Information and Security

More documents

Recommendations

Info

Case StudyI've Got a SecretClassified DocumentsHow many classified documents doesthe US Government have?How much does it cost to keep all thosesecrets?What do you think?Chapter 5Planning for SecurityIf this is the information superhighway, it’s goingthrough a lot of bad, bad, neighborhoods.-- Dorian Berger, 1997Introduction Creation of information security program begins withcreation and/or review of organization’s information securitypolicies, standards, and practices Then, selection or creation of information securityarchitecture and the development and use of a detailedinformation security blueprint creates plan for future success Without policy, blueprints, and planning, organization isunable to meet information security needs of variouscommunities of interestInformation Security Policy, Standardsand Practices Communities of interest must consider policies as basis forall information security efforts Policies direct how issues should be addressed andtechnologies used Security policies are least expensive controls to executebut most difficult to implement Shaping policy is difficultDefinitions Policy: course of action used by organization to conveyinstructions from management to those who perform duties Policies are organizational laws Standards: more detailed statements of what must bedone to comply with policy Practices, procedures and guidelines effectively explainhow to comply with policy For a policy to be effective, must be properly disseminated,read, understood and agreed to by all members oforganizationEnterprise Information Security Policy (EISP) Sets strategic direction, scope, and tone for all securityefforts within the organization Executive-level document, usually drafted by or with CIO ofthe organization Typically addresses compliance in two areas Ensure meeting requirements to establish program andresponsibilities assigned therein to various organizationalcomponents Use of specified penalties and disciplinary actionIssue-Specific Security Policy (ISSP) The ISSP: Addresses specific areas of technology Requires frequent updates Contains statement on organization’s position onspecific issue Three approaches when creating and managing ISSPs: Create a number of independent ISSP documents Create a single comprehensive ISSP document Create a modular ISSP document
Systems-Specific Policy (SysSP) SysSPs frequently codified as standards and proceduresused when configuring or maintaining systems Systems-specific policies fall into two groups Access control lists (ACLs) Configuration rulesSystems-Specific Policy (SysSP) (continued) Both Microsoft Windows and Novell Netware 5.x/6.x familiestranslate ACLs into configurations used to control access ACLs allow configuration to restrict access from anyoneand anywhere Rule policies are more specific to operation of a systemthan ACLs Many security systems require specific configuration scriptstelling systems what actions to perform on each set ofinformation they processPolicy Management Policies must be managed as they constantly change To remain viable, security policies must have: Individual responsible for reviews A schedule of reviews Method for making recommendations for reviews Specific policy issuance and revision dateInformation Classification Classification of information is an important aspect of policy Policies are classified A clean desk policy stipulates that at end of business day,classified information must be properly stored and secured In today’s open office environments, may be beneficial toimplement a clean desk policyThe Information Security Blueprint Basis for design, selection, and implementation of allsecurity policies, education and training programs, andtechnological controls More detailed version of security framework (outline ofoverall information security strategy for organization) Should specify tasks to be accomplished and the order inwhich they are to be realized Should also serve as scalable, upgradeable, andcomprehensive plan for information security needs forcoming yearsISO 17799/BS7799 One of the most widely referenced and often discussedsecurity models Framework for information security that statesorganizational security policy is needed to providemanagement direction and supportNIST Security Models Another possible approach described in documentsavailable from Computer Security Resource Center of NIST SP 800-12 SP 800-14 SP 800-18 SP 800-26 SP 800-30NIST Special Publication 800-14 Security supports mission of organization; is an integralelement of sound management Security should be cost-effective; owners have securityresponsibilities outside their own organizations Security responsibilities and accountability should be madeexplicit; security requires a comprehensive and integratedapproach Security should be periodically reassessed; security isconstrained by societal factors 33 Principles enumeratedIETF Security Architecture Security Area Working Group acts as advisory board forprotocols and areas developed and promoted by theInternet Society RFC 2196: Site Security Handbook covers five basic areasof security with detailed discussions on development andimplementation
Page 1: Information andSecurity"No one can
Page 5 and 6: Security Education Everyone in an o
Page 7 and 8: Business Continuity Planning Outlin
Page 9 and 10: InterferenceWiFi Frequency - 2.4 Gh
Page 11 and 12: InfrastructureStations access via W

Information and Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?