Week 10-Information Security


INFORMATION SECURITY
Lecture 10
Ms. Hirra Anwar


WEEK 10-AGENDA
1. Information Security Policy, Standards,
and Practices
2. Types of Security Policies
3. The Information Security Blueprint
4. Security Education, Training, and
Awareness Program
5. Continuity Strategies
INFORMATION SECURITY POLICY,
STANDARDS, AND PRACTICES
● Management from all communities of interest, including general staff, information technology, and information security, must make policies the basis for all information security planning, design, and deployment.

● Policies direct how issues should be addressed and how technologies should be used.
POLICY AS THE FOUNDATION
FOR PLANNING
● Information Security Policy → written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets.
● Examples of Information Security Policy Templates | SANS Institute → PDF

Figure: Policy → how the issue should be addressed
POLICY AS THE FOUNDATION
FOR PLANNING
● Policies function like laws in an organization because they dictate acceptable and unacceptable behavior there, as well as the penalties for failure to comply. Like laws, policies define what is right and wrong, the penalties for violating policy, and the appeal process.

● Example: a security policy can also communicate a credit card agency’s method for processing credit card numbers.
STANDARDS
● Standards → are more detailed statements of what must be done to comply with policy.

● Example: ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls

● Standards may be informal or part of an organizational culture, as in de facto standards. Or, standards may be published, scrutinized, and ratified by a group, as in formal or de jure standards.

Figure: Standard → what must be done to comply with policy
PRACTICES, PROCEDURES,
GUIDELINES
● Practices, procedures, and guidelines effectively explain how to comply with policy.

● Figure 4-2 shows the relationships among policies, standards, guidelines, procedures, and practices.

● This relationship is further examined in the Offline feature (p180-181).

Figure 4-2 example (text recovered from the slide's diagram):
- Policy: passwords should be strong
- Standard: 10 characters, 1 uppercase, one special character
- Guideline: recommendations for a strong password
- Procedure: step-by-step process to update a password
CRITERIA OF EFFECTIVE
POLICY
1. Dissemination: Available to employees for review
2. Review (Reading): Should be in intelligible form
3. Comprehension: Employee must understand the requirements
and contents of policy
4. Compliance: Employee should agree on compliance
5. Uniform enforcement
TYPES OF SECURITY
POLICIES
1. Enterprise Information Security Policy
2. Issue Specific Security Policy
3. System Specific Security Policy
ENTERPRISE INFORMATION
SECURITY POLICY
1. The high-level information security policy that sets the
strategic direction, scope, and tone for all of an
organization’s security efforts.
2. An EISP is also known as a security program policy, general
security policy, IT security policy, high-level InfoSec policy, or
simply an InfoSec policy.
3. Usually about 2-10 pages long
COMPONENTS OF EISP

Figure: Purpose, Scope, Constraint, Applicability
ISSUE SPECIFIC SECURITY
POLICY
1. An organizational policy that provides detailed, targeted
guidance to instruct all members of the organization in the use
of a resource, such as one of its processes or technologies.
● An ISSP may cover the following topics, among others:
- Use of the Internet and World Wide Web
- BYOD
- Email
- Prohibitions against hacking or testing organization security controls
- etc.
ISSP

Example: Email
SYSTEM SPECIFIC SECURITY
POLICY
1. SysSPs often function as standards or procedures to be used
when configuring or maintaining systems.
2. SysSPs can be separated into two general groups, managerial
guidance SysSPs and technical specifications SysSPs, or they
can be combined into a single policy document that contains
elements of both.
SYSTEM SPECIFIC SECURITY
POLICY
Example 1: Workstation Security (For HIPAA) Policy
SYSTEM SPECIFIC SECURITY
POLICY
Example 2:
● A SysSP might describe the configuration and operation of a network firewall.
● This document could include:
- a statement of managerial intent;
- guidance to network engineers on the selection, configuration, and operation of firewalls; and
- an access control list that defines levels of access for each authorized user.
MANAGEMENT GUIDANCE
1. A managerial guidance SysSP document is created by
management to guide the implementation and configuration of
technology and to address the behavior of employees in ways
that support information security.
2. For example, while the method for implementing a firewall
belongs in the technical specifications SysSP, the firewall’s
configuration must follow guidelines established by
management.
3. An organization might not want its employees to access the
Internet via the organization’s network, for instance; in that
case, the firewall should be implemented accordingly.
TECHNICAL SPECIFICATIONS
1. Each type of equipment requires its own set of policies, which
are used to translate management’s intent for the technical
control into an enforceable technical approach.
2. For example, an ISSP may require that user passwords be
changed quarterly; a systems administrator can implement a
technical control within a specific application to enforce this
policy.
ACCESS CONTROL LISTS
● An access control list (ACL) → consists of details about user access and use permissions and privileges for an organizational asset or resource, such as a file storage system, software component, or network communications device.

● In general, ACLs regulate the following:
- Who can use the system
- What authorized users can access
- When authorized users can access the system
- Where authorized users can access the system
ACCESS CONTROL LISTS
● A capabilities table → is similar to an ACL, but it focuses on users, the assets they can access, and what they can do with those assets. In some systems, capability tables are called user profiles or user policies.

● These specifications frequently take the form of complex matrices rather than simple lists or tables, resulting in an access control matrix that combines the information in ACLs and capability tables.
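An added example (not part of the lecture) that builds one access control matrix from constructed ACL entries and reads it both ways: by column as an ACL for a resource and by row as a capabilities table for a user. The authorize() check applies the four ACL questions from the slide (who, what, when, where) with deny-by-default; the users, resources, hours and networks are invented sample data.

```python
"""Access control matrix built from per-resource ACL entries (constructed
sample data). Rows give the capabilities table (per user), columns give the
ACL (per resource); authorize() checks who, what, when and where."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample entries: (resource, user, actions, (start, end) hours, source CIDRs).
ACL_ENTRIES = [
    ("payroll_db", "alice", {"read", "write"}, (time(8, 0), time(18, 0)), ["10.0.1.0/24"]),
    ("payroll_db", "bob",   {"read"},          (time(8, 0), time(18, 0)), ["10.0.1.0/24"]),
    ("fw_config",  "bob",   {"read", "write"}, (time(0, 0), time(23, 59)), ["10.0.9.0/24"]),
]

def build_matrix(entries):
    """Return {user: {resource: rule}}; row = capability table, column = ACL."""
    matrix = {}
    for resource, user, actions, hours, nets in entries:
        matrix.setdefault(user, {})[resource] = {
            "actions": set(actions),
            "hours": hours,
            "networks": [ip_network(n) for n in nets],
        }
    return matrix

def capabilities(matrix, user):
    """Capability-table view: what this user may do with each asset."""
    return {r: sorted(rule["actions"]) for r, rule in matrix.get(user, {}).items()}

def acl(matrix, resource):
    """ACL view: which users may act on this asset, and how."""
    return {u: sorted(rules[resource]["actions"])
            for u, rules in matrix.items() if resource in rules}

def authorize(matrix, user, resource, action, when, source_ip):
    """Deny by default; grant only if who, what, when and where all match."""
    rule = matrix.get(user, {}).get(resource)
    if rule is None:                          # who: no entry for this user/resource
        return False
    if action not in rule["actions"]:         # what: action not granted
        return False
    start, end = rule["hours"]
    if not (start <= when.time() <= end):     # when: outside the allowed window
        return False
    addr = ip_address(source_ip)              # where: source must be in an allowed network
    return any(addr in net for net in rule["networks"])

if __name__ == "__main__":
    m = build_matrix(ACL_ENTRIES)
    print(capabilities(m, "bob"))
    print(acl(m, "payroll_db"))
    print(authorize(m, "bob", "payroll_db", "write", datetime(2024, 5, 6, 10, 0), "10.0.1.5"))
```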
CONFIGURATION RULES
● Configuration rules (or policies) → govern how a security system reacts to the data it receives.
- Rule-based policies are more specific to the operation of a system than ACLs, and they may or may not deal with users directly.

● Many security systems—for example, firewalls, intrusion detection and prevention systems (IDPSs), and proxy servers—use specific configuration scripts that represent the configuration rule policy to determine how the system handles each data element they process.
POLICY MANAGEMENT
● Policies are living documents that must be managed. To remain viable, security policies must have:
- a responsible manager (policy manager),
- a schedule of reviews,
- a method for making recommendations for reviews, and
- a policy issuance and revision date (expiration date)
THE INFORMATION
SECURITY BLUEPRINT
● The basis for the design, selection, and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and program maintenance.

● In information security, a framework or security model customized to an organization, including implementation details.

● The security blueprint builds on top of the organization’s information security policies.

● It specifies tasks with the order of implementation.

THE INFORMATION
SECURITY BLUEPRINT
● Contains the implementation details.

● Model to be followed during design, selection, initial and ongoing implementation of security controls, including policies.

● There are several published information security frameworks from government agencies and other sources.

● Because each information security environment is unique, the security team may need to modify or adapt pieces from several frameworks.
ISO/IEC 27000
ISO/IEC 27000 is the overarching standard that provides the fundamental terminology, concepts, and definitions for the ISO/IEC 27000 family of standards.

This family addresses information security management and contains a series of standards, each focusing on different aspects of securing information assets.

ISO/IEC 27001 and ISO/IEC 27002 are standards created by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) to guide and ensure effective information security management within organizations.
ISO/IEC 27001
Purpose: This standard provides the framework for setting up, implementing, maintaining, and continuously improving an Information Security Management System (ISMS).

Core Focus: It outlines the requirements to protect information systematically through risk assessment and risk management, covering confidentiality, integrity, and availability of information.

Certification: Organizations can be certified for ISO 27001 compliance, proving they have a secure ISMS in place. These organizations can effectively respond to security threats and vulnerabilities, minimizing the risk of data breaches or unauthorized access.
ISO/IEC 27002
Purpose: It is a supplementary standard to ISO 27001 that provides best practices and guidance for implementing the controls within an ISMS.

Core Focus: While ISO 27001 specifies what needs to be done, ISO 27002 offers how to do it by detailing best practices for each control. It complements ISO 27001 certification by helping organizations align with global best practices for security measures.

Controls: Organized into domains like access control, physical security, and incident response.

Guidance for Implementation: Detailed suggestions on implementing and managing each control based on organizational needs.
ISO/IEC 27000
● The ISO/IEC 27000 series is becoming increasingly important in the field, especially among global organizations.

● Many certification bodies and corporate organizations are complying with it or will someday be expected to comply with it.

● Also see Table 4-4, p198-200
NIST CYBERSECURITY
FRAMEWORK
● Provides an effective approach to “manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.”

● Designed specifically to be vendor-neutral.

● Overview of its core components: (figure)
NIST CYBERSECURITY
FRAMEWORK
The intent of the framework is to allow organizations to:
1. Describe their current cybersecurity posture
2. Describe their target state for cybersecurity
3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
4. Assess progress towards the target state
5. Communicate among internal and external stakeholders about cybersecurity risk
COMPONENTS
The NIST Framework consists of three fundamental components:

1. Framework Core
2. Framework Tiers
3. Framework Profile
FRAMEWORK CORE
Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
FRAMEWORK TIERS
The Framework then provides a self-defined set of tiers so organizations can relate the maturity of their security programs and implement corresponding measures and functions.

Tier 1: Partial: In this category, an organization does not have formal risk management practices, and security activities are relatively informal and ad hoc.

Tier 2: Risk Informed: Organizations in this category have developed but not fully implemented risk management practices, and have just begun their formal security programs, so security is not fully established across the organization.
FRAMEWORK TIERS
Tier 3: Repeatable: Organizations in this category not only have risk management practices formally established, they also have documented policy implemented.

Tier 4: Adaptive: The most mature organization falls into this tier. The organization not only has well-established risk management and security programs, it can quickly adapt to new environments and threats. The organization is experienced at managing risk and responding to threats and has integrated security completely into its culture.
FRAMEWORK PROFILE
Organizations are expected to identify which tier their security programs most closely match.
This profile is then used to perform a gap analysis: comparing the current state of information security and risk management to a desired state, identifying the difference, and developing a plan to move the organization toward the desired state.
Organizations then use the corresponding recommendations within the Framework to improve their programs.
SECURITY EDUCATION, TRAINING,
AND AWARENESS PROGRAM
A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization’s employees.
1. Improving awareness of the need to protect system resources
2. Developing skills and knowledge so computer users can perform their jobs more securely
3. Building in-depth knowledge as needed to design, implement, or operate security programs for organizations and systems
SECURITY EDUCATION,
TRAINING, AND AWARENESS
PROGRAM
Security education, training, and awareness (SETA) → A managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization’s employees.
The purpose of SETA is to enhance security by doing the following:
1. Improving awareness of the need to protect system resources
2. Developing skills and knowledge so computer users can perform their jobs more securely
3. Building in-depth knowledge as needed to design, implement, or operate security programs for organizations and systems
SECURITY AWARENESS
PROGRAM
A security awareness program is one of the least frequently
implemented but most beneficial programs in an organization.
● Examples: newsletters, security posters, videos, bulletin boards, flyers
The goal is to keep the idea of information security in users’ minds
and to stimulate users to care about security.
If a security awareness program is not actively implemented,
employees may begin to neglect security matters and the risk of
employee accidents and failures is likely to increase.
CONTINUITY STRATEGIES
● A key role for all managers is contingency planning (CP). It is prepared by the organization to anticipate, react to, and recover from events that threaten the security of information and information assets in the organization. This plan also helps restore the organization to normal modes of business operations after an event.

● Various types of contingency plans are available to respond to adverse events.
TYPES OF CP
1. The incident response plan (IR plan) focuses on immediate
response, but if the attack escalates or is disastrous (for
example, a fire, flood, earthquake, or total blackout), the process
moves on to disaster recovery and the BC plan.
2. The disaster recovery plan (DR plan) typically focuses on
restoring systems at the original site after disasters occur, and
so is closely associated with the BC plan.
3. The business continuity plan (BC plan) occurs concurrently
with the DR plan when the damage is major or ongoing, and
requires more than simple restoration of information and
information resources. The BC plan establishes critical business
functions at an alternate site.
TYPES OF CP
● Some experts argue that the DR and BC plans are so closely linked that they are indistinguishable (a.k.a. business resumption planning, or BRP). However, each has a distinct role and planning requirement.

● You can also further distinguish among these types of planning by examining when each comes into play during the life of an incident. Figure 4-13 shows a sample sequence of events.
CRISIS MANAGEMENT
Crisis management refers to the actions an organization takes
during and immediately after a disaster. Crisis management
focuses first and foremost on the people involved.
INCIDENT RESPONSE
PLANNING
● IR is reactive and consists of the following four phases:
a. Planning → a set of documents that direct the actions of each person who must help the organization react to and recover from the incident.
b. Detection → possible, probable, and definite indicators of an incident (e.g. changes to logs)
c. Reaction → consists of actions to stop the incident, mitigate its impact, and provide information for recovery (e.g. notification of key personnel)
d. Recovery → restore the system to a fully functional state (e.g. launch needed human resources into action and collect relevant evidence)
CPMT
1. Champion
As with any strategic function, the contingency planning project must have a
high-level manager to support, promote, and endorse the findings of the
project. This could be the CIO or ideally the CEO.
2. Project Manager
A mid-level manager or even the CISO must lead the project and make sure a
sound planning process is used, a complete and useful project plan is
developed, and resources are prudently managed to reach the goals of the
project.
3. Team Members
The team members should be managers or their representatives from the
various communities of interest: business, information technology, and
information security.
STEPS IN CONTINGENCY
PLANNING

Figure: Provide authority and guidance
BUSINESS IMPACT ANALYSIS
An investigation and assessment of the various adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization’s core processes and recovery priorities.

Different from risk management, which identifies threats, risks, and vulnerabilities.
ACTIVITY – PART 1
Write down a scenario where an adverse incident
takes place in a company and turns into a disaster.
QUESTIONS & FEEDBACK
