This document discusses information security policies and frameworks. It outlines three key layers of information security: policies, people (through security education, training and awareness programs), and technology. It also describes the 10-step process for designing security policies, which includes collecting background information, performing risk assessments, creating review boards, developing security plans, implementing policies and standards, and monitoring for compliance. Finally, it discusses common security models and standards like ISO 27001 and 17799 that provide guidance on developing organizational security policies and management systems.
Policy Violations: Penalties are defined for violations.
Policy Review and Modifications: The policy is periodically reviewed and modified if required.
Limitations of Liability: It includes a statement of liability.

A Structure and Framework of a Comprehensive Security Policy
It outlines the overall information security strategy.

Sphere of Security: the foundation of a good security framework. It defines the controls between information and systems, between systems and networks, and between networks and the Internet. In this sphere, information security is implemented in three layers:
- Policies
- People (security education, training and awareness)
- Technology
Security Education, Training and Awareness (SETA)
- Awareness about protecting system resources.
- Develops the skills and knowledge with which users can perform their jobs more securely.
- Builds in-depth knowledge for designing, implementing and operating security programs for organizations.

SETA Program:
Security Education: This can be achieved by investigating the available courses.
Security Training: It gives employees detailed information and hands-on practice; professional agencies may provide it.
Security Awareness: It keeps users up to date on information security through newsletters, posters and bulletin boards.

Policy Infrastructure
The foundation of information security is information security policies and standards. The major information security functions are:
1. Information protection.
2. Control of access to information.
3. Monitoring of users.

Policy Design Life Cycle
Policy provides a framework for the management of security across the enterprise.
- Identify the information security goals.
- The policy should include standards, procedures and guidelines.
- Users should be made aware of all of these so that they can perform their jobs securely.
- When users' actions are secured, complete information security can be achieved.

Security Policy
- Access to network resources will be granted through a unique user ID and password.
- Passwords should include one non-alphabetic character and must not be found in a dictionary.
- Passwords will be 8 characters long.

Design Processes
This policy life cycle can be designed using a 10-step approach.
Step 1: Collect Background Information.
- Obtain existing policies.
- Identify what level of control is required on access to information.
- Decide who should design the policies.

Step 2: Perform Risk Assessment.
- Validate the policy against risk.
- Identify complex functions.
- Identify difficult processes.
- Identify confidential data.
- Assess the vulnerabilities.
Step 3: Create a Policy Review Board.
- Determine the policy development process.
- Write the initial draft.
- Send the draft to the review board.
- Modify the draft by incorporating suggestions.
- Resolve the issues face to face.
- Submit the reviewed draft policy to the cabinet.

Step 4: Develop the Information Security Plan.
- Determine organizational goals.
- Define roles and responsibilities.
- Notify the user community about the direction of the policy.
- Establish a foundation for compliance, risk assessment and audit of information security.

Step 5: Develop IS Policies, Standards and Guidelines.

Step 6: Implement Policies and Standards.
- Notify users and distribute the policies among them.
- Obtain agreement with the policies before access to confidential systems is granted.
- Enforce controls to meet the policies.

Step 7: Awareness and Training.
- Make system users aware of expected behavior.
- Train users.
Step 8: Monitor for Compliance.
- Security management is required for establishing controls on information.
- Implement user contracts (code of conduct).
- Establish effective authorization approval.
- Conduct internal review and audit processes.

Step 9: Evaluate Policy Effectiveness.
- Evaluate the policy if there are problems.
- Document the policy properly.
- Report it to management.

Step 10: Modify the Policy, when prompted by:
- Upcoming technology.
- New types of threats.
- New goals.
- Changes in law and organizational standards.
- An unsuccessful existing policy.
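Step 6 calls for enforcing controls that meet the policy and Step 8 for monitoring compliance. As an added illustration (not part of the original slides), the following Python check enforces the three password rules of the sample Security Policy given earlier: at least one non-alphabetic character, not a dictionary word, and 8 characters long (read here as a minimum length, which is an assumption). The dictionary word list is a constructed stand-in; a real deployment would load a full word list.

```python
import re

# Constructed stand-in for a dictionary word list (assumption: a real deployment
# would load a full lowercase word list, one word per line).
DICTIONARY_WORDS = {"password", "welcome", "dragon", "letmein", "monkey", "sunshine"}

# "Passwords will be 8 characters long" is read here as a minimum (assumption).
MIN_LENGTH = 8


def check_password_policy(password, dictionary=DICTIONARY_WORDS):
    """Return the list of policy rules a candidate password violates.

    An empty list means the password is compliant. Intended to run at
    password-change time, before the password is hashed and stored.
    """
    violations = []

    # Rule: 8 characters long (enforced as a minimum).
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Rule: at least one non-alphabetic character.
    if not re.search(r"[^A-Za-z]", password):
        violations.append("no non-alphabetic character")

    # Rule: not found in the dictionary. Compare case-insensitively, and also
    # with digits and symbols stripped, so 'Welcome1!' is still caught as the
    # dictionary word 'welcome' even though it passes the first two rules.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in dictionary or letters_only in dictionary:
        violations.append("found in dictionary")

    return violations


def compliance_report(candidates, dictionary=DICTIONARY_WORDS):
    """Map each candidate password to its violations (a Step 8 style check
    over constructed samples)."""
    return {pw: check_password_policy(pw, dictionary) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample candidates: one failing each rule, plus a compliant one.
    samples = ["password", "Sun5hin", "Welcome1!", "Tr0ub4dor&3"]
    for pw, result in compliance_report(samples).items():
        status = "compliant" if not result else "; ".join(result)
        print(f"{pw!r}: {status}")
```

The check returns the names of the violated rules rather than a bare boolean so the message shown to the user (Step 7, awareness) and the figure logged for compliance monitoring (Step 8) come from the same source.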
PDCA Model
PDCA stands for Plan, Do, Check and Act.
Security Policy, Standards and Practices
BS 7799, ISO/IEC 17799: The most common security model in IT is the Code of Practice known as British Standard 7799. This code of practice was adopted as an international standard by the ISO and became known as ISO/IEC 17799 in 2000, a framework for information security. It has a few drawbacks:
- It did not define the justification for the code of practice.
- It does not have the correctness required of a technical standard.

Objectives of ISO/IEC 17799:
- Security policies.
- Organization of information security.
- Asset management.
- Physical and environmental security.
- Controlling system access.
- Business continuity planning.
- Compliance with the standard.

ISO 27001 ISMS Tool Kit
ISO reserves the 27000 series for information security matters. It defines information security as the preservation of CIA (confidentiality, integrity and availability). It defines a management system (MS) as the organization, policies, planning activities, responsibilities, practices, procedures, processes and resources. This standard includes the guidelines and basic principles for initiating, implementing, maintaining and improving an ISMS. It also provides guidance for the development of organizational security standards.
ISO 27001
Steps for implementing ISO 27001:

Step 1: Establish the ISMS.
- Define scope and boundaries.
- Define location, assets and technology.
- Define the justification for any exclusion.
- Define the ISMS policy.

Step 2: Implement and Operate the ISMS.
- Enforce a risk treatment plan that identifies the correct actions, resources and responsibilities for managing information security risks.
- Implement the controls.

Step 3: Monitor and Review the ISMS.
- Detect errors in the results.
- Identify security breaches.
- Check whether the security actions are performed as expected.

Step 4: Maintain and Improve the ISMS.
- Incorporate the identified improvements in the ISMS.
- Take appropriate corrective actions based on the lessons learnt from the security incidents of other organizations.
- Notify interested parties regarding the actions.