Large presentation on security governance....
SECURITY POLICY
© 2008 Security Architecture - All Rights Reserved.
CONTENTS
Why a Course on Policy? Information Security Policy Policy in Context Regulatory Drivers Policy Standards Policy Development Writing Policies and Guidelines … and Summary © 2008 Security Architecture - All Rights Reserved.
1
SECURITY POLICY
SECTION 1: WHY POLICY?
SECTION OBJECTIVES
1. Emphasize the importance of security policy. 2. Present the areas security policy addresses. 3. Look at policy as a layer within the context of Defense in Depth.
© 2008 Security Architecture - All Rights Reserved.
3
WHY POLICY?
Policy is the foundation for all the other elements in information security. Without effective policies there is no basis for ensuring that security tools, technologies, and processes are used appropriately to address risks.
© 2008 Security Architecture - All Rights Reserved.
4
WHY POLICY?
Developing policy is an art, always specific to the organization in question. No one can sell you pre-written policies. There are processes, templates, and good information sources that can help.
© 2008 Security Architecture - All Rights Reserved.
5
WHY POLICY?
Security in many organizations today is too focused on technology and tools, and not enough on business requirements, physical and information assets, and risk assessment.
© 2008 Security Architecture - All Rights Reserved.
6
WHY POLICY?
Policy addresses all elements of security in your organization: People Communications Processes and operations Physical and intellectual property Technical infrastructure
© 2008 Security Architecture - All Rights Reserved.
7
WHY POLICY?
Security is commonly handled from the bottom up, but… The most effective security structure begins from the top down Æ
Exec Mgmt Business Requirements Security Policies Security Standards & Guidelines Security Technologies
© 2008 Security Architecture - All Rights Reserved.
8
WHAT IS POLICY?
Security policy is a set of documents that explain how an organization will protect its physical and electronic assets. Policy states what will (or will not) be done, how policy is to be carried out and enforced, and often why the policy exists.
© 2008 Security Architecture - All Rights Reserved.
9
WHAT IS POLICY?
Security policy addresses: Employee behavior Business practices Risk management Operations Technical measures
© 2008 Security Architecture - All Rights Reserved.
10
EMPLOYEE BEHAVIOR
Acceptable use policy Email and communications policy Security awareness and education Access control policy Regulatory compliance Roles and responsibilities
© 2008 Security Architecture - All Rights Reserved.
11
BUSINESS PRACTICES
Acceptable use policy External communications policy Transaction security policy Privacy policy Change management Security planning Regulatory compliance © 2008 Security Architecture - All Rights Reserved.
12
RISK MANAGEMENT
Business asset valuation Risk acceptance policy Mission Impact Assessment Disaster recovery/business continuity policy Internal controls Audit and assessment policy © 2008 Security Architecture - All Rights Reserved.
13
OPERATIONS
Acceptable use policy Email and communications policy Network and security monitoring Incident response Access control policy Physical security
© 2008 Security Architecture - All Rights Reserved.
14
TECHNICAL MEASURES
Anti-virus policy Firewall policy Intrusion detection policy Application security policy Identity management and provisioning Access control Fraud detection © 2008 Security Architecture - All Rights Reserved.
15
DEFENSE IN DEPTH
Is the practice of layering defenses to improve an organization’s security posture. Is a leading security principle in information assurance. Applies to any or all layers in a security architecture.
© 2008 Security Architecture - All Rights Reserved.
16
DEFENSE IN DEPTH
Defense in depth is an integrated set of information security measures and actions, implemented to provide multiple layers of security across: People Technology Operations
© 2008 Security Architecture - All Rights Reserved.
17
DEFENSE IN DEPTH
People Information security begins with commitment from senior management Policies and procedures should cover all organizational aspects related to people Training and awareness Personnel security Human resources Physical security © 2008 Security Architecture - All Rights Reserved.
18
DEFENSE IN DEPTH
Technology Security measures should be deployed at network, platform, and application layers Security technology should be chosen to address stated policies based on identified risks Technology is a means to implement security policy © 2008 Security Architecture - All Rights Reserved.
19
DEFENSE IN DEPTH
Operations Day-to-day activities to maintain security posture: Security management Monitoring and event management Readiness assessments and testing Certification and accreditation Intrusion detection, alerting, and response Patch management Training © 2008 Security Architecture - All Rights Reserved.
20
DEFENSE IN DEPTH
Security layers form a concentric set of boundaries: Application Environment Computing Platforms
Network Infrastructure
© 2008 Security Architecture - All Rights Reserved.
21
DEFENSE IN DEPTH Perimeter (Network Layer) Boundary Routers VPN Firewalls Network IDS/IPS RADIUS NAC Gateway Anti-Virus Software (Application Layer) Web Service Security Application Proxy Database Security Content Filter Data Encryption
Proxy Servers Spam Blocker
Input Validation Identity Management
Personnel (User Layer)
Multiple Controls Across Multiple Authentication & Authorization PKI RBAC Training Two-Factor Authentication Biometrics Clearances Layers Host IDS/IPS Desktop Anti-Virus
Host (Platform Layer) Server Anti-Virus Server Anti-Spyware Patch Management Server Certificates
Physical Security Locks Biometrics PIV Credentials/ID Badges CCTV Disaster Recovery/COOP Guards RFID © 2008 Security Architecture - All Rights Reserved.
22
LEADING INFOSEC INVESTMENTS Network Security Distributed security controls Policy and configuration enforcement (NAC) Event monitoring and management (SIEM)
User Management User provisioning/identity management Single sign-on
Content Security Anti-virus/anti-spyware Content filtering and spam control Data loss protection © 2008 Security Architecture - All Rights Reserved.
23
9 Task: Build class company situation addressing industry, structure, operations areas, and user communities.
INTRO WORKSHOP © 2008 Security Architecture - All Rights Reserved.
24
SECURITY POLICY
SECTION 2: INFORMATION SECURITY POLICY
SECTION OBJECTIVES
1. Provide an overview of security policy. 2. Define and show the relationship between policies, standards, guidelines, and procedures. 3. Identify categories and key components of security policies. 4. Introduce security policy processes.
© 2008 Security Architecture - All Rights Reserved.
26
INFORMATION SECURITY POLICY Policies, Standards, Guidelines Elements of Policies, Standards & Guidelines Policy Objectives Policy Classifications Policy Components Information Security Policy Framework Policy Support Policy Development Lifecycle Delivery Methods © 2008 Security Architecture - All Rights Reserved.
27
INFORMATION SECURITY POLICY Without strong management policies, corporate security programs will be less effective and not align with management objectives. Policies are the blueprint for the security framework Policies, Standards and Guidelines enables the corporation to implement the specific controls processes and awareness programs to raise the level of information security and assurance.
© 2008 Security Architecture - All Rights Reserved.
28
POLICES & STANDARDS Policies High Level “umbrellas” Low Level
Standards
User Management Policies All system users must be individually identified
OS Authentication
Corporate-wide standards
Unix, Windows users …
Local Guidelines
Administrative access vs. general
Procedures Local repeatable processes
How-To Request an account Approve a new system © 2008 Security Architecture - All Rights Reserved.
29
HOW THEY RELATE Policy
Governance “Thou Shall”
What Management wants to achieve and why.
Standards
Desired Mechanisms
Technical specification of how to implement policy
Guidelines How to deal with new & unusual situations
Procedure
Steps to carry out
Detailed instructions © 2008 Security Architecture - All Rights Reserved.
30
ELEMENTS OF A POLICY Scope – What you are going to protect High Level Policy Statement – 30,000 ft overview Accountability – personnel Non- compliance – a statement pertaining to loss if compromised Monitoring – how policies, standards or guidelines will be validated Exceptions – in the event that a community of users cannot meet compliance © 2008 Security Architecture - All Rights Reserved.
31
INFORMATION SECURITY POLICY OBJECTIVES Foster information confidentiality Outline data integrity responsibilities Define assets that require protection How resources should be used efficiently and appropriately Provide for system availability Raise awareness Provide a foundation, a roadmap and a compass for information security audit, process, technology and operations © 2008 Security Architecture - All Rights Reserved.
32
9 Task: Draft security policy outlines for 3 of the following: • Acceptable use • Data protection/privacy • Change management • Firewalls • Building access • Network authentication • Anti-virus • Intrusion detection • Information classification • Business continuity
WORKSHOP #1 © 2008 Security Architecture - All Rights Reserved.
33
ELEMENTS OF A STANDARD Scope – How you are going to protect Role & Responsibilities – defining, executing, and supporting standards Guidance – references overriding policy statements Baseline standards – high level statements for platform and applications Technical Standard – product/version specifications and associated descriptions Administrative Standard - initial and ongoing administration of platform and applications © 2008 Security Architecture - All Rights Reserved.
34
ELEMENTS OF A GUIDELINE Guidelines should be based on industry best practices (whenever possible) Purpose – to efficiently meet the standard and policy requirements Intent – description of guideline’s objectives Roles & Responsibilities – defining, executing and supporting guidelines Guideline Statements – step by step process to implement policy elements Operational Statements - defines the “how” of day to day operations © 2008 Security Architecture - All Rights Reserved.
35
POLICY DEVELOPMENT LIFE-CYCLE Planning: •Requirements •ID core corp. issues •Solicit input from groups •Data collection
Periodic Review: •Incidents •Audit •Controls effectiveness
Policy Mgmt
Development: •Draft initial position statement •Security group interaction •Legal, ITSC, HR input •Best practices •Coordinated draft policy •Security council review •Policy approval
Implementation: •Supporting docs •Roll-out •Awareness •Compliance monitoring © 2008 Security Architecture - All Rights Reserved.
36
POLICY CLASSIFICATIONS Regulatory
HIPAA, FCRA, GLBA, SOX
Public
Marketing materials
Internal
Trade secrets, proprietary ideas, HR Information
Confidential
Non-public corporate financial reports
Restrictive (Private)
Corporate payroll information, credit card transactions, customer data © 2008 Security Architecture - All Rights Reserved.
37
POLICY CATEGORIES
Information Security Computer security policy Program policy Issue-specific policy System-specific policy
General Business HR policies Travel policy Time and expense policy © 2008 Security Architecture - All Rights Reserved.
38
COMMON POLICY COMPONENTS
Intent / Purpose Scope and applicability Policy authors and sponsors Roles and responsibilities Effective and review dates Compliance measures Supplementary information and resources © 2008 Security Architecture - All Rights Reserved.
39
GENERAL POLICY CONTENT Date of effective enforcement Statement of intent and audience Sponsor / authorizing corporate officer (or committee) Policy objectives and expectations Exception and change request process Breach of policy response process Review and expiration dates Corporate boundaries outlined in policy Prohibited activities, liability issues, legal requirements, due diligence, etc.
Local issues resolved by standards, guidelines, and other supporting documents ?
© 2008 Security Architecture - All Rights Reserved.
40
POLICY DELIVERY
Email, Intranet, Paper, Training class Get everyone involved and interested Solicit feedback Make “fun” policy delivery continual Enforce and reinforce Part of security awareness and training
© 2008 Security Architecture - All Rights Reserved.
41
9 Task: Fill out the 3 outlines from WS#1 with the contents on the previous slide.
WORKSHOP #2 © 2008 Security Architecture - All Rights Reserved.
42
SECURITY POLICY
SECTION 3: POLICY IN CONTEXT
SECTION OBJECTIVES
1. Show policy’s role within an information security program. 2. Explain the steps in the management of the information security program.
© 2008 Security Architecture - All Rights Reserved.
44
SECURITY MANAGEMENT FRAMEWORK
Best Practices
5
Compliance, Monitoring & Audits
And which are expressed as activities and practices that are of high quality …
4
Standards & Guidelines
Which are validated and watched to assure they are being implemented in practice … 3
Enterprise Security Policies Information Security Management ISO/IEC 27001 & 27002
Where implementation details are resolved by the business … 2
Grounded in a comprehensive structure … 1
You need to start with a foundation … © 2008 Security Architecture - All Rights Reserved.
45
POLICIES & TECHNICAL ARCHITECTURE
Policy Definition Policies Personnel Statutory Program Mgmt Security Incident Info Classification Systems Life Cycle Physical & Environ
Guidelines Tech Controls Inventory
Asset Ownership
Audit Telecom Logical Access Id / Auth / Auth Remote Access Computer Systems Support & Operations
Standards Risk Mgmt Assessment Analysis
Technical Security Architecture Engineering Analysis & Design
Solution Selection © 2008 Security Architecture - All Rights Reserved.
46
INFORMATION SECURITY PROGRAM
Deploy Operations, Administration & Control
Technology Integration
Manage & Support
Policy Process Prototyping & Elaboration
Design
Audit & Review
Assess
© 2008 Security Architecture - All Rights Reserved.
47
INFORMATION ASSURANCE MODEL
Detect
Respond Monitoring, Detection and Prevention
Incident Response, Risk Mitigation
Policy
Protect
Control Selection, Implementation and Operation
Vulnerability Analysis, Audit & Review, Forensics
Assess
© 2008 Security Architecture - All Rights Reserved.
48
THE ISMS (ISO 27001) MODEL
Plan Establish the ISMS
Do
Information Security Requirements and Expectations
Implement and Operate the ISMS
Policy
Monitor and Review the ISMS
Check
Maintain and Improve the ISMS
Act
Managed Information Security & Operations
© 2008 Security Architecture - All Rights Reserved.
49
POLICY
Policy is the hub of the wheel … its central focus. It should be a reference point for actions taken and decisions made. Policy should be used when activities “on the wheel” are undertaken. Reviews should be conducted to ensure policy reflects business objectives. © 2008 Security Architecture - All Rights Reserved.
50
AUDIT, ASSESSMENT & REVIEW
Policy is a key component of audit activities: Evaluate current security picture Compare against policy Performed on a regular basis and after a security event or as defined by a regulatory agency Results of audit and review process are used in the next phase of the security process © 2008 Security Architecture - All Rights Reserved.
51
SECURITY STRATEGIC PLANNING
Iterative policy development should be part of strategic planning cycles: High level planning Use policy as a benchmark and a compass New strategic initiatives always impact policy Looks at process, not technology Uses audit and review findings © 2008 Security Architecture - All Rights Reserved.
52
TECHNOLOGY INTEGRATION The way security technologies work together is driven by security policy (remember defense in depth): Technical planning and implementation Based on policy Uses audit and review as well as developed process to determine technological requirements Tactical implementation of strategic goals The swords and shields of information security © 2008 Security Architecture - All Rights Reserved.
53
POLICY MANAGEMENT TOOLS
Apply security policies to systems Validate computers and applications connecting to the environment Detect policy compromise Automatic remediation if out of compliance May maintain “white list” of applications
© 2008 Security Architecture - All Rights Reserved.
54
Operation, Administration and Control Operational actions should be dictated by policy: Keeping the processes and technology running Responding to security events Testing and practicing the right execution People play a key role Uses technology, process and policy to provide input to the audit and review process
© 2008 Security Architecture - All Rights Reserved.
55
9 Task: Write a security awareness policy to communicate the information security program to employees. How would this differ for customers? (to be revisited…)
WORKSHOP #3 © 2008 Security Architecture - All Rights Reserved.
56
SECURITY POLICY
SECTION 4: REGULATORY DRIVERS
SECTION OBJECTIVES
1. Define and explain major regulatory requirements affecting policy. 2. Understand which and what type of regulations impact your organization.
© 2008 Security Architecture - All Rights Reserved.
58
DUE CARE
What it is: General principle addressing obligation of business managers to act reasonably and in the best interests of their organizations
What it means: Management can be held accountable for the efforts taken (or not taken) to comply with regulations, including those governing privacy safeguards and related policies.
© 2008 Security Architecture - All Rights Reserved.
59
HIPAA What it is: Health Insurance Portability and Accountability Act of 1996 A set of regulations governing health data privacy Affects medical service providers, insurance companies, companies, schools, etc. Intended to allow individuals to control access to and release of their personal medical information Specifies what must be protected, and who has to safeguard it, but not how data is protected © 2008 Security Architecture - All Rights Reserved.
60
HIPAA What it means: Healthcare industry participants must ensure that personal data is only disclosed subject to patient consent Applies to many health transactions that have been automated in recent years, as well as manual processes Extends responsibility to data in transit over and between networks Strongly implies needs for encryption, authentication, authorization, and other security provisions, but leaves implementation details to organizations.
© 2008 Security Architecture - All Rights Reserved.
61
HIPAA What has to be done: Effective in April 2003, affected organizations must implement procedures to comply with the Privacy Rule Includes consumer/patient notification, preferences, and explicit permission for release of protected health information (PHI)
Since 2005, these same organizations must achieve compliance with the Security Rule Establishes guidelines for the minimum requirements to ensure confidentiality, security and integrity of electronically stored and transmitted health information. Covers electronic and non-electronic forms of information Does not provide specific instruction on how organizations should safeguard PHI © 2008 Security Architecture - All Rights Reserved.
62
GLBA What it is: Graham-Leach-Bliley Financial Services Modernization Act of 1999 A set of regulations governing financial data privacy Affects financial institutions and affiliated businesses working with personal financial data Particularly addresses sharing of non-public personal information by financial institutions Intended to allow individuals to control use and release of their personal financial information Specifies what must be protected, and who has to safeguard it, and acceptable compliance guidelines © 2008 Security Architecture - All Rights Reserved.
63
GLBA What it means: Financial institutions must disclose their privacy policies up-front and again at least annually Requires FI’s to deliver privacy policy notices to consumers/customers to offer and describe optout provisions Holds FI’s responsible for safeguarding customer data whether through normal business operations, theft, fraud, or exceptional circumstances © 2008 Security Architecture - All Rights Reserved.
64
SARBANES-OXLEY
What it is: Public Company Accounting Reform and Investor Protection (Sarbanes-Oxley) Act of 2002 A set of regulations governing financial reporting requirements for companies Reduces the time allotted for release of earnings and other financial report data
© 2008 Security Architecture - All Rights Reserved.
65
SARBANES-OXLEY
What it means: Senior management now requires more up-todate understanding of all financial information Managers must certify and be accountable for the financial reports their companies issue Managers must describe and evaluate their internal controls for effectiveness All findings must be certified by external auditors Many former IT responsibilities elevated to business management © 2008 Security Architecture - All Rights Reserved.
66
FISMA
What it is: Federal Information Security Management Act (Title III of E-Government Act of 2002) A set of organizational practices, roles, and responsibilities for government agencies related to information security. Applies to all federal agencies and contractors managing or maintaining federal systems.
© 2008 Security Architecture - All Rights Reserved.
67
FISMA
What it means: All federal agencies submit annual reports on security practices, controls, and level and extent of documentation. Agency-level scores given based on factors such as consistent and comprehensive implementation of practices, and effective use of controls. Responsibility for information security placed under federal CIOs, following standards and guidance produced by NIST. © 2008 Security Architecture - All Rights Reserved.
68
CALIFORNIA SECURITY BREACH NOTIFICATION What it is: SB 1386 passed in 2003 covering any person or business that conducts business in California Requires businesses to give public notice of information security breaches resulting in disclosure of personal information. Notification only must occur to California residents; however, 37 other states have now enacted similar laws Only exception is for encrypted data. Statute applies regardless of where the data is physically stored or where the breach occurs.
© 2008 Security Architecture - All Rights Reserved.
69
EUROPEAN UNION DIRECTIVES EU Data Protection Directive (1998) Imposes data privacy requirements on entities that transport data across national borders. Places data ownership and control in the hands of originating businesses. Explicit permission for third-party data sharing Disclosure/data sharing must be in the interest of the data subject Applies to US companies that do business with the EU Rules in US Dept. of Commerce “safe harbor” privacy framework © 2008 Security Architecture - All Rights Reserved.
70
EUROPEAN UNION DIRECTIVES EU E-Commerce Directive (2000) Creates minimum requirements for selling to EU consumers and businesses online. Addresses both business practices and information transparency. Mandatory business location and contact information Reproduce-ability of online contract terms Prompt notice of order confirmation Local additional imposed by some EU member states
© 2008 Security Architecture - All Rights Reserved.
71
EUROPEAN UNION DIRECTIVES EU Electronic Communications Directive (2002) Creates a framework for an EU-wide effort to regulate unsolicited electronic mail or “spam.” Prohibits businesses without pre-existing customer relationships to solicit consumers unless they opt in. Makes illegal the common US business practice of sharing marketing leads between affiliated companies. Also constrains the use of “cookies” without explicit consumer notification. © 2008 Security Architecture - All Rights Reserved.
72
9 Task: Determine what regulatory or other governing principles apply to our organization. Write a customer or public notification communicating the relevant policy.
WORKSHOP #4 © 2008 Security Architecture - All Rights Reserved.
73
SECURITY POLICY
SECTION 5: POLICY STANDARDS
SECTION OBJECTIVES
1. Define and explain major information security standards relevant to policy. 2. Identify sources of information to help guide policy and standard development.
© 2008 Security Architecture - All Rights Reserved.
75
Examples of Standards
ISO/IEC 27001 and 27002 (ISO 17799) Common Criteria NIST 800 Series of Special Publications NIST Federal Information Processing Standards (FIPS)
© 2008 Security Architecture - All Rights Reserved.
76
ISO/IEC 27001 & 27002 The ISO/IEC 27000 series is a comprehensive set of controls comprising best practices in information security. It is an internationally recognized information security standard, broad in scope and generic in applicability. It focuses on risk identification, assessment and management. It is aligned with common business goals: Ensure business continuity Minimize business damage Maximized return on investments It is about information security, not IT security. It is much more commonly applied in commercial organizations than in government. © 2008 Security Architecture - All Rights Reserved.
77
ISO/IEC 27001 & 27002 (from ISO 17799) Originally created as BS17799, this framework was first submitted in 1995, and revised in 1998, but was not adopted by the International Standards Organization until 1999 . Significantly revised in 2005, it was formally converted to two related International Standards Organization/International Electrotechnical Commission (ISO/IEC) standards, 27001 & 27002. ISO 17799 covers both security management practices and security controls. Somewhat confusingly, what had been referred to as Part 1 and Part 2 in the 17799 standard were numerically reversed in the new ISO/IEC numbering, so that Part 1 becomes 27002 and Part 2 becomes 27001. © 2008 Security Architecture - All Rights Reserved.
78
THE STANDARD Part 1 – Code of Practice ISO 17799 (became ISO 27002 in July 2007) provides 133 security controls under 39 security categories organized into 11 major clauses to identify the particular safeguards that are appropriate to their particular business. These security controls correspond to hundreds of more detailed technologies, measures, and elements of practice. The standard stresses the importance of risk management and makes it clear that you do not have to implement every single guideline; only those that are relevant.
Part 2 – IS Management Standard ISO/IEC 27001 tells how to build an Information Security Management System. It defines a four-step process instructing you how to apply ISO/IEC 17799 and how to establish, implement, monitor, and maintain an ISMS. It is a formal methodology for setting up an information security management system. ISO/IEC 27001 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. © 2008 Security Architecture - All Rights Reserved.
79
THE INFORMATION SECURITY MANAGEMENT SYSTEM ISO 27001 provides a comprehensive process reference for establishing and operationalizing and information security management system. “System” in this context means a set of explicit, standard, repeatable processes and activities, and not necessarily a hardware- or software-based mechanism. There are numerous vendor tools on the market intended to implement an ISMS according to the ISO 27001 standard.
© 2008 Security Architecture - All Rights Reserved.
80
THE ISMS MODEL: PLAN-DO-CHECK-ACT Phase ISMS Action
Description
Plan
Establish
Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
Do
Implement and Operate
Implement and operate the ISMS policy, controls, processes and procedures.
Check
Monitor and Review
Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
Act
Maintain and Improve
Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS. © 2008 Security Architecture - All Rights Reserved.
81
ISO/IEC 27001 Adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's Information Security Management System (ISMS). The approach presented in ISO 27001 encourages its users to emphasize the importance of: a) understanding an organization’s information security requirements and the need to establish policy and objectives for information security; b) implementing and operating controls to manage an organization's information security risks in the context of the organization’s overall business risks; c) monitoring and reviewing the performance and effectiveness of the ISMS; and d) continual improvement based on objective measurement.
Reflects the principles articulated in the Guideline for the Security of Information Systems and Networks, published in 2002 by the Organisation for Economic Co-operation and Development (OECD) © 2008 Security Architecture - All Rights Reserved.
82
ISO/IEC 27001 PROCESS APPROACH The ISO 27001 standard presents a concise (process steps contained in just 10 pages) prescription for information security management. Information security management system General requirements Establishing and managing the ISMS Establish the ISMS Implement and operate the ISMS Monitor and review the ISMS Maintain and improve the ISMS
Documentation requirements General Control of documents Control of records
Management responsibility Management commitment Resource management Provision of resources Training, awareness and competence
Internal ISMS audits Management review of the ISMS General Review input Review output
ISMS improvement Continual improvement Corrective action Preventive action © 2008 Security Architecture - All Rights Reserved.
83
ISO 27002 CLAUSES The 11 clauses (with the number of main security categories included within each clause) are: Security Policy (1) Organizing Information Security (2) Asset Management (2) Human Resources Security (3) Physical and Environmental Security (2) Communications and Operations Management (10) Access Control (7) Information Systems Acquisition, Development and Maintenance (6) Information Security Incident Management (2) Business Continuity Management (1) Compliance (3)
ISO 27002 also has a preliminary section of Risk Assessment and Treatment, but does not include this topic among the security clauses. © 2008 Security Architecture - All Rights Reserved.
84
COMMON CRITERIA
Provides a basis for evaluating security properties of IT products and systems. Sections: 1. Introduction & General Model 2. Security Functional Requirements 3. Security Assurance Requirements
© 2008 Security Architecture - All Rights Reserved.
85
COMMON CRITERIA – PART 1
Defines general concepts & principles Presents constructs for expressing security objectives and defining requirements Used for background information
© 2008 Security Architecture - All Rights Reserved.
86
COMMON CRITERIA – PART 2
Established a set of functional components as a standard way of expressing the functional requirements for evaluated systems Used for guidance when formulating statements of requirements for security functions
© 2008 Security Architecture - All Rights Reserved.
87
COMMON CRITERIA – PART 3
Establishes a set of assurance components as a standard way of expressing the assurance requirements for evaluated systems Catalogs the set of assurance components, facilities & classes Used when determining required levels of assurance
© 2008 Security Architecture - All Rights Reserved.
88
COMMON CRITERIA: RELATIONSHIPS wish to minimize
Owners
impose
Countermeasures
value
to reduce
may contain
Vulnerabilities may be reduced by
may be aware of
leading to
give rise to
Threats Threat Agents
Risk
exploit
to
Assets
that increase to
wish to abuse and/or damage © 2008 Security Architecture - All Rights Reserved.
89
NIST 800 SERIES
A set of guidelines covering a broad range of security topics, from high-level planning and security practices, to detailed treatment of specific technologies The government’s take at “best practices” Primary focus for Certification & Accreditation requirements, especially in the federal civilian arena. Targeted at federal agencies, but useful commercially too. © 2008 Security Architecture - All Rights Reserved.
90
NIST 800 SERIES
General security practices: 800-14 (Securing IT systems) 800-16 (Security training) 800-18 (Security plans) 800-30 (Risk management) 800-34 (Contingency planning) 800-37 (Certification & Accreditation) 800-53A (Security assessment) 800-64 (Security in the SDLC) 800-100 (Information Security Handbook) 800-115 (Security testing) © 2008 Security Architecture - All Rights Reserved.
91
NIST 800 SERIES
Focused security practices: 800-3 (Incident response) 800-9 (E-commerce) 800-21 (Implementing cryptography) 800-23 (Security assurance & acquisition) 800-40 (Patch handling) 800-44 (Securing public web servers) 800-88 (Media sanitization) 800-92 (Security log management) 800-95 (Secure web services) 800-97 (Wireless security) © 2008 Security Architecture - All Rights Reserved.
92
NIST 800 SERIES
Security technology guidelines: 800-25 (Digital signatures) 800-31 (IDS) 800-32 (Federal PKI) 800-41 (Firewalls) 800-45 (Email security) 800-48 (Wireless network security) 800-77 (IPSec VPNs) 800-94 (IDS and IPS systems) 800-113 (SSL VPNs) 800-123 (Server security) © 2008 Security Architecture - All Rights Reserved.
93
FEDERAL INFORMATION PROCESSING STANDARDS (FIPS)
Mandatory Security Standards: FIPS 140 (Cryptographic modules) FIPS 186 (Digital signature standard) FIPS 191 (Local area network (LAN) security) FIPS 197 (Advanced encryption standard (AES)) FIPS 199 (Security categorization) FIPS 200 (Minimum security requirements) FIPS 201 (Personal identity verification) © 2008 Security Architecture - All Rights Reserved.
94
9 Task: Select an appropriate standard for use in implementing our organization’s security policies. Write a standard for vendor selection, keeping Defense in Depth principles in mind.
WORKSHOP #5 © 2008 Security Architecture - All Rights Reserved.
95
SECURITY POLICY
SECTION 6: POLICY DEVELOPMENT
SECTION OBJECTIVES
1. Define policy hierarchy. 2. Identify key policy documents. 3. Describe major policy topics. 4. Present functional policy scope. 5. Present technical policy scope.
© 2008 Security Architecture - All Rights Reserved.
97
POLICY DEVELOPMENT
Effective security policy implementation rests with the guidelines and procedures that translate security policies and standards into practice.
© 2008 Security Architecture - All Rights Reserved.
98
POLICY HIERARCHY
Information security policy applies at many inter-related levels: Corporate or agency-wide Department or business unit Functional processes Technical measures
© 2008 Security Architecture - All Rights Reserved.
99
ENTERPRISE POLICY MANAGEMENT
Eliminate unwanted users, computers, and applications from the enterprise Protect users, computers, and applications from compromise Enforce safe and correct behavior
© 2008 Security Architecture - All Rights Reserved.
100
KEY POLICY DOCUMENTS
Security Policies and Procedures Manual (SPPM) Security Administrator Manual (SAM) Information Security Plan
© 2008 Security Architecture - All Rights Reserved.
101
SECURITY POLICIES AND PROCEDURES MANUAL
Consolidated security policy reference Serves as authoritative source/record Policies address what is to be done Procedures specific how to do it
© 2008 Security Architecture - All Rights Reserved.
102
SECURITY ADMINISTRATOR MANUAL
Administrative reference for security staff Emphasis on operational guidelines Addresses major administrative procedures Monitoring and alerting Notification and incident response Backup and recovery Systems and penetration testing © 2008 Security Architecture - All Rights Reserved.
103
INFORMATION SECURITY PLAN
Enterprise-wide strategic and tactical plan May be part of corporate IT Plan Should correlate directly to business strategic plan Must be available and accessible First place auditors go to
© 2008 Security Architecture - All Rights Reserved.
104
POLICY COMPONENTS
Statement of Purpose Scope Roles and Responsibilities Effective Implementation and Review Dates Specified Security Practices
© 2008 Security Architecture - All Rights Reserved.
105
POLICY TOPICS Asset Classification and Control Access Control Privacy Organizational Practices Systems Development Incident Response Communications Physical Security and Operations Business Continuity and Disaster Recovery © 2008 Security Architecture - All Rights Reserved.
106
SUGGESTED DEVELOPMENT PRIORITY
Information Security Policies Overarching statement from senior mgmt Cover the 11 domains, 39 control areas (ISO 27002)
Access & Identification Security Policies Technology & Communications Policies Support & Operations Security Policies Physical & Environmental Security Policies © 2008 Security Architecture - All Rights Reserved.
107
FUNCTIONAL POLICIES
Acceptable use Incident response Disaster recovery Privacy Awareness Change management
© 2008 Security Architecture - All Rights Reserved.
108
ACCEPTABLE USE
Coverage and responsibility Internal and external uses Data ownership Data protection requirements Personal use of corporate systems
© 2008 Security Architecture - All Rights Reserved.
109
INCIDENT RESPONSE
Coverage: known and unknown threats Prioritization/criticality Incident response team Incident response procedures Discovery Notification Escalation Communication © 2008 Security Architecture - All Rights Reserved.
110
DISASTER RECOVERY
Defining disasters Coverage Recovery time Supporting processes (e.g. backup, offsite) DR team Recovery procedures Test plan © 2008 Security Architecture - All Rights Reserved.
111
PRIVACY
Scope Internal and external requirements Data stewardship Levels of protection needed Communication/notification plan
© 2008 Security Architecture - All Rights Reserved.
112
AWARENESS
Policy distribution Awareness training Communication plan Compliance expectations Non-compliance consequences Sign-off
© 2008 Security Architecture - All Rights Reserved.
113
CHANGE MANAGEMENT
Scope and coverage Change request procedures Change management decision making Thresholds for escalation
© 2008 Security Architecture - All Rights Reserved.
114
TECHNICAL POLICIES
Access control Anti-virus Identity management Intrusion detection/protection Application security Email Encryption Web server configuration © 2008 Security Architecture - All Rights Reserved.
115
ACCESS CONTROL
Mandatory/discretionary access Role-based and/or resource-based Authentication and authorization Remote access
© 2008 Security Architecture - All Rights Reserved.
116
ANTI-VIRUS
Coverage (local, wide-area, remote) Potential points/sources of infection Use of AV software AV gateways (e.g. email servers) Update requirements Patch management Mobile devices © 2008 Security Architecture - All Rights Reserved.
117
IDENTITY MANAGEMENT
User provisioning User de-provisioning Authorization and identification Credentialing (issue and revocation) Password policies
© 2008 Security Architecture - All Rights Reserved.
118
INTRUSION DETECTION/PREVENTION
IDS/IPS placement within the architecture Event logging, monitoring, and correlation Intrusion notification and response Internal and external protection Network IDS Host IDS
© 2008 Security Architecture - All Rights Reserved.
119
APPLICATION SECURITY
Application coverage Network-level protection (e.g. application proxy firewalls) Coding requirements Parameter validation Session management Authorization © 2008 Security Architecture - All Rights Reserved.
120
EMAIL
Usage parameters Monitoring Archiving requirements Remote access Email integrity Attachment handling
© 2008 Security Architecture - All Rights Reserved.
121
ENCRYPTION
Required and recommended use Strength required/approved algorithms Authentication Accountability/Non-repudiation Data protection Information in transit Information at rest © 2008 Security Architecture - All Rights Reserved.
122
WEB SERVER CONFIGURATION
Server placement within architecture Required services and ports available Process permissions (e.g. “run-as”) General access control Administrative access control
© 2008 Security Architecture - All Rights Reserved.
123
SECURITY POLICY
SECTION 7: WRITING POLICIES
SECTION OBJECTIVES
1. Describe policy writing process. 2. Review major policy categories. 3. Outline one policy area from each category. 4. Understand by example guideline structure and content.
© 2008 Security Architecture - All Rights Reserved.
125
POLICY WRITING
Get broad involvement in the process Department representatives Legal Human resources Information Technology Audit and compliance
© 2008 Security Architecture - All Rights Reserved.
126
POLICY WRITING
Gather the requirements that drive policy Business objectives Regulatory requirements Functional requirements Technical requirements User requirements
© 2008 Security Architecture - All Rights Reserved.
127
POLICY WRITING
Be clear Policies should be well written State policies succinctly Leave no room for misinterpretation Emphasize brevity where you can
© 2008 Security Architecture - All Rights Reserved.
128
POLICY WRITING
Avoid naming specific technologies Classes of technology may be appropriate Vendors or products appear in standards Granular policies and procedures may need to be tied to a specific technology (e.g. operating system) Technical standards compliance may be specified for products (e.g. FIPS 140-2)
© 2008 Security Architecture - All Rights Reserved.
129
POLICY WRITING
Educate the organization Even the most appropriate policies are ineffective if they are not communicated and understood Adherence requires awareness Policies need distribution Employees need training
© 2008 Security Architecture - All Rights Reserved.
130
POLICY WRITING
Policies are living documents Policy is a process, not a one-time initiative Review and revision cycles are part of policy Keeping current is essential Interdependencies mean that changes in one area need to be examined for impacts to others
© 2008 Security Architecture - All Rights Reserved.
131
POLICY WRITING
Policies must be enforced Non-compliance comes with consequences Actions back up words Enforcement has to be consistent
© 2008 Security Architecture - All Rights Reserved.
132
POLICY WRITING
Tools are available to facilitate policy creation PoliVec Policy Builder NetIQ/PentaSafe VigilEnt Policy Center Symantec Enterprise Security Manager Information Shield PolicyShield BindView (now also part of Symantec)
© 2008 Security Architecture - All Rights Reserved.
133
INFORMATION SECURITY POLICIES
Data classification Acceptable use Data protection Privacy Risk Management
© 2008 Security Architecture - All Rights Reserved.
134
RISK MANAGEMENT
Introduction Authority Purpose Objectives Target Audience Related Policies
© 2008 Security Architecture - All Rights Reserved.
135
RISK MANAGEMENT
Overview Importance of Risk Management Governing regulations Incorporating Risk Management into IT Processes Key Roles
© 2008 Security Architecture - All Rights Reserved.
136
RISK MANAGEMENT
Risk Assessment System identification and characterization Threat identification Vulnerability identification Control Analysis Likelihood determination Impact Analysis Risk determination © 2008 Security Architecture - All Rights Reserved.
137
RISK MANAGEMENT
Risk Mitigation Options Strategy Controls and implementation Cost-benefit analysis Residual risk
© 2008 Security Architecture - All Rights Reserved.
138
ACCESS & IDENTIFICATION POLICIES
Authentication Authorization PKI Biometrics Digital signatures
© 2008 Security Architecture - All Rights Reserved.
139
DIGITAL SIGNATURES
Purpose and objectives Background and scope Applicability to electronic services Public Key technology and PKI Usage of certificates Certification process
© 2008 Security Architecture - All Rights Reserved.
140
TECHNOLOGY & COMMUNICATION POLICIES
Firewall Anti-virus Email Mobile Data Protection Encryption Intrusion detection/intrusion protection Web server configuration Network connectivity © 2008 Security Architecture - All Rights Reserved.
141
WEB SERVER CONFIGURATION
Introduction Authority Purpose and scope Target audience General IS security principles
© 2008 Security Architecture - All Rights Reserved.
142
WEB SERVER CONFIGURATION
Planning and management Planning a web server deployment Security management staffing Management practices System security plan Web server platforms
© 2008 Security Architecture - All Rights Reserved.
143
WEB SERVER CONFIGURATION
Secure installation and configuration Network placement Installing and configuring the OS Testing the OS Platform security resources and responsibility Installing and configuring the web server Web server access controls
© 2008 Security Architecture - All Rights Reserved.
144
WEB SERVER CONFIGURATION
Secure web access Security of web content Collection of personal information Active and dynamic content controls Authentication requirements Data integrity requirements Encryption requirements
© 2008 Security Architecture - All Rights Reserved.
145
WEB SERVER CONFIGURATION
Web server administration Logging and monitoring Backup and restore procedures Security/penetration testing plan Intrusion/compromise recovery Remote administration Web server security checklist
© 2008 Security Architecture - All Rights Reserved.
146
WEB SERVER CONFIGURATION
Web server administration Logging and monitoring Backup and restore procedures Security/penetration testing plan Intrusion/compromise recovery Remote administration
© 2008 Security Architecture - All Rights Reserved.
147
SUPPORT & OPERATIONS SECURITY POLICIES
Incident response Event correlation Disaster recovery Business continuity Security awareness Change management
© 2008 Security Architecture - All Rights Reserved.
148
INCIDENT RESPONSE
Overview Purpose Coverage and responsibility Current threat environment Need for incident response Proactive and reactive postures Incident response interaction with other areas
© 2008 Security Architecture - All Rights Reserved.
149
INCIDENT RESPONSE
Establishing an Incident Response Team Goals and objectives Constituencies served IRT structure Management support and accountability Standard operating procedures handbook Staffing the team
© 2008 Security Architecture - All Rights Reserved.
150
INCIDENT RESPONSE
Operations Communications plan Logging and monitoring Incident notification Legal obligations Public/media disclosure policy Post-incident analysis
© 2008 Security Architecture - All Rights Reserved.
151
PHYSICAL & ENVIRONMENTAL POLICIES
Building/facility access Perimeter security Hazardous materials
© 2008 Security Architecture - All Rights Reserved.
152
FACILITY ACCESS
Purpose and objectives Coverage and scope Individual and management responsibility Zone classification Access control provisions Employee and contractor access rules Credentialing and revocation © 2008 Security Architecture - All Rights Reserved.
153
GUIDELINES
Guidelines explain how policies and standards will be achieved. Specific to operational practices and technologies May include educational information Topical descriptions and definitions Tips and tricks, lessons learned The right place for “best practices” © 2008 Security Architecture - All Rights Reserved.
154
GUIDELINES: REAL-WORLD EXAMPLE
Take as an example, NIST Special Publication 800-41, “Guidelines on Firewalls and Firewall Policy” Introduction Purpose and scope Audience and assumptions Document organization
© 2008 Security Architecture - All Rights Reserved.
155
GUIDELINES: REAL-WORLD EXAMPLE Overview of Firewall Platforms Intro to Firewall Technology Packet Filter Firewalls Stateful Inspection Firewalls Application Proxy Gateway Firewalls Dedicated Proxy Servers Hybrid Firewall Technologies Network Address Translation Host-based Firewalls Personal Firewalls and Appliances © 2008 Security Architecture - All Rights Reserved.
156
GUIDELINES: REAL-WORLD EXAMPLE Firewall Environments Guidelines for Building Firewall Environments DMZ Networks Virtual Private Networks Intranets Extranets Infrastructure Components: Hubs and Switches Intrusion Detection Systems Domain Name Service (DNS) Placement of Servers in Firewall Environments © 2008 Security Architecture - All Rights Reserved.
157
GUIDELINES: REAL-WORLD EXAMPLE
Firewall Security Policy Firewall Policy Implementing a Firewall Ruleset Testing Firewall Policy Firewall Implementation Approach Firewall Maintenance & Management Physical Security Of The Firewall Environment Periodic Review Of Information Security Policies A Sample Topology and Ruleset © 2008 Security Architecture - All Rights Reserved.
158
GUIDELINES: REAL-WORLD EXAMPLE
Firewall Administration Access To The Firewall Platform Firewall Platform Operating System Builds Firewall Failover Strategies Firewall Logging Functionality Security Incidents Firewall Backups Function-Specific Firewalls © 2008 Security Architecture - All Rights Reserved.
159
PROCEDURES
Step-by-step recipe for how to implement and configure security measures Explicit documentation from both the vendor and the implementing organization Technology specific Internally and externally auditable
© 2008 Security Architecture - All Rights Reserved.
160
POLICY IMPLEMENTATION: REAL-WORLD EXAMPLE Filtering (varies by type of firewall): Physical location of packet (inside/outside perimeter) Source address Destination address Type of TCP/IP application (service, port) Relationship to other packets Application function content (e.g., GET, PUT) Action/Result: Accept: allow packet to pass through Drop: deny access; no response Deny/Reject: deny access; respond with ICMP echo Logging © 2008 Security Architecture - All Rights Reserved.
161
POLICY IMPLEMENTATION: REAL-WORLD EXAMPLE Access control rules are processed in order Once a rule is satisfied, no other rules are checked - packet is either accepted or denied depending on the rule If no rules are satisfied, the packet is denied (default for most firewalls) Complex and/or poor sequencing of policies rules that result in packets to be accepted may create security vulnerabilities
© 2008 Security Architecture - All Rights Reserved.
162
POLICY IMPLEMENTATION: REAL-WORLD EXAMPLE
© 2008 Security Architecture - All Rights Reserved.
163
9 Task: Write a security policy guideline for incident response.
WORKSHOP #7 © 2008 Security Architecture - All Rights Reserved.
164
SECURITY POLICY
SUMMARY
WHY DO WE NEED POLICY?
Compliance Exceed Industry Practices Response Risk Assessment
© 2008 Security Architecture - All Rights Reserved.
166
WHY: COMPLIANCE Health Insurance Portability and Accountability Act (HIPAA) Health Care Industry
Graham-Leach-Bliley Act (GLBA) Financial services institutions
“Reasonable man” measure Businesses are legally obligated to install well-known safety measures to protect against well-known threats
Limit liability Complex system of federal, state, and sector-specific laws © 2008 Security Architecture - All Rights Reserved.
WHY: INDUSTRY PRACTICES
Certification and accreditation Standards certification ISO/IEC Common Criteria FISMA requirements
© 2008 Security Architecture - All Rights Reserved.
168
WHY: RESPONSE
Incident response Event management, correlation, and response Disaster response and recovery
© 2008 Security Architecture - All Rights Reserved.
169
WHY: RISK ASSESSMENT
Risk analysis and mitigation Audit and assessment Effectiveness measurements and metrics
© 2008 Security Architecture - All Rights Reserved.
170
SECURITY POLICY
ADDITIONAL INFORMATION RESOURCES
CERT (www.cert.org)
What is it? Computer Emergency Response Team Run by the Software Engineering Institute (SEI) at Carnegie Mellon Tracks and publishes threats and vulnerabilities Maintains databases of practices and technology-specific security guidelines
© 2008 Security Architecture - All Rights Reserved.
172
US-CERT (www.uscert.gov)
What is it? United States Computer Emergency Readiness Team Run by US Dept. of Homeland Security Federal agencies required to notify US-CERT of breaches within one hour of discovery Point of interaction/communication between federal cyber security interests, the public, and private sector entities
© 2008 Security Architecture - All Rights Reserved.
173
DITSCAP/DIACAP
What is it? DoD Information Technology Security Certification and Accreditation Process (superceded by DoD Information Assurance Certification and Accreditation Process Primarily applies in the defense part of the public sector Formal structure specifies six sections and 18 appendices Many of the DITSCAP requirements are related to policy © 2008 Security Architecture - All Rights Reserved.
174
PRIVACY REGULATIONS Alston-Bird (www.alston.com) Intellectual Property and Privacy practices Online privacy library Summary reports on global regulations and legislation International Association of Privacy Professionals (www.privacyassociation.org) Tracks information privacy practices, laws, and developments worldwide Training and certifications in privacy (CIPP) © 2008 Security Architecture - All Rights Reserved.
175
POLICY DEVELOPMENT
Charles Cresson Wood Information Security Policies Made Easy (v.9) www.infosecurityinfrastructure.com Also titles on roles and responsibilities, ecommerce, security controls, etc.
© 2008 Security Architecture - All Rights Reserved.
176
SECURITY POLICY
Stephen Gantz CISSP-ISSAP, CEH, CGEIT Principal Architect
[email protected]