1 Lec
Slide 2
Introduction
• Policy is designed to create a productive and effective work environment,
free from unnecessary distractions and inappropriate actions.
Slide 3
Introduction
• Policy is the essential foundation of an effective information security
program.
Slide 4
Why Policy?
• A quality information security program begins and ends with policy.
Slide 5
Why Policy?
• All policies must contribute to the success of the organization.
Slide 6
The Bulls-eye Model
Bulls-eye model layers, from the outside in:
• Policies - the outer layer in the bull's-eye diagram, where security effort begins
• Networks, Systems, and Applications - the inner layers, each constrained by the layer outside it
Slide 7
Policy, Standards, and Practices
• Policy is “a plan or course of action, as of a government, political party, or
business, intended to influence and determine decisions, actions, and other
matters”.
Slide 8
Policy, Standards, and Practices
• For policies to be effective, they must be:
• properly disseminated
• read
• understood
• agreed-to
Slide 9
Policy, Standards, and Practices
Slide 10
Types of information security policy:
• In order to produce a complete information security policy, management
must define three types of information security policy:
• Enterprise information security program policy (EISP)
• Issue-specific information security policies (ISSP)
• Systems-specific information security policies (SySSP)
Slide 11
Enterprise Information Security Policy (EISP)
• The high-level information security policy that sets the strategic direction,
scope, and tone for all of an organization’s security efforts.
Slide 12
Enterprise Information Security Policy (EISP) Cntd…
Most EISP documents should provide:
• An overview of the corporate philosophy on security
• Information on the structure of the information security organization and
individuals that fulfill the information security role
• Fully articulated responsibilities for security that are shared by all members of
the organization
• Fully articulated responsibilities for security that are unique to each role
within the organization
Slide 13
Components of the EISP Cntd…
• Statement of Purpose - Answers the question “What is this policy for?” Provides
a framework that helps the reader understand the intent of the document.
• Information Technology Security Elements - Defines information security.
• Need for Information Technology Security - Provides information on the
importance of information security in the organization and the obligation (legal
and ethical) to protect critical information whether regarding customers,
employees, or markets.
• Information Technology Security Responsibilities and Roles - Defines the
organizational structure designed to support information security within the
organization.
• Reference to Other Information Technology Standards and Guidelines - Lists the
other standards that influence, and are influenced by, this policy document.
Slide 14
Issue-Specific Security Policy (ISSP)
• An issue-specific security policy (ISSP) is designed to regulate the use of
a particular technology or other resource within the organization.
• A sound issue-specific security policy provides detailed, targeted guidance to
instruct all members of the organization in the use of technology-based
systems.
• The ISSP should begin with an introduction to the fundamental technological
philosophy of the organization.
• This serves to protect both the employee and the organization from
inefficiency and ambiguity.
Slide 15
Issue-Specific Security Policy (ISSP) Cntd…
An effective ISSP accomplishes the following:
• Articulates the organization’s expectations about how the technology-based
system in question should be used
Slide 16
Issue-Specific Security Policy (ISSP) Cntd…
The following are typical issues whose handling would require an ISSP in most organizations.
• Use of e-mail, instant messaging (IM), and other electronic communications applications
• Use of the Internet, the Web, and company networks by company equipment
• Malware protection requirements (such as anti-malware software implementation)
• Installation and use of non-organizationally issued software or hardware on organization assets, such
as personal computing devices or Internet of things (IoT) appliances
• Processing and/or storage of organizational information on non-organizationally owned computers,
such as cloud computing providers
• Removal of organizational equipment from organizational property
• Use of personal equipment on company networks, such as "BYOD" (bring your own device)
• Use of personal technology during work hours (mobile phones, tablets, etc.)
• Use of photocopying and scanning equipment
Slide 17
Components of the ISSP Cntd…
Slide 18
Systems-Specific Policies (SysSP)
• SysSPs may often be created to function as standards or procedures to be
used when configuring or maintaining systems - for example, to configure and
operate a network firewall.
• SysSPs can be separated into two general groups, managerial guidance and
technical specifications, or they may be written like the example noted above
to combine these two types of SysSP content into a single policy document.
Slide 19
Systems-Specific Policies (SysSP) Cntd…
Managerial Guidance SysSPs
• A systems-specific security policy that expresses management’s intent for the acquisition,
implementation, configuration, and management of a particular technology, written from a business
perspective.
Technical Specifications SysSPs
• A type of systems-specific security policy that expresses technical details for the acquisition,
implementation, configuration, and management of a particular technology, written from a technical
perspective.
The manager is primarily responsible for the creation of the managerial guidance version of the
SysSP, while system administrators are usually the primary authors or architects of the technical
specifications version.
While the specific configuration of a firewall belongs in the technical specifications SysSP, the process of
constructing and implementing the firewall must follow the guidelines established by management.
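The split between the two SysSP types can be made concrete: management's guidance (default deny, only approved services exposed, every allow rule justified by a change record) is written down as checks, and the technical specification (the actual rule set) is audited against them before it is deployed. The following is an added illustration, not part of the lecture slides or of any vendor's firewall tooling. The rule format, the approved-service list and the change-ticket references are assumptions, and the sample rule set is constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Union

ANY = "any"


@dataclass
class Rule:
    """One line of a hypothetical firewall technical specification (SysSP)."""
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    port: Union[int, str]    # destination port or "any"
    comment: str = ""        # business justification / change ticket


# Managerial guidance, encoded as data (assumed content of a managerial SysSP):
# only these inbound services may be exposed.
APPROVED_INBOUND_PORTS = {443, 22}


def net_covers(outer: str, inner: str) -> bool:
    """True if address field `outer` matches every address `inner` matches."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    a = ipaddress.ip_network(outer, strict=False)
    b = ipaddress.ip_network(inner, strict=False)
    return a.version == b.version and b.subnet_of(a)


def field_covers(outer, inner) -> bool:
    """Same idea for scalar fields (protocol, port)."""
    return outer == ANY or (inner != ANY and outer == inner)


def rule_covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` would match is already decided by `outer`."""
    return (field_covers(outer.proto, inner.proto)
            and net_covers(outer.src, inner.src)
            and net_covers(outer.dst, inner.dst)
            and field_covers(outer.port, inner.port))


def is_default_deny(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.proto == ANY and rule.src == ANY
            and rule.dst == ANY and rule.port == ANY)


def audit(rules: List[Rule]) -> List[str]:
    """Check a technical-spec rule set against the managerial guidance above.

    Returns a list of findings; an empty list means the rule set complies.
    """
    findings = []
    if not rules or not is_default_deny(rules[-1]):
        findings.append("rule set must end with an explicit deny-all (default deny)")
    for i, r in enumerate(rules):
        if r.action == "allow":
            if r.src == ANY and r.dst == ANY and r.port == ANY:
                findings.append(f"rule {i}: allow any/any/any is prohibited")
            elif r.port == ANY or r.port not in APPROVED_INBOUND_PORTS:
                findings.append(f"rule {i}: service {r.port} is not on the approved list")
            if not r.comment:
                findings.append(f"rule {i}: allow rule lacks a documented justification")
        # A rule fully covered by an earlier rule can never match: a sign that
        # the spec has drifted from what management believes is in force.
        for j in range(i):
            if rule_covers(rules[j], r):
                findings.append(f"rule {i}: never matches, fully shadowed by rule {j}")
                break
    return findings


# Constructed sample rule set (not from any real deployment).
SAMPLE_RULES = [
    Rule("allow", "tcp", ANY, "203.0.113.10/32", 443, "CHG-1042: public web front end"),
    Rule("allow", "tcp", "198.51.100.0/24", "203.0.113.10/32", 22, "CHG-1043: admin SSH from VPN range"),
    Rule("allow", "tcp", "198.51.100.0/24", "203.0.113.10/32", 22, ""),      # duplicate, undocumented
    Rule("allow", "tcp", ANY, "203.0.113.11/32", 3389, "CHG-1050: vendor RDP"),  # not an approved service
    Rule("deny", ANY, ANY, ANY, ANY, "default deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Running the block prints three findings for the sample set: the undocumented duplicate rule, the fact that it is shadowed by the rule before it, and the unapproved RDP exposure. Adding a check here is how a new management requirement reaches the technical specification without rewriting the firewall configuration by hand.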
Slide 20
Guidelines for Policy Development and Implementation
• In general, policy is only enforceable and legally defensible if it is properly designed,
developed, and implemented using a process that assures repeatable results.
Slide 21
Guidelines for Policy Development and Implementation
Slide 22
The Policy Project
• Like any IT project, a policy development or re-development project should
be well planned, properly funded, and aggressively managed to ensure that
it is completed on time and within budget.
Slide 23
SP 800-18: Guide for Developing Security Plans
The NIST Special Publication 800-18 offers another approach to policy
management.
• Because policies are living documents that constantly change and grow,
these documents must be properly disseminated (distributed, read,
understood and agreed to), and managed.
• Good management practices for policy development and maintenance
make for a more resilient organization.
• In order to remain current and viable, policies must have:
• an individual responsible for reviews,
• a schedule of reviews,
• a method for making recommendations for reviews, and
• a policy issue date and a revision date
Slide 24
A Final Note on Policy
• Lest you believe that the only reason to have policies is to avoid litigation,
it is important to emphasize the preventative nature of policy.
• Policies exist first, and foremost, to inform employees of what is and is not
acceptable behavior in the organization.
• This is an effort to improve employee productivity, and prevent potentially
embarrassing situations.
• If the organization could not verify that the employee was in fact properly
educated on the policy, the employee could sue the organization for
wrongful termination.
• Lawsuits cost money, and the organization could be so financially
devastated that it had to go out of business.
• Other employees lose their livelihood, and no one wins.
Slide 25
Summary
• Policy, Standards, and Practices
• Bulls-eye Model
• Types of Information Security Policy
• Enterprise information security program policy (EISP)
• Issue-specific information security policies (ISSP)