Lecture # 35
Objectives
• Introduction to Security Policy.

Security Policy
• A security policy is a document that spells out principles and strategies for an organization to maintain the security of its information assets.
• A security policy (also called an information security policy or IT security policy) is a document that spells out the rules, expectations, and overall approach that an organization uses to maintain the confidentiality, integrity, and availability of its data.
• Security policies exist at many different levels, from high-level constructs that describe an enterprise's general security goals and principles to documents addressing specific issues, such as remote access or Wi-Fi use.
• A security policy is frequently used in conjunction with other types of documentation such as standard operating procedures.
• These documents work together to help the company achieve its security goals.

Security Policy (Cont..)
Some of the benefits of a well-designed and implemented security policy include:

Guides the implementation of technical controls
• A policy states senior management's intentions; it is then up to the security or IT teams to translate these intentions into specific technical actions.
• The specific authentication systems and access control rules used to implement a policy can change over time, but the general intent remains the same.
• Without a place to start from, the security or IT teams can only guess senior management's desires.

Security Policy (Cont..)
Sets clear expectations
• Without a security policy, each employee or user will be left to his or her own judgment in deciding what's appropriate and what's not.
• A security policy should also clearly spell out how compliance is monitored and enforced.

Security Policy (Cont..)
Helps meet regulatory and compliance requirements
• Documented security policies are a requirement of legislation like HIPAA (Health Insurance Portability and Accountability Act) and Sarbanes-Oxley, as well as regulations and standards like PCI DSS, ISO 27001, and SOC 2.
• The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards protecting sensitive health information from disclosure without the patient's consent.
• The US Department of Health and Human Services issued the HIPAA Privacy Rule to implement HIPAA requirements.
• The Sarbanes-Oxley Act of 2002 is a United States federal law that mandates certain practices in financial record keeping and reporting for corporations.
• The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit cards from the major card brands.
• ISO/IEC 27001 is the world's best-known standard for information security management systems (ISMS). It defines the requirements an ISMS must meet.
• The ISO/IEC 27001 standard provides companies of any size and from all sectors of activity with guidance for establishing, implementing, maintaining and continually improving an information security management system.
• SOC 2 stands for System and Organization Controls 2. It is a security framework that specifies how organizations should protect customer data from unauthorized access, security incidents, and other vulnerabilities.
• The American Institute of Certified Public Accountants (AICPA) developed SOC 2 around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
• The SOC 2 security framework covers how companies should handle customer data that's stored in the cloud.
• Even when not explicitly required, a security policy is often a practical necessity in crafting a strategy to meet increasingly stringent security and data privacy requirements.

Security Policy (Cont..)
Improves organizational efficiency and helps meet business objectives
• A good security policy can enhance an organization's efficiency.
• Security policies should also provide clear guidance for when policy exceptions are granted, and by whom.

Security Policy (Cont..)
Three types of security policies
• Security policies can vary in scope, applicability, and complexity, according to the needs of different organizations.
• While there's no universal model for security policies, the National Institute of Standards and Technology (NIST) spells out three distinct types in Special Publication (SP) 800-12:

Security Policy (Cont..)
Three types of security policies
Program policy
• Program policies are strategic, high-level blueprints that guide an organization's information security program.
• They spell out the purpose and scope of the program, as well as define roles and responsibilities and compliance mechanisms.
• Also known as master or organizational policies, these documents are crafted with high levels of input from senior management and are typically technology agnostic.
• They are the least frequently updated type of policy, as they should be written at a high enough level to remain relevant even through technical and organizational changes.

Security Policy (Cont..)
Three types of security policies
Issue-specific policy
• Issue-specific policies build upon the generic security policy and provide more concrete guidance on certain issues relevant to an organization's workforce.
• Common examples could include a network security policy, bring-your-own-device (BYOD) policy, social media policy, or remote work policy.
• These may address specific technology areas but are usually more generic.
• A remote access policy might state that offsite access is only possible through a company-approved and supported VPN, but that policy probably won't name a specific VPN client.

Security Policy (Cont..)
Three types of security policies
System-specific policy
• A system-specific policy is the most granular type of IT security policy, focusing on a particular type of system, such as a firewall or web server, or even an individual computer.
• NIST states that system-specific policies should consist of both a security objective and operational rules.
• IT and security teams are heavily involved in the creation, implementation, and enforcement of system-specific policies, but the key decisions and rules are still made by senior management.
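As an added worked example (not from the slides or from NIST SP 800-12), the following shows how the two parts NIST names, a security objective and operational rules, can be written down as policy-as-code for a hypothetical web server and checked against a configuration snapshot. It also illustrates the earlier point that a policy guides the implementation of technical controls: the objective stays stable while the rules are the team's technical translation of it. The system name, rule identifiers, the management network 10.10.0.0/24 and every configuration value are constructed for illustration and are assumptions, not settings from any real product.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Constructed example for these lecture notes: a system-specific policy for a
# hypothetical public web server. The objective, rule ids, network ranges and
# configuration values are illustrative assumptions, not from the slides.

Config = Dict[str, Any]


@dataclass
class OperationalRule:
    """One operational rule: an identifier, the rule as written in the
    policy, and a predicate that decides whether a configuration obeys it."""
    rule_id: str
    statement: str
    check: Callable[[Config], bool]


@dataclass
class SystemSpecificPolicy:
    """NIST SP 800-12 shape of a system-specific policy: a security objective
    set by management plus the operational rules that realise it on one system."""
    system: str
    security_objective: str
    rules: List[OperationalRule] = field(default_factory=list)

    def evaluate(self, config: Config) -> List[str]:
        """Return the ids of the rules the configuration violates, in policy order.
        A setting that is missing or malformed fails closed: the rule counts as
        violated rather than silently passing."""
        violated: List[str] = []
        for rule in self.rules:
            try:
                ok = bool(rule.check(config))
            except (KeyError, TypeError, ValueError):
                ok = False
            if not ok:
                violated.append(rule.rule_id)
        return violated

    def report(self, config: Config) -> str:
        """Human-readable audit result for one configuration snapshot."""
        lines = [f"System: {self.system}", f"Objective: {self.security_objective}"]
        violated = set(self.evaluate(config))
        for rule in self.rules:
            status = "FAIL" if rule.rule_id in violated else "pass"
            lines.append(f"  [{status}] {rule.rule_id}: {rule.statement}")
        return "\n".join(lines)


MANAGEMENT_NET = "10.10.0.0/24"  # assumed management network (constructed)

WEB_SERVER_POLICY = SystemSpecificPolicy(
    system="public web server (hypothetical)",
    # The objective is what senior management decides; it is technology agnostic.
    security_objective=("Only HTTPS reaches the server from the internet, and "
                        "administrative access is limited to the management network."),
    # The operational rules are the IT/security team's technical translation.
    rules=[
        OperationalRule("WS-1", "Only TCP/443 is exposed to the internet",
                        lambda c: set(c["public_ports"]) <= {443}),
        OperationalRule("WS-2", "TLS 1.2 or newer is required",
                        lambda c: tuple(c["tls_min_version"]) >= (1, 2)),
        OperationalRule("WS-3", "Admin interface accepts connections only from the management network",
                        lambda c: set(c["admin_allowed_from"]) <= {MANAGEMENT_NET}),
        OperationalRule("WS-4", "Directory listing is disabled",
                        lambda c: c["directory_listing"] is False),
    ],
)

# Constructed configuration snapshots, in the form an audit script might collect.
COMPLIANT_CONFIG: Config = {
    "public_ports": [443],
    "tls_min_version": (1, 2),
    "admin_allowed_from": [MANAGEMENT_NET],
    "directory_listing": False,
}

DRIFTED_CONFIG: Config = {
    "public_ports": [80, 443],            # plain HTTP exposed: breaks WS-1
    "tls_min_version": (1, 3),
    "admin_allowed_from": ["0.0.0.0/0"],  # admin reachable from anywhere: breaks WS-3
    "directory_listing": False,
}

if __name__ == "__main__":
    print(WEB_SERVER_POLICY.report(COMPLIANT_CONFIG))
    print()
    print(WEB_SERVER_POLICY.report(DRIFTED_CONFIG))
```

The point of keeping the objective and the rules as separate fields is the one the slides make about change over time: when the team swaps the VPN, firewall or TLS library, only the rule predicates are rewritten, while the objective that management approved stays as it is and can still be cited in the audit report.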

Questions
Any questions?

Further Readings
• Chapter 1, Computer Security: Principles and Practice (3rd Edition), by William Stallings and Lawrie Brown

Thanks