Cyber Law and Policy: Lesson 6 Information Security Policies

CYBER LAW AND POLICY

Lesson 6
Information security policies
Objectives
• Upon completion of this material you should be able to:
– Define information security policy and understand its central role in
a successful information security program
– Describe the three major types of information security policy and
explain what goes into each type
– Develop, implement, and maintain various types of information
security policies
Introduction
• Policy is the essential foundation of an effective
information security program
– “The success of an information resources protection program
depends on the policy generated, and on the attitude of
management toward securing information on automated systems”
• Policy maker sets the tone and emphasis on the
importance of information security
Introduction (cont’d.)
• Policy objectives
– Reduced risk
– Compliance with laws and regulations
– Assurance of operational continuity, information integrity, and
confidentiality
Why Policy?
• A quality information security program begins and ends
with policy
• Policies are the least expensive means of control and
often the most difficult to implement
• Basic rules for shaping a policy
– Policy should never conflict with law
– Policy must be able to stand up in court if challenged
– Policy must be properly supported and administered
Why Policy? (cont’d.)
Figure 4-1 The bull’s eye model (Source: Course Technology/Cengage Learning)
Why Policy? (cont’d.)
• Bull’s-eye model layers
– Policies: first layer of defense
– Networks: threats first meet the organization’s network
– Systems: computers and manufacturing systems
– Applications: all applications systems
Why Policy? (cont’d.)
• Policies are important reference documents
– For internal audits
– For the resolution of legal disputes about whether management
exercised due care
– Policy documents can act as a clear statement of management's
intent
Policy, Standards, and Practices
• Policy
– A plan or course of action that influences decisions
– For policies to be effective they must be properly disseminated,
read, understood, agreed-to, and uniformly enforced
– Policies require constant modification and maintenance
Policy, Standards, and Practices (cont’d.)
• Types of information security policy
– Enterprise information security program policy
– Issue-specific information security policies
– Systems-specific policies
• Standards
– A more detailed statement of what must be done to comply with
policy
• Practices
– Procedures and guidelines explain how employees will comply with
policy
Policies, Standards, & Practices
Figure 4-2 Policies, standards and practices (Source: Course Technology/Cengage Learning)
Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for organization’s
security efforts
• Assigns responsibilities for various areas of information
security
• Guides development, implementation, and management
requirements of information security program
Example EISP Components
• Statement of purpose
– What the policy is for
• Information security elements
– Defines information security
• Need for information security
– Justifies importance of information security in the organization
Example EISP Components (cont’d.)
• Information security responsibilities and roles
– Defines organizational structure
• Reference to other information security standards and
guidelines
Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
– Instructs the organization in the secure use of a technology system
– Begins with introduction to fundamental technological philosophy of
the organization
• Protects organization from inefficiency and ambiguity
– Documents how the technology-based system is controlled
Issue-Specific Security Policy (cont’d.)
• Protects organization from inefficiency and ambiguity
(cont’d.)
– Identifies the processes and authorities that provide this control
• Covers the organization against liability for an employee’s
inappropriate or illegal system use
Issue-Specific Security Policy (cont’d.)
• Every organization’s ISSP should:
– Address specific technology-based systems
– Require frequent updates
– Contain an issue statement on the organization’s position on an
issue
Issue-Specific Security Policy (cont’d.)
• ISSP topics
– Email and internet use
– Prohibitions against hacking
– Home use of company-owned computer equipment
– Use of personal equipment on company networks
– Use of telecommunications technologies
– Use of photocopy equipment
Components of the ISSP
1. Statement of Purpose
– Scope and applicability
– Definition of technology addressed
– Responsibilities
2. Authorized Access and Usage of Equipment
– User access
– Fair and responsible use
– Protection of privacy
Components of the ISSP (cont’d.)
3. Prohibited Usage of Equipment
– Disruptive use or misuse
– Criminal use
– Offensive or harassing materials
– Copyrighted, licensed or other intellectual property
– Other restrictions
Components of the ISSP (cont’d.)
4. Systems management
– Management of stored materials
– Employer monitoring
– Virus protection
– Physical security
– Encryption
5. Violations of policy
– Procedures for reporting violations
– Penalties for violations
Components of the ISSP (cont’d.)
6. Policy review and modification
– Scheduled review of policy and procedures for modification
7. Limitations of liability
– Statements of liability or disclaimers
Implementing the ISSP
• Common approaches
– Several independent ISSP documents
– A single comprehensive ISSP document
– A modular ISSP document that unifies policy creation and
administration
• The recommended approach is the modular policy
– Provides a balance between issue orientation and policy
management
System-Specific Security Policy
• System-specific security policies (SysSPs) frequently do
not look like other types of policy
– They may function as standards or procedures to be used when
configuring or maintaining systems
• SysSPs can be separated into
– Management guidance
– Technical specifications
– Or combined in a single policy document
Managerial Guidance SysSPs
• Created by management to guide the implementation and
configuration of technology
• Applies to any technology that affects the confidentiality,
integrity or availability of information
• Informs technologists of management intent
Technical Specifications SysSPs
• System administrators’ directions on implementing
managerial policy
• Each type of equipment has its own type of policies
• General methods of implementing technical controls
– Access control lists
– Configuration rules
Technical Specifications SysSPs (cont’d.)
• Access control lists
– Include the user access lists and capability tables that govern
users’ rights and privileges
– A related method, the capability table, specifies which subjects and
objects a user or group can access
– These specifications are frequently complex matrices rather than
simple lists or tables
Technical Specifications SysSPs (cont’d.)
• Access control lists (cont’d.)
– Enable administrators to restrict access according to user,
computer, time, duration, or even a particular file
• Access control lists regulate
– Who can use the system
– What authorized users can access
– When authorized users can access the system
Technical Specifications SysSPs (cont’d.)
• Access control lists regulate (cont’d.)
– Where authorized users can access the system from
– How authorized users can access the system
– Restricting what users can access, e.g. printers, files,
communications, and applications
• Administrators set user privileges
– Read, write, create, modify, delete, compare, copy
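The same access control matrix rendered both ways the slides describe (an ACL per object, a capability table per subject), with a default-deny check across the who, what, when and where dimensions listed above. This is an added Python example, not material from the course or its textbook; the subjects, objects, hours and source networks are constructed sample values.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed access control matrix: rows are subjects, columns are objects, cells hold
# the privileges the slide lists (read, write, create, modify, delete, compare, copy).
MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write", "modify"}, "printer-3f": {"create"}},
    "bob":   {"payroll.xlsx": {"read"}, "printer-3f": {"create"}},
    "carol": {"hr-db": {"read", "copy"}},
}

# Constructed "when" and "where" restrictions per subject: allowed hours and source networks.
CONTEXT = {
    "alice": {"hours": ("08:00", "18:00"), "nets": ["10.1.0.0/16"]},
    "bob":   {"hours": ("09:00", "17:00"), "nets": ["10.1.0.0/16", "10.2.0.0/16"]},
    "carol": {"hours": ("00:00", "23:59"), "nets": ["10.3.0.0/24"]},
}

def acl_view(matrix):
    """Column-wise view: each object carries its own list of subjects and rights (an ACL)."""
    acl = {}
    for subject, objects in matrix.items():
        for obj, privs in objects.items():
            acl.setdefault(obj, {})[subject] = set(privs)
    return acl

def capability_view(matrix):
    """Row-wise view: each subject carries the objects it may use (a capability table)."""
    return {s: {o: set(p) for o, p in objs.items()} for s, objs in matrix.items()}

def authorize(subject, obj, priv, at, src_ip, matrix=MATRIX, context=CONTEXT):
    """Default-deny check of who, what, when and where; `at` is an 'HH:MM' string.
    Returns (allowed, reason) so every denial can be logged with its cause."""
    privs = matrix.get(subject, {}).get(obj)
    if privs is None:                          # who/what: no cell for this subject and object
        return False, "no entry"
    if priv not in privs:                      # what: cell exists but lacks this privilege
        return False, "privilege not granted"
    start, end = (time.fromisoformat(t) for t in context[subject]["hours"])
    if not start <= time.fromisoformat(at) <= end:   # when: outside the permitted window
        return False, "outside allowed hours"
    if not any(ip_address(src_ip) in ip_network(n) for n in context[subject]["nets"]):
        return False, "source network not allowed"   # where: request from an unexpected network
    return True, "allowed"
```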
Technical Specifications SysSPs (cont’d.)
Figure 4-5 Windows XP ACL (Source: Course Technology/Cengage Learning)
Technical Specifications SysSPs (cont’d.)
• Configuration rules
– Specific instructions entered into a security system to regulate how
it reacts to the data it receives
– Rule policies are more specific to system operation than ACLs
– May or may not deal with users directly
Technical Specifications SysSPs (cont’d.)
• Many security systems require specific configuration
scripts telling the systems what actions to perform on
each set of information they process
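A first-match rule evaluator in the style of the firewall configuration rules the slides refer to (Figure 4-6), together with a check for rules that an earlier, broader rule shadows so they can never fire. This is an added Python example, not from the course materials; the rule set and addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set. Firewalls evaluate rules top-down and the first match decides,
# so rule ORDER is part of the policy. Fields: source, destination, protocol, dest port, action.
RULES = [
    ("10.0.0.0/8",     "192.168.5.10/32", "tcp", 25,   "allow"),  # internal hosts -> mail relay
    ("0.0.0.0/0",      "192.168.5.20/32", "tcp", 443,  "allow"),  # anyone -> public web server
    ("192.168.9.0/24", "0.0.0.0/0",       "any", None, "deny"),   # quarantined subnet, all traffic
    ("10.0.0.0/8",     "0.0.0.0/0",       "tcp", None, "allow"),  # internal TCP outbound
    ("10.5.0.0/16",    "0.0.0.0/0",       "tcp", 22,   "deny"),   # intended: no SSH from 10.5/16
    ("0.0.0.0/0",      "0.0.0.0/0",       "any", None, "deny"),   # explicit cleanup rule: default deny
]

def _covers(rule, src, dst, proto, port):
    """True when a single rule matches the given connection attempt."""
    r_src, r_dst, r_proto, r_port, _ = rule
    return (ip_address(src) in ip_network(r_src)
            and ip_address(dst) in ip_network(r_dst)
            and r_proto in ("any", proto)
            and (r_port is None or r_port == port))

def evaluate(src, dst, proto, port, rules=RULES):
    """First-match evaluation: returns (action, index of the rule that fired)."""
    for i, rule in enumerate(rules):
        if _covers(rule, src, dst, proto, port):
            return rule[4], i
    return "deny", None   # nothing matched: deny rather than rely on an implicit allow

def shadowed_rules(rules=RULES):
    """Indices of rules that can never fire because an earlier rule matches everything
    they would match. Such rules are a configuration defect, not a control."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (ip_network(later[0]).subnet_of(ip_network(earlier[0]))
                    and ip_network(later[1]).subnet_of(ip_network(earlier[1]))
                    and earlier[2] in ("any", later[2])
                    and (earlier[3] is None or earlier[3] == later[3])):
                out.append(j)
                break
    return out
```

Running `shadowed_rules()` on the constructed set reports the SSH deny at index 4: the broader "internal TCP outbound" allow above it fires first, so the intended restriction is never applied.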
Technical Specifications SysSPs (cont’d.)
Figure 4-6 Firewall configuration rules (Source: Course Technology/Cengage Learning)
Technical Specifications SysSPs (cont’d.)
• Often organizations create a single document combining
elements of both management guidance and technical
specifications SysSPs
• This can be confusing but is practical
• Care should be taken to articulate the required actions clearly as
the procedures are presented
Figure 4-7 IDPS configuration rules (Source: Course Technology/Cengage Learning)
Guidelines for Effective Policy
• For policies to be effective, they must be
properly:
– Developed using industry-accepted practices
– Distributed or disseminated using all
appropriate methods
– Reviewed or read by all employees
– Understood by all employees
– Formally agreed to by act or assertion
– Uniformly applied and enforced
Developing Information Security Policy
• It is often useful to view policy development
as a two-part project
– First, design and develop the policy (or
redesign and rewrite an outdated policy)
– Second, establish management processes to
sustain the policy within the organization
• The former is an exercise in project
management, while the latter requires
adherence to good business practices
Developing Information Security Policy (cont’d.)
• Policy development projects should be
– Well planned
– Properly funded
– Aggressively managed to ensure they are
completed on time and within budget
• The policy development project can be
guided by the SecSDLC process
Developing Information Security Policy (cont’d.)
• Investigation phase
– Obtain support from senior management, and
active involvement of IT management,
specifically the CIO
– Clearly articulate the goals of the policy project
– Gain participation of correct individuals
affected by the recommended policies
Developing Information Security Policy (cont’d.)
• Investigation phase (cont’d.)
– Involve legal, human resources and end-users
– Assign a project champion with sufficient
stature and prestige
– Acquire a capable project manager
– Develop a detailed outline of and sound
estimates for project cost and scheduling
Developing Information Security Policy (cont’d.)
• Analysis phase should produce
– New or recent risk assessment or IT audit
documenting the current information security
needs of the organization
– Key reference materials
• Including any existing policies
Developing Information Security Policy (cont’d.)
Figure 4-8 End user license agreement for Microsoft Windows XP (Source: Course Technology/Cengage Learning)
Developing Information Security Policy (cont’d.)
• Design phase includes
– How the policies will be distributed
– How verification of the distribution will be
accomplished
– Specifications for any automated tools
– Revisions to feasibility analysis reports based
on improved costs and benefits as the design
is clarified
Developing Information Security Policy (cont’d.)
• Implementation phase includes
– Writing the policies
• Making certain the policies are enforceable as
written
• Policy distribution is not always straightforward
• Effective policy is written at a reasonable reading
level, and attempts to minimize technical jargon and
management terminology
Developing Information Security Policy (cont’d.)
• Maintenance Phase
– Maintain and modify the policy as needed to
ensure that it remains effective as a tool to
meet changing threats
– The policy should have a built-in mechanism
via which users can report problems with the
policy, preferably anonymously
– Periodic review should be built into the
process
Policy Comprehension
Figure 4-9 Readability statistics (Source: Course Technology/Cengage Learning)
A Final Note on Policy
• Lest you believe that the only reason to
have policies is to avoid litigation, it is
important to emphasize the preventative
nature of policy
– Policies exist, first and foremost, to inform
employees of what is and is not acceptable
behavior in the organization
– Policy seeks to improve employee productivity,
and prevent potentially embarrassing situations
Summary
• Introduction
• Why Policy?
• Enterprise Information Security Policy
• Issue-Specific Security Policy
• System-Specific Policy
• Guidelines for Policy Development