

Instructions
Security Policy
Ed Moore
Lecture Outline
Faculty of Arts | Department of Security Studies and Criminology
What is a security policy?
Case Study
Steps for creating a security policy
Information Technology Security Policy
What is it?
An Information Technology (IT) Security Policy identifies the rules and procedures for all individuals accessing and using an organization’s IT assets and resources.
An effective IT security policy is a model of the organisation’s culture, in which rules and procedures are driven by its employees’ approach to their information and work
A Security Policy is a unique document for each organisation
What is it?
The security policy should dictate what a company should do in its day-to-day operations as well as when an event occurs
Many of the major failures in the last decade stem from an inadequate security policy (or one that was not followed by employees)
Designing a Security Policy
Many organisations take a sample boilerplate template
This is unsuitable, as it is not tailored to the organisation
An IT Security Policy should aim to preserve the CIA triad
Confidentiality – the data is accessed only by authorised users
Integrity – the data is modified only by authorised users
Availability – authorised users can access the data when they need to
Steps for creating a security policy
Start by researching
What documents do you want to protect?
What services are vital for the organisation?
How sensitive is the data you are protecting?
What is the scope of the policy?
Check provided checklists (ISO 17799)
Information Gathering
Define Roles & Responsibilities
Communicate Findings
Write Policy
Implement Policy
Monitoring
Step 1 – Research
What level of granularity do you need in your policy?
Who will you need buy-in from?
Who will the owner of the security policy be?
This could be a team leader inside the IT team, the CIO or someone else
What regulations (if any) apply to your organisation/industry?
Finance (CPS234)
Health (HRIP, GIPA)
General Data Protection Regulation (GDPR)
Who is the audience for the policy?
What and how will this policy be reviewed?
CPS234 – Regulations around security policy for financial institutions
HRIP – Health Record and Information Privacy Act, which regulates how organisations store and manage data
GIPA – Right to access data
ISO
The International Organization for Standardization (ISO) is a global organisation that publishes standards for various industries
It is seen as the go-to standards body for most industries, including IT, building, food safety and environmental management, even down to the construction of freight containers
ISO17799:2005 sets standards for initiating, implementing, maintaining, and improving information security management in an organization
This is a standard, but an organisation cannot be “certified” against it
ISO27001:2005 is an extension on ISO17799:2005 and an organisation can be certified for this standard
Certification is done by an official certifying body
Certification may be mandated by law based on industry
CPS234
Specific for financial institutions
Information security framework must be maintained in a manner that is consistent with the threats and vulnerabilities to which the entity is exposed
All information assets must be managed and classified by their criticality and sensitivity.
Information security controls are required to ensure that the entity can protect its information assets
These controls must be tested through a testing program to ensure that they are effective
Mechanisms must be in place to ensure that information security incidents are detected and responded to quickly.
Plans must be in place that set out how the entity will respond to incidents
Internal audits must review the effectiveness and the design of all information security controls
CPS234
APRA must be notified as soon as possible, but no later than 72 hours after an entity becomes aware of an information security incident
If an entity discovers a weakness in its information security controls, it must notify APRA within 10 days of becoming aware of it.
HRIP
Health Record and Information Privacy Act regulates how organisations must manage medical data
Affects any organisation that collects, holds or uses health information
Mostly hospitals, doctors and other health providers
May also include universities that collect information for research
Also covers scans such as retina prints and fingerprints
Dictates how to perform a request for access
Also states the maximum time to respond to these requests
GIPA
The Government Information (Public Access) Act (GIPA) dictates how information is managed by government organisations
This includes public hospitals
It highlights how to request information from a government organisation
Similar to HRIP, but with government clauses added
Such as public interest considerations
GDPR
General Data Protection Regulation (GDPR) is a regulation ratified by the EU which aims to protect the data of citizens inside the EU
This regulation applies to any organisation within the EU
Also applies to international organisations that offer goods and services or monitor the behaviour of individuals in the EU
Australian businesses that may be covered by the GDPR include:
an Australian business with an office in the EU
an Australian business whose website targets EU customers for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros
an Australian business whose website mentions customers or users in the EU
an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes
GDPR
The GDPR protects ’personal data’: ‘any information relating to an identified or identifiable natural person’
Additional restrictions apply when the information is considered ‘special’
Racial or ethnic, political, religious, genetic data & health
GDPR-compliant privacy policy
Whenever you collect information, you must request consent
FTC
The Federal Trade Commission is an independent body of the US government whose job is to enforce consumer protection
It is seen as the body used to prevent anti-competitive practices and monopolies within an industry
Case Study: Cambridge Analytica
Facebook allegedly provided identifiable information to an analysis company, Cambridge Analytica (CA)
CA is one of the more powerful analysis companies in the world
The processing took place over 3 years before Facebook terminated their account
They had apparently lied about deleting old harvested data
Facebook allegedly never followed up with this
Two reports broke detailing how CA used personal information taken without authorization from more than 50 million Facebook users in early 2014 to build a system that could profile individual US voters in order to target them with personalized political ads.
Christopher Wylie, one of the professors who worked with CA, was recorded saying:
“We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”
Case Study: Cambridge Analytica
“The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”
Of the 50 million profiles scraped (only 270,000 of which belonged to users who’d granted permission), roughly 30 million contained enough information, including places of residence, that the company could (at least theoretically) match users to other records and build “psychographic” profiles.
Case Study: Cambridge Analytica
The FTC entered a 16-month process of attempting to fine Facebook
Facebook having more resources than the FTC…
They recently settled on the largest fine ever issued to a company… USD$5B
There have been heavy criticisms of this, as Facebook’s annual revenue was USD$55.8B in 2018 (increased from USD$7.87B in 2013)
Many consider this a “win” for Facebook, as it is merely a “slap on the wrist” for the company
Step 2 – Information Gathering
Identify Assets
Create a list of critical business processes
From that list of processes, identify critical assets
ISO 17799 provides a list of things to consider
This is typically a very extensive list
Identify threats
What threats exist?
How can they be exploited?
Evaluate controls
From each threat, look at what can be implemented to lessen the effect
This is the basis behind performing a risk assessment
Step 3 – Define Roles and Responsibilities
Group employees based on their job and requirements
Determine what access and permissions each department needs
Balance between protection and productivity
Use of the “least privilege” concept
The idea that users should not have access they don’t need when performing their daily duties
This concept means that a compromised account may not have access to higher level information
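The least-privilege idea in Step 3, as an added Python example that is not part of the lecture: roles carry the permissions their duties require plus the highest classification they may read, and an audit flags accounts granted more than their role needs. The role names, permission strings, classification levels and accounts are constructed assumptions.

```python
from dataclasses import dataclass

# Asset classification levels, lowest to highest sensitivity (constructed example).
LEVELS = ["public", "internal", "confidential", "restricted"]

@dataclass(frozen=True)
class Role:
    name: str
    required: frozenset   # permissions the role's daily duties actually need
    max_level: str        # highest classification this role may read

# Constructed roles; permission names and levels are assumptions, not from the lecture.
ROLES = {
    "helpdesk": Role("helpdesk", frozenset({"ticket:read", "ticket:write", "user:reset_password"}), "internal"),
    "finance":  Role("finance",  frozenset({"ledger:read", "ledger:write"}), "confidential"),
    "dba":      Role("dba",      frozenset({"db:admin", "db:backup"}), "restricted"),
}

# What each account has actually been granted (constructed; the helpdesk account is over-provisioned).
GRANTS = {
    "alice@helpdesk": ("helpdesk", {"ticket:read", "ticket:write", "user:reset_password", "ledger:read"}),
    "bob@finance":    ("finance",  {"ledger:read", "ledger:write"}),
    "carol@dba":      ("dba",      {"db:admin", "db:backup"}),
}

def excess_permissions(account):
    """Permissions granted beyond what the account's role needs: least-privilege violations."""
    role_name, granted = GRANTS[account]
    return sorted(granted - ROLES[role_name].required)

def can_read(account, asset_level):
    """True if the account's role is cleared for an asset of this classification."""
    role_name, _ = GRANTS[account]
    return LEVELS.index(asset_level) <= LEVELS.index(ROLES[role_name].max_level)

def audit():
    """Map every account to its excess grants; an empty list means least privilege holds."""
    return {acct: excess_permissions(acct) for acct in GRANTS}

if __name__ == "__main__":
    for acct, extra in audit().items():
        print(acct, "OK" if not extra else f"excess grants: {extra}")
```

If alice's account were compromised, the audit shows the attacker would also hold a finance permission her duties never needed, which is exactly the exposure the concept is meant to remove.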
Step 4 – Communicate findings
Communication to the relevant parties
Anyone the policy requires to action anything
Anyone who is affected by the policy
Management of those staff
Business owners
Policies need to be enforced from the top down
Highlight the risks and vulnerabilities
Policy procedures must be approved by decision makers and representatives from all stakeholder groups
If there are additional legal requirements, these will also need to be verified
This step is about collaboration to get people on board and to ensure the policy is not created by one department dictating rules over the business
Step 4 – Communicate findings
It is common for an IT team to struggle to get management to support and enforce a security policy
This can occur for a number of reasons:
Immediate Payoff
Expensive and time consuming
“Won’t happen to us”
“Don’t fix what isn’t broken”
So how can you get managers to care?
Explain it in direct, financial terms
Company reputation
Career damage
Step 5 – Write the policy
When writing the policy, start with a template from a reputable organisation (such as SANS or NIST)
The policy should build upon the findings and accepted recommendations to reduce the risks
Use the SMART rule
Specific
Measurable
Agreeable
Realistic
Time-bound
You can also use other companies’ security policies to prompt your own
Check compliance with ISO 17799
Step 6 – Implementation
Decide on a date on which you will start using the policy
Don’t rush, stick to it
The document should be made available to all employees
Signature of acceptance should be sought from all employees (especially those involved in it)
Educating employees is important so that they act on the policy
Seminars and awareness campaigns
Security seminars
Printed posters, email, etc
Rolling implementation is an option where the policy is implemented into segments of the company progressively
Implementations rarely go smoothly; keep this in mind, as teething issues are common
Step 7 – Monitoring
Monitoring for compliance is vital, especially in an industry where the law demands it
This may involve an external auditing team to ensure the policy is enforced
Internal auditors are an alternative if the company has capacity for them
Heavy fines can be imposed on organisations that do not meet standards
There must be punishments attached to non-compliance; otherwise employees have little incentive to be compliant
Monitoring and review of the policy is also critical so that it stays relevant and up to date
Employee turnover can cause large issues
Answered Same Day Aug 22, 2021 PICT3011 Macquarie University

Solution

Dilpreet answered on Aug 24 2021
ANSWERS TO QUESTIONS
Table of Contents
Three Important Ways    3
Suggested Modifications for Creating a Cyber Security Policy    3
Justification of Suggestions Made    3
Replying to Kurt Davenport’s Post    3
Replying to Kristina Blazevska’s Post    3
References    4
Three Important Ways
There is no doubt about the fact that IT teams face a number of challenges while making the management understand the need for buying cyber security. However, the IT teams can get out of this trouble in the following ways:
1. IT teams must make the management understand the adverse impact of previous cyber-attacks on the business (de Bruijn & Janssen, 2017).
2. IT teams should frequently conduct a test to know the knowledge of the employees regarding security requirements. Poor knowledge may help to convince the management that...