Chief Information Security Officer, Legislative Data Center
- 2. Policies and Procedures. Presented by Lee Vigue ([email protected]) and Ned Allison ([email protected]): Chief Information Security Officer, Legislative Data Center; Information Security Engineer and Architect, Legislative Data Center; Policy Manager, ISSA-Sac; and Vice President, ISSA-Sac.
- 3. The Focus: How do we deal with it all?
  - Policies
  - Procedures
  - Standards
  - Guidelines
  - Practices
  - Regulations
  - Civil Codes
  - Criminal Laws
  - Requirements
  - Acts
  - Agreements
  - Statutes
  - Frameworks
    - SAM
    - SIMM
    - BS7799
    - ISO17799
    - ISO27002
    - COBIT v4.0
    - NIST
    - CERT
    - SANS
  - Buzz Words
    - GLBA
    - SOX
    - HIPAA
    - SAS70
    - PCI
    - SB1386
    - E-Discovery
  - Related Issues
    - Architecture
    - CMMI
    - ITIL
- 4. Addressing the issues
  - Looking at the issues from two viewpoints
    - Management
      - Tends to focus on Policy and Guidelines
      - Issues with being proactive about Policy
      - Critical to the supportability of Policy
    - Technical
      - Tends to focus on Standards and Procedures
      - Issues with being constrained by Policy
      - Critical to the doability of Policy
- 5. Walking the path
  - Starting with the Definitions
    - What is it
    - What makes it up
    - Samples of the good, the bad and the ugly
  - Placement in the frame of reference
    - How does it relate to other strategic goals
  - Recommendations
  - Summary
  - Questions and Answers
- 6. What is a Policy?
  - A high-level statement of enterprise beliefs, goals and objectives, along with a general means for attaining them in a specified subject area.
- 7. A Policy needs support
  - Because a policy is written at a high level and is a simple statement of a goal or objective, it needs to be supported by:
    - Standards
    - Procedures
    - Guidelines
- 8. Standards, Procedures and Guidelines
  - Standards
    - Mandatory activities, actions or rules supporting policies
  - Procedures
    - Detailed specifics on implementation
  - Guidelines
    - General statements and recommendations
- 9. Definitions per ISO 17799
  - Policy
    - Overall intention and direction as formally expressed by management
  - Procedure
    - A formal method to accomplish a task, in accordance with policy and guidelines
  - Guideline
    - A description that clarifies what should be done and how, to achieve objectives set out in policy*
  - *According to ISO 17799:2005
- 10. Policies
  - Management View
  - Technical View
- 11. Policy and Standard Example
  - Policy
    - Access to Enterprise Information Systems shall be restricted to authorized users only
  - Standard
    - Users must have a unique UserID and an individual and confidential password
- 12. Issues with Policies
- The need to build the meat-and-potatoes statements first
- The idea of no exceptions
- The idea of JITP, Just In Time Policies
- 13. Standards
  - Often refer to a specific technology or environment
  - Change with new technologies or environments
- 14. Issues with Standards
- Can be expensive to Maintain
- Require updating to new technical conditions and environment
- Change frequently in comparison to policies
- 15. Procedures
- Detailed statements of requirements and process for implementing policies and standards
- Can be step by step
- Can be lists of required approvals or actions
- 16. Issues with Procedures
  - Procedures change frequently with:
    - Organizational changes
    - New approval structures
    - New technologies
    - New requirements
  - Must be maintained
  - Change more frequently than Standards
  - Multiple Procedures may apply to a single Standard or Policy process
- 17. What are Guidelines?
- General Statements and Recommendations designed to achieve Policy objectives and Standards Requirements
- Can be used to provide a framework for Procedural implementation
- 18. Issues with Guidelines
- Guidelines are recommendations not mandatory requirements
- Guidelines are not enforceable
- Guidelines are frequently misused
- 19. Examples
  - Policy
    - Access to information systems is restricted to authorized users only
  - Standard
    - Users will have a unique UserID and confidential password
  - Procedure
    - The user will obtain a UserID and one-time password upon management approval and must immediately change the password upon first login
  - Guideline
    - Passwords should be complex, consisting of more than 8 characters and including upper case, lower case, numbers and symbols
- 21. Sample Discussions
- 22. Policy Frameworks
- CA State SAM and SIMM
- ISO 17799, soon to become the ISO 27000 series
- COBIT
- NIST
- CERT
- others
- 23. Regulatory Drivers
- SOX
- GLBA
- HIPAA
- PCI
- SAS70
- CA SB1386, CA CC1798.1
- others
- 24. Parallel Frameworks
- CMMI
- Enterprise Architecture
- ITIL
- 25. Recommendations and Focus for Policies, Standards, Procedures and Guidelines
  - Find a framework that works for your organization and adapt it to your needs
  - Get executive management support for your efforts
  - Engage technical staff in Standards and Procedures to ensure ownership
  - Publish Policy to all, Standards to those responsible, Procedures to those who engage in the process, and Guidelines to the whole group involved, to ensure awareness
  - Review and regularly maintain the structure to ensure that it remains accurate, doable, and relevant to your organizational needs and the changing regulatory and technical environments
- 26. Framework Recommendation
  - Use COBIT as the overall implementation
    - Provides auditable metrics
  - Use ISO 17799 (27000s) as the Security Framework
    - Provides detailed structure for the whole security picture
  - Use NIST/CERT/SANS as a Standards source
    - Provides details of specific technologies and requirements
  - Use ITIL to implement Procedures
    - Provides structure for the operational aspects of security
- 27. Summary
- Management View
- Technical View
- 28. Questions and Discussion
- 29. Closing Resources
  - http://sam.dgs.ca.gov/default.htm
  - http://www.dof.ca.gov/OTROS/StatewideIT/SIMM/SIMM.asp
  - http://www.sans.org/resources/policies/
  - http://csrc.nist.gov
  - http://www.iso.org/
  - http://www.itil.co.uk/
  - http://www.isaca.org/
  - http://www.issa.org/
  - And finally, the shameless plug: http://www.issa-sac.org/welcome.shtml