
CST 233 INFORMATION SECURITY AND ASSURANCE

ASSIGNMENT 2 WHITEPAPER TYPES OF SECURITY POLICIES : EISP, ISSP AND SysSP

PREPARED BY: MUHAMAD AMIRUL BIN MAT HUSSAIN 106711

LECTURER: DR AMAN JANTAN

2011/2012

Table of Contents
1. Introduction
2. Definitions of Policy
3. Purpose of Policy
4. Types of Security Policy
   4.1 Enterprise Information Security Policy (EISP)
   4.2 Issue-Specific Security Policy (ISSP)
   4.3 Systems-Specific Policy (SysSP)
5. Case Study
6. Conclusion
References

1. Introduction

The meaning of the term security policy, and the importance of information security to management and to the business, are still not recognized by many people in organizations and companies. Management from all communities of interest, including general management, information technology management, and information security management, should establish policies for their organization. Policies direct how issues are to be addressed and how technologies are to be used. For a large company or organization, developing a single policy document that speaks to every type of user and addresses every necessary information security issue may be difficult. It should be noted that there is no single method for developing a security policy or set of policies. Many factors must be taken into account, including the type of audience and the nature and size of the business. This paper therefore addresses the three types of security policy that the management of each company or organization must define: Enterprise Information Security Policies (EISP), Issue-Specific Security Policies (ISSP), and Systems-Specific Security Policies (SysSP).

2. Definitions of Policy

In discussions of computer security, the term policy has more than one meaning. As noted in the Office of Technology Assessment report Information Security and Privacy in Network Environments (1994), "Security Policy refers here to the statements made by organizations, corporations, and agencies to establish overall policy on information access and safeguards." Another meaning comes from Principles of Information Security, 4th Edition (2012), which describes policy as the plan or course of action that conveys instructions from an organization's senior management to those who make decisions, take actions, and perform other duties. In that sense, policy is senior management's directive to create a computer security program, establish its goals, and assign responsibilities. The term policy is also used to refer to the specific security rules for particular systems. Additionally, policy may refer to entirely different matters, such as the specific managerial decisions that set an organization's e-mail privacy policy, its policy on use of the Internet, and others.

3. Purpose of Policy

A security policy should fulfill many purposes. At a minimum, a policy should:

- Protect people and information
- Set the rules for expected behavior by users, system administrators, management, and security personnel
- Authorize security personnel to monitor, probe, and investigate
- Define and authorize the consequences of violation
- Define the company's consensus baseline stance on security
- Help minimize risk
- Help track compliance with regulations and legislation

Information security policies provide a framework of good practice that can be followed by all employees. They help to ensure that risk is minimized and that any security incidents are responded to effectively. Information security policies also help turn staff into participants in the company's efforts to secure its information assets, and the process of developing these policies helps to define what the company's information assets are. An information security policy defines the organization's attitude to information, and announces internally and externally that information is an asset, the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction.

4. Types of Security Policy

4.1 Enterprise Information Security Policy (EISP)

A management official, normally the head of the organization or the senior administration official, issues program policy to establish (or restructure) the organization's computer security program and its basic structure. The EISP is based on and directly supports the mission, vision, and direction of the organization. This high-level policy defines the purpose of the program and its scope within the organization, assigns responsibility for direct program implementation (to the computer security organization) as well as other responsibilities to related offices (such as the Information Resources Management [IRM] organization), and addresses compliance issues. The EISP sets the organization's strategic direction for security and assigns resources for its implementation. A good EISP should address the following components:

Purpose : Program policy normally includes a statement describing why the program is being established. This may include defining the goals of the program. Security-related needs, such as integrity, availability, and confidentiality, can form the basis of organizational goals established in policy. For instance, in an organization responsible for maintaining large mission-critical databases, reduction in errors, data loss, and data corruption, and the ability to recover, might be specifically stressed. In an organization responsible for maintaining confidential personal data, however, the goals might emphasize stronger protection against unauthorized disclosure.

Scope : Program policy should be clear as to which resources, including facilities, hardware, software, information, and personnel, the computer security program covers. In many cases the program will encompass all systems and all organizational personnel, but this is not always true. In some instances it may be appropriate for an organization's computer security program to be more limited in scope.

Responsibilities : Once the computer security program is established, its management is normally assigned to either a newly created or an existing office. The responsibilities of officials and offices throughout the organization also need to be addressed, including line managers, application owners, users, and data processing staff. This section of the policy statement would, for example, distinguish between the responsibilities of computer service providers and those of the managers of the applications that use the provided services. The policy could also establish operational security offices for major systems, particularly those at high risk or most critical to organizational operations. It also serves as the basis for establishing employee accountability.

Compliance : The EISP typically addresses two compliance issues:

1. General compliance, to ensure that the requirements to establish a program, and the responsibilities assigned in it to the various organizational components, are met. Often an oversight office, for example the Inspector General, is assigned responsibility for monitoring compliance, including how well the organization is implementing management's priorities for the program.

2. The use of specified penalties and disciplinary actions. Since the EISP is a high-level document, specific penalties for particular infractions are normally not detailed here; instead, the policy may authorize the creation of compliance structures that define violations and the specific disciplinary actions for them.

4.2 Issue-Specific Security Policy (ISSP)

Unlike the EISP, which is intended to address the broad, organization-wide computer security program, issue-specific security policies (ISSP) are developed to focus on areas of current relevance and concern to an organization. Management may find it appropriate, for example, to issue a policy on the minimum configuration of computers to defend against worms and viruses, or on the use of the Internet. A policy could also be issued, for example, prohibiting hacking and unauthorized testing of the organization's security controls. An ISSP may also be appropriate when new issues arise, such as when implementing a recently passed law that requires additional protection of particular information. The EISP is usually broad enough that it does not require much modification over time, whereas ISSPs are likely to require more frequent revision as technology and related factors change. Just as the EISP has its own components, a good ISSP also needs to include the following components:

Statement of Policy : Defines the scope and applicability of the policy, the technology addressed, and the responsibilities of the persons in charge of or covered by the policy.

Authorized Access and Usage of Equipment : Explains user access, fair and responsible use, and the protection of privacy.

Prohibited Usage of Equipment : Defines and explains disruptive use or misuse, offensive or harassing materials, and other restrictions.

Systems Management : Focuses on the user's relationship to systems management. Specific rules from management include regulating the use of e-mail, storage of materials, virus protection, encryption, and physical security.

Violations of Policy : The policy statement should contain the procedures for reporting violations and the penalties for violations.

Limitations of Liability : Statements of liability, for example that the company will not protect an employee who is caught violating company policy.

4.3 Systems-Specific Policy (SysSP)

While ISSPs are formalized as written documents readily identifiable as policy, systems-specific policies (SysSP) look different. They often function as standards or procedures to be used when configuring and maintaining a system. A SysSP is much more focused, since it addresses only one system. A system-specific security policy has two components: security objectives (also called managerial guidance) and operational security rules (technical specifications). It is often accompanied by implementing procedures and guidelines.

Security Objectives : The first step in the management process is to define security objectives for the specific system. A security objective needs to be specific; it should be concrete and well defined. It should also be stated so that it is clear the objective is achievable. Security objectives consist of a series of statements that describe meaningful actions on explicit resources. These objectives should be based on the system's functional or mission requirements, but should state the security actions that support those requirements.

Operational Security Rules : After management has determined the security objectives, the rules for operating the system can be laid out, for example to define authorized and unauthorized modification: who may use the system, what authorized users may access, and when and from where they may access it. This level of specificity is captured in Access Control Lists (ACLs), which give the administrator powerful control. Besides ACLs, configuration rule policies can also be included in this component.
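The operational security rules described above (who, what, when, and from where) can be written down as an ACL and evaluated mechanically. The following Python is an added example, not code from this paper or from any USM policy: it encodes a handful of constructed rules for a hypothetical "hr-db" system and evaluates requests against them with default deny and explicit deny taking precedence. All subjects, resources, networks, and time windows are invented for illustration.

```python
"""Added example: evaluating system-specific operational security rules as an ACL.

Every rule, subject, resource and network below is constructed for illustration;
none of it comes from the paper or from a real policy.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    subjects: FrozenSet[str]        # user names or role names the rule applies to
    resource: str                   # exact resource name, or a prefix ending in '*'
    actions: FrozenSet[str]         # e.g. {"read", "write"}
    source_nets: tuple              # networks a request may originate from
    window: Optional[Tuple[time, time]]  # (start, end) time of day, None = any time
    effect: str = "allow"           # "allow" or "deny"


def _resource_matches(pattern: str, resource: str) -> bool:
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def _in_window(window: Optional[Tuple[time, time]], when: datetime) -> bool:
    if window is None:
        return True
    start, end = window
    t = when.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end   # window that wraps past midnight


def evaluate(acl, subject, roles, resource, action, source_ip, when):
    """Return (decision, reason). An explicit deny wins over any allow;
    a request that matches no rule at all is denied (default deny)."""
    ip = ip_address(source_ip)
    who = {subject, *roles}
    decision, reason = "deny", "no matching rule (default deny)"
    for i, r in enumerate(acl):
        if not (who & r.subjects):
            continue
        if not _resource_matches(r.resource, resource):
            continue
        if action not in r.actions:
            continue
        if not any(ip in net for net in r.source_nets):
            continue
        if not _in_window(r.window, when):
            continue
        if r.effect == "deny":
            return "deny", f"rule {i} explicitly denies"
        decision, reason = "allow", f"rule {i} allows"
    return decision, reason


# Constructed rule set for a hypothetical HR database system (assumption, not a real policy).
CAMPUS = ip_network("10.0.0.0/8")            # assumed internal network
DBA_JUMP_HOST = ip_network("10.1.5.0/24")    # assumed admin jump-host subnet
ANYWHERE = (ip_network("0.0.0.0/0"), ip_network("::/0"))
BUSINESS_HOURS = (time(8, 0), time(18, 0))

ACL = [
    # Staff may read HR records, only from campus, only during business hours.
    Rule(frozenset({"staff"}), "hr-db/*", frozenset({"read"}), (CAMPUS,), BUSINESS_HOURS),
    # DBAs may read and write at any hour, but only from the jump-host subnet.
    Rule(frozenset({"dba"}), "hr-db/*", frozenset({"read", "write"}), (DBA_JUMP_HOST,), None),
    # Interns are never allowed to read salary data, regardless of other roles.
    Rule(frozenset({"intern"}), "hr-db/salary", frozenset({"read"}), ANYWHERE, None, effect="deny"),
]


def check(subject, roles, resource, action, source_ip, when_iso):
    """Convenience wrapper: evaluate one request against ACL and return just the decision."""
    decision, _ = evaluate(ACL, subject, set(roles), resource, action,
                           source_ip, datetime.fromisoformat(when_iso))
    return decision


if __name__ == "__main__":
    # Constructed sample requests; each line shows the decision and the rule that produced it.
    requests = [
        ("alice", ["staff"], "hr-db/employees", "read", "10.2.3.4", "2024-03-04T10:00:00"),
        ("alice", ["staff"], "hr-db/employees", "read", "203.0.113.9", "2024-03-04T10:00:00"),
        ("alice", ["staff"], "hr-db/employees", "read", "10.2.3.4", "2024-03-04T22:00:00"),
        ("bob", ["dba"], "hr-db/employees", "write", "10.1.5.10", "2024-03-04T03:00:00"),
        ("bob", ["dba"], "hr-db/employees", "write", "10.2.3.4", "2024-03-04T03:00:00"),
        ("carol", ["staff", "intern"], "hr-db/salary", "read", "10.2.3.4", "2024-03-04T10:00:00"),
    ]
    for req in requests:
        subject, roles, resource, action, ip, when = req
        decision, reason = evaluate(ACL, subject, set(roles), resource, action,
                                    ip, datetime.fromisoformat(when))
        print(f"{subject:6} {action:5} {resource:18} from {ip:12} at {when[11:16]}: {decision} ({reason})")
```

Two design choices matter here. First, the evaluator never returns allow unless some rule explicitly grants the request, so a system that is missing a rule fails closed. Second, a deny rule is returned as soon as it matches, so a user who accumulates roles (an intern who is also staff) cannot use one role to bypass a restriction attached to another; this is the behaviour a SysSP's operational rules should pin down before the ACL is configured.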


5. Case Study : The Implementation of EISP, ISSP and SysSP in the USM ICT Security Policy

The Centre for Knowledge, Communication, and Technology (PPKT) is the department responsible for ICT at Universiti Sains Malaysia (USM). All of the infrastructure, such as networking, telecommunications, and ICT security, is controlled by this department. For a large organization like USM, ICT security is a clear requirement, so this department produced the ICT Security Policy that is applied across USM's management. In this ICT Security Policy they have implemented the components of an EISP. Below are some of the EISP components found in the USM ICT Security Policy:

1) Statement of Purpose

The policy clearly states the mission of the university's ICT policy: to minimize the risk to resources, to ensure that ICT resources are adequately protected from abuse, theft, and loss, and to protect the interests of parties that rely on the ICT resources from the effects of failure or weakness in the confidentiality, integrity, availability, validity, and accessibility of those resources.

2) Scope


Figure 1 : Scope of ICT Security Policy USM

3) Responsibilities

Figure 2 : Statement of Role and Responsibilities in ICT Security Policy USM


Below are some of the ISSP components implemented in the USM ICT Security Policy:

1) Authorized Access and Usage of Equipment in ICT Security Policy USM

2) Prohibited Usage of Equipment in ICT Security Policy USM


3) Specific Rules from Management : Use of Email in ICT Security Policy USM

The Implementation of SysSP in ICT Security Policy USM

1) Security Objective

Figure 3


The statement of general principles in Figure 3 above shows the implementation of the security objectives that a SysSP requires.

2) Operational Security Rules

Figure 4

The statement in Figure 4 above sets out the Access Control List (ACL) for the system: which users may access it and what each authorized user may access.


6. Conclusion

In conclusion, this paper has described and explained the three types of security policy that the management of each company or organization must define: Enterprise Information Security Policies (EISP), Issue-Specific Security Policies (ISSP), and Systems-Specific Security Policies (SysSP). The purpose of these policies, and why each organization and company needs to implement them in its management, has also been explained. Each type of policy was discussed in detail in turn. This paper also examined a real case, the USM ICT Security Policy, to see how these three types of security policy have been implemented in an actual policy.


References

1. Michael E. Whitman and Herbert J. Mattord (2012). Principles of Information Security, 4th Edition.
2. NIST Special Publication 800-12. An Introduction to Computer Security: The NIST Handbook.
3. Sorcha Diver (2007). Information Security Policy: A Development Guide for Large and Small Companies. SANS Institute.
4. Polisi Keselamatan ICT USM. Available at: ict-security.usm.my
5. Universiti Sains Malaysia (2010). Policy on Closed Circuit Television (CCTV): Monitoring, Recording, Role and Technical Standards.

