Question
In this assignment, you are to create a security management policy that addresses the management and the separation of duties throughout the seven domains of a typical IT infrastructure. You are to define what the information systems security responsibility is for each of the seven domains of a typical IT infrastructure. From this definition, you must incorporate a definition for the separation of duties into the Procedures section of the policy definition template that you will fill out later in this step. The company that’s the subject of this case study is Five Fourths Bank:
Five Fourths Bank is a regional Bank that has multiple branches and locations throughout the area.
Bank Management made the strategic decision to focus on online banking and use of the Internet.
The bank prides itself on its customer service department and their ability to quickly answer customer questions.
The organization needs to be in compliance with the Gramm-Leach-Bliley Act (GLBA), FS-ISAC, and IT best practices regarding its employees.
The organization wants to monitor and control use of the Internet by implementing web content filtering.
The organization wants to eliminate personal use of organization-owned IT assets and systems. However, they allow BYOD to attach to their guest wireless network.
The organization wants to monitor and control use of messaging systems by implementing e-mail security controls.
The bank wants to implement this policy for all its IT assets and to incorporate a policy review process into its annual awareness training.
The organization wants to define a policy framework, including a security management policy defining the separation of duties for information systems.
Explanation / Answer
Purpose
This policy defines the objectives, accountabilities and application of information security management in the Department of . . ..
Replaces: <Previous Policy Document>
Commences: <date>
File: <file reference or policy number>
Scope
This policy covers the management of security for Department information including technology infrastructure, information systems, business information systems, and the systems and services that store, process and communicate Department information.
Principle
The <Director General/Chief Executive Officer/Commissioner> is accountable for the use of Department resources and for ensuring that the requirements for information security are satisfied in accordance with the principles of risk management, including:
· protecting the availability, confidentiality and integrity of information;
· control of access to and proper use of information and information systems;
· authentication of users; and
· non-repudiation of electronic transactions
Responsibility
The Department’s Corporate Executive Committee is responsible for overseeing this policy.
Staff members, including contractors and consultants, are responsible for ensuring that they comply with this policy.
Custodian: Director, Information Services    Date:
Approver: Executive Director, Corporate Services    Date:
Endorser: Director General    Date:
1. Policy
The Department of . . . is responsible for the security of its information and information systems.
2. Objectives
To ensure that Department requirements for information security are satisfied in accordance with the principles of risk management:
a. the control of access to and proper use of information and information systems
b. the availability, confidentiality and integrity of information
c. the authentication of users
d. the non-repudiation of electronic transactions
3. Definition
Interpretation: ‘Department information’ means
a. any official information, government record or personal information (see the Criminal Code, the State Records Act 2000 (WA), Freedom of Information Act 1992)
b. which is created or obtained by the Department, stored by the Department or on Department facilities
Interpretation: ‘Department resources’ includes
a. official information, equipment and facilities (see the Public Sector Management Act (1994), section 9(b))
4. Application
a. The Department will adopt relevant standards for information security management and risk management, including WA Government guidelines
b. The compliance with these guidelines is to be managed by the Information Security Group
c. Compliance means:
· regular reviews of security exposures
· investigation of security infringements, as required
· an ongoing action plan to achieve continuous improvement in security, within the operational budget allocation
d. The Department’s framework for information security management is summarised in the appendices. <Departments should include, policy lists, and delegations>
5. Accountabilities and Responsibilities
5.1. The Director General
a. Is accountable for Department compliance with this information security management policy
b. Shall establish a management group to approve information security policies, standards and procedures, and to supervise the management of the information security management process.
5.2. Director, Information Services
Director, Information Services is responsible for:
a. Information
b. Information infrastructure
c. Information policies
5.3. Information Security Group
The Information Security Group is responsible for:
a. formulating and managing the Department’s information security policy
b. coordinating the implementation of security across the Department.
5.4. Information Security Manager
The Information Security Manager, <Section>, is responsible for:
a. establishing and maintaining a management system for the information security process within the Department
b. maintaining the Department’s information and security policies, such as the Computer and Telecommunications Facility Policy.
5.5. Staff
Department staff are responsible for the following:
a. understand and comply with the Department’s information security policies, standards and procedures, such as:
· the Computer and Telecommunications Facilities Policy
· the Intellectual Property Policy
· the Backup and Recovery Policy
· the Virus and Vulnerability Patching Policy
b. never subvert or attempt to subvert any security measures related to the protection of Department information systems and assets
c. report immediately any actual or suspected security incidents, weaknesses or failures to the Service Desk, Line Manager or Information Security Manager
5.6. System Owners
a. Are responsible for ensuring the compliance of their systems with this Information Security Management Policy.
5.7. Divisional Heads, Executive Directors, Directors
a. Are responsible for managing the risks to their business processes and assets
b. Must manage the information and information systems that belong to their business processes and assets
c. Must ensure that the security requirements that are justified for their processes and assets are satisfied
d. Are responsible for managing the risks to their information and information systems
e. Are responsible for authorising, controlling access to and administering their information and systems
f. Must identify and justify security requirements for their information and information systems
g. Are responsible for the development, management and maintenance of a jurisdiction-specific information security management system, including policy, standards and procedures
h. Are responsible for their staff and contractors being properly educated about relevant Department information security policy, standards and procedures and being properly trained and authorised to use the information and information systems necessary to perform their work.
6. Policy Promulgation
Commencement date
Communication process
7. Policy Review
The Department reviews and updates this policy as needed.
8. Contact
Questions related to this policy document may be directed to the Director, Information Services on (08) 9999-9999.
9. Appendix – Minimum Standards (per AS/NZS ISO/IEC 17799:2006)
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.
Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions.
9.1. How to establish security requirements
It is essential that an organization identifies its security requirements. There are three main sources of security requirements.
1. One source is derived from assessing risks to the organization, taking into account the organization’s overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated.
2. Another source is the legal, statutory, regulatory, and contractual requirements that an organization, its trading partners, contractors, and service providers have to satisfy, and their socio-cultural environment.
3. A further source is the particular set of principles, objectives and business requirements for information processing that an organization has developed to support its operations.
9.2. Assessing Security Risks
Security requirements are identified by a methodical assessment of security risks. Expenditure on controls needs to be balanced against the business harm likely to result from security failures.
9.3. Selecting Controls
Once security requirements and risks have been identified and decisions for the treatment of risks have been made, appropriate controls should be selected and implemented to ensure risks are reduced to an acceptable level [for the Department].
9.4. Minimum Controls [Protections or Objectives]
Controls considered to be essential to an organization from a legislative point of view include, depending on applicable legislation[, must address]:
a) data protection and privacy of personal information (see 15.1.4);
b) protection of organizational records (see 15.1.3);
c) intellectual property rights (see 15.1.2).
9.5. [Recommended] Common Controls
Controls considered to be common practice for information security include:
a) information security policy document (see 5.1.1);
b) allocation of information security responsibilities (see 6.1.3);
c) information security awareness, education, and training (see 8.2.2);
d) correct processing in applications (see 12.2);
e) technical vulnerability management (see 12.6);
f) business continuity management (see 14);
g) management of information security incidents and improvements (see 13.2).
10. Appendix – Information Security Categories (delete as needed)
The International standards define the following information security categories:
Category: Summary
Risk assessment
Security policy: management direction
Organization of information security: governance of information security
Asset management: inventory and classification of information assets
Human resources security: security aspects for employees joining, moving and leaving an organization
Physical and environmental security: protection of the computer facilities
Communications and operations management: management of technical security controls in systems and networks
Access control: restriction of access rights to networks, systems, applications, functions and data
Information systems acquisition, development and maintenance: building security into applications
Information security incident management: anticipating and responding appropriately to information security breaches
Business continuity management: protecting, maintaining and recovering business-critical processes and systems
Compliance: ensuring conformance with information security policies, standards, laws and regulations
AS/NZS ISO/IEC 17799:2006 is identical with and has been reproduced from ISO/IEC 17799:2005.
ISO/IEC 27002:2005 comprises ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005. ISO/IEC 17799:2005/Cor.1:2007 changes the reference number of the standard from 17799 to 27002.
11. Appendix – Information Security Controls (delete as needed)
AS/NZS ISO/IEC 17799:2006 defines 39 information security controls in twelve categories.
Category / Section / Purpose / Sub-sections
4 Risk Assessment
4.1 Assessing Security risks
Risk assessments should identify, quantify, and prioritize risks against criteria relevant to the organization.
4.2 Treating Security risks
Controls to manage or reduce the risk or its impact
5 Security Policy
5.1 Information Security Policy
To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
6 Organization Of Information Security
6.1 Internal Organization
To manage information security within the organization.
6.1.1 Management Commitment To Information Security
6.1.2 Information Security Co-Ordination
6.1.3 Allocation Of Information Security Responsibilities
6.1.4 Authorization Process For Information Processing Facilities
6.1.5 Confidentiality Agreements
6.1.6 Contact With Authorities
6.1.7 Contact With Special Interest Groups
6.1.8 Independent Review Of Information Security
6.2 External Parties
To maintain the security of the organization’s information and information processing facilities that are accessed, processed, communicated to, or managed by external parties.
6.2.1 Identification Of Risks Related To External Parties
6.2.2 Addressing Security When Dealing With Customers
6.2.3 Addressing Security In Third Party Agreements
7 Asset Management
7.1 Responsibility For Assets
To achieve and maintain appropriate protection of organizational assets.
7.1.1 Inventory Of Assets
7.1.2 Ownership Of Assets
7.1.3 Acceptable Use Of Assets
7.2 Information Classification
To ensure that information receives an appropriate level of protection.
7.2.1 Classification Guidelines
7.2.2 Information Labelling And Handling
8 Human Resources Security
8.1 Prior To Employment
To ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
8.2 During Employment
To ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error
8.2.1 Management Responsibilities
8.2.2 Information Security Awareness, Education, And Training
8.2.3 Disciplinary Process
8.3 Termination Or Change Of Employment
To ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.
8.3.1 Termination Responsibilities
8.3.2 Return Of Assets
8.3.3 Removal Of Access Rights
9 Physical And Environmental Security
9.1 Secure Areas
To prevent unauthorized physical access, damage, and interference to the organization’s premises and information.
9.1.1 Physical Security Perimeter
9.1.2 Physical Entry Controls
9.1.3 Securing Offices, Rooms, And Facilities
9.1.4 Protecting Against External And Environmental Threats
9.1.5 Working In Secure Areas
9.1.6 Public Access, Delivery, And Loading Areas
9.2 Equipment Security
To prevent loss, damage, theft or compromise of assets and interruption to the organization’s activities.
9.2.1 Equipment Siting And Protection
9.2.2 Supporting Utilities
9.2.3 Cabling Security
9.2.4 Equipment Maintenance
9.2.5 Security Of Equipment Off-Premises
9.2.6 Secure Disposal Or Re-Use Of Equipment
9.2.7 Removal Of Property
10 Communications And Operations Management
10.1 Operational Procedures And Responsibilities
To ensure the correct and secure operation of information processing facilities.
10.1.1 Documented Operating Procedures
10.1.2 Change Management
10.1.3 Segregation Of Duties
10.1.4 Separation Of Development, Test, And Operational Facilities
10.2 Third Party Service Delivery Management
To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements.
10.2.1 Service Delivery
10.2.2 Monitoring And Review Of Third Party Services
10.2.3 Managing Changes To Third Party Services
10.3 System Planning And Acceptance
To minimize the risk of systems failures.
10.3.1 Capacity Management
10.3.2 System Acceptance
10.4 Protection Against Malicious And Mobile Code
To protect the integrity of software and information.
10.4.1 Controls Against Malicious Code
10.4.2 Controls Against Mobile Code
10.5 Back-Up
To maintain the integrity and availability of information and information processing facilities.
10.5.1 Information Back-Up
10.6 Network Security Management
To ensure the protection of information in networks and the protection of the supporting infrastructure
10.6.1 Network Controls
10.6.2 Security Of Network Services
10.7 Media Handling
To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities.
10.7.1 Management Of Removable Media
10.7.2 Disposal Of Media
10.7.3 Information Handling Procedures
10.7.4 Security Of System Documentation
10.8 Exchange Of Information
To maintain the security of information and software exchanged within an organization and with any external entity.
10.9 Electronic Commerce Services
To ensure the security of electronic commerce services, and their secure use.
10.9.1 Electronic Commerce
10.9.2 On-Line Transactions
10.9.3 Publicly Available Information
10.10 Monitoring
To detect unauthorized information processing activities.
10.10.1 Audit Logging
10.10.2 Monitoring System Use
10.10.3 Protection Of Log Information
10.10.4 Administrator And Operator Logs
10.10.5 Fault Logging
10.10.6 Clock Synchronization
11 Access Control
11.1 Business Requirement For Access Control
To control access to information.
11.1.1 Access Control Policy
11.2 User Access Management
To ensure authorized user access and to prevent unauthorized access to information systems.
11.2.1 User Registration
11.2.2 Privilege Management
11.2.3 User Password Management
11.2.4 Review Of User Access Rights
11.3 User Responsibilities
To prevent unauthorized user access, and compromise or theft of information and information processing facilities.
11.3.1 Password Use
11.3.2 Unattended User Equipment
11.3.3 Clear Desk And Clear Screen Policy
11.4 Network Access Control
To prevent unauthorized access to networked services.
11.4.1 Policy On Use Of Network Services
11.4.2 User Authentication For External Connections
11.4.3 Equipment Identification In Networks
11.4.4 Remote Diagnostic And Configuration Port Protection
11.4.5 Segregation In Networks
11.4.6 Network Connection Control
11.4.7 Network Routing Control
11.5 Operating System Access Control
To prevent unauthorized access to operating systems.
11.5.1 Secure Log-On Procedures
11.5.2 User Identification And Authentication
11.5.3 Password Management System
11.5.4 Use Of System Utilities
11.5.5 Session Time-Out
11.5.6 Limitation Of Connection Time
11.6 Application And Information Access Control
To prevent unauthorized access to information held in application systems.
11.6.1 Information Access Restriction
11.6.2 Sensitive System Isolation
11.7 Mobile Computing And Teleworking
To ensure information security when using mobile computing and teleworking facilities.
11.7.1 Mobile Computing And Communications
11.7.2 Teleworking
12 Information Systems Acquisition, Development and Maintenance
12.1 Security Requirements Of Information Systems
To ensure that security is an integral part of information systems.
12.1.1 Security Requirements Analysis And Specification
12.2 Correct Processing In Applications
To prevent errors, loss, unauthorized modification or misuse of information in applications.
12.2.1 Input Data Validation
12.2.2 Control Of Internal Processing
12.2.3 Message Integrity
12.2.4 Output Data Validation
12.3 Cryptographic Controls
To protect the confidentiality, authenticity or integrity of information by cryptographic means.
12.3.1 Policy On The Use Of Cryptographic Controls
12.3.2 Key Management
12.4 Security Of System Files
To ensure the security of system files.
12.5 Security In Development And Support Processes
To maintain the security of application system software and information.
12.5.1 Change Control Procedures
12.5.2 Technical Review Of Applications After Operating System Changes
12.5.3 Restrictions On Changes To Software Packages
12.5.4 Information Leakage
12.5.5 Outsourced Software Development
12.6 Technical Vulnerability Management
To reduce risks resulting from exploitation of published technical vulnerabilities.
12.6.1 Control Of Technical Vulnerabilities
13 Information Security Incident Management
13.1 Reporting Information Security Events And Weaknesses
To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
13.1.1 Reporting Information Security Events
13.1.2 Reporting Security Weaknesses
13.2 Management Of Information Security Incidents And Improvements
To ensure a consistent and effective approach is applied to the management of information security incidents.
13.2.1 Responsibilities And Procedures
13.2.2 Learning From Information Security Incidents
13.2.3 Collection Of Evidence
14 Business Continuity Management
14.1 Information Security Aspects Of Business Continuity Management
To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
14.1.1 Including Information Security In The Business Continuity Management Process
14.1.2 Business Continuity And Risk Assessment
14.1.3 Developing And Implementing Continuity Plans Including Information Security
14.1.4 Business Continuity Planning Framework
14.1.5 Testing, Maintaining And Re-Assessing Business Continuity Plans
15 Compliance
15.1 Compliance With Legal Requirements
To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
15.1.1 Identification Of Applicable Legislation
15.1.2 Intellectual Property Rights (IPR)
15.1.3 Protection Of Organizational Records
15.1.4 Data Protection And Privacy Of Personal Information
15.1.5 Prevention Of Misuse Of Information Processing Facilities
15.1.6 Regulation Of Cryptographic Controls
15.2 Compliance With Security Policies And Standards, And Technical Compliance
To ensure compliance of systems with organizational security policies and standards.
15.2.1 Compliance With Security Policies And Standards
15.2.2 Technical Compliance Checking
15.3 Information Systems Audit Considerations
To maximize the effectiveness of and to minimize interference to/from the information systems audit process.
15.3.1 Information Systems Audit Controls
12. Potential Policies (delete as needed)
The ISO/AS/NZS Information Security Controls can be used as a framework or structure for information security policies.