Key Concepts:
  • Information systems security (ISS) and information assurance in organizations
  • ISS policies and their importance in organizations
  • Four information security controls
  • Business drivers that create the need for ISS policy framework
  • U.S. compliance laws and industry standards

Security Policies and Implementation Issues

Information Security Policy Management

Introduction to ISS
Assume that you work for an organization that does not have anti-virus software installed on its computers. What could be the implications? To address the implications of not using anti-virus software, you need to perform a risk assessment and define security policies. Let's review some basic concepts related to ISS and ISS policies.

Consider the following questions and their answers.
  • What is ISS? ISS refers to protecting information and the systems that store and process the information against risks that may lead to unauthorized access, use, disclosure, disruption, modification, or destruction of the information.
  • What is the difference between ISS and IA? ISS focuses on protecting information regardless of form or process, while IA focuses on protecting information during process and use.
  • What are ISS policies? ISS policies require placement of controls in processes specific to an information system. ISS policies cover every threat to a system and protect people and information. The policies also set rules for users, define the consequences of violations, and minimize risks to an organization.
Policy Development
Information forms the basis of today’s world. What would happen if everyone had access to information belonging to an individual or an organization? The information may be misused. To protect information, it is important to develop and enforce policies.

The following guidelines apply when developing policies to secure personally identifiable information (PII) data:
  • Examine: Comprehend local, state, and federal requirements.
  • Collaborate: Work closely with the chief privacy officer (CPO).
  • Align: Coordinate privacy policies with data classification policies.
  • Educate: Conduct training in the correct handling of PII data.
  • Retain: Ensure proper controls around data retention and destruction.
  • Limit: Collect data only from an individual to whom you will provide the service or product.
  • Disclose: Let the individual know what data is being collected and how it will be used.
  • Encrypt: Use encryption when storing or transmitting PII data.
Personnel Involved in Security Policy Creation
Several personnel are involved in the creation of a security policy:
  • Chief information security officer: responsible for research and strategy alignment with organizational objectives.
  • IA auditor: responsible for overall information auditing and compliance alignment with statutory requirements.
  • Security manager: responsible for framework and control alignment with organizational objectives.
  • Risk manager: responsible for risk-related process alignment with audit, compliance, and governance requirements.
  • Compliance officer: responsible for compliance and governance alignment with organizational objectives.

U.S. Compliance Laws
The United States has enacted several laws to secure information. These laws protect consumers from potential scams and ensure the privacy of personal information.

Let's review some laws related to information security.

U.S. Compliance Laws
  • The Digital Millennium Copyright Act (DMCA)
  • The Gramm-Leach-Bliley Act (GLBA)
  • The Sarbanes-Oxley (SOX) Act: sets new or enhanced standards for all publicly traded companies in the United States. Year enacted: 2002.
  • The Federal Information Security Management Act (FISMA): requires government agencies to adopt a common set of information security standards. For many government agencies, FISMA creates mandatory requirements to ensure the confidentiality, integrity, and availability of data. Year enacted: 2002.
Importance of Security Policies
Organizations need to protect their customer data. They can ensure data protection by using a defined ISS policy. What are the repercussions of not having a standardized policy?

The following reasons highlight the importance of using and enforcing security policies:
  • To protect systems from insider threats: insider threats refer to challenges posed by users with authorized access who can wreak havoc on an information system. Policies can help in monitoring user activity.
  • To protect information at rest and in transit: data at rest, such as on a backup tape, or data in transit, such as when traveling across a network, requires a security policy to ensure protection.
  • To control changes to the IT infrastructure: organizations are dynamic and constantly changing. Managing change helps reduce the risk of introducing vulnerabilities into a system.

In this section, you will have an opportunity to practice the concepts and processes that you have explored in this lesson.

The Hands-On Lab provides you with an engaging learning experience that is diagnostic and flexible. Following the instructions provided in the Lab Manual, you will be able to practice the steps IT Security Specialists perform on a daily basis and develop the skills required for effective execution and management of IT Security operations.

In this section, you will have an opportunity to apply what you've learned in this lesson in the context of analyzing a business situation. Although simplified, the problem scenario provided here depicts the challenges often faced by professionals in the workplace.

In this interactive case study, you will explore a business situation, review critical information related to the problem discussed in the case, decide on the course of action, and receive a decision analysis summary that discusses the implications of your decision. Once you analyze the impact of your decision, explore alternative solutions to learn about other potential ways to address the issue in the case. Complete your work on the case by submitting the graded assignment that will reflect on your process of analyzing the business situation and defining an appropriate course of action.

You work for TzarTech Corp., a technology company that recently won a large Department of Defense (DoD) contract to create security policies. The policies should comply with DoD requirements. For this assignment, you will work in a group assigned by your instructor.

Message from the chief security officer:
As you know, we have won a DoD contract that will add over 30 percent to our revenue. I would like you to form a team of two or three people for developing security policies for our computing equipment. I will mail you a list of the equipment shortly.

You need to make your own budget, project timeline, and toll gate decisions. Create an academic paper describing the policies, standards, and controls that would make our organization DoD compliant.

Contributing Factors
Where can you gather information on DoD requirements? Two sources are available: research on the Internet and the e-mail from the chief security officer, reproduced below.

Hi,

As discussed in our meeting, here is a list of the computing equipment in our organization:

12 servers running Microsoft Server 2012 R2, providing the following:

  • Active Directory (AD)
  • Domain Name System (DNS)
  • Dynamic Host Configuration Protocol (DHCP)
  • Enterprise Resource Planning (ERP) application (Oracle)
  • A Research and Development (R&D) Engineering network segment for testing, separate from the production environment
  • Microsoft Exchange Server for e-mail
  • Symantec e-mail filter
  • Websense for Internet use

Two Linux servers running Apache Server to host TzarTech Corp.'s Web site

390 PCs/laptops running Microsoft Windows 7 or Windows 8 with:

  • Microsoft Office 2013
  • Microsoft Visio
  • Microsoft Project
  • Adobe Reader

You need to create security policies that meet DoD standards for this computing equipment. Please keep me updated on the developments in this regard.

Regards,
John Adams
Chief Security Officer
TzarTech Corp.
  • Identify the open source software that you were able to find for each server.
  • Identify the open source software that you would recommend for each server, considering the stability and security of the software.
  • Provide a rationale for your choice of open source software.
  • Cite examples of successful software implementation in financial organizations.
Course of Action
Use the following checklist as a guide to complete this assignment.

Tasks

  • Have a discussion with the chief security officer.
  • Research the Internet to know more about DoD requirements.
  • Check the list of computing equipment at TzarTech.
  • Select a team leader for your project group.
  • Develop a list of compliance laws required for DoD contracts.
  • List controls placed on the computing equipment.
  • List standards that would be required for all equipment.
  • Create DoD-compliant policies for the computing equipment.
  • Develop a deployment plan for the implementation of these policies, standards, and controls.
  • In the final delivery document, list all DoD frameworks that your team finds.
  • Submit the assignment to your instructor.
At the end of this lesson, you should be able to:
  • Identify the four information security controls.
  • Compare information systems security (ISS) and information assurance (IA) in organizations.
  • Describe ISS policies and their importance in organizations.
  • Identify business drivers that create the need for an ISS policy framework.
  • Describe various U.S. compliance laws and industry standards.
In this lesson, you will learn about the four information security controls. You will also examine the various components of information security governance and the process for creating a policy framework. In addition, you will explore the importance of a security policy in an organization.