Security Policies and Implementation Issues
Lesson 1: Information Systems Security Policy Management

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com. All rights reserved.
Week 1: Focusing on Key Concepts
• Information System Security (ISS)
• ISS Life Cycle
• Audits and Impact
• Information Security Governance
• Framework Considerations
• Importance of Policies
• Security Concepts

Information Systems Security (ISS)
What is it?
The practice of protecting information and the systems that store, process, and transmit it.
Why is ISS needed?
ISS provides a foundation for protecting systems and data against risks such as:
- Unauthorized access and use
- Disclosure
- System disruption
- Modification or corruption
- Destruction

ISS Management Life Cycle

Align, Plan, and Organize
Example: an IT contract and its service agreements, where you decide what you are getting.
• What level of service do you want to deliver?
• How do you want to get there?

Build, Acquire, and Implement
Example: system controls and configuration.
• Schedules
• Deliverables
• Builds
• SLAs

Deliver, Service, and Support
Example: how is data protected? Multi-factor authentication adds a layer of protection.
• Minimize threats
• Analyze data
• Operational management and support

Monitor, Evaluate, and Assess
Example: general controls review, SOX compliance.
• Test and monitor controls
• Analyze effectiveness
• Auditing
Align, Plan, and Organize: Key Concepts

Threat
• A human-caused or natural event that could impact the system.

Vulnerability
• A weakness in a system that a threat can exploit.

Risk
• The likelihood or probability that a threat exploits a vulnerability, combined with the impact if it does.
Example of Risk Analysis: Threat, Vulnerability, and Risk
Audits

Self-Assessment: Typically takes the form of quality assurance (QA) and quality control (QC).

Internal Audit: Reports to the board of directors and assesses the business.

External Audit: Performed by an outside firm hired by the company to validate internal audit work and perform special assessments, such as certifying annual financial statements.

Regulator Audit: An audit by government agencies that assess the company's compliance with laws and regulations.
Five Pillars of Information Assurance (IA)
• Availability
• Integrity
• Authentication
• Confidentiality
• Nonrepudiation
So what is the difference between Information System Security (ISS) and Information Assurance (IA)?

• Information System Security focuses on protecting information regardless of form or process.

• Information Assurance focuses on protecting information during process and use.
Shared Principles of ISS and IA
• Availability
• Integrity
• Authentication
• Confidentiality
• Nonrepudiation
C-I-A Triad

Confidentiality: Managing highly sensitive data, meaning data should only be accessed by those who need it.

Integrity: Data is only changed by those who have the authority, with the appropriate level of access and understanding of the data.

Availability: Ensuring that information and systems are accessible and performing when needed.
Information Security Governance

• Security Policy Framework
• Risk Assessment
• Compliance
• Information Assurance
Security Policy Framework Components

Principles: Establish the tone at the top and the authority by which policies are enforced.

Policy: Defines how an organization performs and conducts business functions and transactions with a desired outcome.

Standards: Established methods implemented organization-wide.

Procedures: Steps required to implement a process.

Guidelines: Parameters within which a policy, standard, or procedure is suggested.

Definitions: Statements that define terms used in policy documents and set the context in which policy documents are interpreted.
Foundational Reasons for Using and Enforcing Security Policies
• Protecting systems from insider threats
• Protecting information at rest and in transit
• Controlling change to IT infrastructure
• Defending the business
Roles of Security Policies in an Organization
• Maintenance of a secure work environment
  • Change controls
  • Physical security
• Protection of information resources
  • Internal threats (employees, partners)
  • Storage and in transit
Importance of IS Security Policies

With ISS Policies:
• Data protection
• Change control
• Risk management
• Internal threat protection
• Increased availability

Without ISS Policies:
• Higher cost
• Regulatory non-compliance
• Vulnerability to mishandling
• Vulnerability to attack
Security Concepts and Activities

© Copyright 2012 – 2013 (ISC)², Inc. All Rights Reserved. Contents May Not Be Copied or Otherwise Distributed Under Any Circumstances
Security Threats and Policies

Threat: Personal use
Countermeasures: Acceptable use policy, workstation controls, web content filtering, and mail filtering

Threat: Theft of media
Countermeasures: Appropriate media controls

Threat: Fraud
Countermeasures: Balancing input/output reports, separation of duties, and verification of information

Threat: Sniffers
Countermeasures: Encryption and policy regarding possession of hacking or sniffing tools

Reference: page 461
Operator and Administrator Privileges

• Operators
• Administrators
• Database administrators

• How many breaches originate from insider abuse of privilege?
• What risks are associated with personnel having admin-level access?
• What should be done about that risk?

Reference: page 461
System Administrator Duties and Responsibilities

• Server startup and shutdown
• System configuration resets
• Data backups
• System maintenance
• Customer service
• Network administrator duties

Reference: pages 462-463
Security Administrator Duties and Responsibilities

• Policy
• Vulnerability assessments
• Incident response
• User-oriented activity management
• Information classification implementation
• Audit log monitoring and review
• Security tool oversight and management

Reference: page 463
Wrap Up

• Key concepts within security operations
• ISS life cycle
• Information assurance
• Importance of policy
• Governance model