of information resources in its daily operations. These resources include data-processing systems, electronic mail, voice-mail, telephones, copiers, facsimile machines, and other information-generation and exchange methods. It is very important for users to recognize that these resources are made available to them to help the company meet short- and long-term goals, objectives and competitive challenges. Any improper use of any resource is not acceptable and will not be permitted.
Program Policy example (cont.) • The company policies listed here form the basis for the Information Resources Protection Policy (IRPP): • Data and information about the company and its employees are collected and retained to satisfy legitimate business purposes or as required by law. • Protecting company information is every employee's responsibility. Company people share a common interest in ensuring information is not intentionally, accidentally, or improperly disclosed, lost, or misused. • Positive steps must be taken to prevent improper disclosure of company information and unauthorized access to company information resources. • Data, information, and resources are company assets that may be used only for management-approved company business and not for personal use or gain. • Like any other company asset, the company reserves the right to inspect information resources and their use at any time. • Company records and information are available to individuals only on a need-to-know basis. Access or attempted access to information and resources outside one's authority is prohibited. • Protective measures must be provided to control access and to protect the integrity of all information systems that process information. • Components Checklist: • Topic: • defines the goal of the program. • Scope: either broadens or narrows • the topic ("only this data", "all information") and • the audience ("all employees"). • Responsibilities: identify three roles and their responsibilities • Management: implementing and supporting the policy. • Employees: adhering to the policy, and reporting suspected problems to management. • Day-to-day administration of the policy. • Compliance: • Who is responsible for enforcing compliance: • First-line supervision • Auditors • What happens when the policy is violated.
Program Policy example (cont.) • 8. Established corporate and unit procedures are to be used for budgeting, approval, and acquisition of information-processing facilities, equipment, software, and support services. • 9. Appropriate safeguards must be built into information-processing facilities. These safeguards should minimize the extent of loss of information or processing support that could result from such hazards as fire, water, or other natural disasters while maintaining operational effectiveness. Business recovery plans must provide for continuation of vital business functions if loss or failure should occur. • 10. Independent reviews to ensure that program objectives are being met are an integral part of this effort. These reviews may be conducted by Corporate Auditing, the internal audit staff of a unit, or external auditors. • 11. Deliberate unauthorized acts against Company or customer information system(s) or facilities, including but not limited to misuse, misappropriation, destruction of information or system resources, the deliberate and unauthorized disclosure of information, or the use of unauthorized software/hardware, will result in disciplinary action as deemed by management. • Components Checklist: • Topic: • defines the goal of the program. • Scope: either broadens or narrows • the topic ("only this data", "all information") and • the audience ("all employees"). • Responsibilities: identify three roles and their responsibilities • Management: implementing and supporting the policy. • Employees: adhering to the policy, and reporting suspected problems to management. • Day-to-day administration of the policy. • Compliance: • Who is responsible for enforcing compliance: • First-line supervision • Auditors • What happens when the policy is violated.
Activity (15 minutes) • 1. Find a policy on the Internet, evaluate it, and then add the elements that are missing. • 2. Develop a policy for the information of the courses taught at Tec de Monterrey.
Topic-Specific Policy • Encompasses the entire enterprise. • Components: • Thesis Statement: • the goals and objectives of the policy; information obtained from management interviews. • Relevance: • To whom, where, how, and when the policy is applicable. • Responsibilities: identify three roles and their responsibilities • Management: implementing and supporting the policy. • Employees: adhering to the policy, and reporting suspected problems to management. • Day-to-day administration of the policy. • Compliance: • Identify behaviors that are unacceptable, and the consequences. • Identify who is responsible for monitoring compliance. • Additional Information: • Contacts for additional information.
Topic-specific Policy example (from Information Security Policies, Procedures and Standards) • Telecommuting Policy • The Company allows telecommuting where there are opportunities for improved employee performance, reduced commuting miles, and/or potential for savings for the Company or business unit. • Provisions • Business units may implement telecommuting as a work option for certain employees based upon specific criteria and procedures consistently applied throughout the agency. • Consideration may be given to employees who have demonstrated work habits and performance well suited to successful telecommuting. • Telecommuting criteria and procedures shall be evaluated to ensure their benefits and effectiveness. • The telecommuter's conditions of employment shall remain the same as for non-telecommuting employees. • Business visits, meetings with Your Company customers, or regularly scheduled meetings with co-workers shall not be held at the home. • Telecommuting employees shall not act as primary caregivers for dependents nor perform other personal business during hours agreed upon as work hours. • Components Checklist: • Thesis Statement: • the goals and objectives of the policy; information obtained from management interviews. • Relevance: • To whom, where, how, and when the policy is applicable. • Responsibilities: identify three roles and their responsibilities • Management: implementing and supporting the policy. • Employees: adhering to the policy, and reporting suspected problems to management. • Day-to-day administration of the policy. • Compliance: • Who is responsible for managing compliance. • Identify behaviors that are unacceptable, and the consequences. • Identify who is responsible for monitoring compliance. • Additional Information: • Contacts for additional information.
Topic-specific example (cont.) • Components Checklist: • Thesis Statement: • the goals and objectives of the policy; information obtained from management interviews. • Relevance: • To whom, where, how, and when the policy is applicable. • Responsibilities: identify three roles and their responsibilities • Management: implementing and supporting the policy. • Employees: adhering to the policy, and reporting suspected problems to management. • Day-to-day administration of the policy. • Compliance: • Who is responsible for managing compliance. • Identify behaviors that are unacceptable, and the consequences. • Identify who is responsible for monitoring compliance. • Additional Information: • Contacts for additional information. • The Company shall provide tele-workers with office supplies. Equipment and software, if provided by the business unit for use at the tele-worksite, shall be for the purpose of conducting Company business. • Responsibilities • Employees shall sign and abide by a telecommuting agreement between the employee and the supervisor. -- Telecommuting shall be voluntary. -- The agreement shall specify individual work schedules. • Compliance • Company management has the responsibility to manage corporate information, personnel, and physical property relevant to business operations, as well as the right to monitor the actual utilization of all corporate assets. Employees who fail to comply with the policies will be considered to be in violation of Your Company's Employee Standards of Conduct and will be subject to appropriate corrective action.
Application-Specific Policy • Focuses on a specific system or application. • Uses a process that determines security rules (policy) based on business and mission objectives. • To develop a comprehensive series of policies: • Define the business objectives. • Establish the rules for operating the application or system; determine who has access and when. • Determine whether automated security tools can help to implement the policy.
Systems-specific policies (SysSPs) can be organized into two general groups: • managerial guidance SysSPs, and • technical guidance SysSPs.
Managerial Guidance SysSPs • Purpose: • Clear guidance for a systems administrator to properly configure a piece of the organization's information security technology. • For example, before a firewall administrator restricts access to the organization's intranet by filtering all external FTP connection requests, he or she must have been advised by management that such an action is needed and desired. • If administrators are not provided with this specific guidance, they may take it upon themselves to configure the technology according to their own personal beliefs and experiences. • Common components of this group are as follows: • Overview of the Scope and Purpose of the SysSP. • Similar to the previous sections, this section provides the tone and focus for the document. • Managerial and Organizational Intent of the Implementation of the Technology. • Specific implementation requirements in the form of permits and denies: • 1. Permit the following actions: . . . • 2. Deny the following actions: . . . • This section could be written in the context of specific technologies or protocols, as in "should allow SMTP or POP3 traffic," or in terms of general usage, as in "should allow all e-mail based communications." • Guidance for Permitting Exceptions. • With every rule there is inevitably cause for exceptions. • In the event that a user requests an exception to a rule, there must be a procedure in place for processing, reviewing, and approving or denying such requests. • This section specifies the who, what, when, and how of such a procedure.
Technical Guidance SysSPs • Address system configurations made by systems administrators. These are frequently system configurations rather than printed policies. As a firewall administrator configures a firewall, the administrator creates this technical guidance SysSP, just as a systems administrator does when setting up user accounts. • Technical guidance SysSPs commonly fall into two sub-categories: • ACLs and configuration rules. • ACLs consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user or group to a particular system (file storage systems, object brokers, or other network communications devices). A similar list, referred to as a capability table, is associated with users and groups to specify which subjects and objects a user or group can access. • These specifications are frequently complex matrices rather than simple lists or tables. In general, ACLs regulate the who, what, when, where, and how of access: • Who can use the system • What authorized users can access • When authorized users can access the system • Where authorized users can access the system from • How authorized users can access the system • Configuration rules • comprise the specific configuration codes entered into security systems to guide the execution of the system when information is passing through it. • Rule policies are more specific to the operation of a system than ACLs, and may or may not deal with users directly. • Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process.
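The who/what/when/where/how checks of an ACL and the ordered permit/deny rules of the managerial guidance slide, written out as an added example (this is my illustration, not code from the presentation or from Peltier's book). The users, groups, objects, networks and rules are constructed assumptions; the point it shows is that the first matching entry decides, so a specific deny must sit before a broad permit, and that anything unmatched falls through to an implicit deny.

```python
"""Added example (not from the presentation or Peltier's book): a small
technical-guidance SysSP expressed as code. A capability table answers the
who / what / when / where / how questions for each access request, and the
entries are evaluated like firewall rules: in order, first match wins,
implicit deny when nothing matches. Users, groups, objects, networks and
rules below are constructed sample data."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY_TIME = (time(0, 0), time(23, 59, 59))
ANYWHERE = (ip_network("0.0.0.0/0"),)


@dataclass(frozen=True)
class Request:
    who: str     # subject making the request (a user name)
    what: str    # object requested, e.g. a database or host
    when: time   # time of day of the request
    where: str   # source IP address the request comes from
    how: str     # access method / protocol, e.g. "ssh", "https"


@dataclass(frozen=True)
class AclEntry:
    subjects: frozenset          # users or groups the entry applies to
    objects: frozenset           # objects the entry covers
    window: Tuple[time, time]    # inclusive time-of-day window
    sources: tuple               # ip_network objects the request may come from
    methods: frozenset           # access methods the entry covers
    action: str                  # "permit" or "deny"


# Constructed group membership (in practice this comes from the directory).
GROUPS = {
    "alice": frozenset({"dba"}),
    "bob": frozenset({"developers"}),
    "eve": frozenset(),
}


def principals(user: str) -> frozenset:
    """A user matches an entry through its own name or any of its groups."""
    return frozenset({user}) | GROUPS.get(user, frozenset())


def entry_matches(entry: AclEntry, req: Request) -> bool:
    """All five dimensions (who, what, when, where, how) must match."""
    start, end = entry.window
    src = ip_address(req.where)
    return (
        bool(principals(req.who) & entry.subjects)
        and req.what in entry.objects
        and start <= req.when <= end
        and any(src in net for net in entry.sources)
        and req.how in entry.methods
    )


def evaluate(acl, req: Request) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding entry).

    Entries are scanned in order and the first match decides, so specific
    deny entries must be placed before broad permit entries. A request that
    matches nothing is denied (implicit deny)."""
    for index, entry in enumerate(acl):
        if entry_matches(entry, req):
            return entry.action, index
    return "deny", None


# Constructed rule set: the explicit deny for developers is listed first so
# that it cannot be shadowed by a later permit.
ACL = [
    AclEntry(frozenset({"developers"}), frozenset({"payroll-db"}),
             ANY_TIME, ANYWHERE, frozenset({"ssh", "https"}), "deny"),
    AclEntry(frozenset({"dba"}), frozenset({"payroll-db"}),
             (time(8, 0), time(18, 0)), (ip_network("10.0.0.0/8"),),
             frozenset({"ssh"}), "permit"),
    AclEntry(frozenset({"developers"}), frozenset({"build-server"}),
             ANY_TIME,
             (ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")),
             frozenset({"ssh", "https"}), "permit"),
]


def decide(who: str, what: str, when: str, where: str, how: str):
    """Evaluate one request against ACL; `when` is a "HH:MM" string."""
    return evaluate(ACL, Request(who, what, time.fromisoformat(when), where, how))


if __name__ == "__main__":
    for args in [("alice", "payroll-db", "10:00", "10.1.2.3", "ssh"),
                 ("alice", "payroll-db", "22:00", "10.1.2.3", "ssh"),
                 ("bob", "payroll-db", "10:00", "10.1.2.3", "ssh"),
                 ("bob", "build-server", "03:00", "192.168.1.7", "https")]:
        print(args, "->", decide(*args))
```

The returned index identifies the deciding entry, which is what an auditor wants in the log line next to the decision: a "deny" with index None means no rule spoke to the request at all, while a "deny" with an index points at the management-approved rule that blocked it.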
Standards • Policies alone do not offer the guidance required to actually implement a security program. • Standards are mandatory rules, activities, actions, or regulations designed to provide policies with the details needed to be effective.
An example • Policy: It is the Company policy that all orders will be processed as quickly as possible. • Standard: Each order must be processed within six working days of receipt.
A word on standards • Be aware of legislative and regulatory requirements, risks, protective measures, and practices that are relevant to your specific area of responsibility or business. • Two examples of international standards are • BS 7799 (British Standard) • ISO 17799 (based on BS 7799)
Original BS 7799 • Organized into 10 major sections • Business continuity planning • System access control • System development and maintenance • Physical and environmental security • Compliance • Personnel security • Security organization • Computer and Network management • Asset classification and control • Security policy
The definitions again… • Policies state a goal in general terms. • Standards define what is to be accomplished in specific terms.
Procedures • Procedures spell out the steps of how the policy and its supporting standards and guidelines will actually be implemented in the organization’s environment. • Procedures are a description of tasks that must be accomplished in a specified order.
An example • Policy: It is the Company policy that all orders will be processed as quickly as possible. • Standard: Each order must be processed within six working days of receipt. • Procedure: The following steps will be followed to process orders: • Day 1: Set up file for correspondence • Day 2: Enter order data into the system • Day 3: Verify order in stock and Process Credit Card • Day 4: Retrieve order and send to shipping • Day 5: Package order for shipment • Day 6: Mail order and receipt
The definitions again… • Policies state a goal in general terms. • Standards define what is to be accomplished in specific terms. • Procedures tell how to meet the standards.
Some items to consider for procedures (from Information Security Policies, Procedures, and Standards) • Title • Intent • Scope • Responsibilities • Sequence of events • Approvals • Prerequisites • Definitions • Equipment required • Warnings • Precautions • Procedure body (the steps)
Authorship of Policies, Standards, … • The task of actually writing the policies and their supporting standards, guidelines, and procedures would typically be handled by personnel in the computer security office. • Support from IS/IT personnel is helpful. • External consultants can also be useful. • The final draft should be submitted to management for approval.
Policy Checklist (from Computer Security Handbook, 3rd ed., John Wiley Press)
And a word on writing (from Information Security Policies, Procedures, and Standards) • Eliminate quotations. As Ralph Waldo Emerson once said: "I hate quotations. Tell me what you know." • Do not be redundant; do not use more words than necessary, it is highly superfluous. • Profanity sucks. • Be more or less specific. • Understatement is always best. • Exaggeration is a billion times worse than understatement. • One-word sentences? Eliminate. • Analogies in writing are like feathers on a snake. • The passive voice is to be avoided. • Go around the barn at high noon to avoid colloquialisms. • Who needs rhetorical questions? • Avoid alliteration. Always. • Prepositions are not words to end sentences with. • Avoid clichés like the plague. (They are old hat.) • Employ the vernacular. • Eschew ampersands & abbreviations, etc. • Parenthetical remarks (however relevant) are unnecessary. • It is wrong to ever split an infinitive. • Contractions aren't necessary. • Foreign words and phrases are not apropos. • One should never generalize. • Comparisons are as bad as clichés. • Even if a mixed metaphor sings, it should be derailed.
Phases of the Policy Development Life Cycle • Investigation • An examination of the event or plan that initiates the process. Includes the specification of the objectives, constraints and scope of the policy. • Analysis • An assessment of the organization, the status of current policies, and the anticipated perception of those to whom the policy will be applied. • Design • The selection of policy components that specifically address the needs of the users and of the organization, and creation, review, and approval of draft policy. • Implementation • The distribution, reading, understanding, agreement and uniform enforcement of policy. • Maintenance and change • The support, review, and modification of policy for the remainder of its useful life cycle.
Stages of Policy Implementation • Dissemination (distribution) • Delivery of policy in hard copy or electronic format, ensuring the employee receives each policy document. • Review (reading) • Ensuring the individual to whom the policy applies can and does read the document, including those who are literacy-challenged. • Comprehension (understanding) • Assessment of employee grasp of policy content and meaning. • Compliance (agreement) • Documentation of policy agreement by act or affirmation, indicating willful compliance. • Uniform enforcement • Organizational enforcement of policy equally and without prejudice.