CSOL-540, Operational Policy, Fall 2019
I learned Security Policy as part of the CSOL-540 Operational Policy course with Cameron (Thaine) Carter in Fall 2019, using two books:
Johnson, Robert. Security Policies and Implementation Issues, 2nd Edition. Burlington, MA: Jones & Bartlett Learning. 2015. ISBN-13: 9781284055993
Bosworth, Seymour; Kabay, Michel E.; and Whyne, Eric. Computer Security Handbook, Set, 6th ed. Hoboken, NJ: John Wiley & Sons, Inc., 2014. ISBN 978-1-118-12706-3.
The definition I'm providing here is a combination of what I understand about the Security Policy, what the book says about it, and the comments by my Professor.
A Security Policy is a high-level blueprint document for a given organization that translates the principles protecting its information, as that information goes through different phases, against risks that would lead to unauthorized access, use, disclosure, disruption, modification, or destruction. In practice, a security policy is a set of several documents. They outline the controls, actions, and processes an organization is to undertake. Example of a policy statement: employees are not authorized to install unapproved applications on any business-owned computer.
Now, we may be tempted to focus more on the realm of information when talking about security, but a security policy must also include protection principles for people and physical assets. For most of us, locking the front door before going to bed is second nature, but we may lack those same instincts when it comes to handling data. A security policy is one way to address this shortfall and start pushing individuals, especially in the context of a business, to learn new habits and a new culture as we increasingly face threats in the cybersphere.
As professor Carter put it, "Any organization that lacks an effective security policy is asking for trouble. Not only will the organization be unprepared for cyberattacks, but it will also likely suffer lawsuits and fines for the lack of due care. Drafting and implementing a security policy, however, is a complicated process. It requires inputs from all across the organization and serious buy-in by senior management, but security professionals are typically the ones responsible for putting the whole thing together".
Laws, Regulations, Standards
To be compliant, an organization needs to know the laws, regulations, and standards affecting its business, which depend on the area of business in which it operates. In this page, I will take as an example a covered entity, or health care business. A covered entity is an organization that handles health information according to the government classification, and it is obligated to conform with ePHI protection laws. I will start by giving definitions of laws, regulations, and standards, to better understand the context in which they apply and avoid confusion, before moving ahead with some examples of laws a covered entity is expected to comply with.
Laws are written statutes passed by the US Congress or state legislatures. Laws typically spur action to create regulations and standards. For example, HIPAA led HHS to create regulations.
Regulations are mandatory rules or standards adopted by government administrative agencies to interpret, implement, and enforce laws. Regulations are legally enforceable.
Standards from government agencies are voluntary rules; if a standard is made mandatory, it becomes a regulation. Standards from private organizations may be mandatory or voluntary rules.
There are three types of security controls: administrative, physical, and technical. Administrative and physical controls are non-cryptographic controls, while cryptographic controls fall under technical controls. Administrative security controls are mostly about policies and procedures, while physical security controls manage the physical security of business premises. In the context of this document, I will limit my comments to the use of technical controls.
The quality of the security controls that are built depends on an understanding of the threats, vulnerabilities, and risks. The security controls to apply include physical, administrative, and technical ones. The following are four examples of laws, regulations, or standards a covered entity should follow: HIPAA, HITECH, PCI-DSS, and the California IPA if operating in California.
The Health Insurance Portability and Accountability Act of 1996, HIPAA, is a law passed by the US Congress and signed into law in 1996 by President Bill Clinton. Its privacy regulations stipulate requirements for the use, disclosure, and dissemination of personally identifiable healthcare information, as well as patient rights. Its security controls include administrative, physical, and technical ones. On the technical side, encryption and Message Authentication Codes (MACs) are among the controls that need to be implemented to comply with the law. Encryption ensures confidentiality, and a MAC provides data integrity and authentication.
According to Pham, “HIPAA mandates that organizations must implement a mechanism to encrypt electronic protected health information, ePHI, whenever deemed appropriate. Protecting ePHI at rest and in transit means encrypting not only data collected or processed but also data stored or archived as backups” (2013). By the same token, the rules specify that health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form “must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit” (n.d.).
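As an added example of the integrity and authentication side of the HIPAA technical controls discussed above (this is my own illustration, not code from the course texts or from HHS): a keyed MAC (HMAC-SHA256) computed over each archived ePHI record and stored in a backup manifest, then re-checked on restore. The key, record identifiers, and record contents are constructed for the demonstration; the encryption step that would provide confidentiality is assumed to happen separately and is not shown.

```python
# Added example: HMAC tags over backup records, verified on restore.
# Key and records below are constructed for illustration only.
import hmac
import hashlib

# Constructed demonstration key; a real deployment would load it from a
# key management system, never from source code.
DEMO_KEY = b"constructed-demo-key-replace-in-production"

# Constructed ePHI backup records (record id -> archived bytes).
DEMO_RECORDS = {
    "patient-0001": b"name=J. Doe;dob=1970-01-01;dx=I10",
    "patient-0002": b"name=A. Roe;dob=1985-06-30;dx=E11",
}


def mac_tag(key, record_id, data):
    """HMAC-SHA256 over the record id and its contents.

    Binding the id into the tag means a valid tag cannot simply be moved
    onto a different record (swapping two archived files is detected).
    """
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(record_id.encode("utf-8"))
    h.update(b"\x00")          # separator so id and data cannot run together
    h.update(data)
    return h.hexdigest()


def build_manifest(key, records):
    """Produce the manifest stored alongside the backup: id -> hex tag."""
    return {rid: mac_tag(key, rid, data) for rid, data in records.items()}


def verify_backup(key, manifest, records):
    """Check every record against the manifest.

    Returns id -> one of "ok", "tampered", "missing", "unexpected".
    hmac.compare_digest is used so the comparison takes constant time.
    """
    results = {}
    for rid, expected in manifest.items():
        if rid not in records:
            results[rid] = "missing"
            continue
        actual = mac_tag(key, rid, records[rid])
        results[rid] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
    for rid in records:
        if rid not in manifest:
            results[rid] = "unexpected"   # record with no tag at all
    return results


if __name__ == "__main__":
    manifest = build_manifest(DEMO_KEY, DEMO_RECORDS)
    print("clean restore:", verify_backup(DEMO_KEY, manifest, DEMO_RECORDS))
    altered = dict(DEMO_RECORDS)
    altered["patient-0002"] = b"name=A. Roe;dob=1985-06-30;dx=E10"
    print("altered record:", verify_backup(DEMO_KEY, manifest, altered))
```

A manifest built with one key can only be verified with the same key, so the tags also authenticate that the backup was produced by a holder of that key, which is the authentication property the text attributes to a MAC.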
HITECH, the Health Information Technology for Economic and Clinical Health Act, dealt with creating a standard for PHI records so that the records could easily be transmitted via computer and shared between different providers and organizations.
The Payment Card Industry Data Security Standard, PCI-DSS, is a mandatory standard that HIC must comply with for credit card processing. I assume HIC will be processing credit card transactions for those patients who make their payments using credit cards.
Information Practices Act – Civil Code §§ 1798 – 1798.78. This law expands on the constitutional guarantee of privacy by providing limits on the collection, management, and disclosure of personal information by state agencies.
wpadmin (2013, July 24). Encrypting Backup Data for HIPAA and PCI Compliance. Retrieved from Otawa website.
HHS (n.d.). Summary of the HIPAA Security Rule. Retrieved from U.S. Department of Health & Human Services website.
Data Classification and Security Policy Models
All organizations, small, medium, and large, deal with a huge and diverse amount of information. It is virtually unfeasible for an organization to label that entire flow of information and expect to be successful. Not only is it expensive, it is also less efficient. Businesses need to classify their information and apply a label based on the sensitivity of the data for their security policy implementation to be effective.
We are tempted to believe that there is often little scientific and engineering rigor in security best practices; after all, how can we apply scientific or mathematical logic to data security? That is not true. There is a science of security. Formal security policy models are mathematical references, and the security of a system can be abstractly represented by these formal models. The U.S. Government classification scheme, which uses the language of Top Secret, Secret, and so forth, can be described by a formal policy model.
There are different types of formal models, among them the Bell-LaPadula model and the Biba model. Biba is for integrity, while Bell-LaPadula is good for data confidentiality. The government makes use of Bell-LaPadula for classification systems using labels such as Unclassified, Confidential, Secret, and Top Secret. These classes are referred to as levels. A user, process, or anything else that needs access to given data is referred to as a subject. For a subject to access data, it must be cleared to that level; this is its security clearance. The data to be accessed is referred to as an object. An object is classified at a level, which is called its security classification.
I can cite other policy models, such as Clark-Wilson, which deals with separation of duty and transactions, and Chinese Wall, which deals with conflict of interest. Other models include the Role-based policy model, where access to information depends on job function (principle of least privilege); the Discretionary Access Control (DAC) model, where access depends on identity; and Mandatory Access Control (MAC), where access to information depends on user clearance and information classification.
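To make the Bell-LaPadula and Biba rules above concrete, here is an added example of my own (not code from the course texts) that encodes both models as access decisions over ordered levels. The confidentiality levels are the government labels named in the text; the integrity level names and the sample subjects are constructed for the illustration.

```python
# Added example: mandatory access control decisions under Bell-LaPadula
# (confidentiality) and Biba (integrity). Integrity level names and the
# sample subjects/objects are constructed for illustration.

# Confidentiality levels from the text, ordered low to high.
CONF_LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# Constructed integrity levels for the Biba example, ordered low to high.
INTEGRITY_LEVELS = {"Untrusted": 0, "User": 1, "System": 2}


def _rank(level, scale):
    if level not in scale:
        raise ValueError("unknown level: %r" % (level,))
    return scale[level]


def blp_allows(subject_clearance, object_classification, op):
    """Bell-LaPadula: a subject may not read an object above its clearance
    (simple security property, "no read up") and may not write to an object
    below its clearance (*-property, "no write down"), so classified data
    cannot leak to a lower level."""
    s = _rank(subject_clearance, CONF_LEVELS)
    o = _rank(object_classification, CONF_LEVELS)
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError("op must be 'read' or 'write'")


def biba_allows(subject_integrity, object_integrity, op):
    """Biba: the dual of Bell-LaPadula for integrity. A subject may not read
    an object of lower integrity ("no read down") and may not write to an
    object of higher integrity ("no write up"), so untrusted data cannot
    contaminate trusted data."""
    s = _rank(subject_integrity, INTEGRITY_LEVELS)
    o = _rank(object_integrity, INTEGRITY_LEVELS)
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError("op must be 'read' or 'write'")


def decision_table(model):
    """Enumerate every (subject level, object level, op) combination for a
    model and return the set of permitted accesses, which is a convenient
    way to review the whole policy before deploying it."""
    if model == "BLP":
        check, scale = blp_allows, CONF_LEVELS
    elif model == "Biba":
        check, scale = biba_allows, INTEGRITY_LEVELS
    else:
        raise ValueError("model must be 'BLP' or 'Biba'")
    return {(s, o, op)
            for s in scale for o in scale for op in ("read", "write")
            if check(s, o, op)}


if __name__ == "__main__":
    # Constructed subject: an analyst cleared to Secret.
    for obj in CONF_LEVELS:
        for op in ("read", "write"):
            print("BLP  Secret %-5s %-12s -> %s" % (op, obj, blp_allows("Secret", obj, op)))
```

Note that Bell-LaPadula lets a Secret subject write to a Top Secret object (it cannot read it back, but writing upward leaks nothing), which is why real systems usually pair the model with integrity controls such as Biba or with a Clark-Wilson style transaction model.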
Northwell Health (2016, April 4). Administrative Policy and Procedure Manual. Retrieved from Northwell Health website (PDF).
Bosworth, Seymour; Kabay, Michel E.; and Whyne, Eric. Computer Security Handbook, Set, 6th ed. Hoboken, NJ: John Wiley & Sons, Inc. 2014.
Implementation, Enforcement, and Compliance Plan Summary
After a Security Policy is developed, it is time to move forward with its implementation, its enforcement, and its compliance mechanisms. A security policy is good, but if it is not implemented, not complied with, or not enforced, then working on that policy in the first place was a waste of time and money. Since a security policy is for all the stakeholders and its application is so consequential, leaders are to be involved heavily from the very beginning of its development, and that involvement must be visible throughout. They should also be the first to observe all the items prescribed in the policy and lead by example, as this is critical to compel or encourage the rest of the employees to follow suit.
- Awareness training is to be conducted at least once per year. The following must be taken into account for well-rounded awareness:
  - New employees and contractors: to be done at the time of hire, before access to data is granted
  - Promotion: as employees are promoted to higher roles, security awareness must be provided
  - All users: at least once per year, all employees should be reminded of the policy via training
  - Post-incident: after a major security incident has occurred, or when a misunderstanding has been noticed
- Provide individuals with employee awareness and training to ensure they are equipped with the knowledge and skill needed to implement the security policies.
- Make awareness activity an ongoing effort that reinforces key concepts of the security policies, as it sets the tone and goals for security policy implementation.
- Initiate training that focuses on mechanics: what is expected to be done and when. Encourage a member of the leadership team to kick off the training.
- Make employees sign the Acceptable Use Policies.
- Select and use multiple methods to disseminate security policy messages and materials.
- Initiate a communication plan that outlines what information is to be shared.
- Use hard copy sparingly for the dissemination of the security policy, as it is costly and less effective.
- Leverage the use of emails and company intranet for the dissemination of communications.
Monitoring and Reporting
- As much as possible, leverage automated security controls, as human judgment is expensive and inconsistent. Examples: authentication methods, authorization methods, data encryption, event logging.
- Where automation is not possible and human judgment is required, use manual controls. Examples: background checks, log reviews, access rights reviews.
- Properly retain records as required by state and/or federal laws to avoid costly fines.
- Executive management, under the Information Security Organization, is held accountable for controlling risks; therefore, a CISO/CIO is in charge of leading the implementation, compliance, and enforcement of the security policy for the organization.
- Stay transparent and make the best effort to communicate accurately and often.
- Leverage tools (e.g., Intrusion Detection Systems, IDS) that are effective in keeping HIC abreast of changing risks, inventorying systems, and checking configuration against policies.
- Build security baselines and apply them to the security policies. Example: configure the servers to use AD to authenticate, and ensure that passwords meet the standard requirements.
- Verify compliance using different methods: automated systems (for example, the security policy may dictate that specific protocols are removed or specific services are disabled, which tools such as MBSA, SCCM, and Nessus can check) as well as random audits of departmental compliance.
- Use a formal process for tracking, monitoring, and reporting configuration change requests to avoid compliance violations; these changes are then reviewed by key players in the organization.
- Use group policy wherever possible.
- Collaborate across business areas, overcommunicate, and build change into a predictable schedule and set of resources to mitigate the risk of conflicts due to changes. For example, send reminder emails to both approvers and stakeholders.
- Implement the use of version control for security policy.
- Leverage the use of emerging and existing technologies to ensure compliance. Examples include SCAP (this includes CVE, CVSS), or WBEM, Digital Signing, and SNMP.
- Quarantine systems that are out of compliance.
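The baseline, compliance-verification, and quarantine items in the list above fit together as one automated check. The following is an added example of my own (not code from the course texts, and not any of the tools named above, such as MBSA, SCCM, or Nessus) that parses a constructed inventory export, compares each host against a baseline derived from policy statements (AD authentication, minimum password length, forbidden and required services), and flags hosts that should be quarantined. The inventory format, baseline values, and host data are all constructed for the illustration.

```python
# Added example: verifying hosts against a policy-derived security baseline.
# Baseline values, inventory format and host data are constructed.

# Constructed baseline encoding the policy statements.
BASELINE = {
    "auth_source": "AD",          # servers authenticate against Active Directory
    "password_min_length": 12,    # policy minimum
    "forbidden_services": {"telnet", "ftp"},
    "required_services": {"audit"},
}

# Constructed inventory export: key=value lines, hosts separated by blank lines.
SAMPLE_INVENTORY = """\
hostname=web01
auth_source=AD
password_min_length=14
services=ssh,http,audit

hostname=legacy02
auth_source=local
password_min_length=8
services=ssh,telnet,http

hostname=db03
auth_source=AD
password_min_length=12
services=ssh,audit
"""


def parse_inventory(text):
    """Turn the export into a list of per-host dicts."""
    hosts, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                hosts.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        hosts.append(current)
    return hosts


def check_host(host, baseline=BASELINE):
    """Return a list of (severity, message) findings for one host."""
    findings = []
    if host.get("auth_source") != baseline["auth_source"]:
        findings.append(("high", "auth_source is %s, policy requires %s"
                         % (host.get("auth_source"), baseline["auth_source"])))
    try:
        min_len = int(host.get("password_min_length", "0"))
    except ValueError:
        min_len = 0   # unparseable value is treated as non-compliant
    if min_len < baseline["password_min_length"]:
        findings.append(("medium", "password_min_length %d below policy minimum %d"
                         % (min_len, baseline["password_min_length"])))
    services = {s for s in host.get("services", "").split(",") if s}
    for svc in sorted(services & baseline["forbidden_services"]):
        findings.append(("high", "forbidden service enabled: %s" % svc))
    for svc in sorted(baseline["required_services"] - services):
        findings.append(("medium", "required service missing: %s" % svc))
    return findings


def needs_quarantine(findings):
    """Policy decision: any high-severity finding takes the host off the
    network until it is remediated."""
    return any(sev == "high" for sev, _ in findings)


def compliance_report(text, baseline=BASELINE):
    """Map hostname -> {"findings": [...], "quarantine": bool}."""
    report = {}
    for host in parse_inventory(text):
        findings = check_host(host, baseline)
        report[host["hostname"]] = {"findings": findings,
                                    "quarantine": needs_quarantine(findings)}
    return report


if __name__ == "__main__":
    for name, result in compliance_report(SAMPLE_INVENTORY).items():
        print(name, "QUARANTINE" if result["quarantine"] else "ok")
        for sev, msg in result["findings"]:
            print("   [%s] %s" % (sev, msg))
```

Keeping the baseline as data rather than hard-coded checks means a policy change (say, raising the minimum password length) is a one-line edit that can itself go through the version-controlled change process the list recommends.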
Johnson, Robert. Security Policies and Implementation Issues, 2nd Edition. Burlington, MA: Jones & Bartlett Learning. 2015. ISBN-13: 9781284055993
As someone aspiring to become a cybersecurity professional, an understanding of security policy is an absolute necessity, as it carries a lot of weight in the context of applying cybersecurity principles. Without going through a learning session as I did in CSOL-540, I would lack that understanding and the value it brings to the professionalism aspect of information security. A security policy does not change very frequently after it is in place, but a cyber professional has an implied obligation to check its consistency and suggest updates when deemed necessary. Not only does it demonstrate the professional level that sets us apart from regular users, but ethically, it increasingly equips the cyber professional with the background needed to make the right choice in situational dilemmas.
The reason is that cybersecurity, while it has been around for a while, is not as old as other fields; therefore, a lot of room for improvement is still there to uncover. As a new discipline, there will be instances where no process has been documented in the security policy to handle a particular, unfamiliar situation. In such circumstances, the professionalism of cybersecurity personnel and their ethical values will be big contributing factors.
For the most part, businesses are now investing more and more in cybersecurity in the hope of reducing the risk of getting their data compromised, governments are coming up with new laws and regulations, and private entities are suggesting standards, yet stories of hacks, data breaches, and so forth do not subside. A cyber professional should be aware of this reality, act professionally, and be ethically sound, as they are on a mission to protect data for people, businesses, governments, and many other organizations.
Reflecting on the time spent during this class and going through projects to sharpen my knowledge, I was not aware of the need for a security policy in organizations, especially when exposing their business to the world via the Internet, let alone its importance. I have learned that, just as there are rules for driving a car, building houses, or treating patients, handling data has rules too. And the professional aspect plays a big role in promoting a security-aware environment and mindset, be it at home, in the office, or in any other setting. The instincts we developed over the years about locking doors before going to sleep should be developed for data as well, and we should start living them, so that the risks to which data are exposed are mitigated.
Just as it is common in the medical field for health practitioners to take the Hippocratic oath, so should cyber professionals take that kind of oath, so they are reminded of the gravity of the responsibilities they are about to take on, as they are required to maintain a great degree of ethical values. As we know, the sources of attacks are many, and some are insider threats, meaning those who have access to confidential data within an organization; cyber professionals should maintain a degree of professionalism, integrity, and ethical propriety to rise above this realm of possibility.