Post on 27-Oct-2014
CST 233
INFORMATION SECURITY AND ASSURANCE
ASSIGNMENT 2
WHITEPAPER: TYPES OF SECURITY POLICIES: EISP, ISSP AND SysSP
PREPARED BY:
MUHAMAD AMIRUL BIN MAT HUSSAIN 106711
LECTURER: DR AMAN JANTAN
2011/2012
Table of Contents
Introduction……………………………………………………………………….3
Definitions of Policy………………………………………………………………4
Purpose of Policy…………………………………………………………………4-5
Types of Security Policy…………………………………………………………6
Enterprise Information Security Policy (EISP) …………………………...6-8
Issue-Specific Security Policy (ISSP)……………………………………...8-9
System-Specific Policy (SysSP) …………………………………………...10
Case Study…………………………………………………………………..........11-15
Conclusion………………………………………………………………………..16
References………………………………………………………………………..17
1. Introduction
The term security policy and the importance of information security in
management or business are still not recognized by many people in organizations,
companies and elsewhere. Management from all communities of interest, including
general staff and information technology, should make policies for their
organization. Policies direct how issues should be addressed and how technologies
should be used. For a large company or organization, developing a single policy
document that speaks to all types of users within the organization and addresses
all the necessary information security issues may be difficult. It should be
noted that there is no single method for developing a security policy or policies.
Many factors must be taken into account, including audience type and company
business and size. This paper will therefore address the three types of security
policy that the management of each company or organization must define:
Enterprise Information Security Policies (EISP), Issue-Specific Security
Policies (ISSP), and Systems-Specific Security Policies (SysSP).
2. Definitions of Policy
In discussions of computer security, the term policy has more than one meaning.
As noted in an Office of Technology Assessment report, Information Security and
Privacy in Network Environments (1994), "Security Policy refers here to the
statements made by organizations, corporations, and agencies to establish overall
policy on information access and safeguards." Another meaning of policy comes
from the book Principles of Information Security, 4th Edition (2012), which refers
to the "plan or course of action that conveys instructions from an organization's
senior management to those who make decisions, take actions, and perform other
duties." Policy is senior management's directive to create a computer security
program, establish its goals, and assign responsibilities. The term policy is
also used to refer to the specific security rules for particular systems.
Additionally, policy may refer to entirely different matters, such as the specific
managerial decisions setting an organization's e-mail privacy policy, internet
use policy, and others.
3. Purpose of Policy
A security policy should fulfill many purposes. The basic purposes of a policy
are that it should:
- Protect people and information
- Set the rules for expected behavior by users, system administrators,
  management, and security personnel
- Authorize security personnel to monitor, probe, and investigate
- Define and authorize the consequences of violation
- Define the company's consensus baseline stance on security
- Help minimize risk
- Help track compliance with regulations and legislation
Information security policies provide a framework for best practice that can be
followed by all employees. They help to ensure that risk is minimized and that any
security incidents are responded to effectively.
Information security policies also help turn staff into participants in the
company's efforts to secure its information assets, and the process of developing
these policies helps to define a company's information assets. An information
security policy defines the organization's attitude to information, and announces
internally and externally that information is an asset, the property of the
organization, and is to be protected from unauthorized access, modification,
disclosure, and destruction.
4. Types of Security Policy
4.1 Enterprise Information Security Policy (EISP)
A management official, normally the head of the organization or the senior
administration official, issues program policy to establish (or restructure) the
organization's computer security program and its basic structure. The EISP is based
on and directly supports the mission, vision, and direction of the organization. This
high-level policy defines the purpose of the program and its scope within the
organization, assigns responsibilities (to the computer security organization) for
direct program implementation, as well as other responsibilities to related offices
(such as the Information Resources Management [IRM] organization) and addresses
compliance issues. The EISP sets organizational strategic directions for security and
assigns resources for its implementation.
A good EISP should address the following components:
Purpose: Program policy normally includes a statement describing why the program
is being established. This may include defining the goals of the program.
Security-related needs, such as integrity, availability, and confidentiality, can
form the basis of organizational goals established in policy. For instance, in an
organization responsible for maintaining large mission-critical databases,
reduction in errors, data loss, data corruption, and recovery might be
specifically stressed. In an organization responsible for maintaining
confidential personal data, however, goals might emphasize stronger protection
against unauthorized disclosure.
Scope: Program policy should be clear as to which resources - including
facilities, hardware, software, information, and personnel - the computer
security program covers. In many cases, the program will encompass all systems
and organizational personnel, but this is not always true. In some instances, it
may be appropriate for an organization's computer security program to be more
limited in scope.
Responsibilities: Once the computer security program is established, its
management is normally assigned to either a newly created or an existing office.
The responsibilities of officials and offices throughout the organization also
need to be addressed, including line managers, application owners, users, and
data processing staff. This section of the policy statement, for example, would
distinguish between the responsibilities of computer service providers and those
of the managers of applications using the provided services. The policy could
also establish operational security offices for major systems, particularly
those at high risk or most critical to organizational operations. It can also
serve as the basis for establishing employee accountability.
Compliance: The EISP typically addresses two compliance issues:
1. General compliance, to ensure that the requirements to establish a program,
and the responsibilities assigned therein to various organizational components,
are met. Often an oversight office, for example the Inspector General, is
assigned responsibility for monitoring compliance, including how well the
organization is implementing management's priorities for the program.
2. The use of specified penalties and disciplinary actions. Since the security
policy is a high-level document, specific penalties for various infractions are
normally not detailed here; instead, the policy may authorize the creation of
compliance structures that include violations and specific disciplinary actions.
4.2 Issue-Specific Security Policy (ISSP)
Unlike the EISP, which is intended to address the broad organization-wide
computer security program, issue-specific security policies (ISSP) are developed
to focus on areas of current relevance and concern to an organization.
Management may find it appropriate, for example, to issue a policy on specific
minimum configurations of computers to defend against worms and viruses, or on
the use of the internet. A policy could also be issued, for example, on
prohibitions against hacking and testing organization security controls. An ISSP
may also be appropriate when new issues arise, such as when implementing a
recently passed law requiring additional protection of particular information.
The EISP is usually broad enough that it does not require much modification over
time, whereas ISSPs are likely to require more frequent revision as changes in
technology and related factors take place.
Just as the EISP has its own components, a good ISSP also needs to include the
following components:
Statement of Policy: Defines the scope and applicability of the policy, the
definition of the technology addressed, and the responsibilities of the persons
in charge of or covered by this policy.
Authorized Access and Usage of Equipment: Examines user access and fair and
responsible use, and explains the protection of privacy.
Prohibited Usage of Equipment: Defines and explains disruptive use or misuse,
offensive or harassing materials, and other restrictions.
Systems Management: Focuses on the user's relationship to systems management.
Specific rules from management include regulating the use of email, storage of
materials, virus protection, physical security and encryption.
Violations of Policy: The policy statement should contain the procedures for
reporting violations and the penalties for violations.
Limitations of Liability: The policy states the statements of liability; for
example, the company will not protect an employee who is caught violating the
company policy.
4.3 Systems-Specific Policy (SysSP)
While ISSPs are formalized as written documents readily identifiable as policy,
systems-specific policies (SysSP) have a different look. They often function as
standards or procedures to be used when configuring and maintaining systems. A
SysSP is much more focused, since it addresses only one system. System-specific
security policy includes two components: security objectives (also called
managerial guidance) and operational security rules (technical specifications).
It is often accompanied by implementing procedures and guidelines.
Security Objectives: The first step in the management process is to define
security objectives for the specific system. A security objective needs to be
specific: it should be concrete and well defined. It should also be stated so
that it is clear that the objective is achievable. Security objectives consist of
a series of statements that describe meaningful actions about explicit resources.
These objectives should be based on system functional or mission requirements,
but should state the security actions that support the requirements.
Operational Security Rules: After management determines the security objectives,
the rules for operating a system can be laid out, for example to define
authorized and unauthorized modification: who can use the system, what
authorized users can access, and when and from where authorized users can access
it. This specificity is captured in Access Control Lists (ACL) and provides
powerful control to the administrator. Besides ACLs, configuration rule policies
can also be included in this component.
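The who, what, when and from-where rules described above, written out as a small default-deny ACL evaluator in Python. This is an added example and not part of the original paper or of any USM policy; the system ("records"), the users, groups and networks are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ACL for one hypothetical system, a student "records" database.
# Each entry answers the SysSP questions: who (subject), what (resource, actions),
# when (hours) and from where (source networks).
@dataclass(frozen=True)
class Rule:
    subject: str                      # user name or "group:<name>"
    resource: str                     # object on the system
    actions: frozenset                # permitted actions on that object
    hours: tuple = (0, 24)            # [start, end) hour of day, local time
    networks: tuple = ("0.0.0.0/0",)  # source networks the subject may use

ACL = (
    Rule("group:registrar", "records", frozenset({"read", "write"}),
         hours=(8, 18), networks=("10.1.0.0/16",)),
    Rule("group:lecturer", "records", frozenset({"read"}),
         networks=("10.0.0.0/8",)),
    Rule("dba01", "records", frozenset({"read", "write", "admin"}),
         networks=("10.1.5.0/24",)),
)

# Constructed group membership; in a real deployment this comes from the directory.
GROUPS = {"registrar": {"alice"}, "lecturer": {"bob"}}

def _matches_subject(rule, user):
    if rule.subject.startswith("group:"):
        return user in GROUPS.get(rule.subject[len("group:"):], set())
    return rule.subject == user

def is_permitted(user, resource, action, hour, src_ip):
    """Return True only if some ACL entry explicitly allows the request.
    Anything not matched by a rule is denied (default deny)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in ACL:
        if rule.resource != resource or action not in rule.actions:
            continue                      # what: wrong object or action
        if not _matches_subject(rule, user):
            continue                      # who: subject does not match
        start, end = rule.hours
        if not (start <= hour < end):
            continue                      # when: outside the permitted window
        if not any(ip in ipaddress.ip_network(n) for n in rule.networks):
            continue                      # from where: source not permitted
        return True
    return False
```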
5. Case Study: The Implementation of EISP, ISSP and SysSP in the USM ICT
Security Policy
The Centre for Knowledge, Communication, and Technology (PPKT) is the department
responsible for ICT at University Science Malaysia (USM). All infrastructure,
such as networking, telecommunications and ICT security, is controlled by this
department. For a large organization like USM, ICT security is a necessity.
Therefore, this department created an ICT security policy for implementation
across USM management. In this ICT Security Policy, they implemented the
components of the EISP. Below are some of the EISP components found in the ICT
Security Policy USM:
1) Statement of Purpose
In this policy, they clearly state the mission of the university ICT policy,
which is to minimize the risk to resources, to ensure that ICT resources are
adequately protected from acts of abuse, theft and loss, and to protect the
interests of parties that rely on the ICT resources from the effects of failure
or weakness in terms of confidentiality, integrity, availability, validity, and
accessibility of ICT resources.
2) Scope
Figure 1: Scope of ICT Security Policy USM
3) Responsibilities
Figure 2: Statement of Role and Responsibilities in ICT Security Policy USM
Below are some of the ISSP components implemented in the ICT Security Policy
USM:
1) Authorized Access and Usage of Equipment in ICT Security Policy USM
2) Prohibited Usage of Equipment in ICT Security Policy USM
3) Specific Rules from Management: Use of Email in ICT Security Policy USM
The Implementation of SysSP in ICT Security Policy USM
1) Security Objective
Figure 3
The statement of general principles in Figure 3 above shows the implementation
of the security objective needed in the SysSP.
2) Operational Security Rules
Figure 4
The statement in Figure 4 above sets out the Access Control Lists (ACL) that
explain which users can access the system and what each authorized user can
access on it.
6. Conclusion
In conclusion, this paper has described and explained the three types of security
policy that the management of each company or organization must define:
Enterprise Information Security Policies (EISP), Issue-Specific Security Policies
(ISSP), and Systems-Specific Security Policies (SysSP). The purpose of these
policies, and why each organization and company needs to implement them in their
management, was also explained in this paper. Each policy was discussed in detail
one by one. This paper also examined a real case study, taking the ICT Security
Policy USM as a sample to see how these three types of security policy have been
implemented in a real policy.
References
1. Whitman, M. E. and Mattord, H. J. (2012). Principles of Information Security,
4th Edition.
2. NIST Special Publication 800-12. An Introduction to Computer Security: The
NIST Handbook.
3. Diver, S. (2007). Information Security Policy - A Development Guide for Large
and Small Companies. SANS Institute.
4. Polisi Keselamatan ICT USM. Available at: ict-security.usm.my
5. Policy on Closed Circuit Television (CCTV): Monitoring, Recording, Role and
Technical Standards (2010). Universiti Sains Malaysia.