Information Security
CCS 1306
Kasunika Guruge
Lecturer (P)
School of IT & Computing
SLTC Research University
Information Security Frameworks
What are Policies?
● The written aspect of governance (including security governance) is known as
policy.
● Policies are documents published, promoted or distributed by senior
management describing the organization’s goals.
● Security policies are the policies that address the security goals of an organization.
● Typically, policies are drafted by subject matter experts, shared among
stakeholders for review and comment, revised, and then presented to senior
management for final approval.
● Example policies:
IT Security Policy
Password Policy
Disaster Recovery Policy
What are Standards?
● Standards contain technical specifications or other precise criteria designed to be
used consistently as a rule or guideline.
● Also known as frameworks.
● Standards can either come from within the organization or from external sources.
● Standards organizations:
ISO – International Organization for Standardization
NIST – National Institute of Standards & Technology
ISOC – Internet Society, etc.
What are Procedures?
● Procedures are explicit, repeatable activities to accomplish a specific task.
● Procedures can address one-time or infrequent actions, or common, regular
occurrences.
● Proper documentation of procedures, and training personnel on how to locate and
perform them, is necessary for the organization to derive benefit from its
procedures.
● Procedures describe the actual actions that need to be taken by the personnel
in the organization.
What are Guidelines?
● Guidelines are like standards in that they describe practices and expectations of
activity to best accomplish tasks and attain goals.
● Unlike standards, guidelines are not mandates but rather recommendations and
suggestions.
● Guidelines may be created internally, for use by the organization, or come from
external sources.
Hierarchy
● Policies are at the top of the hierarchy. Senior management dictates policy, so all
activity within the organization should conform to policy.
● Standards are next; the organization’s policies should specify which standards
the organization adheres to.
● Guidelines inform the organization how to conduct activities. Guidelines are not
mandatory.
● Procedures are the least powerful level of the hierarchy, but they are the most detailed.
Information Security Frameworks
ISO – International Organization for Standardization
● ISO is an international standard-setting body composed of representatives
from various national standards organizations.
● The organization promotes worldwide proprietary, industrial, and commercial
standards.
● ISO’s information security related standards are commonly known as the ISO27k
standards, because the whole family of information security standards starts
from ISO/IEC 27001.
● Examples of information security related standards:
- ISO/IEC 27001 – Information security management systems
- ISO/IEC 27005 – Information security risk management
- ISO/IEC 27018 – Code of practice for controls to protect personally identifiable
information processed in public cloud computing services
ISO/IEC 27001
● ISO/IEC 27001 – Information security management systems.
● This standard provides requirements for
✓ establishing
✓ implementing
✓ maintaining and
✓ continually improving an information security management system.
● The standard states the adequate security controls to protect the information
assets.
● ISO/IEC standards are under copyright and cannot be redistributed without
purchase.
ISO/IEC 27018
● ISO/IEC 27018 – Code of practice for controls to protect personally identifiable
information (PII) processed in public cloud computing services.
● This standard ensures that a cloud service provider has appropriate
procedures in place for handling PII.
● Example:
Requirements for the encryption of PII in transit, when stored, and also on
any removable physical media.
NIST – National Institute of Standards and Technology
● NIST is a United States-based federal technology agency that works with
industry to develop and apply technology, measurements and standards.
● The NIST Computer Security Division (CSD) focuses on providing measurements
and standards to protect information systems.
NIST Cybersecurity Framework
● The NIST Cybersecurity Framework provides a policy framework of computer
security guidance for how private sector organizations in the United States can
assess and improve their ability to prevent, detect, and respond to cyber
attacks.
● Identify – Develop an organizational understanding to manage cybersecurity risk to
systems, people, assets, data, and capabilities.
● Protect – Develop and implement appropriate safeguards to ensure delivery of
critical services.
NIST Cybersecurity Framework
● Detect – Develop and implement appropriate activities to identify the occurrence
of a cybersecurity event.
● Respond – Develop and implement appropriate activities to take action
regarding a detected cybersecurity incident.
● Recover – Develop and implement appropriate activities to maintain plans for
resilience and to restore any capabilities or services that were impaired due to a
cybersecurity incident.
● Refer for more details: https://www.nist.gov/cyberframework
Activity 03
● Find more information about other security frameworks.
QUESTIONS?
Thank You!