Information security policies
Security in Organizations 2011
Eric Verheul
Literature

Main literature for this lecture:
1. ISO 27001 and ISO 27002
2. Besluit voorschrift informatiebeveiliging rijksdienst 2007 (www.wetten.nl)
3. Beveiligingsvoorschrift Rijksdienst 2005 (www.wetten.nl)
Variants on ISO 2700* (items 2 and 3).
Outline
- Introduction
- Requirements on IS policies from ISO 2700x and VIR-2007
- Organization of information security
- IS policy layout
- Some first feedback from assignment #1
Introduction
- Every organization needs an IS policy.
- Most organizations have an IS policy, but in many cases it is just a paper tiger:
  - not sufficiently concrete
  - not in line with what is actually done operationally
  - and, most of all, not implemented
- I am giving you my perspective on IS policy, based on experience and on ISO 2700x and the Voorschrift Informatiebeveiliging Rijksdienst 2007.
Requirements: introduction

Three levels of information security, each with its own parties and instruments:
- Strategic IS: senior management; instrument: the IS policy
- Tactical IS: line management; instruments: IS guidelines and parameters
- Operational IS: operations (administrators, employees, external parties); instruments: IS procedures and settings

Reporting runs in the opposite direction, from operations back up to senior management.
- The IS policy is a means of communicating IS requirements to the organization.
- The organization communicates back through (progress) reports.
Requirements from ISO 2700x and VIR: ISO 2700x
- Recall: ISO 27001 describes an ISMS that refers to ISO 27002 for security controls.
- Both ISO 27001 and ISO 27002 have requirements on the IS policy:
  - ISO 27002: Chapter 5, Security Policy
  - ISO 27001: Clause 4.2.1 b)
Requirements from ISO 27002, Section 5.1.1

Control: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.

Guidance (contents of the policy document):
- Definition of information security
- Management intent and support
- Framework for implementing IS
- General principles to follow (e.g., legal, awareness, BCP, security incidents)
- Definitions of roles and responsibilities
- References to documentation
Requirements from ISO 27002, Section 5.1.2

Control: The information security policy should be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

Guidance on input to the review:
- Feedback from interested parties
- Results from (independent) reviews
- Status of preventive and corrective actions
- Results of previous management reviews
- Changes that could affect the organization's IS approach
- Trends related to threats and vulnerabilities
- Reported information security incidents
- Recommendations provided by relevant authorities
Requirements from ISO 27002, Section 5.1.2 (continued)

Control: The information security policy should be reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

Guidance on output of the review:
- Improvement of the organization's approach to managing information security and its processes
- Improvement of control objectives and controls
- Improvement in the allocation of resources and responsibilities

Note: the ISO 27002 Chapter 5 requirements resemble the ISO 27001 PDCA cycle.
Requirements from ISO 27001, Clause 4.2.1 b)
Requirements from ISO 2700x and VIR: Voorschrift informatiebeveiliging rijksdienst 2007 (VIR)
- Applicable to the Rijksdienst (central government), most notably the departments (ministeries)
- Applicable to all information, regardless of its form
- Stipulates that information security is the responsibility of line management
- Article 3 sets requirements on an information security policy
- Article 4 describes the responsibilities of line management
Requirements from VIR, Article 3

An information security policy document includes:
- Strategic principles and conditions on IS
- Description of the IS organization, including responsibilities
- IS baselines
- Frequency of IS policy review
- Description of how security awareness is increased

The IS policy is approved by the Secretary General (the highest civil servant within a department), who is ultimately responsible for its implementation.
Requirements from VIR, Article 4

Line management:
- is ultimately responsible for the information security of his/her information systems
- sets security controls based on a risk assessment
- is ultimately responsible for the implementation of these security controls
- periodically evaluates information security and adjusts it accordingly
Outline
- Introduction
- Requirements on IS policies from ISO 2700x and VIR-2007
- Organization of information security
- IS policy layout
- Some first feedback from assignment #1
The IS process in helicopter view

The steps below run along the Plan, Do, Check, Act cycle:
- Setting the IS policy
- Allocation of IS roles and responsibilities
- Setting security baselines
- ISMS implementation (incl. setting the risk assessment methodology)
- Implementing security baselines
- Conducting risk assessments
- Implementation of additional controls
- Reviewing compliance with policy
- Reviewing IS effectiveness
- Periodic review of IS by management
- Planning of corrective actions
Distinguished IS parties within the organization
- Senior management
- Security office
- Line management (system owners)
- Internal / external auditors
- Supporting internal / external services
- IS projects
- Employees of the organization
Senior Management

What:
- Giving commitment on information security
- Approval of the IS policy
- Bootstrapping the ISMS (security officer)
- Providing resources and budget
- Management of serious security incidents
- Periodic review of IS ("Act"), including adjusting the IS policy
- Sponsoring of IS projects

Reports to:
- Stakeholders
- Supervisory board
Security Officer

What:
- IS centre point; sits between senior management and the organization
- Drafting / revising the information security policy, including security baselines (but not approval!)
- Providing specific guidelines on information security
- Daily supervision on information security
- Security incident handling
- Progress control on IS, including IS projects
- Initiation of IS projects
- Arranging the periodic management review

Reports to:
- Senior management
Security Office (organization chart)
- Headquarters: CISO
- Business units: BISO
- Locations: ISO
Line management (system owners)

What:
- Conducting risk assessments on their systems
- Implementing security (baselines, additional controls)
- Agreements with internal / external parties on security, e.g. as arising from risk assessments
- Supervision on information security, e.g. talking to non-compliant employees

Reports to:
- Security office
Line management (system owners): example risk classification criteria

Risk classes Low, Medium and High are defined by criteria related to Confidentiality, Availability and Integrity; the slide fills in only the Integrity column.

Integrity, risk Low. Incorrectness of information can result in:
- fraud of less than Euro 2.500
- no bad publicity
- no damage to the operational management due to incorrect management decisions
- no risk for liability or non-compliance with rules and regulations

Integrity, risk Medium. Incorrectness of information can result in:
- fraud of less than Euro 25.000
- bad publicity in local news media
- limited damage to the operational management due to incorrect management decisions
- limited risk for liability or non-compliance with rules and regulations

Integrity, risk High. Incorrectness of information can result in:
- fraud of substantially more than Euro 25.000
- bad publicity in national news media
- unacceptable damage to the operational management due to incorrect management decisions
- high risk for liability or non-compliance with rules and regulations
Internal / external audit

What:
- Conducting audits on compliance with the IS policy
- Conducting audits on the ISMS: are all parties doing the things they should do? Is the ISMS effective?
- Conducting specific audits, e.g., compliance with baselines
- Should be independent

Reports to:
- Senior management
Supporting internal / external services

What:
- Internal: IT department (!), facility department, HR, legal department, etc.
- External: employment agencies, contractors, couriers, security guards
- Compare the ISO 27002 chapters
- Implementing security baselines
- Implementing specific additional security controls arising from risk assessments

Reports to:
- Security office
- Clients (line management)
IS projects

What:
- Implementation of specific security (e.g. PKI, IPS, IAM)

Reports to:
- Project leaders
- Security office
Employees of the organization

What:
- Adhering to security baselines and specific controls arising from risk assessments
- Reporting security incidents

Reports to:
- Security office
- Line management
Relation with PDCA

A matrix with the parties (senior management, security office, line management (system owners), internal / external auditors, supporting internal / external services, IS projects, employees of the organization) as rows and the PDCA phases P, D, C, A as columns; an X marks the phases in which each party is involved (14 marks in total).

Quiz: there is one X wrong here; which one?
Relation with PDCA (answer)

The same party-by-phase matrix as on the previous slide, with the wrong X corrected.
Outline
- Introduction
- Requirements on IS policies from ISO 2700x and VIR-2007
- Organization of information security
- IS policy layout
- Some first feedback from assignment #1
IS policy layout

Chapter: what it contains
- Introduction: background on the organization (what it does / produces, clients, etc.)
- Management approval: senior management approval (and commitment)
- Definition of information security: what is CIA, what is IS?
- Basic principles to follow: minimal requirements to be met
- Objective and scope: important IS aspects within the organization; what falls under the policy (scope)
- Organization of information security: who is responsible for what?
- Approach: relation with PDCA; how do you implement PDCA?
- Baselines: make a choice of controls that are important for all systems / processes
Introduction

FNWI (http://www.ru.nl/fnwi/):
- Education
- Research (http://www.ru.nl/science/research/research_facilities/)
- Paid research (e.g., LaQuSo, http://www.ru.nl/publish/pages/566471/rujv2006opmaak.pdf)
- Service departments (http://www.ru.nl/science/about_the_faculty/service_departments/)
Management approval
- Education institutes
- Research institutes
- Service departments
Management approval

Education institutes:
- Onderwijsinstituut voor Biowetenschappen
- Onderwijsinstituut voor Informatica en Informatiekunde
- Onderwijsinstituut voor Moleculaire Wetenschappen
- Onderwijsinstituut voor Wiskunde, Natuur- en Sterrenkunde (WiNSt)

Research institutes:
- Donders Centre for Neuroscience (DCN)
- Institute for Computing and Information Sciences (ICIS)
- Institute for Mathematics, Astrophysics and Particle Physics (IMAPP)
- Institute for Molecules and Materials (IMM)
- Institute for Science, Innovation and Society (ISIS)
- Institute for Water and Wetland Research (IWWR)

Service departments: see next slide.
Management approval

Service departments:
- Faculteitsbureau
- C&CZ, Computer- and Communications Department
- FEZ, Financiën en Economische Zaken
- IHZ, Interne- en Huisvestingszaken
- OWC, Onderwijscentrum (incl. Facultaire Studenten Administratie / Examenbureau)
- P&O, Personeel en Organisatie
- TeCe, TechnoCentrum (Technical Department)
- Library of Science
- EXO steunpunt
- GI, General Instruments (IWWR)
- Experimental Garden and Genebank (IWWR)
- OC, Onderdeelcommissie
Definition of information security
- Just cite ISO 2700x.
Basic principles to follow
- Minimal requirements to be met
- What falls under the policy (scope)
- Which laws do you think are applicable?
Objective and scope
- What are important IS aspects within FNWI? Consider the service departments listed under Management approval (Faculteitsbureau, C&CZ, FEZ, IHZ, OWC, P&O, TeCe, Library of Science, EXO steunpunt, GI, Experimental Garden and Genebank, OC).
Organization of information security / Approach
- Who is responsible for what?
- Relation with PDCA
- Parties: education institutes, research institutes, service departments
Baselines

Make a choice of controls that are important for all systems / processes. The ISO 27002 chapters, with their NEN (Dutch) translations:
- 5 Security Policy (Beveiligingsbeleid)
- 6 Organization of Information Security (Beveiligingsorganisatie)
- 7 Asset Management (Classificatie en beheer van bedrijfsmiddelen)
- 8 Human Resources Security (Beveiligingseisen ten aanzien van personeel)
- 9 Physical and Environmental Security (Fysieke beveiliging en beveiliging van de omgeving)
- 10 Communications and Operations Management (Beheer van communicatie- en bedieningsprocessen)
- 11 Access Control (Toegangsbeveiliging)
- 12 Information Systems Acquisition, Development and Maintenance (Ontwikkeling en onderhoud van systemen)
- 13 Information Security Incident Management (Incidentmanagement)
- 14 Business Continuity Management (Continuïteitsmanagement)
- 15 Compliance (Naleving)