What’s Needed for a Successful Information Security Policy?
An Educational Paper Contribution:
Today organizations face an ongoing battle to protect their information assets from external and internal threats. A security policy should be treated as a living document that always evolves with the latest threats it protects against. Before you begin writing a policy, do your research: know what you are protecting, whom you need to talk to, and what laws and regulations your policy needs to enforce.
Security policies set the guidelines and structure of the organization. A well-written policy documents how data and networks will be protected and what rights users have on the network and in applications. When incidents happen, policies direct users to the correct steps to take. This paper gives the steps to think about when creating a policy.
- Be sure to define the topic.
When creating an information security policy there are several things that need to be considered: 1) Will management support and enforce the policy? 2) How does the information security policy affect the organization? 3) What is the framework for a successful policy?
Always keep in mind when writing a policy what you are trying to protect and the potential threats. The main goals of the policy are to protect assets, set rules and guidelines, define what a person is authorized to do, minimize risk, establish a baseline for security, and track compliance with regulations and legislation. There are two types of policies: governing and technical. The governing policy is written at a high level for management; the enterprise information security policy is also known as the governing policy. The technical policy addresses the who, the what, the when and the where by describing what must be done, and is written for end users, technical users and management. Technical policies are also known as issue-specific and system-specific security policies.
The policy development lifecycle can guide you in developing your own policies. There are 15 steps to follow:
1) Obtain senior management commitment.
2) Work with legal and HR to set a compliance grace period.
3) Determine who needs to be involved in writing the policy.
4) If there is an existing policy, review it to see if it is still compliant.
5) Do research on security policies by searching the internet, talking to other security professionals, and reading books and whitepapers.
6) Have a good understanding of the organizational needs and what is being protected before interviewing the SMEs to get the correct information.
7) Write the initial draft to see how it is accepted by management and users.
8) Consult your company style guide so the policy is uniform.
9) Determine review cycles to keep the document up to date.
10) Set up a review with additional stakeholders that have an interest in the policy.
11) Identify any gaps before publishing your policy.
12) Have a game plan for how you will communicate the policy to the organization.
13) Always publish your policy where all employees have access.
14) Make sure you have a plan to communicate it to users.
15) Lastly, make sure you regularly update and review the policy.
This is a living document and should not become shelfware.
- How/why/when is it used in practice?
An information security policy is needed at each step of the information security program. Your program is only as good as the policies you have in place. Policies are used to control the use of hardware, define users' access to applications and data, and govern email and internet usage; the number of policies depends on the company's needs and goals. Your policy should give direction and be written with your target audience in mind. Remember that when creating your policy you are protecting the organization's data: its confidentiality, integrity and availability.
- Different types of the product/standards/regulation associated with the topic.
The requirements for writing a policy are that it should not conflict with the law, must be able to stand up in court, and must have the proper support. Depending on your organization, the regulations to follow include PCI Data Security, the HITECH Act, HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley), the ISO family of security standards and GLBA (Gramm-Leach-Bliley Act). The policy written for the organization determines the standards. There are not really products for writing policies, but there is guidance from NIST documents, books, and organizations like SANS and ISACA.
- Your recommendation on the topic and its future viability to Information Security
My recommendation for the topic is to do an assessment of your applications to understand what needs to be protected. This way your policies can be written to protect the assets and the organization from threats and vulnerabilities. Policies need to have the support of management and be enforceable. Any type of policy, whether enterprise information security policy, issue-specific or system-specific, needs to be written in a way that is easy for the user to understand.
- What do you think the next step is for the topic?
The next step for policies is trained security personnel who understand the difference between a policy, a standard and guidelines; who can explain why policies are important to protecting the organization's reputation and what their cost benefits are; who understand the business needs and the assets being protected; and who have a strong understanding of the law to know what is enforceable. As security personnel you need to know the important people to pull in, such as legal, management, human resources and administrators, depending on the policy being written.
- What possible research application can be investigated for your topic?
For my topic, there is not really an application you can investigate, but there are several websites, like CERT, vendor sites and antivirus software sites, that help you stay on top of the latest vulnerabilities. These sites help you stay up to date with the current threats facing your applications and network. You also need to stay on top of presidential executive orders, FISMA, NIST and the laws.
Conclusion
The main goal of security is protecting the confidentiality, integrity and availability of company assets. You must determine what you are protecting and how to protect it. A policy is the lifeline of information security in a company. Having a policy shows the company's due diligence in protecting assets. Know the key players and have management buy-in. Perform a risk assessment on your applications to know what threats are facing your company. This gives a baseline for your policy. Knowing your risk can help you set priorities on which policies are needed first and are most cost-effective.
Once you have the policy created and the users trained, remember that a policy is a living document and must be reviewed on a regular basis to adapt to a changing environment.
Complementing a Security Management Model with the 20 Critical Security Controls
An Educational Paper Contribution:
There are strategic benefits to complementing an organization’s existing security management model with the 20 Critical Security Controls, a threat-focused approach to improving the security environment. Today’s cyber attacks are increasing in sophistication and exposing gaps in current security models, which do not provide an effective blueprint for organizations to prioritize the security controls that actually stop and detect cyber attacks. The 20 Critical Security Controls were developed by a consortium of experts from various government, industry, and academic organizations to provide a blueprint for how to prevent, detect, and mitigate actual attacks impacting organizations worldwide.
The complexity and velocity of the threats organizations face are only escalating, and there is a definite need for careful analysis of attack trends to determine effective mitigations. According to a recent study by Verizon, 92% of data breaches in 2012 were perpetrated by outsiders and one-fifth of all data breaches were connected with state-affiliated actors, which highlights that the sophistication and resources available to conduct attacks are growing. Furthermore, 69% of breaches were discovered by an external party and often went months before they were detected, offering a glimpse into how little visibility organizations have into active attacks (Verizon, 2013, pp. 5-6). Of the top threat actions identified in 2012, which were tampering, spyware, backdoor, export data, use of stolen credentials, capture stored data, phishing, command and control, downloader, and brute force, seven were related to malware. Verizon’s analysis and recommendations stated that the Critical Security Controls, if implemented, could have directly limited the success of the top threat actions, leading to the recommendation that most organizations could benefit from implementing all of the Critical Security Controls to some level (Verizon, 2013, p. 58).
The organizations affected by data breaches in 2012 were a cross section of small to large organizations, geographically spanning 27 countries and representing a diverse assortment of industries (Verizon, 2013, pp. 4-5). These organizations probably had reasonable security controls in place, such as firewalls, antivirus, and security policies, and given the widespread reference to and adoption of various security management models, such as ISO 27000, COBIT and NIST, and compliance frameworks such as PCI DSS, these organizations undoubtedly had access to industry best practices and recommendations. However, even with all these good resources, organizations are increasingly finding themselves reacting to security breaches, often as a result of notification by outside parties, which have caused damage to the organizations’ reputations and actual economic losses of information and intellectual property.
John Pescatore, a seasoned security analyst formerly with Gartner and now with the SANS Institute, noted, “Most of the Compliance regimes are invariably rigid, top-down structures, whereas the CSC effort is purposely bottom-up” (Pescatore, 2013, p. 20). This characterization could point to the reason there is an apparent disconnect between many organizations’ attempts to maintain compliance with various security management models and the fact that they are not effectively stopping attacks. A recent report by the Center for Strategic and International Studies makes an interesting point about compliance frameworks:
“The older compliance and audit-based approach found in legislative mandates like the Health Information Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), and the Financial Services Modernization Act (also known as Gramm-Leach-Bliley, GLB) is both resource intensive and ineffective. Compliance is usually a good thing, but in cybersecurity it came to stand for a static, paper-driven method that was expensive without providing equivalent benefits” (Lewis, 2013, p. 7).
The new approach to cyber security is based on evaluation of attack data and of what measures have effectively prevented attacks. The resulting analysis and recommendations offer organizations a chance to assess their security environment with a clear goal in mind.
The stated goal of the Critical Security Controls is to, “…protect critical assets, infrastructure, and information by strengthening your organization’s defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.” The controls were developed by experts from various government agencies including the NSA, FBI, US Department of Defense, US Department of Homeland Security, the UK government’s Centre for the Protection of Critical Infrastructure, and the Australian Defence Signals Directorate, with the assistance of various other industry recognized professionals. Five principles of an effective cyber security defense are reflected in the Critical Security Controls:
- “Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
- Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.
- Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
- Continuous monitoring: Carry out continuous monitoring to test and validate the effectiveness of current security measures.
- Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics” (Council on CyberSecurity, 2013, pp. 2-3).
The Critical Security Controls represent controls that are already found in many of the security management models in use today and are not meant to replace these models, but to focus and prioritize the controls that are implemented to achieve significant reductions in attack success. Simply put, the Critical Security Controls represent the controls most likely to enhance an organization’s security posture, and provide a guide to management to know where to focus their attention and resources first. One reason the Critical Security Controls are so valuable to smaller organizations is that they allow an organization to leverage the expertise of government, industry, and academia in determining what threats and vulnerabilities they are likely to face and should therefore allocate their resources to defend against (Sager, 2013, p. 1).
The consensus based risk assessment approach essentially allows for a risk assessment based on what the community of experts are seeing, rather than only relying on the expertise internal to one organization to determine the right responses. Tony Sager, the former chief of the information assurance directorate at the NSA, asserts the Critical Security Controls are a “foundational risk assessment” that allows an organization to use it to determine where to start taking action. The case for why the Critical Security Controls are relevant is simply that organizations today use common technologies and face common threats in an increasingly interconnected environment where organizations are linked to each other, so a common baseline of Critical Security Controls is applicable to many organizations. Additionally, organizations may not have access to the resources and expertise to produce the results of the Critical Security Controls, so by leveraging the power of the community, they are in a better position to quickly assess and implement a baseline of defenses to thwart most attacks and then can concentrate their focus on specific threats to their business to further enhance their security posture (Sager, 2013, pp. 1-2).
Expanding on the concept of using the Critical Security Controls as a foundational risk assessment is the goal of implementing continuous monitoring. Given the dynamic nature of risks organizations face, there is an incentive to consider the move to continuous monitoring as a way to ensure risks are being managed effectively. Risk assessment should not be a periodic activity, but should be integrated with the continuous monitoring approach used to manage risks based on the constant stream of new information available. The Critical Security Controls offer another key advantage in this space as they provide an organization with a prioritized list of the most important elements to target for continuous monitoring (Sager, 2013, p. 3).
Automation of the continuous monitoring process is also key in leveraging the ability of the controls to quickly provide value to an organization. A central philosophy in the design of the Critical Security Controls is that, “…any defenses that can be automated, should be automated,” enabling rapid detection and mitigation of attacks on an organization’s network, with the goal of minimizing the damage (Tarala, 2012, p. 1). Today’s organizations are up against some very sophisticated attacks, including malware that has the potential to avoid signature-based detection and the ability to disable antivirus and other security tools. This stresses the importance of having automated controls such as application whitelisting, intrusion detection systems, and asset tracking systems that run and report automatically (Tarala, 2012, p. 5). The principal way to accomplish automation and continuous monitoring is by deploying sensors to collect threat data from inbound and outbound network traffic and report it for correlation and further analysis. The Critical Security Controls outline 45 different sensors that can be put into use by organizations. These include asset tracking, vulnerability management systems, patch management systems, intrusion detection systems, authentication systems, and file integrity systems (Tarala, 2012, pp. 6-7). Automation does not eliminate the need for intelligent people to analyze the information and determine how to respond, though it does maximize their efficiency and effectiveness by showing when and where attacks are happening so they can focus their time on remediating any issues that arise.
The Critical Security Controls offer a compelling incentive to organizations to align their security environment with these effective mitigations and reduce their potential for successful attacks. As organizations implement these controls, it is likely they will realize cost savings through automation, increased visibility into the actual threats they face through continuous monitoring, and an overall lower risk of cyber attack, espionage, and theft, which can be a competitive advantage for any organization in today’s increasingly connected world.
CNET News – Hector Monsegur interview part 1: Sabu speaks about his early days of hacking
CNET News – Hector Monsegur interview part 2: Operation Tunisia and serious hacks
CNET News – Hector Monsegur interview part 3: Sony’s hack and Sabu’s next steps
Former Anonymous hacker doubts North Korea behind Sony attack
As the U.S. comes closer to publicly blaming North Korea for the Sony cyberattack, former Anonymous hacker Hector Monsegur is raising doubts. He should know because he once hacked into Sony. Elaine Quijano sat down with Monsegur, also known as “Sabu,” who was responsible for some of the most notorious hacks ever committed.
How the Sony hack was traced back to North Korea
The FBI statement was definitive: “The North Korean government is responsible” for the cyberattack on Sony.
Obama: Sony “made a mistake” pulling movie
The attack was routed through servers in countries all over the world in an effort to hide its origin, but President Obama said North Korea is the sole culprit.
The Three General Categories of Policies
The three general categories of policies involved with information security are: (a) general or security program policies, (b) issue-specific security policies, and (c) system-specific security policies.
A general or security program policy is the overarching information security policy for an organization. This policy provides the foundation for the lower-level and more detailed security policies. The general or security program policy directly supports the organization’s mission or business objectives and has the endorsement of executive management. This policy sets the framework that the other security policies shall follow and support. Included in this overarching policy are the scope, purpose, roles and responsibilities, any constraints, and the applicability of the policy for the organization.
An issue-specific security policy addresses a specific area of technology within an organization, such as email, or use of the internet. The issue-specific security policy contains a brief description of the issue and instructions for the proper use of the associated technology. Due to rapid developments in technology, this policy will require frequent updates to remain current and relevant. Issue-specific policies may also detail the prohibited use of technology or equipment in addition to the acceptable use. Issue-specific security policies may be individual and assigned for one type of technology or they may be all-inclusive of various technologies in use at the organization.
System-specific security policies are written documents that provide standards or procedures for configuring and maintaining information systems such as time-sheet and expense account systems or information technology equipment such as network firewall devices. System-specific security policies can be grouped as managerial guidance or as technical guidance. Managerial guidance supports the organization’s objectives in the implementation and configuration of information systems and information technology equipment. Technical guidance supports the managerial guidance and provides the details necessary to implement and manage the information systems and information technology equipment. These detailed policies can include access control lists that specify who can access systems, what they can access, when they can access, and where they can access systems. System-specific security policies can also include configuration rules such as firewall rule policy settings and intrusion detection/prevention rules.
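The who/what/when/where access rules described above, as an added example that is not part of the original text: a small default-deny evaluator in Python. The rule fields, the sample policy and the requests are all constructed for illustration, and the evaluator reports which dimension denied a request, which is what an audit log entry should record.

```python
"""Added example, not code from the paper: a default-deny evaluator for the
who/what/when/where access rules a system-specific policy can specify.
Rule fields, the sample policy and the requests are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class AccessRule:
    group: str                      # who: group the subject must belong to
    system: str                     # what: the system the rule covers
    actions: frozenset              # what: actions allowed on that system
    window: Optional[Tuple[str, str]] = None    # when: "HH:MM" start/end, None = any time
    networks: Tuple[str, ...] = ("0.0.0.0/0",)  # where: permitted source networks


# Constructed policy: finance staff may read and submit expenses from the office
# network during business hours; network admins may configure the edge firewall
# at any time, but only from the management network.
POLICY = [
    AccessRule("finance", "expense-system", frozenset({"read", "submit"}),
               window=("08:00", "18:00"), networks=("10.1.0.0/16",)),
    AccessRule("netadmin", "edge-firewall", frozenset({"read", "configure"}),
               networks=("10.99.0.0/24",)),
]


def evaluate(policy, groups, system, action, at, src_ip):
    """Return ("allow", rule) when some rule matches on all four dimensions,
    otherwise ("deny", reason). The reason names the dimension that failed on
    the closest rule. `at` is a zero-padded "HH:MM" string, so plain string
    comparison orders times correctly."""
    addr = ip_address(src_ip)
    reason = "no rule grants this group access to this system"
    for rule in policy:
        if rule.group not in groups or rule.system != system:
            continue
        if action not in rule.actions:
            reason = f"action {action!r} is not permitted on {system}"
            continue
        if rule.window is not None and not (rule.window[0] <= at < rule.window[1]):
            reason = f"request at {at} is outside the permitted window"
            continue
        if not any(addr in ip_network(net) for net in rule.networks):
            reason = f"source {src_ip} is not in a permitted network"
            continue
        return ("allow", rule)
    return ("deny", reason)


if __name__ == "__main__":
    # Constructed requests: one permitted, three denied on different dimensions.
    print(evaluate(POLICY, {"finance"}, "expense-system", "submit", "09:30", "10.1.4.7"))
    print(evaluate(POLICY, {"finance"}, "expense-system", "submit", "20:15", "10.1.4.7"))
    print(evaluate(POLICY, {"netadmin"}, "edge-firewall", "configure", "02:00", "192.168.1.5"))
    print(evaluate(POLICY, {"finance"}, "edge-firewall", "read", "09:00", "10.1.4.7"))
```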
