PART ONE The Need for IT Security Policy Frameworks
CHAPTER 1 Information Systems Security Policy Management
What Is Information Systems Security?
Information Systems Security Management Life Cycle
What Is Information Assurance?
What Are Information Systems Security Policies?
How Policies and Standards Differ
How Policies and Procedures Differ
Where Do Information Systems Security Policies Fit Within an Organization?
Why Information Systems Security Policies Are Important
Policies That Support Operational Success
Challenges of Running a Business Without Policies
Dangers of Not Implementing Policies
Dangers of Implementing the Wrong Policies
When Do You Need Information Systems Security Policies?
Business Process Reengineering (BPR)
Making Changes in Response to Problems
Why Enforcing and Winning Acceptance for Policies Is Challenging
CHAPTER 2 Business Drivers for Information Security Policies
Why Are Business Drivers Important?
Compliance Requires Proper Security Controls
Security Controls Enforce Information Security Policies
Educate Employees and Drive Security Awareness
Prevent Loss of Intellectual Property
Labeling Data and Data Classification
Full Disclosure and Data Encryption
Minimizing Liability of the Organization
Separation Between Employer and Employee
Confidentiality Agreement and Nondisclosure Agreement
Business Liability Insurance Policies
Implementing Policies to Drive Operational Consistency
Forcing Repeatable Business Processes Across the Entire Organization
Differences Between Mitigating and Compensating Controls
Policies Help Prevent Operational Deviation
CHAPTER 3 Compliance Laws and Information Security Policy Requirements
What Are U.S. Compliance Laws?
Federal Information Security Management Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Family Educational Rights and Privacy Act (FERPA)
Children’s Internet Protection Act (CIPA)
Why Did U.S. Compliance Laws Come About?
Which Laws Require Proper Security Controls to Be Included in Policies?
Which Laws Require Proper Security Controls for Handling Privacy Data?
Aligning Security Policies and Controls with Regulations
Industry Leading Practices and Self-Regulation
Some Important Industry Standards
Payment Card Industry Data Security Standard (PCI DSS)
Clarified Statement on Standards for Attestation Engagements No. 18 (SSAE18)
Information Technology Infrastructure Library (ITIL)
General Data Protection Regulation (GDPR)
European Telecommunications Standards Institute (ETSI)
Asia-Pacific Economic Framework (APEC)
CHAPTER 4 Business Challenges Within the Seven Domains of IT Responsibility
The Seven Domains of a Typical IT Infrastructure
CHAPTER 5 Information Security Policy Implementation Issues
Personality Types of Employees
Leadership, Values, and Ethics
Advantages of a Hierarchical Model
Disadvantages of a Hierarchical Model
The Importance of Executive Management Support
Selling Information Security Policies to an Executive
Before, During, and After Policy Implementation
The Role of Human Resources Policies
Relationship Between HR and Security Policies
Policy Roles, Responsibilities, and Accountability
Responsibilities During Change
Step 2: Create a Powerful Coalition
Step 3: Create a Vision for Change
Step 4: Communicate the Vision
Step 6: Create Short-Term Wins
Step 8: Anchor the Changes in Corporate Culture
When Policy Fulfillment Is Not Part of Job Descriptions
Impact on Entrepreneurial Productivity and Efficiency
Tying Security Policy to Performance and Accountability
PART TWO Types of Policies and Appropriate Frameworks
CHAPTER 6 IT Security Policy Frameworks
What Is an IT Policy Framework?
What Is a Program Framework Policy or Charter?
Industry-Standard Policy Frameworks
NIST Special Publication (SP) 800-53
Issue-Specific or Control Standards
System-Specific or Baseline Standards
Business Considerations for the Framework
Roles for Policy and Standards Development and Compliance
Information Assurance Considerations
Information Systems Security Considerations
Unauthorized Access to and Use of the System
Unauthorized Disclosure of the Information
Disruption of the System or Services
Destruction of Information Resources
Best Practices for IT Security Policy Framework Creation
Case Studies in Policy Framework Development
Private Sector Case Study Three
CHAPTER 7 How to Design, Organize, Implement, and Maintain IT Security Policies
Policies and Standards Design Considerations
Principles for Policy and Standards Development
The Importance of Transparency with Regard to Customer Data
Types of Controls for Policies and Standards
Document Organization Considerations
Considerations for Implementing Policies and Standards
Publishing Your Policy and Standards Library
Business Drivers for Policy and Standards Changes
Maintaining Your Policy and Standards Library
Best Practices for Policies and Standards Maintenance
CHAPTER 8 IT Security Policy Framework Approaches
IT Security Policy Framework Approaches
Risk Management and Compliance Approach
The Physical Domains of IT Responsibility Approach
Roles, Responsibilities, and Accountability for Personnel
The Seven Domains of a Typical IT Infrastructure
Domain of Responsibility and Accountability
Best Practices for IT Security Policy Framework Approaches
What Is the Difference Between GRC and ERM?
Case Studies and Examples of IT Security Policy Framework Approaches
CHAPTER 9 User Domain Policies
The Weakest Link in the Information Security Chain
Why Govern Users with Policies?
The Privileged-Level Access Agreement (PAA)
Security Awareness Policy (SAP)
Best Practices for User Domain Policies
Understanding Least Access Privileges and Best Fit Access Privileges
Case Studies and Examples of User Domain Policies
CHAPTER 10 IT Infrastructure Security Policies
Anatomy of an Infrastructure Policy
System/Application Domain Policies
Best Practices for IT Infrastructure Security Policies
Case Studies and Examples of IT Infrastructure Security Policies
Critical Infrastructure Case Study
CHAPTER 11 Data Classification and Handling Policies and Risk Management Policies
When Is Data Classified or Labeled?
The Need for Data Classification
Military Classification Schemes
Business Classification Schemes
Developing a Customized Classification Scheme
The Need for Policy Governing Data at Rest and in Transit
Policies, Standards, and Procedures Covering the Data Life Cycle
Identifying Business Risks Related to Information Systems
Development and Need for Policies Based on Risk Management
Risk and Control Self-Assessment
Prioritization of Risks, Threats, and Vulnerabilities
Common Vulnerability Scan Tools
Quality Assurance Versus Quality Control
Best Practices for Data Classification and Risk Management Policies
Case Studies and Examples of Data Classification and Risk Management Policies
CHAPTER 12 Incident Response Team (IRT) Policies
Incident Response Team Members
Responsibilities During an Incident
Information Security Personnel
Business Impact Analysis (BIA) Policies
Development and Need for Policies Based on the BIA
Procedures for Incident Response
Containing and Minimizing the Damage
Cleaning Up After the Incident
Documenting the Incident and Actions
Analyzing the Incident and Response
Creating Mitigation to Prevent Future Incidents
Handling the Media and Deciding What to Disclose
Business Continuity Planning Policies
Dealing with Loss of Systems, Applications, or Data Availability
Response and Recovery Time Objectives Policies Based on the BIA
Best Practices for Incident Response Policies
Disaster Recovery Plan Policies
Assessment of the Disaster’s Severity and of Potential Downtime
Case Studies and Examples of Incident Response Policies
Critical Infrastructure Case Study
PART THREE Implementing and Maintaining an IT Security Policy Framework
CHAPTER 13 IT Security Policy Implementations
Simplified Implementation Process
Lack of Standardization Throughout the IT Infrastructure
Executive Buy-in, Cost, and Impact
Executive Management Sponsorship
Overcoming Nontechnical Hindrances
Employee Awareness and Training
Organizational and Individual Acceptance
Developing an Organization-Wide Security Awareness Policy
Conducting Security Awareness Training Sessions
Human Resources Ownership of New Employee Orientation
Review of Acceptable Use Policies (AUPs)
Information Dissemination—How to Educate Employees
Posting Policies on the Intranet
Brown Bag Lunches and Learning Sessions
Best Practices for IT Security Policy Implementations
Case Studies and Examples of IT Security Policy Implementations
CHAPTER 14 IT Security Policy Enforcement
Organizational Support for IT Security Policy Enforcement
Executive Management Sponsorship
Governance Versus Management Organizational Structure
The Hierarchical Organizational Approach to Security Policy Implementation
Front-Line Managers’ and Supervisors’ Responsibility and Accountability
An Organization’s Right to Monitor User Actions and Traffic
Compliance Law: Requirement or Risk Management?
What Is Law and What Is Policy?
What Security Controls Work to Enforce Protection of Personal Data?
What Automated Security Controls Can Be Implemented Through Policy?
What Manual Security Controls Assist with Enforcement?
Legal Implications of IT Security Policy Enforcement
Who Is Ultimately Accountable for Risks, Threats, and Vulnerabilities?
Where Must IT Security Policy Enforcement Come From?
Best Practices for IT Security Policy Enforcement
Case Studies and Examples of Successful and Unsuccessful IT Security Policy Enforcement
CHAPTER 15 IT Policy Compliance and Compliance Technologies
Creating a Baseline Definition for Information Systems Security
Policy-Defining Overall IT Infrastructure Security Definition
Vulnerability Window and Information Security Gap Definition
Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
Random Audits and Departmental Compliance
Overall Organizational Report Card for Policy Compliance
Automating IT Security Policy Compliance
Training Administrators and Users
Configuration Management and Change Control Management
Configuration Management Database
Tracking, Monitoring, and Reporting Configuration Changes
Collaboration and Policy Compliance Across Business Areas
Version Control for Policy Implementation Guidelines and Compliance
Compliance Technologies and Solutions
COSO Internal Control—Integrated Framework
Best Practices for IT Security Policy Compliance Monitoring
Case Studies and Examples of Successful IT Security Policy Compliance Monitoring