
Security Policy, Standards and Practices

Security Policy
Policy forms the basis of all information security tasks.
Information security policies are the least expensive control to put in place, but the most difficult to implement effectively.
Policies are the set of rules that senior management enforces on the other members of the organization.
A policy regulates the activities of the organization's members who make decisions.

Standards and Practices
Standards are a more detailed description of what must be done to comply with the policy guidelines.
Standards consist of specific, low-level, mandatory controls that help enforce and support the information security policy.
Policy drives the standards, and the standards in turn state the practices, procedures and guidelines.

Standards and Practices: Guidelines
Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.
Guidelines should be viewed as best practices that are not usually requirements but are strongly recommended.
For example, a standard may require passwords to be 8 characters or more, and a supporting guideline may state that it is best practice to also ensure the password expires after 30 days. (The example only illustrates the mandatory/recommended distinction; current guidance such as NIST SP 800-63B advises against forced periodic password expiry unless compromise is suspected.)

Procedures
Procedures consist of step-by-step instructions to assist workers in implementing the various policies, standards and guidelines.
They explain how to implement policies, standards and guidelines in a step-by-step fashion.
For example, a procedure could be written to explain how to install Windows securely, detailing each step that needs to be taken so that the result satisfies the applicable policy, standards and guidelines.

Example
A policy may state that all business information must be adequately protected when being transferred.
A supporting data transfer standard builds upon this, requiring that all sensitive information be encrypted using a specific encryption type and that all transfers are logged.
A supporting guideline explains the best practices for recording sensitive data transfers and provides templates for logging these transfers.
A procedure provides step-by-step instructions for performing encrypted data transfers and so ensures compliance with the associated policy, standard and guideline.

Standards and Practices: Common Standards
The most common is the Information Technology Code of Practice for Information Security Management (BS 7799).
This code was adopted by ISO and IEC (first as ISO/IEC 17799, later renumbered ISO/IEC 27002).
ISO: International Organization for Standardization
IEC: International Electrotechnical Commission

Risk Management

Basics
Asset: a resource, process, product, piece of infrastructure, or anything else that the organization considers worth protecting. The loss of an asset causes tangible or intangible impact on the organization.
Threat: the presence of any potential event that could cause an adverse effect on the organization. It could be initiated by a human (an attack on your website) or by nature (an earthquake).

Basics
Safeguard: a control or countermeasure put in place to reduce the risk associated with a threat.
Vulnerability: the absence or weakness of a safeguard.

Basics
Figure: how the terms relate. A threat agent gives rise to a threat; the threat exploits a vulnerability; the vulnerability leads to risk; the risk can damage an asset and causes an exposure; the exposure can be countered by a safeguard.

Risk Management
Risk management is an ongoing, iterative process that includes identifying, evaluating and mitigating risk in an organization.
It is about knowing:
what we have,
what the problem areas are,
what the likely threats are,
and how well they can be prevented.

Risk Management
Risk management is a targeted, proactive solution to potential threats and incidents.
It is the skill of handling the identified risks in the best possible way in the interest of the organization.
It is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.
Risk = threat x vulnerability x asset value
(Read this as a qualitative relation rather than an arithmetic formula: risk exists only when a threat, a vulnerability that threat can exploit, and an asset worth protecting are all present; remove any one factor and the risk disappears.)

Risk Management
Objective: the objective of performing risk management is to enable the organization to accomplish its mission(s):
by better securing the IT systems that store, process, or transmit organizational information;
by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget;
by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

Risk Management Process
Figure: the process is a cycle: mission and security objectives -> information protection requirements -> evaluate risk -> define alternatives -> decide on risk countermeasures -> implement countermeasures -> back to the mission and security objectives.

Risk Management Process
Step 1 (mission and objective): management sets a clear policy direction.
Step 2 (protection requirements): by understanding the security risk, the security needs are established. Requirements are specified by considering asset value and exposure factor.
Step 3 (risk evaluation): risk evaluation requires a keen eye. It provides a baseline that can be used to focus mitigation and improvement activities.

Risk Management Process
Step 3 (risk evaluation), continued: in this risk analysis we consider
what needs to be protected,
from whom and from what it must be protected,
how it is threatened,
and how it could be protected.
Step 4 (risk response): find out the alternatives available, i.e. what safeguards could be applied.

Risk Management Process
Step 5 (selection of safeguard): after identifying the various countermeasures available for protecting the assets, we have to choose a set that matches the threats envisaged.
Some selection criteria:
accountability features of the safeguard
level of manual operation required
cost/benefit analysis
ability to recover

Risk Management Process
Step 6 (implementation of safeguard): the implementation process involves deploying the countermeasure and then continuously monitoring it to check whether it has proved beneficial.

Risk Management Process
Risk management encompasses three processes:
risk assessment,
risk mitigation,
evaluation and assessment.

Risk Assessment
Risk assessment is the first process in the risk management methodology.
Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system.
The output of this process helps to identify appropriate controls for reducing or eliminating risk.

Risk Assessment
Step 1: System characterization. Define the scope of the effort, i.e. identify the system boundaries and resources. Understand the system processing environment (hardware, software, data, users, etc.).
Step 2: Threat identification. Identify the threats and threat sources.
Step 3: Vulnerability identification. Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat sources.

Risk Assessment
Step 4: Control analysis. Analyze the controls that have been implemented, or are planned for implementation, to minimize or eliminate the likelihood (or probability) of a threat exercising a vulnerability.
Step 5: Likelihood determination. The likelihood that a potential vulnerability could be exercised by a given threat source can be described as high, medium, or low.

Risk Assessment
Step 6: Impact analysis. Determine the adverse impact resulting from a successful exercise of a vulnerability by a threat (e.g. loss of availability, confidentiality or integrity).
Step 7: Risk determination. Assess the level of risk to the system by combining the likelihood (step 5) and impact (step 6) ratings; the risk level is expressed as high, medium or low.

Risk Assessment
Step 8: Control recommendation. Controls that could eliminate or reduce the identified risks are provided. The goal of the recommended controls is to reduce the level of risk to an acceptable level.
Step 9: Results documentation. Once the risk assessment has been completed, the results should be documented in an official report or briefing.

Risk Mitigation
Risk mitigation, the second process of risk management, involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the risk assessment process.
Address the greatest risks first and strive for sufficient risk mitigation at the lowest cost, with minimal impact on other mission capabilities.

Risk Mitigation
Step 1: Prioritize actions (based on the risk levels from the assessment).
Step 2: Check the feasibility of the recommended control options.
Step 3: Conduct a cost-benefit analysis.
Step 4: Select controls. On the basis of the results of the cost-benefit analysis, management determines the most cost-effective controls.
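As an added worked example (not part of the original slides), the following Python script carries Risk Assessment steps 5 to 7 and Risk Mitigation steps 1 to 4 through on a constructed risk register. The thresholds of the 3x3 likelihood-by-impact matrix are an assumption made for this example, as is the use of the standard quantitative formulas SLE = asset value x exposure factor and ALE = SLE x annualised rate of occurrence for the cost-benefit step; every asset value, rate and control cost below is made-up sample data.

```python
"""Risk determination, prioritisation and cost-benefit control selection.

Added example, not from the original slides. Matrix thresholds and the
SLE/ALE formulas are assumptions; all figures are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}


def risk_level(likelihood: str, impact: str) -> str:
    """Step 7 (risk determination): combine the step 5 likelihood rating and
    the step 6 impact rating on a 3x3 matrix (thresholds assumed here)."""
    score = LEVEL[likelihood] * LEVEL[impact]
    if score >= 6:
        return "high"      # medium x high, high x high
    if score >= 3:
        return "medium"    # low x high, medium x medium
    return "low"           # low x low, low x medium


@dataclass
class Risk:
    asset: str
    asset_value: float        # business value of the asset (currency units)
    threat: str
    vulnerability: str
    likelihood: str           # step 5: high / medium / low
    impact: str               # step 6: high / medium / low
    exposure_factor: float    # fraction of asset value lost per occurrence
    aro: float                # annualised rate of occurrence (events/year)

    def sle(self) -> float:
        """Single loss expectancy = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO."""
        return self.sle() * self.aro

    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


@dataclass
class Control:
    name: str
    annual_cost: float
    residual_aro: float       # ARO expected once the control is in place
    feasible: bool = True     # mitigation step 2: feasibility check


def net_benefit(risk: Risk, control: Control) -> float:
    """Mitigation step 3 (cost-benefit): ALE reduction minus annual cost."""
    residual_ale = risk.sle() * control.residual_aro
    return (risk.ale() - residual_ale) - control.annual_cost


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Mitigation step 1: highest risk level first, then largest ALE."""
    return sorted(risks, key=lambda r: (LEVEL[r.level()], r.ale()), reverse=True)


def select_control(risk: Risk, candidates: list[Control]):
    """Mitigation step 4: the feasible control with the largest positive net
    benefit, or None when every option costs more than the loss it prevents
    (the risk is then accepted or other options are sought)."""
    best = None
    for c in candidates:
        if not c.feasible:
            continue
        nb = net_benefit(risk, c)
        if nb > 0 and (best is None or nb > best[1]):
            best = (c, nb)
    return best


# Constructed sample register (hypothetical assets, threats and figures).
RISKS = [
    Risk("customer database", 500_000, "SQL injection", "unvalidated input",
         "high", "high", 0.6, 0.5),
    Risk("web server", 50_000, "DDoS", "no upstream filtering",
         "medium", "medium", 0.2, 2.0),
    Risk("office printer", 2_000, "theft", "unlocked room",
         "low", "low", 1.0, 0.1),
]
CONTROLS = {
    "customer database": [
        Control("parameterised queries + code review", 40_000, 0.05),
        Control("WAF only", 25_000, 0.25),
        Control("rewrite application", 400_000, 0.01, feasible=False),
    ],
    "web server": [Control("CDN/scrubbing service", 12_000, 0.2)],
    "office printer": [Control("door lock", 3_000, 0.01)],
}


def mitigation_plan():
    """Return (asset, risk level, ALE, chosen control or None) in priority order."""
    plan = []
    for r in prioritize(RISKS):
        choice = select_control(r, CONTROLS[r.asset])
        plan.append((r.asset, r.level(), r.ale(), choice[0].name if choice else None))
    return plan


if __name__ == "__main__":
    for row in mitigation_plan():
        print(row)
```

The printer row shows the case the slides describe as reducing risk "to an acceptable level" rather than eliminating it: the only control costs more per year than the expected loss, so no control is selected and the residual risk is accepted.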

Risk Mitigation
Step 5: Assign responsibility. Appropriate persons who have the expertise and skill sets to implement the selected controls are identified, and responsibility is assigned.
Step 6: Develop a safeguard implementation plan.
Step 7: Implement the selected control(s).

Evaluation and Assessment
Systems are always bound to change, and these changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus the risk management process is ongoing and evolving. A successful program therefore needs:
the awareness and cooperation of the organization's members;
good security practice, with a specific schedule for assessing and mitigating mission risks;
senior management's commitment;
evaluation and assessment of the new risks.

Business Continuity and Disaster Recovery Planning

BCP & DRP
Plans must be made to preserve the business in case of a disaster or a disruption of service.
There are two types of planning to recover from such cases:
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)

BCP & DRP
BCP: refers to the means by which loss of business may be avoided, by defining the requirements for continuity of operations.
DRP: deals with the restoration of computer systems and their software during and after a disaster has occurred.
BCP: ensures that you can continue your business functions and keep making money, even after a disaster.
DRP: DR is the process of resuming the business after a disruptive event.
BCP: is a pre-emptive process used in preparation for handling a disaster.
DRP: addresses the procedures to be followed during and after the loss.
BCP: is a management issue, carried out by management.
DRP: is a technical issue, carried out by IT people.

BCP & DRP
Figure: timeline after a disruptive event. Immediately after the event there is no business activity (the domain of IT risk avoidance); disaster recovery then brings up a manual process and a recovery process; business continuity planning returns the organisation to its normal process.

BCP
BCP is a holistic process that encompasses:
planning for potential disasters,
crafting a plan for data backup, hardware and other resources,
managing the plan in a dynamic fashion,
and practising the plan, e.g. mock fire drills.
BCP allows preparation, testing and maintenance of specific actions to recover normal data processing.
BCP ensures the continuation of business functions even after a disaster destroys the data processing capabilities.

BCP
The BCP process has the following key phases:
1. Scope and plan initiation
2. Business Impact Analysis (BIA)
3. Development of the business continuity plan
4. Approval of the business continuity plan and implementation

BCP Process
1. Scope and plan initiation
This phase marks the beginning of the BCP process and defines the organisation's initial response to a disaster.
The activities in this phase are:
establish the requirement for continuity of operations
get management support
establish the teams: functional, technical, and the business continuity coordinator
create a work plan
submit an initial report to management
obtain approval

BCP Process
2. Business Impact Analysis (BIA)
The BIA is a process used to help business units understand the impact of a disruptive event.
When performing the BIA the goals are:
Prioritization of criticality: identify every critical business process and unit, prioritize them, and evaluate the impact of a disruption.
Estimation of downtime: estimate the maximum tolerable downtime (MTD). The MTD is the time that a business process can remain interrupted before the organisation reaches a position of no recovery.

BCP Process
2. Business Impact Analysis (BIA)
BIA goals (continued):
Identification of resources: the resources required for each critical process are identified. The most time-sensitive processes receive the maximum resource allocation.

BCP Process
2. Business Impact Analysis (BIA)
Process in the BIA:
select appropriate information-gathering tools (surveys, interviews, software tools)
select the interviewees and design the questionnaires
analyse the gathered information
identify the time-critical business functions
assign MTDs
rank the critical business functions by MTD
report recovery options
obtain management's approval

BCP Process
2. Business Impact Analysis (BIA)
Example BIA
Suppose the company's central database stops functioning. Key personnel should then ask:
Who are the key customers? What will be the impact on them?
Who are our internal/external suppliers? What happens if they fail to deliver support?
What are the key processes required to execute daily, weekly and monthly to support the business requests and overall deliverables?

BCP Process
3. Development of the Business Continuity Plan
Decide on a recovery strategy, which includes recovering business operations, facilities and supplies, users, and networks and data centres.
Decide the scope of recovery.
Plan methods for recovering data: taking backups of data and applications, using on-site storage of media, etc. (A caveat: backup media held only on site will be lost together with the site; off-site copies are needed to recover from a disaster that destroys the primary facility.)

BCP Process
4. Approval of the business continuity plan and implementation
Obtain approval from management.
Test the plan and fix any problems found.
Build the plan into the organisation.
Awareness and training must be given.

DRP
DRP goals
Provide for smooth and rapid restoration of services.
Clearly document the DR requirements.
Establish the alternative means of operation in advance.
Train the personnel in the recovery procedures.
Validate the processes and data required for recovery of services.

DRP
DRP steps
1. Define business goals
Identify the systems and processes and their impact on the overall business goals.
Document the areas to be recovered and the amount of loss that is acceptable.
2. Identify key personnel
Find the right person to declare the disaster.
Maintain the names and roles of these persons along with their contact numbers.

DRP
DRP steps
3. Identify single points of failure
The goal is to mitigate the risk. For each one, the impact of failure, the probability of failure, the estimated number of incidents, the expected loss and the expected cost of mitigation are recorded.
4. Create a DR team
5. Develop a DRP addressing the functional areas (restoring and sustaining business operations, transferring data back to the machines) as well as the technical areas (hardware issues, software issues, network issues).

DRP
DRP steps
6. Create procedures that support the DR plan
7. Test and refine the DRP

DRP
DR plan
Plan: define the affected area (scope), the team members (along with contact numbers), and the report format.
Operational analysis: review physical security; self-assessment through a data access audit; review of critical services, processes and functions.
Risk analysis: technical and non-technical risk analysis; BIA.

DRP
DR plan
Documentation: vendor list, remote locations, critical phone numbers, critical software systems.
Downtime tolerance and recovery priorities: business unit list, tolerance for downtime, components of recovery.

DRP
Alternate site: a location, other than the normal facility, used to process data and/or conduct critical business functions in the event of a disaster.
Cold site
An off-site, pre-configured facility that has the necessary utilities.
A cold site only has the basic environment (electrical wiring, air conditioning, flooring, etc.); no computing components are provided at the site in advance.
Activation of the site may take several weeks, so it trades low access cost against long recovery time.

DRP
Alternate sites:
Warm site
Partially configured, usually with network connections and selected peripheral equipment such as disk drives and controllers, but without the main computing equipment or with only a low-grade CPU.
It is called warm because the computing equipment can be obtained quickly for emergency installation and the site is ready within several hours.

DRP
Alternate sites:
Hot site
A stationary or mobile facility containing all the backup support of a cold site plus a computer similar to the one at the primary site.
Hot sites are fully configured and ready to use.
The only additional needs are staff, programs and data files.
The cost associated with a third-party hot site is usually high.
The hot site is intended for emergency operation for a limited time period, not for prolonged use.

DRP
Alternate sites:
Reciprocal arrangements
An arrangement between two or more organisations that possess similar information processing facilities (IPFs).
Both parties promise to provide each other with computer time in the event of an emergency.
Duplicate IPF
Dedicated, self-developed recovery sites that can back up critical applications.
They can work as a standby hot site or as the basis of a reciprocal arrangement with another organisation's IPF installation.

DRP test types
Checklist test
Copies of the DR plan are distributed to each business unit head.
The plan is then reviewed to ensure that it addresses all procedures and critical areas of the organisation.
It is a preliminary test, not a satisfactory test on its own.

DRP test types
Structured walk-through test
Business management representatives hold a meeting to walk through the plan.
The goal is to ensure that the plan accurately reflects the organisation's ability to recover from a disaster.
Faults in the plan are picked up.
Simulation test
All the operational and support personnel are expected to perform in a practice session.
The goal is to test the ability of personnel to respond to a simulated disaster.

DRP test types
Parallel test
A full test of the recovery plan, utilising all personnel.
The test processing runs in parallel with the real processing, without stopping the business, and the results are then compared.
The goal is to ensure that the critical systems will run at the alternate processing (backup) site.
Full interruption test
Here the disaster is replicated even to the point of ceasing normal operations, as if it were a real disaster.
It is a very scary form of test, but it shows in an absolute way whether the plan works or not. (It should be scheduled with management approval, in a low-impact window, and with a rehearsed way to fall back to normal operations if the recovery fails.)

Ethics and Best Practices

Ethics
Laws: rules that mandate or prohibit certain societal behaviour.
Ethics: define socially acceptable behaviour.

Importance of Ethics to Security
Information security professionals are entrusted with the crown jewels of an organization.
Ethical behaviour, both on and off the job, is the assurance that we are worthy of that trust.
Information security sets and upholds a standard.
Promote uniform adherence to policy through example.

Ethics Overview
Ethics is about the way we should conduct ourselves when providing our services within the IT security profession.
The purpose of ethics in information security is not just philosophically important; it can mean the survival of a business or an industry.

Ethics and Information Security
Ethical challenges in InfoSec:
misrepresentation of certifications and skills
abuse of privileges
inappropriate monitoring
withholding information
divulging information inappropriately
overstating issues
conflicts of interest
management / employee / client issues

Ethical Challenges: Snake Oil
"Consultants" who profess to offer information security consulting, but offer profoundly bad advice.
"Educators", both individuals and companies, that offer to teach information security, but provide misinformation (generally through ignorance, not intent).
"Security vendors", who oversell the security of their products.
"Analysts", who oversimplify security challenges and try to upsell additional services to naive clients.
"Legislators", who push through "from-the-hip" regulations without thoughtful consideration of their long-term impact.

Ethical Differences Across Cultures
Cultural differences create difficulty in determining what is and is not ethical.
Difficulties arise when one nationality's ethical behaviour conflicts with the ethics of another national group.
Example: software piracy. Surveys of attitudes toward copying software find that what is treated as normal use of computer technology in some Asian countries is regarded as unethical in others.

Ethics and Education
Within a small population, educating people can help in levelling ethical perceptions.
Employees must be trained in the expected behaviours of an ethical employee, especially in the area of information security.
They must be trained to understand what is ethical and what is not.
Proper ethical training is vital in creating informed, well-prepared, low-risk system users.

Ethics
The quality of professional security activity depends upon the willingness of practitioners to observe special standards of conduct and to manifest good faith in professional relationships.
The six rules that follow are those of the ASIS International Code of Ethics.

Rule 1
A member shall perform professional duties in accordance with the law and the highest moral principles.
Ethical considerations
1. A member shall abide by the law of the land in which the services are rendered and perform all duties in an honourable manner.
2. A member shall not knowingly become associated in responsibility for work with colleagues who do not conform to the law and these ethical standards.
3. A member shall be fair and respect the rights of others in performing professional responsibilities.

Rule 2
A member shall observe the precepts (general rules) of truthfulness, honesty, and integrity.
Ethical considerations
A member shall disclose all relevant information to those having a right to know.
A right to know is a legally enforceable claim or demand by a person for disclosure of information by a member. This right does not depend upon prior knowledge by the person of the existence of the information to be disclosed.
A member shall not knowingly release misleading information, nor encourage or otherwise participate in the release of such information.

Rule 3
A member shall be faithful and diligent (thorough) in discharging professional responsibilities.
Ethical considerations
A member is faithful when fair and steadfast (persistent) in adherence to promises and commitments.
A member is diligent when employing best efforts in an assignment.
A member shall not act in matters involving conflicts of interest without appropriate disclosure and approval.
A member shall represent services or products fairly and truthfully.

Rule 4
A member shall be competent in discharging professional responsibilities.
Ethical considerations
A member is competent who possesses and applies the skills and knowledge required for the task.
A member shall not accept a task beyond the member's competence, nor shall competence be claimed when not possessed.

Rule 5
A member shall safeguard confidential information and exercise due care to prevent its improper disclosure.
Ethical considerations
Disclosure of confidential information should be restricted.
Due care requires that the professional must not knowingly reveal confidential information, or use a confidence to the disadvantage of the principal or to the advantage of the member or a third person, unless the principal consents after full disclosure of all the facts.
This confidentiality continues after the business relationship between the member and his or her principal has terminated.

Rule 5
Ethical considerations (continued)
A member who receives information and has not agreed to be bound by confidentiality is not barred from disclosing it.
A member is not bound by confidential disclosures of acts or omissions that constitute a violation of the law.
A member shall not disclose confidential information for personal gain without appropriate authorization.

Rule 6
A member shall not maliciously injure the professional reputation or practice of colleagues, clients, or employers.
Ethical considerations
A member shall not comment falsely and with malice concerning a colleague's competence, performance, or professional capabilities.
A member who knows, or has reasonable grounds to believe, that another member has failed to conform to the Code of Ethics should inform the Ethical Standards Council.

Responsible Professional Guidelines
A responsible professional:
acts with integrity
increases personal competence
sets high standards of personal performance
accepts responsibility for his/her work
advances the health, privacy, and general welfare of the public
