Standards, Policies, Procedures, and Guidelines - PowerPoint PPT Presentation

1 / 32
About This Presentation
Title:

Standards, Policies, Procedures, and Guidelines

Description:

Standards, Policies, Procedures, and Guidelines Lesson 20 Some Definitions (from Information Security Policies, Procedures and Standards) Policy: a high-level ... – PowerPoint PPT presentation

Number of Views:1663
Avg rating:3.0/5.0
Slides: 33
Provided by: facultyBu1
Category:

less

Transcript and Presenter's Notes

Title: Standards, Policies, Procedures, and Guidelines


1
Standards, Policies, Procedures, and Guidelines
  • Lesson 20

2
Some Definitions(from Information Security
Policies, Procedures and Standards)
  • Policy a high-level statement of an
    organizations beliefs, goals, and objectives and
    the general means for their attainment for a
    specified subject area.
  • Standards mandatory activities, actions, rules
    or regulations designed to provide policies with
    a support structure and specific direction.
  • Guidelines more general statements that provide
    a framework within which to implement procedures.
    Guidelines are recommendations.
  • Procedures outline the specifics of how
    policies, standards and guidelines will actually
    be implemented in the operating environment.

3
Put another way
  • Policies state a goal in general terms.
  • Standards define what is to be accomplished in
    specific terms
  • Procedures tell how to meet the standards.

4
ExampleAccess to Company information is
restricted.
  • Policy Access to and use of company information
    systems is restricted to authorized users.
  • Standard Users are required to have unique
    userids and passwords.
  • Guideline Passwords should be from 5 to 8
    characters in length and contain both alpha and
    numeric characters.
  • Procedure Requests for userids and passwords
    must include the signature of the authorized
    information owner. Approval signatures will be
    verified with the company authorized signature
    verification list.

5
Security Policy(fromActive Policy Management
The Cornerstone of Security)
  • Often cited as the first, most critical component
    to any information security program.
  • Can describe anything from acceptable use of an
    email system to privacy expectations of computer
    users.
  • To serve their purpose by communicating
    management intent, they must be read and
    understood.
  • Problems and issues, or just plain indifference,
    are almost foregone conclusions.
  • Best practices for policies include
  • Being realistic
  • Being concise yet thorough
  • Manage the policy life cycle
  • Educate and test

6
Key elements of a Policy
  • Be easy to understand
  • Be applicable
  • Be doable and enforceable
  • Be phased in
  • Be proactive (state what has to be done, dont
    make thou shall not pronouncements).
  • Meet organizational objectives
  • Never, ever use absolutes (ok, avoid) you might
    get backed into a corner you dont want to be in.
  • Dont state violators of the password policy
    will have their employment terminated unless you
    are willing to live with the consequences.

7
Security Operational Process
  • Security Posture Assessment
  • Users
  • System Admin
  • Security Operations
  • Technology Deployment
  • Security Design Review
  • Security Integration
  • 24x7 Monitoring

8
Security Operational Process
9
Policy Management Life Cycle
10
Types of policies(from Information Security
Policies, Procedures and Standards)
  • Program Policies
  • Used to create the overall security vision for
    the organization.
  • Topic-specific policies
  • Address specific issues.
  • e.g. email policy, Internet usage, physical
    security
  • Application-specific policies
  • Designed to protect specific applications or
    systems.
  • e.g. controls established for payroll system

11
Program Policies
  • A high-level policy issued by senior management.
  • Defines the intent of the security program and
    its scope within the organization.
  • Should include
  • Topic and scope
  • Responsibilities
  • Compliance issues

12
Program Policy Example(from Information Security
Policies, Procedures and Standards)
The Company relies on various kinds of
information resources in its daily operations.
These resources include data-processing systems,
electronic mail, voice-mail, telephones, copiers,
facsimile machines, and other information-generati
on and exchange methods. It is very important
for users to recognize that these resources are
made available to them to help the company meet
short- and long-term goals, objectives and
competitive challenges. Any improper use of any
resource is not acceptable and will not be
permitted.
13
Program Policy example (cont.)
  • The company policies listed here form the basis
    for the Information Resources Protection Policy
    (IRPP)
  • Data and information about the company and its
    employees are collected and retained to satisfy
    legitimate business purposes or as required by
    law.
  • Protecting company information is every
    employees responsibility. Company people share
    a common interest in ensuring information is not
    intentionally, accidentally, or improperly
    disclosed, lost, or mis-used.
  • Positive steps must be taken to prevent improper
    disclosure of company information and
    unauthorized access to company information
    resources.
  • Data, information, and resources are company
    assets that may be used only for
    management-approved company business and not for
    personal use or gain.
  • Like any other company asset, the company
    reserves the right to inspect information
    resources and their use at any time.
  • Company records and information are available to
    individuals only on a need-to-know basis. Access
    or attempted access to information and resources
    outside ones authority are prohibited.
  • Protective measures must be provided to control
    access and to protect the integrity of all
    information systems that process information.

14
Program Policy example (cont.)
8. Established corporate and unit procedures are
to be used for budgeting approval, and
acquisition of information-processing facilities,
equipment, software, and support services. 9.
Appropriate safeguards must be built into
information-processing facilities. These
safeguards should minimize the extent of loss of
information or processing support that could
result from such hazards as fire, water, or other
natural disasters while maintaining operational
effectiveness. Business recovery plans must
provide for continuation of vital business
functions if loss failure should occur. 10.
Independent reviews to ensure that program
objectives are being met are an integral part of
this effort. These reviews may be conducted by
Corporate Auditing, the internal audit staff of a
unit, or external auditors. 11. Deliberate
unauthorized acts against Company or customer
information system(s) or facilities, including
but not limited to misuse, misappropriation,
destruction of information or system resources,
the deliberate and unauthorized disclosure of
information, or the use of unauthorized
software/hardware, will result in disciplinary
action as deemed by management.
15
Topic-Specific Policies
  • Unlike Program Policies, Topic-specific policies
    narrow the focus to one issue at a time.
  • Basic components include
  • Thesis statement
  • Goals and objectives of this policy
  • Relevance
  • To whom does this policy apply?
  • Responsibilities
  • Establishment of roles by position or job title
  • Compliance
  • Describe unacceptable behavior and consequences
  • (additional information)

16
Topic-specific Policy example (from Information
Security Policies, Procedures and Standards)
Telecommuting Policy The Company allows
telecommuting where there are opportunities for
improved employee performance, reduced commuting
miles, and/or potential for savings for the
Company or business unit. Provisions Business
units may implement telecommuting as a work
option for certain employees based upon specific
criteria and procedures consistently applied
throughout the agency. -- Consideration may be
given to employees who have demonstrated work
habits and performance well suited to successful
telecommuting. -- Telecommuting criteria and
procedures shall be evaluated to ensure its
benefits and effectiveness. The telecommuters
conditions of employment shall remain the same as
for non-telecommuting employees. -- Business
visits, meetings with Your Company customers, or
regularly scheduled meetings with co-workers
shall not be held at the home. -- Telecommuting
employees shall not act as primary caregivers
for dependents nor perform other personal
business during hours agreed upon as work
hours.
17
Topic-specific example (cont.)
The Company shall provide tele-workers office
supplies. Equipment and software, if provided by
the business unit for use at the tele-worksite,
shall be for the purpose of conducting Company
business. Responsibilities Employee shall sign
and abide by a telecommuting agreement between
the employee and the supervisor. --
Telecommuting shall be voluntary. -- The
agreement shall specify individual work
schedules. Compliance Company management has
the responsibility to manage corporate
information, personnel, and physical property
relevant to business operations, as well as the
right to monitor the actual utilization of all
corporate assets. Employees who fail to comply
with the policies will be considered to be in
violation of Your Companys Employee Standards of
Conduct and will be subject to appropriate
corrective action.
18
Application-specific policies
  • Focuses on one specific system or application.
  • As the construction of the security architecture
    for a site takes place, the Program and
    Topic-specific policies need to be translated to
    specific applications and systems.
  • To develop a comprehensive series of policies
  • Define the business objectives then establish
    which security tools will support those
    objectives.
  • Establish the rules for operating the system or
    application. Determine who has access to what
    resources and when.
  • Determine what automated tools may help with this
    policy.

19
Application-specific Policy example (from
Information Security Policies, Procedures and
Standards)
Dial-In Access Policy All incoming dial-up
connections (via PSTN or ISDN) should use a
strong one-time password authentication system
(such as SecurID). Dial-in access to the
corporate network should only be allowed where
necessary and where the following conditions are
met -- Assurance. The dial-in server
configuration shall be accurately
documented. It shall be subjected to yearly
audits. -- Identification and Authentication.
All incoming dial-up connections shall use a
strong authentication system one-time
passwords, challenge- response, etc.
Administrator log-in shall not send passwords in
clear text. The call-back or closed user
groups features should be used where
possible. -- Access Control. Dial-up servers
shall not share file or printer resources
with other internal machines that is, they
shall not be file or printer servers. Only
administrative personnel shall be allowed to log
on locally. Dial-up servers shall be
installed in a physically secured/locked room.
20
Some other policies you should think about having
  • Internet use policy
  • What can you do, where can you go (e.g.
    pornography, online brokerage, online gaming,
    online auctions)
  • Email Use policy
  • What is not acceptable (e.g. threats, harassment,
    spam)
  • Acceptable use policy
  • What else can the systems be used for (e.g.
    running your own home business, downloading and
    storing music/videos, games)

21
The definitions again
  • Policies state a goal in general terms.
  • Standards define what is to be accomplished in
    specific terms
  • Procedures tell how to meet the standards.

22
Standards
  • Policies alone do not offer the guidance required
    to actually implement a security program.
  • Standards are mandatory rules, activities,
    actions, or regulations designed to provide
    policies with the details needed to be effective.

23
An example
  • Policy It is the Company policy that all orders
    will be processed as quickly as possible.
  • Standard Each order must be processed within
    six working days of receipt.
  • Procedure The following steps will be followed
    to process orders
  • Day 1 Set up file for correspondence
  • Day 2 Enter order data into the system
  • Day 3 Verify order in stock and Process Credit
    Card
  • Day 4 Retrieve order and send to shipping
  • Day 5 Package order for shipment
  • Day 6 Mail order and receipt

24
A word on standards
  • Be aware of legislative and regulatory
    requirements, risks, protective measures, and
    practices that are relevant to your specific area
    of responsibility or business.
  • Two examples of international standards are
  • BS 7799 (British Standard)
  • ISO 17799 (based on BS 7799)

25
Original BS 7799
  • Organized into 10 major sections
  • Business continuity planning
  • System access control
  • System development and maintenance
  • Physical and environmental security
  • Compliance
  • Personnel security
  • Security organization
  • Computer and Network management
  • Asset classification and control
  • Security policy

26
The definitions again
  • Policies state a goal in general terms.
  • Standards define what is to be accomplished in
    specific terms
  • Procedures tell how to meet the standards.

27
Procedures
  • Procedures spell out the steps of how the policy
    and its supporting standards and guidelines will
    actually be implemented in the organizations
    environment.
  • Procedures are a description of tasks that must
    be accomplished in a specified order.

28
Some items to consider for procedures(From
Information Security Policies, Procedures, and
Standards)
  • Title
  • Intent
  • Scope
  • Responsibilities
  • Sequence of events
  • Approvals
  • Prerequisites
  • Definitions
  • Equipment required
  • Warnings
  • Precautions
  • Procedure body (the steps)

29
Authorship of Policies, standards,
  • The task of actually writing the policies and
    their supporting standards, guidelines, and
    procedures would typically be handled by
    personnel in the computer security office.
  • Support from IS/IT personnel helpful
  • External consultants can also be useful
  • Final draft should be submitted to management for
    approval.

30
Policy Checklist From Computer Security
Handbook, 3ed, John Wiley Press
31
And a word on writing(From Information Security
Policies, Procedures, and Standards)
  • Avoid alliteration. Always.
  • Prepositions are not words to end sentences with.
  • Avoid cliches like the plague. (They are old
    hat.)
  • Employ the vernacular.
  • Eschew ampersands abbreviations, etc.
  • Parenthetical remarks (however relevant) are
    unnecessary.
  • It is wrong to ever split an infinitive.
  • Contractions arent necessary.
  • Foreign words and phrases are not apropos.
  • One should never generalize.
  • Comparisons are as bad as cliches.
  • Even if a mixed metaphor sings, it should be
    derailed.
  • Eliminate quotations. As Ralph Waldo Emerson
    once said I hate quotations. Tell me what you
    know.
  • Do not be redundant do not use more words than
    necessary, it is highly superfluous.
  • Profanity sucks.
  • Be more or less specific.
  • Understatement is always best.
  • Exaggeration is a billion times worse than
    understatement.
  • One-word sentences? Eliminate.
  • Analogies in writing are like feathers on a
    snake.
  • The passive voice is to be avoided.
  • Go around the barn at high noon to avoid
    colloquialisms.
  • Who needs rhetorical questions?

32
Summary
  • What is the Importance and Significance of this
    material?
  • How does this topic fit into the subject of
    Voice and Data Security?
Write a Comment
User Comments (0)
About PowerShow.com