Lecture 35

Uploaded by

MUHAMMAD AHMAD
Information Security

Lecture # 35

Dr. Shafiq Hussain


Associate Professor & Chairperson
Department of Computer Science

Objectives
• Introduction to Security Policy.
Security Policy
• A security policy is a document that spells out principles and strategies for an organization to maintain the security of its information assets.
• A security policy (also called an information security policy or IT security policy) is a document that spells out the rules, expectations, and overall approach that an organization uses to maintain the confidentiality, integrity, and availability of its data.
• Security policies exist at many different levels, from high-level constructs that describe an enterprise’s general security goals and principles to documents addressing specific issues, such as remote access or Wi-Fi use.
• A security policy is frequently used in conjunction with other types of documentation such as standard operating procedures.
• These documents work together to help the company achieve its security goals.
• The policy defines the overall strategy and security stance, with the other documents helping build structure around that practice.
Security Policy (Cont.)
Some of the benefits of a well-designed and implemented security policy include:

Guides the implementation of technical controls
• A security policy doesn’t provide specific low-level technical guidance, but it does spell out the intentions and expectations of senior management in regard to security.
• It’s then up to the security or IT teams to translate these intentions into specific technical actions.
• For example, a policy might state that only authorized users should be granted access to proprietary company information.
• The specific authentication systems and access control rules used to implement this policy can change over time, but the general intent remains the same.
• Without a place to start from, the security or IT teams can only guess senior management’s desires.
• This can lead to inconsistent application of security controls across different groups and business entities.
Security Policy (Cont.)
Sets clear expectations
• Without a security policy, each employee or user will be left to his or her own judgment in deciding what’s appropriate and what’s not.
• This can lead to disaster when different employees apply different standards.
• A security policy should also clearly spell out how compliance is monitored and enforced.
Security Policy (Cont.)
Helps meet regulatory and compliance requirements
• Documented security policies are a requirement of legislation like HIPAA and Sarbanes-Oxley, as well as regulations and standards like PCI-DSS, ISO 27001, and SOC2.
• Even when not explicitly required, a security policy is often a practical necessity in crafting a strategy to meet increasingly stringent security and data privacy requirements.
Security Policy (Cont.)
Improves organizational efficiency and helps meet business objectives
• A good security policy can enhance an organization’s efficiency.
• Its policies get everyone on the same page, avoid duplication of effort, and provide consistency in monitoring and enforcing compliance.
• Security policies should also provide clear guidance for when policy exceptions are granted, and by whom.
Security Policy (Cont.)
Three types of security policies
• Security policies can vary in scope, applicability, and complexity, according to the needs of different organizations.
• While there’s no universal model for security policies, the National Institute of Standards and Technology (NIST) spells out three distinct types in Special Publication (SP) 800-12:
Security Policy (Cont.)
Three types of security policies
Program policy
• Program policies are strategic, high-level blueprints that guide an organization’s information security program.
• They spell out the purpose and scope of the program, as well as define roles and responsibilities and compliance mechanisms.
• Also known as master or organizational policies, these documents are crafted with high levels of input from senior management and are typically technology agnostic.
• They are the least frequently updated type of policy, as they should be written at a high enough level to remain relevant even through technical and organizational changes.
Security Policy (Cont.)
Three types of security policies
Issue-specific policy
• Issue-specific policies build upon the generic security policy and provide more concrete guidance on certain issues relevant to an organization’s workforce.
• Common examples could include a network security policy, bring-your-own-device (BYOD) policy, social media policy, or remote work policy.
• These may address specific technology areas but are usually more generic.
• A remote access policy might state that offsite access is only possible through a company-approved and supported VPN, but that policy probably won’t name a specific VPN client.
• This way, the company can change vendors without major updates.
Security Policy (Cont.)
Three types of security policies
System-specific policy
• A system-specific policy is the most granular type of IT security policy, focusing on a particular type of system, such as a firewall or web server, or even an individual computer.
• NIST states that system-specific policies should consist of both a security objective and operational rules.
• IT and security teams are heavily involved in the creation, implementation, and enforcement of system-specific policies, but the key decisions and rules are still made by senior management.
Questions
Any questions?

You can contact me at: [email protected]

Your query will be answered within one working day.
Further Readings
• Chapter No. 1
Computer Security: Principles and Practice (3rd Edition)
By William Stallings and Lawrie Brown

Thanks