Lecture 4 Cyber Security Plans and Policies


BCS2014

Cyber Security

Lecture 4:
Cyber Security Plans and Policies
Learning Objectives
• Identify the roles in organizations that are active in planning
• Explain strategic organizational planning for information security
• Explain the principal components of information security system implementation planning in the organizational planning scheme
• Recognize the importance of security policies
• Understand the various policies and the rationale for them
• Know what elements go into good policies
• Create policies for network administration
• Evaluate and improve existing policies
• Develop information security policy
• Apply the SDLC to policy development and implementation
The Role of Planning
• Successful organizations utilize planning
• Planning involves:
  – Representatives of the three communities of interest
  – Individuals internal and external to the organization
  – Employees
  – Management
  – Outside stakeholders
• Among the factors that affect planning are:
  – Physical environment
  – Political and legal environment
  – Competitive environment
  – Technological environment
Precursors to Planning
• To implement effective planning, an organization’s leaders usually begin from previously developed positions that explicitly state the organization’s ethical, entrepreneurial, and philosophical perspectives.
• Precursor documents developed to support organizational planning include:
  – Mission statement
  – Vision statement
  – Values statement
The Mission Statement
• A mission statement explicitly declares the business of the organization and its intended areas of operations.
• The mission statement explains what the organization does and for whom.
• Example: Random Widget Works designs and manufactures quality widgets and associated equipment and supplies for use in modern business environments.
• A mission statement should be concise, reflect both internal and external operations, and be robust enough to remain valid for a period of four to six years.
Vision Statement
• The vision statement expresses where the organization wants to go, while the mission statement describes how it wants to get there.
• Taken together, the mission, vision, and values statements provide the philosophical foundation for planning and guide the creation of the strategic plan.
• Vision statements should be ambitious, as they are meant to express the aspirations of the organization and to serve as a means for visualizing its future.
• Example: Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every machine they use.
Values Statement
• By establishing a formal set of organizational principles and qualities in a values statement, as well as benchmarks for measuring behavior against these published values, an organization makes its conduct and performance standards clear to its employees and the public.
• Example: Random Widget Works values commitment, honesty, integrity, and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal, and natural environments.
Strategic Planning - Discussion
• Why is it necessary to have a strategic plan in place before creating lower-level plans?
Strategic Planning
• Strategic planning is “the process of defining and specifying the long-term direction (strategy) to be taken by an organization, and the allocation and acquisition of resources needed to pursue this effort”.
• It guides organizational efforts and focuses resources toward specific, clearly defined goals in the midst of an ever-changing environment.
• A clearly directed strategy flows from top to bottom, and a systematic approach is required to translate it into a program that can inform and lead all members of the organization.
Top-down Strategic Planning
[Figure: the organization hierarchy shown alongside the corresponding planning hierarchy, with strategy flowing from the top of the organization downward. Source: Management of Information Security, 6th edition, Cengage Learning]
Creating a Strategic Plan
• After an organization develops a general strategy, it must create an overall strategic plan by extending that general strategy into specific strategic plans for major divisions.
• Each level of each division translates those objectives into more specific objectives for the level below.
• The conversion of goals from the strategic level to the next lower level relies on the executive’s ability:
  – to know and understand the strategic goals of the entire organization,
  – to know and appreciate the strategic and tactical abilities of each unit within the organization, and
  – to negotiate with peers, superiors, and subordinates.
Planning Levels
• Once the organization’s overall strategic plan is translated into strategic goals for each major division or operation, the next step is to translate these strategies into tasks with specific, measurable, achievable, and time-bound objectives.
• Strategic planning then begins a transformation from general, sweeping statements toward more specific and applied objectives.
• Strategic plans are used to create tactical plans, which are in turn used to develop operational plans.
Tactical Planning
[Figure: strategic, tactical, and operational planning levels]
• Has a more short-term focus than strategic planning
• Usually one to three years
• Breaks applicable strategic goals into a series of incremental objectives

Operational Planning
• Used by managers and employees to organize the ongoing, day-to-day performance of tasks
• Includes clearly identified coordination activities across department boundaries such as:
  – Communications requirements
  – Weekly meetings
  – Summaries
  – Progress reports
Planning and the CISO
• The priority of the Chief Information Security Officer (CISO) and the InfoSec management team should be the structure of a strategic plan.
• While each organization may have its own format for the design and distribution of a strategic plan, the fundamental elements of planning are the same for all types of enterprises.
Typical Strategic Plan Elements
• The basic components of a typical organizational-level strategic plan
include:
1. Executive Summary
2. Mission, Vision and Values Statements
3. Organizational Profile and History
4. Strategic Issues and Challenges
5. Organizational Goals and Objectives
6. Major Business Units (or Products/Services) Goals and Objectives
7. Appendices (as applicable) – market analyses, internal/external
surveys, budgets, and R&D projections.
Tips For Planning
1. Articulate a comprehensive and meaningful vision statement that shares the organization’s intent, to attract others to join in the effort to achieve that goal.
2. Try to bring a sense of logical analysis to the objectives and what has been accomplished; for example, by using tools to track outcomes against intentions and to measure effects against prior actions.
3. Work from an overarching plan that has been developed with input from key stakeholders.
4. Seek transparency in planning to make planning changes understandable to stakeholders.
5. Make planning a process that engages everyone involved to work toward the common objectives.

Tips For Planning (Cont.)
6. Stick with the process over time, since results may not always be achieved as quickly as intended.
7. Develop consistent and repeatable methods of planning that are adopted as part of the organization’s culture.
8. Explain what is being done so that stakeholders understand the intentions of the process.
9. Use processes that fit the organization’s culture.
10. Make the process as engaging as possible so that participants are not overwhelmed and do not feel put upon by the required actions.
Planning for InfoSec
• The CIO and CISO play important roles in translating overall strategic planning into tactical and operational InfoSec plans.
• CIO
  – Translates the strategic plan into departmental and InfoSec objectives.
  – Ensures that the various IT functional areas in the organization provide broad support for the plan.
• CISO
  – Translates InfoSec objectives into tactical and operational objectives.
  – Reports to the CIO.
  – Convinces the CIO of the priorities of the InfoSec program, both within and outside of the IT function.
Implementing the Security Program using the SecSDLC
• Scales up the SDLC approach to support the design, implementation, and maintenance of an entire security program.
• The SecSDLC may differ from the traditional SDLC in several specific activities, but the overall methodology is the same.
• The SecSDLC process involves the identification of specific threats and the risks that they represent, as well as the subsequent design and implementation of specific controls to counter those threats and manage the risk.
The benefits of the SecSDLC approach:
• Reduces security risks from the start
• Ensures compliance with relevant regulations
• Improves the quality and performance of the system
SecSDLC Waterfall Methodology
[Figure: the SecSDLC phases (investigation, analysis, logical design, physical design, implementation, maintenance) laid out as a waterfall. Source: Management of Information Security, 6th edition, Cengage Learning]
Investigation Phase for SecSDLC
• Identifies the problem to be solved
• Begins with the objectives, constraints, and scope of the project
• A preliminary cost/benefit analysis is then developed
• Ends with a feasibility analysis
Feasibility
• Feasibility analysis determines whether the organization has the resources and commitment to conduct a successful security analysis and design.
Analysis in the SecSDLC
• In the analysis phase, the team studies the documents from the investigation phase.
• Conducts a preliminary analysis of:
  – Existing security policies
  – Current threats and attacks
  – Legal issues
• Risk management is involved:
  – The process of identifying, assessing, and evaluating the levels of risk facing the organization.
Design in SecSDLC
Two distinct phases:
Logical design phase:
  – Create and develop a security blueprint
  – Implement key policies
  – Feasibility analysis
  – Develop or outsource
Physical design phase:
  – Evaluate technology to support the security blueprint
  – Generate alternative solutions
  – Agree on final design
Design elements
• Information security policy
• Management must define:
  – General security policy
  – Issue-specific security policy
  – Systems-specific security policy
• SETA – the security education, training, and awareness program – contains:
  – Security education
  – Security training
  – Security awareness
• The design phase continues with the formation of the controls and safeguards:
  – Managerial controls
  – Operational controls
  – Technical controls
Managerial Controls
• Address the design, scope, and implementation of the security planning process and security program
• Address risk management and provide a security control overview
• Address the scope of legal compliance
Operational Controls
• Manage functions and lower-level planning:
  – Disaster recovery
  – Incident response planning
  – Personnel security
  – Physical security
  – Protection of production inputs and outputs
Technical Controls
• Address tactical and technical issues related to designing and implementing security.
• Review the technologies necessary to protect information assets.
Contingency planning
• Another element of the design phase is contingency planning.
• Contingency planning is planning to prepare for, react to, and recover from events that threaten the security of information assets, and to restore normal business operations afterward. It comprises:
  – Incident Response Planning (IRP)
  – Disaster Recovery Planning (DRP)
  – Business Continuity Planning (BCP)
Physical security
• In the design phase, physical security needs to be addressed.
• Physical security – the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization
• Physical resources include:
  – People
  – Hardware
  – Supporting information system elements
Implementation in SecSDLC
• Acquire, test, implement, and retest security solutions.
• Evaluate personnel issues and conduct specific training and education programs.
• Present the tested package to management for approval.
Management of the Project Plan
• The most important element of the implementation phase is the management of the project plan:
  – Planning the project
  – Supervising tasks and action steps within the project plan
  – Wrapping up the plan
Project Team
• Should consist of individuals experienced in one or multiple technical and nontechnical areas.
• Organizations should examine the options for staffing the information security function:
  – Decide how to position and name the function
  – Plan for proper staffing of the function
  – Understand the impact of information security across every role in IT
  – Integrate information security concepts into personnel management
Maintenance in the SecSDLC
• Maintenance models focus organizational effort on system maintenance:
  – External monitoring
  – Internal monitoring
  – Planning and risk assessment
  – Vulnerability assessment and remediation
  – Readiness and review
What Is a Security Policy?
• Security policy: A document that defines how an organization deals with certain aspects of security
  – End-user behavior
  – IT response to incidents
  – Specific issues and incidents
• Can also deal with regulatory requirements
  – How to comply with certain regulations
  – Example: inform healthcare workers how to comply with HIPAA rules when using medical records software
• Some policies can be advisory, not mandatory
Why policy?
• Policy is the essential foundation of an effective information security program.
• The success of any information security program lies in policy development.
• In 1989, the National Institute of Standards and Technology (NIST) addressed this point:
“The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems….”
Why policy?
Information security policies are designed to provide structure in the workplace and explain the will of the organization’s management in controlling the behavior of its employees.
• Policy is designed to create a productive and effective work environment.
• Some basic rules must be followed when developing a policy:
  – Policy should never conflict with the law.
  – Policy must be able to stand up in court if challenged.
  – Policy must be properly supported and administered.

Why policy?
Policy may be difficult to implement. The following guidelines can help in the formulation of IT policy as well as InfoSec policy:
• All policies must contribute to the success of the organization.
• Management must ensure the adequate sharing of responsibility for the proper use of information systems.
• End users of information systems should be involved in the steps of policy formulation.
What is a Cybersecurity Policy?
• Cybersecurity policy: Document that states how an organization plans to protect its information assets and information systems and ensure legal and regulatory compliance
• Asset: A resource with a value
• Information asset: Any information item, regardless of storage format, that represents value to the organization
  – Examples: Customer data, employee records, IT information, reputation, and brand

Copyright 2019 Pearson Education, Inc.
Policy, Standards, and Practices
• Policies must also specify the penalties for unacceptable behavior and define an appeals process.
• Policies should not specify the proper operation of equipment or software.
  – That information belongs in other documents called standards, procedures, practices, and guidelines.
• Policies define what you can and cannot do, whereas the other documents focus on the how.
[Figure: relationship among policies, standards, practices, procedures, and guidelines.]
Important Standards
• Many standards exist to guide the creation of security policies
• These standards include:
  – NIST SP 800-53 – a catalogue of security and privacy controls grouped into families (18 families in Revision 4; Revision 5 expanded the set to 20)
  – ISO/IEC 27001 – requires a systematic review of security risks; includes the design and implementation of controls to address those risks and the management of the controls (the certifiable ISMS standard)
  – ISO/IEC 27002 – recommends best practices (a code of practice) for initiating, implementing, and maintaining information security management
  – ISO/IEC 17799 – the earlier code of practice establishing guidelines and principles for information security management in an organization; it was renumbered as ISO/IEC 27002 in 2007, so older references (including the common mis-citation “ISO 17999”) point at the same document
Defining User Policies
• System misuse is a major issue for organizations
• Effective user policies must be clear and specific
• User policies must cover these areas:
  – Passwords
  – Internet use
  – Email usage
  – Installing/uninstalling software
  – Instant messaging
  – Desktop configuration
  – Bring your own device (BYOD)
  – Variations: CYOD (choose your own device), COPE (corporate-owned, personally enabled), COBO (corporate-owned, business only)
Defining System Administration Policies
• Organizations must clearly define system administration policies
• New employees
  – Access to resources and applications
  – Computer security and acceptable use policies
• Departing employees
  – Terminate logins, accounts, and access to all systems
  – Obtain facility keys and search the former employee’s workstation
• Change requests
  – Monitor access to resources
  – Software, hardware, and website changes
Security Breaches
• Most networks will experience a security breach
• Types of breaches include:
  – Virus infection: quarantine and isolate the infected machine(s); scan and clean
  – DoS attacks: use firewall logs or IDS alerts to locate the source of the attack
  – Intrusion by a hacker: copy the logs of affected systems (preserving them as evidence) and scan all systems
• Log incidents and notify appropriate personnel
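The breach-handling bullets above say to use firewall logs to locate the source of a DoS attack and to copy the logs of affected systems. The following Python is an added example written for this page, not code from the lecture or its textbook sources: it parses constructed log lines in a hypothetical iptables-style format (not real captures), counts SYN attempts per source address over a sliding time window to flag the flooding source, and records a SHA-256 digest of the preserved log copy so that its integrity can be demonstrated later. The window and threshold values are assumptions to be tuned per network.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical iptables-style format, not a real capture).
# 203.0.113.7 sends a burst of SYNs; the other two sources are ordinary traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-03-01T10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-03-01T10:00:01 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-03-01T10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-03-01T10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-03-01T10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-03-01T10:00:03 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP DPT=22 SYN
2024-03-01T10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-03-01T10:00:05 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-03-01T10:00:06 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=443 SYN
2024-03-01T10:01:10 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP DPT=22 SYN
2024-03-01T10:02:30 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP DPT=22 SYN
2024-03-01T10:02:31 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.5 DST=198.51.100.10 PROTO=UDP DPT=53
"""

# Field layout of the assumed log format; anything that does not match is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: (?P<action>ACCEPT|DROP) IN=\S+ "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)(?P<flags>.*)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts with a parsed timestamp and a SYN flag."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["syn"] = "SYN" in d["flags"].split()
        events.append(d)
    return events


def flood_sources(events, window=timedelta(seconds=10), threshold=5):
    """Map source IP -> peak SYN count inside any `window`, for sources reaching `threshold`."""
    syn_times = defaultdict(list)
    for e in events:
        if e["syn"]:
            syn_times[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in syn_times.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def evidence_digest(text):
    """SHA-256 of the copied log; record it with the copy so later tampering is detectable."""
    return hashlib.sha256(text.encode()).hexdigest()


def detect_dos(text):
    """Convenience wrapper: parse a log and return the flagged flood sources."""
    return flood_sources(parse_log(text))


if __name__ == "__main__":
    print(detect_dos(SAMPLE_LOG))       # {'203.0.113.7': 8}
    print(evidence_digest(SAMPLE_LOG))
```

The sliding window matters: 198.51.100.77 also sends SYNs to port 22, but three of them spread over two and a half minutes never exceed the threshold, so only the burst source is reported. Lowering the threshold to 1 lists every SYN sender with its peak count, which is useful when triaging rather than alerting.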
Defining Access Control
• Trade-offs must be made between access and security
• Least privilege – each person is given the minimum system access necessary to perform their job
• Implicit deny – all users are implicitly denied access to network resources until an administrator explicitly grants them access
• Other important access control concepts include:
  – Separation of duties
  – Job rotation
  – Mandatory vacations
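The access control concepts above (implicit deny, least privilege, separation of duties) are easiest to see as a small policy engine. The Python below is an added example written for this page, not code from the lecture: principals, resources, and action names such as "submit_invoice" are hypothetical, and the engine models users only (no groups). Every access decision defaults to deny unless an explicit grant names the action, a separation-of-duties rule refuses a grant that would let one person hold two conflicting actions on the same resource, and a review helper lists the privileges a principal holds beyond what their job needs.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    principal: str      # user name (hypothetical; groups are left out for brevity)
    resource: str       # e.g. "payroll-db"
    actions: frozenset  # e.g. frozenset({"read"})


@dataclass
class AccessPolicy:
    grants: list = field(default_factory=list)
    # Action pairs one principal must never hold together on the same resource
    # (separation of duties), e.g. submitting and approving the same invoice.
    conflicting_actions: list = field(default_factory=list)

    def permitted_actions(self, principal, resource):
        """Union of every explicit grant for this principal on this resource."""
        held = frozenset()
        for g in self.grants:
            if g.principal == principal and g.resource == resource:
                held |= g.actions
        return held

    def is_allowed(self, principal, resource, action):
        """Implicit deny: unless some grant explicitly names this action, the answer is no."""
        return action in self.permitted_actions(principal, resource)

    def grant(self, principal, resource, actions):
        """Add an explicit grant, refusing it if it would breach separation of duties."""
        would_hold = self.permitted_actions(principal, resource) | frozenset(actions)
        for a, b in self.conflicting_actions:
            if a in would_hold and b in would_hold:
                raise ValueError(f"separation-of-duties violation: {principal} would hold "
                                 f"{a!r} and {b!r} on {resource}")
        self.grants.append(Grant(principal, resource, frozenset(actions)))


def excess_privileges(policy, principal, resource, needed):
    """Least-privilege review: actions granted beyond what the job actually needs."""
    return policy.permitted_actions(principal, resource) - frozenset(needed)


def demo():
    """Constructed scenario: an accounts-payable workflow and an over-privileged DBA."""
    policy = AccessPolicy(conflicting_actions=[("submit_invoice", "approve_invoice")])
    policy.grant("alice", "accounts-payable", {"submit_invoice"})
    policy.grant("bob", "accounts-payable", {"approve_invoice"})
    policy.grant("carol", "payroll-db", {"read", "write", "delete"})
    results = {
        "alice_submit": policy.is_allowed("alice", "accounts-payable", "submit_invoice"),
        "alice_approve": policy.is_allowed("alice", "accounts-payable", "approve_invoice"),  # not granted
        "dave_read": policy.is_allowed("dave", "payroll-db", "read"),  # no grant at all: implicit deny
        "carol_excess": sorted(excess_privileges(policy, "carol", "payroll-db", {"read"})),
    }
    try:
        # Giving alice approval rights too would let her submit and approve her own invoices.
        policy.grant("alice", "accounts-payable", {"approve_invoice"})
        results["sod_blocked"] = False
    except ValueError:
        results["sod_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The check for conflicting actions runs at grant time rather than at access time, which is where a real provisioning system should enforce it: a violation is cheaper to refuse than to detect after the fact, and the least-privilege review then only has to look at what was actually granted.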
Development Policies
• Flawed code can result in security breaches
• All programming code must be checked for backdoors/Trojan horses
• Buffers must have bounds checking and error handling implemented
• Communications must adhere to guidelines
• Code that opens ports must be documented
• Input should be validated and filtered to prevent attacks such as injection
• Vendors should document that there are no known security flaws in their code
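The "input should be filtered" rule above is the one most often violated in practice, so here is what it looks like in code. This Python is an added example for this page, not code from the lecture: it shows a deliberately unsafe command builder that splices untrusted input into a shell string beside a hardened version that validates the input against an allowlist (an IP literal or a well-formed hostname) and passes it as a single argv element with no shell. The `ping` target scenario and the hostname pattern are assumptions chosen for illustration.

```python
import ipaddress
import re
import subprocess

# Hostname allowlist: DNS labels of letters, digits and interior hyphens, at most 63
# characters per label and 253 overall. A leading "-" cannot match, so an option such
# as "-f" can never reach the command line as a target. (Assumed pattern for this example.)
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def build_ping_unsafe(target):
    """The pattern the policy forbids: untrusted input spliced into a shell command line."""
    # Run under a shell, "8.8.8.8; rm -rf /" becomes two commands. Shown for contrast only.
    return "ping -c 1 " + target


def validate_target(target):
    """Allowlist check: return a normalised IP address or hostname, or raise ValueError."""
    t = target.strip()
    try:
        return str(ipaddress.ip_address(t))  # accepts IPv4 and IPv6 literals
    except ValueError:
        pass
    if HOSTNAME_RE.match(t):
        return t.lower()
    raise ValueError(f"rejected target: {target!r}")


def build_ping_safe(target):
    """Hardened form: validated value passed as one argv element, never through a shell."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target):
    """Execute the hardened command; shell=False (the default) keeps metacharacters inert."""
    return subprocess.run(build_ping_safe(target), capture_output=True, text=True, timeout=10)


def classify(targets):
    """For each candidate, the value the safe builder would use, or 'REJECTED'."""
    out = {}
    for t in targets:
        try:
            out[t] = validate_target(t)
        except ValueError:
            out[t] = "REJECTED"
    return out


if __name__ == "__main__":
    # Constructed probe inputs: legitimate targets plus injection and option-smuggling attempts.
    probes = ["example.com", "8.8.8.8", "2001:db8::1", "Example.COM",
              "8.8.8.8; rm -rf /", "$(id).example.com", "-f"]
    for probe, verdict in classify(probes).items():
        print(f"{probe!r:25} -> {verdict}")
```

Two independent defences are at work: validation rejects anything outside the allowlist, and the argv list means that even a value that slipped through could not be reinterpreted by a shell. Either alone is weaker than both; the policy asks for filtering, but the calling convention is what makes the filter's failure survivable.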
Standards, Guidelines, and Procedures
• These documents relate to and support policies
  – Standard – statement of the desired level of operation
  – Guideline – suggestion about how to achieve the standard
  – Procedure – step-by-step instructions on how to handle issues
• Data classification
  – Public information – no restrictions on who can view it
  – Private information – intended for internal use only
  – DoD clearances: Confidential, Secret, Top Secret, and Top Secret with SCI (Sensitive Compartmented Information) access
Disaster Recovery
• Disaster – any event that significantly disrupts an organization’s operations
• Documents that prepare for disasters include:
  – Disaster recovery plan (DRP) – plan to return business to normal operations after a disaster
  – Business continuity plan (BCP) – plan to get minimal business functions back up and running
  – Impact analysis – states the damage to your organization that a given disaster might cause
Disaster Recovery (cont.)
• Incident-handling standards that support disaster recovery and business continuity:
  – ISO/IEC 27035 – information security incident management: detecting, reporting, and responding to incidents
  – NIST SP 800-61 – guidance on incident response teams, response procedures, and related items
• Fault tolerance – three primary backup types:
  – Full – a copy of all data, not just changes; the base from which every restore starts
  – Differential – all changes since the last full backup; restoring needs the full plus only the newest differential
  – Incremental – all changes since the previous backup of any type; restoring needs the full plus every incremental since, applied in order
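The practical consequence of the three backup types is the restore chain: which sets you must have on hand, and in what order, to recover to a given day. The Python below is an added example for this page, not code from the lecture. It works out that chain from a backup schedule, and goes beyond the slide by also handling a mixed schedule (a differential taken after some incrementals supersedes them, while incrementals taken after the differential are still required). The dates and schedule are constructed.

```python
from dataclasses import dataclass
from datetime import date

KINDS = ("full", "differential", "incremental")


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str  # one of KINDS


def restore_chain(backups, target):
    """Ordered list of backup sets needed to restore data as of `target`.

    full         -> copy of all data; the base of every chain
    differential -> everything changed since the last full; only the newest one is needed
    incremental  -> everything changed since the previous backup of any kind; every one
                    after the newest anchor (full or differential) is needed, in order
    """
    for b in backups:
        if b.kind not in KINDS:
            raise ValueError(f"unknown backup type {b.kind!r}")
    usable = sorted((b for b in backups if b.taken <= target), key=lambda b: b.taken)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError(f"no full backup on or before {target}")
    anchor = fulls[-1]
    chain = [anchor]
    after_full = [b for b in usable if b.taken > anchor.taken]
    diffs = [b for b in after_full if b.kind == "differential"]
    if diffs:
        anchor = diffs[-1]  # supersedes everything between the full and itself
        chain.append(anchor)
    chain.extend(b for b in after_full if b.kind == "incremental" and b.taken > anchor.taken)
    return chain


def demo():
    """Constructed schedules: weekly full on Sunday 3 March 2024, daily backups after it."""
    full = Backup(date(2024, 3, 3), "full")
    target = date(2024, 3, 6)
    differential = [full] + [Backup(date(2024, 3, d), "differential") for d in (4, 5, 6)]
    incremental = [full] + [Backup(date(2024, 3, d), "incremental") for d in (4, 5, 6)]
    mixed = [full, Backup(date(2024, 3, 4), "incremental"),
             Backup(date(2024, 3, 5), "differential"), Backup(date(2024, 3, 6), "incremental")]
    return {name: [b.taken.isoformat() for b in restore_chain(sched, target)]
            for name, sched in (("differential", differential),
                                ("incremental", incremental),
                                ("mixed", mixed))}


if __name__ == "__main__":
    for name, chain in demo().items():
        print(f"{name:13}: {' -> '.join(chain)}")
```

The output makes the trade-off concrete: the differential schedule restores from two sets but each nightly differential grows all week, while the incremental schedule keeps nightly sets small at the cost of needing every one of them, so a single missing or corrupt incremental breaks the chain from that point onward.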
Guidelines for Effective Policy
For policies to be effective and legally defensible, they must be properly:
1. Developed using industry-accepted practices, and formally approved by management (development)
2. Distributed using all appropriate methods (dissemination)
3. Read by all employees (review)
4. Understood by all employees (comprehension)
5. Formally agreed to by act or affirmation (compliance)
6. Uniformly applied and enforced (uniform enforcement)
Developing Information Security Policy
• View policy development as a three-part project:
  – First part – the policy is designed and written
  – Second part – the document is reviewed and formally approved
  – Third part – the policy is perpetuated within the organization
• The first part is an exercise in project management, whereas the latter two parts require adherence to good business practices and legal regulations.
Policy Distribution
• The most common alternatives are hard copy distribution and electronic distribution.
• Ensure that the policy actually reaches the end users
• Hard copy distribution
  – Directly distributing a copy to the employee
  – Posting in a publicly available location (bulletin board)
• Electronic distribution
  – E-mail
  – Newsletter
  – Intranet
  – Document management systems
Policy Reading
• Literacy or language issues are barriers to reading policies
• Visually impaired employees also require additional assistance
• Remedies include:
  – Audio versions
  – Large-type versions of documents
  – Simple translations of policy documents
Policy Comprehension
• A quote attributed to Confucius states: “Tell me and I forget; show me and I remember; let me do and I understand.”
• An employee can review a policy, but that does not ensure they truly understand what the policy requires of them.
• Policy documents must be:
  – Written at a reasonable reading level
  – Minimal in technical jargon and management terminology
• Use some form of assessment to gauge how well employees understand the policy’s underlying issues:
  – Quizzes
  – Other forms of examination
Policy Compliance
• Policy compliance means the employee must agree to the policy
• Can an employee refuse to agree to comply with a policy?
  – This has not yet been adjudicated in the legal system
  – The question can be avoided by incorporating policy confirmation statements into employment contracts, annual evaluations, or other documents
Policy Enforcement
• The final component of the design and implementation of effective policies.
• Policy enforcement must be able to withstand external scrutiny.
Policy Development and Implementation using the SDLC
• A policy development or redevelopment project should be:
  – Well planned
  – Properly funded
  – Aggressively managed to ensure that it is completed on time and within budget
• The policy development project can be guided by the systems development life cycle (SDLC) process
Policy Development and Implementation using the SDLC
Investigation Phase
• Obtain support from senior management.
• Obtain support and active involvement of IT management, specifically the CIO.
• Clearly articulate the goals.
• Secure participation of the correct individuals affected by the recommended policies.
• Produce a detailed outline of the scope of the policy development project and estimates for the cost and scheduling of the project.
Policy Development and Implementation using the SDLC
Analysis Phase
Should produce the following:
• A new or recent risk assessment or IT audit documenting the current InfoSec needs of the organization.
• A gathering of key reference materials, including any existing policies.
Policy Development and Implementation using the SDLC
Design Phase
• Drafting of the actual policy document.
• Commonly done by a single author.
• The document should incorporate all specifications and restrictions from the previous phases.
• Resources at your disposal include:
  – The web
  – Government sites
  – Professional literature
  – Peer networks
  – Professional consultants
Policy Development and Implementation using the SDLC
Implementation Phase
• Create a plan to distribute the policies and to verify their distribution
• Members of the organization must explicitly acknowledge that they have received and read the policy (compliance); mechanisms include:
  – A cover sheet that states “I have received, read, understood, and agreed to this policy”
  – A banner screen that displays a brief statement
  – Pop-up windows that display end-user license agreements (EULAs)
  – A compliance assessment, such as a short quiz
• Together these ensure that the policy is properly distributed, read, understood, and agreed to by those to whom it applies
Policy Development and Implementation using the SDLC
Maintenance Phase
• Monitors, maintains, and modifies the policy as needed to ensure that it remains effective as a tool to meet changing threats.
• Users should be able to report problems, preferably anonymously through a Web form.
  – Reports are monitored either by the organization's legal team or by a committee assigned to the task.
• Make sure that everyone is required to follow the policy equally
  – Policies must not be implemented differently in different areas or hierarchies of the organization
  – This is uniform enforcement
Successful Policy Characteristics
• Endorsed – management supports the policy
• Relevant – the policy is applicable and supports the goals of the organization
• Realistic – the policy makes sense
• Attainable – the policy can be successfully implemented
• Adaptable – the policy can be changed
• Enforceable – controls that can be used to support and enforce the policy exist
• Inclusive – the policy scope includes all relevant parties
A Final Note on Policy
• Policies help organizations avoid litigation, but their first and foremost function is to inform employees of what is and is not acceptable behavior in the organization.
• Policy seeks to improve employee productivity and prevent potentially embarrassing situations.
• General causes of unethical and illegal behavior:
  – Ignorance – deter by education (training, reminders, and awareness programs)
  – Accident – careful planning and control help prevent accidental modification to systems and data
  – Intent – technical controls, and appropriate penalties or litigation if these controls fail
A Final Note on Policy (Cont.)
• Deterrence is created when three conditions are present:
  – Fear of the penalty
  – Probability of being apprehended
  – Probability of the penalty being applied
• Information security personnel must do everything in their power to deter these acts and to use policy, education and training, and technology to protect information and systems.
Summary
• Planning is central to the management of any organization and is based on the preparation, application, and control of a sequence of action steps to achieve specific goals.
• Strategic planning lays out the long-term direction to be taken by the organization and guides organizational efforts.
• InfoSec governance is the process of creating and maintaining the organizational structures that manage the InfoSec function within an enterprise.
• The traditional SDLC can be adapted to support the specialized implementation of a security project by using the SecSDLC.
Summary
• Technology is not enough to ensure a secure network
• Create clear and specific policies detailing procedures on your network:
  – Employee computer resource use
  – New employees and outgoing employees
  – Access rights
  – How to respond to an emergency
  – Security of code in applications and websites
• User policies must cover all aspects of how the user is expected to use company technology, and must be enforced
• IT staff also need clearly defined policies
• Developing effective information security policy
• Policy development and implementation using the SDLC