Taxonomy-based Information Security Policies
DESCRIPTION
How to aggregate policy writing by using a taxonomy-based approach.
TRANSCRIPT
![Page 1: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/1.jpg)
Information Security
Juggernaut
Taxonomy-based Security Policies
By Ravila Helen White, CISSP, CISM, CISA, GCIH
Making it better without making it complex
![Page 2: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/2.jpg)
Disclaimer
This presentation and the concepts herein are my opinions through private research, practice and chatting with other professionals. It is not the opinion of past, present or future employers.
![Page 3: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/3.jpg)
Overview
- Understanding Taxonomy
- Policy Artifacts
- Controls
- Setting Context
- Policy Schema
- Metadata
- Writing Policies
![Page 4: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/4.jpg)
Understanding Taxonomy
![Page 5: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/5.jpg)
What it is
Taxonomy is the practice and science of classification.
Mathematically, a hierarchical taxonomy is a tree structure of classifications for a given set of objects, also called a containment hierarchy. At the top of this structure is a single classification, the root node, that applies to all objects.
Legally, a taxonomy may be open-ended and contextual: it holds only with respect to a specific context.
![Page 6: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/6.jpg)
Technological uses of taxonomy?
- Data warehouses
- Data marts
- Reports
![Page 7: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/7.jpg)
Used in Policy Development
- Groups like policies together
- Eliminates redundant policies
- Sustainable policy design and maintenance
![Page 8: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/8.jpg)
Policy Artifacts
![Page 9: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/9.jpg)
What are Policy Artifacts?
- Legal documents
- Authoritative guides
![Page 10: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/10.jpg)
Controls for Security Policies
![Page 11: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/11.jpg)
Security Policy Controls
- Point
- Enterprise
- Hybrid
- Context
- Use Scenario
- Exception
- Floor
![Page 12: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/12.jpg)
Defining Policy Context
![Page 13: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/13.jpg)
Defining Context
- System or domain identification
- Parent identification
  - The context control aligns to the parent or superset
- Use scenario identification
  - The use scenario defines the child domain and/or the consumer
![Page 14: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/14.jpg)
Setting Context
![Page 15: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/15.jpg)
Policy Schema
![Page 16: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/16.jpg)
Develop a Schema
- System or domain identification
- Parent identification
  - The context control aligns to the parent or superset
- Use scenario identification
  - The use scenario defines the child domain and/or the consumer
![Page 17: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/17.jpg)
Policy concept schema
![Page 18: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/18.jpg)
Meta Data
![Page 19: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/19.jpg)
Component Architecture
![Page 20: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/20.jpg)
Writing Policies
![Page 21: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/21.jpg)
Scientific Taxonomy
Network Acceptable Use Policy Component Taxonomy

| Meta Policy | 1 Appropriate Use | 2 Privacy | 3 Passwords | 4 Records Retention |
|---|---|---|---|---|
| Micro Policy | 1.1 Personal Use | 2.1 Monitoring | 3.1 Complexity | 4.1 Electronic Files |
| | 1.2 Copyrighted and Third Party Material | 2.2 Ownership | 3.2 Expiration | 4.2 E-mail |
| | 1.3 Instant Messengers | 2.3 Data | 3.3 Sharing | 4.3 Personal Data |
| | 1.4 Personal E-mail | | | 4.4 Classification |
![Page 22: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/22.jpg)
Policy Narrative
- Meta policy
- Micro policies
- Use scenario
- Exceptions
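As an added example (not code from the presentation or its author), the following Python models the schema from the Defining Context and Develop a Schema slides and loads the Network Acceptable Use Policy component taxonomy from the table above. Each policy carries a domain, a parent identification, a use scenario and exceptions; `validate()` checks that parent identifiers agree with the hierarchical ids, that a micro policy's context aligns with its parent unless a use scenario narrows it, and that no two policies share a title (the redundancy the taxonomy approach is meant to eliminate); `narrative()` renders the meta policy, micro policies, use scenario and exceptions in the order of the Policy Narrative slide. The domain name "corporate network", the use scenario and the exception text are assumptions made for illustration.

```python
# Taxonomy-based policy schema: example code, not from the presentation.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Policy:
    pid: str                              # hierarchical id: "1" (meta) or "1.2" (micro)
    title: str
    domain: str                           # system or domain identification
    parent: Optional[str] = None          # parent identification (None for a meta policy)
    use_scenario: Optional[str] = None    # child domain and/or consumer the policy targets
    exceptions: List[str] = field(default_factory=list)


def _id_key(pid: str) -> List[int]:
    """Sort key so that 1.10 orders after 1.9 rather than after 1.1."""
    return [int(part) for part in pid.split(".")]


class PolicyTaxonomy:
    """Containment hierarchy: root title -> meta policies -> micro policies."""

    def __init__(self, root_title: str) -> None:
        self.root_title = root_title
        self.policies: Dict[str, Policy] = {}

    def add(self, policy: Policy) -> None:
        if policy.pid in self.policies:
            raise ValueError(f"duplicate policy id {policy.pid}")
        self.policies[policy.pid] = policy

    def children(self, pid: Optional[str]) -> List[Policy]:
        """Direct children of pid; pid=None returns the meta policies."""
        kids = [p for p in self.policies.values() if p.parent == pid]
        return sorted(kids, key=lambda p: _id_key(p.pid))

    def validate(self) -> List[str]:
        """Return schema violations; an empty list means the tree is consistent."""
        problems: List[str] = []
        seen_titles: Dict[str, str] = {}
        for pid, p in self.policies.items():
            # Parent identification must agree with the id: "3.2" belongs under "3".
            expected = pid.rsplit(".", 1)[0] if "." in pid else None
            if p.parent != expected:
                problems.append(f"{pid}: parent {p.parent!r} does not match id (expected {expected!r})")
            elif expected is not None and expected not in self.policies:
                problems.append(f"{pid}: parent {expected} is not defined")
            # Context control aligns to the parent: a micro policy keeps the parent's
            # domain unless a use scenario narrows it to a child domain or consumer.
            parent = self.policies.get(p.parent) if p.parent else None
            if parent and p.domain != parent.domain and not p.use_scenario:
                problems.append(f"{pid}: domain {p.domain!r} differs from parent {parent.domain!r} without a use scenario")
            # Redundancy check: the same title in two places is a candidate duplicate policy.
            key = p.title.strip().lower()
            if key in seen_titles:
                problems.append(f"{pid}: duplicates title of {seen_titles[key]} ({p.title!r})")
            else:
                seen_titles[key] = pid
        return problems

    def narrative(self) -> str:
        """Render meta policy, micro policies, use scenario and exceptions as text."""
        lines = [self.root_title]
        for meta in self.children(None):
            lines.append(f"{meta.pid} {meta.title} [{meta.domain}]")
            for micro in self.children(meta.pid):
                lines.append(f"  {micro.pid} {micro.title}")
                if micro.use_scenario:
                    lines.append(f"    Use scenario: {micro.use_scenario}")
                for ex in micro.exceptions:
                    lines.append(f"    Exception: {ex}")
        return "\n".join(lines)


# The component taxonomy from the slide: meta policy -> micro policies.
SLIDE_TABLE = {
    "1 Appropriate Use": ["1.1 Personal Use", "1.2 Copyrighted and Third Party Material",
                          "1.3 Instant Messengers", "1.4 Personal E-mail"],
    "2 Privacy": ["2.1 Monitoring", "2.2 Ownership", "2.3 Data"],
    "3 Passwords": ["3.1 Complexity", "3.2 Expiration", "3.3 Sharing"],
    "4 Records Retention": ["4.1 Electronic Files", "4.2 E-mail", "4.3 Personal Data", "4.4 Classification"],
}


def build_network_aup(domain: str = "corporate network") -> PolicyTaxonomy:
    """Build the Network Acceptable Use Policy tree; the domain name is an assumption."""
    tax = PolicyTaxonomy("Network Acceptable Use Policy")
    for meta, micros in SLIDE_TABLE.items():
        mid, mtitle = meta.split(" ", 1)
        tax.add(Policy(mid, mtitle, domain=domain))
        for micro in micros:
            cid, ctitle = micro.split(" ", 1)
            tax.add(Policy(cid, ctitle, domain=domain, parent=mid))
    # Assumed use scenario and exception, for illustration only (not on the slides).
    tax.policies["1.1"].use_scenario = "employees using the corporate network"
    tax.policies["1.1"].exceptions = ["Incidental personal use approved by a manager"]
    return tax


if __name__ == "__main__":
    aup = build_network_aup()
    print(aup.narrative())
    print("violations:", aup.validate() or "none")
```

Adding a micro policy whose parent field disagrees with its id, whose parent is missing, or whose title already exists elsewhere in the tree makes `validate()` report it, which is the check to run before a new policy is published into the taxonomy.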
![Page 23: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/23.jpg)
Tips
![Page 24: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/24.jpg)
Tip #1
Write policies after you’ve identified the business peers who must help support and enforce policy.
![Page 25: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/25.jpg)
Tip #2
Keep track of policy violations. Violations may occur due to lack of training or understanding.
![Page 26: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/26.jpg)
Tip #3
Examine the organization’s technology roadmap. Write policies that complement the roadmap. This will reduce the number of incremental updates to the policy.
![Page 27: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/27.jpg)
Tip #4
Provide end users with a FAQ or supporting documentation that explains why the policies are important and how they safeguard the organization.
![Page 28: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/28.jpg)
Copyright Information
Some works in this presentation have been licensed under the Creative Commons license (CC). Please respect the license when using the concepts or adapting them.
For more information please go here:
www.creativecommons.org
![Page 29: Taxonomy-based Information Security Policies](https://reader033.vdocuments.site/reader033/viewer/2022061120/546c2b6bb4af9f842c8b4fdd/html5/thumbnails/29.jpg)
Thank you…
For a complete narrative of this presentation, please search for “Writing security policies using a taxonomy-based approach” or reference the December 2009 issue of Information Security magazine.