up

2020-01-29 - Policy

There is a full-ride scholarship available. Requires a year or more working for the DoD

read: the entropy police

TL;DR: Assessments lead to Policies which can be Audited

What is auditing

• testing something against a standard
• with evidence

Auditing vs Assessing

• Audit
  • There is a standard
  • Comparison of reality against the standard
  • ‘how do you know’ that something matches/doesn’t
  • Often includes assessing
• Assess
  • Subjective Measurement
  • Questions
    • What security issues exist?
    • How good/bad is something
    • What needs to be done to improve something

Assessments lead to Policies which can be Audited.

three-levels of auditing

• Policy
  • Is the policy effective
  • is it followed
• Procedure
  • how are things happening
• System / app level

What is a Policy

• Plan of action, influences decisions
  • “Administrative control”
• for effectivenmess:
  • Disseminated
  • read
  • understoofd
  • agreed to
  • enforced
• Must be maintained

Security Control Functions

• Deterrent
• Directive
• Preventative
• Detective
• Corrective
• Compensating
• Recovery

Policy vs Procedure

• Policy
  • What/why you can/can’t have/do
  • mostly based on some standard
  • “The employees can come in the building in the morning.”
• Procedure
  • who/what/when/how of policy
  • who does what when and how
  • “Greg shall unlock the doors at 7AM”

Policy examples

• Password policy
  • “12 characters or more”
• Email policy
  • “work-related email only”
• Sensitive Info Handling policy
• Anti-virus software policy

No USB sticks.

• “All user-level passwords must be changed at least every 6 months”

Procedure example

“The system administrator will ensure that the password are changed by blocking users offending the policy after n time expires”

read policies from RIT, from otheruniversities, ISPs, etc.

Enterprise infosec policy

• Sets strategic direction
• Assigns responsibilities for areas of security
• guides development, implementations, and management
• Owned by c-level
• Not in audit world
• includes
  • overview of corp philosophy
• example components
  • statement of purpose
  • sec elements
  • need for infosec

issue-specific sec policy

• detailed, targeted guidance
  • instructs in the secure use of the system
  • starts with explanation of how relates to enterprise
• protects orgs from inefficiency and ambiguity
• examples
  • email
  • server config
  • photocopy
  • clean-desk
  • no hacking
  • phone-use policy
• starts with statement of purpose