Operation Security University of the Cumberlands WK14 Implementing Policies HW

Question Description
Your policies need high visibility to be effective. When implementing policies, you can use various methods to spread the word throughout your organization. Use management presentations, videos, panel discussions, guest speakers, and road shows, in a manner that ensures that management's support is clear, especially where employees feel overwhelmed with policies, directives, guidelines, and procedures.

Attachment: Week 14 Security Policy Framework Case Study.pdf

Based on the above case study or the Case Study on Page 168 of your text, write a 3 – 6 page paper to include the below information:
Assign roles and responsibilities for employees at varying levels in the corporate hierarchy that are responsible for security policies.
Analyze risk assessment and risk mitigation strategies and policy needs based on best practices.
Summarize your findings.
Include proper APA citations for any references you use in your research. Ensure you have proper spelling, grammar, and mechanics throughout your writing. Please name your file Lastname_14_CaseStudy_Assignment.doc and submit it according to the directions below.

Upload Instructions: Select the Submit Assignment button to the right. Click Choose File, located in the File Upload box. Navigate to your file location. Once the file is located, select it and then select the Open button. Click Submit Assignment to complete the upload process.

Reference: Rees, J., Bandyopadhyay, S., & Spafford, E. H. (2003). A policy framework for information security. Communications of the ACM, 46(7), 101–105.
week_14_security_policy_framework_case_study.pdf
A Policy Framework for Information Security
Creating and maintaining effective security strategy and policy for software applications.
By Jackie Rees, Subhajyoti Bandyopadhyay, and Eugene H. Spafford
Communications of the ACM, July 2003, Vol. 46, No. 7, pp. 101–105

As organizations increasingly rely on information systems as the primary way to conduct operations, keeping such systems (and the associated data) secure receives increasing emphasis. However, the prevalent model within many organizations appears to be an ad hoc approach to security, where the latest breach becomes the model for future occurrences. For example, Microsoft issued over 80 critical patches for its IIS Web Server software over the past three years. Despite the low initial cost of the software, the maintenance costs over time are prohibitive [2]. A well-designed and maintained security policy potentially can reduce such costly forays, as well as provide protection from disaster.

Our objective here is to provide information security professionals and top management a framework through which useable security strategy and policy for applications can be created and maintained in line with the standard information technology life cycle. This framework, the Policy Framework for Interpreting Risk in E-Business Security (PFIRES), was initially developed for e-commerce activities and has since been generalized to handle security policy for all types of organizations engaged in computing and Internet operations. This framework offers a possible starting point for understanding a security policy's impact on an organization, and is intended to guide organizations in developing, implementing, and maintaining security policy.

Information Security Policy

Security policies are generally high-level, technology neutral, concern risks, set directions and procedures, and define penalties and countermeasures if the policy is transgressed, and must not be confused with implementation-specific information, which would be part of the security standards, procedures, and guidelines. Security policies are created by empowered organizational representatives from human resources, legal and regulatory matters, information systems, public relations, security, and the various lines of business. A guideline for developing Internet-specific security policy was discussed in [5], while more generalizable security policies and guidelines can be found in [8]. The problem with current approaches is that none address the problem of keeping up with the increasing rate of change in technology and within the marketplace, nor do they consider how to keep such policies consistent and aligned with organizational objectives.

To develop a tool to aid in the formulation and management of security policies, other tools in similarly changing business arenas were examined. As is the case for most systems problems, the best approach was found to be a structured one, including analyzing risk and delegating resources to protect the most valued assets of the organization [1]. PFIRES was developed borrowing from both the new product development life cycle [7] and the systems development life cycle (SDLC) [4]. While creating security policy is not an exact science, well-defined processes can be put into place so that all security-related requirements are systematically considered. An analogue is the SDLC, which embodies a well-defined process for considering business requirements, translating such requirements into an information systems context, and then developing an information system that supports those requirements. PFIRES is intended to be systematic, yet dynamic. The framework is detailed enough to ensure that an organization does not overlook anything while addressing a security issue, but dynamic enough to ensure the speed and execution required to adapt rapidly to changing business scenarios.

A Policy Framework for Interpreting Risk in E-Business Security

The PFIRES life cycle consists of four major phases: Assess, Plan, Deliver, and Operate, as shown in Figure 1. Because policy development is an iterative process, the model includes feedback loops at every step. Feedback is also necessary to ensure the requirements of the previous step are satisfied.

[Figure 1. PFIRES life-cycle model.]

Organizational change is defined as a continuum, with the two end points being tactical and strategic. Tactical changes involve short-term goal achievement and how to control and evaluate the process of achieving goals, whereas strategic changes are long-term, broad-based initiatives involving positioning applications and typically involve members of senior management [6]. Most organizational change falls somewhere between these two end points.

Assess Phase

The Assess phase can be initiated by two distinct events: either a decision to execute the model from scratch or a response to a proposed change output from the Review Trends and Manage Events step. In either case, the goal is to assess the proposed change against the existing policy and organizational environment. The Assess phase has three possible results, as shown in Figure 2.

For a company executing the PFIRES model for the first time, the Assess phase is the logical starting point. However, before beginning the process of implementing security policy, the company needs to review existing policy and complete a full risk assessment. These are conducted during the two steps included in the Assess phase: Policy Assessment and Risk Assessment.

Policy Assessment. Whether PFIRES is initiated as a result of initial policy creation or a change to existing policy, Policy Assessment is conducted to review existing policies, standards, guidelines, and procedures. The determination of whether the proposed change is strategic or tactical will affect how steps later in the life cycle will be explored; however, if this is the organization's first time executing the model, the effort is by definition strategic in nature. There are four sub-steps within the Policy Assessment step: Analyze Policy Environment, Identify Policy Gaps and Contradictions, Summarize Policy Assessment Results, and Develop Policy Recommendations. Executed in sequence, these sub-steps result in a decision regarding whether to accept the proposed changes and an assessment of how the proposed change affects existing policy. Once the policy assessment is complete, a decision needs to be made on where the proposed change falls within the change continuum. The position on the change continuum that the proposed change falls in will help determine the scope of the Risk Assessment step, thus influencing the execution of the subsequent steps of the life cycle.

Risk Assessment. Risk Assessment identifies the business assets an organization wants to protect, and identifies potential threats to those assets. The various sub-steps in the risk assessment process are:

• Conduct Security Assessment identifies elements in the current or proposed environment subject to threats that could compromise information assets.
• Assess Business Risk identifies the most valuable assets in terms of security. While intangible assets are difficult to valuate, it is beneficial to rank them.
• Develop Security Recommendations involves identifying security options, determining payroll and non-payroll cost, determining the priority of options, verifying results and developing a cost/benefit matrix.
• Summarize Assessment Final Recommendations documents the results of both the Policy and Risk Assessments so management can decide whether to accept the proposed change.

[Figure 2. The Assess phase flowchart.]

If accepted, the life cycle for this particular proposed change continues in the Plan phase. If rejected, but it is determined that other policy changes are required, the Plan phase follows as well. Otherwise, the life cycle resumes in the Operate phase.

Plan Phase

The Plan phase prepares for the implementation of the proposed change, including creating or updating policy and defining the requirements for the proposed change. The Plan phase has two sub-steps: Policy Development and Requirements Definition.

Policy Development. It is vital to develop security strategy and policy that is in line with existing business strategy and policy. Activities during Policy Development assure this. Policy Development itself consists of two sub-steps: Create/Update Security Strategy and Create/Update Security Policy.

Create/Update Security Strategy. Security strategy is an overview of future business direction along with the security controls needed to support these business functions. A security strategy session should be held consisting of the following tasks: identify future business initiatives; identify risks to each initiative; identify security options; prioritize security initiatives and document security strategy. This session should include key management personnel not only for their thought leadership but to gain their confidence in the entire process.

Create/Update Security Policy. Specific tasks of this sub-step include identifying areas for security policy, drafting security policy, reviewing security policy and publishing security policy.

Requirements Definition. Within Requirements Definition an organization analyzes its security policy in order to define the requirements of the new security architecture in light of the updated policy. The three sub-steps are outlined here.

Translate Recommendations to Requirements. The high-priority recommendations developed in the Risk Assessment are used in this sub-step to create the security infrastructure necessary to support the change.

Develop Detailed Security Requirements. The high-level requirements from the previous sub-step are expanded to a sufficient level of detail so that control selection can begin. This sub-step carefully considers the overall technical environment so that the proposed change will tightly integrate and support the existing environment. Interoperability requirements such as systems and network support, and standards and application programming interface support must be considered.

Verify Requirements. The requirements defined in the previous two sub-steps are validated against the inputs to the Requirements Definition step. All requirements should map back to a specific risk (as documented in the Risk Assessment) or to a specific point in the Security Policy. It is also important during this sub-step to evaluate the detailed requirements against industry best practices. Additionally, particular market segments may need to meet requirements specified by their country or local government, or by other authoritative bodies.

The Deliver Phase

The Deliver Phase is the actual implementation of the policy. The phase consists of two steps: Controls Definition and Controls Implementation, as shown in Table 1.

Table 1. The Deliver phase steps and sub-steps.
Phase     Step                       Sub-steps
Assess
Plan
Deliver   Controls Definition        Design Infrastructure; Determine Controls; Evaluate Solutions; Select Controls
          Controls Implementation    Create Implementation Plan; Build; Test; Pilot and Deployment
Operate

Controls Definition. Controls are practices, procedures or mechanisms that reduce security risks, and this step defines those needed to meet the requirements of the security policy. Controls Definition consists of four sub-steps: Design Infrastructure, Determine Controls, Evaluate Solutions, and Select Controls. These sub-steps are sequential in nature and follow the widely used SDLC [4].

Design Infrastructure. In this sub-step, the requirements from the Plan phase are used to design a high-level security infrastructure containing technical, procedural, and organizational components.

Determine Controls. The high-level designs are translated into controls and their requirements. Specific organizations may have additional requirements, such as a control provided by a partner-vendor or other preferred provider.

Evaluate Solutions. The security marketplace is growing rapidly, and it is likely there will be several choices meeting the general requirements. The purpose of this sub-step is to identify and evaluate the options for each control and select the best option.

Select Controls. The solution best meeting the control requirements is selected and mapped to the infrastructure design. The controls list should be validated to assure duplicate requirements are not being met by different solutions and to identify opportunities for controls reuse across the security infrastructure.

Controls Implementation. This step implements the controls selected in the prior step. Activities include building, testing, and implementing the final security infrastructure. This step is executed through four sub-steps: Create Implementation Plan, Build, Test, and Pilot and Deployment. During deployment, once the infrastructure is in place in the "live" environment, a final risk assessment should be performed to assure that all known threats have been addressed and the solution is secure.

Create Implementation Plan. A specific plan is created in order to translate design into reality. With a detailed plan, the security infrastructure is more likely to be built on time and to meet requirements.

Build. The scope of this sub-step will vary widely depending on the controls. However, there are some specific planning considerations. It is in this sub-step where detailed procedures and performance support are developed to support the selected controls. These procedures are critical to the successful ongoing management and monitoring of the security architecture. This sub-step also includes activities to develop training products including help files and manuals.

Test. Once the security infrastructure has been built, it must be tested to ensure the design was completely executed, the identified threats have been addressed, and no new vulnerabilities have been identified. Activities during this sub-step will include three types of testing: vulnerability assessment, security infrastructure validation, and application security support.

Pilot and Deployment. Once tested, the security infrastructure is deployed to the production environment. Whether a pilot is required depends on scope. Deployment includes configuring and installing security architecture components and rolling out new processes and procedures through communication and training. Deployment should ensure that security requirements as set forth in the policy are met, and that no new security risks are introduced.

Operate Phase

The Operate phase occurs on a daily basis. Its purpose is to monitor the controls that have been put in place to secure the organization and handle incidents as they arise. In addition, business and technology trends are watched and analyzed.

Monitor Operations. The purpose of this step is to define the daily activities throughout the organization to ensure the security policy is enforced across the security infrastructure. These activities can be broken into a few general categories as depicted in Figure 3. This step is unique because it is not clearly executed through a series of sub-steps, but instead consists of several simultaneous activities that must coexist to support the environment.

[Figure 3. Activities in the Monitor Operations step.]

Administration and Operations. This activity covers administrative functions and can include, but is not limited to: user administration (adding, deleting, and modifying system and application users); evaluating and applying security patches to systems and applications; system and application monitoring for security events; monitoring security news resources for new vulnerabilities and administering anti-virus applications.

Communications. This activity communicates to different audiences the appropriate security messages (see Table 2). Each organization will have several different audiences, some requiring only an awareness of security, and others requiring time-sensitive information.

Table 2. Examples of communications messages.
End Users
• Protect your authentication credentials
• Do not download material from unknown sources
• Comply with Internet acceptable use policies
Administrators
• Review recent CERT alerts on new Unix security vulnerabilities
• Change security standards based on new threats
• Installation procedures for tested security patches to install

Investigations. Investigations includes activities necessary to examine a situation or incident, determine root cause or verify facts, and recommend action. Common situations where an investigation will be necessary include: after a break-in or hack has occurred; when an employee is suspected of violating corporate policy; after an unplanned security event caused a system to crash; and after a fraud has occurred.

Security Services. Security services deals with providing security specialists to project teams as they design new capabilities, refine existing processes, or otherwise undertake change within the environment. The security services function can be viewed as a consulting role and can be filled by a dedicated group within the security organization or by an external service provider.

Compliance. Compliance includes those activities necessary to ensure the infrastructure is following security policy guidelines. It is typically thought of as an internal audit function, but a security compliance program is more proactive than quarterly audit reports and findings.

Review Trends and Manage Events. A security policy that is not constantly evaluated and updated is of no value. This final activity identifies those events or trends that may signal a need to reevaluate the security policy. This step can be broken down into the following four sub-steps: Manage events (planned and unplanned); Identify internal trends; Identify external trends; and Escalate to Assess phase. As in the Monitor Operations step, these activities are not sequential. Although escalation is always the last step, event management and trend identification can take place simultaneously.

Manage Events. Events are situations outside of normal activity, for example, individuals violating an acceptable use policy by seeking sports scores on the Web during business hours. Although outside of approved or normal activity, such an event can easily be planned for by establishing procedures so if it does occur it can be processed as part of planned operations. Conversely, there are situations that can be anticipated but not in exact detail, such as data destruction. These unexpected events require an incident response process including documenting the incident, maintaining records of what was altered during the incident, providing appropriate information to support legal action, procedures for tracing the source of an event, guidelines for when or how to escalate an event through chain of management, and procedures for containment of events to limit damage [3].

Identify External Trends. This sub-step looks for external trends that may indicate the need to reassess current security policy. Its key components are identifying information that may have security relevance and determining whether to escalate a trend or event to the Assess phase. To determine if an event or trend should be escalated, it must be considered within the …
