OBJECTIVES

Compose a statement of authority

Develop and evaluate policies related to the information security policy document's objectives and ownership

Create and assess policies associated with the management of security-related activities

Assess and manage the risks inherent in working with third parties

COMPOSING A STATEMENT OF AUTHORITY

The statement should be issued by an authority figure such as the CEO or President

Buy-in from top management is a must

It gives the policy the credibility it needs in the eyes of all employees

COMPOSING A STATEMENT OF AUTHORITY CONT.

The statement is an introduction to the policy

Statement of authority & statement of culture

It sets the tone for the document to come

It exposes the values of the company and what security measures will be deployed to protect them

It is an attempt at recruiting employees to act in a secure fashion to protect the company

COMPOSING A STATEMENT OF AUTHORITY CONT.

The goal of the statement of authority: to deliver a clear message about the importance of information security to all employees

If the message is not clear, employees will either act erroneously by mistake or disregard the whole document altogether

The statement is a teaching tool

It should be created, promoted and used as such

COMPOSING A STATEMENT OF AUTHORITY CONT.

The statement should reflect the company culture in both format and content

Information security is first and foremost cultural and behavioral

Employees need to identify with and embrace the company culture

This is made easier if the documents that make up the security policy are clearly in accordance with the company culture

SECURITY POLICY DOCUMENT POLICY

States the need for written information security policies as well as who is responsible for creating, approving, enforcing & reviewing policies

These responsibilities must be clearly stated in the document so that no phase of the process is abandoned or ignored

Strong leadership is always a part of successful information security policies

SECURITY POLICY DOCUMENT POLICY CONT.

Emphasizes management's approach and commitment to information security

No information security policy can be successful without full and unequivocal support from management

It's a policy about needing and having policies!

FEDERAL LAW & INFORMATION SECURITY POLICY

Many private sector industries are federally regulated:

Financial sector:
  GLBA (Gramm-Leach-Bliley Act)
  SOX (Sarbanes-Oxley, which affects publicly-traded companies)

Healthcare:
  HIPAA (Health Insurance Portability & Accountability Act)

Educational institutions:
  FERPA (Family Educational Rights & Privacy Act)

FEDERAL LAW & INFORMATION SECURITY POLICY CONT.

Some organizations may fall under several federal mandates

If necessary, companies should hire 3rd-party experts to identify under which mandates a company falls

ISO 17799 (renumbered as ISO/IEC 27002 in 2007) can be mapped to several federal mandate regulations

Here again, it may be advantageous to hire 3rd-party compliance experts to guide and support the company's compliance team

SECURITY POLICY DOCUMENT POLICY CONT.

The Information Security Policy Document policy should reference the federal and state regulations to which the organization is subject

It is important to integrate those regulations into the policies written for and deployed by the company

The first step towards compliance is awareness!

THE NEED FOR AN EMPLOYEE VERSION OF THE SECURITY POLICIES

The whole document can be too complex & intimidating

The goal is to create a guide of what is acceptable and what is not. Making the document too complex defeats that purpose

The goal is for employees to read, understand and act according to the policies

The policies are useless without proper employee support

THE NEED FOR AN EMPLOYEE VERSION OF THE SECURITY POLICIES CONT.

Employees should only be given those policies that apply to them

Need-to-know and the concept of least privilege apply here as well!

An Acceptable Use Agreement should be drafted and distributed to all employees

It should include (but is not limited to):
  An Internet use policy
  An email use policy

THE NEED FOR AN EMPLOYEE VERSION OF THE SECURITY POLICIES CONT.

Remind all employees that information cannot be protected if they don't all buy in and adopt the policies that regulate the company

Again, information security is behavioral and cultural

There is no technical device that a company can deploy that will protect the confidentiality, integrity and availability of data if employees are not also enrolled in actively protecting the company's data

POLICIES ARE DYNAMIC

Organizations change, either directly or indirectly. Their policies must also change to reflect this dynamic situation

Scheduled, regular reviews should take place

Change drivers are events within an organization that affect culture, procedures, activities, responsibilities, and more

Change drivers must be identified and analyzed

POLICIES ARE DYNAMIC CONT.

Change drivers may introduce new activities and/or vulnerabilities

Identified change drivers should trigger new risk & vulnerability assessments

Companies should also have regularly scheduled risk and vulnerability assessments

For separation of duties purposes, it is recommended that vulnerability assessments be conducted by 3rd-party consultants

POLICIES ARE DYNAMIC CONT.

Who is responsible for this document?

The ISO (Information Security Officer), or a member of upper management

What ownership means:
  Developing, maintaining & reviewing policies

The policy owner does not approve policies. That is done at a higher level

The Information Security Policy Document defines both ownership and authority

POLICIES ARE DYNAMIC CONT.

Decisions should include:
  Who is in charge of security management?
  What is the scope of their enforcement authority?
  When should third-party expertise be brought in?

MANAGING ORGANIZATIONAL SECURITY

Three topics on which to focus:
  Information security infrastructure
  Identification of risks from 3rd-party consultants
  Security requirements for outsourcing

MANAGING ORGANIZATIONAL SECURITY CONT.

Designing & maintaining a secure environment requires input from representatives of each department of the company:
  Management
  IT (developers, network engineers, administrators)
  HR
  Legal & financial services

Collaboration of all these parties is required to create and maintain a successful information security policy


MANAGING ORGANIZATIONAL SECURITY CONT.

Who is a third party?
  Business partners
  Vendors
  Contractors (including temporary workers)

MANAGING ORGANIZATIONAL SECURITY CONT.

Physical security

Protecting the network from attacks from the outside is recommended, but a company should not forget to protect the physical security of the servers themselves

Why bother to hack when you can steal?

MANAGING ORGANIZATIONAL SECURITY CONT.

If physical access for 3rd parties is allowed, proper controls must be deployed to:
  Select who gets physical access
  Define to which areas physical access is granted

Has due diligence been extended to verify the integrity and credibility of those 3rd-party contractors?

OUTSOURCING IS A GROWING TREND

Outsourcing is seen by some as a business tool used to lower costs. It also comes with risks:
  Is the work being outsourced out of the country?
  If so, to which country?
  How is security handled in the culture of that country?
  How effectively are intellectual property laws enforced and respected in that country?

OUTSOURCING IS A GROWING TREND CONT.

Is the data secure during transmission?
  Is the data transferred electronically?
    What secure protocols are used?
  Is the data physically sent overseas?
    What courier system is used?
    How reliable/reputable/dependable is this courier system?

OUTSOURCING IS A GROWING TREND CONT.

Is the data securely stored while away from the corporate network?
  What security controls are deployed at the periphery of the target network?
  What access control methods are used on the target network?
  What auditing methods are used on the target network?

OUTSOURCING IS A GROWING TREND CONT.

How to conduct due diligence on a company located halfway across the world?
  Is this company foreign-owned, or a subsidiary of a US-owned corporation?
  Is this company reputable?
  Has the company sent a representative on-site to verify the information provided to them?