ABW Consulting Services
© 2014-2015. ABW Consulting Services. All Rights Reserved.
Relating Business Strategies & Operations to Cyber Security Policies & Procedures
(Rev. 11/20/2015)
Introduction

• Background
Best practices for Information Security Programs involve a hierarchy of documents, although many organizations (both large and small) may not have the resources (or the intention) to create and implement all of the documents identified here. At a minimum ("common practice"), there should always be operational-level policies that dictate what can and cannot be done, and procedures that provide the steps for how to protect the organization's information assets.
The documents are divided into two sets: Organization-Level and Operational-Level.

• Organization-Level Documents
These documents comprise the overarching business strategies that set the overall business purpose and direction for a 3- to 5-year period. They are generally reviewed annually but updated only when necessary, and at least every 5 years. Approval authority for these documents belongs to the organization's governing body (e.g., Board of Directors) or Executive Committee (e.g., President/CEO, CFO, COO, CIO), depending on the size of the business and its governance structure. How these strategies are implemented falls under the Operational-Level Documents.
Introduction (cont'd)

• Operational-Level Documents
To implement the upper-level strategies, an organization should have operational policies that dictate what should or should not be done (i.e., what is allowed or prohibited) and operational procedures that dictate how things are done. In addition, an organization may have specific standards or guidelines providing technical details in support of particular policies or procedures (e.g., defining password complexity requirements). Having these three operational levels of documents (policies, procedures, and standards/guidelines) helps an organization make changes as technologies evolve, because each document type has a different source and approval level.
Unlike strategies and policies, which need higher-level approval, operating procedures and standards can usually be approved and implemented with department-level approval (e.g., under the authority of the CIO, IT Director, or an organizational IT governing board/committee), although they should also be reviewed by some form of IT Security Committee, depending on the organization's governance structure and process. This means the procedures and standards, which the policy should require to be reviewed at least annually, can be amended and updated as needed to keep pace with changes in technology, without going through the higher-level political process of the governing body.
Typical Hierarchy of Documents
(diagram only in the original slide deck; not included in this text version)

Risk Management Plan (Information Assets Risk Analysis Matrix)
(diagram only in the original slide deck; not included in this text version)

Typical Organization Documents
(diagram only in the original slide deck, continued over two slides; not included in this text version)
Organization-Level Documents

• Business Plan (or Business Strategy)
  • Includes Vision, Mission, Purpose, Business Strategies & Financial Forecasts (3–5 year outlook)
  • Reviewed Annually, Updated Every 3–5 Years
• Risk Management Plan
  • Identification of primary business risks and potential impacts (matches the 3–5 year period of the Business Plan)
  • Strategies for risk avoidance and risk mitigation
  • Includes levels of "acceptable risk"
  • Plan and strategy for addressing physical, economic, and cyber risks
Typical Organization Documents (cont'd)
(diagram only in the original slide deck; not included in this text version)
Organization-Level Documents (cont'd)

• Information Technology Strategy
  • Direction for use of Technology (3–5 year horizon)
  • Outline of Near-Term Action Plans (1–3 years)
  • Reviewed Annually, Updated Every 3–5 Years
• Information Security Strategy
  • Direction for Securing the Organization's Critical Information (3–5 year horizon)
  • Reviewed Annually, Updated Every 3–5 Years
Operational-Level Documents

• Overview
The following Operational-Level Documents, which are subordinate to the organizational strategies, should be created and implemented to execute the organization's Information Security Program. Documents marked with an asterisk (*) are considered mandatory components for successful implementation of a security program.
(NOTE: policy titles will vary from one organization to another.)

• Business Continuity & Disaster Recovery Plan
• Information Technology Disaster Recovery Plan *
• Physical Security Policy
Operational-Level Documents (cont'd)

• Information Security Policy *
• Information Security Standards *
• Information Classification Standards *
• Data Security & Encryption Standards
• Identity Management Procedures
• Information Security Audit Procedures
• Information Security Testing Procedures
• Computer Security Incident Response Plan/Policy *
• Acceptable Use Policy *
• Red Flags Program Policy (1)
(1) Dependent on federal law applicability
Document Descriptions (1)

• Business Continuity & Disaster Recovery Plan
"Business Continuity" refers to the ability to maintain a sustainable level of business operations over an extended duration (weeks to months) after a major disaster.
"Disaster Recovery" refers to the ability to restore critical operational services in the immediate period (hours to days) after a disaster.
This plan will usually have an organization-wide component, and may also have division-, department-, or workgroup-level plans that focus on near-term recovery from a disaster and then on continuing longer-term business operations. The plan should contain a component describing how IT services and data will support longer-term business continuity. This document may also be referred to as a "Continuity of Operations Plan" (COOP).
Document Descriptions (2)

• Information Technology Disaster Recovery Plan *
This plan covers the more immediate recovery of IT data and services to support the organization's business functions in case of a disaster. It must state how data and services (i.e., the hardware and software that deliver them) will be backed up or replicated, usually through off-site storage of backup files/media and the provision of "hot," "warm," or "cold" data center facilities (or redundant equipment within an existing facility). The backups the plan relies on should be test-restored periodically; a backup that has never been restored is an assumption, not a recovery capability.

• Physical Security Policy
This policy should be tightly coupled with the Information Security Policy, and should cover the site/facility and personnel security measures the organization needs for day-to-day operations.
Typical Policies
(diagram only in the original slide deck; not included in this text version)
Document Descriptions (3)

• Information Security Policy *
This policy provides for the overarching protection of the organization's information and technology assets. It must be applicable and enforceable across all divisions, departments, and employees, as well as anyone else who has access to the organization's systems, including third-party vendors, partners, and clients. The policy must reference the applicable standards and other subordinate documents (e.g., operating procedures) that provide the technical definitions and details of how the policy is to be implemented. It should also require that employees be trained on the policy and acknowledge that they understand it.
Typical Procedures & Standards
(diagram only in the original slide deck; not included in this text version)
Document Descriptions (4)

• Information Security Standards *
These are internal standards, usually adopted by an IT governance board, which provide details about security configurations, settings, and other applicable requirements (e.g., password complexity and expiration) needed to implement the related policies. They should be consistent with adopted national or international standards (e.g., NIST SP 800-53, ISO/IEC 27001/27002, COBIT). Those external standards change over time: NIST SP 800-63B (2017), for example, advises against forced periodic password expiration, so an internal standard should be re-examined whenever the external standards it cites are revised.

• Information/Data Classification Standards *
These standards define the classification levels (or types) of information or data that must be secured, starting with open and accessible "public information," then "internal (sensitive) information" (which, for public agencies, may still be subject to the California Public Records Act or the federal Freedom of Information Act), "personal/private information" (e.g., related to employees and their benefits), and "confidential information." The security standards and security policy should dictate who (by job role) is authorized to access each level of information and what controls must be in place for each level. The policy also needs to specify the roles and responsibilities of Data Owners and users.
Document Descriptions (5)

• Data Security & Encryption Standards
These standards define what measures, including encryption, must be applied to data at rest (saved on storage media), data in transit (active network traffic), and data in use (open in a user application). They should also state when different levels of encryption are required, especially when transmitting confidential data to external parties (e.g., employee benefits data sent to an insurance carrier). The standard should name the approved algorithms, key lengths, and key custodians; "must be encrypted" without those details is not a requirement anyone can test.

• Identity Management Procedures
These procedures (including user roles and access controls) define the lifecycle of a user account: the initial request (for internal employees or any non-employees authorized to access the organization's systems); account creation with user roles/groups assigned so that access rights are limited to the systems and applications allowed; disabling the account after a specified period of inactivity (non-use); and terminating the account when the person leaves the organization. Because termination depends on knowing that the person has left, the procedure should tie account termination to the HR separation process and include a periodic comparison of active accounts against the HR roster, which also surfaces orphaned accounts with no current owner.
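The inactivity and termination rules above are the part of this procedure that is usually automated. The following is an added illustration, not code from the original deck: it applies a 90-day inactivity threshold (an assumed value; the deck leaves the period to the organization) and the HR-roster comparison to a constructed set of accounts. All usernames, HR identifiers and dates are made up for the example.

```python
"""Account lifecycle review applying the inactivity and termination rules.

Added illustration, not code from the original deck. The 90-day threshold,
the sample accounts and the HR roster are all assumed/constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Set

INACTIVITY_DAYS = 90  # assumed policy threshold; the deck leaves the period to the organization


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str               # HR identifier of the employee/contractor who owns the account
    created: date               # date the account was provisioned
    last_login: Optional[date]  # None means the account has never been used


def account_action(acct: Account, hr_active_ids: Set[str], today: date,
                   inactivity_days: int = INACTIVITY_DAYS) -> str:
    """Return 'terminate', 'disable' or 'keep' for one account.

    Termination takes precedence: an account whose owner is not on the HR
    active roster is removed even if it was used yesterday, which is exactly
    the case (a leaver still logging in) the procedure exists to catch.
    """
    if acct.owner_id not in hr_active_ids:
        return "terminate"
    # A never-used account is measured from its creation date, so an account
    # that was provisioned but never claimed still ages out.
    last_activity = acct.last_login or acct.created
    if (today - last_activity).days > inactivity_days:
        return "disable"
    return "keep"


def review_accounts(accounts: Iterable[Account], hr_active_ids: Set[str], today: date,
                    inactivity_days: int = INACTIVITY_DAYS) -> Dict[str, str]:
    """Map every username to the action the procedure requires."""
    return {a.username: account_action(a, hr_active_ids, today, inactivity_days)
            for a in accounts}


# Constructed sample data (not real accounts). "Today" is the deck's revision date.
TODAY = date(2015, 11, 20)
HR_ACTIVE_IDS = {"E001", "E002", "E003", "E005", "C010"}   # E004 has left per HR
SAMPLE_ACCOUNTS = [
    Account("alice", "E001", date(2014, 1, 6), date(2015, 11, 18)),     # active, owner in HR
    Account("bob", "E002", date(2013, 5, 1), date(2015, 7, 1)),         # 142 days idle
    Account("carol", "E003", date(2015, 10, 15), None),                 # new, never used, 36 days old
    Account("dave", "E004", date(2012, 3, 12), date(2015, 11, 19)),     # still logging in, but HR says gone
    Account("erin", "E005", date(2015, 6, 1), None),                    # provisioned 172 days ago, never claimed
    Account("svc-backup", "C010", date(2014, 9, 9), date(2015, 9, 1)),  # contractor-owned, 80 days idle
]

if __name__ == "__main__":
    for user, action in review_accounts(SAMPLE_ACCOUNTS, HR_ACTIVE_IDS, TODAY).items():
        print(f"{user:<12} {action}")
```

The HR roster is the authoritative input here: the IdP's own "enabled" flag says nothing about whether the person still works for the organization, which is why "dave" is terminated despite logging in the day before. In a real deployment the roster and the account list would come from the HR system and the directory export rather than from constants.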
Document Descriptions (6)

• Information Security Audit Procedures
These procedures should be aligned with recognized audit frameworks (e.g., ISACA's COBIT and its IT audit standards) and dictate the types and frequency of security audits to be performed, as well as who the audience will be for the different audit results: some may be for internal use only, while others may be public information.

• Information Security Testing Procedures
These procedures define the types and frequency of security testing to be performed. This can range from simple tabletop exercises, to pen-and-paper drills or exercises in a virtual environment that test security staff skills, to internal or external penetration testing of the organization's actual networks and systems (using internal staff or a certified security tester). Penetration testing of production systems should always be covered by a written scope and authorization, since the same activity without authorization is indistinguishable from an attack.
Document Descriptions (7)

• Computer Security Incident Response Policy *
This policy defines roles and responsibilities and provides a plan of action to be taken before, during, and after a "Computer Security Incident," based on identified standards and best practices (e.g., NIST SP 800-61). The Incident Response Plan follows the same general procedure as Crisis Management or Emergency Management, with the goal of stopping and containing the security breach or other identified security event (e.g., malware infection, denial-of-service attack, or web site defacement) and restoring systems to normal operation. The policy also provides steps for preserving potential evidence where future legal action (criminal or civil) is possible.
Document Descriptions (8)

• Acceptable Use Policy *
This policy dictates what is and is not acceptable use of the organization's IT resources, specifically including Internet access and e-mail, and any other systems the organization wants to address (for example, telecommunications devices, cell phones, smart phones, etc.).

• Red Flags Program Policy (**)
This policy (Identity Theft Awareness & Training) must be adopted and approved by the governing body (i.e., the Board of Directors) and must affirmatively state that the organization has a program in place (as defined in the policy) for training employees to recognize "red flags" that indicate possible identity theft, including what actions employees should take with affected customers, and what steps the organization takes to make its customers aware of identity theft issues and how they can recognize when they might be a victim.
(**) May be required by federal law (the FTC's Red Flags Rule), depending on "creditor" status.
Prioritizing Information Security Measures

Most of the preceding documents will contain some basic information about a particular Information Security strategy, plan, policy, procedure, or standard that is understandable to non-technical staff and managers. The lower-level documents (especially procedures and standards) will contain the more complex technical details related to the functions and responsibilities of the IT group and Information Security staff. One of the responsibilities of the most senior person in charge of Information Security (e.g., the Chief Information Security Officer or Information Security Manager) is to translate those lower-level technical details into plain business-management language, so that non-technical managers can participate in deciding which security measures are to be implemented over a given period and within a given cost limit. The key to getting the necessary Information Security controls implemented is to relate each specific measure to the business risk it reduces or mitigates. The goal is to protect the Information Assets with the highest risk first, then work through the priorities for each asset at decreasing levels of risk, until management is willing to accept the remaining risk without implementing any further security measure (based on the prior business risk analysis).
23

Contenu connexe

Tendances

It Audit Expectations High Detail
It Audit Expectations   High DetailIt Audit Expectations   High Detail
It Audit Expectations High Detailecarrow
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Eryk Budi Pratama
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery   student slides ver 1.0Module 4 disaster recovery   student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0Aladdin Dandis
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKSRISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKSChristina33713
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTKimberly Simon MBA
 
HITRUST CSF Meaningful use risk assessment
HITRUST CSF Meaningful use risk assessmentHITRUST CSF Meaningful use risk assessment
HITRUST CSF Meaningful use risk assessmentVinit Thakur
 
HITRUST CSF in the Cloud
HITRUST CSF in the CloudHITRUST CSF in the Cloud
HITRUST CSF in the CloudOnRamp
 
UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1Bryan Cline, Ph.D.
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011codka
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykEryk Budi Pratama
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationHitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationSchellman & Company
 

Tendances (20)

Are you ready for the transformation
Are you ready for the transformationAre you ready for the transformation
Are you ready for the transformation
 
It Audit Expectations High Detail
It Audit Expectations   High DetailIt Audit Expectations   High Detail
It Audit Expectations High Detail
 
Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)Protecting Agile Transformation through Secure DevOps (DevSecOps)
Protecting Agile Transformation through Secure DevOps (DevSecOps)
 
Module 4 disaster recovery student slides ver 1.0
Module 4 disaster recovery   student slides ver 1.0Module 4 disaster recovery   student slides ver 1.0
Module 4 disaster recovery student slides ver 1.0
 
Data governance guide
Data governance guideData governance guide
Data governance guide
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKSRISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
 
HealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUSTHealthCare Compliance - HIPAA and HITRUST
HealthCare Compliance - HIPAA and HITRUST
 
HITRUST CSF Meaningful use risk assessment
HITRUST CSF Meaningful use risk assessmentHITRUST CSF Meaningful use risk assessment
HITRUST CSF Meaningful use risk assessment
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information Policy
 
Common Security Framework Summary
Common Security Framework SummaryCommon Security Framework Summary
Common Security Framework Summary
 
Cisa 2013 ch4
Cisa 2013 ch4Cisa 2013 ch4
Cisa 2013 ch4
 
Cisa 2013 ch2
Cisa 2013 ch2Cisa 2013 ch2
Cisa 2013 ch2
 
HITRUST CSF in the Cloud
HITRUST CSF in the CloudHITRUST CSF in the Cloud
HITRUST CSF in the Cloud
 
UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
 
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST CertificationHitrust: Navigating to 2017, Your Map to HITRUST Certification
Hitrust: Navigating to 2017, Your Map to HITRUST Certification
 
Ch3 cism 2014
Ch3 cism 2014Ch3 cism 2014
Ch3 cism 2014
 
Cisa 2013 ch3
Cisa 2013 ch3Cisa 2013 ch3
Cisa 2013 ch3
 
Ch4 cism 2014
Ch4 cism 2014Ch4 cism 2014
Ch4 cism 2014
 

Similaire à SMBs - Hierarchy of Business-Security Documents 2015-11

Policy formation and enforcement.ppt
Policy formation and enforcement.pptPolicy formation and enforcement.ppt
Policy formation and enforcement.pptImXaib
 
Information security policy how to writing
Information security policy how to writingInformation security policy how to writing
Information security policy how to writingPasangdolmoTamang
 
CSIA 413 Cybersecurity Policy, Plans, and ProgramsProject #4 IT .docx
CSIA 413 Cybersecurity Policy, Plans, and ProgramsProject #4 IT .docxCSIA 413 Cybersecurity Policy, Plans, and ProgramsProject #4 IT .docx
CSIA 413 Cybersecurity Policy, Plans, and ProgramsProject #4 IT .docxmydrynan
 
There are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database managThere are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database managGrazynaBroyles24
 
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docxRunning Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docxjeffsrosalyn
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Tammy Clark
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011codka
 
What are policies procedures guidelines standards
What are policies procedures guidelines standardsWhat are policies procedures guidelines standards
What are policies procedures guidelines standardsManish Chaurasia
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech  Principles of  Computer Securit.docx1chapter42BaseTech  Principles of  Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docxdurantheseldine
 
Determine Maintenance strateg.docx
Determine Maintenance strateg.docxDetermine Maintenance strateg.docx
Determine Maintenance strateg.docxDarkKnight367793
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsPECB
 
Lumbs Latest Resume
Lumbs Latest ResumeLumbs Latest Resume
Lumbs Latest ResumeJohn Lumb
 
Harrisburg UniversityISEM 547 IT PolicyOb.docx
Harrisburg UniversityISEM 547  IT PolicyOb.docxHarrisburg UniversityISEM 547  IT PolicyOb.docx
Harrisburg UniversityISEM 547 IT PolicyOb.docxshericehewat
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Yerlin Sturdivant
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62AlliedConSapCourses
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER  5 Security Policies, Standards, Procedures, aCHAPTER  5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, aMaximaSheffield592
 

Similaire à SMBs - Hierarchy of Business-Security Documents 2015-11 (20)

Policy formation and enforcement.ppt
Policy formation and enforcement.pptPolicy formation and enforcement.ppt
Policy formation and enforcement.ppt
 
Information security policy how to writing
Information security policy how to writingInformation security policy how to writing
Information security policy how to writing
 
CSIA 413 Cybersecurity Policy, Plans, and ProgramsProject #4 IT .docx
CSIA 413 Cybersecurity Policy, Plans, and ProgramsProject #4 IT .docxCSIA 413 Cybersecurity Policy, Plans, and ProgramsProject #4 IT .docx
CSIA 413 Cybersecurity Policy, Plans, and ProgramsProject #4 IT .docx
 
There are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database managThere are two general types of data dictionaries a database manag
There are two general types of data dictionaries a database manag
 
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docxRunning Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
Running Head ZIFFCORP AUDIT PROPOSAL 1 ZiffCo.docx
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
 
An IT Governance program
An IT Governance programAn IT Governance program
An IT Governance program
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
 
What are policies procedures guidelines standards
What are policies procedures guidelines standardsWhat are policies procedures guidelines standards
What are policies procedures guidelines standards
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech  Principles of  Computer Securit.docx1chapter42BaseTech  Principles of  Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx
 
CISSPills #3.02
CISSPills #3.02CISSPills #3.02
CISSPills #3.02
 
File000169
File000169File000169
File000169
 
Asset Management: Climbing the Asset Maturity Curve
Asset Management: Climbing the Asset Maturity CurveAsset Management: Climbing the Asset Maturity Curve
Asset Management: Climbing the Asset Maturity Curve
 
Determine Maintenance strateg.docx
Determine Maintenance strateg.docxDetermine Maintenance strateg.docx
Determine Maintenance strateg.docx
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
 
Lumbs Latest Resume
Lumbs Latest ResumeLumbs Latest Resume
Lumbs Latest Resume
 
Harrisburg UniversityISEM 547 IT PolicyOb.docx
Harrisburg UniversityISEM 547  IT PolicyOb.docxHarrisburg UniversityISEM 547  IT PolicyOb.docx
Harrisburg UniversityISEM 547 IT PolicyOb.docx
 
Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001Planning for-and implementing ISO 27001
Planning for-and implementing ISO 27001
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62
 
CHAPTER 5 Security Policies, Standards, Procedures, a
CHAPTER  5 Security Policies, Standards, Procedures, aCHAPTER  5 Security Policies, Standards, Procedures, a
CHAPTER 5 Security Policies, Standards, Procedures, a
 

SMBs - Hierarchy of Business-Security Documents 2015-11

  • 1. ABW Consulting Services © 2014-2015. ABW Consulting Services. All Rights Reserved. Relating to Business Strategies & Operations to Cyber Security Policies & Procedures (Rev. 11/20/2015)
  • 2. ABW Consulting Services © 2014-2015. ABW Consulting Services. All Rights Reserved. Introduction  Background Best practices for Information Security Programs involve a hierarchy of documents; although, many organizations (both large and small) may not have resources (or intention) to create and implement all of the identified documents. At a minimum (for “common practice”), there should always be operational level policies that dictate what can and cannot be done and procedures that provide steps for how to protect an organization’s information assets. The sets of documents are divided into Organization-Level and Operational-Level.  Organization-Level Documents These documents are comprised of overarching business strategies which set the overall business purpose and direction for a 3- to 5-year period. These documents are generally reviewed on an annual basis, but only updated when necessary, at least every 5 years. Approval authority for these documents belongs to an organization’s governing body (e.g., Board of Directors) or Executive Committee (e.g., President/CEO, CFO, COO, CIO, etc.), depending on the size of the business and its governance structure. How these strategies are implemented fall under the Operational-Level Documents. 2
  • 3. ABW Consulting Services © 2014-2015. ABW Consulting Services. All Rights Reserved. Introduction (cont’d)  Operational-Level Documents In order to implement the upper-level strategies, an organization should have operational policies to dictate what should or should not be done (i.e., what is allowed or prohibited), and operational procedures to dictate how things are done. In addition, an organization may have specific standards or guidelines providing technical details in support of specific policies or procedures (e.g., defining password complexity requirements). Having these three operational levels of documents (policies, procedures, and standards/guidelines) can assist organizations in making changes as technologies evolve, because each document type has a different source and approval level. Unlike the higher level strategy and policy approval requirements, usually operating procedures and standards can be approved and implemented with department-level approvals (e.g., under authority of the CIO, IT Director or an organizational IT governing board/committee); although they should also require review by some sort of IT Security Committee, depending on the organization’s governance structure and process. This means the procedures and standards, which the policy should require to be reviewed at least annually, can be amended and updated as needed to keep pace with changes in technologies, without all the higher level political processes (by a governing body). 3
  • 4. ABW Consulting Services © 2014-2015. ABW Consulting Services. All Rights Reserved. Typical Hierarchy of Documents 4
  • 5. ABW Consulting Services © 2014-2015. ABW Consulting Services. All Rights Reserved. Risk Management Plan (Information Assets Risk Analysis Matrix) 5
  • 6. ABW Consulting Services © 2014-2015. ABW Consulting Services. All Rights Reserved. Typical Organization Documents 6
  • 7. ABW Consulting Services © 2014-2015. ABW Consulting Services. All Rights Reserved. Typical Organization Documents (cont’d) 7
  • 8. ABW Consulting Services © 2014-2015. ABW Consulting Services. All Rights Reserved. Organization-Level Documents  Business Plan (or Business Strategy)  Includes Vision, Mission, Purpose, Business Strategies & Financial Forecasts (3–5 year outlook)  Reviewed Annually, Updated Every 3–5 Years  Risk Management Plan  Identification of primary business risks and potential impacts (matches 3–5 year period for Business Plan)  Strategies for risk avoidance and risk mitigation  Includes levels of “acceptable risk”  Plan and strategy for addressing physical, economic, and cyber risks 8
  • 9. ABW Consulting Services © 2014-2015. ABW Consulting Services. All Rights Reserved. Typical Organization Documents (cont’d) 9
  • 10. ABW Consulting Services © 2014-2015. ABW Consulting Services. All Rights Reserved. Organization-Level Documents (cont’d)  Information Technology Strategy  Direction for use of Technology (3–5 year horizon)  Outline of Near-Term Action Plans (1–3 years)  Reviewed Annually, Updated Every 3–5 Years  Information Security Strategy  Direction for Securing Organization’s Critical Information (3–5 year horizon)  Reviewed Annually, Updated Every 3–5 Years 10
  • 11. ABW Consulting Services © 2014-2015. ABW Consulting Services. All Rights Reserved. Operational-Level Documents  Overview The following Operational-Level Documents, which are considered subordinate to organizational strategies, should be created and implemented to execute the organization’s Information Security Program. Those documents, marked with an asterisk (*) below, are considered to be mandatory and necessary components for successful implementation of a security program. (NOTE: policy titles will vary from one organization to another.)  Business Continuity & Disaster Recovery Plan  Information Technology Disaster Recovery Plan *  Physical Security Plan (continued on next page) 11
• 12. Operational-Level Documents (cont’d)
 Information Security Policy *
 Information Security Standards *
 Information Classification Standards *
 Data Security & Encryption Standards
 Identity Management Procedures
 Information Security Audit Procedures
 Information Security Testing Procedures
 Computer Security Incident Response Plan/Policy *
 Acceptable Use Policy *
 Red Flags Program Policy (1)
  (1) Dependent on federal law applicability
• 13. Document Descriptions (1)
 Business Continuity & Disaster Recovery Plan
  “Business Continuity” refers to the ability to maintain a sustainable level of business operations over an extended duration (weeks to months) after a major disaster. “Disaster Recovery” refers to the ability to restore some critical operational services in the immediate time period (hours to days) after a disaster. This plan will usually have an organization-wide component, and may also have division-level, department-level or workgroup-level plans which focus first on the near-term recovery from a disaster and then on continuing, longer-term business operations. This plan should contain a component for how IT services and data will be used for longer-term business continuity. This document may also be referred to as a “Continuity Of Operations Plan” (COOP).
• 14. Document Descriptions (2)
 Information Technology Disaster Recovery Plan *
  This plan is for the more immediate recovery of IT data and services, to support the organization’s business functions in the case of a disaster; it must include how data and services (e.g., hardware and software) will be backed up or replicated, usually in off-site storage of backup files/media and creation of “warm” or “cold” data center facilities (or having redundant equipment within an existing facility).
 Physical Security Policy
  This policy should be tightly coupled with the Information Security Policy, and should cover the organization’s necessary site/facility and personnel security measures for day-to-day operations.
• 15. Typical Policies (diagram slide; no text extracted)
• 16. Document Descriptions (3)
 Information Security Policy *
  This policy provides for the overarching protection of the organization’s information and technology assets. It must be applicable and enforceable across all divisions, departments, and employees, as well as anyone else who has access to the organization’s systems, including third-party vendors, partners, and clients. The policy must reference applicable standards and other subordinate documents (e.g., operating procedures) which provide the technical definitions and details about how the policy is to be implemented. The policy should contain a requirement for training of employees and acknowledgement that they understand the policy.
• 17. Typical Procedures & Standards (diagram slide; no text extracted)
• 18. Document Descriptions (4)
 Information Security Standards *
  These are internal standards, usually adopted by an IT governance board, which provide details about security configurations, settings, and other applicable standards (e.g., password complexity and auto-expiration) to implement the related policies; these standards should coincide with adopted national or international standards (e.g., NIST, ISO/IEC, COBIT).
 Information/Data Classification Standards *
  These standards define the different classification levels (or types) of information or data which must be secured, ranging from open and accessible “public information,” to “internal (sensitive) information” (which may still be subject to the California Public Records Act or federal Freedom of Information Act), “personal/private information” (e.g., related to employees and their benefits), and “confidential information.” The security standards and security policy should dictate who (by job role) is authorized to access which levels of information and what controls should be in place for each level of protection. The policy also needs to specify roles and responsibilities of Data Owners and users.
• 19. Document Descriptions (5)
 Data Security & Encryption Standards
  These standards help define what measures, including encryption, need to be used for data at rest (saved on storage media), data in transit (active network traffic), and data in use (part of an open user application); they should also include when different levels of encryption are required, especially when transmitting confidential data to external parties (e.g., employee benefits data sent to an insurance carrier).
 Identity Management Procedures
  These procedures (including user roles and access controls) define the lifecycle of a user account: from initial request (for internal employees or any non-employees who are authorized to access the organization’s systems), to account creation with user roles/groups assigned to limit access rights only to those systems and applications allowed, to disabling an account after a specified period of inactivity (non-use), and to terminating an account when the person leaves the organization.
• 20. Document Descriptions (6)
 Information Security Audit Procedures
  These procedures should be aligned with other standards (e.g., COBIT, ISACA) and dictate the types and frequencies of security audits to be performed, as well as who the audience will be for different audit results: some may be for internal use only, while others may be public information.
 Information Security Testing Procedures
  These procedures define the types and frequencies of security testing to be performed; this can range from simple tabletop exercises, to other pen-and-paper drills or using a virtual environment to test security staff skills, to internal or external penetration testing of actual organizational networks and systems (using internal staff or hiring a certified security tester).
• 21. Document Descriptions (7)
 Computer Security Incident Response Policy *
  This policy dictates roles and responsibilities, and provides a plan of action to be taken before, during, and after a “Computer Security Incident,” based on identified standards and best practices. This Incident Response Plan follows the same general procedures as Crisis Management or Emergency Management, with a goal of stopping and containing the security breach or other identified security event (e.g., malware infection, denial of service attack or web site defacement), and restoring systems to normal operations. This policy also provides steps for preserving potential evidence when there might be future legal action (either criminal or civil).
• 22. Document Descriptions (8)
 Acceptable Use Policy *
  This policy dictates what is acceptable use, and what is not acceptable use, of the organization’s IT resources, specifically including Internet access and Email, and including whatever other systems the organization wants to address (for example: telecommunications devices, cell phones, smart phones, etc.).
 Red Flags Program Policy (**)
  This policy (Identity Theft Awareness & Training) must be adopted and approved by the governing body (i.e., Board of Directors) and must affirmatively state that the organization has a program in place (as defined within the policy) for training employees in the recognition of “red flags” that indicate possible identity theft; including what actions employees should take with affected customers, and also what steps the organization takes to help make its customers aware of identity theft issues and how they can recognize when they might be a victim.
  (**) May be required by federal law, depending on “creditor” status.
• 23. Prioritizing Information Security Measures
  Most of the preceding documents will usually contain some basic information related to a particular Information Security strategy, plan, policy, procedure or standard, which is understandable to non-technical staff and managers. The lower-level documents (especially procedures and standards) will contain more complex and technical details related to the functions and responsibilities of the IT group and Information Security staff. One of the responsibilities of the highest-level person in charge of overall Information Security (e.g., Chief Information Security Officer or Information Security Manager) is to translate the lower-level technical details into simple business management language, so that non-technical managers can participate in prioritizing which security measures are to be implemented over a certain period of time and at a certain cost limit.
  A key to the success of having necessary Information Security controls implemented is to relate specific measures to their ability to reduce or mitigate a business risk. The goal will be to first protect those Information Assets with the highest risk and work through the priorities for each asset at decreasing levels of risk until management is willing to accept a risk without implementing any security measure (based on prior business risk analysis).