
Information Systems Security Policies & ISO 17799

Maria Karyda, PhD
[email protected]

Laboratory of Information and Communication Systems Security
Department of Information and Communication Systems Engineering
University of the Aegean
Karlovassi, Samos, GR-83200, GREECE

IPICS – Chios, July 2005

Overview

- Information Systems Security Policies
  - What is a Security Policy?
  - Why do we need them?
  - How can we design a Policy and what should we include?
  - What makes a Security Policy effective?
- Information Security Management Standards
  - How can the ISO 17799 assist us?


Information Systems Security Practices

- Information Systems Risk Management
  - aims to minimize risk at acceptable levels by implementing risk analysis and management methods (e.g. OCTAVE, CRAMM, SBA)
  - baseline security is also an option
- Information Systems Security Policy
  - most common security management practice
  - based on risk evaluation results
  - based on standards and best practices


What is a Security Policy?

- High-level statements describing the security goals, priorities and the management intention with regard to information systems security, as well as the ways to achieve these goals.
- Written in one or more documents.


Information Systems Security Policies (life cycle)

- Design
- Implement
- Publish
- Enforce
- Monitor compliance
- Evaluate
- Review
- Amend and update


Who is involved?

- Security experts: design, review and update the policy
- System / network administrators: implement security controls, guidelines
- Management: set security goals, provide resources
- Users: follow security procedures
- Auditors: monitor compliance


Related Concepts

[Diagram: the Information Systems Security Policy at the centre, with Law and Regulations, Security Requirements, Information systems security management standards, Best Practice, Security Procedures, Guidelines and Countermeasures around it]

- Law and Regulations: e.g. Data Protection, Intellectual Property Management
- Security Requirements: confidentiality, availability, privacy, integrity, non-repudiation
- Best practices and Security Standards: security countermeasures, guidelines and procedures


Why do we need a security policy? -1-

- Provides a comprehensive framework for the selection and implementation of security measures
- Communication means among different stakeholders
- Management of resources: people, skills, money, time
- Conveys the importance of security to all members of the organization


Why do we need a security policy? -2-

- Helps create a “security culture”: shared beliefs and values concerning security
- Legal obligation
- Helps promote “trust relationships” between the organization and its business partners / clients


Designing a Security Policy: security goals elicitation

- Risk evaluation
- Other sources of security requirements:
  - management
  - legal framework
  - contractual obligations
  - users and administrators
  - business partners and clients


Designing a Security Policy: Issues to be addressed

- Goal and security targets
- Scope
- Assets covered by the Policy: data, software, hardware, locations, processes etc.
- Roles and responsibilities
- Compliance monitoring: incentives, penalties etc.
- Time


What kind of Security Policies are there?

- Computer-oriented Security Policies
  - Information Security Policies that implement access control (Discretionary Access Control, Mandatory Access Control)
  - operating systems, networks, applications
- Human-oriented Security Policies
  - scope: department, organization
  - applied by IS users


Security Policies Structure -1- Individual Security Policies

- per application or system (e.g. email policy), “use policies”
- (+) effective for isolated systems and autonomous applications
- (-) high complexity, fragmented IS security management


Security Policies Structure -2- Comprehensive Security Policies

- one document addressing all applications, processes and systems
- (-) big volume, not easy to use
- (-) contain high-level security guidelines


Security Policies Structure -3- Modular Security Policies

- comprehensive document with multiple annexes containing specific (e.g. per application or system) policies
- can be in hypertext form


ISO/IEC 17799

- First Edition: 01-12-2000
- Prepared by the British Standards Institution (as BS 7799) and adopted by Joint Technical Committee ISO/IEC JTC 1, Information Technology, in parallel with its approval by national bodies of ISO and IEC.
- “Information technology — Code of practice for information security management”
- New Edition: June 2005


Security Policies Content -1- (based on ISO 17799-2000)

I. Organizational Security

- “Information security is a business responsibility shared by all members of the management team.”
- Information security infrastructure
  - management should approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization
  - co-operation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance


Security Policies Content -2- (based on ISO 17799)

II. Asset classification and control

- Asset accountability: accountability should remain with the owner of the asset. Responsibility for implementing controls may be delegated.
- Information classification: information should be classified to indicate the need, priorities and degree of protection, depending on varying degrees of sensitivity and criticality.


Security Policies Content -3- (based on ISO 17799)

III. Personnel security

- Security in job definition and resourcing
- User training: users should be trained in security procedures and the correct use of information processing facilities to minimize possible security risks.
- Responding to security incidents and malfunctions
  - weaknesses, malfunctions
  - learning from incidents
  - disciplinary process


Examples*

- “The Terms and Conditions of Employment of the Organization are to include requirements for compliance with Information Security”
- “All staff must have previous employment and other references carefully checked”
- “All employees must comply with the Information Security Policy of the Organization. Any Information Security incidents resulting from non-compliance will result in immediate disciplinary action”

* RUSecure™ Information Security Policies


Examples*

- “The Organization is committed to providing regular and relevant Information Security awareness communications to all staff by various means, such as electronic updates, briefings, newsletters etc.”
- “Periodic training for the Information Security Officer is to be prioritized to educate and train in the latest threats and Information Security Techniques”
- “The Organization is committed to providing training to all users of new systems to ensure that their use is both efficient and does not compromise Information Security”

* RUSecure™ Information Security Policies


Security Policies Content -4- (based on ISO 17799)

IV. Physical and environmental security

- Secure areas: security perimeter, entry controls
- Protection provided should be commensurate with the identified risks
- Equipment security
- Safety


Examples*

- “A formal Hardware Inventory of all equipment is to be maintained and kept up-to-date at all times”
- “All information system hardware faults are to be reported promptly and recorded in a hardware fault register”

* RUSecure™ Information Security Policies


Security Policies Content -5- (based on ISO 17799)

V. Communications & operations management

- Operational procedures and responsibilities: incident management procedures, segregation of duties, separation of development and operational facilities
- System planning and acceptance: capacity planning, performance requirements, system acceptance
- Protection against malicious software
- Back-ups, logging
- Network management
- Media handling: tapes, disks, cassettes
- Information exchange between organizations: policy on the use of e-mail or fax, electronic commerce security


Examples*

- Policy statement on the use of fax: “Sensitive or confidential information may only be faxed where more secure methods of transmission are not feasible. Both the owner of the information and the intended recipient must authorize the transmissions beforehand”
- Policy statement on media handling: “Only personnel who are authorized to install or modify software shall use removable media to transfer data to/from the organization's network. Any other persons shall require specific authorization”

* RUSecure™ Information Security Policies


Security Policies Content -6- (based on ISO 17799)

VI. Access control

- User access management: access rights, passwords
- User responsibilities
- Network access control: network segregation
- Operating system access control
- Application access control
- Monitoring system access and use
- Mobile computing and teleworking


Examples*

- User access management: “Access to all systems must be authorized by the owner of the system and such access, including the appropriate access rights, or privileges, must be recorded in an Access Control List. Such records are to be regarded as Highly Confidential documents and safeguarded accordingly”
- Operating system access control: “Access to operating system commands is to be restricted to those who are authorized to perform systems administration/management functions. Even then, such access must be operated under dual control requiring the specific approval of senior management”

* RUSecure™ Information Security Policies


Security Policies Content -7- (based on ISO 17799)

VII. Systems development and maintenance

- Security requirements of systems: “built-in” security
- Security in application systems: message authentication, hash algorithms, cryptography
- Cryptographic controls: to protect the confidentiality, authenticity or integrity of information (encryption, digital signatures, key management)


Examples*

- “All new hardware installations are to be planned formally and notified to all interested parties ahead of the proposed installation date. Information security requirements are to be circulated for comment to all interested parties, well in advance of installation”
- “All equipment must be fully and comprehensively tested and formally accepted by users before being transferred to the live environment”

* RUSecure™ Information Security Policies


Security Policies Content -8- (based on ISO 17799)

VIII. Business continuity management

- “To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.”
- Analyze the consequences of disasters, security failures and loss of service.
- Develop and implement contingency plans to ensure that business processes can be restored within the required time-scales.
- Such plans should be maintained and practiced to become an integral part of all other management processes.
- Business continuity management should include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.


Security Policies Content -9- (based on ISO 17799)

IX. Compliance

- Compliance with legal requirements
  - data protection and privacy of personal information
  - intellectual property rights (IPR)
  - regulation of cryptographic controls
- Compliance with security policy


Examples*

- “Persons responsible for Human Resources Management are to prepare guidelines to ensure that all employees are aware of the key aspects of Copyright legislation, in so far as these requirements impact on their duties”
- “All employees are required to fully comply with the organisation’s Information Security Policies. The monitoring of such compliance is the responsibility of management”

* RUSecure™ Information Security Policies


Critical factors for successful application -1-

- Alignment with business goals
- Management support
- Organizational culture
- Address specific security requirements
- User awareness, training and education
- Review and evaluation procedures
- Gradual introduction, change management


Critical factors for successful application -2-

- Clear, easy to understand
- Easily accessible
- Complete
- Up-to-date
- Extendable
- Applicable
- Technology independent


Security Policies Review

- Scheduled reviews, e.g. once every 18 months
- Occasional reviews, when major changes occur (e.g. network configuration, new applications)
- Review results utilized for evaluating and updating the Security Policy


Conclusions

- There is no “out of the box” security solution
- Customize Security Policies: content, structure, security guidelines
- Utilize best practice, Information Security Standards
- Effective implementation is context-dependent