TRANSCRIPT
Copyright © Center for Systems Security and Information Assurance
Lesson Eight
Security Management
Lesson Objectives
• Define security management
• Explain in basic terms the function of an organization's security policy
• List the reasons an organization would implement a security policy
• Define security standards and explain the different types of standards
• Explain the role of standards organizations
• Match the standards organization with its role in the Information Security field
Introduction
Security management entails the identification of an organization’s information assets and the development, documentation, and implementation of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability.
Organization Policies
A policy may be defined as "an agreed approach in theoretical form, which has been agreed to and/or ratified by a governing body, and which defines direction and degrees of freedom for action."
What is a Security Policy?
• Informs users and staff members of the need and the responsibility to protect the organization’s technology and critical information.
• Defines “acceptable use” (based upon the acceptable risk) of all electronic media within an organization.
Security Policies
• Rules and practices an organization uses for its information resources:
  – management
  – protection
  – allocation
• Policies and procedures provide a baseline for:
  – security plans
  – contingency plans
  – procurement plans
Why a Security Policy?
1. Describes in detail acceptable network activity and penalties for misuse
2. Provides a forum for identifying and clarifying security goals, priorities and objectives to the organization and its members.
3. Illustrates to each employee how they are responsible for helping to maintain a secure environment.
4. Defines responsibilities and the scope of information security in an organization.
5. Provides a legal instrument in the case of litigation
Why a Security Policy?
6. Provides a good foundation for conducting security audits
7. Establishes a list of critical assets and identifies their potential vulnerabilities
8. Provides a reference for incident response handling
9. Communicates organization culture, core values, and ethics
10. Establishes acceptance and conformity
Management Support
• Without management supporting security policies, they might as well be non-existent
• Security policies and security in general start off at the bottom of the typical executive’s priority list
• A serious security incident, or an exceptional sales pitch by the information security professionals, helps to gain the support of management
Types of Security Policies
• Acceptable Encryption Policy
• Acceptable Use Policy
• Analog/ISDN Line Policy
• Anti-Virus Policy
• Application Service Provider Policy
• Application Service Provider Standards
• Acquisition Assessment Policy
Types of Security Policies
• Audit Vulnerability Scanning Policy
• Automatically Forwarded Email Policy
• Database Credentials Coding Policy
• Dial-in Access Policy
• DMZ Lab Security Policy
• E-mail Policy
Helpful Security Policy Links
Read the following documents:
• http://www.sans.org/resources/policies/Policy_Primer.pdf
• http://www.sans.org/resources/policies/#template
• http://www.dir.state.tx.us/security/policies/templates.htm
Security Standards
• Specify the uniform use of specific technologies, parameters, or procedures to be used to secure systems.
• Contain mandatory statements that can be measured, so compliance can be tested rather than argued.
Security Standards Example
The HIPAA Privacy Rule requires that "a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information" (CMS, "HIPAA Administrative Simplification - Privacy", 45 CFR Section 164.530(c)(1)).
Types of Security Standards
• Open versus proprietary
• De jure (established by law or a formal standards body) versus de facto (established by widespread use)
Security Standards Evolve
Security Standards Organizations
• Government statutes (federal, state and local)
• Standards organizations (NIST, ISO, IEEE)
• Industry requirements (HIPAA, GLB, TIA/EIA)
• Manufacturer requirements (Cisco, Microsoft)
• Internal requirements
ISO 17799 Description
• Most widely recognized security standard; the first version was published in December 2000 (the standard has since been renumbered ISO/IEC 27002)
• Comprehensive in its coverage of security issues
• Contains a substantial number of control requirements
• Compliance and certification can be daunting, even for the most security-conscious organizations
Government Cryptography Standards
Example
• Government Standards: Incident Reporting
  Computer Security Incident Handling Guide, NIST Special Publication 800-61, from the National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce.
• A 148-page report describing guidelines for responding to denial-of-service attacks; malicious code, including viruses, worms and Trojan horses; unauthorized access; inappropriate use by authorized users; and incidents incorporating various types of security breaches.
  http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
Security Guidelines
• Address intentions and allow for interpretation
• Recommendations or best practices
• Similar in form to standards, but not mandated actions
• Assist users, administrators and others in effectively interpreting and implementing the security policy
• Data Security and Classification Guidelines: http://www.umassp.edu/policy/data/itcdatasec.html
Security Procedures
• The operational processes required to implement institutional security policy
• Operating practices can be formal or informal, specific to a department or applicable across the entire institution
• Detailed steps or instructions to be followed by users, system administrators, and others to accomplish a particular security-related task
• Assist in complying with security policy, standards and guidelines
• http://wwwoirm.nih.gov/security/sec_policy.html
More Examples
• Policy - All State of Illinois employee email mailboxes must be protected by a username/password
• Standard - The username must follow existing naming standards, and the password must be at least 8 characters long and contain both letters and numbers
• Procedure - Setting the administrative properties of the mailbox so that a username and password are required, then auditing passwords for the required complexity
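The policy/standard/procedure split above maps cleanly onto code: the standard is the measurable rule, the procedure is the check that applies it. The following is an added example, not material from the original lesson, and it assumes a hypothetical mailbox record with a `require_auth` property and a made-up username naming rule (the page says usernames must follow "existing standards" without stating them). Passwords are checked at the moment they are set rather than stored for a later audit, so no plaintext credentials are retained.

```python
"""Added example: a policy, its standard and its procedure expressed as code.

Policy   : every mailbox must be protected by a username/password.
Standard : username follows the naming standard; password is at least
           8 characters and contains both letters and digits.
Procedure: (1) verify each mailbox has authentication required,
           (2) check passwords for complexity when they are set.
"""
import re
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 8  # the measurable value from the standard

# Assumption: the page does not spell out its username "existing standards",
# so this hypothetical rule (lowercase, starts with a letter, 3-32 chars,
# dots allowed) stands in for them.
USERNAME_PATTERN = re.compile(r"^[a-z][a-z0-9.]{2,31}$")


@dataclass
class Mailbox:
    """Hypothetical mailbox record; require_auth is the administrative
    property the procedure sets."""
    username: str
    require_auth: bool


def password_violations(password: str) -> list[str]:
    """Measure a password against the standard. Empty list == compliant."""
    violations = []
    if len(password) < MIN_PASSWORD_LENGTH:
        violations.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        violations.append("contains no letter")
    if not re.search(r"[0-9]", password):
        violations.append("contains no digit")
    return violations


def username_violations(username: str) -> list[str]:
    """Measure a username against the (assumed) naming standard."""
    if USERNAME_PATTERN.match(username):
        return []
    return ["does not match naming standard"]


def validate_credential_change(username: str, new_password: str) -> list[str]:
    """Procedure step 2: run when a password is set; any finding rejects it."""
    findings = username_violations(username) + password_violations(new_password)
    return [f"{username}: {f}" for f in findings]


def audit_mailboxes(mailboxes: list[Mailbox]) -> list[str]:
    """Procedure step 1: every mailbox must require authentication (policy)."""
    return [f"{m.username}: authentication not required"
            for m in mailboxes if not m.require_auth]


# Constructed sample data for the demonstration (not from the lesson).
SAMPLE_MAILBOXES = [
    Mailbox("alice.smith", True),
    Mailbox("bob", False),          # violates the policy
    Mailbox("svc.mailer", True),
]

SAMPLE_CHANGES = [
    ("alice.smith", "Summer2024"),  # compliant
    ("bob", "password"),            # no digit
    ("Carol", "1234567"),           # bad username, too short, no letter
]

if __name__ == "__main__":
    for finding in audit_mailboxes(SAMPLE_MAILBOXES):
        print("FAIL", finding)
    for user, pw in SAMPLE_CHANGES:
        result = validate_credential_change(user, pw)
        print("OK  " if not result else "FAIL", user, result)
```

Each function returns findings rather than a bare pass/fail so the same code serves both enforcement (reject the change) and reporting (the audit the procedure calls for). Note that composition rules of this kind reflect the era of the lesson; current NIST guidance (SP 800-63B) favors length and breached-password screening over mandatory character classes, so the standard a practitioner encodes today would differ in detail while the policy/standard/procedure structure stays the same.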
Plan, Do, Check, Act
Hyperlinks to Federal Laws
• Federal Computer Intrusion Laws
• National Information Infrastructure Protection Act of 1995
• Fraud and Related Activity in Connection with Computers
• The Digital Millennium Copyright Act
• Software Piracy and the Law
• The Computer Fraud and Abuse Act of 1986
Hyperlinks to Federal Laws
• Electronic Communications Privacy Act
• Privacy Act of 1974
• Communications Act of 1934
• Family Educational Rights and Privacy Act of 1974
• CAN-SPAM Act of 2003
• United States Copyright Office