CH 05
Learning Objectives
Upon completion of this material, you should be able to:
Define management's role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
Describe what an information security blueprint is, identify its major components, and explain how it supports the information security program
Introduction
Creation of an information security program begins with the creation and/or review of an organization's information security policies, standards, and practices. Then, the selection or creation of an information security architecture and the development and use of a detailed information security blueprint create a plan for future success. Without policy, blueprints, and planning, an organization is unable to meet the information security needs of its various communities of interest.
Principles of Information Security, Fourth Edition 4
Governance framework
Definitions
Policy: course of action used by an organization to convey instructions from management to those who perform duties; policies are organizational laws
Standards: more detailed statements of what must be done to comply with policy
Practices, procedures, and guidelines: effectively explain how to comply with policy
For a policy to be effective, it must be properly disseminated, read, understood, and agreed to by all members of the organization, and uniformly enforced
EISP Elements
An overview of the corporate philosophy on security
Information on the structure of the information security organization and the individuals who fulfill the information security role
Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
Fully articulated responsibilities for security that are unique to each role within the organization
ACL policies: ACLs can restrict access for a particular user, computer, time, or duration, and even for a particular file
Configuration rule policies
Combination SysSPs
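As an added example (not from the textbook), the following Python evaluator shows how one ACL can carry all of the constraints listed above at once: user, requesting computer, time of day, session duration, and file. The rule set, user and host names, paths, and timestamps are constructed for illustration. Two points the slide does not show are made explicit in the code: rules are evaluated first-match, so an explicit deny placed before an allow overrides it, and a request that matches no rule at all is denied (default deny).

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One ACL entry. Every field is a constraint; the rule applies only if all of them match."""
    effect: str                              # "allow" or "deny"
    users: Tuple[str, ...] = ("*",)          # glob patterns on the user name
    hosts: Tuple[str, ...] = ("*",)          # glob patterns on the requesting computer
    paths: Tuple[str, ...] = ("*",)          # glob patterns on the file path
    hours: Optional[Tuple[int, int]] = None  # (start, end) hour of day, end exclusive; None = any time
    max_session_s: Optional[int] = None      # longest permitted session in seconds; None = unlimited


@dataclass(frozen=True)
class Request:
    user: str
    host: str
    path: str
    at: datetime      # when the access is attempted
    session_s: int    # how long the user's session has already been open


def _any_match(patterns: Tuple[str, ...], value: str) -> bool:
    return any(fnmatchcase(value, p) for p in patterns)


def rule_applies(rule: Rule, req: Request) -> bool:
    """True only if the user, host, path, time-of-day and duration constraints all hold."""
    if not _any_match(rule.users, req.user):
        return False
    if not _any_match(rule.hosts, req.host):
        return False
    if not _any_match(rule.paths, req.path):
        return False
    if rule.hours is not None:
        start, end = rule.hours
        if not (start <= req.at.hour < end):
            return False
    if rule.max_session_s is not None and req.session_s > rule.max_session_s:
        return False
    return True


def evaluate(acl: Tuple[Rule, ...], req: Request) -> bool:
    """First matching rule decides; a request that matches no rule is denied (default deny)."""
    for rule in acl:
        if rule_applies(rule, req):
            return rule.effect == "allow"
    return False


# Constructed rule set (hypothetical organization). Order matters: the contractor
# deny sits above the finance allow so it cannot be shadowed by a broader rule.
ACL = (
    Rule("deny", users=("contractor*",), paths=("/finance/*",)),
    Rule("allow", users=("alice",), hosts=("fin-ws-*",), paths=("/finance/*",),
         hours=(8, 18), max_session_s=8 * 3600),
    Rule("allow", users=("*",), paths=("/public/*",)),
)


def demo() -> dict:
    """Evaluate constructed requests against ACL; returns case name -> True (allow) / False (deny)."""
    noon = datetime(2024, 3, 4, 12, 0)   # constructed timestamp, inside office hours
    night = datetime(2024, 3, 4, 22, 0)  # constructed timestamp, outside office hours
    cases = {
        "alice_office_hours":     Request("alice", "fin-ws-01", "/finance/q3.xlsx", noon, 3600),
        "alice_after_hours":      Request("alice", "fin-ws-01", "/finance/q3.xlsx", night, 3600),
        "alice_wrong_host":       Request("alice", "laptop-07", "/finance/q3.xlsx", noon, 3600),
        "alice_session_too_long": Request("alice", "fin-ws-01", "/finance/q3.xlsx", noon, 9 * 3600),
        "contractor_finance":     Request("contractor-bob", "fin-ws-01", "/finance/q3.xlsx", noon, 60),
        "contractor_public":      Request("contractor-bob", "fin-ws-01", "/public/handbook.pdf", noon, 60),
        "unknown_user_hr_file":   Request("mallory", "fin-ws-01", "/hr/salaries.csv", noon, 60),
    }
    return {name: evaluate(ACL, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

Note that a constraint failure does not produce a deny from that rule; the rule simply does not apply and evaluation falls through to the next one, which is why the explicit default deny at the end of `evaluate` is what actually blocks the after-hours and over-length sessions here.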
Figure 5-4 Check Point VPN-1/Firewall-1 Policy Editor (VPN-1/Firewall-1 Policy Editor courtesy of Check Point Software Technologies Ltd.)
Policy Management
Policies must be managed because they constantly change. To remain viable, security policies must have:
An individual responsible for the policy (policy administrator)
A schedule of reviews
A method for making recommendations for reviews
A specific policy issuance and revision date
Automated policy management
Security perimeter
Point at which an organization's security protection ends and the outside world begins
Does not apply to internal attacks from employee threats or on-site physical threats
Security Education
Everyone in an organization needs to be trained and aware of information security; not every member needs a formal degree or certificate in information security
When formal education for individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education
A number of universities have formal coursework in information security
Security Training
Involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely
Management of information security can develop customized in-house training or outsource the training program
Alternatives to formal training include conferences and programs offered through professional organizations
Security Awareness
One of the least frequently implemented but most beneficial programs is the security awareness program
Designed to keep information security at the forefront of users' minds
Need not be complicated or expensive
If the program is not actively implemented, employees begin to tune out, and the risk of employee accidents and failures increases
Continuity Strategies
Incident response plans (IRPs); disaster recovery plans (DRPs); business continuity plans (BCPs)
Primary functions of the above plans:
IRP focuses on immediate response; if the attack escalates or is disastrous, the process changes to disaster recovery and BCP
DRP typically focuses on restoring systems after disasters occur; as such, it is closely associated with BCP
BCP occurs concurrently with DRP when damage is major or long term, requiring more than simple restoration of information and information resources
Incident response (IR) is more reactive than proactive, with the exception of planning that must occur to prepare IR teams to be ready to react to an incident
IR team consists of the individuals needed to handle systems as the incident takes place
Planners should develop guidelines for reacting to and recovering from an incident
Incident detection
Most common occurrence is a complaint about technology support, often delivered to the help desk
Careful training is needed to quickly identify and classify an incident
Once the attack is properly identified, the organization can respond
Crisis Management
Actions taken during and after a disaster that focus on the people involved and address the viability of the business
What may truly distinguish an incident from a disaster are the actions of the response teams
Disaster recovery personnel must know their roles without any supporting documentation, which is achieved through preparation, training, and rehearsal
Summary
Management has an essential role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
The information security blueprint is a planning document that is the basis for the design, selection, and implementation of all security policies, education and training programs, and technological controls
Summary (contd.)
Information security education, training, and awareness (SETA) is a control measure that reduces accidental security breaches and increases organizational resistance to many other forms of attack
Contingency planning (CP) is made up of three components: incident response planning (IRP), disaster recovery planning (DRP), and business continuity planning (BCP)