Question

In this assignment, you are to create a security management policy that addresses the management and the separation of duties throughout the seven domains of a typical IT infrastructure. You are to define what the information systems security responsibility is for each of the seven domains of a typical IT infrastructure. From this definition, you must incorporate a definition for the separation of duties into the Procedures section of the policy definition template that you will fill out later in this step. The scenario you are to work with is for the mock XYZ Credit Union/Bank:

* The organization is a regional XYZ Credit Union/Bank that has multiple branches and locations throughout the region

* Online banking and use of the Internet are the bank’s strengths, given its limited human resources

* The customer service department is the organization’s most critical business function

* The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT best practices regarding its employees

* The organization wants to monitor and control use of the Internet by implementing content filtering

* The organization wants to eliminate personal use of organization-owned IT assets and systems

* The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls

* The organization wants to implement this policy for all the IT assets it owns and to incorporate this policy review into its annual security awareness training

* The organization wants to define a policy framework, including a security management policy defining the separation of duties for information systems security

Create the IT policy, standard, guideline, and procedure for the XYZ Credit Union/Bank organization regarding the use of personal devices (cell phones, tablets, home computers, etc.). All of these may be contained in a single document, but each one should start on a new page.

Explanation / Answer

Introduction:

Security policy is defined as the set of practices that regulate how an organization manages, protects, and assigns resources to achieve its security objectives. These security objectives must be tempered with the organization’s goals and situation and determine how the organization will apply its security objectives. This combination of the organization’s goals and security objectives underlies the management controls that are applied in nearly all business practices to reduce the risks associated with fraud and human error.

Security policies have evolved gradually and are based on a set of security principles. While these principles themselves are not necessarily technical, they do have implications for the technologies that are used to translate the policy into automated systems.

This top-level information security policy is a key component of the XYZ Credit Union/Bank’s overall information security management framework and should be considered alongside more detailed information security documentation, including system-level security policies, security guidance, and protocols or procedures. XYZ Credit Union/Bank is exposed to a variety of operational and transactional risks, including crime, employee fraud, and natural disaster. Additionally, because of the nature and amount of information gathered regarding the financial transactions of its customers and the extensive use of technology to process this information,

The passage of the Gramm-Leach-Bliley Financial Modernization Act of 1999 (“GLBA”) intensified regulatory attention on technology risk management and information security. The Act required regulatory authorities to promulgate guidelines for safeguarding customer information. These standards require that each financial institution implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution and the nature and scope of its activities. While all parts of the financial institution are not required to implement a uniform set of policies, all elements of the information security program must be coordinated.

Security Principles:

In 1992, the Organization for Economic Cooperation and Development (OECD) issued a series of guidelines intended for the development of laws, policies, technical and administrative measures, and education. These guidelines include:

1. Accountability. Everyone who is involved with the security of information must have specific accountability for their actions.

2. Awareness. Everyone must be able to gain the knowledge essential in security measures, practices, and procedures. The major impetus for this is to increase confidence in information systems.

3. Ethics. The method in which information systems and their associated security mechanisms are used must be able to respect the privacy, rights, and legitimate interests of others.

4. Multidisciplinary principle. All aspects of opinion must be considered in the development of policies and techniques. These must include legal, technical, administrative, organizational, operational, commercial, and educational aspects.

5. Proportionality. Security measures must be based on the value of the information and the level of risk involved.

6. Integration. Security measures should be integrated to work together and establish defensive depth in the security system.

7. Timeliness. Everyone should act together in a coordinated and timely fashion when a security breach occurs.

8. Reassessment. Security mechanisms and needs must be reassessed periodically to ensure that the organization’s needs are being met.

9. Democracy. The security of the information and the systems where it is stored must be in line with the legitimate use and information transfer of that information.

In addition to the OECD security principles, some additional principles are important to bear in mind when defining policies. These include:

10. Individual accountability. Individuals are uniquely identified to the security systems, and users are held accountable for their actions.

11. Authorization. The security mechanisms must be able to grant authorizations for access to specific information or systems based on the identification and authentication of the user.

12. Least privilege. Individuals must only be able to access the information that they need for the completion of their job responsibilities, and only for as long as they do that job.

13. Separation of duty. Functions must be divided between people to ensure that no single person can commit a fraud undetected.

14. Auditing. The work being done, and the associated results, must be monitored to ensure compliance with established procedures and the correctness of the work being performed.

15. Redundancy. This addresses the need to ensure that information is accessible when required; for example, keeping multiple copies on different systems to address the need for continued access when one system is unavailable.

16. Risk reduction. It is impractical to say that one can completely eliminate risk. Consequently, the objective is to reduce the risk as much as possible.

There are also a series of roles in real-world security policy that are important to consider when developing and implementing policy. These roles are important because they provide distinctions between the requirements in satisfying different components of the policy. These roles are:

1. originator — the person who creates the information

2. authorizer — the person who manages access to the information

3. owner — may or may not be a combination of the two previous roles

4. custodian — the user who manages access to the information and carries out the authorizer’s wishes with regard to access

5. user — the person who ultimately wants access to the information to complete a job responsibility.

When looking at the primary security goals — confidentiality, integrity, and availability — security policies are generally designed around the first two goals, confidentiality and integrity. Confidentiality is concerned with the privacy of, and access to, information. It also works to address the issues of unauthorized access, modification, and destruction of protected information. Integrity is concerned with preventing the modification of information and ensuring that it arrives correctly when the recipient asks for it.

Information Security policy

Introduction

Objective and Overview

Businesses are today rapidly embracing new technologies and modern ways of working. Historically separate domains no longer have the luxury of operating in a vacuum. Business competitiveness depends on business-technology alignment. Newer generations understand this intuitively. Meanwhile, the volume of information created and consumed on mobile devices is growing, which is also changing the way individuals use and share information. As employees spend more time using their personal devices, interacting on social networks, and sharing information via file-sharing services, we must look for ways to ensure security and data preservation while safeguarding the privacy of the users.

An effective governance structure that has an accurate view of “the big picture” can observe how investments in one area of the business affect other areas of the business and prioritize investments accordingly – including “free” investments like social networks and file sharing sites. File sharing services, social media, and mobile devices have presented organizations with data security and business risk management challenges, but the larger problem – as always – is a people issue. Employees will do what comes naturally in the absence of clearly articulated policies – and even then, effective enforcement is required to ensure that governance policies actually do govern behavior. Effective IT governance, therefore, is a cross-functional activity that requires a unified vision, collective commitment, and enforcement.

Technology is innovating much faster than the speed of change in organizational cultures. As organizations extend out to clouds and mobile devices, IT departments have to radically change how they operate, including how they procure products and services, how they manage technology and data assets, and IT’s own role within the organization. Similarly, governance policies have to continuously evolve to better align with the modern business world.

IT Strategy

IT will endeavor to transform the Bank’s workplace by enabling end-user capabilities through access to data and services anywhere and anytime. The goal will be to make technologies available to provide the right information, to the right people, at the right time, in order to help our staff perform with greater efficiency and productivity. The focus will be on end-to-end delivery of mobile solutions that enhance enterprise-wide mobile computing capabilities. Procurement will be carried out as per the Corporate Procurement Policy.

The XYZ Credit Union/Bank is committed to business solutions which involve, where appropriate from a cost and risk perspective, acquiring services rather than assets. This will improve service delivery by reducing the time to go-live and also control costs, as new services could be acquired during the life of a contract without protracted procurement cycles.

Governance

Overview

The IT Security Policy recognizes that effective IT governance is essential to achieving long-term, sustainable business outcomes. It must, therefore, be defined in terms of business objectives at every level, which, in turn, link to overall corporate strategy and direction. Governance, clearly, is far more than a focus exclusively on compliance and assurance.

The cornerstones of our IT governance model, therefore, need to go beyond pure IT perspectives and define and implement governance to meet business outcomes and align with business strategy. All governance arrangements will be periodically reviewed against this definition so as to evaluate if some can be minimized or eliminated. Our focus would be to implement governance processes that address the full life cycle beginning from the setting of business objectives and then to decision making, execution and compliance, and evaluation of performance against objectives.

Goals

Our governance goals are:

• Setting decision rights and accountability, as well as establishing policies that are aligned to business objectives. These will preserve and grow enterprise value.

• Balancing technology investments (under the overall Board-approved budget) in accordance with policies and in support of business objectives so as to coherently realize strategy.

• Establishing measures to monitor adherence to decisions and policies.

• Mitigating risk by ensuring that processes, behaviors, and procedures are in accordance with the Bank policies.

• Ensuring that the staff will have freedom to use IT resources subject to compliance with the Bank policies.

Responsibility & Structure

The Guidelines should determine the limits for procurement under different methods, which are listed in the table below: In terms of the minimum structures and functions required for effective governance, our view is that less is more when it comes to creating an effective governance structure. The best way is to avoid a proliferation of governance groups that would create unnecessary complexity and bureaucracy within the organization. Groups would be set up as and when required with well-defined roles and responsibilities to avoid confusion.

While the Board and executive management will be responsible for overall governance, including in the area of Information Technology, IT governance would primarily be overseen by an IT Investment Council. The Council would decide or approve all significant IT investments within the Board approved budget. In cases where demand exceeds supply, the council will help resolve investment conflicts and provide clarity and direction. At the second level, the Council would be supported by small teams (of not more than four persons each) which would look at investment prioritization, enterprise architecture and standards, financial analysis, risk assessment and the Project Management Office (PMO). In the startup phase of the Bank, some of these teams could be combined. Details of these teams are as below:

• A combined team of business unit heads and IT functional heads familiar with the capabilities of the IT organization and the enterprise road map of initiatives will make prioritization recommendations to the investment council. This team would also ensure consistency and collaboration across disparate business units.

• Enterprise Architecture and Standards Management would be the responsibility of a team, from the IT Division, with the requisite skill sets. These standards would include approved technical protocols, software applications and hardware. The architecture and standards recommended by this team would reflect the technology required to fulfill business goals.

• Financial Management: a cross-functional group from business, finance and technology would play a critical role in governance by verifying business cases, tracking the financial benefit of projects in progress and verifying financial results as part of benefits realization. The group would coordinate with other areas of the Bank whenever necessary.

• Risk Management: this team would be drawn from business, risk and technology; it would calculate risk around IT investments. Risks would be assessed holistically and would include compliance, revenue, brand and execution risks. This group would also coordinate with other areas of the Bank whenever necessary.

• The PMO, a part of the IT Division, will determine the impact of the recommended changes and also maintain the "supply side" of the IT portfolio. By understanding the types of resources and their availability, the PMO will work with other teams to determine when projects can be implemented. The PMO will maintain a benefits scorecard, ensuring initiatives deliver what was expected, and also a project investment dashboard, which serves as a one-page summary of the intent of each proposed initiative. The PMO will, thus, function as the hub for governance information.

Operational Policies:

To ensure a robust and secure technology platform for the organization, suitable internal policies and procedures are required, covering:

• IT asset management, end-user device security, logical access and passwords, malware protection, email usage and internet usage.

• Data protection, including data classification, data retention and disposal, data masking and backup.

• Data centre security, to cover security issues and best practices relating to operating systems, applications, databases and networks.

• Enterprise-level IT security, which would include change management, incident management, business continuity and privacy-related issues. It is important to emphasize that, unless there is evidence that users utilized IT resources in an illegal fashion, the privacy of such users is inviolable.

The Governance model should have the following properties:

• Integration of IT plans with strategic planning across other functions

• Appropriate accountability for IT initiatives

• Transparency of IT plans and investments

• Adoption of a broad enterprise-wide view

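The answer above lists least privilege, separation of duty and auditing as principles the XYZ Credit Union/Bank policy must define. The following is an added illustration, not part of the original answer, of how those three principles interlock in a maker-checker funds-transfer workflow: role names (teller, supervisor, manager, auditor), permissions and users are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Least privilege: each role holds only the actions its job needs.
# Roles and permissions are constructed for this example.
ROLE_PERMISSIONS = {
    "teller": {"initiate"},
    "supervisor": {"approve"},
    "manager": {"initiate", "approve"},   # can do both, so SoD check matters
    "auditor": {"review_log"},
}


@dataclass
class Transfer:
    tx_id: str
    amount: float
    initiated_by: Optional[str] = None
    approved_by: Optional[str] = None


@dataclass
class Bank:
    users: dict                                # user -> role (constructed)
    audit_log: list = field(default_factory=list)

    def _check(self, user: str, action: str) -> None:
        """Individual accountability: every denied action is logged by user."""
        role = self.users.get(user)
        if role is None or action not in ROLE_PERMISSIONS.get(role, set()):
            self.audit_log.append((user, action, "DENIED"))
            raise PermissionError(f"{user} may not {action}")

    def initiate(self, user: str, tx: Transfer) -> None:
        self._check(user, "initiate")
        tx.initiated_by = user
        self.audit_log.append((user, "initiate", tx.tx_id))

    def approve(self, user: str, tx: Transfer) -> None:
        self._check(user, "approve")
        # Separation of duty: even a user whose role allows both actions
        # may not approve a transfer they initiated themselves.
        if user == tx.initiated_by:
            self.audit_log.append((user, "approve", f"SOD-VIOLATION {tx.tx_id}"))
            raise PermissionError("initiator cannot approve own transfer")
        tx.approved_by = user
        self.audit_log.append((user, "approve", tx.tx_id))


def sod_violations(log) -> list:
    """Auditing: pull denied and self-approval attempts out of the log for review."""
    return [e for e in log if e[2] == "DENIED" or e[2].startswith("SOD-VIOLATION")]
```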