lecture 3
Cards (23)
- InfoSec policiesGuide behaviour, act as low cost controls
- InfoSec policies act as an outline for acceptable behavior and use of information, designed to create a productive and effective work environment
- InfoSec policies function as a low cost form of control for prevention of incidents involving information, but may be hard to implement
- To be effective, InfoSec policiesNeed to be properly supported and administered
- InfoSec policies must contribute to the success of the organization, and end users of information systems should be involved in the steps of policy formulation
- Policies should never conflict with law, and should comply with law (must be able to stand up in court if challenged)
- PolicyA set of rules that determine what behavior is acceptable and unacceptable within an organization
- Types of policies
- Policies
- Practices
- Standards
- Guidelines
- Procedures
- Types of InfoSec Policies (NIST)
- Enterprise information security policy (EISP)
- Issue-specific security policies (ISSP)
- System-specific security policies (SysSP)
- Enterprise information security policy (EISP)A high-level information security policy that sets the strategic direction for the InfoSec programme
- Issue-specific security policies (ISSP)An organizational level policy that provides detailed and targeted guidance about how to use a shared resource in a secure way, more detailed than the EISP and changes more often
- System-specific security policies (SysSP)Low level organizational policies that provide both managerial guidance and technical specifications to be used when configuring or maintaining systems
- What is in an EISP?
- Overview of the corporate philosophy on security
- Information on the structure of the InfoSec organization including roles, responsibilities shared by all and unique to each role
- Examples of individual policy statements
- What is in an ISSP?Explains how technology should be used and controlled, and how the organization is indemnified against liability for misuse, begins by introducing the organization's fundamental resource-use philosophy
- ISSPs can be created as a number of independent documents, a single comprehensive document, or a modular document that unifies policy creation and administration while maintaining each specific issue's requirements
- A modular ISSP document that unifies policy creation and administration while maintaining each specific issue's requirements is recommended
- System-specific security policies (SysSP)Similar to a set of standards or procedures that must be followed when dealing with specific systems, can be used for managerial guidance or contain technical specifications
- Technical specifications - controls in a SysSP
- Access control lists (ACLs)
- Configuration settings, e.g. firewall rules
- Access control list (ACL)Specifies who can use the system, what authorized users can access, when they can access, where they can access from, and how they can access, and assigns privileges like read, write, execute, delete
- Guidelines for effective policy development
- Develop using industry-accepted practices
- Distribute using all appropriate methods
- Ensure it is read by all employees
- Ensure it is understood by all employees
- Ensure it is formally agreed to by act or affirmation
- Ensure it is uniformly applied and enforced
- The Policy Development Process1. The policy is designed and written (or redesigned and rewritten)2. A senior manager or executive at the appropriate level and the organization's legal counsel review and formally approves the document3. Management processes are established to perpetuate the policy within the organization
- The policy must be readable, easy to comprehend, compliant, and enforceable
- Policy design & Implementation
- SANS security policy templates
- Infosec Institute - Acceptable use policy essentials
- ComputerWorld - tips for implementing an acceptable use policy