
TEL382 IA Policies & Disaster Recovery

Get an overview of policies and disaster recovery in this week 1 outline. Understand the role of policy in government and corporate culture, and learn how to define and enforce information security policies.



Presentation Transcript


  1. TEL382 IA Policies & Disaster Recovery Week 1

  2. OUTLINE • Introductions • Syllabus • Grading Scheme • Guidelines/Suggestions • Homework/Paper-Presentation

  3. Who am I? • Dave Climek, Adjunct Lecturer • 10 years here at SUNY • 29 years associated with the US Air Force • AAS Electrical Engineering Technology - Canton • BT Electrical Engineering - Buffalo State • BS Telecommunications - SUNYIT • MS Telecommunications - SUNYIT • MS Business Management – SUNYIT • MS Information Assurance – Norwich University

  4. Who are you? • Name • Work Experience • Educational Background • What are you hoping to get from this course?

  5. Introductions • Contact Card • Name • Phone Number • Email • Major • Background • Work Experience • Expectations: What are you hoping to get from this course?

  6. Syllabus • Phone Numbers, Email • Textbooks, Additional Reading • Overview, Objectives • Grading • 2 Assessments • Homework/Formats • Technology Paper & Presentation • Course Outline

  7. Class Web Page • http://people.sunyit.edu/~climekd • Copy of Syllabus • Copy of this week’s slides • Copy of homework overview • Copy of paper/presentation topics

  8. Suggestions • Read textbooks • Download lecture notes • Keep up with homework assignments • Start paper/presentation as soon as possible • Come to class

  9. TEL382 Greene Chapter 1

  10. Outline • Defining Policy • Policy Through the Ages • Role of Policy in Government • Role of Policy in Corporate Culture • Psychology of Policy • Introducing Policy • Acceptance of Policy • Enforcing Information Security Policies

  11. Defining Policy • According to Merriam-Webster, policy is: • “prudence or wisdom in the management of affairs” • “management or procedure based primarily on material interest” • “a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions” • Information Security Policy: • Document that states how an organization plans to protect the organization’s tangible and intangible information assets • Management instructions indicating a course of action, a guiding principle, or an appropriate procedure • High-level statements that provide guidance to workers who must make present and future decisions • Generalized requirements that must be written down and communicated to certain groups of people inside, and in some cases outside, the organization

  12. Information Assets • Tangible • Facilities, hardware, software, media, supplies, documentation, customer data, etc. • Intangible • Body of information an organization must have to conduct its business mission, reputation, intellectual capital, intellectual property, etc. • Information States • Stored, Processed, Transmitted • Locations • IT Systems, Paper, Brains

  13. Policy Through the Ages • Policies, laws, codes of justice, etc. have been around for a long time • Examples • Bible • US Constitution • Etc.

  14. Role of Policy in Government • Monroe Doctrine – 1823 • US independent of Europe • US interests extend to Central and South America

  15. Role of Policy in Corporate Culture • Corporate Culture: shared attitudes, values, goals, and practices that characterize a company or organization • Policies provide consistency for customers and employees • Discipline • Rewards • Regulatory drivers that require written information security policies: • Financial Modernization Act of 1999 (Gramm-Leach-Bliley Act – GLBA) • Health Insurance Portability and Accountability Act of 1996 (HIPAA)

  16. Psychology of Policy • People tend to rebel against rules that are not explained to them • Policy Development, Introduction, Enforcement • Seek input from members • Introduce through training • Consistently enforce • Identify Key People/Roles • Board of Directors • Senior Mgrs, C-level positions • Dept Mgrs • Supervisors/Mgrs who deal with vendors, service providers • Info/Data Owners & Custodians • Users

  17. Introducing Policy • Get approval from Board of Directors/Executive Management • Board approval is generally required in a regulated industry • Introduce Policy to Organization • Awareness Training Program • Email • Memos • Etc.

  18. Acceptance of Policy • Not a “one shot” endeavor; requires constant and continual effort • Best if top down driven • Management shows by example • Reinforcement Through Communications • Intranet pages • Paycheck envelope “fillers” • On-line security awareness technologies • Screen Savers • Email or discussion post distribution • Permanent agenda item at all department meetings • Responding to Environmental Changes • Must keep up with organizational/technological changes

  19. Enforcing Information Security Policies • Some policies can be monitored automatically (e.g. by the system enforcing the rule) • Those that cannot must be monitored with third-party monitoring and audit tools • Monitoring and audit tools also catch users who break policy without realizing it • Enforcement • When rule breaking is not punished, the rules become meaningless • Enforcement must be consistent • Consequences must be commensurate with the criticality of the information the policy was written to protect

  20. TEL382 Greene Chapter 2

  21. Outline • Policies, Standards, Guidelines, Procedures • Developing Policy Style and Format • Defining Policy Elements • Statement of Authority • Policy Heading • Policy Objective • Statement of Purpose • Policy Statements • Exception to Policy • Policy Enforcement • Definitions

  22. Policies, Standards, Guidelines, Procedures • Regulatory Policy Content Requirements • Policy Objective • Statement of Purpose • Statement of Exceptions • Actual Policy Statement • Statement of violation consequences • Date policy was written and revised • Schedule for future review and revision • Standards • Specific minimum requirements in policy • May change from time to time • Example: Password Requirements (length, special char, history, etc.) • Guidelines • Suggestions for best way to accomplish • May change more often • Example: Password Suggestions (Use phrase, song title, saying, etc.) • Procedures • Instructions necessary to carry out a policy statement • May change as needed • Example: Steps to change password
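A standard is only enforceable (slide 19) if its minimum requirements can actually be checked. The following is an added example, not code from the Greene text or these slides: it turns the slide's password standard (length, special character, history) into a machine-checkable control. The thresholds (12 characters, one special character, no reuse of the last 5 passwords) and the PBKDF2 iteration count are assumptions, and previous passwords are stored only as salted digests so the history itself never holds passwords in the clear.

```python
"""Turn a password standard (minimum requirements) into a checkable control.

Added example; the thresholds and iteration count below are assumptions,
not values from the slides.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PasswordStandard:
    """Minimum requirements a policy standard would state (assumed values)."""
    min_length: int = 12
    require_special: bool = True   # at least one non-alphanumeric character
    history_depth: int = 5         # may not reuse any of the last N passwords


@dataclass
class PasswordHistory:
    """Previous passwords, kept only as (salt, PBKDF2 digest) pairs."""
    entries: list[tuple[bytes, bytes]] = field(default_factory=list)


PBKDF2_ITERATIONS = 50_000  # assumed; raise for production use


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored history cannot be read back as passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def record_password(password: str, history: PasswordHistory) -> None:
    """Append the newly set password to the history under a fresh random salt."""
    salt = os.urandom(16)
    history.entries.append((salt, _digest(password, salt)))


def check_password(candidate: str, standard: PasswordStandard,
                   history: PasswordHistory) -> list[str]:
    """Return the list of standard violations; an empty list means compliant."""
    violations: list[str] = []
    if len(candidate) < standard.min_length:
        violations.append(f"shorter than {standard.min_length} characters")
    if standard.require_special and not re.search(r"[^A-Za-z0-9]", candidate):
        violations.append("no special character")
    # Only the last N entries count; each has its own salt, so the candidate
    # is re-hashed once per entry. Constant-time compare avoids timing leaks.
    if standard.history_depth > 0:
        for salt, digest in history.entries[-standard.history_depth:]:
            if hmac.compare_digest(_digest(candidate, salt), digest):
                violations.append(
                    f"reuses one of the last {standard.history_depth} passwords")
                break
    return violations


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    std = PasswordStandard()
    hist = PasswordHistory()
    for old in ("Correct-Horse-7", "Battery-Staple-42"):
        record_password(old, hist)
    for pw in ("short1!", "Correct-Horse-7", "Spring2024nosymbol", "Fresh-Passphrase-99"):
        print(f"{pw!r}: {check_password(pw, std, hist) or 'OK'}")
```

The split mirrors the slide: `PasswordStandard` holds the standard (the numbers that may change from time to time), `check_password` is the procedure that enforces it, and the guideline ("use a phrase or song title") stays in the user-facing text because it is advice, not a rule the code can test.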

  23. Developing Policy Style and Format • Know your intended audience • Plan before you write • Use a template • Policy Format • Each policy is a separate discrete document OR • One large policy document with multiple sections • Short, concise • Sections • Objectives, Purpose, Audience, Policy Statement, Exceptions, Disciplinary Actions (& Dates – Written revised, reviewed, etc. & Approval Authority)

  24. Defining Policy Elements: Statement of Authority • May serve as a preface to a group of policies • Explains motivation • Regulatory compliance • Other

  25. Policy Heading • Contains all logistical information • Contents may include: • Security domain, subsection, policy number • Name of organization and document • Effective dates, authors • Change control documentation • Relevant cross-references • Approval authority

  26. Policy Objective • What is the goal of our policy? • What are we attempting to achieve with this policy?

  27. Statement of Purpose • Why does the policy exist? • Explains why the policy was adopted • Provides understanding and motivation to users

  28. Policy Audience • Who is the policy intended for? • Policies may be targeted for specific employees and/or positions • May apply to outsiders • Partners, vendors, clients • Unless specified, policies apply to all information system users, owners, and custodians

  29. Policy Statements • Focuses specifically on the rules • Systematic list of rules and actions to be taken to control the risks associated with threats and vulnerabilities • Reference other documents that apply (Standards, Guidelines, Procedures, etc.) • Must be clear, concise and unambiguous

  30. Exception to Policy • Special situations call for exceptions to the rules • Language must be clear, concise, unambiguous and include a process by which exceptions may be granted • Keep the number of exceptions low; if there are many: • Maybe the rule is not appropriate in the first place • Employees may perceive the rule as unimportant • Employees may perceive favoritism toward some • It becomes too difficult to keep track of and audit them

  31. Policy Enforcement • Assert seriousness of policy • Cannot list every punishment for every infraction • Describe a disciplinary process and list most severe punishment • Must be proportional to broken rule and subsequent risk exposure • Must then develop process and schedule applicable disciplinary actions • Plus contingency for repeat offences • Does not negate the need to properly educate and train users

  32. Definitions • Include definitions for any non-standard language • Remember policy purpose is to communicate and educate • Some users may not be in-house employees • Identify target audience and write to the lowest common denominator • Definitions help to remove ambiguity that may be claimed in any legal proceedings
