IT Security Policy Framework

● Policies ● Standards ● Procedures ● Guidelines


Policy

● A written statement from an authority (management) that declares a required course of action.
– Example: Policy dictates that all employees read and sign the Acceptable Use Policy (AUP) before receiving access to the computing system.


Standard

● A mandatory, measurable level of attainment that specifies how a policy requirement is met.
– IT standards ensure that consistent security controls are adopted.
– Example: The Common Criteria (ISO/IEC 15408) establish standards for evaluating hardware and software security.


Procedures

● A description of the step-by-step process used to accomplish a task.
– Example: A procedure checklist is used to perform and verify backups.


Guidelines

● A suggested (non-mandatory) course of action, which can be specific or general.
– Example: The guidelines for a secure password include but are not limited to ...


IT Policy Framework Purpose

● The purpose is to achieve an acceptable level of risk.


Data Classification Standards

● US Government
● Private enterprise


US Government

● Executive Order 13526 (2009)
– Top Secret
– Secret
– Confidential
– Public domain information is considered unclassified and is not part of the classification standard.


Top Secret

● Would cause exceptionally grave damage to national security if it were disclosed.


Secret

● Would cause serious damage to national security if it were disclosed.


Confidential

● Would cause damage to national security if it were disclosed.


Guidelines

● Yes, there are guidelines (classification guides) for separating information into the appropriate categories.


Unclassified

● Would you believe there are classifications for unclassified information?


Unclassified

● Poses no threat to national security if exposed.


Controlled Unclassified

● Unclassified information that still requires protection, e.g. For Official Use Only (FOUO).
– Example: Law Enforcement Sensitive (LES) information


Alternative classifications

● Top Secret
● Secret
● Confidential
● Restricted
● Protected
● Unclassified


Private Enterprise Data Classification*

*(Kim, Solomon)
● Private
● Confidential
● Internal use only
● Public domain data


Private

● Data about people (personal information).
– Example: data regulated by privacy compliance laws such as HIPAA


Confidential

● Information owned by the enterprise
– Customer lists
– Pricing information
– Intellectual property
– Internal use only information


Internal Use Only

● Information shared internally by an organization.
– Most communications are not intended to be shared outside the organization.


Public Domain Data

● Shared with the public
– Web site content
– White papers


Alternative

● Confidential
● Restricted
● Protected
● Unclassified (public)


Alternative

● Confidential

– Disclosure would substantially undermine the financial viability of the organization.


Alternative

● Restricted

– Disclosure would cause a substantial loss of earning potential or give an advantage to competitors.


Alternative

● Protected

– Disclosure would cause financial loss.


Data Classification Challenges

● Perfection is the enemy of the good!

– If you insist on perfection, your scheme will be difficult to implement.

– Employees must be properly educated in order to classify data effectively.


Data Classification Challenges

● Perfection is the enemy of the good!

– If the scheme is too complex, it will fail for lack of use.

– You are better served by keeping your classification scheme simple (no more complex than is necessary)


Data Classification Challenges

● Perfection is the enemy of the good!

– Development and implementation of a data classification scheme will require resources.

– If it is complex, it will likely be expensive to implement.


Implementation Tips

● Understand what is achievable: a data classification policy must become simpler as more individuals become involved in implementing it.


Implementation Tips

● Those who have something at stake should be involved in the data classification policy development.


Implementation Tips

● Provide appropriate education and visibility.

– Any data classification scheme should be posted on the company/agency intranet.


Implementation Tips

● Align your data classification scheme with regulatory (compliance) requirements.


Compliance Laws

● Legislation exists mandating security controls to protect private and confidential data.


Example Compliance Legislation

● SOX (Sarbanes-Oxley Act, 2002)
– Requires security controls to protect the confidentiality and integrity of financial reporting.


Example Compliance Legislation

● GLBA (Gramm-Leach-Bliley Act, 1999)
– Financial institutions must protect clients' private financial information.


Example Compliance Legislation

● HIPAA (Health Insurance Portability and Accountability Act, 1996)
– Health care organizations must secure patient information.


Example Compliance Legislation

● CIPA (Children's Internet Protection Act, 2000)
– Requires public schools and public libraries to implement an Internet safety policy.


Example Compliance Legislation

● FERPA (Family Educational Rights and Privacy Act, 1974)
– Protects the school records and other private data of students.


Example Compliance Standard

● PCI DSS (Payment Card Industry Data Security Standard)
– An information security standard for organizations that handle payment card information:
● Debit
● Credit
● Prepaid
● ATM
● etc.


Professionalization of the System Administration (SA) Discipline

● Establishment of professional societies/organizations

● Credentials
– By study and examination
– University degrees


Example Professional Organizations

● LISA (Large Installation System Administration), the USENIX conference, and SAGE, the System Administrators Guild

● (ISC)² – International Information System Security Certification Consortium.


Professional Organizations

● Offer credentials through study and examination

● Code of ethics
● Professional networking
● A forum for sharing new technology, ideas, etc.


Recommended Areas of Knowledge

● Access controls
● Cryptography
● Network security
● Risk management
● Application development security
● Legal regulations and compliance
● Operations security