Information security policies, Security in Organizations 2011, Eric Verheul (PowerPoint presentation)



SLIDE 1

Information security policies

Security in Organizations 2011 Eric Verheul

SLIDE 2

Literature

Main literature for this lecture:

  1. ISO 27001 and ISO 27002
  2. Besluit voorschrift informatiebeveiliging rijksdienst 2007 (www.wetten.nl)
  3. Beveiligingsvoorschrift Rijksdienst 2005 (www.wetten.nl)

Variants on ISO 2700*

SLIDE 3

Outline

  • Introduction
  • Requirements on IS policies from ISO 2700x and VIR-2007
  • Organization of information security
  • IS policy layout
  • Some first feed-back from assignment #1

SLIDE 4

Introduction

  • Every organization needs an “IS policy”
  • Most organizations have an IS policy, but in many cases it is just a paper tiger:
    • not sufficiently concrete
    • not in line with what is actually done operationally
    • and most of all … not implemented
  • I am giving you my perspective on IS policy, based on experience and on ISO 2700x and Voorschrift Informatiebeveiliging Rijksdienst 2007

SLIDE 5

Introduction

Diagram: three levels of information security, the parties at each level, and the documents each level produces

  • Strategic IS: senior management; IS policy
  • Tactical IS: line management; IS guidelines, parameters
  • Operational IS: operations (administrators, employees, external parties); IS procedures, settings

Requirements flow downward through these documents; reporting flows back upward.

  • The IS policy is a means of communicating IS requirements to the organization
  • The organization communicates back through (progress) reports

SLIDE 6

Requirements from ISO 2700x and VIR

ISO 2700x

  • Recall that ISO 27001 describes an ISMS that refers to ISO 27002 for security controls
  • Both ISO 27001 and ISO 27002 have requirements on IS policy:
    • ISO 27002: Chapter 5 ‘Security Policy’
    • ISO 27001: Clause 4.2.1 b)

SLIDE 7

Requirements from ISO 27002 Section 5.1.1

Control: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.

Guidance:

  • Definition of information security
  • Management intent and support
  • Framework for implementing IS
  • General principles to follow (e.g., legal, awareness, BCP, security incidents)
  • Definitions of roles and responsibilities
  • References to documentation

SLIDE 8

Requirements from ISO 27002 Section 5.1.2

Control: The information security policy should be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

Guidance on input:

  • Feedback from interested parties
  • Results from (independent) reviews
  • Status of preventive and corrective actions
  • Results of previous management reviews
  • Changes that could affect the organization's IS approach
  • Trends related to threats and vulnerabilities
  • Reported information security incidents
  • Recommendations provided by relevant authorities

SLIDE 9

Requirements from ISO 27002 Section 5.1.2

Control: The information security policy should be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

Guidance on output:

  • Improvement of the organization's approach to managing information security and its processes
  • Improvement of control objectives and controls
  • Improvement in the allocation of resources and responsibilities

Note: the ISO 27002 Chapter 5 requirements resemble the ISO 27001 PDCA cycle.

SLIDE 10

Requirements from ISO 27001 Clause 4.2.1 b)

SLIDE 11

Requirements from ISO 2700x and VIR

Voorschrift informatiebeveiliging rijksdienst 2007 (VIR)

  • Applicable to the ‘Rijksdienst’ (central government), most notably the departments (‘ministeries’)
  • Applicable to all information regardless of its form
  • Stipulates that information security is the responsibility of line management
  • Article 3 sets requirements on an information security policy
  • Article 4 describes responsibilities of line management

SLIDE 12

Requirements from VIR article 3

An information security policy document includes:

  • Strategic principles and conditions on IS
  • Description of the IS organization including responsibilities
  • IS baselines
  • Frequency of IS policy review
  • Descriptions on how security awareness is increased

The IS policy is approved by the Secretary General (the highest civil servant within the department), who is also end responsible for its implementation.

SLIDE 13

Requirements from VIR article 4

Line management

  • is end responsible for the information security of his/her information systems
  • sets security controls based on a risk assessment
  • is end responsible for the implementation of these security controls
  • periodically evaluates information security and adjusts it accordingly

SLIDE 14

Outline

  • Introduction
  • Requirements on IS policies from ISO 2700x and VIR-2007
  • Organization of information security
  • IS policy layout
  • Some first feed-back from assignment #1

SLIDE 15

Information Security & Risk Management

The IS process in helicopter view

Plan:
  • Setting the IS policy
  • Allocation of IS roles and responsibilities
  • Setting security baselines
  • ISMS implementation (incl. setting the risk assessment methodology)

Do:
  • Implementing security baselines
  • Conducting risk assessments
  • Implementation of additional controls

Check:
  • Reviewing compliance with policy
  • Reviewing IS effectiveness

Act:
  • Periodic review of IS by management
  • Planning of corrective actions

SLIDE 16

Information Security & Risk Management

Distinguished IS parties within organization

  • Senior Management
  • Security office
  • Line management (system owners)
  • Internal / external auditors
  • Supporting internal / external services
  • IS projects
  • Employees of the organization

SLIDE 17

Information Security & Risk Management

Senior Management

What:

  • Giving commitment on information security
  • Approval of IS policy
  • Bootstrapping the ISMS (security officer)
  • Providing resources and budget
  • Management of serious security incidents
  • Periodic review of IS (‘Act’), including adjusting the IS policy
  • Sponsoring of IS projects

Reports to:

  • Stakeholders
  • Supervisory board

SLIDE 18

Information Security & Risk Management

Security Officer

What:

  • IS center point; sits between senior management and the organization
  • Drafting / revising information security, including security baselines (but not approval!)

  • Providing specific guidelines on information security
  • Daily supervision on information security
  • Security incident handling
  • Progress control on IS including IS projects
  • Initiation of IS projects
  • Arranging the periodic management review

Reports to: Senior management

SLIDE 19

Security Office

Diagram (organization chart): ‘Headquarters’ with several Business Units, each with several Locations. The security roles at each level: CISO at headquarters, BISO per business unit, ISO per location.

SLIDE 20

Information Security & Risk Management

Line management (‘system owners’)

What:

  • Conducting risk assessments on their systems
  • Implementing security (baselines, additional controls)
  • Agreements with internal / external parties on security, e.g. as arising from risk assessments
  • Supervision on information security, e.g. talking to non-compliant employees

Reports to: Security Office

SLIDE 21

Information Security & Risk Management

Line management (‘system owners’)

Risk criteria related to Integrity

Low. Incorrectness of information can result in:
  • fraud of less than Euro 2.500
  • no bad publicity
  • no damage to the operational management due to incorrect management decisions
  • no risk for liability or non-compliance with rules and regulations

Medium. Incorrectness of information can result in:
  • fraud of less than Euro 25.000
  • bad publicity in local news media
  • limited damage to the operational management due to incorrect management decisions
  • limited risk for liability or non-compliance with rules and regulations

High. Incorrectness of information can result in:
  • fraud of substantially more than Euro 25.000
  • bad publicity in national news media
  • unacceptable damage to the operational management due to incorrect management decisions
  • high risk for liability or non-compliance with rules and regulations

The slide also refers to ‘Risk Criteria related to Confidentiality’ and ‘Risk Criteria related to Availability’ (those tables are not shown in the extracted text).

SLIDE 22

Information Security & Risk Management

Internal / external audit

What:

  • Conducting audits on compliance with IS policy
  • Conducting audits on the ISMS:
    • are all parties doing the things they should do?
    • is the ISMS effective?
  • Conducting specific audits, e.g., compliance with baselines
  • Should be independent

Reports to: Senior Management

SLIDE 23

Information Security & Risk Management

Supporting internal / external services

SLIDE 24

Information Security & Risk Management

Supporting internal / external services

What:

  • IT department (!), facility department, HR, legal department, etc.
  • Employment agencies, contractors, couriers, security guards
  • Compare ISO 27002 chapters
  • Implementing security baselines
  • Implementing specific additional security controls arising from risk assessments

Reports to:

  • Security office
  • ‘Clients’ (line management)

SLIDE 25

Information Security & Risk Management

IS projects

What:

  • Implementation of specific security (e.g. PKI, IPS, IAM)

Reports to:

  • Project leaders
  • Security office

SLIDE 26

Information Security & Risk Management

Employees of the organization

What:

  • Adhering to security baselines and specific controls arising from

risk assessments

  • Reporting security incidents

Reports to:

  • Security office
  • Line management

SLIDE 27

Information Security & Risk Management

Relation with PDCA

Diagram: a matrix with the parties below as rows and the PDCA phases (P, D, C, A) as columns; an X marks the phases in which each party is involved (the column positions of the X's are not recoverable from the extracted text).

  • Senior Management
  • Security office
  • Line management (system owners)
  • Internal / external auditors
  • Supporting internal / external services
  • IS projects
  • Employees of the organization

There is one ‘X’ wrong here; which one?

SLIDE 28

Information Security & Risk Management

Relation with PDCA

Diagram: the matrix of parties (rows) against the PDCA phases P, D, C, A (columns), as on the previous slide; the column positions of the X's are not recoverable from the extracted text.

  • Senior Management
  • Security office
  • Line management (system owners)
  • Internal / external auditors
  • Supporting internal / external services
  • IS projects
  • Employees of the organization

SLIDE 29

Outline

  • Introduction
  • Requirements on IS policies from ISO 2700x and VIR-2007
  • Organization of information security
  • IS policy layout
  • Some first feed-back from assignment #1

SLIDE 30

Information Security & Risk Management

IS policy layout

Chapter and its content:

  • Introduction: background on the organization (what it does/produces, clients, etc.)
  • Management approval: senior management approval (and commitment)
  • Definition of information security: what is CIA, what is IS?
  • Basic principles to follow: important IS aspects within the organization
  • Objective and scope: minimal requirements to be met; what falls under the policy (scope)
  • Organization of information security: who is responsible for what? Relation with PDCA
  • Approach: how do you implement PDCA?
  • Baselines: make a choice of controls that are important for all systems/processes

SLIDE 31

Information Security & Risk Management

Introduction

http://www.ru.nl/fnwi/:

  • Education
  • Research (http://www.ru.nl/science/research/research_facilities/)
  • Paid research (e.g., LaQuSo, http://www.ru.nl/publish/pages/566471/rujv2006opmaak.pdf)
  • Service departments (http://www.ru.nl/science/about_the_faculty/service_departments/)

SLIDE 32

Information Security & Risk Management

Management approval

SLIDE 33

Information Security & Risk Management

Management approval

  • Education institutes
  • Research institutes
  • Service departments

SLIDE 34

Information Security & Risk Management

Management approval

Education institutes

  • Onderwijsinstituut voor Biowetenschappen
  • Onderwijsinstituut voor Informatica en Informatiekunde
  • Onderwijsinstituut voor Moleculaire Wetenschappen
  • Onderwijsinstituut voor Wiskunde, Natuur- en Sterrenkunde (WiNSt)

Research institutes

  • Donders Centre for Neuroscience (DCN)
  • Institute for Computing and Information Sciences (ICIS)
  • Institute for Mathematics, Astrophysics and Particle Physics (IMAPP)
  • Institute for Molecules and Materials (IMM)
  • Institute for Science, Innovation and Society (ISIS)
  • Institute for Water and Wetland Research (IWWR)

Service departments next slide

SLIDE 35

Information Security & Risk Management

Management approval

Service departments

  • Faculteitsbureau
  • C&CZ, Computer- and Communications Department
  • FEZ, Financiën en Economische Zaken
  • IHZ, Interne- en Huisvestingszaken
  • OWC, Onderwijscentrum
    • (among others, Facultaire Studenten Administratie/Examenbureau)
  • P&O, Personeel en Organisatie
  • TeCe, TechnoCentrum (Technical Department)
  • Library of Science
  • EXO steunpunt
  • GI, General Instruments (IWWR)
  • Experimental Garden and Genebank (IWWR)
  • OC, Onderdeelcommissie

SLIDE 36

Information Security & Risk Management

Definition of information security

Just cite ISO 2700x

SLIDE 37

Information Security & Risk Management

Basic principles to follow

  • Minimal requirements to be met
  • What falls under the policy (scope)

Which laws do you think are applicable?

SLIDE 38

Information Security & Risk Management

Objective and scope

What are important IS aspects within FNWI?

Service departments

  • Faculteitsbureau
  • C&CZ, Computer- and Communications Department
  • FEZ, Financiën en Economische Zaken
  • IHZ, Interne- en Huisvestingszaken
  • OWC, Onderwijscentrum
    • (among others, Facultaire Studenten Administratie/Examenbureau)
  • P&O, Personeel en Organisatie
  • TeCe, TechnoCentrum (Technical Department)
  • Library of Science
  • EXO steunpunt
  • GI, General Instruments (IWWR)
  • Experimental Garden and Genebank (IWWR)
  • OC, Onderdeelcommissie

SLIDE 39

Information Security & Risk Management

Organization of information security / Approach

Who is responsible for what? Relation with PDCA

  • Education institutes
  • Research institutes
  • Service departments

SLIDE 40

Information Security & Risk Management

Baselines

Make a choice of controls that are important for all systems/processes.

Chapters of ISO 27002, with the Dutch NEN translation of each chapter title:

  Ch.  ISO 27002                                                     NEN translation
   5   Security Policy                                               Beveiligingsbeleid
   6   Organization of Information Security                          Beveiligingsorganisatie
   7   Asset Management                                              Classificatie en beheer van bedrijfsmiddelen
   8   Human Resources Security                                      Beveiligingseisen ten aanzien van personeel
   9   Physical and Environmental Security                           Fysieke beveiliging en beveiliging van de omgeving
  10   Communications and Operations Management                      Beheer van communicatie- en bedieningsprocessen
  11   Access Control                                                Toegangsbeveiliging
  12   Information Systems Acquisition, Development and Maintenance  Ontwikkeling en onderhoud van systemen
  13   Information Security Incident Management                      Incidentmanagement
  14   Business Continuity Management                                Continuïteitsmanagement
  15   Compliance                                                    Naleving