Building Effective, Tailored Information Security Policy
John Pescatore, Trusted Information Systems
301-947-7153 [email protected]
Copyright © 1997 Trusted Information Systems, 6/23/97


Changing Business Model

PAST: Traditional structure (sectors, wholly owned businesses, stability)

FUTURE: Modern structure (SBUs, JVs, IPOs, divestitures, acquisitions, partnerships, strategic alliances... constant change)

[Diagram: a Core Corp surrounded by JVs, acquisitions, divestitures and IPOs; dated 3rd Qtr 1995]

Need for flexibility will increase


Electronic Business Relationships

• To be successful, businesses need the ability to create rapid setup/teardown electronic business relationships with customers, suppliers, and partners. Security will need to be distributed throughout the computing enterprise.

[Diagram: Consumers, Data, Producers]


Enterprise-wide Security

[Diagram: security concerns arranged around Consumers, Data and Producers]

• Encryption
• Firewalls
• VAN Costs
• Multilevel O/S
• Secure WWW
• Virus Protection
• Audit/Backup
• Data Encryption
• Host Security
• Messaging Security
• Integrity
• Availability
• Secure RDBMS
• Object Oriented Security
• One Time Passwords
• Strong Authentication
• Electronic Commerce
• Digital Signatures
• Windows NT
• Non-repudiation
• Single Sign On
• Workplace Privacy


Infrastructure Impacts

• Changing business model leads to:
  - Growth by acquisition
  - Strategic alliances
  - Constant change
• Infrastructure needs to support:
  - Virtual Offices
  - Virtual Enterprises
  - Virtual Workgroups
• Security enables business to use the Internet to keep up with the pace of change
• Encryption
• Authentication
• Access Control


Growth by Acquisition

• Security Impacts:
  - Security policy inconsistencies
  - Interoperability of security controls
  - Level of security sinks to lowest common denominator
• Policy Demands:
  - Frequent, often unplanned, updates needed
  - Must address multiple cultures
  - Drive to select best-of-breed approach


Strategic Alliances

• Security Impacts:
  - Team today, compete tomorrow
  - Need for international secure connectivity
  - Varying levels of trust
• Policy Impacts:
  - Focus on business-critical data
  - Need to address export issues
  - “One size fits all” no longer works


Constant Change

• Security Impacts:
  - Vulnerabilities follow transitions
  - Breakdown of informal policies
  - High administrative load for access control
• Policy Impacts:
  - Need for intrusion detection, updates, audits
  - Need for an accessible formal policy
  - Policy needs to drive affordable solutions


Integrated Security Planning

• Treat security like an investment
  - Strategic planning
  - Business-driven
  - ROI or cost/benefit analysis
• Legal and regulatory issues

[Diagram: planning cycle in three phases]
Strategize: Business/Mission Needs -> Information Technology Needs -> Security Services Required
Implement: Develop Security Architecture -> Deploy Security Controls
Measure/Audit: Perform Intrusion Detection -> Update Policies and Controls
Supporting activities: Policy Development and Refinement; Procurement/Development; Awareness/Education; Compliance Enforcement; Upgrade/Enhancement


Tailored Security Policy

• Goal is to influence behavior
• Need to enable, not just to deny
  - Users can route around controls all too easily
  - Become a cost of sales, not just overhead
• Focus on the business needs
  - What data will be handled?
  - How can that data be accessed?
  - What is your organization’s paranoia level?
  - What controls are required on that data?


Data Categorization

• Define broad classes of information created, stored and/or delivered by your business
• Logical groupings based on impact to business
  - Customer data: financial records, medical records, orders
  - Business data: financial, competitive, intellectual property
  - Employee data: salary, benefits, home phone


Data Categorization

• Assign sensitivity levels, e.g.:
  - Unrestricted
  - Restricted
  - Controlled Distribution

Unrestricted | Restricted | Controlled Distribution
---|---|---
Meeting notes | Memos for the record | Salary data, personnel files
Internal telephone directory | Organizational directories with home addresses and/or phone numbers | Customer databases, privacy or medical-related information
Corporate publicity | Financial reports | Data on mergers or potential acquisitions
User IDs | Most internal policies and procedures | Passwords, encryption keys
 | Incident response plans | Results of risk assessments
Functional information about a major application | Source code for a major application | Information that is the major product of a major application: loan approvals, flight plan data, public safety information, calculations, etc.


Data Access

• How could an attacker get to your data?
  - How is it created?
  - Where is it stored?
  - How is it transmitted?
• Typical client/server/Internet scenario
  - Created on a Windows 95 PC
  - Stored locally, on a file server, on an internal Web server, in a database, on an external Web server
  - Sent over LANs, WANs, and over the Internet via http, ftp and email


Data Access

• Identify Data Owners and Data Maintainers
• Identify business needs to provide access to the data
  - Internal employees
  - External employees
  - Business partners
  - Customers
  - Other third parties
• Identify exposure points and threats


Paranoia Level

• Getting to “good enough security”
• Security policy needs to match the risk acceptance profile of an organization
  - What are the realistic threats?
  - How visible is your organization?
  - What are the consequences of an incident?
  - How sensitive is your organization to the intangible costs of an incident?
• Regulatory and legal issues


Risk Profiling Matrix

Threats | Rating | Visibility | Rating | Score
---|---|---|---|---
None identified as active; exposure is limited | 1 | Very low profile, no active publicity | 1 |
Unknown state or multiple exposures | 3 | Middle of the pack, periodic publicity | 3 |
Active threats, multiple exposures | 5 | Lightning rod, active publicity | 5 |

Consequences | Rating | Sensitivity | Rating | Score
---|---|---|---|---
No cost impact; well within planned budget; risk transferred | 1 | Accepted as cost of doing business; no organization issues | 1 |
Internal functions impacted; budget overrun; opportunity costs | 3 | Unacceptable Business Unit management impact; good will costs | 3 |
External functions impacted; direct revenue hit | 5 | Unacceptable Corporate Management impact; business relationships affected | 5 |

Total Score:


Security Controls

• Match the required controls to the organizational value of the data, the risk tolerance of the organization, and the investment required to meet the policy
  - Sounds easy, huh?
• Security policy can have wide-ranging impact
  - Business-wide review
  - End result will be a compromise between security goals and business realities


Security Controls

Protection Required | Unrestricted | Restricted | Controlled Distribution
---|---|---|---
Identification | Identify as Organization Property | Identify as Organization Property, with category shown on initial page of record | Identify as Organization Property, with category shown on each page of record
Disclosure Restrictions | None inside the Organization | Based on need to know | Only when approved by the information owner
Access Controls | Access limited to within the organization | Access limited to those authorized by the information owner | Access limited to those authorized by the information owner. All access must be logged
Transmission over networks | No restriction | Internal networks only | Must be encrypted before transmission over any network
Storage | No restriction | Locked storage, physically secure computer area | Locked storage, encrypted when stored on a computer connected to a network
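The matrix above as an executable policy check, added here as an illustration and not part of the original presentation: the category names and the rules are taken from the slide, while the Handling fields, the check_handling function and the sample scenarios are constructed assumptions.

```python
# Added example, not from the original presentation: the Security Controls
# matrix encoded as a data-handling policy check. Category names and rules
# come from the slide; the Handling fields, the function name and the
# sample scenarios are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

CATEGORIES = ("Unrestricted", "Restricted", "Controlled Distribution")


@dataclass
class Handling:
    """One proposed way of handling a record (constructed input)."""
    category: str
    network: Optional[str] = None       # None, "internal" or "external"
    encrypted_in_transit: bool = False
    accessor_in_org: bool = True
    owner_authorized: bool = False
    access_logged: bool = False
    on_networked_computer: bool = False
    encrypted_at_rest: bool = False
    locked_storage: bool = False


def check_handling(h: Handling) -> List[str]:
    """Return the matrix rules that this handling would violate."""
    if h.category not in CATEGORIES:
        raise ValueError("unknown category: " + h.category)
    level = CATEGORIES.index(h.category)  # 0 = Unrestricted .. 2 = Controlled
    violations = []
    # Access Controls row of the matrix
    if level == 0 and not h.accessor_in_org:
        violations.append("access limited to within the organization")
    if level >= 1 and not h.owner_authorized:
        violations.append("access limited to those authorized by the owner")
    if level == 2 and not h.access_logged:
        violations.append("all access must be logged")
    # Transmission over networks row
    if level == 1 and h.network == "external":
        violations.append("internal networks only")
    if level == 2 and h.network is not None and not h.encrypted_in_transit:
        violations.append("must be encrypted before transmission over any network")
    # Storage row
    if level >= 1 and not h.locked_storage:
        violations.append("locked storage required")
    if level == 2 and h.on_networked_computer and not h.encrypted_at_rest:
        violations.append("encrypted when stored on a networked computer")
    return violations
```

An empty list means the proposed handling satisfies every row of the matrix for that category; each string names the row that would be breached.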


Writing the Policy

• Match your organization’s culture
• Use the “real” information channels
• Several sources for templates
  - NIST/TIS - http://csrc.nist.gov/isptg
  - Charles C. Wood - http://www.baselinesoft.com
  - Outside consultants
• Involve Legal, HR, Public Affairs
• Policy should be issued from as high in the organization as possible


Awareness and Education

• Standard approaches:
  - Part of new hire training
  - Yearly signed awareness statement
  - System banners
  - Internal newsletters
• Direct marketing approach
  - Pay stub messages
  - Online quizzes with awards
  - Self assessment tools


Trusted Information Systems

• Since 1983, computer, network, and information security
• Customers in industry and federal, state, and local governments, worldwide
• Security products, security consulting, and world-respected research and development
• RecoverKey encryption technology
• TIS offices in Maryland, Virginia, California, UK, Germany
• TIS Business Partners in North America, South America, Europe, Asia, Africa, and Australia