book

Security Policies and Implementation Issues

by Robert Johnson, Mark Merkow

October 2010

Intermediate to advanced

438 pages

13h 54m

English

Jones & Bartlett Learning

Read now

Unlock full access

Purpose of This BookLearning FeaturesAudience
What Is Information Systems Security?Information Systems Security Management Life CyclePlan and OrganizeAcquire and ImplementDeliver and SupportMonitor and EvaluateWhat Is Information Assurance?ConfidentialityIntegrityAuthenticationAvailabilityNonrepudiationWhat Is Governance?Why Is Governance Important?What Are Information Systems Security Policies?How Policies and Standards DifferHow Policies and Procedures DifferWhere Do Information Systems Security Policies Fit Within an Organization?Why Information Systems Security Policies Are ImportantPolicies That Support Operational SuccessChallenges of Running a Business Without PoliciesDangers of Not Implementing PoliciesDangers of Implementing the Wrong PoliciesWhen Do You Need Information Systems Security Policies?Business Process Reengineering (BPR)Continuous ImprovementProblem RelatedWhy Enforcing and Winning Acceptance for Policies Is ChallengingCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 1 ASSESSMENT
Why Are Business Drivers Important?Maintaining ComplianceCompliance Requires Proper Security ControlsSecurity Controls Must Include Information Security PoliciesPreventive Security ControlsDetective Security ControlCorrective Security ControlRelationship Between Security Controls and Information Security PolicyMitigating Risk ExposureEducate Employees and Drive Security AwarenessPrevent Loss of Intellectual PropertyLabeling Data and Data ClassificationProtect Digital AssetsSecure Privacy of DataFull Disclosure and Data EncryptionLower Risk ExposureMinimizing Liability of the OrganizationSeparation Between Employer and EmployeeAcceptable Use PoliciesConfidentiality Agreement and Non-Disclosure AgreementBusiness Liability Insurance PoliciesImplementing Policies to Drive Operational ConsistencyForcing Repeatable Business Processes Across the Entire OrganizationPolicies Are Key to Repeatable BehaviorPolicies Help Prevent Operational DeviationCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 2 ASSESSMENTENDNOTES
U.S. Compliance LawsWhat Are They?Federal Information Security Management Act (FISMA)Health Insurance Portability and Accountability Act (HIPAA)Gramm-Leach-Bliley Act (GLBA)Sarbanes-Oxley (SOX) ActFamily Educational Rights and Privacy Act (FERPA)Children's Internet Protection Act (CIPA)Why Did They Come About?Whom Do the Laws Protect?Which Laws Require Proper Security Controls Including Policies?Which Laws Require Proper Security Controls for Handling Privacy Data?Aligning Security Policies and Controls with RegulationsIndustry Leading Practices and Self-RegulationSome Important Industry StandardsPayment Card Industry Data Security Standard (PCI DSS)Statement on Auditing Standard 70 (SAS 70)Information Technology Infrastructure Library (ITIL)CHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 3 ASSESSMENTENDNOTES
The Seven Domains of a Typical IT InfrastructureUser DomainWorkstation DomainLAN DomainLAN-to-WAN DomainWAN DomainRemote Access DomainSystem/Application DomainInformation Security Business Challenges and Security Policies That Mitigate Risk Within the Seven DomainsUser DomainWorkstation DomainLAN DomainLAN-to-WAN DomainWAN DomainRemote Access DomainSystem/Application DomainInventoryPerimeterEncryption of Mobile DevicesCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 4 ASSESSMENT
Human Nature in the WorkplaceBasic Elements of MotivationPrideSelf-InterestSuccessPersonality Types of EmployeesLeadership, Values, and EthicsOrganizational StructureFlat OrganizationsHierarchical OrganizationsAdvantages of a Hierarchical ModelDisadvantages of a Hierarchical ModelThe Challenge of User ApathyThe Importance of Executive Management SupportSelling Information Security Policies to an ExecutiveBefore, During, and After Policy ImplementationThe Role of Human ResourcesRelationship Between HR and Security PoliciesLack of SupportPolicy Roles, Responsibilities, and AccountabilityChange ModelResponsibilities During ChangeStep 1: Create UrgencyStep 2: Create a Powerful CoalitionStep 3: Create a Vision for ChangeStep 4: Communicate the VisionStep 5: Remove ObstaclesStep 6: Create Short-Term WinsStep 7: Build on the ChangeStep 8: Anchor the Changes in Corporate CultureRoles and AccountabilitiesWhen Policy Fulfillment Is Not Part of Job DescriptionsImpact on Entrepreneurial Productivity and EfficiencyApplying Security Policies to a Entrepreneurial BusinessTying Security Policy to Performance and AccountabilitySuccess Is Dependent Upon Proper Interpretation and EnforcementCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 5 ASSESSMENTENDNOTE

What Is an IT Policy Framework?What Is a Program Framework Policy or Charter?Purpose and MissionScopeResponsibilitiesComplianceIndustry-Standard Policy FrameworksISO/IEC 27002 (2005)NIST Special Publication (SP) 800-53What Is a Policy?What Are Standards?Issue-Specific or Control StandardsStatement of an IssueStatement of the Organization's PositionStatement of ApplicabilityDefinition of Roles and ResponsibilitiesCompliancePoints of ContactSystem-Specific or Baseline StandardsWhat Are Procedures?Exceptions to StandardsWhat Are Guidelines?Business Considerations for the FrameworkRoles for Policy and Standards Development and ComplianceInformation Assurance ConsiderationsConfidentialityIntegrityAvailabilityAuthenticationNonrepudiationInformation Systems Security ConsiderationsUnauthorized Access to and Use of the SystemUnauthorized Disclosure of the InformationDisruption of the System or ServicesModification of InformationDestruction of Information ResourcesBest Practices for IT Security Policy Framework CreationCase Studies in Policy Framework DevelopmentPrivate Sector Case StudyPublic Sector Case StudyCritical Infrastructure Protection Case StudyCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 6 ASSESSMENT
Policies and Standards Design ConsiderationsPrinciples for Policy and Standards DevelopmentTypes of Controls for Policies and StandardsSecurity Control TypesDocument Organization ConsiderationsSample TemplatesSample Policy TemplateSample Standard TemplateSample Procedure TemplateSample Guideline TemplateConsiderations For Implementing Policies and StandardsReviews and ApprovalsPublishing Your Policies and Standards LibraryAwareness and TrainingSecurity NewsletterSecurity ArticlesWhat Is . . . ?Ask UsSecurity ResourcesContactsPolicy Change Control BoardBusiness Drivers for Policy and Standards ChangesMaintaining Your Policies and Standards LibraryUpdates and RevisionsBest Practices for Policies and Standards MaintenanceCase Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security PoliciesPrivate Sector Case StudyPublic Sector Case StudyCritical Infrastructure ExampleCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 7 ASSESSMENT
IT Security Policy Framework ApproachesRisk Management and Compliance ApproachThe Physical Domains of IT Responsibility ApproachRoles, Responsibilities, and Accountability for PersonnelThe Seven Domains of a Typical IT InfrastructureOrganizational StructureOrganizational CultureSeparation of DutiesLayered Security ApproachDomain of Responsibility and AccountabilityFirst Line of DefenseSecond Line of DefenseThird Line of DefenseGovernance and ComplianceIT Security ControlsIT Security Policy FrameworkBest Practices for IT Security Policy Framework ApproachesWhat Is the Difference Between GRC and ERM?Case Studies and Examples of IT Security Policy Framework ApproachesPrivate Sector Case StudyPublic Sector Case StudyCritical Infrastructure Case StudyCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 8 ASSESSMENTENDNOTE
The Weakest Link in the Information Security ChainSocial EngineeringHuman MistakesInsidersSix Types of UsersEmployeesSystems AdministratorsSecurity PersonnelContractorsGuests and General PublicAuditorsWhy Govern Users with Policies?Acceptable Use Policy (AUP)The Privileged-Level Access Agreement (PAA)Security Awareness Policy (SAP)Best Practices for User Domain PoliciesCase Studies and Examples of User Domain PoliciesPrivate Sector Case StudiesCorporate Laptops CompromisedThe Collapse of Barings Bank, 1995Public Sector Case StudyCritical Infrastructure Case StudiesWater Treatment Plant Control Systems CompromisedDisgruntled Employee Breaches Former Employer's SystemsCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 9 ASSESSMENT
Anatomy of an Infrastructure PolicyFormat of a StandardWorkstation Domain PoliciesControl StandardsBaseline StandardsProceduresGuidelinesLAN Domain PoliciesControl StandardsBaseline StandardsProceduresGuidelinesLAN-to-WAN Domain PoliciesControl StandardsBaseline StandardsProceduresGuidelinesWAN Domain PoliciesControl StandardsBaseline StandardsProceduresGuidelinesRemote Access Domain PoliciesControl StandardsBaseline StandardsProceduresGuidelinesSystem/Application Domain PoliciesControl StandardsBaseline StandardsProceduresGuidelinesTelecommunications PoliciesControl StandardsBaseline StandardsProceduresGuidelinesBest Practices for IT Infrastructure Security PoliciesCase Studies and Examples of IT Infrastructure Security PoliciesPrivate Sector Case StudyPublic Sector Case StudyCritical Infrastructure Case StudyCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 10 ASSESSMENT
Data Classification PoliciesThe Need for Data ClassificationProtecting InformationRetaining InformationRecovering InformationMilitary Classification SchemesBusiness Classification SchemesDeveloping a Customized Classification SchemeClassifying Your DataData Handling PoliciesThe Need for Policy Governing Data at Rest and in TransitPolicies, Standards, and Procedures Covering the Data Life CycleIdentify Business Risks Related to Information SystemsTypes of RiskDevelopment and Need for Policies Based on Risk ManagementBusiness Impact Analysis (BIA) PoliciesComponent PriorityComponent RelianceImpact ReportDevelopment and Need for Policies Based on BIARisk Assessment PoliciesRisk ExposurePrioritization of Risk, Threat, and VulnerabilitiesRisk Management StrategiesVulnerability AssessmentsVulnerability WindowsPatch ManagementBusiness Continuity Planning (BCP) PoliciesDealing with Loss of Systems, Applications, or Data AvailabilityContinuity of Operations Plan (COOP)Response and Recovery Time Objectives (RTO) Policies Based on the BIADisaster Recovery Plan (DRP) PoliciesDisaster Declaration PolicyAssessment of the Severity of the Disaster and Potential DowntimeDealing with Natural Disasters, Man-Made Disasters, and Catastrophic LossDisaster Recovery Procedures for Mission-Critical System, Application, or Data Functionality and RecoveryRTO Policies Based on Disaster ScenarioBest Practices for Risk Management PoliciesCase Studies and Examples of Risk Management PoliciesPrivate Sector Case ExamplePublic Sector Case ExampleCritical Infrastructure Case StudyCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 11 ASSESSMENT
Incident Response PolicyWhat Is an Incident?Incident ClassificationThe Response Team CharterIncident Response Team MembersResponsibilities During an IncidentUsers on the Front LineSystem AdministratorsInformation Security PersonnelManagementSupport ServicesOther Key RolesProcedures for Incident ResponseDiscovering an IncidentReporting an IncidentContaining and Minimizing the DamageCleaning Up After the IncidentDocumenting the Incident and ActionsAnalyzing the Incident and ResponseCreating Mitigation to Prevent Future IncidentsHandling the Media and What to DiscloseBest Practices for Incident Response PoliciesCase Studies and Examples of Incident Response PoliciesPrivate Sector Case StudyPublic Sector Case StudyCritical Infrastructure Case StudyCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 12 ASSESSMENT
Implementation Issues for IT Security PoliciesOrganizational ChallengesOrganizational and Cultural ChangeOrganizational and Individual AcceptanceSecurity Awareness Policy ImplementationsDevelopment of an Organization-Wide Security Awareness PolicyConducting Security Awareness Training SessionsExecutive Management SponsorshipHuman Resources (HR) Ownership of New Employee OrientationReview of Acceptable Use Policies (AUPs)Information Dissemination—How to Educate EmployeesHard Copy DisseminationPosting Policies on the IntranetUsing E-mailBrown Bag Lunch and Learning SessionsOvercoming Technical HindrancesDistributed InfrastructureOutdated TechnologyLack of Standardization Throughout the IT InfrastructureOvercoming Nontechnical HindrancesDistributed EnvironmentUser TypesLack of Executive Management SupportBest Practices for IT Security Policy ImplementationsCase Studies and Examples of Successful IT Security Policy ImplementationsPrivate Sector Case StudyPublic Sector Case StudyCritical Infrastructure Case StudyCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 13 ASSESSMENTENDNOTE
Organizational Support for IT Security Policy EnforcementExecutive Management Must Provide SponsorshipHierarchical Organizational Approach to Ensure Roles, Responsibilities, and Accountabilities Are Defined for Security Policy ImplementationProject CommitteeArchitecture Review CommitteeExternal Connection CommitteeVendor Governance CommitteeSecurity Compliance CommitteeOperational Risk CommitteeFront-Line Managers and Supervisors Must Take Responsibility and Accept AccountabilityGrass-Roots EmployeesAn Organization's Right to Monitor User Actions and TrafficInternet UseE-mail UseComputer UseCompliance Law: Requirement or Risk Management?What Is Law and What Is Policy?What Security Controls Work to Enforce Protection of Privacy Data?What Automated Security Controls Can Be Implemented Through Policy?What Manual Security Controls Assist with Enforcement?Legal Implications of IT Security Policy EnforcementWho Is Ultimately Liable for Risk, Threats, and Vulnerabilities?Where Must IT Security Policy Enforcement Come From?Best Practices for IT Security Policy EnforcementCase Studies and Examples of Successful IT Security Policy EnforcementPrivate Sector Case StudyPublic Sector Case StudyCritical Infrastructure Case StudyCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 14 ASSESSMENT
Defining a Baseline Definition for Information Systems SecurityPolicy-Defining Overall IT Infrastructure Security DefinitionVulnerability Window and Information Security Gap DefinitionTracking, Monitoring, and Reporting IT Security Baseline Definition and Policy ComplianceAutomated SystemsManual Tracking and ReportingRandom Audits and Departmental ComplianceOverall Organizational Report Card for Policy ComplianceAutomating IT Security Policy ComplianceAutomated Policy DistributionTraining Administrators and UsersOrganizational AcceptanceTesting for EffectivenessAudit TrailsConfiguration Management and Change Control ManagementConfiguration Management DatabaseChange Control Work Order DatabaseTracking, Monitoring, and Reporting Configuration ChangesCollaboration and Policy Compliance across Business AreasVersion Control for Policy Implementation Guidelines and ComplianceEmerging Technologies and SolutionsSCAPSNMPWBEMWMIDigital SigningBest Practices for IT Security Policy Compliance MonitoringCase Studies and Examples of Successful IT Security Policy Compliance MonitoringPrivate Sector Case StudiesSmall Training CompanyLarge Sales OrganizationPublic Sector ExampleCritical Infrastructure Case StudyCHAPTER SUMMARYKEY CONCEPTS AND TERMSCHAPTER 15 ASSESSMENT