Security policy
Lecture 3
Esmiralda Moradian
Learning outcomes
● Understand what a security policy is
● Describe the important parts of security policies
● Understand how to create security policies
What is security policy?
● Expresses the security goals and objectives of the organization
● The security policy translates, clarifies, and communicates
the management position on security
● A policy is typically a document that outlines specific
requirements or rules that must be met
– the rules for expected behavior
● Describes the principles upon which information security
standards and operational guidelines are based
● Provides a basis for monitoring the effectiveness of security measures
Security policy
● Security policy should
– be appropriate to the goals of the organization;
– include information security objectives or provide the framework for
setting information security objectives;
– include a commitment to satisfy requirements related to information
security; and
– include a commitment to continual improvement of the information
security management system.
Top management shall establish an information security policy
Information Security policy
● The security policy shall
– be defined
– be approved by management
– be available as documented information
– be communicated within the organization and
– be available to interested parties
● Policies should follow good design and governance practices
– not so long that they become unusable
– not so vague that they become meaningless
Security policy
An information security policy should contain statements concerning:
– definition of information security;
– objectives and principles to guide activities relating to information
security;
– assignment of responsibilities for information security management to
defined roles;
– processes for handling deviations and exceptions;
– requirements regarding
• information protection
• access control
• physical and environmental security
• system development lifecycle
– operational security requirements;
– references to underlying policy documents.
Tasks
● ISACA, ISF, and ISC2 developed 12 principles for
policy development that support 3 tasks:
1. Support the business;
2. Defend the business; and
3. Promote responsible information security
behavior.
Task 1. Support the business
● Focus on the business to ensure that information security (IS) is integrated into
essential business activities
● Deliver quality and value to stakeholders
● Comply with relevant legal and regulatory requirements
● Provide timely and accurate information on security performance
● Evaluate current and future information threats to
– analyse and assess emerging threats to mitigate risks
● Promote continuous improvement in information security
Task 2. Defend (protect) the business
● Adopt a risk-based approach
● Protect classified information
● Concentrate on critical business applications to prioritise resources
– protect business applications in which a security incident would have the
greatest impact
● Develop systems securely
Task 3. Promote responsible information
security behavior
● Act in a professional and ethical manner
● Foster an information security-positive culture
Implementation
● Policies should be developed in conjunction with the
stakeholders
● The legal and compliance team should be consulted
● Involve system owners
● Executive sponsors to support implementation
● Existing processes must be evaluated
– if a process does not exist, create one to support
the policy
Security policy review
● Security policies should be reviewed
– on a regular basis, at planned intervals, or
– if significant changes occur, to ensure their continuing
suitability, adequacy and effectiveness
– to ensure that they are relevant and achieving the desired goals
● Each policy should have an owner
● The review of policies for information security should take the
results of management reviews into account
● Management approval for a revised policy should be obtained
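The review rules above (an owner for every policy, management approval, review at planned intervals or after a significant change) can be checked mechanically against a policy register. The following is an added example, not part of the lecture material; the register format, field names and the sample entries are constructed for illustration.

```python
"""Policy-register check: flags policies that break the governance rules
on the slides (owner assigned, management approval obtained, reviewed at
planned intervals or after a significant change).
Added example; the record layout and sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PolicyRecord:
    name: str
    owner: str | None             # None means no owner has been assigned
    approved_by_management: bool  # approval obtained for the current version
    last_reviewed: date | None    # None means the policy was never reviewed
    review_interval_days: int     # planned review interval
    significant_change: bool = False  # e.g. new regulation or reorganisation


def audit_policy(policy: PolicyRecord, today: date) -> list[str]:
    """Return the governance findings for one policy (empty list means OK)."""
    findings: list[str] = []
    if not policy.owner:
        findings.append("no owner assigned")
    if not policy.approved_by_management:
        findings.append("not approved by management")
    if policy.last_reviewed is None:
        findings.append("never reviewed")
    else:
        # Planned-interval rule: the next review is due interval days after the last one.
        due = policy.last_reviewed + timedelta(days=policy.review_interval_days)
        if today > due:
            findings.append(f"review overdue since {due.isoformat()}")
        # Significant-change rule: a change triggers a review regardless of the interval.
        if policy.significant_change:
            findings.append("significant change since last review; review required")
    return findings


def audit_register(register: list[PolicyRecord], today: date) -> dict[str, list[str]]:
    """Map each policy name to its findings; policies without findings are omitted."""
    report: dict[str, list[str]] = {}
    for policy in register:
        findings = audit_policy(policy, today)
        if findings:
            report[policy.name] = findings
    return report


# Constructed sample register (not real organisational data).
SAMPLE_REGISTER = [
    PolicyRecord("Information security policy", "CISO", True, date(2024, 1, 15), 365),
    PolicyRecord("Mobile device policy", None, True, date(2023, 3, 1), 365),
    PolicyRecord("Email security policy", "IT manager", False, None, 180),
    PolicyRecord("Acceptable use policy", "HR director", True, date(2024, 6, 1), 365,
                 significant_change=True),
]
AUDIT_DATE = date(2024, 9, 1)  # the day the check is run (constructed)

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER, AUDIT_DATE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the script prints only the three policies with findings; the information security policy passes all checks. In practice the register would be exported from whatever document-management system holds the policies, and the report would feed the management review rather than be printed.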
Management support
It is difficult to convince management that the organization
needs a security policy and that it must be taken seriously.
So, how can management be convinced?
● Show the value of the assets
● Identify and assess the risks to the assets in case of an attack
● Consider and calculate the financial and legal
consequences
● Cost of security
Security policy
● To be practical and implementable, policies must be further defined
by
– standards
• a collection of system-specific or procedure-specific
requirements
– guidelines
• a collection of system-specific or procedure-specific
"suggestions"
Ensure that all operations are consistent with the intent of the
security policies
Security policies types
● Access control
● Physical and environmental security
● Backup & restore
● Protection from malicious code
● Communications security (cryptographic controls)
● Privacy policy
● End user-oriented policies
– acceptable use of assets
– clear desk and clear screen
– mobile device and teleworking
– restrictions on software installation and use
Example. Internet usage policy
● Establish an employee Internet usage policy
– web surfing should be limited to a reasonable amount of time and
to certain types of activities;
– if a web filtering system is used, employees should have clear
knowledge of how and why their web activities will be monitored;
– workplace rules of behavior should be clear, concise and easy to
follow;
– employees should feel comfortable performing both personal and
professional tasks online.
Example. Social media policy
A social media policy should include:
● Guidance on when company activities may be disclosed and what details can be discussed
● Rules of behavior
● Guidance on whether a company email address may be used on social media
sites
● Guidance on selecting passwords for social networking accounts
● Risk awareness and education on the potential pitfalls of social media use
Example. Mobile device policy
● The mobile device policy should consider:
– registration of mobile devices;
– requirements for physical protection;
– restriction of software installation;
– requirements for mobile device software versions and for applying patches;
– malware protection;
– remote disabling, erasure or lockout; etc.
● If privately owned devices are allowed, consider
– separation of private and business use of the devices
– providing access to business information only after users have signed
an end user agreement covering
• physical protection
• software updating
• waiving ownership of business data
• allowing remote wiping
Example. Email security policy
● Requirements to set up a spam email filter
● Requirements for protection of sensitive information sent via email
● Protect against online fraud
● Protect against phishing
● Train employees to recognize social engineering
● Don’t fall for fake antivirus offers
Example. Webserver Security
● Plan and address the security aspects of the deployment of a public web server
● Implement security management practices and controls
● Ensure web server OS and application meet the security requirements
● Ensure appropriate steps are taken to protect web content
● Use authentication and cryptographic technologies
● Employ the network infrastructure to protect the web server
● Commit to an ongoing process of maintaining web server security
Example. HR security (employees)
● Develop a hiring process
● Perform background checks
● Set appropriate access controls
● Provide security training
● Consider rules for dealing with 3rd parties
Group policies
● Policy groups example
– organizational level policies
– user level policies
– system level policies
Holistic Security
● Security policies are only effective in the context of an
integrated and comprehensive set of non-technical and technical
controls
● It is not sufficient to implement some security features in an IT
system.
● Real security requires holistically integrated risk management (RM) controls
References
● Security policy templates can be found at https://www.sans.org/security-resources/policies/
● Cyber Security Planning Guide
Questions?
Questions can be asked in the Supervision forum and/or
during the chat and Zoom sessions