
Security Policies and Implementation Issues, 2nd Edition

Book Description

Part of the new Jones & Bartlett Learning Information Systems Security & Assurance Series.

Security Policies and Implementation Issues, Second Edition offers a comprehensive, end-to-end view of information security policies and frameworks, from the raw organizational mechanics of building them to the psychology of implementation. Written by an industry expert, it presents an effective balance between technical knowledge and soft skills, and introduces many different concepts of information security in clear, simple terms: governance, regulatory mandates, business drivers, legal considerations, and much more. With step-by-step examples and real-world exercises, this book is a must-have resource for students, security officers, auditors, and risk leaders looking to fully understand the process of implementing successful sets of security policies and frameworks.

Instructor Materials for Security Policies and Implementation Issues include:

  1. PowerPoint Lecture Slides
  2. Instructor's Guide
  3. Sample Course Syllabus
  4. Quiz & Exam Questions
  5. Case Scenarios/Handouts

About the Series

This book is part of the Information Systems Security and Assurance Series from Jones and Bartlett Learning. Designed for courses and curriculums in IT Security, Cybersecurity, Information Assurance, and Information Systems Security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. These titles deliver fundamental information-security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current but forward-thinking, putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow as well.

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Contents
  5. Dedication
  6. Preface
  7. Acknowledgments
  8. About the Author
  9. Part One: The Need for IT Security Policy Frameworks
    1. Chapter 1 Information Systems Security Policy Management
      1. What Is Information Systems Security?
        1. Information Systems Security Management Life Cycle
      2. What Is Information Assurance?
        1. Confidentiality
        2. Integrity
        3. Nonrepudiation
      3. What Is Governance?
      4. Why Is Governance Important?
      5. What Are Information Systems Security Policies?
      6. Where Do Information Systems Security Policies Fit Within an Organization?
      7. Why Information Systems Security Policies Are Important
        1. Policies That Support Operational Success
        2. Challenges of Running a Business Without Policies
        3. Dangers of Not Implementing Policies
        4. Dangers of Implementing the Wrong Policies
      8. When Do You Need Information Systems Security Policies?
        1. Business Process Reengineering (BPR)
        2. Continuous Improvement
        3. Making Changes in Response to Problems
      9. Why Enforcing and Winning Acceptance for Policies Is Challenging
      10. Chapter Summary
      11. Key Concepts and Terms
      12. Chapter 1 Assessment
    2. Chapter 2 Business Drivers for Information Security Policies
      1. Why Are Business Drivers Important?
      2. Maintaining Compliance
        1. Compliance Requires Proper Security Controls
        2. Security Controls Must Include Information Security Policies
        3. Relationship Between Security Controls and Information Security Policy
      3. Mitigating Risk Exposure
        1. Educate Employees and Drive Security Awareness
        2. Prevent Loss of Intellectual Property
        3. Protect Digital Assets
        4. Secure Privacy of Data
        5. Lower Risk Exposure
      4. Minimizing Liability of the Organization
        1. Separation Between Employer and Employee
        2. Acceptable Use Policies
        3. Confidentiality Agreement and Nondisclosure Agreement
        4. Business Liability Insurance Policies
      5. Implementing Policies to Drive Operational Consistency
        1. Forcing Repeatable Business Processes Across the Entire Organization
        2. Differences Between Mitigating and Compensating Controls
        3. Policies Help Prevent Operational Deviation
      6. Chapter Summary
      7. Key Concepts and Terms
      8. Chapter 2 Assessment
      9. Endnotes
    3. Chapter 3 U.S. Compliance Laws and Information Security Policy Requirements
      1. U.S. Compliance Laws
        1. What Are U.S. Compliance Laws?
        2. Why Did U.S. Compliance Laws Come About?
      2. Whom Do the Laws Protect?
      3. Which Laws Require Proper Security Controls to Be Included in Policies?
        1. Which Laws Require Proper Security Controls for Handling Privacy Data?
      4. Aligning Security Policies and Controls with Regulations
      5. Industry Leading Practices and Self-Regulation
      6. Some Important Industry Standards
        1. Payment Card Industry Data Security Standard (PCI DSS)
        2. Statement on Standards for Attestation Engagements No. 16 (SSAE16)
        3. Information Technology Infrastructure Library (ITIL)
      7. Chapter Summary
      8. Key Concepts and Terms
      9. Chapter 3 Assessment
      10. Endnotes
    4. Chapter 4 Business Challenges Within the Seven Domains of IT Responsibility
      1. The Seven Domains of a Typical IT Infrastructure
        1. User Domain
        2. Workstation Domain
        3. LAN Domain
        4. LAN-to-WAN Domain
        5. WAN Domain
        6. Remote Access Domain
        7. System/Application Domain
      2. Information Security Business Challenges and Security Policies That Mitigate Risk Within the Seven Domains
        1. User Domain
        2. Workstation Domain
        3. LAN Domain
        4. LAN-to-WAN Domain
        5. WAN Domain
        6. Remote Access Domain
        7. System/Application Domain
      3. Chapter Summary
      4. Key Concepts and Terms
      5. Chapter 4 Assessment
    5. Chapter 5 Information Security Policy Implementation Issues
      1. Human Nature in the Workplace
        1. Basic Elements of Motivation
        2. Personality Types of Employees
        3. Leadership, Values, and Ethics
      2. Organizational Structure
        1. Flat Organizations
        2. Hierarchical Organizations
      3. The Challenge of User Apathy
      4. The Importance of Executive Management Support
        1. Selling Information Security Policies to an Executive
        2. Before, During, and After Policy Implementation
      5. The Role of Human Resources Policies
        1. Relationship Between HR and Security Policies
        2. Lack of Support
      6. Policy Roles, Responsibilities, and Accountability
        1. Change Model
        2. Responsibilities During Change
        3. Roles and Accountabilities
      7. When Policy Fulfillment Is Not Part of Job Descriptions
      8. Impact on Entrepreneurial Productivity and Efficiency
        1. Applying Security Policies to an Entrepreneurial Business
      9. Tying Security Policy to Performance and Accountability
      10. Chapter Summary
      11. Key Concepts and Terms
      12. Chapter 5 Assessment
      13. Endnote
  10. Part Two: Types of Policies and Appropriate Frameworks
    1. Chapter 6 IT Security Policy Frameworks
      1. What Is an IT Policy Framework?
      2. What Is a Program Framework Policy or Charter?
        1. Industry-Standard Policy Frameworks
        2. What Is a Policy?
        3. What Are Standards?
        4. What Are Procedures?
        5. What Are Guidelines?
      3. Business Considerations for the Framework
        1. Roles for Policy and Standards Development and Compliance
      4. Information Assurance Considerations
        1. Confidentiality
        2. Integrity
        3. Availability
      5. Information Systems Security Considerations
        1. Unauthorized Access to and Use of the System
        2. Unauthorized Disclosure of the Information
        3. Disruption of the System or Services
        4. Modification of Information
        5. Destruction of Information Resources
      6. Best Practices for IT Security Policy Framework Creation
      7. Case Studies in Policy Framework Development
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Private Sector Case Study
      8. Chapter Summary
      9. Key Concepts and Terms
      10. Chapter 6 Assessment
    2. Chapter 7 How to Design, Organize, Implement, and Maintain IT Security Policies
      1. Policies and Standards Design Considerations
        1. Architecture Operating Model
        2. Principles for Policy and Standards Development
        3. The Importance of Transparency with Regard to Customer Data
        4. Types of Controls for Policies and Standards
      2. Document Organization Considerations
        1. Sample Templates
      3. Considerations for Implementing Policies and Standards
        1. Building Consensus on Intent
        2. Reviews and Approvals
        3. Publishing Your Policies and Standards Library
        4. Awareness and Training
      4. Policy Change Control Board
        1. Business Drivers for Policy and Standards Changes
      5. Maintaining Your Policies and Standards Library
        1. Updates and Revisions
      6. Best Practices for Policies and Standards Maintenance
      7. Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies
        1. Private Sector Case Study
        2. Public Sector Case Study
      8. Chapter Summary
      9. Key Concepts and Terms
      10. Chapter 7 Assessment
    3. Chapter 8 IT Security Policy Framework Approaches
      1. IT Security Policy Framework Approaches
        1. Risk Management and Compliance Approach
        2. The Physical Domains of IT Responsibility Approach
      2. Roles, Responsibilities, and Accountability for Personnel
        1. The Seven Domains of a Typical IT Infrastructure
        2. Organizational Structure
        3. Organizational Culture
      3. Separation of Duties
        1. Layered Security Approach
        2. Domain of Responsibility and Accountability
      4. Governance and Compliance
        1. IT Security Controls
        2. IT Security Policy Framework
      5. Best Practices for IT Security Policy Framework Approaches
        1. What Is the Difference Between GRC and ERM?
      6. Case Studies and Examples of IT Security Policy Framework Approaches
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      7. Chapter Summary
      8. Key Concepts and Terms
      9. Chapter 8 Assessment
      10. Endnote
    4. Chapter 9 User Domain Policies
      1. The Weakest Link in the Information Security Chain
        1. Social Engineering
        2. Human Mistakes
        3. Insiders
      2. Seven Types of Users
        1. Employees
        2. Systems Administrators
        3. Security Personnel
        4. Contractors
        5. Vendors
        6. Guests and General Public
        7. Control Partners
        8. Contingent
        9. System
      3. Why Govern Users with Policies?
      4. Acceptable Use Policy (AUP)
      5. The Privileged-Level Access Agreement (PAA)
      6. Security Awareness Policy (SAP)
      7. Best Practices for User Domain Policies
      8. Understanding Least Access Privileges and Best Fit Privileges
      9. Case Studies and Examples of User Domain Policies
        1. Government Laptop Compromised
        2. The Collapse of Barings Bank, 1995
        3. Unauthorized Access to Defense Department Systems
      10. Chapter Summary
      11. Key Concepts and Terms
      12. Chapter 9 Assessment
    5. Chapter 10 IT Infrastructure Security Policies
      1. Anatomy of an Infrastructure Policy
        1. Format of a Standard
      2. Workstation Domain Policies
      3. LAN Domain Policies
      4. LAN-to-WAN Domain Policies
      5. WAN Domain Policies
      6. Remote Access Domain Policies
      7. System/Application Domain Policies
      8. Telecommunications Policies
      9. Best Practices for IT Infrastructure Security Policies
      10. Case Studies and Examples of IT Infrastructure Security Policies
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 10 Assessment
    6. Chapter 11 Data Classification and Handling Policies and Risk Management Policies
      1. Data Classification Policies
        1. When Is Data Classified or Labeled?
        2. The Need for Data Classification
        3. Legal Classification Schemes
        4. Military Classification Schemes
        5. Business Classification Schemes
        6. Developing a Customized Classification Scheme
        7. Classifying Your Data
      2. Data Handling Policies
        1. The Need for Policy Governing Data at Rest and in Transit
        2. Policies, Standards, and Procedures Covering the Data Life Cycle
      3. Identifying Business Risks Related to Information Systems
        1. Types of Risk
        2. Development and Need for Policies Based on Risk Management
      4. Risk and Control Self-Assessment
      5. Risk Assessment Policies
        1. Risk Exposure
        2. Prioritization of Risk, Threat, and Vulnerabilities
        3. Risk Management Strategies
        4. Vulnerability Assessments
        5. Vulnerability Windows
        6. Patch Management
      6. Quality Assurance Versus Quality Control
      7. Best Practices for Data Classification and Risk Management Policies
      8. Case Studies and Examples of Data Classification and Risk Management Policies
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Private Sector Case Study
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 11 Assessment
    7. Chapter 12 Incident Response Team (IRT) Policies
      1. Incident Response Policy
        1. What Is an Incident?
      2. Incident Classification
      3. The Response Team Charter
      4. Incident Response Team Members
      5. Responsibilities During an Incident
        1. Users on the Front Line
        2. System Administrators
        3. Information Security Personnel
        4. Management
        5. Support Services
        6. Other Key Roles
      6. Business Impact Analysis (BIA) Policies
        1. Component Priority
        2. Component Reliance
        3. Impact Report
        4. Development and Need for Policies Based on the BIA
      7. Procedures for Incident Response
        1. Discovering an Incident
        2. Reporting an Incident
        3. Containing and Minimizing the Damage
        4. Cleaning Up After the Incident
        5. Documenting the Incident and Actions
        6. Analyzing the Incident and Response
        7. Creating Mitigation to Prevent Future Incidents
        8. Handling the Media and Deciding What to Disclose
        9. Business Continuity Planning Policies
        10. Dealing with Loss of Systems, Applications, or Data Availability
      8. Response and Recovery Time Objectives Policies Based on the BIA
      9. Best Practices for Incident Response Policies
      10. Disaster Recovery Plan Policies
        1. Disaster Declaration Policy
        2. Assessment of the Disaster’s Severity and of Potential Downtime
      11. Case Studies and Examples of Incident Response Policies
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      12. Chapter Summary
      13. Key Concepts and Terms
      14. Chapter 12 Assessment
  11. Part Three: Implementing and Maintaining an IT Security Policy Framework
    1. Chapter 13 IT Security Policy Implementations
      1. Simplified Implementation Process
      2. Target State
        1. Distributed Infrastructure
        2. Outdated Technology
        3. Lack of Standardization Throughout the IT Infrastructure
      3. Executive Buy-in, Cost, and Impact
        1. Executive Management Sponsorship
        2. Overcoming Nontechnical Hindrances
      4. Policy Language
      5. Employee Awareness and Training
        1. Organizational and Individual Acceptance
        2. Motivation
        3. Developing an Organization-Wide Security Awareness Policy
        4. Conducting Security Awareness Training Sessions
        5. Human Resources Ownership of New Employee Orientation
        6. Review of Acceptable Use Policies (AUPs)
      6. Information Dissemination—How to Educate Employees
        1. Hard Copy Dissemination
        2. Posting Policies on the Intranet
        3. Using E-mail
        4. Brown Bag Lunches and Learning Sessions
      7. Policy Implementation Issues
      8. Governance and Monitoring
      9. Best Practices for IT Security Policy Implementations
      10. Case Studies and Examples of IT Security Policy Implementations
        1. Private Sector Case Study
        2. Public Sector Case Study
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 13 Assessment
    2. Chapter 14 IT Security Policy Enforcement
      1. Organizational Support for IT Security Policy Enforcement
        1. Executive Management Sponsorship
        2. Governance Versus Management Organizational Structure
        3. The Hierarchical Organizational Approach to Security Policy Implementation
        4. Front-Line Managers’ and Supervisors’ Responsibility and Accountability
        5. Grass-Roots Employees
      2. An Organization’s Right to Monitor User Actions and Traffic
      3. Compliance Law: Requirement or Risk Management?
      4. What Is Law and What Is Policy?
        1. What Security Controls Work to Enforce Protection of Privacy Data?
      5. What Automated Security Controls Can Be Implemented Through Policy?
        1. What Manual Security Controls Assist with Enforcement?
      6. Legal Implications of IT Security Policy Enforcement
      7. Who Is Ultimately Accountable for Risk, Threats, and Vulnerabilities?
        1. Where Must IT Security Policy Enforcement Come From?
      8. Best Practices for IT Security Policy Enforcement
      9. Case Studies and Examples of Successful IT Security Policy Enforcement
        1. Private Sector Case Study
        2. Public Sector Case Study No. 1
        3. Public Sector Case Study No. 2
      10. Chapter Summary
      11. Key Concepts and Terms
      12. Chapter 14 Assessment
    3. Chapter 15 IT Policy Compliance and Compliance Technologies
      1. Creating a Baseline Definition for Information Systems Security
        1. Policy-Defining Overall IT Infrastructure Security Definition
        2. Vulnerability Window and Information Security Gap Definition
      2. Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
        1. Automated Systems
        2. Random Audits and Departmental Compliance
        3. Overall Organizational Report Card for Policy Compliance
      3. Automating IT Security Policy Compliance
        1. Automated Policy Distribution
        2. Configuration Management and Change Control Management
        3. Collaboration and Policy Compliance Across Business Areas
        4. Version Control for Policy Implementation Guidelines and Compliance
      4. Compliance Technologies and Solutions
        1. COSO Internal Controls Framework
        2. SCAP
        3. SNMP
        4. WBEM
        5. Digital Signing
      5. Best Practices for IT Security Policy Compliance Monitoring
      6. Case Studies and Examples of Successful IT Security Policy Compliance Monitoring
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Nonprofit Sector Case Study
      7. Chapter Summary
      8. Key Concepts and Terms
      9. Chapter 15 Assessment
  12. Appendix A: Answer Key
  13. Appendix B: Standard Acronyms
  14. Glossary of Key Terms
  15. References
  16. Index