Wednesday, July 23, 2014

Information Security Policy

Table of Contents
1. Information Security Policy (Word Count = approx. 1000)
1.1 Security
1.2 Policy
1.3 Information Security Policy and its importance
1.4 Policies, Procedures, Practices, Guidelines
1.5 Example of good policy statement
1.6 Possible structure of information security policy documents
1.7 Strategies and techniques to implement information security policies
2. Developing the Security Program (Word Count = approx. 500)
3. Security Management Models and Practices (Word Count = approx. 500)
A. ISO/IEC Model
B. NIST Security Model
C. RFC 2196
D. COBIT
E. COSO
4. List of References

1. Information Security Policy

1.1 Security
Security has been a real issue in this century. With newly emerging technologies such as RFID and wireless devices, there have been various privacy and security concerns for both individuals and enterprises. Security can be understood as the condition of being protected against unauthorized access. In IT, security can be categorized into application security, computing security, data security, information security, and network security. Source: (Whitman & Mattord 2007, p.5)

Even though all of these security fields need to be monitored in an enterprise, this document is concerned only with information security. Information security is responsible for ensuring the integrity, availability and confidentiality of the enterprise’s valuable assets. One preventive measure for protecting those assets is to develop and implement policy within the enterprise. The figure above shows that policy is essential in all of these security aspects.

1.2 Policy

“A policy is a deliberate plan of action to guide decisions and achieve rational outcome(s)” (Wikipedia: policy, 2009). It is also described as a process of making decisions among different priorities and choosing between them. Policies can be written for political, financial, management and administrative conditions in order to achieve explicit goals (Wikipedia: policy, 2009). An information security policy document contains the written statements of how an organization intends to protect its information.

1.3 Information Security Policy and its importance
Information flow within a business is a foundation of its competitive edge and financial liquidity. Maintaining that competitive edge is increasingly tied to implementing information services, which improve information flow. However, these services must be implemented in such a way that the intended profits do not turn into losses; that is why the information security policy is of such importance. It must be implemented so that it enables business continuity, minimizes risk and maximizes business efficiency. Improper development of information resources leads to data scattering and a decrease in security. To protect business assets, businesses develop information security policies as sets of regulations and procedures intended to maintain the confidentiality, integrity and availability of information. A company’s information security policy is a document that states the company’s resources and assets, and it is continuously updated as technology and business requirements change. It is one of the most important information security documents. Enterprises implement information security policies for the following five major reasons (Peltier 2002):

i. It can be beneficial for gaining competitive advantage;
ii. It improves customer and shareholder confidence;
iii. It decreases governmental interference;
iv. It ensures compliance with legislative requirements; and
v. It decreases the risk of legal liability.

1.4 Policies, Procedures, Practices, Guidelines

Source: (Whitman & Mattord 2007, p.112)
The figure above provides a general view of policies, standards, practices, guidelines and procedures. More specifically:
I. Policies are the plan of action of a government, business, party or political sector for influencing and determining decisions, actions and other matters.
II. Standards are more detailed statements of what must be done to comply with a policy.
III. Practices, guidelines and procedures explain how the employees in an organisation comply with the policy.
For example, an enterprise policy might state that employees are not allowed to view inappropriate web sites in the workplace. While implementing this policy, the enterprise creates standards requiring that all inappropriate sites are blocked and listing those sites that are considered inappropriate.

1.5 Example of good policy statement
A good policy statement must have the following properties (Whitman & Mattord 2007):
i. The policy must be developed using industry-accepted practices
ii. It must be distributed and disseminated using all appropriate methods
iii. It must be reviewed or read by all employees
iv. It must be formally agreed to by act or assertion
v. It must be uniformly applied and enforced

USQ also has different policy statements for different purposes. For information and communication technology, USQ has the “USQ POLICY FOR ICT INFORMATION MANAGEMENT AND SECURITY”. It can be found on the USQ web site at http://www.usq.edu.au/resources/101usqpolicyforictinformationmanagementand.pdf.

Purpose:
To outline the direction, scope, and approach to the secure management of information resources and services within the USQ ICT environment. It will continue to be reviewed and evaluated in line with changes to business processes and information security risks.

Scope and Application:
This policy applies equally to all USQ employees, including permanent, temporary, part-time and contract staff, as well as students, consultants, or third-party employees with access to the USQ ICT environment.

Responsible Officer: Chief Technology Officer
CIS 8000 Global system strategy
Policy Type/Category: Governance and Management

The USQ policy covers:
- Information Security
- Internet and Email Use
- Monitoring and Privacy
- Penalties and Discipline
- Policy Making and Review

1.6 Possible structure of information security policy documents
According to Weise & Martin (2001), an information security policy document contains the following sections:
Statement of Purpose: Defines the purpose of the policy and why it is needed.
Scope: States the policy’s applicability and area of coverage.
Policy Statement: Defines the specifics of the policy.
Responsibilities: Describes who must do what.
Audience: Describes to whom the policy is oriented.
Enforcement: Describes who is charged with enforcing the policy and what the penalties for non-compliance are.
Exceptions: Describes the conditions under which exceptions apply.
Communicating Policy: Describes who is responsible for disseminating the policy and what the process is.
Review and Update Process: States under what conditions the policy is reviewed.
Implementing the Policy: States who is responsible and how the policy is accomplished.
Monitoring Compliance: States how monitoring is accomplished.

1.7 Strategies and techniques to implement information security policies
When the security policy has been drawn up, revised, updated and agreed upon, the implementation process follows. This is usually harder than the creation of the policy itself, because at this stage you also need to coach and educate your staff to behave in a "secure" manner, following each of the core elements set out in the formal security policy (Danchev 2003). Techniques include:
Access Control Lists: define the access and privileges of every user to the available resources.
Security Awareness Programs: can be developed for staff to provide a better understanding of security risks and potential security problems (Danchev 2003).
Configuration Rules: specific configuration codes that guide the execution of a system, i.e. what action to perform on each set of information being processed (Whitman & Mattord 2007).

Security involves risk assessment, analysis of threats and forming organizational policy. Setting the policy and controls is not enough; they also have to be effective. To make them effective, proper auditing and monitoring must be done; apart from that, the needs of the company and business conditions change from time to time. It is essential that the level of security is maintained appropriately in an organisation.

2. Developing the Security Program

Prioritization of security functions for MetOcean Engineers Pty Ltd is done in the following manner (Whitman & Mattord 2007):
(1) Planning: Planning by the executives needs to have the highest priority because everything has to be done according to plan. If proper planning is done, it is easy to manage things accordingly and hence to assign security roles and responsibilities to each member.
(2) Policy: Policy is a standard that provides guidelines for the members and staff of MetOcean Engineers Pty Ltd (MetOcean) in formulating planning and operations. Policies need to be set for the overall information security program and for the specific issues facing the consultancy.
(3) Training: Education and training should be provided to employees regularly by performing security awareness programs.
(4) Legal assessment: It is important to review and perform a legal assessment of policies and procedures to ensure that legal aspects are covered.
(5) Network Security Administration: Network security is ensured by technologies such as firewalls, routers and wireless devices, administered by the network administrator, to protect network connectivity between computers, shared information storage resources, internet connectivity and e-mail capability.
(6) Vulnerability Assessment: Given the lack of formal security policies in the network, there may be several threats to the information system of MetOcean that can exploit weaknesses of the system, so a vulnerability assessment should be performed that covers information assets and weak points.
(7) Risk Assessment: After identifying the vulnerabilities that exist in the system, it is necessary to conduct a risk assessment, either qualitatively or quantitatively, to estimate the potential risk to the MetOcean information system.
(8) Risk Management: As soon as the potential risks and their impacts on MetOcean are identified, it is important to apply risk controls to mitigate them; proper risk management should make recommendations for general improvements in the information security posture.
(9) Measurement: After implementing the various control measures in the existing system, it is necessary to calculate the residual risks and their impact to the academy.
(10) Centralized authentication: It is necessary to centralize the authentication mechanism and the granting of privileges to access the networks in order to resolve different issues related to the network system.
(11) System Security Administration: Since monitoring and control of MetOcean has been achieved through risk management and assessment, configuration of the system should be done by system administration.
(12) Compliance: Since identified vulnerabilities are repaired by the system administrator and network administrator, compliance checks should be done to ensure the work has been performed.
(13) System testing: Software vulnerabilities are addressed through installation of patches, and system testing is done to assure compliance and system performance as part of risk management and incident response.
(14) Incident Response: MetOcean should have an incident response plan and a disaster recovery plan to protect sensitive and valuable information assets from unwanted and undesirable events and to ensure business continuity.

3. Security Management Models and Practices

A security model is a generic blueprint offered by a service organisation (Whitman & Mattord 2007). Some of the security management models and practices are listed as follows:

A. ISO/IEC Model
ISO/IEC is an abbreviation for the International Organisation for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is a proprietary document; anybody who wants to adopt it needs to purchase a license. It is based on the British standard Information Technology – Code of Practice for Information Security Management. It contains recommended practices, control objectives and controls in security policy, information security organisation, asset management, human resource security, physical and environmental security, communication and operation management, access control and compliance. Disadvantages:
- It lacks justification for its code of practice and the necessary measurement of technical standards.
- It is not as useful as other methods.
- It is not a complete framework and requires a license to adopt.

B. NIST Security Model
Advantages
- It does not require cost.
- It has been reviewed broadly by the government and industry professionals.
- It has various publications, which can be the best reference and guide for routine management of information security.
Disadvantages
- It is a generalized model, which makes it difficult to customize to meet organisational needs.
- It was developed in the US, so it may not be compatible with organisations outside the US.

C. RFC 2196
RFC 2196 was created by the Internet Engineering Task Force (IETF). Characteristics of RFC 2196:
It provides a functional discussion of security issues and an overview of the development and implementation of security covering five basic areas. It covers security policies, security technical architecture, security services and security incident handling. One drawback of RFC 2196 is that organisations require a license to purchase the standards, which makes the model costly.

D. COBIT
Control Objectives for Information and related Technology (COBIT) provides advice about the implementation of security.
Advantages
- It is used as a planning tool for information security as well as for control models.
- It is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.
- It also helps the organization to increase the value attained from IT, and enables alignment.
Disadvantages
- Work done in earlier versions of COBIT is not validated.
- The standards are a bit expensive to purchase.

E. COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a US private-sector-based model. It is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations (Whitman & Mattord 2007). The five components of COSO are:

i. Control Environment
ii. Risk Assessment
iii. Control Activities
iv. Information and Communication
v. Monitoring

Characteristics of COSO
- Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence.
- It establishes a common definition of internal controls, standards and criteria against which organizations can assess their control systems.
- It provides a framework to describe and analyse those internal control systems which are based on IT systems incorporating information security controls.
- It only helps those organizations that must comply with critical regulations.

4. List of References

Danchev, D 2003, “Building and Implementing a Successful Information Security Policy”, WindowSecurity.com, viewed 15 January 2009,

Peltier 2002, “Information Security Policies, Procedures, and Standards”

RPS MetOcean 2008, “Company Profile”, viewed 12 December 2008,

Whitman, ME & Mattord, HJ 2007, “Management of Information Security”, 2nd edn, Thomson Course Technology, Boston, Massachusetts

Weise, J & Martin, CR 2001, “Data Security Policy – Structure and Guidelines”, viewed 19 January 2009,

Wikipedia: Policy, updated 10 January 2009, viewed 20 January 2009, <http://en.wikipedia.org/wiki/Policy>
