taxonomy-based information security policies
DESCRIPTION
How to aggregate policy writing by using a taxonomy-based approach.TRANSCRIPT
Information Security
Juggernaut
Taxonomy-based Security Policies
By Ravila Helen White, CISSP, CISM, CISA, GCIH
ijMaking it better without making it complex
DisclaimerThis presentation and the concepts
herein are my opinions through private research, practice and chatting with other professionals.
It is not the opinion of past, present or future employers.
OverviewUnderstanding TaxonomyPolicy ArtifactsControlsSetting ContextPolicy SchemaMetadataWriting Policies
Understanding Taxonomy
Taxonomy is the practice and science of classification.
Mathematically, a hierarchical taxonomy is a tree structure of classifications for a given set of objects. It is also named Containment hierarchy. At the top of this structure is a single classification, the root node, that applies to all objects.
Legally, an open-ended contextual taxonomy—a taxonomy holding only with respect to a specific context.
What it is
Technological uses of taxonomy?Data warehouseData martsReport(s)
Used in Policy DevelopmentGroups like policies togetherEliminates redundant policiesSustainable policy design and
maintenance
Policy Artifacts
What are Policy Artifacts
Legal documentsAuthoritative Guides
Controls for Security Policies
Security Policy ControlsPointEnterpriseHybridContextUse ScenarioExceptionFloor
Defining Policy Context
Defining ContextSystem or domain identificationParent identificationContext control aligns to parent
or supersetUse Scenario identificationUse scenario defines child
domain and or consumer
Setting Context
Policy Schema
Develop a SchemaSystem or domain identificationParent identificationContext control aligns to parent
or supersetUse Scenario identificationUse scenario defines child
domain and or consumer
Policy concept schema
Meta Data
Component Architecture
Writing Policies
Scientific Taxonomy
Network Acceptable Use Policy Component Taxonomy
Meta Policy
1 Appropriate Use 2 Privacy 3 Passwords 4 Records Retention
Micro
Policy
1.1Personal Use 2.1 Monitoring 3.1 Complexity 4.1 Electronic Files
1.2 Copyrighted and Third Party Material 2.2 Ownership 3.2 Expiration 4.2 E-mail
1.3 Instant Messengers 2.3 Data 3.3 Sharing 4.3 Personal Data
1.4 Personal E-mail 4.4 Classification
Policy NarrativeMeta policyMicro policiesUse ScenarioExceptions
Tips
Tip #1Write policies after you’ve
identified the business peers who must help support and enforce policy
Tip #2Keep track of policy violations.
Violations may occur due to lack of training or understanding.
Tip #3Examined the organization’s
technology roadmap. Write policies that compliment the roadmap. This will reduce the amount of incremental updates to the policy.
Tip #4Provide end-users with a FAQ or
information documentation to help convey meaning behind why supporting policies are important and safeguard the organization.
Copyright InformationSome works in this presentation
have been licensed under the Creative Common license (CC). Please respect the license when using the concepts or adapting them.
For more information please go here:
www.creativecommons.org
Thank you…For a complete narrative of this presentation, please search for “Writing security policies using a taxonomy-based approach” or reference the December 2009 issue of Information Security magazine.