Chapter04-Security Policy and Standards

The chapter focuses on information security policy including what it is, how to write it, implement it, and maintain it. It discusses the importance of policy as the foundation of an effective information security program and how to develop an enterprise information security policy, issue-specific security policies, and system-specific security policies.


Management of Information Security

Chapter 3
Security Policy and Standards
Part I

1. Introduction
2. Policy
3. Enterprise Information Security Policy
4. Issue-Specific Security Policy (ISSP)
5. System-Specific Policy
6. Guidelines for Policy Management
7. Another Approach to Policy Development
8. SP 800-18 Guide for Developing

CPSC 449/Fall 2005 Security Information Management 2


Introduction

This chapter focuses on information security policy:
- What it is
- How to write it
- How to implement it
- How to maintain it


Policy

- Policy is an essential foundation of an effective infosec program
- The success of an information resources protection program depends on the policy generated, & on the attitude of management toward securing information on automated systems.


- You, the policy maker, set the tone & the emphasis on how important a role infosec will have within your agency.
- Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws & regulations, & assurance of operational continuity, information integrity, & confidentiality.


- A quality infosec program begins & ends with policy
- Policies are the least expensive means of control & often the most difficult to implement
- Basic rules to follow when shaping policy:
  - Never conflict with law
  - Stand up in court
  - Properly supported and administered
  - Contribute to the success of the organization
  - Involve end users of information systems
- Focus on the systemic solutions, not specifics


Bulls-eye model layers

1. Policies: first layer of defense
2. Networks: where threats first meet the organization's network
3. Systems: computers & manufacturing systems
4. Applications: all application systems

- Policies are important reference documents for internal audits & for resolution of legal disputes about management's due diligence
- Policy documents can act as a clear statement of management's intent


- Policy: plan or course of action that influences & determines decisions
- Standards: more detailed statement of what must be done to comply with policy
- Practices, procedures & guidelines: explain how employees will comply with policy


- For policies to be effective, they must be:
  - Properly disseminated
  - Read
  - Understood
  - Agreed-to
- Policies require constant modification & maintenance
- In order to produce a complete infosec policy, management must define 3 types of infosec policy:
  - Enterprise infosec program policy
  - Issue-specific infosec policies
  - Systems-specific infosec policies




Enterprise InfoSec Policy (EISP)

- Sets strategic direction, scope, & tone for the organization's security efforts
- Assigns responsibilities for various areas of infosec
- Guides development, implementation, & management requirements of the infosec program


EISP documents should provide:
- An overview of corporate philosophy on security
- Information about the infosec organization & infosec roles:
  - Responsibilities for security shared by all organization members
  - Responsibilities for security unique to each organizational role


Components of the EISP

- Statement of Purpose: what the policy is for
- Information Technology Security Elements: defines infosec
- Need for Information Technology Security: justifies the importance of infosec in the organization
- Information Technology Security Responsibilities & Roles: defines the organizational structure
- References to Information Technology standards & guidelines


Sample EISP

- Protection Of Information: Information must be protected in a manner commensurate with its sensitivity, value, & criticality
- Use Of Information: Company X information must be used only for business purposes expressly authorized by management
- Information Handling, Access, & Usage: Information is a vital asset & all accesses to, uses of, & processing of Company X information must be consistent with policies & standards
- Data & Program Damage Disclaimers: Company X disclaims any responsibility for loss or damage to data or software that results from its efforts to protect the confidentiality, integrity, & availability of the information handled by computers & communications systems
- Legal Conflicts: Company X infosec policies were drafted to meet or exceed the protections found in existing laws & regulations, & any Company X infosec policy believed to be in conflict with existing laws or regulations must be promptly reported to infosec management
- Exceptions To Policies: Exceptions to infosec policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a standard risk acceptance form has been prepared by the data owner or management, & where this form has been approved by both InfoSec management & Internal Audit management
- Policy Non-Enforcement: Management's non-enforcement of any policy requirement does not constitute its consent
- Violation Of Law: Company X management must seriously consider prosecution for all known violations of the law
- Revocation Of Access Privileges: Company X reserves the right to revoke a user's information technology privileges at any time
- Industry-Specific InfoSec Standards: Company X information systems must employ industry-specific infosec standards
- Use Of infosec Policies & Procedures: All Company X infosec documentation including, but not limited to, policies, standards, & procedures, must be classified as Internal Use Only, unless expressly created for external business processes or partners
- Security Controls Enforceability: All information systems security controls must be enforceable prior to being adopted as a part of standard operating procedure


Thinking about the EISP (10 min):
- Information Security Policy Documents
- Review and Evaluation
- Appropriate Use of Information Technology Resources
- Identification of Risks from Third Party Access
- Physical Security Area
- Personnel Security Screening
- Information Security Education and Training




Issue-Specific Security Policy (ISSP)

- Provides detailed, targeted guidance to instruct the organization in secure use of technology systems
- Begins with an introduction to the fundamental technological philosophy of the organization
- Serves to protect employee & organization from inefficiency/ambiguity
- Documents how a technology-based system is controlled
- Identifies processes & authorities that provide this control
- Serves to indemnify the organization against liability for inappropriate or illegal system use


ISSP should
- Address specific technology-based systems
- Require frequent updates
- Contain an issue statement on the organization's position on an issue


ISSP topics could include
- email
- use of Internet & World Wide Web
- specific minimum configurations of computers to defend against malware
- prohibitions against hacking or testing organization security controls
- home use of company-owned computer equipment
- use of personal equipment on company networks
- use of telecommunications technologies
- use of photocopy equipment


Components of the ISSP

- Statement of Purpose:
  - Scope & Applicability
  - Definition of Technology Addressed
  - Responsibilities
- Authorized Access & Usage of Equipment:
  - User Access
  - Fair & Responsible Use
  - Protection of Privacy
- Prohibited Usage of Equipment:
  - Disruptive Use or Misuse
  - Criminal Use
  - Offensive or Harassing Materials
  - Copyrighted, Licensed, or other Intellectual Property
  - Other Restrictions
- Systems Management:
  - Management of Stored Materials
  - Employer Monitoring
  - Virus Protection
  - Physical Security
  - Encryption
- Violations of Policy:
  - Procedures for Reporting Violations
  - Penalties for Violations
- Policy Review & Modification:
  - Scheduled Review of Policy & Procedures for Modification
- Limitations of Liability:
  - Statements of Liability or Disclaimers


Common approaches to implementing ISSP

- A number of independent ISSP documents
- A single comprehensive ISSP document
- A modular ISSP document that unifies policy creation & administration
- The recommended approach is the modular policy, which provides a balance between issue orientation & policy management


Discussion (10 min)
- Guidelines on anti-virus process
- Email policy
- Password
- Third party connection agreement
- Acceptable use policy




Systems-Specific Policies (SysSPs)

- They may often be created to function as standards or procedures to be used when configuring or maintaining systems
- SysSPs can be separated into:
  - Management guidance
  - Technical specifications
  - Combined in a single policy document


Management Guidance SysSPs

- Created by management to guide the implementation & configuration of technology
- Applies to any technology that affects the confidentiality, integrity or availability of information
- Informs technologists of management intent


Technical Specifications SysSPs

- System administrators' directions on implementing managerial policy
- Each type of equipment has its own type of policies
- Two general methods of implementing such technical controls:
  1. Access control lists
  2. Configuration rules


Access Control Lists

- ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file
- Include user access lists, matrices, & capability tables that govern rights & privileges
- Can control access to file storage systems, object brokers, or other network communications devices
- Capability Table: a similar method that specifies which subjects & objects users or groups can access
- Specifications are frequently complex matrices, rather than simple lists or tables
- Level of detail & specificity (often called granularity) may vary from system to system

ACLs regulate
- Who can use the system
- What authorized users can access
- When authorized users can access the system
- Where authorized users can access the system from
- How authorized users can access the system
- Restricting what users can access, e.g. printers, files, communications, & applications

ACL administrators set user privileges
- Read
- Write
- Create
- Modify
- Delete
- Compare
- Copy
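As an added illustration of the who/what/when/where granularity described above (this is not code from the slides), the following Python evaluates a constructed ACL that restricts access by user or group, object, privilege, time window and source network, and derives the capability-table view from the same entries; the users, objects and networks are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Privileges an ACL administrator can set (the list on the slide).
PRIVILEGES = ("read", "write", "create", "modify", "delete", "compare", "copy")

@dataclass(frozen=True)
class AclEntry:
    """One ACL entry: which subject may do what to an object, when and from where.
    Times are zero-padded "HH:MM" strings, so plain string comparison orders them."""
    subject: str                     # user or group name
    obj: str                         # file, printer, application, ...
    privileges: frozenset            # subset of PRIVILEGES
    start: str = "00:00"             # earliest time the entry applies
    end: str = "23:59"               # latest time the entry applies
    sources: tuple = ("0.0.0.0/0",)  # networks the request may originate from

# Constructed sample ACL; the users, objects and networks are hypothetical.
ACL = (
    AclEntry("alice", "payroll.xlsx", frozenset({"read", "modify"}),
             "08:00", "18:00", ("10.0.0.0/8",)),
    AclEntry("finance", "payroll.xlsx", frozenset({"read"}),
             sources=("10.0.0.0/8",)),
    AclEntry("bob", "printer-3f", frozenset({"write"})),
)

# Group membership: a user inherits the entries granted to its groups.
GROUPS = {"finance": {"alice", "carol"}}

def subjects_for(user):
    """The user itself plus every group it belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}

def check_access(user, obj, privilege, when, source_ip):
    """Default-deny decision. Returns (allowed, reason).

    Access is granted only if some entry for the user (or one of its groups)
    on this object carries the privilege, `when` ("HH:MM") lies inside the
    entry's window and `source_ip` lies in one of its networks. Each
    dimension (who, what, when, where) is an independent check.
    """
    if privilege not in PRIVILEGES:
        return False, f"unknown privilege {privilege!r}"
    addr = ip_address(source_ip)
    subjects = subjects_for(user)
    for entry in ACL:
        if entry.obj != obj or entry.subject not in subjects:
            continue                                    # wrong object or subject
        if privilege not in entry.privileges:
            continue                                    # right subject, wrong right
        if not (entry.start <= when <= entry.end):
            continue                                    # outside the time window
        if not any(addr in ip_network(net) for net in entry.sources):
            continue                                    # wrong location
        return True, f"granted by entry for {entry.subject!r} on {obj!r}"
    return False, "no matching entry (default deny)"

def capability_table():
    """The same rights viewed per subject (a capability table):
    subject -> {object: set of privileges}."""
    table = {}
    for e in ACL:
        table.setdefault(e.subject, {}).setdefault(e.obj, set()).update(e.privileges)
    return table

if __name__ == "__main__":
    print(check_access("alice", "payroll.xlsx", "modify", "09:30", "10.1.2.3"))
    print(check_access("alice", "payroll.xlsx", "modify", "20:00", "10.1.2.3"))
    print(capability_table())
```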


- Configuration rules are specific configuration codes entered into security systems to guide execution of the system when information is passing through it
- Rule policies are more specific to system operation than ACLs & may or may not deal with users directly
- Many security systems require specific configuration scripts telling systems what actions to perform on each set of information processed
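To show what an ordered rule set of this kind does with each unit of information passing through it, here is an added Python example (not from the slides) that evaluates a constructed packet-filter rule set first-match with a default deny, and lints it for rules that an earlier rule shadows; the addresses, hosts and rules are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed rule set in the style of a packet-filter configuration.
# Rules are evaluated top to bottom and the first match decides, so the
# ordering is itself part of the policy. dport None means "any port".
RULES = [
    {"src": "10.0.0.0/8", "dst": "10.20.0.5/32",  "proto": "tcp", "dport": 22,  "action": "allow", "log": True},
    {"src": "0.0.0.0/0",  "dst": "10.20.0.5/32",  "proto": "tcp", "dport": 22,  "action": "deny",  "log": True},
    {"src": "0.0.0.0/0",  "dst": "10.20.0.10/32", "proto": "tcp", "dport": 443, "action": "allow", "log": False},
    {"src": "10.0.0.0/8", "dst": "0.0.0.0/0",     "proto": "udp", "dport": 53,  "action": "allow", "log": False},
]
# Implicit cleanup rule: anything not matched above is dropped and logged.
DEFAULT = {"action": "deny", "log": True}

def matches(rule, pkt):
    """True if the packet falls inside every field of the rule."""
    return (ip_address(pkt["src"]) in ip_network(rule["src"])
            and ip_address(pkt["dst"]) in ip_network(rule["dst"])
            and (rule["proto"] == "any" or rule["proto"] == pkt["proto"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"]))

def evaluate(pkt, rules=RULES):
    """First-match evaluation. Returns (action, index of the deciding rule
    or None for the default rule, whether the decision is logged)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], i, rule["log"]
    return DEFAULT["action"], None, DEFAULT["log"]

def covers(broad, narrow):
    """True if every packet matching `narrow` also matches `broad`."""
    return (ip_network(narrow["src"]).subnet_of(ip_network(broad["src"]))
            and ip_network(narrow["dst"]).subnet_of(ip_network(broad["dst"]))
            and broad["proto"] in ("any", narrow["proto"])
            and broad["dport"] in (None, narrow["dport"]))

def shadowed(rules=RULES):
    """Lint pass: (i, j) pairs where rule i can never fire because an
    earlier rule j already covers everything it would match. Such a rule is
    either dead or, worse, an intended exception that silently does nothing."""
    found = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                found.append((i, j))
                break
    return found

if __name__ == "__main__":
    print(evaluate({"src": "10.1.1.1", "dst": "10.20.0.5", "proto": "tcp", "dport": 22}))
    print(evaluate({"src": "198.51.100.7", "dst": "10.20.0.5", "proto": "tcp", "dport": 22}))
    print(shadowed())
```

Swapping the first two rules makes the internal SSH exception unreachable, which is exactly the defect the lint pass reports.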
Combination SysSPs

- Often organizations create a single document combining elements of both Management Guidance & Technical Specifications SysSPs
- While this can be confusing, it is very practical
- Care should be taken to articulate required actions carefully as procedures are presented




Guidelines for Policy Development

- Often useful to view policy development as a two-part project:
  1. Design & develop policy (or redesign & rewrite outdated policy)
  2. Establish management processes to perpetuate policy within the organization
- The former is an exercise in project management, while the latter requires adherence to good business practices
- Policy development or re-development projects should be well planned, properly funded, & aggressively managed to ensure completion on time & within budget
- When a policy development project is undertaken, the project can be guided by the SecSDLC process


1. Investigation Phase

The policy development team should:
- Obtain support from senior management, & active involvement of IT management, specifically the CIO
- Clearly articulate the goals of the policy project
- Gain participation of the correct individuals affected by the recommended policies
- Be composed of members from Legal, Human Resources & end-users
- Assign a project champion with sufficient stature & prestige
- Acquire a capable project manager
- Develop a detailed outline of, & sound estimates for, the cost & scheduling of the project


2. Analysis Phase

Should include the following activities:
- A new or recent risk assessment or IT audit documenting the current infosec needs of the organization
- Key reference materials, including any existing policies


3 & 4. Design Phase

Should include:
- How policies will be distributed
- How verification of distribution will be accomplished
- Specifications for any automated tools
- Revisions to feasibility analysis reports based on improved costs & benefits as the design is clarified


5. Implementation Phase

- Write the policies!
- Make certain policies are enforceable as written
- Policy distribution is not always straightforward
- Effective policy:
  - Is written at a reasonable reading level
  - Attempts to minimize technical jargon & management terminology

One way to measure readability


6. Maintenance Phase

- Maintain & modify policy as needed to ensure that it remains effective as a tool to meet changing threats
- Policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously
- Periodic review should be built into the process


The InfoSec Policy Made Easy Approach (ISPME)

- Gathering Key Reference Materials
- Defining A Framework For Policies
- Preparing A Coverage Matrix
- Making Critical Systems Design Decisions
- Structuring Review, Approval, & Enforcement Processes
ISPME Checklist

- Perform a risk assessment or information technology audit to determine your org's unique infosec needs
- Clarify what policy means within your org so that you are not preparing a standard, procedure, or some other related material
- Ensure that roles & responsibilities related to infosec are clarified, including responsibility for issuing & maintaining policies
- Convince management that it is advisable to have documented infosec policies
- Identify top management staff who will be approving the final infosec document & all influential reviewers
- Collect & read all existing internal infosec awareness material & make a list of the included bottom-line messages
- Conduct a brief internal survey to gather ideas that stakeholders believe should be included in a new or updated infosec policy
- Examine other policies issued by your organization, such as those from HR management, to identify prevailing format, style, tone, length, & cross-references
- Identify the audience to receive infosec policy materials & determine whether they will each get a separate document or a separate page on an intranet site
- Determine the extent to which the audience is literate, computer knowledgeable, & receptive to security messages
- Decide whether some other awareness efforts must take place before infosec policies are issued
- Using ideas from the risk assessment, prepare a list of absolutely essential policy messages that must be communicated
- If there is more than one audience, match the audiences with the bottom-line messages to be communicated through a coverage matrix
- Determine how the policy material will be disseminated, noting the constraints & implications of each medium of communication
- Review compliance checking, disciplinary, & enforcement processes to ensure they all can work smoothly with the new policy document
- Determine whether the number of messages is too large to be handled all at one time, & if so, identify different categories of material that will be issued at different times
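As an added example (not part of the slides) of the coverage-matrix and message-batching items above, the following Python builds an audience-by-message matrix from constructed, hypothetical data, reports messages that no audience receives and audiences that receive nothing, and splits each audience's messages into successive releases.

```python
# Constructed example: the bottom-line messages stand in for the output of a
# (hypothetical) risk assessment, the audiences for the audience-identification
# step. All names and messages are made up.
MESSAGES = {
    "M1": "Classify information and handle it according to its sensitivity",
    "M2": "Run only authorized software and keep anti-virus protection current",
    "M3": "Report suspected security incidents to infosec management",
    "M4": "External connections require a signed third party connection agreement",
    "M5": "Change vendor default passwords before a system goes into production",
}
AUDIENCES = ["all staff", "system administrators", "managers", "third parties"]

# Which audiences each message is meant to reach. Assigning message by
# message (rather than audience by audience) is where gaps tend to creep in.
TARGETS = {
    "M1": {"all staff", "managers"},
    "M2": {"all staff", "system administrators"},
    "M3": {"all staff", "system administrators", "managers"},
    "M4": {"system administrators"},   # nobody thought to tell the third parties
    "M5": set(),                        # found by the risk assessment, never assigned
}

def coverage_matrix():
    """audience -> {message id: True if that audience receives it}."""
    return {a: {m: a in TARGETS.get(m, set()) for m in MESSAGES} for a in AUDIENCES}

def gaps():
    """Messages no audience receives, and audiences that receive nothing.
    Both are defects: the first is an essential message that will never be
    communicated, the second an audience with no policy material at all."""
    matrix = coverage_matrix()
    unassigned = sorted(m for m in MESSAGES if not any(matrix[a][m] for a in AUDIENCES))
    unreached = [a for a in AUDIENCES if not any(matrix[a].values())]
    return unassigned, unreached

def schedule(max_per_release):
    """If an audience has more messages than fit in one release, split its
    messages into successive releases of at most max_per_release each."""
    matrix = coverage_matrix()
    plan = {}
    for a in AUDIENCES:
        mine = sorted(m for m, hit in matrix[a].items() if hit)
        plan[a] = [mine[i:i + max_per_release] for i in range(0, len(mine), max_per_release)]
    return plan

def render():
    """Plain-text coverage matrix: one row per audience, X where covered."""
    width = max(len(a) for a in AUDIENCES)
    lines = [" " * width + "  " + "  ".join(MESSAGES)]
    for a, row in coverage_matrix().items():
        lines.append(a.ljust(width) + "  " + "  ".join("X " if row[m] else ". " for m in MESSAGES))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render())
    unassigned, unreached = gaps()
    print("unassigned messages:", unassigned, "| unreached audiences:", unreached)
    print(schedule(2))
```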


- Have an outline of topics to be included in the first document reviewed by several stakeholders
- Based on comments from stakeholders, revise the initial outline & prepare a first draft
- Have the first draft document reviewed by stakeholders for initial reactions, presentation suggestions, & implementation ideas
- Revise the draft in response to comments from stakeholders
- Request top management approval on the policy
- Prepare extracts of the policy document for selected purposes
- Develop an awareness plan that uses the policy document as a source of ideas & requirements
- Create a working papers memo indicating the disposition of all comments received from reviewers, even if no changes were made
- Write a memo about the project, what you learned, & what needs to be fixed so that the next version of the policy document can be prepared more efficiently, better received by readers, & more responsive to the unique circumstances facing your organization
- Prepare a list of next steps that will be required to implement the requirements specified in the policy document


ISPME Next Steps

- Post Policies To Intranet Or Equivalent
- Develop A Self-Assessment Questionnaire
- Develop Revised User ID Issuance Form
- Develop Agreement To Comply With InfoSec Policies Form
- Develop Tests To Determine If Workers Understand Policies
- Assign InfoSec Coordinators
- Train InfoSec Coordinators
- Prepare & Deliver A Basic InfoSec Training Course
- Develop Application Specific InfoSec Policies
- Develop A Conceptual Hierarchy Of InfoSec Requirements
- Assign Information Ownership & Custodianship
- Establish An InfoSec Management Committee
- Develop An InfoSec Architecture Document


A Final Note on Policy

- Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy
- Policies exist first & foremost to inform employees of what is & is not acceptable behaviour in the organization
- Policy seeks to improve employee productivity, & prevent potentially embarrassing situations


Summary

- Why Policy?
- Enterprise InfoSec Policy
- Issue-Specific Security Policy
- System-Specific Policy
- Guidelines for Policy Development


Part II

1. Introduction
2. Security Standard Criteria and Product Security Evaluation Process
3. Computer Products Evaluation Standards
4. Major Evaluation Criteria


1 Introduction

- Security Evaluation Process
- Security Standards and Criteria
  - The Orange Book
  - U.S. Federal Criteria
  - Information Technology Security Evaluation Criteria (ITSEC)
  - The Trusted Network Interpretation (TNI): The Red Book
  - Common Criteria (CC)


2 Security Standards, Criteria and Evaluation Process

- Purpose
- Criteria
- Process
- Structure
- Outcome/benefit


2.1 Purpose of Evaluation

- Certification
- Accreditation
- Evaluation
- Potential market benefit


2.2 Criteria

- Defines several degrees of rigor acceptable at each testing level of security
- Defines the formal requirements the product needs to meet at each assurance level
- Assurance levels are based on the Trusted Computer System Evaluation Criteria (TCSEC)


2.3 Process of Evaluation

- Two evaluation directions:
  - Product-oriented
  - Process-oriented
- 6 steps:
  1. Proposal review
  2. Technical assessment
  3. Advice
  4. Intensive preliminary technical review
  5. Evaluation
  6. Rating maintenance phase


2.4 Structure of Evaluation

- Functionality: what and how much the product can do
- Effectiveness: whether the product meets the effectiveness threshold
- Assurance: gives the buyer assurance and guarantee


2.5 Outcome/Benefits

- A great product
- For the evaluator, cuts down the evaluation cost without cutting the value of evaluation
- For the buyer, results in a good product to enhance security
- Evaluation of a computer product can be done using either a standard or a criteria


3 Computer Products Evaluation Standards

- American National Standards Institute (ANSI)
- British Standards Institute (BSI)
- Institute of Electrical and Electronic Engineers Standards Association (IEEE-SA)
- International Information System Security Certification Consortium (ISC)2
- International Organization for Standardization (ISO)
- National Institute of Standards and Technology (NIST)
- National Security Agency (NSA)
- International Architecture Board (IAB)
- Organization for the Advancement of Structured Information Standards (OASIS)
- Underwriters Laboratories
- Worldwide Web Consortium (W3C)


4 Major Evaluation Criteria

- The Orange Book
- U.S. Federal Criteria
- Information Technology Security Evaluation Criteria (ITSEC)
- The Trusted Network Interpretation (TNI): The Red Book
- Common Criteria (CC)


The Orange Book

- Three objectives:
  - A yardstick for the user
  - Guidance for the manufacturer
  - Basis for security requirements
- Two requirements:
  - Specific security feature requirements
  - Assurance requirements
- Four assurance levels:
  - Class D: Minimal Protection
  - Class C
    - C1: Discretionary Security Protection (DSP)
    - C2: Controlled Access Protection (CAP)
  - Class B
    - B1: Labeled Security Protection
    - B2: Structured Protection
    - B3: Security Domain
  - Class A1: Verified Protection


Questions

- Does evaluation mean security?
- One advantage of process-oriented security evaluation is that it is cheap. Find other reasons why it is popular. Why, despite its popularity, is it reliable?
- Why is a product rated B2/B3/A1 better than one rated C2/B1, or is it?
- How do I know if a product is evaluated?
- How do I get my product evaluated?