PentaSafe, Inc. Strategic Business Overview, Updated 11/11/99

Security Policies
• Jim Stracka
• www.pentasafe.com
The Problem Today
VigilEnt Security Solution
VigilEnt Policy Center
VigilEnt Security Manager
VigilEnt Security Agents
Overwhelming Validation
Customers
Strategic Alliances
Investors
LEHMAN BROTHERS
Agenda
• Business Issues
• What Is An Information Security Policy?
• Policy Development Process
• Conclusion
Business Issues
• Organizations Embracing New Business Models
• Increased Risks In New Economy Environments
• How Do You Conduct E-Business Safely?
• Security Is A BUSINESS Issue, Not A Technology Issue
• Security Must Be Governed By Policy
Why Have a Security Policy?
• Clearly Establishes Expectations
• Acts As An Extension Of The Organization's Leadership
• Opportunity To Address Asset Protection
• Ensures Proper Compliance With Laws, Regulations, etc.
• Ensures Implementation Of Proper Controls
• Reduces Liability
What Is a Policy?
• A Policy Defines Expectations
• Policies Are Written At A High Level
• Technology Changes, But Policies Rarely Do
• Your Policy Should Indicate A “Perfect World” (Security Gap)
Policy or Standard?
The Rule Process Should Incorporate Two Levels:
• Policy: Few And Short Statements
– Sets The Goal You're Trying To Achieve
– Language Used: Will / Shall
• Standard: Gets Much More Specific, To Platform, Technology, and Procedure
– Language Used: Should / Could
Anatomy of a Security Policy
Elements of a Viable Policy:
• Policy Statements
• Purpose
• Scope
• Controls
• Definitions
• Applicable Entities
• Roles And Responsibilities
• References
• Information Assets
Policy Elements: Policy Statement
The Policy Statement is a one or two sentence description of the policy. It describes the control environment, not how the organization will accomplish the objective.
Policy Elements: Purpose
The policy Purpose describes the reason for this particular policy (i.e., why it exists).
Policy Elements: Scope
The policy Scope primarily defines who falls under the jurisdiction of the policy. As a further explanation of scope, policy statements should indicate who must observe the policies and when it may be acceptable for worker actions or activities to be inconsistent with policies.
Policy Elements: Information Assets
• Integral element of any security policy
• Not likely restated for each policy statement
• However, it is important to identify for each policy statement if there are any specific inclusions or exclusions to this information (this is most effectively done on a class basis)
Examples:
“The provisions set forth in this policy statement apply to all identified classes of information assets.”
“This policy applies only to information assets that are classified as ‘Confidential’ or ‘Highly Sensitive’.”
Short, to the Point, Clear
• Keep It Brief
• Policy Never Tells Or Suggests How To Achieve The Objective
• Policy Rarely Changes Because It Does Not Depend On A Person, Process, or Technology
Develop A “Policy On Policy”
Clearly Define The Policy Administration Process:
• For Developing New Policy
• For Requesting Modification To Existing Policy
• To Suggest The Elimination Of Outdated Policy
– Who Writes The Policy?
– Who Reviews The Policy?
– Who Approves The Policy?
– What Is The Process For Requesting Exceptions?
Policy Priorities
• The Policies Of The Organization As A Whole Should Take Precedence
• More Granular Section Policies Can Always Be Added To The Overall Policies For The Organization
• Specific Enterprise Sections May Require Additional Policies Due To The Nature Of Their Business
Integration of Policy & IT
Make Use Of What Is Available
• Use Of Policy To Develop Standards
• Use Of Standards To Communicate Policy
• Make Use Of Platform-Specific MVS, AS400, Sun/Solaris, Novell, NT Standards To Develop Policy
Policy Life-Cycle
The greatest challenge of implementing an information security policy is keeping the policy active. The policy life-cycle process is shown below; the last two steps tend to be the most overlooked:
– Monitoring, compliance and enforcement; and
– Review and update
Code of Conduct
• Use Your Corporate “Code of Conduct” To Help Support Your Policy Efforts
• The “Code of Conduct” Usually Supports Business Directives and Ethical Actions
• Make Sure Your Policy Efforts Support Your “Code of Conduct”
Consequences
• There Should Be A Separate Policy That Delineates The Consequences Of Failure To Comply With Policy
• Appropriate Procedures Must Be Identified, Communicated, and Enforced
• Need To Work With Human Resources / Senior Management
Policy Implementation
• Develop “Educated” Draft(s)
• Involve Many Areas / Departments (Form A Policy Committee)
• Obtain Leadership Approval From The Start
• Train Staff On Policy And Security Issues
• Communicate Content / Milestones Of Process
• Use A Machine To Sustain The Process
Ideal Times To Develop Policies
• Your Organization Just Suffered A Loss
• Competing Organization Just Suffered A Loss
• Press Discussing A Major Vulnerability
• Your Organization Just Received Adverse Audit Report
• Your Organization Just Hit With Lawsuit
• Your Organization Will Make Major Changes
• Other InfoSec Initiatives Are Well Underway
Conclusion
• Developing Policy Is Not An Easy Process
• Why Do Many Fail?
– Complicated Process
– Many Twists And Turns
– Lack Of Management Support
• Automated Tools Are Long Overdue
Do you want more???
Jim Stracka
888-400-2834
[email protected]
www.pentasafe.com