Reclassification

By Michele Snyder, 2014-12-20 00:03

    State of Nebraska

    Information Security Systems (ISS)

    Security Officer Instruction Guide

    “A complete, easy-to-use instruction guide on how to use templates to develop and implement a successful ISS program.”

    December 31, 2001


    State of Nebraska

    Information Security Guidelines

    These Information Security Templates and Guides were developed by the Security Architecture Workgroup under a project funded by the Chief Information Officer and the Nebraska Information Technology Commission.

    Additional information about these documents can be found at: http://www.nitc.state.ne.us/tp/workgroups/security/index.htm

    Security Officers Instruction Guide

    Version 1.0

    December 31, 2001

    Prepared by:


    Table of Contents

    Chapter 1 Getting Started
        The Importance of an ISS Program
            Securing Information in the Digital Age
            What makes up a good ISS Program?
        About your ISS Project
        About the ISS Template Package
            What are Information Security Templates?
            What makes up the Template Package?
                Technology Dependent
            Information Security Template Characteristics
                Assumptions
            Information Security Template Requirements
            Initial vs. Existing Guides
                Using the Template for Initial Setup
                Using the Template to Update an Existing Manual
            ISS Policies and Procedures
                Policies, Standards, and Rules
                Procedures
        About the Security Officer Instruction Guide
            About this Guide
            Security Officer Policies and Rules
            The Template Process
                Assemble a Security Team
                Conduct Business Impact Analysis
                Publish Rules (using the templates)
                Implement an Incident Program
                Implement an Awareness Program

    Chapter 2 Assemble a Security Team
        The Security Team
            Security Day-to-Day
            Security Advisory Committee(s)
            Incident Response Team
            The Security Officer
                Appointing the Security Officer
                The Activities of the Security Officer
                Security Officer Training
        Security Staff
            Security and the IS Department
            Security Guards
            Copyright Contact
        Security Auditors
            Security Audits
                What should you audit?
            Daily Audit/Tracking Logs

    Chapter 3 Conduct Business Impact Analysis
        About Business Impact Analysis
            Business Impact Analysis Process
                The Business Impact Analysis Process
                The Qualitative Approach
        Information Technology Inventory
            What are Information Assets?
                Asset Types
                About Each Asset
        Classifying Information Assets
            What is classifying information?
            Application vs. General Systems
                What should you protect?
            Security Classification Levels
                Classification Levels
            Reclassification
        Assigning Values to Assets
            About Asset Values
            Calculating the Loss Impact
                Loss Impact Calculation(s)
                Integrity Scale
                Unavailability Scale
                Disclosure Scale
                Cost $ to Replace
            Calculating the Value
                Value Calculation
        Threats and Risks to Assets
            Asset Threats
                Threat Types
                Threat Likelihood
                Threat Impact
            Asset Risks
                Calculating the Risk Factor
                Risk Factor Calculation
                Acceptable Risk Rating
        Safeguards and Assets
            What are Safeguards?
                Safeguard Types
                Assigning Safeguards
                Recalculate the Risk Factor
                Assume the Residual Risk
                Safeguard Costs
            Implementing and Testing Safeguards
            Safeguard Tools

    Chapter 4 Publishing the Rules
        About Publishing ISS Rules
        Using the Templates to Publish your Rules
        Writing in the Templates
            Communication and Addressing your Audience
            Template Design and Organization
                Modular Documentation
                How are the Rules Organized?
            Updating Text
            Technology Dependent Areas
            Template Mechanics
                MS Word Features Used
            Underlined Words
        Rule Statements
            Maintaining Rules
                Adding a Rule
            Rule Formats
                Condensed Format
                Full Format
                Full Format Rule Fields
            Assigning Priorities to Rules
            Template Parameters { }
        Completing the Templates
            About Completing the Templates
            The Sections of the Template(s)

    Chapter 5 Implement an Incident Program
        What is an Incident Program?
        Suspicions and Incidents
            Suspicions and Incidents
        Prevention
        Detection
            Intrusion Detection Methods
            Tracking Intrusions
                Incident Patterns
        Response/Reaction
            Your Incident Response Team
                Incident Response Centers
            Catastrophic Event
            Secured Area Intrusion
            Virus Reporting
            Electronic Intrusion
            Unauthorized Access Intrusion
            Notifying the Intruder: yes or no?
            Web Site - Contact Information
            Notifying Employees of Incidents
            Evidence
                Collecting Evidence
                Preserving Evidence
            Incident Response
                Gather Evidence … Report it … and Be Prompt!
                Internal Response
                Centralized Response
                External Response
            Investigating Incidents
                Conducting Internal Investigations
            Documenting the Incident
                Incident Reporting Form
                Incident Reporting Retention
            Incident Follow Up
                Enforcement
                What if an employee violates a Rule?
                Legal Responsibility
            Incident Handling

    Chapter 6 Implement an Awareness Program
        What is ISS Awareness?
            Awareness Briefings
            Continuous Awareness Materials
        What is an Awareness Program?
            Incorporating your Awareness Program
                Security is Everyone’s Business
                Awareness Applies to Everyone
                Security and Performance Reviews
                Mandatory Awareness Training
                Signed Agreements
        What makes up an Awareness Program?
            Awareness Campaign
                Campaign Mottoes/Themes
                Campaign Ideas
            Awareness Materials
            Awareness Training
                Training Purpose
                Training Logistics
                Other Special Training Topics
                Training Audience
                    Management
                    Computer User (permanent staff)
                    Computer User (temporary staff)
                    Contractors, Agents, Auditors and non-Employees
                    Technical Staff/Management
                    Security Officer/Staff

    Chapter 7 Getting Help with the ISS Program
        About Getting Help
            Call for Support (?)
            Troubleshooting the Template

    Appendix
        Appendix B - NITC Security Architecture Document
        Appendix C - Reference List

    Index


    Chapter 1

    Getting Started

    The Importance of an ISS Program

    Information Systems Security (ISS) has become increasingly important to organizations across all industries worldwide. ISS is much more than computer system security: it is the process of protecting all of an organization's intellectual property. Every business operation depends on information systems, so those systems must be evaluated and protected accordingly.

    The purpose of this guide is to help security professionals implement an ISS program throughout their organization. It provides the instruction and materials necessary to roll out an awareness program and to publish a set of security policies and procedures. It is independent of any particular technology, but gives you the structure in which to customize and enter your own technical details.

Securing Information in the Digital Age

    The business environment is constantly changing. Relationships with other companies and outside affiliates, together with worldwide access, have made the technology required to meet current and future needs very complex.

    Information takes many forms. It may be stored on computers, transmitted across networks, printed or written on paper, and spoken in conversations. Information and information technology systems are assets of vital importance to the institutions and government agencies, and may impact each legislator, administrator, faculty member, student, or patron that provides or relies upon their services.
