Running head: SECURITY AWARENESS
The Role of Information Security Policy, Jessica Graf, Assignment 1, Unit 8, IAS5020
The Role of Information Security Policy
IAS5020- Info Sec Reg & Legal Env
Jessica Graf
Capella University
Dr. David Bouvin
June 7, 2015
The Role of Information Security Policy | 1
June 7, 2015
When it comes to developing a security policy for this college or any other business, the CIA
triad has to be the foundation of that policy. The three areas of the triad are confidentiality, integrity and
availability. Oftentimes, though, non-repudiation is also included as an important area to be
covered in a security policy. The goal of any security policy is to keep assets safe (data, servers, network,
people and reputation) and balance that against usability.
Before you can even attempt to write a successful security policy, you must know certain things
about a business. How risk tolerant are they? What are the federal and state regulations they must follow?
What are they trying to keep safe and how are they currently doing that? What type of budget do they
have? What are their priorities as far as what to secure?
The first objective of security is confidentiality: keeping information away from people who
should not have it. Accomplishing this objective requires that we know what data we are protecting and
who should have access to it. It requires that we provide protection mechanisms for the data while it is
stored in the computer and while it is being transferred over networks between computers. We will need
to know the application programs that we use (or could use) to manipulate the data and control the use of
those applications. Confidentiality has taken on an expanded meaning in the form of privacy controls. For
some industries, such as health care and finance, privacy is now a regulatory issue. The U.S., European,
Canadian, and Australian governments (with others following) have legislated privacy controls to varying
degrees. (Langevin, 2008)
The second objective of security is integrity: assuring that the information stored in the computer
is never contaminated or changed in a way that is not appropriate. Both confidentiality and availability
contribute to integrity. Keeping data away from those who should not have it and making sure that those
who should have it can get it are fairly basic ways to maintain the integrity of the data. The need for data
integrity connects computer security to a closely related discipline: business continuity planning and data
recovery. Data will eventually be damaged by hardware failure, software failure, human errors, or
security failures. Recovery processes are a necessary part of any business IT plan and frequently are
under the control of a security department. (Proctor & Byrnes, 2002)
The third objective of security is availability: ensuring that data stored in the computer can be
accessed by the people who should access it. Availability is a broad subject addressing things such as
fault tolerance to protect against denial of service and access control to ensure that data is available to
those authorized to access it. Most computers can at least differentiate between two classes of users:
system administrators and general end users. The major exceptions to this rule are the desktop operating
systems that have become common on personal computers. Availability has also taken on an expanded
meaning. One of the most common forms of security problem for Internet applications is the "denial of
service" (DoS) attack. (Khandhar, 2015)
This is a focused attempt by a cyber-attacker to make a computer system and its data unavailable.
This can be done in two ways. First, the attacker may try to damage the target computer or some network
component on which the computer depends. Second, the attacker may simply send so many messages to
the target computer that it cannot possibly process them all. Other people attempting to use that computer
for legitimate purposes find that the computer is too busy to service them. (Fischer, 2014)
Security can impact profitability in a positive or negative manner, depending on how it is
managed. Improving security to reduce risk may cost money, and as with most of life, the last 20 percent
of risks to be eliminated will cost 80 percent of the money. Once basic security needs have been met, it is
important to balance risk reduction costs against the potential for loss if security fails. Most business
plans contain some allowance for downside risks. Many security-related risks exceed these allowances,
but a case-by-case analysis should be done before large security investments are made. (Dell
SecureWorks, 2014)
Implementing a robust information security program within the federal government is
challenging. Federal and other public institutions have to contend with constantly changing technology,
multiple compliance requirements, increasing complexity of information security, and changing threats,
much like any other business in the private sector. However, the federal government is often more of a
target than other entities because of the nature of what it is, what it handles and what it stands for.
Because of these things it is a bigger target, more risk averse and has more responsibility to keep its
assets safe. Governments and public institutions are often the target of threat actors. Threat actors are
broken into five groups:
1. Nation-state actors
2. Organized criminal actors
3. Corporate espionage actors
4. Terrorists (Dell SecureWorks, 2014)
Threat actors will target a specific organization or entity and perpetrate a sustained campaign
until they achieve their goals. The actors' persistence, adaptability and variability also differentiate
advanced threat actors from less organized and opportunistic ones. Threat actors may act
independently or, more likely, as part of a larger team or effort. In the case of teams, activities may be
fully compartmentalized, much like how a business separates roles, functions and organizations
internally. (Dell SecureWorks, 2014) While organized criminal elements may be after information and
access that can lead to financial gain, nation-state sponsored actors may be driven by the desire to obtain
intelligence, or to gain competitive advantage for industry. (Bucci & Rosenzweig, 2013)
Security benefits do have both direct and indirect costs. Direct costs include purchasing,
installing, and administering security measures, such as access control software or fire suppression
systems. Additionally, security measures can sometimes affect system performance, employee morale, or
retraining requirements. All of these have to be considered in addition to the basic cost of the control
itself. In many cases, these additional costs may well exceed the initial cost of the control (as is often
seen, for example, in the costs of administering an access control package). Solutions to security problems
should not be chosen if they cost more, in monetary or non-monetary terms, directly or indirectly, than
simply tolerating the problem. In addition, to provide organizations greater flexibility and agility in defending their
information systems, the concept of overlays was introduced in this revision. Overlays provide a
structured approach to help organizations tailor security control baselines and develop specialized security
plans that can be applied to specific missions/business functions, environments of operation, and/or
technologies. This specialization approach is important as the number of threat-driven controls and
control enhancements in the catalog increases and organizations develop risk management strategies to
address their specific protection needs within defined risk tolerances. (NIST, 2013)
When it comes to the impact any security policy can have on customers and business partners that
have a relationship with a government agency or public institution, it can be a double-edged sword. If the
policy is too tight it can impact the relationship because of the issues in accessing data and resources that
are needed. A good example of this was the health care website that was put out by the US government.
While the issues were not all about security, they were about availability and how the failure of the website
impacted the trust and reputation of the public institution responsible for it. (Fischer, 2014)
Respect for customer security and privacy is one of the most important issues facing any
organization (public or private) today. The public is getting sick and tired of reading about privacy
breaches every day in the headlines, and they want to know that your company is doing everything
reasonable and responsible to safeguard their personally identifiable information (PII).
To gain and keep customer trust, public institutions must exercise better judgment in the
collection, use, and protection of PII. Not only do you need to provide training and awareness of this to
your personnel, but you also need to keep your customers (with whom you already have a business
relationship) and consumers (with whom you would like to have a business relationship, and who may
have provided some information to you) informed, through various awareness messages, about what you
are doing to protect their privacy and ensure the security of their information. (Dell SecureWorks,
2014)
In the end, when developing a security policy, any organization has to assess its risks,
its tolerance for risk, what it is protecting and from whom. It must make sure that the policy
meets its security needs in balance with the business goals and customers' needs. It also must
make sure it is in compliance with federal and state laws. However, the policy must be flexible
enough to embrace new technologies and threats, both internal and external.
References
Bucci, S., & Rosenzweig, P. (2013, April 1). A Congressional Guide: Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace. Retrieved from The Heritage Foundation: http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace
Cornell University Law School. (2014). Legal Information Institute. Retrieved from 42 U.S. Code Part A - Improved Privacy Provisions and Security Provisions: https://www.law.cornell.edu/uscode/text/42/chapter-156/subchapter-III/part-A
Dell SecureWorks. (2014). Security for Public Institutions.
Dell SecureWorks. (2014). Threat Actors. Austin, TX: Dell.
Dennis, C. M. (2013, January 28). Lexology. Retrieved from Data security laws and the rising cybersecurity debate: http://www.lexology.com/library/detail.aspx?g=cc5c9a56-7a60-46ab-9cf4-f36cada0cafa
Fischer, E. A. (2014). Cybersecurity Issues and Challenges: In Brief. Washington, D.C.: Congressional Research Service.
Khandhar, P. (2015, April 22). Dell SecureWorks. Retrieved from Banking Botnets Persist Despite Takedowns: http://www.secureworks.com/cyber-threat-intelligence/threats/banking-botnets-persist-despite-takedowns/
Langevin, J. R. (2008, September 16). GAO.gov. Retrieved from GAO-08-1075R – Federal Legal Requirements for Critical Infrastructure IT Security: http://www.gao.gov/new.items/d081075r.pdf
NIST. (2013). Security and Privacy Controls for Federal Information Systems and Organizations. Washington, DC: NIST.
Proctor, P. E., & Byrnes, C. (2002). The Secured Enterprise: Protecting Your Information Assets. New York: Prentice Hall.