chief information security officer legislative data center

Post on 01-Nov-2014

TRANSCRIPT

  • 1. Policies and Procedures
  • 2. Presented by Lee Vigue [email protected] and Ned Allison [email protected] (Chief Information Security Officer, Legislative Data Center; Information Security Engineer and Architect, Legislative Data Center; Policy Manager, ISSA-Sac; Vice President, ISSA-Sac)
  • 3. The Focus: How do we deal with it all?
    • Policies
    • Procedures
    • Standards
    • Guidelines
    • Practices
    • Regulations
    • Civil Codes
    • Criminal Laws
    • Requirements
    • Acts
    • Agreements
    • Statutes
    • Frameworks
      • SAM
      • SIMM
      • BS 7799
      • ISO 17799
      • ISO 27002
      • COBIT v4.0
      • NIST
      • CERT
      • SANS
    • Buzz Words
      • GLBA
      • SOX
      • HIPAA
      • SAS 70
      • PCI
      • SB1386
      • E-Discovery
    • Related Issues
      • Architecture
      • CMMI
      • ITIL
  • 4. Addressing the issues
    • Looking at the issues from two viewpoints
      • Management
        • Tends to focus on Policy and Guidelines
        • Issues with being proactive about Policy
        • Critical to the supportability of Policy
      • Technical
        • Tends to focus on Standards and Procedures
        • Issues with being constrained by Policy
        • Critical to the do-ability of Policy
  • 5. Walking the path
    • Starting with The Definitions
      • What is it
      • What makes it up
      • Samples of the good, the bad and the ugly
    • Placement in the frame of reference
      • How does it relate to other strategic goals
    • Recommendations
    • Summary
    • Questions and Answers
  • 6. What is a Policy?
    • A high-level statement of enterprise beliefs, goals and objectives, along with a general means for attaining them in a specified subject area.
    • It is: a brief statement, set at a high level
    • It is not: a step-by-step implementation, or a specific, detailed description
  • 7. A Policy needs support
    • Because a policy is written at a high level and is a simple statement of a goal or objective, it needs to be supported by:
      • Standards
      • Procedures
      • Guidelines
  • 8. Standards, Procedures and Guidelines
    • Standards
      • Mandatory Activities, Actions or Rules supporting policies
    • Procedures
      • Detailed specifics on implementation
    • Guidelines
      • General Statements and Recommendations
  • 9. Definitions per ISO/IEC 17799:2005
    • Policy
      • Overall intention and direction as formally expressed by management
    • Procedure
      • A formal method to accomplish a task, in accordance with policy and guidelines
    • Guideline
      • A description that clarifies what should be done and how, to achieve objectives set out in policy
  • 10. Policies
    • Management View
    • Technical View
  • 11. Policy and Standard Example
    • Policy
      • Access to Enterprise Information Systems shall be restricted to authorized users only
    • Standard
      • Users must have a unique UserID and an individual and confidential password
  • 12. Issues with Policies
    • The need to build meat and potatoes statements first
    • The idea of no exceptions
    • The idea of JITP (Just In Time Policies)
  • 13. Standards
    • Often refer to a specific Technology or Environment
      • Change with new technologies or environments
  • 14. Issues with Standards
    • Can be expensive to Maintain
    • Require updating to new technical conditions and environment
    • Change frequently in comparison to policies
  • 15. Procedures
    • Detailed statements of requirements and process for implementing policies and standards
    • Can be step by step
    • Can be lists of required approvals or actions
  • 16. Issues with Procedures
    • Procedures change frequently with
      • Organizational Changes
      • New approval Structures
      • New Technologies
      • New Requirements
    • Must be maintained
    • Change more frequently than Standards
    • Multiple Procedures may apply to a single Standard or Policy process
  • 17. What are Guidelines
    • General Statements and Recommendations designed to achieve Policy objectives and Standards Requirements
    • Can be used to provide a framework for Procedural implementation
  • 18. Issues with Guidelines
    • Guidelines are recommendations not mandatory requirements
    • Guidelines are not enforceable
    • Guidelines are frequently misused
  • 19. Examples
    • Policy
      • Access to information systems is restricted to authorized users only
    • Standard
      • Users will have a unique UserID and confidential password
    • Procedure
      • User will obtain a UserID and one time password upon management approval and must immediately change the password upon first login
    • Guideline
      • Passwords should be complex, consisting of more than 8 characters and include Upper Case, Lower Case, Numbers and Symbols
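The distinction the example slide draws is easiest to see at the point where it is enforced: the Standard and Procedure are mandatory and a request that violates them is rejected, while the Guideline is advisory and only produces a warning. The following Python block is an added illustration written for this page, not code from the presenters or the Legislative Data Center; the class and function names (AccountStandard, guideline_warnings), the PBKDF2 hashing and the iteration count are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Constructed example: a minimal enforcement point for the slide-19 example.
# Standard and Procedure are enforced (reject); the Guideline is advisory (warn).
PBKDF2_ROUNDS = 100_000  # assumption: illustrative cost factor, not a recommendation


def _hash_password(password: str, salt: bytes) -> bytes:
    # "confidential password": only a salted hash is ever stored
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    must_change: bool  # True while the one-time password from provisioning is in force


class AccountStandard:
    """Enforces the Standard (unique UserID, individual confidential password) and the
    Procedure (one-time password on management approval, change at first login)."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def provision(self, user_id: str, manager_approved: bool) -> str:
        """Issue a one-time password; it is returned exactly once and never stored in clear."""
        if not manager_approved:
            raise PermissionError("Procedure: UserID issued only upon management approval")
        if user_id in self._accounts:
            raise ValueError("Standard: UserID must be unique; no shared accounts")
        otp = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self._accounts[user_id] = Account(user_id, salt, _hash_password(otp, salt), True)
        return otp

    def login(self, user_id: str, password: str, new_password: Optional[str] = None) -> str:
        acct = self._accounts.get(user_id)
        if acct is None:
            # Burn the same hashing cost so unknown UserIDs are not distinguishable by timing
            _hash_password(password, b"\x00" * 16)
            return "denied"
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            return "denied"
        if acct.must_change:
            # Procedure: the one-time password must be replaced at first login
            if not new_password or new_password == password:
                return "denied: password change required"
            acct.salt = secrets.token_bytes(16)
            acct.pw_hash = _hash_password(new_password, acct.salt)
            acct.must_change = False
        return "ok"


def guideline_warnings(password: str) -> list:
    """Advisory only: reports deviations from the Guideline but rejects nothing."""
    checks = [
        (len(password) > 8, "more than 8 characters"),
        (any(c.isupper() for c in password), "an upper-case letter"),
        (any(c.islower() for c in password), "a lower-case letter"),
        (any(c.isdigit() for c in password), "a number"),
        (any(c in string.punctuation for c in password), "a symbol"),
    ]
    return [f"Guideline: password should contain {what}" for ok, what in checks if not ok]


if __name__ == "__main__":
    store = AccountStandard()
    otp = store.provision("jdoe", manager_approved=True)
    print(store.login("jdoe", otp))                                   # denied: password change required
    print(store.login("jdoe", otp, new_password="Correct-Horse-9!"))  # ok
    print(guideline_warnings("password"))                             # four advisory warnings
```

Note where the line falls: a duplicate UserID or a first login that keeps the one-time password is refused, because those come from the Standard and the Procedure; a weak password only draws warnings, because complexity is a Guideline. If the organisation wants complexity to be refusable, the slide's own logic says it has to be promoted into the Standard.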
  • 21. Sample Discussions
  • 22. Policy Frameworks
    • CA State SAM and SIMM
    • ISO 17799 (soon to be renumbered into the ISO 27000 series, as ISO/IEC 27002)
    • COBIT
    • NIST
    • CERT
    • others
  • 23. Regulatory Drivers
    • SOX
    • GLBA
    • HIPAA
    • PCI
    • SAS 70
    • CA SB 1386 / CA Civil Code 1798.1
    • others
  • 24. Parallel Frameworks
    • CMMI
    • Enterprise Architecture
    • ITIL
  • 25. Recommendations and Focus for Policies, Standards, Procedures and Guidelines
    • Find a Framework that works for your organization and adapt it to your needs
    • Get Executive Management support of your efforts
    • Engage Technical Staff in Standards and Procedures to ensure ownership
    • Publish Policy to all, Standards to those responsible, Procedures to those who engage in the process and Guidelines to the whole group involved to ensure awareness
    • Review and regularly maintain the structure to ensure that it remains accurate, doable, and relevant to your organizational needs and the changing regulatory and technical environments
  • 26. Framework Recommendation
    • Use COBIT as an overall implementation
      • Provides Auditable Metrics
    • Use ISO 17799 (27000s) as a Security Framework
      • Provides Detailed Structure to the whole security picture
    • Use NIST/CERT/SANS as a Standards Source
      • Provides Details of specific Technologies and Requirements
    • Use ITIL to implement Procedures
      • Provides structure to Operational Aspects of Security
  • 27. Summary
    • Management View
    • Technical View
  • 28. Questions and Discussion
  • 29. Closing Resources
    • http://sam.dgs.ca.gov/default.htm
    • http://www.dof.ca.gov/OTROS/StatewideIT/SIMM/SIMM.asp
    • http://www.sans.org/resources/policies/
    • http://csrc.nist.gov
    • http://www.iso.org/
    • http://www.itil.co.uk/
    • http://www.isaca.org/
    • http://www.issa.org/
    • And finally the shameless plug
      • http://www.issa-sac.org/welcome.shtml