Information Security Policy
ACP - New York Capital Region Chapter
February 10, 2010
Presenter: Dan Didier, [email protected]
In association with M.A. Polce Consulting
Security Policy Drivers
What’s driving your business to develop an information security policy?
Audience input, please…
Established Compliance Drivers
Basel II (international banking)
BSA (anti-money laundering)
E-SIGN (electronic signature)
FACTA (identity theft)
FISMA (federal govt.)
GLBA (banking)
Identity Theft Red Flags Rule (finance / creditors)
HIPAA (healthcare)
NCUA Part 748
Patriot Act
PCI
SOX
ARE THERE REALLY THIS MANY???
Recently Established Compliance Drivers
Mass. CMR (data security law)
Breach and Notification Laws (per state)
NYS Security Breach Notification Act
NYS Social Security Number Protection Law
HITECH (Health Information Technology for Economic and Clinical Health Act)
NYS Internet Security and Privacy Act
More Drivers… Protecting Critical Assets Against:
Immediate loss of business due to unavailability
Long-term loss of business due to loss of trustworthiness and reputation
Loss of stock value
Financial liability for breach of contract
Legal liability for contributory negligence
Loss of management credibility
Embarrassment of employees
Lowered employee morale
Increased employee turnover
Difficulty hiring competent staff
Incitement to abuse of security policies
Information Security Life Cycle (stages of the repeating cycle)
Security Policy
Security Procedures
Awareness and Training
Compliance
Security Audit
Security / Risk Assessment
What is the goal of an Information Security Policy?
An effective information security policy is designed to support the control objectives defined by management, meeting the assurance requirements of achieving business objectives and of preventing, detecting, and correcting undesired events.
How is an Information Security Policy Implemented?
An information security policy enables high-level business requirements by protecting sensitive information through defined policy, controls, standards, and procedures for configuring and managing security.
Through the creation of an information security policy, an organization establishes the clear guidelines necessary to implement secure business processes as defined by the key business stakeholders.
Policies, Standards, and Procedures
These guidelines are leveraged throughout the information security life cycle and help define the specific policy, standards, procedures, and guidelines in each of the respective areas.
There are three key questions:
What is a Policy?
What is a Standard?
What is a Procedure?
Policy
Is defined by management / key stakeholders
Is a brief document, including:
◦ To whom and what the policy applies
◦ The need for adherence (compliance / security)
◦ A general description
◦ Consequences of non-adherence
Standards
Defined by directors or department-level managers
Standards define what must be done to implement security:
◦ roles and responsibilities of security personnel
◦ protection against malware
◦ information and software exchange mechanisms
◦ user responsibilities
◦ acceptable use
◦ mobile computing
◦ access control
◦ compliance
◦ government regulation
◦ industry standards
Procedures
Defined by directors or department-level managers, implemented by the target workforce.
Procedures specifically outline how security controls must be implemented and managed.
Procedures should support the accompanying standards, ensuring that standards are followed and that tasks are documented (auditable) to achieve full compliance.
This component provides many of the critical details that can either make or break an effective information security policy.
Obtaining Management Support…
A policy without support is useless. Consider the statement: “do as I say, not as I do.”
Management is wholly responsible for all ramifications of failing to properly address industry, compliance, and business requirements.
Management is also responsible for assuring the continuity of policy compliance for all external service providers. There is no transfer of liability when organizational tasks are outsourced; the originating organization and its management are ultimately responsible for ensuring compliance.
…Obtaining Management Support
Cost can be identified fairly easily
Benefits may be difficult to quantify
An effective program requires the support, credibility, and advocacy of management. This needs to be obtained and maintained.
Management must be kept informed, spoken to in their language, and shown proof of impact.
Keep Management Informed
Enable management with just enough information to:
◦ Understand security concerns
◦ Make informed decisions
◦ Be knowledgeable on the topic
Provide reports that meld into existing communication mechanisms, including progress reports and briefings.
Provide updates that highlight progress and accomplishments.
Whenever possible, use metrics to quantify progress.
Speak Management’s Language
Provide relevant and accurate information:
◦ Avoid overstating threats and fears.
◦ Do not provide a false sense of security.
◦ Present reasonable solutions along with problems and concerns.
◦ Remember the budget; include costs and benefits.
◦ Remember the ecology: the relationship between users and systems.
◦ Remember that resistance is often based on expending funds on something perceived as a low priority; however, the cost of a single incident may be far higher.
Policy Enforcement…
Without proper enforcement mechanisms, a policy may be worth little more than the paper it was printed on.
A policy needs “teeth” to be effective and for the workforce to respect and abide by it.
However, avoid relying on the boilerplate “standard” policy language: “Failure to comply with this policy may result in disciplinary action, up to and including termination.”
Better Policy Enforcement
Avoid ambiguity and explain to the workforce what may happen, with increasing levels of severity:
◦ Warning from management
◦ Official warning placed in the personnel file
◦ Revoking privileges such as Internet/email
◦ Requiring additional training
◦ Suspension without pay
◦ Termination
To Do and Not To Do
A policy must not be written solely to have a policy; it must support the business process and also be supported by it.
A policy must be considered a living, breathing document. It must be updated as business requirements and processes change.
A policy must be incorporated into the information security life cycle.
A policy must be initiated, mandated, and supported by management.
Similarities of BCP and Information Security Policy
Common drivers for developing a BCP:
◦ Regulatory compliance
◦ Business partner requirements
◦ High level of reliance on IT
◦ Past experiences with system failures or catastrophic events (Northeast Blackout of 2003)
Common goals for a BCP:
◦ Minimize the impact of incidents
◦ Reduce risk
◦ Interpret potential threats and develop defenses
◦ Integrate and enable business
Supporting BCP with Policy
Define policies, procedures and standards for:
◦ Controlling access to data during the recovery process (document access/security requirements, etc.).
◦ Identifying and documenting information that must be protected.
◦ Implementing security to accommodate the likely increase in use of mobile devices during recovery.
◦ Physical access controls for temporary locations.
◦ Backup tape (media) controls (during both non-disaster and disaster recovery periods).
◦ 3rd-party recovery vendors and their access to sensitive data/information.