lecture 3

    avatar
    Created by
    ayla rusdhy

    Cards (23)

    • InfoSec policies
      Guide behaviour, act as low cost controls
      View source
    • InfoSec policies act as an outline for acceptable behavior and use of information, designed to create a productive and effective work environment
      View source
    • InfoSec policies function as a low cost form of control for prevention of incidents involving information, but may be hard to implement
      View source
    • To be effective, InfoSec policies
      Need to be properly supported and administered
      View source
    • InfoSec policies must contribute to the success of the organization, and end users of information systems should be involved in the steps of policy formulation
      View source
    • Policies should never conflict with law, and should comply with law (must be able to stand up in court if challenged)
      View source
    • Policy
      A set of rules that determine what behavior is acceptable and unacceptable within an organization
      View source
    • Types of policies
      • Policies
      • Practices
      • Standards
      • Guidelines
      • Procedures
      View source
    • Types of InfoSec Policies (NIST)
      • Enterprise information security policy (EISP)
      • Issue-specific security policies (ISSP)
      • System-specific security policies (SysSP)
      View source
    • Enterprise information security policy (EISP)
      A high-level information security policy that sets the strategic direction for the InfoSec programme
      View source
    • Issue-specific security policies (ISSP)

      An organizational level policy that provides detailed and targeted guidance about how to use a shared resource in a secure way, more detailed than the EISP and changes more often
      View source
    • System-specific security policies (SysSP)
      Low level organizational policies that provide both managerial guidance and technical specifications to be used when configuring or maintaining systems
      View source
    • What is in an EISP?
      • Overview of the corporate philosophy on security
      • Information on the structure of the InfoSec organization including roles, responsibilities shared by all and unique to each role
      • Examples of individual policy statements
      View source
    • What is in an ISSP?
      Explains how technology should be used and controlled, and how the organization is indemnified against liability for misuse, begins by introducing the organization's fundamental resource-use philosophy
      View source
    • ISSPs can be created as a number of independent documents, a single comprehensive document, or a modular document that unifies policy creation and administration while maintaining each specific issue's requirements
      View source
    • A modular ISSP document that unifies policy creation and administration while maintaining each specific issue's requirements is recommended
      View source
    • System-specific security policies (SysSP)

      Similar to a set of standards or procedures that must be followed when dealing with specific systems, can be used for managerial guidance or contain technical specifications
      View source
    • Technical specifications - controls in a SysSP
      • Access control lists (ACLs)
      • Configuration settings, e.g. firewall rules
      View source
    • Access control list (ACL)
      Specifies who can use the system, what authorized users can access, when they can access, where they can access from, and how they can access, and assigns privileges like read, write, execute, delete
      View source
    • Guidelines for effective policy development
      • Develop using industry-accepted practices
      • Distribute using all appropriate methods
      • Ensure it is read by all employees
      • Ensure it is understood by all employees
      • Ensure it is formally agreed to by act or affirmation
      • Ensure it is uniformly applied and enforced
      View source
    • The Policy Development Process
      1. The policy is designed and written (or redesigned and rewritten)
      2. A senior manager or executive at the appropriate level and the organization's legal counsel review and formally approves the document
      3. Management processes are established to perpetuate the policy within the organization
      View source
    • The policy must be readable, easy to comprehend, compliant, and enforceable
      View source
    • Policy design & Implementation
      • SANS security policy templates
      • Infosec Institute - Acceptable use policy essentials
      • ComputerWorld - tips for implementing an acceptable use policy
      View source
    See similar decks