Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

transcript

Lesson Eight

Security Management

Lesson Objectives

• Define security management• Explain in basic terms the function of an

organization’s security policy• List the reasons an organization would

implement a security policy• Define security standards and explain the

different types of standards• Explain the role of standards organizations.• Match the standards organization with its

role in the Information Security field

Introduction

Security management entails the identification of an organization’s information assets and the development, documentation, and implementation of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability.

Organization Policies

A policy may be defined as 'An agreed approach in theoretical form, which has been agreed to and/or ratified by, a governing body, and which defines direction and degrees of freedom for action.'

What is a Security Policy?

• Informs users and staff members of the need and the responsibility to protect the organization’s technology and critical information.

• Defines “acceptable use” (based upon the acceptable risk) of all electronic media within an organization.

Security Policies

• Rules and practices an organization uses for its information resources:managementprotectionallocation

• Policies and procedures provide a baseline to:security plans contingency plans procurement plans

Why a Security Policy?

1. Describes in detail acceptable network activity and penalties for misuse

2. Provides a forum for identifying and clarifying security goals, priorities and objectives to the organization and its members.

3. Illustrates to each employee how they are responsible for helping to maintain a secure environment.

4. Defines responsibilities and the scope of information security in an organization.

5. Provides a legal instrument in the case of litigation

Why a Security Policy?

6. Provides a good foundation for conducting security audits

7. Establishes a critical asset identifying potential vulnerabilities

8. Provides a reference for incident response handling

9. Communicates organization culture, core values, and ethics

10. Establishes acceptance and conformity

Management Support

• Without management supporting security policies, they might as well be non-existent

• Security policies and security in general start off at the bottom of the typical executive’s priority list

• A serious security incident or an exceptional sales pitch by the information security professionals help to gain the support of management

Types of Security Policies

• Acceptable Encryption Policy • Acceptable Use Policy • Analog/ISDN Line Policy• Anti-Virus Policy • Application Service Provider Policy• Application Service Provider Standards• Acquisition Assessment Policy

Types of Security Policies

• Audit Vulnerability Scanning Policy • Automatically Forwarded Email Policy• Database Credentials Coding Policy• Dial-in Access Policy• DMZ Lab Security Policy• E-mail Policy

Helpful Security Policy Links

!!!!Read the following documents!!!

• http://www.sans.org/resources/policies/

Policy_Primer.pdf• http://www.sans.org/resources/policies/#template• http://www.dir.state.tx.us/security/policies/

templates.htm

Security Standards

• Specify uniform use of specific technologies, parameters, or procedures.

• Specify a uniform use of specific technologies, parameters or processes to be used to secure systems.

• Contain mandatory statements which can be measured.

Security Standards Example

The Privacy HIPAA Standards requires that "a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information" (CMS, "HIPAA Administrative Simplification - Privacy", Section 164.530 (c)(1)

Types of Security Standards

• Open versus Proprietary• Dejure (by law) versus Defacto

Security Standards Evolve

Security Standards Organizations

• Government statues (federal, state and local)

• Standards organizations (NIST, ISO, IEEE)• Industry requirements (HIPAA, GLB,

TIA/EIA)• Manufacture requirements (Cisco,

Microsoft)• Internal requirements

ISO 17799 Description

• Most widely recognized security standard—the first version was published in December 2000

• Comprehensive in its coverage of security issues

• Contains a substantial number of control requirements

• Compliance and certification for even for the most security conscious of organizations can be daunting

Government Cryptography Standards

Example

• Government Standards: Incident ReportingComputer Security Incident Handling Guide NIST Special Publication 800-61, from National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce.

• A 148-page report describing guidelines for responding to denial-of-service attacks; malicious code, including viruses, worms and Trojan horses; unauthorized access; inappropriate use by authorized users, and incidents incorporating various types of security breaches.http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf

Security Guidelines

• Address intentions and allow for interpretation • Recommendations or best practices • Similar to STANDARDS (not mandated

actions)• Assist users, administrators and others in

effectively interpreting and implementing the security policy

• Data Security and Classification Guidelines http://www.umassp.edu/policy/data/

itcdatasec.html

Security Procedures

• The operational processes required to implement institutional security policy

• Operating practices can be formal or informal, specific to a department or applicable across the entire institution

• Detailed steps or instructions to be followed by users, system administrators, and others to accomplish a particular security-related task

• Assist in complying with security policy, standards and guidelines

• http://wwwoirm.nih.gov/security/sec_policy.html

More Examples

• Policy - All State of Illinois employee email mailboxes must be protected by a username/password

• Standard - The username must follow existing standards and the password must be 8 characters long and have an alpha/numeric combination

• Procedure – Setting the administrative properties of the mailbox to require a username and password be set. Auditing the passwords for appropriate password complexity

Plan, DO, Check, Act

Hyperlinks to Federal Laws

• Federal Computer Intrusion Laws • National Information Infrastructure Protection Act

of 1995

• Fraud and Related Activity in Connection with Computers

• The Digital Millennium Copyright Act • Software Piracy and the Law • The Computer Fraud and Abuse Act of 1986

Hyperlinks to Federal Laws

• Electronic Communications Privacy Act • Privacy Act of 1974 • Communications Act of 1934 • Family Educational Rights and Privacy Act of

1974 • CAN-SPAM Act of 2003 • United States Copyright Office

Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Documents