Unit Outline
Information Security Policy
Module 1: Purpose
Module 2: Life Cycle
Module 3: Terminology
Module 4: Structure
Module 5: Summary




Sanjay Goel, School of Business/Center for Information Forensics and Assurance   1
University at Albany Proprietary Information
Module 4: Structure
Structure
Learning Objectives
• Students should be able to:
        – Create a general security policy program.
        – Know what the components of a security policy program,
          issue-specific policy, and acceptable use guidelines are.

Structure
Security Policy Outline
Information Security Policy
  Security Program Policy (High-Level)
    Issue-Specific Policy (Low-Level)
      System-Specific Policy (Low-Level)
      System-Specific Policy (Low-Level)
    Issue-Specific Policy (Low-Level)
      System-Specific Policy (Low-Level)
      System-Specific Policy (Low-Level)
  Acceptable Use Guidelines (High-Level)

Structure
Security Program Policy
• A security program policy is a high-level policy which contains the
  general rationale and purpose of an information security policy,
  as well as related definitions, roles and responsibilities, and
  compliance.
Information Security Policy
  Security Program Policy
    Introduction: Purpose, Policy Statement, Scope
    Issue-Specific Policy Summaries
    Roles & Responsibilities
    Relevant Resources: References, Definitions

Structure
Security Program Policy: Introduction
• Purpose
        – The purpose usually contains the rationale for why the information
          security policy is being created.
• Policy Statement
        – The policy statement describes organizational values and philosophy
          on issues detailed within the security policy.
• Scope
        – The scope details application constraints of the information security
          policy. For example, it can specify the departments, personnel, and
          systems that it will impact. This is usually determined as a result of a
          risk analysis.

Structure
Security Program Policy: Issue-Specific Summaries
• While the introductory sections of the security policy should be
  created first, most of the Security Program Policy should be
  developed after issue-specific and system-specific policies.
• Issue-Specific Summaries go through all of the issue-specific
  policies defined throughout the entire security policy and give a
  top-level overview.

Structure
Security Program Policy: Roles & Responsibilities
• The roles and responsibilities section lists relevant personnel and
  the responsibilities they have related to the information security
  policy. These responsibilities and role definitions usually
  include:
        – Development, maintenance, and publication of present and future
          policy
        – Creation and decision of relevant procedures for policies
        – Implementation of policies
        – Enforcement of policies (dealing with violations)
        – Monitoring and auditing of compliance
        – User responsibilities

Structure
Security Program Policy: Relevant Resources
• References
        – Pertain to past policies which the information security policy
          supersedes, related legislation and laws, other relevant
          organizational policies or guidelines, and international standards.
        – These may be listed in the form of a link or citation.
        – These are useful in providing the context for an information
          security policy.
• Definitions
        – Clarify the meaning of terms (e.g. general information security,
          information technology, and specific roles).
        – Definitions should be concise and easy-to-understand in order to be
          effective.
        – The point of including definitions is to avoid misunderstandings in
          language and to provide a frame of reference.
Structure
Low-Level Policy
Information Security Policy
  Issue-Specific Policy
    Background/Rationale
    Description
    Sub-Category
      Background/Rationale
      Description
      Guidelines
      System-Specific Policy
        Implementation Procedures
        Enforcement Procedures
        Evaluation Procedures
      References
      Definitions
Structure
Low-Level Policy: Issue-Specific
• Issue-Specific policies usually focus on areas defined by a
  previous risk analysis and usually differ from organization to
  organization. However, all issue-specific policies do share
  common elements, despite variations in order or location
  within a document.
• They contain multiple sections, but should begin with an
  initial description of what the controls constitute (sub-
  categories), why they are important for the organization, and
  the associated risks that they impact.

Structure
Low-Level Policy: Sub-Category General
• Issue-Specific policies are usually higher-level areas of
  security controls, which contain sub-categories.
• Sub-categories of issue-specific policies will also contain a
  description, background, and associated risks.
• In addition, similar to the higher-level issue-specific policy,
  there may be references to other documents, organizational
  processes, etc., as well as defined terms for clarification
  purposes.

Structure
Low-Level Policy: Sub-Category Specific
• They also tend to include:
        – Specific guidelines which reference responsibilities and roles and are
          dependent on the sub-category. These can also include acceptable
          use guidelines.
        – Procedures for implementation (includes responsibilities and roles;
          instructions; guidelines; standards; system-specific steps; as well as
          training and awareness programs)
        – Procedures for enforcement (includes responsibilities and roles,
          reporting procedures and procedures for dealing with violations)
        – Procedures for evaluation (includes processes for
          evidence/documentation for evaluation, schedule for auditing,
          monitoring methods, auditing methods)

Structure
Acceptable Use Guidelines
• Acceptable Use Guidelines, like the Security Program Policy, are considered a
  high-level policy.
• They are basically a summary of all acceptable use guidelines and can be
  categorized by the issue they are specific to and/or to whom they apply.
• Acceptable Use Guidelines are usually compiled and distributed within
  pamphlets to regular users who neither need nor want detailed
  implementation and/or enforcement procedures and simply want to know
  what they may and may not do so that they do not cause damage to
  themselves or the organization.

Information Security Policy
  Acceptable Use Guidelines

Structure
Exercise
• A good way of applying what has been learned in this
  module would be to view a genuine security program policy.
• In a linked zip file you should find the following:
        – “Business & Finance Bulletin IS-3 Electronic Information Security”,
          which is a security program policy from the University of California.
        – “HEP-C Alert, Inc. General Security Policy” from the company
          HEP-C Alert, Inc.
        – “Cyber-Security Policy P03-002”, version 2.0 of a security program
          policy for New York State government agencies.
        – “Government Security Policy”, a security program policy for the
          Canadian government.
• While there are some differences in how they are applied, it is
  apparent that the main aspects of the security program policy
  detailed in this module are contained within all of these documents.
Structure
Summary
• An information security policy is made up of high-level policies
  (security program policy and acceptable use guidelines) as well
  as low-level policies (issue-specific and system-specific).
• A security program policy contains:
        – Purpose, Policy Statement, Scope, Issue-Specific Policy Summaries,
          Roles and Responsibilities, References, and Definitions.
• An issue-specific policy can contain sub-categories. Both of
  these contain a definition, rationale, references, and definitions.
• However, the sub-categories also tend to contain acceptable use
  guidelines, and specific procedures for implementation,
  enforcement and evaluation.
