security policy: the big picture, up close and personal · 2007-01-06



12/30/2005

security policy: the big picture. up close and personal.

peter h. gregory, cisa, cissp, [email protected]


peter h. gregory, cisa, cissp

• writer: computer viruses for dummies, blocking spam and spyware for dummies, cissp for dummies, security+ for dummies; computerworld columnist.

• speaker: RSA, SecureWorld Expo, West Coast Security Forum, University of Washington, etc.

Evergreen State Chapter


agenda

• What is a security policy
• Why have a security policy
• Characteristics of a good policy
• How & where to begin
• ISO 17799
• Human factors to consider
• Success factors


what is a security policy?

• Wikipedia: A security policy is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security environment.

• SANS: A policy is typically a document that outlines specific requirements or rules that must be met.

• CERT: A security policy defines the set of laws, rules, and practices that regulate how an organization implements, manages, protects, and distributes computing resources to achieve security objectives.

• Me: a doctrinal statement that defines a principle related to the protection of corporate assets. Policy is law.


why have a security policy?

• consistent approach for protecting assets
  – consistent across staff
  – consistent across departments
  – consistent across contexts
  – consistent over time

• legal protection
• because Sarbanes-Oxley, GLBA, HIPAA, FERC, VISA, etc. said so


characteristics of a good policy

• simple
• concise
• unambiguous
• durable
• achievable
• measurable
• enforceable
• not technology-specific


a policy is not:

• a procedure
• a standard
• an architecture
• a checklist
• a configuration

however, we should have policies that require these things!!


the security policy ecosystem

• executive support and leadership by example
• individual written acknowledgement
• monitoring and management reporting
• enforcement
• document lifecycle
• awareness training
• explanatory materials

having a policy is more than just having the written document. it is only a part of the big picture.


how and where to begin (1)

• brand new construction
  – vacant lot with a building permit

• focus on the big picture. consider:
  – objectives
  – level of executive & management support
  – roles & responsibilities
  – regulatory requirements
  – current structure (document and ecosystem)


how and where to begin (2)

• tear-down
  – it’s a wreck and we need to almost start over
  – save a few good parts, add a lot of new stuff

• focus on the big picture. consider:
  – objectives
  – level of executive & management support
  – roles & responsibilities
  – regulatory requirements
  – current structure (document and ecosystem)


how and where to begin (3)

• remodeling
  – from patch ‘n paint to adding a room
  – adding sections, restructuring, modernizing

• focus on the big picture. consider:
  – objectives
  – level of executive & management support
  – roles & responsibilities
  – regulatory requirements
  – current structure (document and ecosystem)


things to consider

• are objectives clear?
• what are you responsible for?
• are necessary resources available?
• resistance to change
• is senior management prepared to support and enforce?
• is awareness training & education required and included?


resources for sample policy content

• ISO17799
  – the de facto world standard
  – good for structure too

• SANS

• NIST


ISO 17799 structure

• Security policy
• Organizational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance


if you use ISO17799…

• Make sure each policy will work in your organization
• Consider your organization’s culture
• Add other sections / subsections as needed in order to cover your organization’s business activities
• Consider trolling SANS or other places for other policy ideas and content to be sure your policy is complete


challenging human factors to consider

• Resistance to change
• Resentment of authority
• Challenge to authority
• Sabotage
• Undermining credibility
• Snitches and scapegoats


success factors

• Executive sponsorship and support
  – Leadership by example
  – Real willingness to enforce
• Adequate resources
• Expertise (in-house, consultant)
• Policy should not conflict with organization’s culture
  – (unless the culture is in dire need of repair!)
• Negotiating skills
• Patience


characteristics of a successful change agency

• Identify and promote only essential changes
• Promote only those changes that have a chance to succeed
• Anticipate sources of resistance
• Distinguish resistance from well-founded criticism
• Involve all affected parties the right way
• Do not promise what you cannot deliver
• Use sponsors, partners, and collaborators as co-change agents
• Change metrics and rewards to support the changed world
• Provide training
• Celebrate all successes


resources

• ISO17799 – iso.ch (CHF176,00 ≅ USD150.00)
• SANS Security Policies – www.sans.org/resources/policies
• NIST Technical Guide to Internet Security Policy – http://csrc.nist.gov/isptg/
• iNFOSYSSEC Security Policy Writing Styles & Guides – http://www.infosyssec.com/infosyssec/secpol1.htm


recap

• What is a security policy
• Why have a security policy
• Characteristics of a good policy
• How & where to begin
• ISO 17799
• Human factors to consider
• Success factors
