Information Security Chapter 2 Planning for Security.ppt


8/18/2019 Information Security Chapter 2 Planning for Security.ppt

    Principles of Information Security, 2nd Edition

    Introduction

    Creation of information security program begins with creation and/or review of organization's information security policies, standards, and practices

    Then, selection or creation of information security architecture and the development and use of a detailed information security blueprint creates plan for future success


    Definitions

    Policy: course of action used by organization to convey instructions from management to those who perform duties

    Policies are organizational laws

    Standards: more detailed statements of what must be done to comply with policy

    Practices, procedures and guidelines effectively explain how to comply with policy

    For a policy to be effective, must be properly disseminated, read, understood and agreed to by all members of organization


    Enterprise Information Security Policy (EISP)

    Sets strategic direction, scope, and tone for all security efforts within the organization

    Executive-level document, usually drafted by or with CIO of the organization

    Typically addresses compliance in two areas

      Ensure meeting requirements to establish program and responsibilities assigned therein to various organizational components

      Use of specified penalties and disciplinary action


    Issue-Specific Security Policy (ISSP)

    The ISSP

      Addresses specific areas of technology

      Requires frequent updates

      Contains statement on organization's position on specific issue

    Three approaches when creating and managing ISSPs

      Create a number of independent ISSP documents

      Create a single comprehensive ISSP document

      Create a modular ISSP document


    Systems-Specific Policy (SysSP)

    SysSPs frequently codified as standards and procedures used when configuring or maintaining systems

    Systems-specific policies fall into two groups

      Access control lists (ACLs)

      Configuration rules


    Policy Management

    Policies must be managed as they constantly change

    To remain viable, security policies must have

      Individual responsible for reviews

      A schedule of reviews

      Method for making recommendations for reviews

      Specific policy issuance and revision date


    Information Classification

    Classification of information is an important aspect of policy

    Policies are classified

    A clean desk policy stipulates that at end of business day, classified information must be properly stored and secured

    In today's open office environments, may be beneficial to implement a clean desk policy


    The Information Security Blueprint

    Basis for design, selection, and implementation of all security policies, education and training programs, and technological controls

    More detailed version of security framework (outline of overall information security strategy for organization)

    Should specify tasks to be accomplished and the order in which they are to be realized

    Should also serve as scalable, upgradeable, and comprehensive plan for information security needs for coming years


    ISO 17799/BS 7799

    One of the most widely referenced and often discussed security models

    Framework for information security that states organizational security policy is needed to provide management direction and support


    NIST Security Models

    Another possible approach described in documents available from Computer Security Resource Center of NIST

      SP 800-12

      SP 800-14

      SP 800-18

      SP 800-26

      SP 800-30


    NIST Special Publication 800-14

    Security supports mission of organization; is an integral element of sound management

    Security should be cost-effective; owners have security responsibilities outside their own organizations

    Security responsibilities and accountability should be made explicit; security requires a comprehensive and integrated approach

    Security should be periodically reassessed; security is constrained by societal factors

    33 principles enumerated


    Figure 5-15 - Spheres of Security


    Design of Security Architecture

    Defense in depth

      Implementation of security in layers

      Requires that organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls

    Security perimeter

      Point at which an organization's security protection ends and outside world begins

      Does not apply to internal attacks from employee threats or on-site physical threats


    Key Technology Components

    Firewall: device that selectively discriminates against information flowing into or out of organization

    Demilitarized zone (DMZ): no-man's land between inside and outside networks where some organizations place Web servers

    Intrusion Detection Systems (IDSs): in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement an IDS
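The perimeter, the DMZ and the inner-network detector described on the last two slides, modelled in an added example that is not from the textbook or the slides; the zones, addresses, ports, firewall rules and the database host are all constructed. It shows the slides' caveat directly: traffic that stays inside the perimeter is never inspected by the firewall, which is why an IDS inside the inner network is needed.

```python
"""Layered perimeter model (added example): a firewall between the outside,
a DMZ holding the Web server, and the inner network, plus a simple detector
for unexpected activity inside the inner network. Everything is constructed."""
import ipaddress

# Constructed network zones (documentation and private ranges).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "inside": ipaddress.ip_network("10.0.0.0/8"),
}

def zone_of(ip):
    """Zone containing ip; anything not in the DMZ or inside is 'outside'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"

# Firewall rules as (src_zone, dst_zone, dst_port); anything else is denied.
FIREWALL_RULES = {
    ("outside", "dmz", 443),     # public HTTPS to the DMZ Web server
    ("dmz", "inside", 5432),     # Web server to the internal database only
    ("inside", "outside", 443),  # employees browsing out
    ("inside", "dmz", 443),
}

def firewall_decision(src_ip, dst_ip, dst_port):
    """'allow' or 'deny' at the perimeter. Traffic that never crosses a zone
    boundary (inside -> inside) is not seen by the perimeter at all."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "not-inspected"
    return "allow" if (src, dst, dst_port) in FIREWALL_RULES else "deny"

# Constructed database host and the only source expected to reach it.
DB_HOST = "10.1.1.5"
EXPECTED_DB_CLIENTS = {"192.0.2.10"}  # the DMZ Web server

def ids_alert(src_ip, dst_ip, dst_port):
    """True when an unexpected source reaches the database: activity inside
    the perimeter that the firewall never sees but an IDS can flag."""
    return (dst_port == 5432 and dst_ip == DB_HOST
            and src_ip not in EXPECTED_DB_CLIENTS)
```

An internal workstation connecting straight to the database passes the perimeter untouched ("not-inspected") yet raises the IDS alert, while the same connection from the DMZ Web server is allowed and expected.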


    Figure 5-18 - Key Components
