Copyright © 1997 Trusted Information Systems - 6/23/97

Building Effective, Tailored Information Security Policy

John Pescatore, Trusted Information Systems
301-947-7153 [email protected]
Changing Business Model

PAST: Traditional structure (sectors, wholly owned businesses, stability)
FUTURE: Modern structure (SBUs, JVs, IPOs, divestitures, acquisitions, partnerships, strategic alliances... constant change)

[Diagram: a core corporation surrounded by joint ventures (JV), acquisitions, divestitures and IPOs, growing more numerous from past to future; chart label "3rd Qtr 1995"]

Need for flexibility will increase
Electronic Business Relationships

- To be successful, businesses need the ability to create rapid setup/teardown electronic business relationships with customers, suppliers, and partners. Security will need to be distributed throughout the computing enterprise.

[Diagram: Consumers - Data - Producers]
Enterprise-wide Security

[Diagram: Consumers - Data - Producers, with the following security technologies and concerns placed across the enterprise:]
- Encryption / Data Encryption
- Firewalls
- VAN Costs
- Multilevel O/S
- Secure WWW
- Virus Protection
- Audit/Backup
- Host Security
- Messaging Security
- Integrity
- Availability
- Secure RDBMS
- Object Oriented Security
- One Time Passwords
- Strong Authentication
- Electronic Commerce
- Digital Signatures
- Windows NT
- Non-repudiation
- Single Sign On
- Workplace Privacy
Infrastructure Impacts

- Changing business model leads to:
  - Growth by acquisition
  - Strategic alliances
  - Constant change
- Infrastructure needs to support:
  - Virtual Offices
  - Virtual Enterprises
  - Virtual Workgroups
- Security enables business to use the Internet to keep up with the pace of change
  - Encryption
  - Authentication
  - Access Control
Growth by Acquisition

- Security Impacts:
  - Security policy inconsistencies
  - Interoperability of security controls
  - Level of security sinks to the lowest common denominator
- Policy Demands:
  - Frequent, often unplanned, updates needed
  - Must address multiple cultures
  - Drive to select best-of-breed approach
Strategic Alliances

- Security Impacts:
  - Team today, compete tomorrow
  - Need for international secure connectivity
  - Varying levels of trust
- Policy Impacts:
  - Focus on business-critical data
  - Need to address export issues
  - "One size fits all" no longer works
Constant Change

- Security Impacts:
  - Vulnerabilities follow transitions
  - Breakdown of informal policies
  - High administrative load for access control
- Policy Impacts:
  - Need for intrusion detection, updates, audits
  - Need for an accessible formal policy
  - Policy needs to drive affordable solutions
Integrated Security Planning

- Treat security like an investment
  - Strategic planning
  - Business-driven
  - ROI or cost/benefit analysis
- Legal and regulatory issues

[Diagram: planning cycle in three phases]
Strategize: Business/Mission Needs -> Information Technology Needs -> Security Services Required
Implement: Develop Security Architecture -> Deploy Security Controls
Measure/Audit: Perform Intrusion Detection -> Update Policies and Controls (feeding back into Strategize)
Supporting activities: Policy Development and Refinement; Procurement/Development; Awareness/Education; Compliance Enforcement; Upgrade/Enhancement
Tailored Security Policy

- Goal is to influence behavior
- Need to enable, not just to deny
  - Users can route around controls all too easily
  - Become a cost of sales, not just overhead
- Focus on the business needs
  - What data will be handled?
  - How can that data be accessed?
  - What is your organization's paranoia level?
  - What controls are required on that data?
Data Categorization

- Define broad classes of information created, stored and/or delivered by your business
- Logical groupings based on impact to the business
  - Customer data - financial records, medical records, orders
  - Business data - financial, competitive, intellectual property
  - Employee data - salary, benefits, home phone
Data Categorization

- Assign sensitivity levels, e.g.:
  - Unrestricted
  - Restricted
  - Controlled Distribution

Examples by sensitivity level:

Unrestricted | Restricted | Controlled Distribution
Meeting notes | Memos for the record | Salary data, personnel files
Internal telephone directory | Organizational directories with home addresses and/or phone numbers | Customer databases, privacy or medical-related information
Corporate publicity | Financial reports | Data on mergers or potential acquisitions
User IDs | Passwords, encryption keys | Most internal policies and procedures
(none) | Incident response plans | Results of risk assessments
Functional information about a major application | Source code for a major application | Information that is the major product of a major application: loan approvals, flight plan data, public safety information, calculations, etc.
Data Access

- How could an attacker get to your data?
  - How is it created?
  - Where is it stored?
  - How is it transmitted?
- Typical client/server/Internet scenario
  - Created on a Windows 95 PC
  - Stored locally, on a file server, on an internal Web server, in a database, on an external Web server
  - Sent over LANs, WANs, and over the Internet via http, ftp and email
Data Access

- Identify Data Owners and Data Maintainers
- Identify business needs to provide access to the data
  - Internal employees
  - External employees
  - Business partners
  - Customers
  - Other third parties
- Identify exposure points and threats
Paranoia Level

- Getting to "good enough security"
- Security policy needs to match the risk acceptance profile of an organization
  - What are the realistic threats?
  - How visible is your organization?
  - What are the consequences of an incident?
  - How sensitive is your organization to the intangible costs of an incident?
- Regulatory and legal issues
Risk Profiling Matrix

Rate each of the four factors 1, 3 or 5 and add the scores:

Threats | Rating | Visibility | Rating
None identified as active; exposure is limited | 1 | Very low profile, no active publicity | 1
Unknown state or multiple exposures | 3 | Middle of the pack, periodic publicity | 3
Active threats, multiple exposures | 5 | Lightning rod, active publicity | 5

Consequences | Rating | Sensitivity | Rating
No cost impact; well within planned budget; risk transferred | 1 | Accepted as cost of doing business; no organization issues | 1
Internal functions impacted; budget overrun; opportunity costs | 3 | Unacceptable Business Unit management impact; good will costs | 3
External functions impacted; direct revenue hit | 5 | Unacceptable Corporate Management impact; business relationships affected | 5

Total Score: ____
Security Controls

- Match the required controls to the organizational value of the data, the risk tolerance of the organization, and the investment required to meet the policy
  - Sounds easy, huh?
- Security policy can have wide-ranging impact
  - Business-wide review
  - End result will be a compromise between security goals and business realities
Security Controls

Protection required, by information category:

Protection Required | Unrestricted | Restricted | Controlled Distribution
Identification | Identify as Organization property | Identify as Organization property, with category shown on initial page of record | Identify as Organization property, with category shown on each page of record
Disclosure Restrictions | None inside the Organization | Based on need to know | Only when approved by the information owner
Access Controls | Access limited to within the organization | Access limited to those authorized by the information owner | Access limited to those authorized by the information owner. All access must be logged
Transmission over networks | No restriction | Internal networks only | Must be encrypted before transmission over any network
Storage | No restriction | Locked storage, physically secure computer area | Locked storage, encrypted when stored on a computer connected to a network
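A matrix like the one above is the kind of policy that can be encoded and checked mechanically rather than read once and forgotten. The following is an added example, not from the original slides or from TIS: a small Python policy-as-code check that transcribes the five rows of the controls matrix into predicates and reports which required controls a proposed handling of a record fails. The `Handling` fields, the 0-3 marking levels, and the sample scenarios are assumptions made for this example.

```python
# Added example: the slide's controls matrix as a policy-as-code check.
# The Handling fields, marking levels and scenarios are assumptions made
# for this example; the rule names are transcribed from the matrix cells.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Category(Enum):
    UNRESTRICTED = "Unrestricted"
    RESTRICTED = "Restricted"
    CONTROLLED = "Controlled Distribution"


# Assumed encoding of the "Identification" row:
#   0 = no marking, 1 = identified as Organization property,
#   2 = ...with category shown on the initial page,
#   3 = ...with category shown on each page.
@dataclass
class Handling:
    category: Category
    marking_level: int = 0
    requester_in_org: bool = False    # is the person accessing it an insider?
    owner_authorized: bool = False    # has the information owner approved access?
    access_logged: bool = False       # is every access recorded?
    network: str = "none"             # "none", "internal" or "external"
    encrypted_in_transit: bool = False
    locked_storage: bool = False      # locked storage / physically secure area
    networked_host: bool = False      # stored on a computer connected to a network?
    encrypted_at_rest: bool = False


Rule = Tuple[str, Callable[[Handling], bool]]

# One predicate per matrix cell that imposes a requirement, keyed by category.
RULES: Dict[Category, List[Rule]] = {
    Category.UNRESTRICTED: [
        ("identify as Organization property", lambda h: h.marking_level >= 1),
        ("access limited to within the organization", lambda h: h.requester_in_org),
        # transmission and storage: no restriction
    ],
    Category.RESTRICTED: [
        ("category shown on initial page of record", lambda h: h.marking_level >= 2),
        ("disclosure based on need to know, access authorized by owner",
         lambda h: h.requester_in_org and h.owner_authorized),
        ("transmission over internal networks only",
         lambda h: h.network in ("none", "internal")),
        ("locked storage or physically secure computer area",
         lambda h: h.locked_storage),
    ],
    Category.CONTROLLED: [
        ("category shown on each page of record", lambda h: h.marking_level >= 3),
        ("disclosure only when approved by the information owner",
         lambda h: h.owner_authorized),
        ("all access must be logged", lambda h: h.access_logged),
        ("encrypted before transmission over any network",
         lambda h: h.network == "none" or h.encrypted_in_transit),
        ("locked storage", lambda h: h.locked_storage),
        ("encrypted when stored on a network-connected computer",
         lambda h: not h.networked_host or h.encrypted_at_rest),
    ],
}


def violations(h: Handling) -> List[str]:
    """Return the required controls (matrix cells) that this handling fails."""
    return [name for name, satisfied in RULES[h.category] if not satisfied(h)]


def compliant(h: Handling) -> bool:
    return not violations(h)


# Constructed scenarios for illustration; not from the slides.
SCENARIOS = {
    "internal telephone directory on the intranet": Handling(
        Category.UNRESTRICTED, marking_level=1, requester_in_org=True,
        network="internal"),
    "financial report e-mailed over the Internet": Handling(
        Category.RESTRICTED, marking_level=2, requester_in_org=True,
        owner_authorized=True, network="external", locked_storage=True),
    "salary data on a networked file server, unlogged access": Handling(
        Category.CONTROLLED, marking_level=3, owner_authorized=True,
        network="external", encrypted_in_transit=False, locked_storage=True,
        networked_host=True, encrypted_at_rest=True),
}


def run_scenarios() -> Dict[str, List[str]]:
    """Evaluate every constructed scenario; an empty list means compliant."""
    return {name: violations(h) for name, h in SCENARIOS.items()}


if __name__ == "__main__":
    for name, missing in run_scenarios().items():
        print(f"{name}: {'OK' if not missing else 'FAIL: ' + '; '.join(missing)}")
```

Because each matrix cell is one named predicate, a failing check names the exact control the policy requires, which is what an auditor or a compliance-enforcement step in the planning cycle needs; extending the matrix to a new category or a new row is a matter of adding entries to `RULES`.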
Writing the Policy

- Match your organization's culture
- Use the "real" information channels
- Several sources for templates
  - NIST/TIS - http://csrc.nist.gov/isptg
  - Charles C. Wood - http://www.baselinesoft.com
  - Outside consultants
- Involve Legal, HR, Public Affairs
- Policy should be issued from as high in the organization as possible
Awareness and Education

- Standard approaches:
  - Part of new hire training
  - Yearly signed awareness statement
  - System banners
  - Internal newsletters
- Direct marketing approach
  - Pay stub messages
  - Online quizzes with awards
  - Self assessment tools
Trusted Information Systems

- Since 1983, computer, network, and information security
- Customers in industry and federal, state, and local governments, worldwide
- Security products, security consulting, and world-respected research and development
- RecoverKey encryption technology
- TIS offices in Maryland, Virginia, California, UK, Germany
- TIS Business Partners in North America, South America, Europe, Asia, Africa, and Australia