O BJECTIVES

Compose a statement of authority

Develop and evaluate policies related to the

information security policies documents
objectives and ownership

Create and asses policies associated with the

management of security-related activities

Assess and manage the risks inherent in working

with third parties

C OMPOSING A S TATEMENT OF
A UTHORITY

The statement should be issued by an authority

figure such as a CEO, President

Buy-in from top management is a must

It provides adequate credibility to the policy for all

employees

C OMPOSING A S TATEMENT OF
A UTHORITY C ONT.

The statement is an introduction to the policy

Statement of authority & statement of culture

It sets the tone for the document to come

Exposes the values of the company and what

security measures will be deployed to protect
them

An attempt at recruiting employees to act in a

secure fashion to protect the company

C OMPOSING A S TATEMENT OF
A UTHORITY C ONT.

The goal of the statement of authority: to deliver

a clear message about the importance of
information security for all employees

If the message is not clear, employees will either

act erroneously by mistake or will disregard the
whole document altogether

The statement is a teaching tool

It should be created, promoted and used as such

C OMPOSING A S TATEMENT OF
A UTHORITY C ONT.

The statement should reflect the company

culture in both format and content

Information security is first and foremost cultural

and behavioral

Employees need to identify and embrace with the

company culture

It is made easier if the documents that are part of

the security policy are clearly in accordance with
the company policy

S ECURITY P OLICY D OCUMENT

P OLICY

States the need for written information security

policies as well as who is responsible for creating,
approving, enforcing & reviewing policies

These responsibilities must be clearly stated in the

document so that no phase of the process is
abandoned or ignored

Strong leadership is always a part of successful

information security policies

S ECURITY P OLICY D OCUMENT

P OLICY C ONT.

Emphasizes managements approach and

commitment to information security

No Information policy can be successful without full

and unequivocal support from Management

Its a policy about needing and having policies!

F EDERAL L AW & I NFORMATION

S ECURITY P OLICY

Many private sector industries are federally regulated:

Financial Sector:

GLBA (Gramm-Leach-Bliley Act)

SOX (Sarbanes-Oxley, which affects

publicly-traded companies)

Healthcare:

HIPAA (Health Insurance Portability & Accountability Act

Educational Institutions:

FERPA (Family Educational Rights & Privacy Act)

F EDERAL L AW & I NFORMATION

S ECURITY P OLICY C ONT.

Some organizations may fall under several

federal mandates

If necessary, companies should hire 3rd-party

experts to identify under which mandates a
company falls

ISO 17799 can be mapped to several federal

mandate regulations

Here again, it may be advantageous to hire 3rdparty compliance experts to guide and support
the companys compliance team

S ECURITY P OLICY D OCUMENT

P OLICY C ONT.

10

The Information Security Policy Document policy

should reference federal and state regulations to
which the organization is subject

It is important to integrate those regulations in

the policies written for and deployed by the
company

The first step towards compliance is awareness!

11

T HE N EED FOR AN E MPLOYEE

V ERSION OF THE S ECURITY
P OLICIES

Whole document can be too complex &

intimidating

The goal is to create a guide of what is acceptable

and what is not. Making the document too
complex defeats that purpose

The goal is for employees to read, understand

and act according to the policies

The policies are useless without proper employee

support

T HE N EED FOR AN E MPLOYEE

V ERSION OF THE S ECURITY
P OLICIES C ONT.

12

Employees should only be given those policies

that apply to them

Need-to-know and the concept of least privilege

apply here as well!

Acceptable Use Agreement should be drafted

and distributed to all employees

It should include (but is not limited to):

An Internet use policy

An Email use policy

T HE N EED FOR AN E MPLOYEE

V ERSION OF THE S ECURITY
P OLICIES C ONT.

13

Remind all employees that information cannot

be protected if they dont all buy in and adopt
the policies that regulate the company

Again, information security is behavioral and

cultural

There is no technical device that a company can

deploy that will protect the confidentiality,
integrity and availability of data if employees are
not also enrolled in actively protecting the
company data

P OLICIES

14

ARE

D YNAMIC

Organizations change, either directly or

indirectly. Their policies must also change to
reflect this dynamic situation

Scheduled, regular reviews should take place

Change drivers are events within an organization

that affect culture, procedures, activities,
responsibilities, and more

Change drivers must be identified and analyzed

15

P OLICIES

ARE

D YNAMIC C ONT.

Change drivers may introduce new activities

and/or vulnerabilities

Identified change drivers should trigger new risk

& vulnerability assessments

Companies should also have regularly scheduled

risk and vulnerability assessments

For separation of duties purposes, it is

recommended that vulnerability assessments be
conducted by 3rd-party consultants

16

P OLICIES

D YNAMIC C ONT.

Who is responsible for this document?

ARE

The ISO, or a member of Upper Management

What ownership means:

Developing, maintaining & reviewing policies

Policy owner does not approve policies. That is

done at a higher level

Information Security Policy Document defines

both ownership and authority

17

P OLICIES

ARE

D YNAMIC C ONT.

Decisions should include:

Who is in charge of security management?

What is the scope of their enforcement

authority?

When should third-party expertise be brought in?

M ANAGING O RGANIZATIONAL
S ECURITY

18

Three topics on which to focus:

Information Security Infrastructure

Identification of risks from 3rd-party consultants

Security Requirements for outsourcing

M ANAGING O RGANIZATIONAL
S ECURITY C ONT.

19

Designing & maintaining a secure environment

requires input from representatives of each
department of the company:

Management

IT (developers, network engineers, administrators)

HR

Legal & Financial services

Collaboration of all these parties is required to

create and maintain a successful information
security policy

M ANAGING O RGANIZATIONAL
S ECURITY C ONT.

20

Designing & maintaining a secure environment

requires input from representatives of each
department of the company:

Management

IT (developers, network engineers,

administrators)

HR

Legal & Financial services

M ANAGING O RGANIZATIONAL
S ECURITY C ONT.

21

Who is a third-party?

Business partners

Vendors

Contractors (including temporary workers)

M ANAGING O RGANIZATIONAL
S ECURITY C ONT.

22

Physical Security

Protecting the network from attacks from the

outside is recommended, but a company should
not forget to protect the physical security of the
servers themselves

Why bother to hack when you can steal?

M ANAGING O RGANIZATIONAL
S ECURITY C ONT.

23

If physical access for 3rd-party is allowed, proper

control must be deployed to:

Select who gets physical access

To which areas is physical access granted

Has due diligence been extended to verify the

integrity and credibility of those 3rd-party
contractors?

O UTSOURCING I S A G ROWING
T REND

24

Outsourcing is seen as some as a business tool

used to lower costs. It also comes with risks:

Is the work being outsourced out of the country?

If so, to which country?

How is security handled in the culture of that

country?

How effectively are Intellectual Property laws

enforced and respected in that country?

O UTSOURCING I S A G ROWING
T REND C ONT.

25

Is the data secure during transmission?

Is the data transferred electronically?

What secure protocols are used?

Is the data physically sent overseas?

What courier system is used?

How reliable/reputable/dependable is this

courier system?

O UTSOURCING I S A G ROWING
T REND C ONT.

26

Is the data securely stored while away from the

corporate network?

What security controls are deployed at the

periphery of the target network?

What access control methods are used on the

target control?

What auditing methods are used on the target

network?

O UTSOURCING I S A G ROWING
T REND C ONT.

27

How to conduct due diligence on a company

located halfway across the world?

Is this company foreign-owned, or a subsidiary of

a US-owned corporation?

Is this company reputable?

Has the company sent a representative on-site to

verify the information provided to them?