Session 12 (2012)

Policy, Regulation, and Ethics

• Policy: Systems and procedures must meet policy requirements.
• Regulation: Organizations must comply with the requirements of the laws to which they are subject.
• Ethics: Organizations may choose to foster desired ethical behavior.

How Security, Regulation, and Ethics Are Related

• All three complement each other.
• A minimum is defined by regulatory requirements.
• Policies help ensure that these requirements are met and, where it is deemed appropriate and cost effective, that more is done.
• Promotion of ethical behavior is likely to generate desired behavior, aligned with meeting regulatory requirements and honoring policies.
• An environment where ethical behavior is stressed can foster a sense of duty: people may tend to do the right thing, beyond the law and policies.
Organization and Accountability

• Organization structure should ideally reflect accountability consistent with the roles of personnel.
• Accountability for information security is typically assigned to an information security director, who may report to:
  • the CEO, or
  • the CIO, or
  • another top-level executive.
• This role must be managed in a multidisciplinary context because issues of information security are multidisciplinary.
Security Policies

• Policy: A high-level document independent of all functions, roles, powers, and personalities.
• Security policy: A formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.
• Standards: Tend to enforce tried and tested practices.
• Procedures: Describe, where necessary, specific ways of securing information assets.
• Guidelines: Provide examples and interpretation of the policy and related standards to facilitate policy implementation.
Purposes of a Security Policy

• Informs users, staff, and managers of their obligations concerning protection of information technology and assets.
• Provides a baseline against which compliance with the policy can be assured.
• Provides a basis for determining what security tools to use to adequately protect information assets.
Characteristics of a Policy

• Tenure: Generally, a policy should have a long tenure, during which it may not change much.
• Requisite variety: Each policy must have requisite variety; all anticipated requirements for control must be addressed in the policy.
• Feasibility: Policies must pass the test of feasibility.
• Understandability: A policy must be written so that it is easy to understand.
• Balance: A policy must balance the need for security with the functionality and usability of information systems.
Content Areas of an Information Security Policy

• Purpose: Narrates why this policy is written and how it will benefit the organization.
• Scope: Clarifies to whom the policy applies.
• Policy: The core of the policy: the statement(s) that describe the policy.
• Definitions: If the policy uses particular terms, these are defined here. This allows for a very specific interpretation of the policy, irrespective of how these terms are used in the profession.
• Responsibilities: Identifies who is responsible for enforcement of the policy. If more than one party is responsible, the responsibility of each party with respect to enforcement should be clearly identified.
• Administration and interpretation: Identifies who is responsible for answering questions regarding the policy, for maintaining records of policy issues and how they were resolved, and for documenting violations of the policy and their resolution.
• Amendments/termination of the policy: States that (1) the organization reserves the right to modify, amend, or terminate the policy at any time and (2) the policy does not constitute a contract between the organization and its employees.
• References to applicable policies and standards: Lists the policies and standards related to this policy.
• Exceptions: Identifies how to request an exception to the policy, what information the request should provide, and to whom it should be addressed. Typically, all exception requests are handled in accordance with an information security exception policy.
• Violations/enforcement: Specifies where to report any known violations of the policy and what consequences could result from them. For example, consequences may include immediate suspension of user privileges, disciplinary action, or reporting the case to appropriate law enforcement agencies.
Classification of Policies

• Various alternative classifications are possible.
• Information security policies may be categorized:
  • using components of an information system;
  • in terms of physical security and logical security;
  • as system-specific or issue-specific.
Policy Development Process

The process must mirror the risk management process:
• Identify critical information systems, processes, and assets.
• Understand what risks each information asset faces.
• Identify the asset's vulnerabilities and anticipate the types of threat the asset might be subject to.
• Identify controls and security measures to protect the information asset.
• Develop a policy that provides cost-effective protection measures.
• Periodically review the policy in light of changes in the organization and its environment.
Regulatory Requirements

• Regulations exist in the area of information asset protection, and they must be met.
• Such regulations typically define the threshold needs for protecting information assets.
• Compliance with such requirements provides assurance that the entity is meeting the needs for protection of information assets at the levels required by law.
• At the same time, compliance helps the entity protect its information assets and prosecute those who compromise their security.
Regulatory Requirements and Security Objectives

Security objectives addressed by regulation:
• Information assets protection
• Authentication
• Integrity of logic
• Integrity of communication
• Confidentiality and privacy
• System availability
• Computer crimes

Objectives, vulnerabilities, and regulation

Security objective           | Selected vulnerabilities                                        | Illustrative regulatory requirements
-----------------------------|-----------------------------------------------------------------|-------------------------------------------------------------
Information assets protection| Theft; software piracy                                          | Computer Software Copyright Act of 1980; Digital Millennium Copyright Act (1998)
Authentication               | Impersonation; spoofing; session hijacking; man-in-the-middle attack | Electronic signature legislation; digital signature laws
Integrity of logic (programs)| Malicious code; buffer overflow                                 | Uniform Commercial Code
Integrity of communication   | Website defacement; active wiretap; falsification of message    | Electronic Communications Privacy Act of 1986
Confidentiality and privacy  | Eavesdropping; passive wiretap                                  | Right to Financial Privacy Act of 1978; Gramm-Leach-Bliley Act (1999); Children's Online Privacy Protection Act [COPPA] (1998); Health Insurance Portability and Accountability Act [HIPAA] (1996)
System availability          | Connection flooding; denial of service (DoS) attack; distributed denial of service (DDoS) | Computer Fraud and Abuse Act (1984, 1986, 1996)
Ethical Behaviour in Organizations

• Ethics: The principles of conduct that individuals and groups use in making and implementing choices.
• Principles of moral conduct are the foundation for ethical behavior.
• Ethical behavior may have implications for information security.
Business Ethics

• An organization is a group of individuals with shared values and goals.
• A business, as an organization, should deserve its place within society.
  • Organizational legitimacy is a result of the degree of congruence between the social values associated with or implied by the firm's activities and the norms of acceptable behavior in the larger social system to which it belongs.
• Individuals as employees should ask questions concerning the consequences of an action, the rights of others it serves, the consistency of decisions with basic values, and the feasibility of their actions in the world as it is.
Developing Information Management Policies

• Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement.
• ePolicies typically include:
  • Ethical computer use policy
  • Information privacy policy
  • Acceptable use policy
  • E-mail privacy policy
  • Internet use policy
  • Anti-spam policy
ETHICAL COMPUTER USE POLICY

• Ethical computer use policy: contains general principles to guide computer user behavior.
• The ethical computer use policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules.
INFORMATION PRIVACY POLICY

• The unethical use of information typically occurs "unintentionally" when it is used for new purposes.
  • For example, social insurance numbers started as a way to identify government retirement benefits and are now used as a sort of universal personal ID.
• Information privacy policy: contains general principles regarding information privacy.
• Information privacy policy guidelines:
  1. Adoption and implementation of a privacy policy
  2. Notice and disclosure
  3. Choice and consent
  4. Information security
  5. Information quality and access
ACCEPTABLE USE POLICY

• Acceptable use policy (AUP): a policy that a user must agree to follow in order to be provided access to a network or to the Internet.
• An AUP usually contains a nonrepudiation clause.
  • Nonrepudiation: a contractual stipulation to ensure that e-business participants do not deny (repudiate) their online actions.
E-MAIL PRIVACY POLICY

• Organizations can mitigate the risks of e-mail and instant messaging communication tools by implementing and adhering to an e-mail privacy policy.
• E-mail privacy policy: details the extent to which e-mail messages may be read by others.
INTERNET USE POLICY

• Internet use policy: contains general principles to guide the proper use of the Internet.

MONITORING TECHNOLOGIES

• Monitoring: tracking people's activities by such measures as number of keystrokes, error rate, and number of transactions processed.
• Monitoring technologies:
  • Key logger or key trapper software
  • Hardware key logger
  • Cookie
  • Adware
  • Spyware
  • Web log
  • Clickstream

EMPLOYEE MONITORING POLICIES

• Employee monitoring policies: explicitly state how, when, and where the company monitors its employees.
Assurance Considerations

• Policy development, implementation, and enforcement
  • Is the policy current? Is it enforced? Are violations of and exceptions to the policy tracked and reported? Who acts on such violations? Are such actions proper? Overall, is the policy effective?
• Compliance with regulations
  • Is an integrated approach used, where legal, technological, and operational aspects are considered together? Or is compliance a patchwork?
  • Who is responsible for compliance? Are the compliance solutions documented? Are changes in the regulatory requirements monitored? Is the whistle-blower system effective?
• Ethical behavior
  • Does the organization have a code of conduct?
  • What structure is in place to nurture ethical behavior in the organization?
  • Who is accountable for promoting organization-wide ethical conduct?
  • What programs are in place to achieve the objective? Are they effective?
Where Are MOST of the Continuity Challenges?

(Diagram.) Continuity issues: catastrophic interruptions, minor interruptions, everyday blips, process dysfunctions. BCARE solutions: Continuity, Availability, Reliability, Engineering.
Physical Access Security

• Establishing perimeters
• Implementing and maintaining a system, equipment, procedures
• Defensive depth, universal application
• Monitoring / detection / response
• Common intrusion techniques
What Is a Perimeter?

• A controlled border:
  • External: public / first level. May be outside of the building.
  • Second: building access. May include elevators and stairways.
  • Multiple interior: authorization related to function-based "need to know".
Systems, Equipment, Procedures

• System components: hardware, software, devices, data, personnel (operators and staff).
• Equipment: readers, tokens, cameras and video recorders, screen monitors, barriers (turnstiles, man-traps).
• Procedures: operator, equipment maintenance, log review, token issuance, authorization maintenance, system upgrading, guards.
Defensive Depth

• Multiple barriers to breach: make an intruder work harder.
• Multiple levels, multiple techniques.
• Multiple levels of monitoring and detection.
• Introduce random supplemental checks.
Universal Application

• Every time
• Every person
• Every control point
• Weekdays, nights, and weekends
• Especially: no "official piggybacking"
• Why: it keeps the "bright line" between authorized and unauthorized.
Monitoring/Detection/Response

• Monitoring: what conditions, when.
• Detection: manual, automatic, alarms; who is notified?
• Response:
  • Who, what, when
  • How contacted
  • Logistics and SLA
• Failure in any area "breaks the chain" of response.
Common Intrusion Techniques

• "Piggy-backing"
• Poor housekeeping of access privileges:
  • Terminated employees
  • Transferred employees
• "I have a delivery for Mr./Ms. X."
• Concealment within interior protected areas
• Exploitation of known system flaws
WHAT YOU ALREADY KNOW

• Good things:
  • Card readers and physical access control systems
  • Cameras
  • Locked doors
• Bad things:
  • Piggybacking
  • Easy-to-guess passwords
  • Asleep at the console
• No need to hear that again.
WHAT YOU MAY NOT KNOW...

• Facilities and Security co-dependencies
• How they affect the enterprise risk picture
• How formal risk assessment techniques developed for other industries are emerging as tools to reduce critical facilities risks
• How all this relates to BCP/DR

...UNTIL NOW
SO WHAT? WHO CARES?

Poor Facilities/Security/IT/BCP coordination =
• Wasted resources
• Risk picture not fully understood
• Risks not fully addressed

CEOs, CFOs, CIOs, CHAIRMEN AND DIRECTORS CARE ABOUT THESE THINGS...
...AND SO DO REGULATORS
Copyright 2004 Strategic Facilities Inc. All rights reserved

SECURITY & FACILITIES

• SECURITY NEEDS FACILITIES
  • Surveillance and access control need power
  • Cameras need light
  • The guard force needs a decent environment, just like everyone else
• FACILITIES NEEDS SECURITY
  • Extra eyes and ears for building problems
  • Help screening visiting technicians
  • Reduced tampering with building systems
RELIABILITY

• What is the probability that a system will operate correctly?
• Over what mission time?
• Severity of failure is part of the risk conversation, not the reliability conversation.
• Duration of failure is also a separate variable.
• Duration is also part of the risk conversation and NOT part of the reliability conversation.
MORE RELIABILITY

• Can be expressed as Mean Time To Failure (MTTF).
• MTTF is OK, but lacks mission-time context.
• Probability of success over mission time does a better job of depicting the situation.
• Probability of failure = 1 - (probability of success).
• Duration of failure is known as Mean Time To Restore, or MTTR.
• Probability of success or failure of an individual system does not depend on MTTR.
AVAILABILITY

• A different concept entirely.
• A comparison of MTTF and MTTR.
• Mathematically: Availability = MTTF / (MTTF + MTTR), with both terms in the same unit.
• Grossly misused throughout industry in the form of "nines"; usually MTTF >> MTTR.
  • The misuse stems from its two-dimensional nature: one availability figure collapses an MTTF and an MTTR into a single number.
  • This does not mean that MTTR and availability do not matter.

AVAILABILITY - IT DEPENDS (chart)
RELIABILITY VS. AVAILABILITY

System "A":
• 1 failure, at the end of year 9
• Down the entire year 10
• Reliability: MTTF = 9 yrs; only 1 sample
• Availability: 90 %
• More reliable (?), less available
• Less certain

System "B":
• 4 failures, on average 1 every 2.5 yrs
• Down 5 min each time
• Reliability: MTTF = 2.5 yrs; 4 samples
• Availability: about 99.9996 % (20 min of downtime in 10 years)
• More available, less reliable
• More certain
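The comparison above, worked through in code. This is an added example, not part of the original slides: it derives MTTF, MTTR, availability and the "nines" figure for systems A and B from a constructed outage log over the 10-year window, and adds a mission-success probability. The `Outage`, `Metrics`, `compute_metrics`, `availability_from_mttf_mttr`, `mission_success_probability` and `compare` names are mine; 365-day years are assumed, and the mission-success figure assumes a constant failure rate (exponential survival), which the slides do not state.

```python
"""Reliability vs. availability from an outage log (added example, not from the slides)."""
import math
from dataclasses import dataclass
from typing import Iterable, List

MINUTES_PER_YEAR = 365 * 24 * 60  # assumption: 365-day years, leap days ignored


@dataclass(frozen=True)
class Outage:
    start_min: float     # minutes after the start of the observation window
    duration_min: float  # how long the system stayed down


@dataclass(frozen=True)
class Metrics:
    failures: int
    mttf_years: float    # mean operating time per failure
    mttr_minutes: float  # mean time to restore
    availability: float  # uptime / total time
    nines: float         # -log10(1 - availability), the industry's "nines"


def compute_metrics(outages: Iterable[Outage], window_years: float) -> Metrics:
    """Summarise one system's outage history over an observation window.

    MTTF is estimated as total operating time / number of failures, MTTR as
    total downtime / number of failures, and availability as uptime / total
    time. For an alternating up/down history the last equals MTTF/(MTTF+MTTR).
    """
    total_min = window_years * MINUTES_PER_YEAR
    events: List[Outage] = sorted(outages, key=lambda o: o.start_min)
    # Reject overlapping or out-of-window records; they would double-count downtime.
    clock = 0.0
    for o in events:
        if o.duration_min < 0 or o.start_min < clock or o.start_min + o.duration_min > total_min:
            raise ValueError(f"bad outage record: {o}")
        clock = o.start_min + o.duration_min
    n = len(events)
    down_min = sum(o.duration_min for o in events)
    up_min = total_min - down_min
    if n == 0:
        return Metrics(0, math.inf, 0.0, 1.0, math.inf)
    availability = up_min / total_min
    nines = -math.log10(1.0 - availability) if availability < 1.0 else math.inf
    return Metrics(n, (up_min / n) / MINUTES_PER_YEAR, down_min / n, availability, nines)


def availability_from_mttf_mttr(mttf_years: float, mttr_minutes: float) -> float:
    """The slide's formula, MTTF / (MTTF + MTTR), with both terms converted to minutes."""
    mttf_min = mttf_years * MINUTES_PER_YEAR
    return mttf_min / (mttf_min + mttr_minutes)


def mission_success_probability(mttf_years: float, mission_years: float) -> float:
    """Probability of completing a mission of the given length without failure.

    Assumption not on the slide: failures arrive at a constant rate, so survival
    over time t is exp(-t / MTTF). Probability of failure is 1 minus this value.
    """
    return math.exp(-mission_years / mttf_years)


# Constructed outage logs matching the slide's two systems over 10 years.
WINDOW_YEARS = 10
# System A: one failure at the end of year 9, down for all of year 10.
SYSTEM_A = [Outage(start_min=9 * MINUTES_PER_YEAR, duration_min=MINUTES_PER_YEAR)]
# System B: four failures (about one every 2.5 years), 5 minutes down each time.
SYSTEM_B = [Outage(start_min=y * MINUTES_PER_YEAR, duration_min=5) for y in (2.5, 5.0, 7.5, 9.9)]


def compare(mission_years: float = 1.0) -> dict:
    """Metrics and mission-success probability for both systems, keyed by name."""
    result = {}
    for name, log in (("A", SYSTEM_A), ("B", SYSTEM_B)):
        m = compute_metrics(log, WINDOW_YEARS)
        result[name] = (m, mission_success_probability(m.mttf_years, mission_years))
    return result


if __name__ == "__main__":
    for name, (m, p) in compare().items():
        print(f"System {name}: {m.failures} failure(s), MTTF {m.mttf_years:.2f} yr, "
              f"MTTR {m.mttr_minutes:.0f} min, availability {m.availability:.5%} "
              f"({m.nines:.1f} nines), P(1-year mission succeeds) {p:.3f}")
```

Running it prints one row per system. A comes out at 90 % (1.0 nines) with an MTTF of 9 years, B at about 99.9996 % (5.4 nines) with an MTTF of 2.5 years; for a one-year mission A is the better bet (about 0.89 versus 0.67 under the exponential assumption) even though B is far more available. That is the two-dimensional nature the previous slide warns about: a "nines" figure alone cannot tell you which of the two you are looking at.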
HOW SYSTEMS FAIL

• Independently, due to an internal, local failure.
• Due to a "common cause" effect; that is, something that affects the entire system at once.
  • Natural or man-made disasters, for example; these tend to be high severity, low frequency.
  • Human error is the most frequent common-cause failure mode; often less severe than disasters.
• Applies to Facilities, Security, IT, BCP.
CASE #1 - WHO CAN GO INTO THE DATA CENTER

• Client is a hedge fund; they develop and use proprietary applications to execute trades.
• Frequent hacker target; security is tight.
• Big battle over who has access to the data center.
• The Facilities team is responsible for power and cooling in there!
• Facilities team members are not employees: should they be allowed in?

Result for Case #1: The debate spurred the client to grow in-house staff and reduce the presence of non-employees, while expanding the ability to grant and track physical access privileges.
CASE #2 - OPERATOR TRAINING FOR NEW SITE

• Client was considering building a new facility specifically designed as a data center.
• Limited pool of building engineers to transfer to the new facility; mostly air conditioning guys.
• Client was late in recognizing the problem and planning for commencing operations.
• How should the client prepare to operate, and how much should they spend to do it?

Result for Case #2: The client saw the folly of spending $25 million on a new site and then risking an outage due to human error; instead it implemented a full program of procedure writing and training to reduce errors.
CASE #3 - WHO SEES STATUS INFO ON BUILDING SYSTEMS

• Client agreed to lease space in a former co-lo site taken over by the landlord.
• Landlord has never managed critical facilities before.
• Power and cooling status information goes to the NOC via HP OpenView and other systems.
• NOC personnel are trained only in IT, not Facilities.
• Analysis finds AVAILABILITY too low.
• What should the landlord do?

Case #3 results: The landlord contracted for fast emergency response, added auto-paging capability, and trained NOC staff to relay vital information to the qualified responder en route.
RECOMMENDATIONS & CONCLUSIONS

1. When confronting a risk, ask yourself:
   • How often is it likely to occur?
   • How bad will its impact be if it does occur?
2. Then, compare this risk to others you face:
   • Is it likely to occur more or less frequently?
   • Is its likely impact more or less severe than the others'?
3. Apply this approach consistently across IT, Facilities, and Security.

MORE RECOMMENDATIONS & CONCLUSIONS

4. When evaluating a risk reduction measure:
   • What does it require of other sectors? E.g., if it's a Facilities measure, what do IT and Security need to do to make it work?
   • Who will do those things, and how?
   • Ask the same questions of Security and IT initiatives.
5. Then, look across sectors:
   • What other exposures are out there?
   • Who should address them?
Payment Card Industry (PCI) Security Standard

• Developed by the PCI Security Standards Council, formed by the major card brands such as Visa, MasterCard, and American Express.
• Requires member financial institutions and major merchants (over 6 million transactions annually) to have an annual external audit for compliance.
• Failure to comply can lead to a fine of $500,000.

PCI Standards

1. Install and maintain a firewall to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across the Internet.
5. Use regularly updated anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.