Subject: Operations Security
Discussion Topic: What constitutes a security policy framework? Discuss the elements of this summary, what elements are essential, and which elements could be optional. It is imperative that the summary should have a professional look and should be precise.
– Part A: Discussion topic must be around 200-250 words
– Part B: Must respond to 2 peers' discussion topics
Reference:
Textbook: Security Policies and Implementation Issues, Author: Robert Johnson
Security Policies and Implementation Issues
Lesson 6: IT Security Policy Frameworks
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe the components and basic requirements for creating a security policy framework.
Key Concepts
▪ Key building blocks of a security policy framework
▪ Types of documents for a security policy framework
▪ Information systems security (ISS) and information assurance considerations
▪ Process to create a security policy framework
DISCOVER: CONCEPTS
Policy and Standards Library Framework
Common Frameworks
▪ Control Objectives for Information and related Technology (COBIT)
▪ ISO/IEC 27000 series
▪ National Institute of Standards and Technology (NIST) Special Publications
• Example: SP 800-53, “Recommended Security Controls for Federal Information Systems and Organizations” (the Revision 3 title; Revision 4 renamed it “Security and Privacy Controls for Federal Information Systems and Organizations”)
Policy Framework Components
▪ Policy
• Defines how an organization performs and conducts business functions and transactions with a desired outcome
▪ Standards
• An established method implemented organization-wide
▪ Procedures
• Steps required to implement a process
▪ Guidelines
• A parameter within which a policy, standard, or procedure is suggested
Access Control Policy Branch
Information Assurance and Information Systems Security
(Figure: IA, ISS, Security Policy Framework)
DISCOVER: PROCESS
Creating a Security Policy Framework
▪ Set a budget
▪ Assemble a team
▪ Select a basic framework
Creating a Security Policy Framework (Continued)
▪ Use a content management system
▪ Cross-reference standards
▪ Coordinate with other departments
Case Studies on Security Policy Framework Creation
Case Study: Public Sector
• State of Tennessee
• Used ISO/IEC 17799 (27002)
• Policies and frameworks covered all information assets owned, leased, or controlled by the State of Tennessee
Case Study: Private Sector
• Health care w/7,000 devices
• Incomplete inventory
• No easy way to classify assets
• HIPAA
• Used NIST SP 800-53 to establish the framework
Case Study: Private Sector
• Target Corporation
• 1,797 US and 127 Canadian stores
• December 2013 point-of-sale (PoS) data breach
• 40 million credit card records stolen
• 70 million records containing PII
• One of the largest data breaches of its kind
DISCOVER: ROLES
Roles Related to a Policy and Standards Library
▪ CISO
▪ Information resources manager
▪ Information resources security officer
▪ Owners of information resources
Roles Related to a Policy and Standards Library (Continued)
▪ Custodians of information resources
▪ Technical managers
▪ Internal auditors
▪ Users
DISCOVER: CONTEXTS
External and Internal Factors Affecting Policies
▪ Policies must align with the business model or objective to be effective
▪ External factors
• Regulatory and governmental initiatives
▪ Internal factors
• Culture, support, and funding
Summary
▪ Considerations for information assurance and information security
▪ Process to create a security policy framework
▪ Factors that affect policies and the best practices to maintain policies
OPTIONAL SLIDES
Information Systems Security Considerations
▪ Unauthorized access to and use of the system
▪ Unauthorized disclosure of the information
▪ Modification of information
▪ Disruption of the system or services
▪ Destruction of information resources
Topic 1_NAM
Security Policy Framework:
The security policy framework is the binding structure that ties together an organization’s security documentation. Ensuring security is a multi-layered process that extends throughout a business, agency or organization. Likewise, an organization’s security policy framework encompasses the vision of its senior management, the laws and regulations that apply to its operations, and all of the specific guidance necessary to successfully accomplish the security objectives.
By providing structure to the collection of documents necessary for security, the framework helps to ensure that all of the significant elements of a security program are in place, and that there is a vehicle for communicating these elements across the organization. There is a general hierarchy of documentation that organizations follow when setting up security policy frameworks. The different levels of the hierarchy address specific types of communication needs and focus on a class of information and issues.
One significant distinction to be made is that compliance with policies, standards, and procedures is required, while guidelines are optional (Mike, 2018).
A security policy can be as broad as you want it to be, covering everything related to IT security and the security of related physical assets, yet enforceable in its full scope. The following list offers some important considerations when developing an information security policy.
1. Purpose
First state the purpose of the policy, which may be to:
Create an overall approach to information security.
Detect and preempt information security breaches, such as misuse of networks, data, applications, and computer systems.
Maintain the reputation of the organization, and uphold ethical and legal responsibilities.
Respect customer rights, including how to react to inquiries and complaints about non-compliance.
2. Audience
Define the audience to whom the information security policy applies. You may also specify which audiences are out of the scope of the policy (for example, staff in another business unit which manages security separately may not be in the scope of the policy).
3. Information security objectives
Guide your management team to agree on well-defined objectives for strategy and security. Information security focuses on three main objectives:
Confidentiality—only individuals with authorization can access data and information assets
Integrity—data should be intact, accurate and complete, and IT systems must be kept operational
Availability—users should be able to access information or systems when needed
4. Authority and access control policy
Hierarchical pattern—a senior manager may have the authority to decide what data can be shared and with whom. The security policy may have different terms for a senior manager versus a junior employee. The policy should outline the level of authority over data and IT systems for each organizational role.
Network security policy—users are only able to access company networks and servers via unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens. You should monitor all systems and record all login attempts.
5. Data classification
The policy should classify data into categories, which may include “top secret”, “secret”, “confidential” and “public”. Your objective in classifying data is:
To ensure that sensitive data cannot be accessed by individuals with lower clearance levels.
To protect highly important data, and avoid needless security measures for unimportant data.
6. Data support and operations
Data protection regulations—systems that store personal data, or other sensitive data, must be protected according to organizational standards, best practices, industry compliance standards and relevant regulations. Most security standards require, at a minimum, encryption, a firewall, and anti-malware protection.
Data backup—encrypt data backups according to industry best practices. Securely store backup media, or move backups to secure cloud storage.
Movement of data—only transfer data via secure protocols. Encrypt any information copied to portable devices or transmitted over a public network.
7. Security awareness and behavior: Share IT security policies with your staff. Conduct training sessions to inform employees of your security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification.
Social engineering—place a special emphasis on the dangers of social engineering attacks (such as phishing emails). Make employees responsible for noticing, preventing and reporting such attacks.
Clean desk policy—secure laptops with a cable lock. Shred documents that are no longer needed. Keep printer areas clean so documents don’t fall into the wrong hands.
Acceptable Internet usage policy—define how the Internet should be restricted. Do you allow YouTube, social media websites, and so on? Block unwanted websites using a proxy.
8. Responsibilities, rights, and duties of personnel
Appoint staff to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy (Cassetto, 2019).
Security policies need to:
Reflect the reality on the ground
Be easy to understand
Be enforceable yet flexible
Be measurable
Limit unintended consequences (Hickman, 2017).
There are two parts to any security policy. One deals with preventing external threats to maintain the integrity of the network. The second deals with reducing internal risks by defining appropriate use of network resources. At a minimum, having such a policy can protect you and your company from liability if you can show that any improper activities were undertaken in violation of that policy. More likely, however, a coherent and well-defined policy will reduce bandwidth consumption, maximize staff productivity and reduce the chance of any legal problems later on.
These 10 points, while certainly not exhaustive, provide a common-sense approach to developing and implementing an AUP that will be fair, clear and enforceable.
1. Identify your risks.
2. Learn from others.
3. Make sure the policy complies with legal requirements.
4. Level of security = level of risk.
5. Include staff in policy development.
6. Train your employees.
7. Get it in writing.
8. Set clear penalties and enforce them.
9. Update your staff.
10. Install the tools you need (Duigan, 2003).
References
Cassetto, O. (2019). The 8 elements of an information security policy.
Duigan, A. (2003). 10 steps to a successful security policy.
Mike. (2018). Security policy framework.
Hickman, T. (2017). The five elements of great security policy.
Topic 2_VSHK
The security policy framework incorporates a set of policies and standards, rules and regulations, and guidelines that enable operations on data to be carried out with the most security features. Framework selection is mainly based on the organization’s operational activities, goals or size. This helps in enhancing the organizational goals and objectives. It is essential to adopt a security policy framework to reach organizational missions (Dobson & Mcdermid, 2018). The primary elements in the security policy framework are objectives, receivers, analyzing, process, security implementations, assessing priority, preventive factors and responsibilities.
A business is always initiated with a specific goal, implementing policies which help the company to define its objectives with security characteristics. This security policy is used to prevent threats in the organization and assigns an effective method to prevent data breaches. It also assists in increasing the organization’s fame and the domains in which stakeholders are interested (Koutrakos, 2013). It is suggested to know about the organization’s recipients, whether they are a group or the stakeholders’ company. Integrity, availability, and confidentiality are the three aspects of data organizations which ensure the data is protected and secured in the working environment. Most organizations focus on the data and process it for better outcomes.
An appropriate security method should be applied to database storage systems, ensuring authentication and preventing data threats. Moreover, access controls always protect the organization from unauthorized data access. Policies are defined based on the security handling of networks in organizations. Preventive factors are installing firewalls, installing antivirus applications, and giving training to employees about security principles and how to save the data from any internal and external threats. Expert security management employees should be hired to detect malware activities (Granneman, 2019).
References
Dobson, J., & Mcdermid, J. (2018). A framework for expressing models of security policy. Proceedings, 1989 IEEE Symposium on Security and Privacy.
Granneman, J. (2019, May 31). Top 7 IT security frameworks and standards explained. Retrieved from https://searchsecurity.techtarget.com/tip/IT-security-frameworks-and-standardsChoosing-the-right-one
Koutrakos, P. (2013). The Common Security and Defence Policy within the framework of Common Foreign and Security Policy. The EU Common Security and Defence Policy, 22–56.