UNIT-IV LOGICAL DESIGN

OUTLINE
 Information Security Policy, Standards, and
Practices
 Information Security Blueprint
 NIST Security Models
 Other Sources of Security Frameworks
 Design of Security Architecture
 Security Education, Training, and Awareness
Program
 Planning for Continuity
 Information Security Policy, Standards,
and Practices
 Management from all communities of interest,
including general staff, information technology,
and information security, must make policies
the basis for all information security planning,
design, and deployment.

 Policies direct how issues should be addressed

and how technologies should be used.

 Policies do not specify the proper operation of

equipment or software.
 Information Security Policy, Standards,
and Practices
 Policies should be placed in the standards,
procedures, and practices of users’ manuals and
systems documentation.

 Policy should never oppose law;

 Policy must be able to stand up in court, if

challenged; and policy must be properly
administered through dissemination and
documented acceptance.

 Good security programs begin and end with policy

Information Security Policy, Standards,
and Practices
 Policy is a management tool that helps personnel
to function in a manner that preserves the
security of information assets.

 Security policies are the least expensive control to

execute, but the most difficult to implement
properly.

 Policies function like laws in an organization

because they dictate acceptable and no
acceptable behavior there, as well as the penalties
for failure to comply.
 Information Security Policy, Standards,
and Practices
 Policies define what is right and wrong, the
penalties for violating policy, and the appeal
process.
 Standards are more detailed statements of what
must be done to comply with policy.
 Standards may be informal or part of an
organizational culture, as in de facto standards. Or,
 Standards may be published, examined, and
approved by a group, as in formal or de jure
standards.
 Figure 4-2 shows the relationships among policies,
standards, guidelines, procedures, and practices.
Relationship between Policies, Standards, Guidelines
and Practices
 Information Security Policy, Standards,
and Practices
 A security policy is a set of rules that protects an
organization’s assets.
 An information security policy provides rules for
protection of the organization’s information
assets.
 Management must define three types of security
policy, according to Special Publication (SP) 800-14
of the National Institute of Standards and
Technology (NIST):
 1. Enterprise information security policies
 2. Issue-specific security policies
 3. Systems-specific security policies
Enterprise Information Security Policy
 An Enterprise information security policy
(EISP) is also known as a general security
policy, organizational security policy, IT
security policy, or information security policy.

 The EISP is an executive-level document,

usually enrolled by or in cooperation with the
organization’s chief information officer.

 This policy is usually 2 to 10 pages long and

shapes the philosophy of security in the IT
environment
 Enterprise Information Security Policy
 The EISP guides the development,
implementation, and management of the security
program.
 EISP sets out the requirements that must be met
by the information security blueprint or
framework.
 EISP defines the purpose, scope, constraints, and
applicability of the security program.
 EISP also assigns responsibilities for the various
areas of security, including systems
administration, maintenance of the information
security policies, and the practices and
responsibilities of users.
 EISP addresses legal compliance
 Enterprise Information Security Policy

 EISP addresses legal compliance. According to NIST,

the EISP typically addresses compliance in two
areas:
 General compliance to ensure that an
organization meets the requirements for
establishing a program and assigning
responsibilities therein to various organizational
components

 The use of specified penalties and disciplinary

action.
EISP Elements
Most EISP documents should include the following
elements:
• An overview of the corporate philosophy on
security.
• Information on the structure of the information
security organization and people who fulfill the
information security role
• Fully expressed responsibilities for security that
are shared by all members of the organization
(employees, contractors, consultants, partners, and
visitors)
• Fully expressed responsibilities for security that
are unique to each role within the organization
Components of EISP
Issue-Specific Security Policy
The issue-specific security policy, or
ISSP,
(1) addresses specific areas of
technology as listed below,
(2) requires frequent updates, and
(3) contains a statement about the
organization’s position on a specific
issue.
Issue-Specific Security Policy
• Email
• Use of the Internet and World Wide Web
• Specific minimum configurations of computers to defend
against worms and viruses
• Prohibitions against hacking or testing organization security
controls
• Home use of company-owned computer equipment
• Use of personal equipment on company networks (BYOD:
bring your own device)
• Use of telecommunications technologies, such as fax and
phone
• Use of photocopy equipment
• Use of portable storage devices such as USB memory sticks,
backpack drives, game players, music players, and any other
device capable of storing digital files
• Use of cloud-based storage services.
Issue-Specific Security Policy
Several approaches are used to create and
manage ISSPs within an organization. Three of
the most common are:
 Independent ISSP documents, each
custom-made to a specific issue.
 A single comprehensive ISSP document that
covers all issues.
 A modular ISSP document that unifies
policy creation and administration while
maintaining each specific issue’s
requirements.
Components of Issue-Specific Security Policy

 Statement of Policy
 Authorized Access and Usage of Equipment
 Prohibited Use of Equipment
 Systems Management
 Violations of Policy
 Policy Review and Modification
 Limitations of Liability
System-Specific Security Policy
 SysSPs often function as standards or
procedures to be used when configuring or
maintaining systems.
 SysSPs can be separated into two general
groups,
 Managerial guidance SysSPs and

 Technical specifications SysSPs, or they can

be combined into a single policy document
that contains elements of both.
Managerial Guidance SysSPs
 A managerial guidance SysSP document is created by
management to guide the implementation and
configuration of technology and to address the
behavior of employees in ways that support
information security.
 Firewalls are not the only technology that may
require systems-specific policies.
 Any system that affects the confidentiality, integrity,
or availability of information must be assessed to
evaluate the trade-off between improved security
and restrictions
 Systems-specific policies can be developed at the
same time as ISSPs, or they can be prepared in
advance of their related ISSPs.
Technical Specifications SysSPs
 While a manager can work with a systems
administrator to create managerial policy.
 The systems administrator in turn might need to
create a policy to implement the managerial
policy.
 Each type of equipment requires its own set of
policies, which are used to translate
management’s intent for the technical control
into an enforceable technical approach.
 There are two general methods of implementing
technical controls:
 Access control lists
 Configuration rules.
Access Control List
An access control list (ACL) consists of details about
user access and use permissions and privileges for an
organizational asset or resource, such as a file
storage system, software component, or network
communications device.
ACLs focus on assets and the users who can access
and use them.
A capabilities table is similar to an ACL, but it focuses
on users, the assets they can access, and what they
can do with those assets.
In some systems, capability tables are called user
profiles or user policies.
Access control matrix that combines the information
in ACLs and capability tables.
Access Control List
ACLs control the following:
• Who can use the system
• What authorized users can access
• When authorized users can access the system
• Where authorized users can access the system
Configuration Rule Policies
 Configuration rules (or policies) administrate
how a security system reacts to the data it
receives.
 Rule-based policies are more specific to the
operation of a system than ACLs,
 They may or may not deal with users directly.
 Many security systems—for example, firewalls,
intrusion detection and prevention systems
(IDPSs), and proxy servers—use specific
configuration scripts that represent the
configuration rule policy to determine how the
system handles each data element they
process
Configuration Rule Policies
Configuration Rule Policies