Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Destacado (17)
Similar a Security Policy: The Next Generation
Similar a Security Policy: The Next Generation (20)
Último
Último (20)
Security Policy: The Next Generation
- 1. Security Policies: The Next Generation Peter Hesse Gemini Security Solutions, Inc. Security B-Sides Atlanta | October 8, 2010
- 2. Why do we have security policies?
- 3. We need rules to play the game
- 4. Written a policy lately?
- 5. Written a policy lately? ISO 27001
- 6. Written a policy lately? ORANG PCI-DSS 41 CFR 102 E BOOK SAS-70 FISMAISO 27001 WeBTRUST BITS SysTrust ISO 17799 / DITSCAP FIPS 199 BS 7799 Cloud Audit HIPAA
- 7. The language of policy [Organization] and applicable subsidiary Level 2 Unit ISMs will coordinate and document the establishment of all external network connections for their unit with Network Services. As every external network connection is potentially an entry point for intruders, Level 2 Unit ISMs must document all external network connections in their unit, including modems.
- 10. What happens if we simplify?
- 12. One-size-fits-all or tailor made?
- 13. What is the focus? Systems must be patched within 30 days of release of patch from vendor Management approval is required to download any copyrighted material from the Internet
- 14. Improving security policy: Prioritize
- 15. Improving security policy: Prioritize
- 16. Improving security policy: Prioritize
- 17. Improving security policy: Prioritize
- 18. The Next Generation: • Simplify, streamline, squeeze out jargon • Prioritize and heat map based on relative risk and audience • Build approaches that transcend documentation and encourage good behavior
- 19. Fin. • Peter Hesse, Gemini Security Solutions @pmhesse, pmhesse@geminisecurity.com • Extra special thanks to my partner-in-crime on this work, Michael Santarcangelo @catalyst (www.securitycatalyst.com)
Notas del editor
- Is it just because we’ve been doing it so long we don’t remember? Policies are written to counter known or notional risk.
- What game are we playing if I show this to you? Helps set the rules of the game – guidance -- not that they can’t be changed later
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Policies are hard to develop so people follow useful frameworks. <click> Then they have to follow some more frameworks. <click> And some more. And more and more. You end up with something you didn&#x2019;t really expect. Kind of reminds me of a platypus, webbed feet, duck bill, thick fur, mostly aquatic, lays eggs&#x2026;
- Can you understand this? I can&#x2019;t. Length of policy also a huge problem.
- Policies are largely formed by cut and paste. By cutting and pasting without thinking through why things are in there (&#x201C;I just know they have to be&#x201D;) we create additional problems. Policies which are harder to justify, policies the writers can&#x2019;t even understand, policies that are too long. Like making sausage
- Quote from http://googleblog.blogspot.com/2010/09/trimming-our-privacy-policies.html We&#x2019;re also simplifying our main Google Privacy Policy to make it more user-friendly by cutting down the parts that are redundant and rewriting the more legalistic bits so people can understand them more easily.
- Did you know that NIST created a guide for improving the security of your XP home installation, aimed at federal teleworkers? Useful, right? It is 175 pages. However, they distill the guide down to 5 main points, care to guess what they are? -Patching -Running as limited user -Anti-malware -Personal firewall -Perform backups Do they need the rest of the document?
- Policies often treat as one-size-fits-all, but that is not the case. If a policy includes every risk mitigation technique known to the organization, it will have requirements that apply only to IT, only to management, only to finance &#x2013; and few that apply to all users. Yet, they&#x2019;re all in the same policy. We need multiple policies, or multiple views of the same policy, to make sense to the audience
- Is the risk associated with these two policy statements equivalent? Do these statements apply to the average user? (No, 1 is for IT only, 2 is for people doing downloads, and management to know that they need to approve &#x2013; but how do they determine if they should?) What do you do when one of these policies is met, but the other isn&#x2019;t?
- - Here is what we&#x2019;re doing. We are working on prioritizing policy based on a heat map. Heat map can change based on the revelation of new threats, improved perception of risk, improved controls being put into place. - Not getting into the metrics / qualitative/ quantitative holy war, but policies related to greater risks should have greater importance; those that relate to lower risks should be waived, deemed less important, or excised entirely - The heat map could automatically filter based on the perspective of the audience
- - Here is what we&#x2019;re doing. We are working on prioritizing policy based on a heat map. Heat map can change based on the revelation of new threats, improved perception of risk, improved controls being put into place. - Not getting into the metrics / qualitative/ quantitative holy war, but policies related to greater risks should have greater importance; those that relate to lower risks should be waived, deemed less important, or excised entirely - The heat map could automatically filter based on the perspective of the audience
- - Here is what we&#x2019;re doing. We are working on prioritizing policy based on a heat map. Heat map can change based on the revelation of new threats, improved perception of risk, improved controls being put into place. - Not getting into the metrics / qualitative/ quantitative holy war, but policies related to greater risks should have greater importance; those that relate to lower risks should be waived, deemed less important, or excised entirely - The heat map could automatically filter based on the perspective of the audience