
Standards, Policies, Procedures, and Guidelines



Presentation Transcript


  1. Standards, Policies, Procedures, and Guidelines (Lesson 19)

  2. Some Definitions (from Information Security Policies, Procedures and Standards)
  • Policy: a high-level statement of an organization’s beliefs, goals, and objectives and the general means for their attainment for a specified subject area.
  • Standards: mandatory activities, actions, rules or regulations designed to provide policies with a support structure and specific direction.
  • Guidelines: more general statements that provide a framework within which to implement procedures. Guidelines are recommendations.
  • Procedures: outline the specifics of how policies, standards and guidelines will actually be implemented in the operating environment.

  3. Put another way…
  • Policies state a goal in general terms.
  • Standards define what is to be accomplished in specific terms.
  • Procedures tell how to meet the standards.

  4. Example: Access to Company information is restricted.
  • Policy: Access to and use of company information systems is restricted to authorized users.
  • Standard: Users are required to have unique userids and passwords.
  • Guideline: Passwords should be from 5 to 8 characters in length and contain both alphabetic and numeric characters.
  • Procedure: Requests for userids and passwords must include the signature of the authorized information owner. Approval signatures will be verified against the company’s authorized signature verification list.

  5. Security Policy (from “Active Policy Management: The Cornerstone of Security”)
  • Often cited as the first, most critical component of any information security program.
  • Can describe anything from acceptable use of an email system to privacy expectations of computer users.
  • To serve their purpose by communicating management intent, policies must be read and understood.
  • Problems and issues, or just plain indifference, are almost foregone conclusions.
  • Best practices for policies include:
    • Being realistic
    • Being concise yet thorough
    • Managing the policy life cycle
    • Educating and testing

  6. Key elements of a Policy
  • Be easy to understand
  • Be applicable
  • Be doable and enforceable
  • Be phased in
  • Be proactive (state what has to be done; don’t make “thou shalt not…” pronouncements).
  • Meet organizational objectives
  • Never, ever use absolutes… (OK, avoid them): you might get backed into a corner you don’t want to be in.
  • Don’t state “violators of the password policy will have their employment terminated” unless you are willing to live with the consequences.

  7. Security Operational Process (diagram: a cycle of Evaluate, Secure, Monitor, Improve, and Metrics)
  • Security Posture Assessment
  • Users
  • System Admin
  • Security Operations
  • Technology Deployment
  • Security Design Review
  • Security Integration
  • 24x7 Monitoring

  8. Security Posture Assessment (Evaluate) (diagram: the same Evaluate, Secure, Monitor, Improve, Metrics cycle of the Security Operational Process)
  • Users
  • System Admin
  • Security Operations
  • Technology Deployment
  • Security Design Review
  • Security Integration
  • 24x7 Monitoring

  9. Policy Management Life Cycle

  10. Types of policies (from Information Security Policies, Procedures and Standards)
  • Program Policies
    • Used to create the overall security vision for the organization.
  • Topic-specific policies
    • Address specific issues, e.g. email policy, Internet usage, physical security.
  • Application-specific policies
    • Designed to protect specific applications or systems, e.g. controls established for a payroll system.

  11. Program Policies
  • A high-level policy issued by senior management.
  • Defines the intent of the security program and its scope within the organization.
  • Should include:
    • Topic and scope
    • Responsibilities
    • Compliance issues

  12. Program Policy Example (from Information Security Policies, Procedures and Standards)
  The Company relies on various kinds of information resources in its daily operations. These resources include data-processing systems, electronic mail, voice-mail, telephones, copiers, facsimile machines, and other information-generation and exchange methods. It is very important for users to recognize that these resources are made available to them to help the company meet short- and long-term goals, objectives and competitive challenges. Any improper use of any resource is not acceptable and will not be permitted.

  13. Program Policy example (cont.)
  The company policies listed here form the basis for the Information Resources Protection Policy (IRPP):
    1. Data and information about the company and its employees are collected and retained to satisfy legitimate business purposes or as required by law.
    2. Protecting company information is every employee’s responsibility. Company people share a common interest in ensuring information is not intentionally, accidentally, or improperly disclosed, lost, or misused.
    3. Positive steps must be taken to prevent improper disclosure of company information and unauthorized access to company information resources.
    4. Data, information, and resources are company assets that may be used only for management-approved company business and not for personal use or gain.
    5. Like any other company asset, the company reserves the right to inspect information resources and their use at any time.
    6. Company records and information are available to individuals only on a need-to-know basis. Access or attempted access to information and resources outside one’s authority is prohibited.
    7. Protective measures must be provided to control access and to protect the integrity of all information systems that process information.

  14. Program Policy example (cont.)
    8. Established corporate and unit procedures are to be used for budgeting, approval, and acquisition of information-processing facilities, equipment, software, and support services.
    9. Appropriate safeguards must be built into information-processing facilities. These safeguards should minimize the extent of loss of information or processing support that could result from such hazards as fire, water, or other natural disasters while maintaining operational effectiveness. Business recovery plans must provide for continuation of vital business functions if loss or failure should occur.
    10. Independent reviews to ensure that program objectives are being met are an integral part of this effort. These reviews may be conducted by Corporate Auditing, the internal audit staff of a unit, or external auditors.
    11. Deliberate unauthorized acts against Company or customer information system(s) or facilities, including but not limited to misuse, misappropriation, destruction of information or system resources, the deliberate and unauthorized disclosure of information, or the use of unauthorized software/hardware, will result in disciplinary action as deemed by management.

  15. Topic-Specific Policies
  • Unlike Program Policies, Topic-specific policies narrow the focus to one issue at a time.
  • Basic components include:
    • Thesis statement: goals and objectives of this policy
    • Relevance: to whom does this policy apply?
    • Responsibilities: establishment of roles by position or job title
    • Compliance: describe unacceptable behavior and consequences
    • (additional information)

  16. Topic-specific Policy example (from Information Security Policies, Procedures and Standards)
  Telecommuting Policy
  The Company allows telecommuting where there are opportunities for improved employee performance, reduced commuting miles, and/or potential for savings for the Company or business unit.
  Provisions
  Business units may implement telecommuting as a work option for certain employees based upon specific criteria and procedures consistently applied throughout the agency.
  -- Consideration may be given to employees who have demonstrated work habits and performance well suited to successful telecommuting.
  -- Telecommuting criteria and procedures shall be evaluated to ensure their benefits and effectiveness.
  The telecommuter’s conditions of employment shall remain the same as for non-telecommuting employees.
  -- Business visits, meetings with Your Company customers, or regularly scheduled meetings with co-workers shall not be held at the home.
  -- Telecommuting employees shall not act as primary caregivers for dependents nor perform other personal business during hours agreed upon as work hours.

  17. Topic-specific example (cont.)
  The Company shall provide tele-workers with office supplies. Equipment and software, if provided by the business unit for use at the tele-worksite, shall be for the purpose of conducting Company business.
  Responsibilities
  Employees shall sign and abide by a telecommuting agreement between the employee and the supervisor.
  -- Telecommuting shall be voluntary.
  -- The agreement shall specify individual work schedules.
  Compliance
  Company management has the responsibility to manage corporate information, personnel, and physical property relevant to business operations, as well as the right to monitor the actual utilization of all corporate assets. Employees who fail to comply with the policies will be considered to be in violation of Your Company’s Employee Standards of Conduct and will be subject to appropriate corrective action.

  18. Application-specific policies
  • Focus on one specific system or application.
  • As the construction of the security architecture for a site takes place, the Program and Topic-specific policies need to be translated to specific applications and systems.
  • To develop a comprehensive series of policies:
    • Define the business objectives, then establish which security tools will support those objectives.
    • Establish the rules for operating the system or application. Determine who has access to what resources and when.
    • Determine what automated tools may help with this policy.

  19. Application-specific Policy example (from Information Security Policies, Procedures and Standards)
  Dial-In Access Policy
  All incoming dial-up connections (via PSTN or ISDN) should use a strong one-time password authentication system (such as SecurID). Dial-in access to the corporate network should only be allowed where necessary and where the following conditions are met:
  -- Assurance. The dial-in server configuration shall be accurately documented. It shall be subjected to yearly audits.
  -- Identification and Authentication. All incoming dial-up connections shall use a strong authentication system: one-time passwords, challenge-response, etc. Administrator log-in shall not send passwords in clear text. The call-back or closed user group features should be used where possible.
  -- Access Control. Dial-up servers shall not share file or printer resources with other internal machines; that is, they shall not be file or printer servers. Only administrative personnel shall be allowed to log on locally. Dial-up servers shall be installed in a physically secured/locked room.
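Slide 18 asks what automated tools may help with an application-specific policy. As an added example (not from the slides or the cited book), the Dial-In Access Policy above is expressed as an audit over a hypothetical server inventory record; the field names, the two sample records and the audit date are assumptions constructed for this illustration.

```python
from datetime import date

# Constructed example; field names below are assumptions for this illustration,
# not from the slides or any real dial-in server product.
STRONG_AUTH = {"one-time-password", "challenge-response"}

def audit_dialin_server(cfg, today):
    """Check one server record against the policy; return (requirement, passed) pairs."""
    findings = []
    def check(name, ok):
        findings.append((name, bool(ok)))
    # Assurance: configuration documented and audited within the last year
    check("configuration documented", cfg.get("config_documented") is True)
    last = cfg.get("last_audit")
    check("audited within 365 days", last is not None and (today - last).days <= 365)
    # Identification and authentication
    check("strong authentication", cfg.get("auth_method") in STRONG_AUTH)
    check("admin login not in clear text", cfg.get("admin_login_cleartext") is False)
    check("call-back or closed user group", cfg.get("callback") or cfg.get("closed_user_group"))
    # Access control: no file/print services, local logon for admins only, locked room
    check("no file or printer sharing", not cfg.get("file_sharing") and not cfg.get("printer_sharing"))
    check("local logon limited to admins", set(cfg.get("local_logon_groups", [])) <= {"admins"})
    check("physically secured room", cfg.get("secured_room") is True)
    return findings

def failed_requirements(cfg, today):
    """Names of the policy requirements the record does not meet."""
    return [name for name, ok in audit_dialin_server(cfg, today) if not ok]

# Constructed sample records: a weak configuration and its corrected form.
AUDIT_DATE = date(2024, 1, 15)
WEAK_SERVER = {
    "config_documented": False, "last_audit": date(2022, 6, 1),
    "auth_method": "static-password", "admin_login_cleartext": True,
    "callback": False, "closed_user_group": False,
    "file_sharing": True, "printer_sharing": False,
    "local_logon_groups": ["admins", "users"], "secured_room": False,
}
COMPLIANT_SERVER = {
    "config_documented": True, "last_audit": date(2023, 9, 1),
    "auth_method": "one-time-password", "admin_login_cleartext": False,
    "callback": True, "closed_user_group": False,
    "file_sharing": False, "printer_sharing": False,
    "local_logon_groups": ["admins"], "secured_room": True,
}

if __name__ == "__main__":
    for name, ok in audit_dialin_server(WEAK_SERVER, AUDIT_DATE):
        print("ok  " if ok else "FAIL", name)
```

Each policy clause maps to one named check, so a failed audit names the clause that was violated rather than just reporting "non-compliant".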

  20. Some other policies you should think about having
  • Internet use policy
    • What can you do, where can you go (e.g. pornography, online brokerage, online gaming, online auctions)
  • Email use policy
    • What is not acceptable (e.g. threats, harassment, spam)
  • Acceptable use policy
    • What else can the systems be used for (e.g. running your own home business, downloading and storing music/videos, games)

  21. The definitions again…
  • Policies state a goal in general terms.
  • Standards define what is to be accomplished in specific terms.
  • Procedures tell how to meet the standards.

  22. Standards
  • Policies alone do not offer the guidance required to actually implement a security program.
  • Standards are mandatory rules, activities, actions, or regulations designed to provide policies with the details needed to be effective.

  23. An example
  • Policy: It is Company policy that all orders will be processed as quickly as possible.
  • Standard: Each order must be processed within six working days of receipt.
  • Procedure: The following steps will be followed to process orders:
    • Day 1: Set up file for correspondence
    • Day 2: Enter order data into the system
    • Day 3: Verify order in stock and process credit card
    • Day 4: Retrieve order and send to shipping
    • Day 5: Package order for shipment
    • Day 6: Mail order and receipt

  24. A word on standards
  • Be aware of legislative and regulatory requirements, risks, protective measures, and practices that are relevant to your specific area of responsibility or business.
  • Two examples of international standards are:
    • BS 7799 (British Standard)
    • ISO 17799 (based on BS 7799)

  25. Original BS 7799
  • Organized into 10 major sections:
    • Business continuity planning
    • System access control
    • System development and maintenance
    • Physical and environmental security
    • Compliance
    • Personnel security
    • Security organization
    • Computer and network management
    • Asset classification and control
    • Security policy

  26. The definitions again…
  • Policies state a goal in general terms.
  • Standards define what is to be accomplished in specific terms.
  • Procedures tell how to meet the standards.

  27. Procedures
  • Procedures spell out the steps of how the policy and its supporting standards and guidelines will actually be implemented in the organization’s environment.
  • Procedures are a description of tasks that must be accomplished in a specified order.

  28. Some items to consider for procedures (from Information Security Policies, Procedures, and Standards)
  • Title
  • Intent
  • Scope
  • Responsibilities
  • Sequence of events
  • Approvals
  • Prerequisites
  • Definitions
  • Equipment required
  • Warnings
  • Precautions
  • Procedure body (the steps)

  29. Authorship of Policies, Standards, …
  • The task of actually writing the policies and their supporting standards, guidelines, and procedures would typically be handled by personnel in the computer security office.
  • Support from IS/IT personnel is helpful.
  • External consultants can also be useful.
  • The final draft should be submitted to management for approval.

  30. Policy Checklist (from Computer Security Handbook, 3rd ed., John Wiley Press)

  31. And a word on writing (from Information Security Policies, Procedures, and Standards)
  • Eliminate quotations. As Ralph Waldo Emerson once said: “I hate quotations. Tell me what you know.”
  • Do not be redundant; do not use more words than necessary, it is highly superfluous.
  • Profanity sucks.
  • Be more or less specific.
  • Understatement is always best.
  • Exaggeration is a billion times worse than understatement.
  • One-word sentences? Eliminate.
  • Analogies in writing are like feathers on a snake.
  • The passive voice is to be avoided.
  • Go around the barn at high noon to avoid colloquialisms.
  • Who needs rhetorical questions?
  • Avoid alliteration. Always.
  • Prepositions are not words to end sentences with.
  • Avoid clichés like the plague. (They are old hat.)
  • Employ the vernacular.
  • Eschew ampersands & abbreviations, etc.
  • Parenthetical remarks (however relevant) are unnecessary.
  • It is wrong to ever split an infinitive.
  • Contractions aren’t necessary.
  • Foreign words and phrases are not apropos.
  • One should never generalize.
  • Comparisons are as bad as clichés.
  • Even if a mixed metaphor sings, it should be derailed.

  32. Summary
  • What is the importance and significance of this material?
  • How does this topic fit into the subject of “Voice and Data Security”?
