6. Written a policy lately?
Orange Book, PCI-DSS, 41 CFR 102, SAS-70, FISMA, ISO 27001, WebTrust, BITS, SysTrust, ISO 17799 / BS 7799, DITSCAP, FIPS 199, Cloud Audit, HIPAA
7. The language of policy
[Organization] and applicable subsidiary Level 2 Unit ISMs will coordinate and document the establishment of all external network connections for their unit with Network Services. As every external network connection is potentially an entry point for intruders, Level 2 Unit ISMs must document all external network connections in their unit, including modems.
13. What is the focus?
1. Systems must be patched within 30 days of release of patch from vendor.
2. Management approval is required to download any copyrighted material from the Internet.
18. The Next Generation:
• Simplify, streamline, squeeze out jargon
• Prioritize and heat map based on relative risk and audience
• Build approaches that transcend documentation and encourage good behavior
19. Fin.
• Peter Hesse, Gemini Security Solutions, @pmhesse, pmhesse@geminisecurity.com
• Extra special thanks to my partner-in-crime on this work, Michael Santarcangelo, @catalyst (www.securitycatalyst.com)
Editor's Notes
Is it just because we’ve been doing it so long we don’t remember?
Policies are written to counter known or notional risk.
What game are we playing if I show this to you?
Helps set the rules of the game – guidance – not that they can’t be changed later
Policies are hard to develop so people follow useful frameworks. <click>
Then they have to follow some more frameworks. <click>
And some more. And more and more.
You end up with something you didn’t really expect. Kind of reminds me of a platypus: webbed feet, duck bill, thick fur, mostly aquatic, lays eggs…
Can you understand this? I can’t.
Length of policy also a huge problem.
Policies are largely formed by cut and paste. By cutting and pasting without thinking through why things are in there (“I just know they have to be”) we create additional problems: policies that are harder to justify, policies the writers themselves can’t understand, policies that are too long.
Like making sausage
Quote from http://googleblog.blogspot.com/2010/09/trimming-our-privacy-policies.html: “We’re also simplifying our main Google Privacy Policy to make it more user-friendly by cutting down the parts that are redundant and rewriting the more legalistic bits so people can understand them more easily.”
Did you know that NIST created a guide for improving the security of your XP home installation, aimed at federal teleworkers? Useful, right? It is 175 pages.
However, they distill the guide down to 5 main points, care to guess what they are?
-Patching
-Running as limited user
-Anti-malware
-Personal firewall
-Perform backups
Do they need the rest of the document?
Policies are often treated as one-size-fits-all, but that is not the case. If a policy includes every risk mitigation technique known to the organization, it will have requirements that apply only to IT, only to management, only to finance – and few that apply to all users. Yet they’re all in the same policy. We need multiple policies, or multiple views of the same policy, to make sense to the audience.
Is the risk associated with these two policy statements equivalent?
Do these statements apply to the average user? (No: 1 is for IT only; 2 is for people doing downloads, and for management to know that they need to approve – but how do they determine if they should?)
What do you do when one of these policies is met, but the other isn’t?
- Here is what we’re doing. We are working on prioritizing policy based on a heat map. The heat map can change based on the revelation of new threats, improved perception of risk, or improved controls being put into place.
- Not getting into the metrics / qualitative/ quantitative holy war, but policies related to greater risks should have greater importance; those that relate to lower risks should be waived, deemed less important, or excised entirely
- The heat map could automatically filter based on the perspective of the audience