security policy: the big picture, up close and personal · 2007-01-06
TRANSCRIPT
12/30/2005
security policy: the big picture. up close and personal.
peter h. gregory, cisa, [email protected]
peter h. gregory, cisa, cissp
• writer: computer viruses for dummies, blocking spam and spyware for dummies, cissp for dummies, security+ for dummies; computerworld columnist.
• speaker: RSA, SecureWorld Expo, West Coast Security Forum, University of Washington, etc.
Evergreen State Chapter
agenda
• What is a security policy
• Why have a security policy
• Characteristics of a good policy
• How & where to begin
• ISO 17799
• Human factors to consider
• Success factors
what is a security policy?
• Wikipedia: A security policy is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security environment.
• SANS: A policy is typically a document that outlines specific requirements or rules that must be met.
• CERT: A security policy defines the set of laws, rules, and practices that regulate how an organization implements, manages, protects, and distributes computing resources to achieve security objectives.
• Me: a doctrinal statement that defines a principle related to the protection of corporate assets. Policy is law.
why have a security policy?
• consistent approach for protecting assets
  – consistent across staff
  – consistent across departments
  – consistent across contexts
  – consistent over time
• legal protection
• because Sarbanes-Oxley, GLBA, HIPAA, FERC, VISA, etc. said so
characteristics of a good policy
• simple
• concise
• unambiguous
• durable
• achievable
• measurable
• enforceable
• not technology-specific
a policy is not:
• a procedure
• a standard
• an architecture
• a checklist
• a configuration
however, we should have policies that require these things!!
the security policy ecosystem
• executive support and leadership by example
• individual written acknowledgement
• monitoring and management reporting
• enforcement
• document lifecycle
• awareness training
• explanatory materials
having a policy is more than just having the written document. it is only a part of the big picture.
how and where to begin (1)
• brand new construction
  – vacant lot with a building permit
• focus on the big picture. consider:
  – objectives
  – level of executive & management support
  – roles & responsibilities
  – regulatory requirements
  – current structure (document and ecosystem)
how and where to begin (2)
• tear-down
  – it’s a wreck and we need to almost start over
  – save a few good parts, add a lot of new stuff
• focus on the big picture. consider:
  – objectives
  – level of executive & management support
  – roles & responsibilities
  – regulatory requirements
  – current structure (document and ecosystem)
how and where to begin (3)
• remodeling
  – from patch ‘n paint to adding a room
  – adding sections, restructuring, modernizing
• focus on the big picture. consider:
  – objectives
  – level of executive & management support
  – roles & responsibilities
  – regulatory requirements
  – current structure (document and ecosystem)
things to consider
• are objectives clear?
• what are you responsible for?
• are necessary resources available?
• resistance to change
• is senior management prepared to support and enforce?
• is awareness training & education required and included?
resources for sample policy content
• ISO17799
  – the de facto world standard
  – good for structure too
• SANS
• NIST
ISO 17799 structure
• Security policy
• Organizational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance
if you use ISO17799…
• Make sure each policy will work in your organization
• Consider your organization’s culture
• Add other sections / subsections as needed in order to cover your organization’s business activities
• Consider trolling SANS or other places for other policy ideas and content to be sure your policy is complete
challenging human factors to consider
• Resistance to change
• Resentment of authority
• Challenge to authority
• Sabotage
• Undermining credibility
• Snitches and scapegoats
success factors
• Executive sponsorship and support
  – Leadership by example
  – Real willingness to enforce
• Adequate resources
• Expertise (in-house, consultant)
• Policy should not conflict with organization’s culture
  – (unless the culture is in dire need of repair!)
• Negotiating Skills
• Patience
characteristics of a successful change agency
• Identify and Promote only Essential Changes
• Promote Only Those Changes That Have a Chance to Succeed
• Anticipate Sources of Resistance
• Distinguish Resistance from Well-Founded Criticism
• Involve All Affected Parties the Right Way
• Do Not Promise What You Cannot Deliver
• Use Sponsors, Partners, and Collaborators as Co-Change Agents
• Change Metrics and Rewards to Support the Changed World
• Provide Training
• Celebrate All Successes
resources
• ISO17799 – iso.ch (CHF176,00 ≅ USD150.00)
• SANS Security Policies – www.sans.org/resources/policies
• NIST Technical Guide to Internet Security Policy – http://csrc.nist.gov/isptg/
• iNFOSYSSEC Security Policy Writing Styles & Guides – http://www.infosyssec.com/infosyssec/secpol1.htm
recap
• What is a security policy
• Why have a security policy
• Characteristics of a good policy
• How & where to begin
• ISO 17799
• Human factors to consider
• Success factors