This document discusses information security policies and provides an overview of key topics:
1) It outlines a framework for designing security policies including commitment, risk assessment, and risk mitigation.
2) Risk assessment involves analyzing business, physical, technological, and human risks while risk mitigation uses administrative, physical, and technical controls.
3) The document also provides an example security policy for email at SandZ Technologies and discusses implementing policies through training, awareness programs, and audits.
2. Agenda
• Introduction
• Security Policy Framework
• Need for IS Policy
• E-mail Policy: SandZ Technologies
• Implementing security policy
• Conclusion
Information Security Policy
3. Introduction
• Organizations have shifted from being based on tangible assets to being based on intangible (information) assets
• Hence the need to protect information assets
• The objective of the policy is to convey the risks concerning information security and the preventive measures the company has adopted.
4. Security Policy Designing Framework
Commitment → Risk Assessment → Risk Mitigation → Final Policy
5. Commitment
• Educate top management
• Align the policy with the corporate vision and business objectives
• Also analyze the following:
• What are the information assets of a company in
terms of hardware and software, network as well as
the future investment plan in IT/IS?
• What is the company's dependence on IT in real
measurable terms?
• What is the impact of the threat?
6. Risk Assessment
• Business risks, physical risks, environmental risks, technological risks, human risks and so on.
• Tabulate and prioritize the risks involved based on impact and probability of occurrence.
Example: a website compromise is estimated at an annual rate of occurrence (ARO) of 0.5, i.e. once in 2 years, and the single loss expectancy (SLE) for each event is Rs 100 lakhs. The product of probability and consequence gives an Annual Loss Expectancy (ALE) of Rs 50 lakhs (0.5 × 100).
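The tabulation the slide asks for, as an added example that is not part of the original presentation: a small risk register that computes ALE = ARO × SLE for each entry, ranks the entries by expected annual loss, and (going one step beyond the slide) nets the ALE reduction of a candidate control against its annual cost, which is how the risk-mitigation spend is justified to management. The register entries other than the slide's own website case, and all control costs, are constructed figures (in Rs lakhs) and are assumptions.

```python
"""Risk register ranked by Annual Loss Expectancy (ALE).

Added example, not from the original slides. Only the first register entry
is the slide's own case (website hacked: ARO 0.5/year, Rs 100 lakhs per
event); the other entries and all control figures are constructed.
All money figures are in Rs lakhs.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Risk:
    name: str
    category: str   # business, physical, environmental, technological, human
    aro: float      # annualized rate of occurrence (events per year)
    sle: float      # single loss expectancy, Rs lakhs per event

    @property
    def ale(self) -> float:
        # ALE = ARO x SLE, as on the slide: 0.5 x 100 = 50
        return self.aro * self.sle


@dataclass
class Control:
    name: str
    annual_cost: float   # Rs lakhs per year to run the control (assumed)
    new_aro: float       # ARO once the control is in place (assumed)
    new_sle: float       # SLE once the control is in place (assumed)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Tabulate risks with the highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def control_value(risk: Risk, control: Control) -> float:
    """Net annual benefit of a control: ALE before minus ALE after minus cost.

    A negative result means the control costs more per year than the loss
    it averts, so the risk should be accepted or transferred instead.
    """
    residual_ale = control.new_aro * control.new_sle
    return risk.ale - residual_ale - control.annual_cost


def risk_table(risks: List[Risk]) -> str:
    """Plain-text register, in priority order, for the policy annexure."""
    rows = [f"{'Risk':<40}{'ARO':>6}{'SLE':>8}{'ALE':>8}"]
    for r in prioritize(risks):
        rows.append(f"{r.name:<40}{r.aro:>6.2f}{r.sle:>8.1f}{r.ale:>8.1f}")
    return "\n".join(rows)


# Constructed register; only the first entry comes from the slide.
REGISTER = [
    Risk("Public website hacked", "technological", 0.5, 100.0),
    Risk("Server room flooding", "environmental", 0.02, 400.0),
    Risk("Confidential e-mail sent to wrong party", "human", 4.0, 5.0),
    Risk("Laptop theft", "physical", 1.0, 3.0),
]

# Hypothetical control for the website risk: cuts ARO from 0.5 to 0.1/year.
WAF_CONTROL = Control("Web application firewall + patching",
                      annual_cost=10.0, new_aro=0.1, new_sle=100.0)

if __name__ == "__main__":
    print(risk_table(REGISTER))
    value = control_value(REGISTER[0], WAF_CONTROL)
    print(f"Net value of '{WAF_CONTROL.name}': Rs {value:.1f} lakhs/year")
```

Note that the e-mail mishap, a low-impact but frequent human risk, ranks above the rare but costly flood: prioritizing by ALE rather than by impact alone is the point of the tabulation.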
7. Threats
Threat categories and the policy areas that address them:
• Natural and Environmental Threats: disaster recovery; backup and recovery; WAN recovery
• Human Threats: password security and controls; Internet access and security; web server security; intranet security; virus protection; e-commerce security; data encryption; e-mail security
• Technical Controls: logical access controls; program change controls; version controls; application software security; database security; network and telecommunication security; operating systems security; firewall security; data classification
• Administrative Controls: physical security; incident response management; punitive actions
8. Risk Mitigation
• No single defense makes a system secure. Have multiple layers of protection (defense in depth).
• The measures for risk mitigation fall into three groups:
Administrative Measures
Physical Measures
Technical Measures
9. Risk Mitigation
Administrative Measures
• Policies, Procedures, Standards and Guidelines
• Personnel Screening and Security awareness training
Physical Measures
• Perimeter Control
• Physical Access Controls
• Intruder Detection
• Fire Protection
• Environmental Monitoring
Technical Measures
• Logical Access Control
• Network Access measures
• Identification and Authentication devices
• Data Encryption
11. Final Policy
• The security policy is not the last and final word.
• It is a master plan that identifies the company's security concerns and is the first step towards building a secure infrastructure.
12. Anatomy of Security Policy
• Policy Statement
• Specific issues that the policy is addressing
• Best practices
• Policy Scope
• Policy details
• Mandatory practices
• Compliance requirements
• Procedure for implementation
• Essential Policies
• Validity
• Owner
• Review details
• Monitoring and reporting mechanism
• Annexure
14. SandZ Technologies
• Mainly provides online education in the domain of electronic design.
• E-mails in and out of the company are crucial and confidential.
• The e-mail policy reduces the risk of damage to the company's image and of loss of important information.
17. Implementation of Security Policies
• Conduct security awareness seminars, workshops and quizzes.
• Hold a Security Week for the organization.
• Prepare Do's and Don'ts of the security policy; distribute and display them.
• Create posters, stickers, t-shirts, mugs and mouse pads, all with security messages.
• Run slogan competitions.
• Perform security audits.
18. Conclusion
An ounce of prevention is worth a pound of detection and correction.