Contents

 Preface

 Acknowledgments

PART ONE         The Need for IT Security Policy Frameworks

  CHAPTER 1     Information Systems Security Policy Management

What Is Information Systems Security?

Information Systems Security Management Life Cycle

What Is Information Assurance?

Confidentiality

Integrity

Nonrepudiation

What Is Governance?

Why Is Governance Important?

What Are Information Systems Security Policies?

Where Do Information Systems Security Policies Fit Within an Organization?

Why Information Systems Security Policies Are Important

Policies That Support Operational Success

Challenges of Running a Business Without Policies

Dangers of Not Implementing Policies

Dangers of Implementing the Wrong Policies

When Do You Need Information Systems Security Policies?

Business Process Reengineering (BPR)

Continuous Improvement

Making Changes in Response to Problems

Why Enforcing and Winning Acceptance for Policies Is Challenging

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 1 ASSESSMENT

  CHAPTER 2     Business Drivers for Information Security Policies

Why Are Business Drivers Important?

Maintaining Compliance

Compliance Requires Proper Security Controls

Security Controls Must Include Information Security Policies

Relationship Between Security Controls and Information Security Policy

Mitigating Risk Exposure

Educate Employees and Drive Security Awareness

Prevent Loss of Intellectual Property

Protect Digital Assets

Secure Privacy of Data

Lower Risk Exposure

Minimizing Liability of the Organization

Separation Between Employer and Employee

Acceptable Use Policies

Confidentiality Agreement and Nondisclosure Agreement

Business Liability Insurance Policies

Implementing Policies to Drive Operational Consistency

Forcing Repeatable Business Processes Across the Entire Organization

Differences Between Mitigating and Compensating Controls

Policies Help Prevent Operational Deviation

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 2 ASSESSMENT

ENDNOTES

  CHAPTER 3     U.S. Compliance Laws and Information Security Policy Requirements

U.S. Compliance Laws

What Are U.S. Compliance Laws?

Why Did U.S. Compliance Laws Come About?

Whom Do the Laws Protect?

Which Laws Require Proper Security Controls to Be Included in Policies?

Which Laws Require Proper Security Controls for Handling Privacy Data?

Aligning Security Policies and Controls with Regulations

Industry Leading Practices and Self-Regulation

Some Important Industry Standards

Payment Card Industry Data Security Standard (PCI DSS)

Statement on Standards for Attestation Engagements No. 16 (SSAE16)

Information Technology Infrastructure Library (ITIL)

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 3 ASSESSMENT

ENDNOTES

  CHAPTER 4     Business Challenges Within the Seven Domains of IT Responsibility

The Seven Domains of a Typical IT Infrastructure

User Domain

Workstation Domain

LAN Domain

LAN-to-WAN Domain

WAN Domain

Remote Access Domain

System/Application Domain

Information Security Business Challenges and Security Policies That Mitigate Risk Within the Seven Domains

User Domain

Workstation Domain

LAN Domain

LAN-to-WAN Domain

WAN Domain

Remote Access Domain

System/Application Domain

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 4 ASSESSMENT

  CHAPTER 5     Information Security Policy Implementation Issues

Human Nature in the Workplace

Basic Elements of Motivation

Personality Types of Employees

Leadership, Values, and Ethics

Organizational Structure

Flat Organizations

Hierarchical Organizations

The Challenge of User Apathy

The Importance of Executive Management Support

Selling Information Security Policies to an Executive

Before, During, and After Policy Implementation

The Role of Human Resources Policies

Relationship Between HR and Security Policies

Lack of Support

Policy Roles, Responsibilities, and Accountability

Change Model

Responsibilities During Change

Roles and Accountabilities

When Policy Fulfillment Is Not Part of Job Descriptions

Impact on Entrepreneurial Productivity and Efficiency

Applying Security Policies to an Entrepreneurial Business

Tying Security Policy to Performance and Accountability

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 5 ASSESSMENT

ENDNOTE

PART TWO        Types of Policies and Appropriate Frameworks

  CHAPTER 6     IT Security Policy Frameworks

What Is an IT Policy Framework?

What Is a Program Framework Policy or Charter?

Industry-Standard Policy Frameworks

What Is a Policy?

What Are Standards?

What Are Procedures?

What Are Guidelines?

Business Considerations for the Framework

Roles for Policy and Standards Development and Compliance

Information Assurance Considerations

Confidentiality

Integrity

Availability

Information Systems Security Considerations

Unauthorized Access to and Use of the System

Unauthorized Disclosure of the Information

Disruption of the System or Services

Modification of Information

Destruction of Information Resources

Best Practices for IT Security Policy Framework Creation

Case Studies in Policy Framework Development

Private Sector Case Study

Public Sector Case Study

Private Sector Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 6 ASSESSMENT

  CHAPTER 7     How to Design, Organize, Implement, and Maintain IT Security Policies

Policies and Standards Design Considerations

Architecture Operating Model

Principles for Policy and Standards Development

The Importance of Transparency with Regard to Customer Data

Types of Controls for Policies and Standards

Document Organization Considerations

Sample Templates

Considerations for Implementing Policies and Standards

Building Consensus on Intent

Reviews and Approvals

Publishing Your Policies and Standards Library

Awareness and Training

Policy Change Control Board

Business Drivers for Policy and Standards Changes

Maintaining Your Policies and Standards Library

Updates and Revisions

Best Practices for Policies and Standards Maintenance

Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies

Private Sector Case Study

Public Sector Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 7 ASSESSMENT

  CHAPTER 8     IT Security Policy Framework Approaches

IT Security Policy Framework Approaches

Risk Management and Compliance Approach

The Physical Domains of IT Responsibility Approach

Roles, Responsibilities, and Accountability for Personnel

The Seven Domains of a Typical IT Infrastructure

Organizational Structure

Organizational Culture

Separation of Duties

Layered Security Approach

Domain of Responsibility and Accountability

Governance and Compliance

IT Security Controls

IT Security Policy Framework

Best Practices for IT Security Policy Framework Approaches

What Is the Difference Between GRC and ERM?

Case Studies and Examples of IT Security Policy Framework Approaches

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 8 ASSESSMENT

ENDNOTE

  CHAPTER 9     User Domain Policies

The Weakest Link in the Information Security Chain

Social Engineering

Human Mistakes

Insiders

Seven Types of Users

Employees

Systems Administrators

Security Personnel

Contractors

Vendors

Guests and General Public

Control Partners

Contingent

System

Why Govern Users with Policies?

Acceptable Use Policy (AUP)

The Privileged-Level Access Agreement (PAA)

Security Awareness Policy (SAP)

Best Practices for User Domain Policies

Understanding Least Access Privileges and Best Fit Privileges

Case Studies and Examples of User Domain Policies

Government Laptop Compromised

The Collapse of Barings Bank, 1995

Unauthorized Access to Defense Department Systems

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 9 ASSESSMENT

 CHAPTER 10    IT Infrastructure Security Policies

Anatomy of an Infrastructure Policy

Format of a Standard

Workstation Domain Policies

LAN Domain Policies

LAN-to-WAN Domain Policies

WAN Domain Policies

Remote Access Domain Policies

System/Application Domain Policies

Telecommunications Policies

Best Practices for IT Infrastructure Security Policies

Case Studies and Examples of IT Infrastructure Security Policies

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 10 ASSESSMENT

 CHAPTER 11    Data Classification and Handling Policies and Risk Management Policies

Data Classification Policies

When Is Data Classified or Labeled?

The Need for Data Classification

Legal Classification Schemes

Military Classification Schemes

Business Classification Schemes

Developing a Customized Classification Scheme

Classifying Your Data

Data Handling Policies

The Need for Policy Governing Data at Rest and in Transit

Policies, Standards, and Procedures Covering the Data Life Cycle

Identifying Business Risks Related to Information Systems

Types of Risk

Development and Need for Policies Based on Risk Management

Risk and Control Self-Assessment

Risk Assessment Policies

Risk Exposure

Prioritization of Risk, Threat, and Vulnerabilities

Risk Management Strategies

Vulnerability Assessments

Vulnerability Windows

Patch Management

Quality Assurance Versus Quality Control

Best Practices for Data Classification and Risk Management Policies

Case Studies and Examples of Data Classification and Risk Management Policies

Private Sector Case Study

Public Sector Case Study

Private Sector Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 11 ASSESSMENT

 CHAPTER 12    Incident Response Team (IRT) Policies

Incident Response Policy

What Is an Incident?

Incident Classification

The Response Team Charter

Incident Response Team Members

Responsibilities During an Incident

Users on the Front Line

System Administrators

Information Security Personnel

Management

Support Services

Other Key Roles

Business Impact Analysis (BIA) Policies

Component Priority

Component Reliance

Impact Report

Development and Need for Policies Based on the BIA

Procedures for Incident Response

Discovering an Incident

Reporting an Incident

Containing and Minimizing the Damage

Cleaning Up After the Incident

Documenting the Incident and Actions

Analyzing the Incident and Response

Creating Mitigation to Prevent Future Incidents

Handling the Media and Deciding What to Disclose

Business Continuity Planning Policies

Dealing with Loss of Systems, Applications, or Data Availability

Response and Recovery Time Objectives Policies Based on the BIA

Best Practices for Incident Response Policies

Disaster Recovery Plan Policies

Disaster Declaration Policy

Assessment of the Disaster’s Severity and of Potential Downtime

Case Studies and Examples of Incident Response Policies

Private Sector Case Study

Public Sector Case Study

Critical Infrastructure Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 12 ASSESSMENT

PART THREE     Implementing and Maintaining an IT Security Policy Framework

 CHAPTER 13    IT Security Policy Implementations

Simplified Implementation Process

Target State

Distributed Infrastructure

Outdated Technology

Lack of Standardization Throughout the IT Infrastructure

Executive Buy-in, Cost, and Impact

Executive Management Sponsorship

Overcoming Nontechnical Hindrances

Policy Language

Employee Awareness and Training

Organizational and Individual Acceptance

Motivation

Developing an Organization-Wide Security Awareness Policy

Conducting Security Awareness Training Sessions

Human Resources Ownership of New Employee Orientation

Review of Acceptable Use Policies (AUPs)

Information Dissemination—How to Educate Employees

Hard Copy Dissemination

Posting Policies on the Intranet

Using E-mail

Brown Bag Lunches and Learning Sessions

Policy Implementation Issues

Governance and Monitoring

Best Practices for IT Security Policy Implementations

Case Studies and Examples of IT Security Policy Implementations

Private Sector Case Study

Public Sector Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 13 ASSESSMENT

 CHAPTER 14    IT Security Policy Enforcement

Organizational Support for IT Security Policy Enforcement

Executive Management Sponsorship

Governance Versus Management Organizational Structure

The Hierarchical Organizational Approach to Security Policy Implementation

Front-Line Managers’ and Supervisors’ Responsibility and Accountability

Grass-Roots Employees

An Organization’s Right to Monitor User Actions and Traffic

Compliance Law: Requirement or Risk Management?

What Is Law and What Is Policy?

What Security Controls Work to Enforce Protection of Privacy Data?

What Automated Security Controls Can Be Implemented Through Policy?

What Manual Security Controls Assist with Enforcement?

Legal Implications of IT Security Policy Enforcement

Who Is Ultimately Accountable for Risk, Threats, and Vulnerabilities?

Where Must IT Security Policy Enforcement Come From?

Best Practices for IT Security Policy Enforcement

Case Studies and Examples of Successful IT Security Policy Enforcement

Private Sector Case Study

Public Sector Case Study No. 1

Public Sector Case Study No. 2

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 14 ASSESSMENT

 CHAPTER 15    IT Policy Compliance and Compliance Technologies

Creating a Baseline Definition for Information Systems Security

Policy-Defining Overall IT Infrastructure Security Definition

Vulnerability Window and Information Security Gap Definition

Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance

Automated Systems

Random Audits and Departmental Compliance

Overall Organizational Report Card for Policy Compliance

Automating IT Security Policy Compliance

Automated Policy Distribution

Configuration Management and Change Control Management

Collaboration and Policy Compliance Across Business Areas

Version Control for Policy Implementation Guidelines and Compliance

Compliance Technologies and Solutions

COSO Internal Controls Framework

SCAP

SNMP

WBEM

Digital Signing

Best Practices for IT Security Policy Compliance Monitoring

Case Studies and Examples of Successful IT Security Policy Compliance Monitoring

Private Sector Case Study

Public Sector Case Study

Nonprofit Sector Case Study

CHAPTER SUMMARY

KEY CONCEPTS AND TERMS

CHAPTER 15 ASSESSMENT

  APPENDIX A Answer Key

  APPENDIX B Standard Acronyms

Glossary of Key Terms

References

Index
