Security Policies and Implementation Issues

Book Description

PART OF THE NEW JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES! The study of information system security concepts and domains is an essential part of the education of computer science students and professionals alike. Security Policies and Implementation Issues offers a comprehensive, end-to-end view of information security policies and frameworks, from the raw organizational mechanics of building them to the psychology of implementation. It presents an effective balance between technical knowledge and soft skills, and introduces many different concepts of information security in clear, simple terms, such as governance, regulatory mandates, business drivers, legal considerations, and much more. With step-by-step examples and real-world exercises, this book is a must-have resource for students, security officers, auditors, and risk leaders looking to fully understand the process of implementing successful sets of security policies and frameworks.

Table of Contents

  1. Copyright
  2. Preface
    1. Purpose of This Book
    2. Learning Features
    3. Audience
  3. Acknowledgments
  4. About the Author
  5. ONE. The Need for IT Security Policy Frameworks
    1. 1. Information Systems Security Policy Management
      1. What Is Information Systems Security?
        1. Information Systems Security Management Life Cycle
          1. Plan and Organize
          2. Acquire and Implement
          3. Deliver and Support
          4. Monitor and Evaluate
      2. What Is Information Assurance?
        1. Confidentiality
        2. Integrity
          1. Authentication
          2. Availability
        3. Nonrepudiation
      3. What Is Governance?
      4. Why Is Governance Important?
      5. What Are Information Systems Security Policies?
          1. How Policies and Standards Differ
          2. How Policies and Procedures Differ
      6. Where Do Information Systems Security Policies Fit Within an Organization?
      7. Why Information Systems Security Policies Are Important
        1. Policies That Support Operational Success
        2. Challenges of Running a Business Without Policies
        3. Dangers of Not Implementing Policies
        4. Dangers of Implementing the Wrong Policies
      8. When Do You Need Information Systems Security Policies?
        1. Business Process Reengineering (BPR)
        2. Continuous Improvement
        3. Problem Related
      9. Why Enforcing and Winning Acceptance for Policies Is Challenging
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 1 ASSESSMENT
    2. 2. Business Drivers for Information Security Policies
      1. Why Are Business Drivers Important?
      2. Maintaining Compliance
        1. Compliance Requires Proper Security Controls
        2. Security Controls Must Include Information Security Policies
          1. Preventive Security Controls
          2. Detective Security Control
          3. Corrective Security Control
        3. Relationship Between Security Controls and Information Security Policy
      3. Mitigating Risk Exposure
        1. Educate Employees and Drive Security Awareness
        2. Prevent Loss of Intellectual Property
          1. Labeling Data and Data Classification
        3. Protect Digital Assets
        4. Secure Privacy of Data
          1. Full Disclosure and Data Encryption
        5. Lower Risk Exposure
      4. Minimizing Liability of the Organization
        1. Separation Between Employer and Employee
        2. Acceptable Use Policies
        3. Confidentiality Agreement and Non-Disclosure Agreement
        4. Business Liability Insurance Policies
      5. Implementing Policies to Drive Operational Consistency
        1. Forcing Repeatable Business Processes Across the Entire Organization
          1. Policies Are Key to Repeatable Behavior
        2. Policies Help Prevent Operational Deviation
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 2 ASSESSMENT
      9. ENDNOTES
    3. 3. U.S. Compliance Laws and Information Security Policy Requirements
      1. U.S. Compliance Laws
        1. What Are They?
          1. Federal Information Security Management Act (FISMA)
          2. Health Insurance Portability and Accountability Act (HIPAA)
          3. Gramm-Leach-Bliley Act (GLBA)
          4. Sarbanes-Oxley (SOX) Act
          5. Family Educational Rights and Privacy Act (FERPA)
          6. Children's Internet Protection Act (CIPA)
        2. Why Did They Come About?
      2. Whom Do the Laws Protect?
      3. Which Laws Require Proper Security Controls Including Policies?
        1. Which Laws Require Proper Security Controls for Handling Privacy Data?
      4. Aligning Security Policies and Controls with Regulations
      5. Industry Leading Practices and Self-Regulation
      6. Some Important Industry Standards
        1. Payment Card Industry Data Security Standard (PCI DSS)
        2. Statement on Auditing Standard 70 (SAS 70)
        3. Information Technology Infrastructure Library (ITIL)
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 3 ASSESSMENT
      10. ENDNOTES
    4. 4. Business Challenges Within the Seven Domains of IT Responsibility
      1. The Seven Domains of a Typical IT Infrastructure
        1. User Domain
        2. Workstation Domain
        3. LAN Domain
        4. LAN-to-WAN Domain
        5. WAN Domain
        6. Remote Access Domain
        7. System/Application Domain
      2. Information Security Business Challenges and Security Policies That Mitigate Risk Within the Seven Domains
        1. User Domain
        2. Workstation Domain
        3. LAN Domain
        4. LAN-to-WAN Domain
        5. WAN Domain
        6. Remote Access Domain
        7. System/Application Domain
          1. Inventory
          2. Perimeter
          3. Encryption of Mobile Devices
      3. CHAPTER SUMMARY
      4. KEY CONCEPTS AND TERMS
      5. CHAPTER 4 ASSESSMENT
    5. 5. Information Security Policy Implementation Issues
      1. Human Nature in the Workplace
        1. Basic Elements of Motivation
          1. Pride
          2. Self-Interest
          3. Success
        2. Personality Types of Employees
        3. Leadership, Values, and Ethics
      2. Organizational Structure
        1. Flat Organizations
        2. Hierarchical Organizations
          1. Advantages of a Hierarchical Model
          2. Disadvantages of a Hierarchical Model
      3. The Challenge of User Apathy
      4. The Importance of Executive Management Support
        1. Selling Information Security Policies to an Executive
        2. Before, During, and After Policy Implementation
      5. The Role of Human Resources
        1. Relationship Between HR and Security Policies
        2. Lack of Support
      6. Policy Roles, Responsibilities, and Accountability
        1. Change Model
        2. Responsibilities During Change
          1. Step 1: Create Urgency
          2. Step 2: Create a Powerful Coalition
          3. Step 3: Create a Vision for Change
          4. Step 4: Communicate the Vision
          5. Step 5: Remove Obstacles
          6. Step 6: Create Short-Term Wins
          7. Step 7: Build on the Change
          8. Step 8: Anchor the Changes in Corporate Culture
        3. Roles and Accountabilities
      7. When Policy Fulfillment Is Not Part of Job Descriptions
      8. Impact on Entrepreneurial Productivity and Efficiency
        1. Applying Security Policies to an Entrepreneurial Business
      9. Tying Security Policy to Performance and Accountability
      10. Success Is Dependent Upon Proper Interpretation and Enforcement
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 5 ASSESSMENT
      14. ENDNOTE
  6. TWO. Types of Policies and Appropriate Frameworks
    1. 6. IT Security Policy Frameworks
      1. What Is an IT Policy Framework?
      2. What Is a Program Framework Policy or Charter?
          1. Purpose and Mission
          2. Scope
          3. Responsibilities
          4. Compliance
        1. Industry-Standard Policy Frameworks
          1. ISO/IEC 27002 (2005)
          2. NIST Special Publication (SP) 800-53
        2. What Is a Policy?
        3. What Are Standards?
          1. Issue-Specific or Control Standards
            1. Statement of an Issue
            2. Statement of the Organization's Position
            3. Statement of Applicability
            4. Definition of Roles and Responsibilities
            5. Compliance
            6. Points of Contact
          2. System-Specific or Baseline Standards
        4. What Are Procedures?
          1. Exceptions to Standards
        5. What Are Guidelines?
      3. Business Considerations for the Framework
        1. Roles for Policy and Standards Development and Compliance
      4. Information Assurance Considerations
        1. Confidentiality
        2. Integrity
        3. Availability
        4. Authentication
        5. Nonrepudiation
      5. Information Systems Security Considerations
        1. Unauthorized Access to and Use of the System
        2. Unauthorized Disclosure of the Information
        3. Disruption of the System or Services
        4. Modification of Information
        5. Destruction of Information Resources
      6. Best Practices for IT Security Policy Framework Creation
      7. Case Studies in Policy Framework Development
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Protection Case Study
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 6 ASSESSMENT
    2. 7. How to Design, Organize, Implement, and Maintain IT Security Policies
      1. Policies and Standards Design Considerations
        1. Principles for Policy and Standards Development
        2. Types of Controls for Policies and Standards
          1. Security Control Types
      2. Document Organization Considerations
        1. Sample Templates
          1. Sample Policy Template
          2. Sample Standard Template
          3. Sample Procedure Template
          4. Sample Guideline Template
      3. Considerations For Implementing Policies and Standards
        1. Reviews and Approvals
        2. Publishing Your Policies and Standards Library
        3. Awareness and Training
          1. Security Newsletter
          2. Security Articles
          3. What Is . . . ?
          4. Ask Us
          5. Security Resources
          6. Contacts
      4. Policy Change Control Board
        1. Business Drivers for Policy and Standards Changes
      5. Maintaining Your Policies and Standards Library
        1. Updates and Revisions
      6. Best Practices for Policies and Standards Maintenance
      7. Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Example
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 7 ASSESSMENT
    3. 8. IT Security Policy Framework Approaches
      1. IT Security Policy Framework Approaches
        1. Risk Management and Compliance Approach
        2. The Physical Domains of IT Responsibility Approach
      2. Roles, Responsibilities, and Accountability for Personnel
        1. The Seven Domains of a Typical IT Infrastructure
        2. Organizational Structure
        3. Organizational Culture
      3. Separation of Duties
        1. Layered Security Approach
        2. Domain of Responsibility and Accountability
          1. First Line of Defense
          2. Second Line of Defense
          3. Third Line of Defense
      4. Governance and Compliance
        1. IT Security Controls
        2. IT Security Policy Framework
      5. Best Practices for IT Security Policy Framework Approaches
        1. What Is the Difference Between GRC and ERM?
      6. Case Studies and Examples of IT Security Policy Framework Approaches
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 8 ASSESSMENT
      10. ENDNOTE
    4. 9. User Domain Policies
      1. The Weakest Link in the Information Security Chain
        1. Social Engineering
        2. Human Mistakes
        3. Insiders
      2. Six Types of Users
        1. Employees
        2. Systems Administrators
        3. Security Personnel
        4. Contractors
        5. Guests and General Public
        6. Auditors
      3. Why Govern Users with Policies?
      4. Acceptable Use Policy (AUP)
      5. The Privileged-Level Access Agreement (PAA)
      6. Security Awareness Policy (SAP)
      7. Best Practices for User Domain Policies
      8. Case Studies and Examples of User Domain Policies
        1. Private Sector Case Studies
          1. Corporate Laptops Compromised
          2. The Collapse of Barings Bank, 1995
        2. Public Sector Case Study
        3. Critical Infrastructure Case Studies
          1. Water Treatment Plant Control Systems Compromised
          2. Disgruntled Employee Breaches Former Employer's Systems
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 9 ASSESSMENT
    5. 10. IT Infrastructure Security Policies
      1. Anatomy of an Infrastructure Policy
        1. Format of a Standard
      2. Workstation Domain Policies
          1. Control Standards
          2. Baseline Standards
          3. Procedures
          4. Guidelines
      3. LAN Domain Policies
          1. Control Standards
          2. Baseline Standards
          3. Procedures
          4. Guidelines
      4. LAN-to-WAN Domain Policies
          1. Control Standards
          2. Baseline Standards
          3. Procedures
          4. Guidelines
      5. WAN Domain Policies
          1. Control Standards
          2. Baseline Standards
          3. Procedures
          4. Guidelines
      6. Remote Access Domain Policies
          1. Control Standards
          2. Baseline Standards
          3. Procedures
          4. Guidelines
      7. System/Application Domain Policies
          1. Control Standards
          2. Baseline Standards
          3. Procedures
          4. Guidelines
      8. Telecommunications Policies
          1. Control Standards
          2. Baseline Standards
          3. Procedures
          4. Guidelines
      9. Best Practices for IT Infrastructure Security Policies
      10. Case Studies and Examples of IT Infrastructure Security Policies
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 10 ASSESSMENT
    6. 11. Data Classification and Handling Policies and Risk Management Policies
      1. Data Classification Policies
        1. The Need for Data Classification
          1. Protecting Information
          2. Retaining Information
          3. Recovering Information
        2. Military Classification Schemes
        3. Business Classification Schemes
        4. Developing a Customized Classification Scheme
        5. Classifying Your Data
      2. Data Handling Policies
        1. The Need for Policy Governing Data at Rest and in Transit
        2. Policies, Standards, and Procedures Covering the Data Life Cycle
      3. Identify Business Risks Related to Information Systems
        1. Types of Risk
        2. Development and Need for Policies Based on Risk Management
      4. Business Impact Analysis (BIA) Policies
        1. Component Priority
        2. Component Reliance
        3. Impact Report
        4. Development and Need for Policies Based on BIA
      5. Risk Assessment Policies
        1. Risk Exposure
        2. Prioritization of Risk, Threat, and Vulnerabilities
        3. Risk Management Strategies
        4. Vulnerability Assessments
        5. Vulnerability Windows
        6. Patch Management
      6. Business Continuity Planning (BCP) Policies
        1. Dealing with Loss of Systems, Applications, or Data Availability
        2. Continuity of Operations Plan (COOP)
        3. Response and Recovery Time Objectives (RTO) Policies Based on the BIA
      7. Disaster Recovery Plan (DRP) Policies
        1. Disaster Declaration Policy
        2. Assessment of the Severity of the Disaster and Potential Downtime
        3. Dealing with Natural Disasters, Man-Made Disasters, and Catastrophic Loss
        4. Disaster Recovery Procedures for Mission-Critical System, Application, or Data Functionality and Recovery
        5. RTO Policies Based on Disaster Scenario
      8. Best Practices for Risk Management Policies
      9. Case Studies and Examples of Risk Management Policies
        1. Private Sector Case Example
        2. Public Sector Case Example
        3. Critical Infrastructure Case Study
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 11 ASSESSMENT
    7. 12. Incident Response Team (IRT) Policies
      1. Incident Response Policy
        1. What Is an Incident?
      2. Incident Classification
      3. The Response Team Charter
      4. Incident Response Team Members
      5. Responsibilities During an Incident
        1. Users on the Front Line
        2. System Administrators
        3. Information Security Personnel
        4. Management
        5. Support Services
        6. Other Key Roles
      6. Procedures for Incident Response
        1. Discovering an Incident
        2. Reporting an Incident
        3. Containing and Minimizing the Damage
        4. Cleaning Up After the Incident
        5. Documenting the Incident and Actions
        6. Analyzing the Incident and Response
        7. Creating Mitigation to Prevent Future Incidents
        8. Handling the Media and What to Disclose
      7. Best Practices for Incident Response Policies
      8. Case Studies and Examples of Incident Response Policies
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 12 ASSESSMENT
  7. THREE. Implementing and Maintaining an IT Security Policy Framework
    1. 13. IT Security Policy Implementations
      1. Implementation Issues for IT Security Policies
        1. Organizational Challenges
        2. Organizational and Cultural Change
        3. Organizational and Individual Acceptance
      2. Security Awareness Policy Implementations
        1. Development of an Organization-Wide Security Awareness Policy
        2. Conducting Security Awareness Training Sessions
        3. Executive Management Sponsorship
        4. Human Resources (HR) Ownership of New Employee Orientation
        5. Review of Acceptable Use Policies (AUPs)
      3. Information Dissemination—How to Educate Employees
        1. Hard Copy Dissemination
        2. Posting Policies on the Intranet
        3. Using E-mail
        4. Brown Bag Lunch and Learning Sessions
      4. Overcoming Technical Hindrances
        1. Distributed Infrastructure
        2. Outdated Technology
        3. Lack of Standardization Throughout the IT Infrastructure
      5. Overcoming Nontechnical Hindrances
        1. Distributed Environment
        2. User Types
        3. Lack of Executive Management Support
      6. Best Practices for IT Security Policy Implementations
      7. Case Studies and Examples of Successful IT Security Policy Implementations
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 13 ASSESSMENT
      11. ENDNOTE
    2. 14. IT Security Policy Enforcement
      1. Organizational Support for IT Security Policy Enforcement
        1. Executive Management Must Provide Sponsorship
        2. Hierarchical Organizational Approach to Ensure Roles, Responsibilities, and Accountabilities Are Defined for Security Policy Implementation
          1. Project Committee
          2. Architecture Review Committee
          3. External Connection Committee
          4. Vendor Governance Committee
          5. Security Compliance Committee
          6. Operational Risk Committee
        3. Front-Line Managers and Supervisors Must Take Responsibility and Accept Accountability
        4. Grass-Roots Employees
      2. An Organization's Right to Monitor User Actions and Traffic
          1. Internet Use
          2. E-mail Use
          3. Computer Use
      3. Compliance Law: Requirement or Risk Management?
      4. What Is Law and What Is Policy?
        1. What Security Controls Work to Enforce Protection of Privacy Data?
      5. What Automated Security Controls Can Be Implemented Through Policy?
        1. What Manual Security Controls Assist with Enforcement?
      6. Legal Implications of IT Security Policy Enforcement
      7. Who Is Ultimately Liable for Risk, Threats, and Vulnerabilities?
        1. Where Must IT Security Policy Enforcement Come From?
      8. Best Practices for IT Security Policy Enforcement
      9. Case Studies and Examples of Successful IT Security Policy Enforcement
        1. Private Sector Case Study
        2. Public Sector Case Study
        3. Critical Infrastructure Case Study
      10. CHAPTER SUMMARY
      11. KEY CONCEPTS AND TERMS
      12. CHAPTER 14 ASSESSMENT
    3. 15. IT Policy Compliance Systems and Emerging Technologies
      1. Defining a Baseline Definition for Information Systems Security
        1. Policy-Defining Overall IT Infrastructure Security Definition
        2. Vulnerability Window and Information Security Gap Definition
      2. Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
        1. Automated Systems
        2. Manual Tracking and Reporting
        3. Random Audits and Departmental Compliance
        4. Overall Organizational Report Card for Policy Compliance
      3. Automating IT Security Policy Compliance
        1. Automated Policy Distribution
          1. Training Administrators and Users
          2. Organizational Acceptance
          3. Testing for Effectiveness
          4. Audit Trails
        2. Configuration Management and Change Control Management
          1. Configuration Management Database
          2. Change Control Work Order Database
          3. Tracking, Monitoring, and Reporting Configuration Changes
        3. Collaboration and Policy Compliance across Business Areas
        4. Version Control for Policy Implementation Guidelines and Compliance
      4. Emerging Technologies and Solutions
        1. SCAP
        2. SNMP
        3. WBEM
        4. WMI
        5. Digital Signing
      5. Best Practices for IT Security Policy Compliance Monitoring
      6. Case Studies and Examples of Successful IT Security Policy Compliance Monitoring
        1. Private Sector Case Studies
          1. Small Training Company
          2. Large Sales Organization
        2. Public Sector Example
        3. Critical Infrastructure Case Study
      7. CHAPTER SUMMARY
      8. KEY CONCEPTS AND TERMS
      9. CHAPTER 15 ASSESSMENT
  8. A. Answer Key
  9. B. Standard Acronyms
  10. Glossary of Key Terms
  11. References