Information Systems 365, Lecture Four: Security Policy Development, Data Classification Methods and Workplace Controls
Description: Security Policy Development, Data Classification Methods and Workplace Controls
Transcript
Information Security 365/765, Fall Semester, 2014
Course Instructor: Nicholas Davis
Lecture 4: Security Policy Development, Data Classification Methods, Workplace Controls
Next Time
- Security policies
- Information classification
- Security awareness training
04/10/23 UNIVERSITY OF WISCONSIN 2
Security Policy
An overall general statement, produced by senior management, which dictates the role which security management plays in the organization.
- Made up of goals and responsibilities
- Shows strategic and tactical value of the policy
- Outlines how enforcement should be carried out
Security Policy Components: Business Objectives
Business objectives should drive the policy's creation, implementation and enforcement. The policy should not dictate business objectives.
Security Policy Components: Make It Legible
The document should be written in plain language, so that all employees can easily understand the portions which apply to them, without question.
Security Policy Components: Uniformity
Make certain it fits all business functions and processes.
Security Policy: Legal Conformity
It should support all legislation and regulations which apply to the company: local, national and international.
Security Policy: A Living Document
It should be revisited on a regular basis and updated as necessary, as changes occur within the company.
Make certain that all changes are documented and recorded.
Security Policy: Adaptability
It should be written in such a way as to make it useful for several years at a time, under normal circumstances, and flexible enough to deal with minor changes as they occur.
Security Policy: Language
The tone of the policy must be certain and strong. Avoid using the word "should", as it leaves room for interpretation. Instead, use the words "shall", "will" and "must" throughout the document.
Security Policy: Style
- No frills
- Professional looking
- Consistent presentation
Why is IT Security Policy So Important?
- Helps identify the company's valuable assets
- Provides authority to the security team and their activities
- Provides a reference to review when conflicts pertaining to security arise
- States clearly the company's goals and objectives in the area of security
- Outlines personal responsibility
Why is IT Security Policy So Important? (continued)
- Helps prevent unanticipated events from occurring
- Defines the scope and boundaries for the security team and its functions
- Outlines incident response responsibilities
- Outlines the company's response to legal and regulatory requirements
Three Types of Security Policies Exist
- Regulatory
- Advisory
- Informative
Security Policy Types: Regulatory
Ensures that the company is following standards set by specific industry regulations. It is very detailed and specific to a type of industry:
- Finance
- Healthcare
- Government
Security Policy Types: Advisory
Tells employees which types of behaviors and activities shall and shall not take place within the organization. How to handle:
- Medical information
- Financial transactions
- Confidential information
Outlines ramifications for non-compliance.
Security Policy Types: Informative
Informs employees on generalities of certain topics, but is not enforceable.
It teaches about issues important to the company, such as how the company would like employees to interact with business partners, the company's goal and mission, or the corporate reporting structure.
Security Policy: Due Diligence
Due diligence is the act of investigating and understanding the risks the company faces.
Security Policy: Due Care
Due care is a statement which demonstrates that the company has accepted and taken responsibility for activities which take place in the organization.
How Due Diligence and Due Care are Related
Due diligence is the understanding of the threats and risks, while due care is the countermeasures which the company has put in place to address the threats and risks.
Information Classification
In the field of data management, data classification is defined as a tool for categorizing data that helps an organization effectively answer the following questions:
- What data types are available?
- Where are certain data located?
- What access levels are implemented?
- What protection level is implemented, and does it adhere to compliance regulations?
Data Classification
- Commercial Enterprise
- Military
You are business students, so we will focus on commercial enterprise data classification terminology.
Data Classification Types
- Public
- Sensitive
- Private
- Confidential
Data Classification: Public
Definition: Disclosure is not welcome, but it would not cause an adverse impact or damage to the company or its employees.
Examples:
- How many people work at the company
- Current job positions posted on the website
Data Classification: Sensitive
Definition: Requires special precautions to ensure the integrity and confidentiality of the data, by protecting it from unauthorized modification or deletion. Requires higher than normal assurance of accuracy and completeness.
Examples:
- Financial information
- Details of projects
- Profit earnings and forecasts
Data Classification: Private
Definition: Personal information, for use only within the company. Unauthorized disclosure could adversely affect employees, the company, its business partners or customers.
Examples:
- Work history
- HR information
- Medical information
Data Classification: Confidential
Definition: For use within the company only. Exempt from disclosure under the Freedom of Information Act. Unauthorized disclosure could seriously affect a company.
Examples:
- Trade secrets
- Programming software code
- Information that keeps the company competitive
Data Classification Procedures
1. Define classification levels
2. Specify the criteria by which data will be classified
3. Have the data owner indicate the classification level for their data
4. Identify the data custodian, who will be responsible for maintaining the data and its security level
5. Indicate the controls to be applied at each classification level
Data Classification Procedures (continued)
6. Document any exceptions in detail
7. Indicate the methods which are used to transfer data custody to a different owner
8. Create a procedure to periodically review the data's classification and ownership
9. Indicate declassification procedures
10. Integrate this knowledge into a security awareness program
If You Choose to Create Your Own Data Classification System
- Too many levels will make classification complex and confusing
- Too few levels will encourage sloppy data classification
- There should be no overlap between classification levels
- Classification levels should be developed for both data and the systems housing the data, and they should match
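An added example, not part of the lecture, that puts the classification procedure and the design rules above into code: the four commercial levels from the earlier slides in rank order, a check that no two levels overlap and that every level has controls (step 5), and a check that each data item sits on a system classified at or above its level and carrying that level's controls. The control names, systems and assets are constructed placeholders, and "match" is read here as the system being classified at least as high as the data it houses.

```python
from dataclasses import dataclass

# Rank order of the four commercial levels from the slides (no two share a rank).
LEVELS = {"Public": 0, "Sensitive": 1, "Private": 2, "Confidential": 3}

# Constructed, hypothetical controls per level (procedure step 5); not a standard.
CONTROLS = {
    "Public": {"integrity review"},
    "Sensitive": {"integrity review", "access logging", "change approval"},
    "Private": {"access logging", "need-to-know ACL", "encryption at rest"},
    "Confidential": {"access logging", "need-to-know ACL",
                     "encryption at rest", "egress DLP block"},
}


@dataclass
class DataAsset:
    name: str
    level: str       # chosen by the data owner (step 3)
    owner: str
    custodian: str   # maintains the data and its security level (step 4)
    system: str      # the system housing the data


@dataclass
class System:
    name: str
    level: str
    controls: set


def validate_scheme(levels: dict, controls: dict) -> list:
    """Problems with the scheme itself: overlapping ranks or a level with no controls."""
    problems = []
    ranks = list(levels.values())
    if len(set(ranks)) != len(ranks):
        problems.append("classification levels overlap (duplicate rank)")
    for name in levels:
        if not controls.get(name):
            problems.append(f"level {name!r} has no controls defined")
    return problems


def placement_violations(assets: list, systems: dict) -> list:
    """Flag data housed on a system classified below it, or lacking its level's controls."""
    findings = []
    for a in assets:
        host = systems.get(a.system)
        if host is None:
            findings.append(f"{a.name}: unknown system {a.system!r}")
            continue
        if LEVELS[host.level] < LEVELS[a.level]:
            findings.append(f"{a.name}: {a.level} data on {host.level} system {host.name}")
        missing = CONTROLS[a.level] - host.controls
        if missing:
            findings.append(f"{a.name}: system {host.name} lacks {sorted(missing)}")
    return findings


def demo() -> list:
    """Constructed inventory: one asset sits on a system one level too low."""
    systems = {
        "hr-db": System("hr-db", "Private", set(CONTROLS["Private"])),
        "web": System("web", "Public", set(CONTROLS["Public"])),
    }
    assets = [
        DataAsset("job-postings", "Public", "hr", "web-team", "web"),
        DataAsset("medical-records", "Private", "hr", "dba", "hr-db"),
        DataAsset("source-code", "Confidential", "engineering", "dba", "hr-db"),
    ]
    assert not validate_scheme(LEVELS, CONTROLS)
    return placement_violations(assets, systems)
```

Running `demo()` reports only the Confidential source code placed on the Private database, once for the level mismatch and once for the missing control.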
Hiring Practices
- Job skill screening
- Reference check
- Non-disclosure agreement (NDA) signed
- Education verification
- Criminal background check
- Credit report check
- Sex offender check
- Drug screening
- Professional license check
- Immigration status check
- Social Security Number trace to ensure validity
Employee Controls: Rotation of Duties
No one person should stay in one position for an uninterrupted period of time, as this may enable them to have too much control over a segment of business.
Mandatory vacation policy
Employee Controls: Separation of Duties
- Split knowledge system: No single employee has the knowledge to do a task by themselves
  Example:
- Dual control: No single employee has the physical ability to do a task by themselves
  Example:
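As an added example that is not part of the lecture, the two separation-of-duties controls above modelled in Python: split knowledge as XOR key components held by different custodians, so that no single holder learns anything about the key, and dual control as an approval gate that only opens for two distinct people. The custodian names, the action string and the master key are constructed.

```python
import secrets
from functools import reduce


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_knowledge(secret: bytes, custodians: int) -> list:
    """Split a key into one XOR component per custodian.

    Any subset short of all components is uniformly random, so a single
    custodian (or any group missing one member) learns nothing about the key.
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(secret)) for _ in range(custodians - 1)]
    parts.append(reduce(_xor, parts, secret))  # final part makes the XOR of all equal the key
    return parts


def combine_components(parts: list) -> bytes:
    """Reconstruct the key; every custodian's component must be present."""
    return reduce(_xor, parts)


class DualControl:
    """A sensitive action runs only after `required` *distinct* people authorize it.

    Approvers are kept in a set, so the same person approving twice counts once.
    """

    def __init__(self, required: int = 2):
        self.required = required
        self.approvals = {}  # action -> set of approver identities (doubles as an audit record)

    def approve(self, action: str, approver: str) -> bool:
        self.approvals.setdefault(action, set()).add(approver)
        return self.is_authorized(action)

    def is_authorized(self, action: str) -> bool:
        return len(self.approvals.get(action, set())) >= self.required


def key_ceremony(master_key: bytes, custodians: list) -> dict:
    """Constructed walk-through combining both controls for loading a master key."""
    parts = dict(zip(custodians, split_knowledge(master_key, len(custodians))))
    gate = DualControl(required=2)
    # One custodian alone has neither the knowledge nor the authority to proceed.
    alone = combine_components([parts[custodians[0]]]) == master_key
    gate.approve("load master key", custodians[0])
    gate.approve("load master key", custodians[0])  # same person twice: still one approval
    solo_authorized = gate.is_authorized("load master key")
    # With every component present and a second, distinct approver, the key can be loaded.
    gate.approve("load master key", custodians[1])
    loaded = (gate.is_authorized("load master key")
              and combine_components(list(parts.values())) == master_key)
    return {"alone_recovers_key": alone, "solo_authorized": solo_authorized, "loaded": loaded}
```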
Termination Practices
Each company needs a set of pre-defined termination procedures. Example:
- Once terminated, the employee must be escorted out of the facility by their manager
- Employee must immediately surrender keys, employee badge, etc.
- Employee must be asked to complete an exit interview and return company property
- The terminated employee's online accounts must be disabled immediately upon termination
Beware of Disgruntled Former Employees
Security Awareness Training Program
- One for senior management
- One for staff
- One for technical employees
Each covers:
- Responsibilities
- Liabilities
- Expectations
Security Awareness: Senior Management
Focus on: corporate assets, and the financial gains and losses which can occur due to information security incidents. They are the leaders, so they must demonstrate the proper mindset to the rest of the company.
Security Awareness: Mid-Management
Focus on: policies, standards and guidelines and how they map to individual departments; responsibility for ensuring their employees' adherence to the security policies; and how the managers will be held accountable for enforcement.
Security Awareness: Employees
Focus on: the operational aspects of information security, proper system usage, how to recognize a security issue, and how to properly handle and report a suspected information security incident.
Next Class: Access Control