
csh5_ch44_security_policy_guidelines.pptx

  • Number of slides: 34

Security Policy Guidelines
CSH 5 Chapter 44 “Security Policy Guidelines”
M. E. Kabay & Bridgett Robertson
Copyright © 2012 M. E. Kabay. All rights reserved.

Selected Topics in CSH 5 Ch 44
  • Terminology
  • Resources for Policy Writers
  • Writing the Policies
  • Organizing the Policies
  • Presenting the Policies
  • Maintaining the Policies

Terminology
  • Policy
  • Controls
  • Standards
  • Procedures

Terminology (1)
  • Policy
    - Rules and regulations set by the organization
    - Laid down by management
    - Mandatory, require compliance
    - Failure to follow policy results in disciplinary action
    - Policies focus on desired results, not on means for achieving them
  • Controls – measures used to protect systems against specific threats

Terminology (2)
  • Standards
    - Accepted specification for hardware, software, or human actions
    - De facto or de jure
    - Technical choices for implementing particular policies
    - Change more rapidly than policies
  • Procedures
    - Prescribe how people are to behave in implementing policies

Resources for Policy Writers
  • ISO/IEC 27000
  • COBIT
  • Informal Security Standards
    - CERT-CC® Documentation
    - NSA Security Guidelines
    - US Federal Best Security Practices
    - RFC 2196
    - German Federal IT Baseline Protection Manual
  • Commercially Available Policy Guides

ISO 27000 (1)
  • History
    - BS 7799:
      * UK Dept. of Trade and Industry, Feb 1995
      * Proprietary and expensive
    - BS 7799 v2: May 1999
  • ISO 17799 built on BS 7799 – published 1999
  • ISO 17799:2005 revised & published 2005 (duhhh)
  • ISO/IEC 27000 replaced 17799:2005 in 2009
    - Popular worldwide
    - Costs of individual components ~100 CHF (~€82, US$109)
    - Overview 27000 available free <http://tinyurl.com/ye3rwro>

ISO 27000 (2)
Control objectives & controls for information security management
  • ISO/IEC 27000 – Overview and Vocabulary
  • ISO/IEC 27001 – Requirements
  • ISO/IEC 27002 – Code of Practice
  • ISO/IEC 27003 – Implementation Guidance
  • ISO/IEC 27004 – Measurement
  • ISO/IEC 27005 – Risk Management
  • ISO/IEC 27006 – Certification Body Requirements
  • ISO/IEC 27007 – Audit Guidelines
  • ISO/IEC 27011 – Telecommunications Organizations
  • ISO 27799 – Health Organizations

ISO 27000 (3)
http://webstore.iec.ch/

COBIT (1)
  • Control Objectives for Information and Related Technology (ISACA)
  • Business-oriented set of standards for guiding management in sound use of IT
  • COBIT Overview
    - Executive summary
    - Framework
      * IT objectives
      * Control functions in IT
    - Business requirements for information

COBIT (2)
  • Control objectives
    - Planning and organization
    - Acquisition and implementation
    - Delivery and support
    - Monitoring
  • Audit guidelines
  • Implementation tool set
    - Executive overview
    - Guide to implementation
    - Case studies describing COBIT implementation
    - FAQs
    - Slide presentations for implementing/selling COBIT
  • Management guidelines

COBIT (3)
http://tinyurl.com/6x96tca

CERT/CC® Documentation
Computer Emergency Response Team Coordination Center® of the Software Engineering Institute at Carnegie Mellon University in Pittsburgh, PA
  • Security for IT
  • Service contracts
  • Securing desktop workstations
  • Responding to intrusions
  • Securing network servers
  • Deploying firewalls
  • Securing public Web servers
  • Detecting signs of intrusion

CERT-CC (2)
http://www.cert.org/

US Government Documents
  • NIST Special Publications
    - http://csrc.nist.gov/publications/PubsSPs.html
    - Or http://tinyurl.com/23jst6
  • NSA Security Guidelines Handbook
    - http://www.tscm.com/NSAsecmanual1.html
    - Or http://tinyurl.com/6g3g2ch
    - Initial security responsibilities
    - General responsibilities
    - Helpful information
  • Federal Information Processing Standards (FIPS)
    - http://www.itl.nist.gov/fipspubs/index.htm
    - Or http://tinyurl.com/agmwvl

US Federal Best Security Practices (1)
  • Federal Chief Information Security Officers (CISO) Council
    - Best Practices Committee (BPC)
    - Sharing best ideas/practical experiences
  • Many useful PDF documents available free; e.g.,
    - Best Practices
    - Enterprise Architecture
    - IT Security/Privacy
    - GAO (Government Accountability Office) Reports
    - IT Related Laws & Regulations

US Federal Best Security Practices (2)

RFC 2196 – from IETF (1)
  • Classic document (1997)
    - Replaced RFC 1244 (1991)
    - Still useful!
    - IETF: Internet Engineering Task Force
  • Introduction
  • Security Policies
  • Architecture
  • Security services and procedures
    - Security incident handling
    - Ongoing activities
    - Tools and locations
    - Mailing lists and other resources
    - References
http://www.ietf.org/rfc.html

RFC 2196 (2)
http://datatracker.ietf.org/doc/rfc2196/

RFC 2196 (3)
http://www.faqs.org/rfcs/rfc2196.html
Also available in PDF & plain text

IT Baseline Protection Manual (1)
German Information Security Agency; English version updated 2005
  • Stand-alone systems
  • Networked systems
  • Communications
  • Infrastructure
  • Methodologies

IT Baseline Protection Manual (2)
http://tinyurl.com/6kyorl5

Commercially Available Policy Guides
  • ISPME
  • Tom Peltier’s Text
  • SANS Resources

ISPME (Charles Cresson Wood)
  • http://www.informationshield.com/ispmemain.htm
  • Best in the field
  • $800 and worth every penny
  • Given to every graduating MSIA student in 2004* at Norwich University as graduation gift!
_____
* First year that MSIA students graduated

Tom Peltier’s Text
  • Useful
  • Inexpensive
  • Well-respected industry expert
  • Professor in NU MSIA

SANS Resources
  • http://www.sans.org
  • Security Essentials courses
  • Step-by-step guides
  • SANS Security Policy Project (free)
    - http://www.sans.org/resources/policies/
    - Collaborative compilation of policies

Policy Style
  • Why Does Style Matter?
  • Writing the Policies
  • Organizing the Policies
  • Presenting the Policies
  • Maintaining the Policies

Why Does Style Matter?
CLASS DISCUSSION

Writing the Policies
  • Orientation: prescriptive and proscriptive
    - Clear, definite, unambiguous
  • Writing style
    - Short, simple declarative sentences
  • Reasons
    - Explain why policies make sense
    - Optional explanations
  • Indexing
    - Many different ways of locating specific policies

Organizing the Policies
  • Topical organization
    - Sequence corresponding to model of perception of security; e.g., outside-in
  • Organizational
    - Create special-purpose documents aimed at particular groups
  • Hierarchical
    - Learn from military standards
    - Increasing detail at lower levels

Presenting the Policies
  • Printed text
    - Huge loose-leaf binders; or
    - Short paper documents; or
    - Reference cards, summary sheets, stickers, posters
    - Updating a headache
  • Electronic one-dimensional text
    - E-mail updated versions periodically
  • Hypertext
    - HTML and XML
    - RTF and word processor files
    - PDF, help files

Maintaining the Policies
  • Review process
    - Employees suggest improvements
    - Committees update policy
  • Announcing changes
    - Circulate drafts for input – sense of policy ownership for employees
    - Major changes announced by high-level staff with explanations
    - Distribute changes automatically through electronic access

Review Questions
1. Distinguish among policies, controls, standards, procedures and give an example of each.
2. What are the advantages and disadvantages of using industry-standard guidelines such as COBIT or RFCs in creating policies?
3. Why is the writing style of policies important for effectiveness?
4. Why can it be useful to give reasons for policies?
5. What are the benefits and costs of providing different views of policy for different sectors of the organization?
6. What are the pros and cons of electronic vs paper distribution of policies?
7. Who should be involved in reviewing and modifying policies and policy documents? Why?

DISCUSSION