hey please answer the questions in the screenshot the first 3 answers can be given to me at any time before the due date the earlier the better and for question 4 I will send two responses from following students so you can answer themPLEASE ASSIGN THE SAME WRITER WHO DID 63564 AND 62922
Instructions Security Policy Ed Moore Lecture Outline Faculty of Arts | Department of Security Studies and Criminology 2 What is a security policy? Case Study Steps for creating a security policy Information Technology Security Policy What is it? An Information Technology (IT) Security Policy identifies the rules and procedures for all individuals accessing and using an organization’s IT assets and resources. Effective IT Security Policy is a model of the organisation’s culture, in which rules and procedures are driven from it’s employee’s approach to their information and work A Security Policy is a unique document for each organisation Information Technology Security Policy What is it? The security policy should dictate what a company should do in day to date actions as well as when an event occurs Many of the major failures in the last decade stem from an inadequate security policy (or one that was not followed by employees) Information Technology Security Policy Designing a Security Policy Many organisations take a sample boilerplate template Unsuitable as it’s not tailored to the organisation An IT Security Policy should aim to preserve the CIA triad Confidentiality – Access of the data is only done by authorised users Integrity – Modification of the data is only done by authorised users Availability – Authorised users can access the data when they need to Information Technology Security Policy Steps for creating a security policy Start by researching What documents do you want to protect? What services are vital for the organisation? How sensitive is the data you are protecting? What is the scope of the policy? Check provided checklists (ISO 17799) Information Gathering Define Roles & Responsibilities Communicate Findings Write Policy Implement Policy Monitoring Information Technology Security Policy Step 1 – Research What level of granularity do you need in your policy? Who will you need buy-in from? Who will the owner of the security policy be? Could be a team leader inside the IT team, CIO or someone else What regulations (if any) apply to your organisation/industry? Finance (CPS234) Health (HRIP, GIPA) General Data Protection Regulation (GDPR) Who is the audience for the policy? What and how will this policy be reviewed? CPS234 – Regulations around security policy for financial institutions HRIP – Health Record and Information Privacy Act regulates how orgs store and manage data GIPA – Right to access data 7 Information Technology Security Policy ISO International Organization for Standardization (ISO) is an global organisation that publish standards for various industries They are seen as the go to for most industries including IT, building, food safety, environmental management even down to the construction of freight containers ISO17799:2005 sets standards for initiating, implementing, maintaining, and improving information security management in an organization This policy is a standard but cannot be “certified” ISO27001:2005 is an extension on ISO17799:2005 and an organisation can be certified for this standard Certification is done by an official certifying body Certification may be mandated by law based on industry Information Technology Security Policy CSP234 Specific for financial institutions Information security framework must be maintained in a manner that is consistent with the threats and vulnerabilities to which the entity is exposed All information assets must be managed and classified by their criticality and sensitivity. Information security controls are required to ensure that the entity can protect its information assets These controls must be tested through a testing program to ensure that they are effective Mechanisms must be in place to ensure that information security incidents are detected and responded to quickly. Plans must be in place that set out how the entity will respond to incidents Internal audits must review the effectiveness and the design of all information security controls 9 Information Technology Security Policy CSP234 APRA must be notified as soon as possible, but no later than 72 hours after an entity becomes aware of an information security incident If an entity discovers a weakness in its information security controls, it must notify APRA within 10 days of becoming aware of it. 10 Information Technology Security Policy HRIP Health Record and Information Privacy Act regulates how organisations must manage medical data Effects any organisation that collects, holds or uses health information Mostly hospitals, doctors and other health providers May also include universities that collect information for research Also includes scans such as retina prints and fingerprints Dictates how to perform a request for access Also states the maximum time to respond to these requests 11 Information Technology Security Policy GIPA Government Information Public Access (GIPA) is an act that dictates how information is managed by government organisations This includes public hospitals It highlights how to request information from a government organisation Similar to HRIP however this has government clauses added Like public interest considerations 12 Information Technology Security Policy GDPR General Data Protection Regulation (GDPR) is a regulation ratified by the EU which aims to protect the data of citizens inside the EU This regulation applies to any organisation within the EU Also applies to international organisations that offer goods and services or monitor the behaviour of individuals in the EU Australian businesses that may be covered by the GRPR include: an Australian business with an office in the EU an Australian business whose website targets EU customers for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros an Australian business whose website mentions customers or users in the EU an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes 13 Information Technology Security Policy GDPR The GDPR protects ’personal data’: ‘any information relating to an identified or identifiable natural person’ Additional restrictions apply when information contains is considered ‘special’ Racial or ethnic, political, religious, genetic data & health GDPR-complaint privacy policy Whenever you collect information, you must request consent 14 Information Technology Security Policy FTC Federal Trade Commission is an independent body of the US government who’s job is to enforce consumer protection They are seen as the body used to prevent anti-competitive and monopolies with an industry 15 Information Technology Security Policy Case Study: Cambridge Analytica Facebook allegedly provided identifiable information to a analysis company Cambridge Analytica (CA) CA is one of the more powerful analysis companies in the world The processing took place over 3 years before Facebook terminated their account They had apparently lied about deleting old harvested data Facebook allegedly never followed up with this Two reports broke detailing how CA used personal information taken without authorization from more than 50 million Facebook users in early 2014 to build a system that could profile individual US voters in order to target them with personalized political ads. Christopher Whylie, one of the professors who worked with CA was recorded saying: “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.” 16 Information Technology Security Policy Case Study: Cambridge Analytica “The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.” Of the 50 million profiles scraped (only 270,000 of which belonged to users who’d granted permission), roughly 30 million contained enough information, including places of residence, that the company could (at least theoretically) match users to other records and build “psychographic” profiles. 17 Information Technology Security Policy Case Study: Cambridge Analytica The FTC entered a 16 month process of attempting to fine Facebook Facebook having more resources than the FTC… They recently settling on the largest fine ever issued to a company… USD$5B There have been heavy criticisms of this as Facebook’s annual revenue was USD$55.8B in 2018 (increased from USD$7.87B in 2013) Many consider this a ”win” for Facebook as this is mealy a “slap on the wrist” for the company 18 Information Technology Security Policy Step 2 – Information Gathering Identify Assets Create a list of critical business processes From that list of processes, identify critical assets ISO 17799 provides a list of things to consider This is typically a very extensive list Identify threats What threats exist? How can they be exploited? Evaluate controls From each threat, look at what can be implemented to lessen the effect This is the basis behind performing a risk assessment 19 Information Technology Security Policy Step 3 – Define roles and Responsibilities Group employees based on their job and requirements Determine what access and permissions each department Balance between protection and productivity Use of the “least privilege” concept The idea that users should not have access they don’t need when performing their daily duties This concept means that a compromised account may not have access to higher level information 20 Information Technology Security Policy Step 4 – Communicate findings Communication to the relevant parties Anyone in the policy that is required to action anything Anyone who is effected by the policy Management of those staff Business owners Policies need to be enforce from the top down Highlight the risks and vulnerabilities Policy procedures must be approved by decision makers and representatives from all stakeholder groups If there are additional legal requirements, these will also need to be verified This step is about collaboration to get people on board and to ensure the policy is not created by one department dictating rules over the business 21 Information Technology Security Policy Step 4 – Communicate findings It is common for a IT team to struggle to get management to support and enforce a security policy This can occur for a number of reasons: Immediate Payoff Expensive and time consuming “Won’t happen to us” “Don’t fix what isn’t broken” So how can you get managers to care? Explain it in direct, financial terms Company reputation Career damage 22 Information Technology Security Policy Step 5 – Write the policy When writing the policy, start with a template from a reputable company (such as SANS, NIST, etc) The policy should build upon the findings and accepted recommendations to reduce the risks Use the SMART rule Specific Measurable Agreeable Realistic Time-bound You can also use other companies’ security policies to prompt your own Check compliancy with ISO 17799 23 Information Technology Security Policy Step 6 – Implementation Decide on a date that you will start the use of the policy Don’t rush, stick to it The document should be made available to all employees Signature of acceptance should be sought from all employees (especially those involved in it) Educating employees is important so they action the policy Seminars and awareness campaigns Security seminars Printed posters, email, etc Rolling implementation is an option where the policy is implemented into segments of the company progressively Implementations rarely go smoothly, keep this in mind as teething issues are common 24 Information Technology Security Policy Step 6 – Monitoring Monitoring for compliance is vital, especially for those in an industry where law demands it This may involve an external auditing team to ensure the policy is enforced Internal auditors are an alternative if the company has capacity for them Heavy fines for companies can be imposed if organisations do not meet standards There must be punishments attached to non-compliance otherwise employees have little incentive to be compliant Monitoring and review of the policy is also critical so that it stays relevant and up to date Employee turnover can cause large issues