
Incident Management


Presentation Transcript


  1. Incident Management By Marc-André Léger DESS, MASc, PHD(candidate) Winter 2008

  2. Save the forest • If you really need to print… • Please do not print out more than one module at a time as it may evolve…

  3. Session 2 Computer security policies

  4. Security policy

  5. Who Should Be Concerned • Managers • System designers • Users: what are the policy’s impacts on their actions, and what are the ramifications of not following policy • System administrators, support personnel who manage enforcement technologies and processes • Company lawyers: they may have to use the written policies in support of actions taken against employees in violation

  6. Policy Hierarchy

  7. Multiple Levels • Multiple levels of a policy may be in a single document, but the development of the complete policy is “top down” • The lower-level policies produced by this refinement process may be integrated into the system design process • For example, you cannot define a firewall policy until you know your system will use a firewall as the enforcement mechanism for a higher-level policy

  8. Policy Hierarchy (diagram) • Policy → Standard 1, Standard 2, Standard 3 • Standard 1 → Procedure 1.1, Procedure 1.3, Procedure 1.3

  9. Example of Hierarchical Policies • High level:“company proprietary information shall be protected from release to unauthorized personnel”

  10. Mid level procedural policy • All proprietary information shall have a committee responsible for its control • A member of that committee must authorize any distribution of that material • Enforcement: training, audit

  11. Mid level technology policy • Proprietary information may only be stored on protected systems, accessible only to those with authorized access to the proprietary information • There shall be no externally initiated, automated means to retrieve information from the protected systems • Low level, e.g., a firewall rule blocking incoming traffic on ports 20 (ftp data), 21 (ftp control), and 69 (tftp) • The firewall is the enforcement mechanism
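The refinement in slides 9 to 11 ends in a firewall rule, but the slide only names port numbers. The following is an added example, not code from the presentation: it encodes the mid-level technology policy as a small rule model, renders the low-level rules as an nftables chain, and checks constructed sample connection attempts against them. The protocol assignments (FTP control and data over TCP, TFTP over UDP) and the nftables layout are assumptions added here; the slide states only the port numbers.

```python
"""Added example: refine the policy "no externally initiated, automated
retrieval from protected systems" into firewall rules and check them.
Not part of the original slides."""
from dataclasses import dataclass

# Ports named on the slide. Protocols are an assumption added here because a
# firewall rule needs one: FTP control/data run over TCP, TFTP over UDP.
POLICY_BLOCKED_SERVICES = {
    ("tcp", 20): "ftp-data",
    ("tcp", 21): "ftp",
    ("udp", 69): "tftp",
}


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" = externally initiated, "out" = locally initiated
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    action: str      # "drop" or "accept"
    comment: str = ""


def rules_from_policy(blocked=POLICY_BLOCKED_SERVICES):
    """Low-level policy: drop every inbound connection to a blocked service."""
    return [Rule("in", proto, port, "drop", name)
            for (proto, port), name in sorted(blocked.items())]


def render_nftables(rules):
    """Render the inbound rules as an nftables 'input' chain (default accept,
    replies to locally initiated connections allowed through conntrack)."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        "    ct state established,related accept",
    ]
    for r in rules:
        if r.direction != "in":
            continue
        lines.append(f'    {r.proto} dport {r.dport} {r.action} comment "{r.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


def evaluate(rules, direction, proto, dport, default="accept"):
    """First-match evaluation of a new connection against the ruleset."""
    for r in rules:
        if (r.direction, r.proto, r.dport) == (direction, proto, dport):
            return r.action
    return default


# Constructed sample of connection attempts: (direction, proto, dport, label).
SAMPLE_CONNECTIONS = [
    ("in", "tcp", 21, "external host opens FTP control channel"),
    ("in", "udp", 69, "external host requests a file over TFTP"),
    ("in", "tcp", 22, "external host opens SSH (not covered by this rule)"),
    ("out", "tcp", 21, "protected system itself connects out to an FTP server"),
]


def audit(rules, connections=SAMPLE_CONNECTIONS):
    """Map each sample connection to the action the ruleset would take."""
    return {label: evaluate(rules, d, p, port) for d, p, port, label in connections}


if __name__ == "__main__":
    rules = rules_from_policy()
    print(render_nftables(rules))
    for label, action in audit(rules).items():
        print(f"{action:7} {label}")
```

The audit shows the gap a reviewer would flag: the three port rules enforce "no externally initiated retrieval" only for the services listed, so SSH, HTTP or any other inbound service stays open, and an outbound FTP session started from the protected system is not constrained at all. Both of those points belong back at the mid-level policy, not in the firewall rule, which is the slide's point about refining top down.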

  12. Policy • Sets boundaries

  13. Policy • Greek • Politeia: citizenship • Polis: city • Focused on creating sense of organisational citizenship amongst staff • Compliance with policy – good citizen of organisational city; entitled to benefits of city

  14. Policy • Definition: Course of action adopted by a business, etc.* • Development • Core team – business representatives • Reviewed & approved by governing body * Oxford Dictionary of Current English, 1998

  15. Policy • Communication mechanism between the executive level and employees • Defines how discipline is viewed • Provides direction • Explains what organisational behaviour is supported • Specifies the disciplinary actions the organisation is prepared to take • Actions to be taken when directives are not followed • Not there to undermine the way people work • Should educate employees, not scare them

  16. 3P model • Prevent: provide proactive measures and awareness training • Protect: provide baseline processes to implement technology and controls • Punish: provide an incremental punitive process so you can enforce it at the appropriate time (coercion)

  17. Using standards • Standards can be useful to help define what is allowed within the organisational boundary

  18. Standards • Definition: • Object, quality or measure serving as a basis to which others conform or should conform, or by which others are judged • Level of excellence or quality required or specified • Development • Core team • Subject matter experts

  19. Standards • Standards are agreement between parties • Specific set of rules to operate more uniformly & effectively • Sets level of expectation • Ensures consistent operations • Minimise risk • Increase efficiency

  20. Procedures • How we act within the organisational boundary • How we achieve the rules set out in standards • Example: how to milk a cow… 1. Bring cow into barn 2. Tell cow to stand still 3. Fetch bucket and stool 4. Sit on stool next to cow 5. Squirt milk into bucket

  21. Procedures • Definition(s) • Way of performing a task • OR • Series of actions conducted in a certain manner • Development • Individuals responsible for daily tasks

  22. Procedures • Operational communication mechanism • Plans / steps addressing specifics of how to go about particular action • Transfer of knowledge between individuals who perform same job • Reflect best practices / repetitive actions followed

  23. Procedures • Provide detail to enable performance of function without having to ask: • What • Where • Who

  24. Examples • Policy Statement • All users will be authenticated with passwords that are changed on a periodic basis before being allowed access to the organisation’s information resources.

  25. Examples • Standard Statements • All passwords will be a minimum length of seven characters and contain alphabetical, numeric and special characters. • User passwords will be changed every thirty days. • The last ten passwords will be stored to prevent re-utilisation thereof.

  26. Examples • Procedure Statement • To assign a password to a new user id, select the User ID in the User Manager and right-click to view its properties. • Select the password field and enter a password that conforms to the organisation’s password standards.

  27. Drivers • Compliance • Laws & regulations • Audit requirements • Against which audit can be conducted • Good practice • Industry standards • Risk management • Manage risks related to employee behaviour

  28. Policy Lifecycle

  29. Policy Lifecycle (cycle diagram) • Develop / Amend → Communicate → Monitor → Report → Remediate → Archive → back to Develop / Amend

  30. Policy Lifecycle • Develop / Amend • Acquire senior level sponsorship & sign-off • Involve stakeholders in formulation • Ensure consistency with other policies

  31. Policy Lifecycle • Communicate • Use existing channels • Avoid jargon • Include third parties

  32. Policy Lifecycle • Monitor • Gather data related to compliance with policy • Aggregate data • Analyse data

  33. Policy Lifecycle • Report • Provide organisational wide view of policy compliance • Identify breaches for investigation • Report to executive stakeholders

  34. Policy Lifecycle • Remediate • Understand problematic areas • Revise policy on periodic basis • Address policies that are impractical

  35. Policy Lifecycle • Archive • Adopt strict version control • Archive in case of legal or employment-related action • Process as official records

  36. Common Problems • Fail to impact users ‘on the ground’ • Difficult to reflect organisation’s vision & mission • Difficult to entrench in daily operations – nuisance factor • Users ignorant of policy’s existence • Users do not fully understand document • Too long or too technical

  37. Effective Policies • Understandable • Meaningful & practical • Implementable, enforceable & realistic • Inviting document • Addresses users directly • Convincing

  38. Effective Policies • Incorporates: • Nature of organisation • Organisational risk appetite • Organisational culture

  39. Policy Development

  40. Approach • Initialisation phase • Key activities: confirm policy framework; define policy / standard management processes; confirm document format • Key deliverables: policy framework; policy / standard management processes; document template • Development phase • Key activities: research topic; prepare draft; workshop content; revisit content (review cycle) • Key deliverables: draft for discussion; final draft • Finalisation & approval phase • Key activities: finalise policies / standards for approval; present policies / standards for approval • Key deliverables: final policies / standards

  41. Approach • Content Development • No ‘cut & paste’ • Developed in conjunction with stakeholder representation – not only technical staff • Wording of principle statements very important

  42. Key Success Factors • Styling • Consistent with overall communication style • Fit in with organisational culture • User-friendly & clear – no ‘thou shalt nots’ • Formatting • Short, easy to read (1 - 5 pages) • Visual impact

  43. Key Success Factors • Writing style • Reflect organisational culture & industry • Clear, comprehensive – no ambiguity • Avoid specific references to technology

  44. Key Success Factors • Presentation • Fun & attractive • Short, concise, to the point • Main document – brief, interesting cartoons, dialogue • Supplementary policies, standards & guidelines to support & detail specific topics • Quality deliverable - underlines importance

  45. Key Success Factors • Commitment • Buy-in from top management vital – people live by example • Change of attitude & behaviour starts at top • Truly effective policy has support from all levels in organisation

  46. Key Success Factors • Governance Processes • Content Review • All stakeholders • Quality Assurance

  47. Policy Communication

  48. Communication • Dissemination • Users need to know about the policy • Various methods • Paper-based or electronic copies • Published on internal communication sites • Summarised policy on colourful brochures • Awareness sessions • Creativity very important – marketing-driven

  49. Policy Monitoring & Reporting

  50. Monitoring & Reporting • Monitoring / Auditing • Internal / External Audits • Employee Surveys / Competitions • Key Performance Indicators (KPIs) • Disciplinary Action
