Security Program and Policies
Publisher:
Pearson
Binding: Paperback
Description
Everything you need to know about information security programs and policies, in one book.

* Clearly explains all facets of InfoSec program and policy planning, development, deployment, and management
* Thoroughly updated for today's challenges, laws, regulations, and best practices
* The perfect resource for anyone pursuing an information security management career

In today's dangerous world, failures in information security can be catastrophic. Organizations must protect themselves. Protection begins with comprehensive, realistic policies. This up-to-date guide will help you create, deploy, and manage them. Complete and easy to understand, it explains key concepts and techniques through real-life examples. You'll master modern information security regulations and frameworks, and learn specific best-practice policies for key industry sectors, including finance, healthcare, online commerce, and small business. If you understand basic information security, you're ready to succeed with this book. You'll find projects, questions, exercises, examples, links to valuable easy-to-adapt information security policies... everything you need to implement a successful information security program.

Sari Stern Greene, CISSP, CRISC, CISM, NSA/IAM, is an information security practitioner, author, and entrepreneur. She is passionate about the importance of protecting information and critical infrastructure. Sari founded Sage Data Security in 2002 and has amassed thousands of hours in the field working with a spectrum of technical, operational, and management personnel, as well as boards of directors, regulators, and service providers. Her first text was Tools and Techniques for Securing Microsoft Networks, commissioned by Microsoft to train its partner channel, which was soon followed by the first edition of Security Policies and Procedures: Principles and Practices. She is actively involved in the security community, and speaks regularly at security conferences and workshops. She has been quoted in The New York Times, Wall Street Journal, and on CNN and CNBC. Since 2010, Sari has served as the chair of the annual Cybercrime Symposium.

Learn how to:

* Establish program objectives, elements, domains, and governance
* Understand policies, standards, procedures, guidelines, and plans, and the differences among them
* Write policies in "plain language," with the right level of detail
* Apply the Confidentiality, Integrity & Availability (CIA) security model
* Use NIST resources and ISO/IEC 27000-series standards
* Align security with business strategy
* Define, inventory, and classify your information and systems
* Systematically identify, prioritize, and manage InfoSec risks
* Reduce "people-related" risks with role-based Security Education, Awareness, and Training (SETA)
* Implement effective physical, environmental, communications, and operational security
* Effectively manage access control
* Secure the entire system development lifecycle
* Respond to incidents and ensure continuity of operations
* Comply with laws and regulations, including GLBA, HIPAA/HITECH, FISMA, state data security and notification rules, and PCI DSS

Table of Contents

Chapter 1: Understanding Policy ... 2
Looking at Policy Through the Ages ... 3
The Bible as Ancient Policy ... 4
The United States Constitution as a Policy Revolution ... 5
Policy Today ... 5
Information Security Policy ... 7
Successful Policy Characteristics ... 8
The Role of Government ... 13
Information Security Policy Lifecycle ... 16
Policy Development ... 17
Policy Publication ... 18
Policy Adoption ... 19
Policy Review ... 20
Test Your Skills ... 22

Chapter 2: Policy Elements and Style ... 32
Policy Hierarchy ... 32
Standards ... 33
Baselines ... 34
Guidelines ... 34
Procedures ... 35
Plans and Programs ... 36
Policy Format ... 36
Policy Audience ... 36
Policy Format Types ... 37
Policy Components ... 38
Writing Style and Technique ... 48
Using Plain Language ... 48
The Plain Language Movement ... 49
Plain Language Techniques for Policy Writing ... 50
Test Your Skills ... 54

Chapter 3: Information Security Framework ... 64
CIA ... 65
What Is Confidentiality? ... 66
What Is Integrity? ... 68
What Is Availability? ... 69
Who Is Responsible for CIA? ... 72
Information Security Framework ... 72
What Is NIST's Function? ... 72
What Does the ISO Do? ... 74
Can the ISO Standards and NIST Publications Be Used to Build a Framework? ... 75
Test Your Skills ... 82

Chapter 4: Governance and Risk Management ... 92
Understanding Information Security Policies ... 93
What Is Meant by Strategic Alignment? ... 94
Regulatory Requirements ... 94
User Versions of Information Security Policies ... 94
Vendor Versions of Information Security Policies ... 95
Client Synopsis of Information Security Policies ... 95
Who Authorizes Information Security Policy? ... 96
Revising Information Security Policies: Change Drivers ... 97
Evaluating Information Security Policies ... 97
Information Security Governance ... 100
What Is a Distributed Governance Model? ... 101
Regulatory Requirements ... 104
Information Security Risk ... 105
Is Risk Bad? ... 105
Risk Appetite and Tolerance ... 106
What Is a Risk Assessment? ... 106
Risk Assessment Methodologies ... 108
What Is Risk Management? ... 109
Test Your Skills ... 113

Chapter 5: Asset Management ... 124
Information Assets and Systems ... 125
Who Is Responsible for Information Assets? ... 126
Information Classification ... 128
How Does the Federal Government Classify Data? ... 129
Why Is National Security Information Classified Differently? ... 131
Who Decides How National Security Data Is Classified? ... 133
How Does the Private Sector Classify Data? ... 134
Can Information Be Reclassified or Even Declassified? ... 135
Labeling and Handling Standards ... 136
Why Label? ... 136
Why Handling Standards? ... 136
Information Systems Inventory ... 139
What Should Be Inventoried? ... 139
Test Your Skills ... 145

Chapter 6: Human Resources Security ... 156
The Employee Lifecycle ... 157
What Does Recruitment Have to Do with Security? ... 158
What Happens in the Onboarding Phase? ... 165
What Is User Provisioning? ... 166
What Should an Employee Learn During Orientation? ... 167
Why Is Termination Considered the Most Dangerous Phase? ... 168
The Importance of Employee Agreements ... 170
What Are Confidentiality or Non-disclosure Agreements? ... 170
What Is an Acceptable Use Agreement? ... 170
The Importance of Security Education and Training ... 172
What Is the SETA Model? ... 173
Test Your Skills ... 177

Chapter 7: Physical and Environmental Security ... 188
Understanding the Secure Facility Layered Defense Model ... 190
How Do We Secure the Site? ... 190
How Is Physical Access Controlled? ... 192
Protecting Equipment ... 196
No Power, No Processing? ... 196
How Dangerous Is Fire? ... 198
What About Disposal? ... 200
Stop, Thief! ... 203
Test Your Skills ... 207

Chapter 8: Communications and Operations Security ... 218
Standard Operating Procedures (SOPs) ... 219
Why Document SOPs? ... 220
Developing SOPs ... 220
Operational Change Control ... 225
Why Manage Change? ... 225
Why Is Patching Handled Differently? ... 228
Malware Protection ... 230
Are There Different Types of Malware? ... 231
How Is Malware Controlled? ... 233
What Is Antivirus Software? ... 234
Data Replication ... 235
Is There a Recommended Backup or Replication Strategy? ... 235
Secure Messaging ... 237
What Makes Email a Security Risk? ... 237
Are Email Servers at Risk? ... 240
Activity Monitoring and Log Analysis ... 242
What Is Log Management? ... 242
Service Provider Oversight ... 245
What Is Due Diligence? ... 245
What Should Be Included in Service Provider Contracts? ... 247
Test Your Skills ... 252

Chapter 9: Access Control Management ... 264
Access Control Fundamentals ... 265
What Is a Security Posture? ... 266
How Is Identity Verified? ... 266
What Is Authorization? ... 270
Infrastructure Access Controls ... 272
Why Segment a Network? ... 272
What Is Layered Border Security? ... 273
Remote Access Security ... 277
User Access Controls ... 282
Why Manage User Access? ... 282
What Types of Access Should Be Monitored? ... 284
Test Your Skills ... 289

Chapter 10: Information Systems Acquisition, Development, and Maintenance ... 300
System Security Requirements ... 301
Secure Code ... 306
Cryptography ... 310
Test Your Skills ... 318

Chapter 11: Information Security Incident Management ... 328
Organizational Incident Response ... 329
What Is an Incident? ... 330
How Are Incidents Reported? ... 334
What Is an Incident Response Program? ... 335
What Happened? Investigation and Evidence Handling ... 340
Data Breach Notification Requirements ... 345
Is There a Federal Breach Notification Law? ... 347
Does Notification Work? ... 351
Test Your Skills ... 355

Chapter 12: Business Continuity Management ... 370
Emergency Preparedness ... 371
What Is a Resilient Organization? ... 372
Business Continuity Risk Management ... 374
What Is a Business Continuity Threat Assessment? ... 375
What Is a Business Continuity Risk Assessment? ... 376
What Is a Business Impact Assessment? ... 378
The Business Continuity Plan ... 380
Roles and Responsibilities ... 381
Disaster Response Plans ... 384
Operational Contingency Plans ... 387
The Disaster Recovery Phase ... 388
The Resumption Phase ... 391
Plan Testing and Maintenance ... 392
Why Is Testing Important? ... 392
Plan Maintenance ... 393
Test Your Skills ... 397

Chapter 13: Regulatory Compliance for Financial Institutions ... 408
The Gramm-Leach-Bliley Act (GLBA) ... 409
What Is a Financial Institution? ... 410
What Are the Interagency Guidelines? ... 412
What Is a Regulatory Examination? ... 423
Personal and Corporate Identity Theft ... 424
What Is Required by the Interagency Guidelines Supplement A? ... 425
What Is Required by the Supplement to the Authentication in an Internet Banking Environment Guidance? ... 427
Test Your Skills ... 431

Chapter 14: Regulatory Compliance for the Healthcare Sector ... 442
The HIPAA Security Rule ... 444
What Is the Objective of the HIPAA Security Rule? ... 444
Enforcement and Compliance ... 445
How Is the HIPAA Security Rule Organized? ... 445
What Are the Physical Safeguards? ... 455
What Are the Technical Safeguards? ... 458
What Are the Organizational Requirements? ... 461
What Are the Policies and Procedures Standards? ... 463
The HITECH Act and the Omnibus Rule ... 464
What Changed for Business Associates? ... 465
What Are the Breach Notification Requirements? ... 468
Test Your Skills ... 471

Chapter 15: PCI Compliance for Merchants ... 482
Protecting Cardholder Data ... 483
What Is the PCI DSS Framework? ... 486
Business-as-Usual Approach ... 487
What Are the PCI Requirements? ... 487
PCI Compliance ... 499
Who Is Required to Comply with PCI DSS? ... 499
What Is a Data Security Compliance Assessment? ... 500
What Is the SAQ? ... 502
Are There Penalties for Noncompliance? ... 503
Test Your Skills ... 505

Appendix A: Information Security Program Resources ... 516
National Institute of Standards and Technology (NIST) Special Publications ... 516
Federal Financial Institutions Examination Council (FFIEC) IT Handbooks ... 518
Department of Health and Human Services HIPAA Security Series ... 518
Payment Security Standards Council Documents Library ... 518
Information Security Professional Development and Certification Organizations ... 519
Appendix B: Sample Information Security Policy ... 520
Appendix C: Sample Information Systems Acceptable Use Agreement and Policy ... 568
Index
Details
Year of publication
2014
Binding
Paperback
Number of pages
648
ISBN
9780789751676
EAN
9780789751676
Country of production
PL
Manufacturer
GPSR Pearson Central Europe Sp. z o.o.
Price
266,00 zł