THE ROLE OF INFORMATION SECURITY POLICY

The Role of Information Security Policy
Jarin Udom
CMGT/400
November 22, 2013
Eric Clifford


The Role of Information Security Policy
According to Kevin Mitnick, one of the world’s most famous (or infamous) hackers,
“companies could spend millions of dollars towards technological protections and that's money
wasted if somebody could basically call somebody on the telephone and either convince them to
do something on the computer which lowers the computers defenses or reveals the information
that they're seeking” (PBS, n.d.). Technical defenses have become increasingly sophisticated, but
the human element is still the biggest—and will likely continue to be the biggest—security
vulnerability at any organization. Although not completely effective, arguably the best ways to
mitigate this risk are policies, standards, and a concerted organizational effort to train and
educate employees and others working for the organization.
Policies and Standards
What is the difference between information security policies and standards? Information
security policies outline the ways an organization will protect information in the form of high-level
business rules and guidelines (PJ, 2009). Information security standards dictate more
detailed requirements for how an organization will implement those policies (PJ, 2009). For
example, an information security policy may require all sensitive emails be encrypted and
digitally signed. The corresponding standard may specify that all sensitive email is to be
encrypted and digitally signed via PGP, using a 2048-bit key size and the RSA algorithm.
Policies
In any organization, it’s important to start with a high-level security policy before
considering standards, guidelines, or procedures. A security policy addresses the overarching
goals, concerns, and risks of the organization’s overall information security efforts. Information
security policies are “made by management when laying out the organization’s position”
(Conklin, White, Williams, Davis, Cothren, & Schou, 2011) on organizational security issues.
According to Diver (2006), when developing a security policy it’s important to consider
the company’s level of process maturity. She further elaborates that aiming too high at first,
especially in large organizations, “isn’t likely to be successful for a number of reasons including
lack of management buy-in, unprepared company culture and resources and other requirements
not in place” (Diver, 2006). Since information security policies are generally created by
management, it’s also important to assemble a team of subject matter experts to provide
information and assist managers and executives during the process.
Standards
Most standards in an organization are developed based on the organization’s high-level
security policy. However, according to Conklin et al. (2011), other standards are “externally
driven. Regulations for banking and financial institutions, for example, may require certain
security measures be taken by law.” Once a security policy is in place, engineers and subject
matter experts can begin the task of determining the best standards for implementing the
individual goals of the policy. For general information security, the National Institute of
Standards and Technology’s (NIST) Computer Security Resource Center is an excellent place to
start. NIST’s website contains a plethora of recommended cybersecurity standards and best
practices. Similarly, the Open Web Application Security Project’s (OWASP) wiki is a
community-maintained resource for web and other application security recommendations and
vulnerabilities. Finally, the organization may wish to employ subject matter experts and
consultants to develop standards based on industry-standard best practices and experience.
Role of Employees
As stated above, people are the weak link in any organizational information security plan.
Most people realize that employees with trusted access privileges may abuse their access to
compromise an organization’s information. However, as Kevin Mitnick illustrated, employees
can also be unwittingly tricked into divulging sensitive information or information that can assist
an intruder in compromising computer systems. Organizations must include human factors in
their security policies, and they must take efforts to inform employees and others working for the
organization about policies, standards, procedures and guidelines.
It is absolutely essential that employees understand that information compromises can
have serious consequences, not just for the organization but also for the employee themselves.
Employees and others working for the organization must be ever vigilant against social
engineering attempts, phishing, physical security breaches, and other human-oriented intrusion attempts.
For example, an intruder may attempt to gain access to a secure facility by waiting for an
authorized employee to swipe their security badge and then following them through the door, or
“piggybacking”, before it closes. Organizations can prevent this kind of intrusion by
implementing clear policies that every person passing into a secure area must swipe their badge
before entering. This kind of policy counteracts the normal human tendency to avoid
inconveniencing others.
Another example might be an intruder attempting to gain sensitive security information
over the phone. Kevin Mitnick famously exploited the natural human tendency to be helpful by
calling government agencies and posing as a fellow employee who was having technical
problems, and he was able to convince employees to give him the names of computer systems
and even execute commands on his behalf (PBS, n.d.). Employees should verify the identity of
any unknown caller, even if they claim to be in distress or a high-level executive (another
common tactic). However, an exception can be made for familiar voices, as studies have shown
that people are quite good at recognizing voices—an accuracy rate of 92% when hearing a
familiar voice for only 5.3 seconds and an accuracy rate of 79% when hearing a barely familiar
voice for 15.3 seconds (Kreiman & Sidtis, 2011, p. 177).
Conclusion
As Kevin Mitnick said, “the human side of computer security is easily exploited and
constantly overlooked” (PBS, n.d.). While the proliferation of botnets, worms, and easily
available “script kiddy” tools has clearly made the role of technological information security
measures more important than ever, the human element remains the weak point of any
information security plan. In order to mitigate this risk, organizations must develop clear
information security policies and then use them to develop standards to be implemented
throughout the organization. In addition, they must train and educate employees about the
risks of social engineering attempts, phishing, physical security breaches, and other
human-based intrusion attempts, and about the importance of guarding against them.
References
Conklin, A., White, G., Williams, D., Davis, R., Cothren, C., & Schou, C. (2011). Principles of
computer security: CompTIA Security+ and beyond (Exam SY0-301) (3rd ed.). New York,
NY: McGraw Hill Professional.
Diver, S. (2006). Information security policy - a development guide for large and small
companies. SANS Institute Reading Room. Retrieved from
http://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331
Kreiman, J., & Sidtis, D. (2011). Foundations of voice studies: An interdisciplinary approach to
voice production and perception (1st ed., p. 177). John Wiley & Sons. Retrieved from
http://books.google.com/books?id=gwu48EvAXIsC
PBS. (n.d.). Testimony of an ex-hacker. Retrieved from
http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html
PJ. (2009, February 03). What are policies, standards, guidelines and procedures? Retrieved from
http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

The Role of Information Security Policy

Information security policies are “made by management when laying out the organization’s position” (Conklin, White, Williams, Davis, Cothren, & Schou, 2011) on organizational security issues. According to Diver (2006), when developing a security policy it’s important to consider the company’s level of process maturity. She further elaborates that aiming too high at first, especially in large organizations, “isn’t likely to be successful for a number of reasons including lack of management buy-in, unprepared company culture and resources and other requirements not in place” (Diver, 2006). Since information security policies are generally created by management, it’s also important to assemble a team of subject matter experts to provide information and assist managers and executives during the process.

Standards

Most standards in an organization are developed based on the organization’s high-level security policy. However, according to Conklin et al. (2011), other standards are “externally driven. Regulations for banking and financial institutions, for example, may require certain security measures be taken by law.” Once a security policy is in place, engineers and subject matter experts can begin the task of determining the best standards for implementing the individual goals of the policy. For general information security, the National Institute of Standards and Technology’s (NIST) Computer Security Resource Center is an excellent place to start. NIST’s website contains a plethora of recommended cybersecurity standards and best practices. Similarly, the Open Web Application Security Project’s (OWASP) wiki is a community-maintained resource for web and other application security recommendations and vulnerabilities. Finally, the organization may wish to employ subject matter experts and consultants to develop standards based on industry-standard best practices and experience.

Role of Employees

As stated above, people are the weak link in any organizational information security plan. Most people realize that employees with trusted access privileges may abuse their access to compromise an organization’s information. However, as Kevin Mitnick illustrated, employees can also be unwittingly tricked into divulging sensitive information or information that can assist an intruder in compromising computer systems. Organizations must include human factors in their security policies, and they must make efforts to inform employees and others working for the organization about policies, standards, procedures, and guidelines. It is absolutely essential that employees understand that information compromises can have serious consequences, not just for the organization but also for the employees themselves. Employees and others working for the organization must be ever vigilant against social engineering attempts, phishing, lapses in physical security, and other human-oriented intrusion attempts.

For example, an intruder may attempt to gain access to a secure facility by waiting for an authorized employee to swipe their security badge and then following them through the door (“piggybacking”) before it closes. Organizations can prevent this kind of intrusion by implementing clear policies that every person passing into a secure area must swipe their badge before entering. This kind of policy counteracts the normal human tendency to avoid inconveniencing others.

Another example might be an intruder attempting to gain sensitive security information over the phone. Kevin Mitnick famously exploited the natural human tendency to be helpful by calling government agencies and posing as a fellow employee who was having technical problems, and he was able to convince employees to give him the names of computer systems and even execute commands on his behalf (PBS, n.d.). Employees should verify the identity of any unknown caller, even if they claim to be in distress or to be a high-level executive (another common tactic). However, an exception can be made for familiar voices, as studies have shown that people are quite good at recognizing voices—an accuracy rate of 92% when hearing a familiar voice for only 5.3 seconds and an accuracy rate of 79% when hearing a barely familiar voice for 15.3 seconds (Kreiman & Sidtis, 2011, p. 177).

Conclusion

As Kevin Mitnick said, “the human side of computer security is easily exploited and constantly overlooked” (PBS, n.d.). While the proliferation of botnets, worms, and easily available “script kiddy” tools has clearly made the role of technological information security measures more important than ever, the human element remains the weak point of any information security plan. In order to mitigate this risk, organizations must develop clear information security policies and then use them to develop standards to be implemented throughout the organization. In addition, they must train and educate employees about both the risks and the importance of social engineering attempts, phishing, physical security, and other human-based intrusion attempts.

References

Conklin, A., White, G., Williams, D., Davis, R., Cothren, C., & Schou, C. (2011). Principles of Computer Security: CompTIA Security+ and Beyond (Exam SY0-301) (3rd ed.). New York, NY: McGraw Hill Professional.

Diver, S. (2006). Information security policy: A development guide for large and small companies. SANS Institute Reading Room. Retrieved from http://www.sans.org/reading-room/whitepapers/policyissues/information-security-policy-development-guide-large-small-companies-1331

Kreiman, J., & Sidtis, D. (2011). Foundations of voice studies: An interdisciplinary approach to voice production and perception (1st ed., p. 177). John Wiley & Sons. Retrieved from http://books.google.com/books?id=gwu48EvAXIsC

PBS. (n.d.). Testimony of an ex-hacker. Retrieved from http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html

PJ. (2009, February 03). What are policies, standards, guidelines and procedures? Retrieved from http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/