Global-level (tier 1) and topic-specific (tier 2) policies address policy on a broad level; they usually encompass the entire enterprise. The application-specific (tier 3) policy focuses on one specific system or application. As the construction of the organization information security architecture takes shape, the final element will be the translation of tier 1 and tier 2 policies down to the application and system level (tier 3).
Many security issue decisions apply only at the application or system level. Some examples of these issues include
◾ Who has the authority to read or modify data?
◾ Under what circumstances can data be read or modified?
◾ How is remote access to be controlled?
To develop a comprehensive set of tier 3 policies, use a process that determines security requirements from a business or mission objective. Try to avoid implementing requirements based on security issues and concerns. Remember, the security staff has been empowered to support the business process of the organization. Typically, the tier 3 policy is more free-form than tier 1 and tier 2 policies. As you prepare to create tier 3 policies, keep in mind the following concepts:
◾ Understand the overall business objectives or mission of the enterprise
◾ Understand the mission of the application or system
◾ Establish requirements that support both sets of objectives
Summary
In this chapter, we discussed that policy is the cornerstone of an organization’s information security architecture. A policy is important for establishing, both internally and externally, what an organization’s position on a particular topic is. We defined what a policy, a standard, a procedure, and a guideline are, and what should be included in each of these documents or statements (Figure 1.4).
Sample Security Policy
I. Purpose
To provide direction regarding the protection of Michigan State Specific Agency (MSSA) information resources from unauthorized access, modification, duplication, destruction or disclosure.
II. Application
This policy applies to all MSSA personnel including employees, interns, vendors, contractors, and volunteers. This policy pertains to all information resources used to conduct MSSA business or used to transmit or store MSSA Restricted or Confidential information.
An MSSA information resource includes information that is electronically generated, printed, filmed, typed, stored or verbally communicated. Information resources must be protected according to their sensitivity, criticality and value, regardless of the media on which they are stored, the manual or automated systems that process them, or the methods by which they are distributed.
III. Definitions
1. Information Resource—any information created, stored in temporary or permanent form, filed, produced or reproduced, regardless of the form or media. Information includes, but is not limited to
a. Personally identifiable information (PII)
b. Reports, files, folders, memoranda
c. Statements, examinations, transcripts
d. Images, and
e. Communications
Information resources also include any electronically based system configured for the collection, processing, transmission, and dissemination of MSSA information resources. This includes, but is not limited to, software, hardware, and equipment such as servers, mainframes, midrange systems, telecommunications hardware, routers, switches, and software applications.
2. Information Owner—the Director of an MSSA Division where the information resource is created, or who is the primary user of the information resource.
3. Business Owner—where multiple information owners for the same information resource occur, the information owners must designate a Business Owner who will have authority to make decisions on behalf of all the owners of the information resource.
4. Information Classification Categories—all MSSA information shall be classified by the information owner into one of three classification categories:
a. Restricted: This classification applies to information that is the most sensitive to MSSA and typically only a small number of personnel are authorized to view this type of information. The disclosure of this restricted information could have serious and damaging effects on MSSA and its partners. This type of information could include, but is not limited to, customer PII data (Social Security numbers, driver’s license numbers, credit card numbers, etc.), human resource data (Social Security numbers, medical information, etc.), financial data, administrative passwords, encryption keys, litigation, archaeological site location information, and strategic planning documentation.
b. Confidential: This classification refers to proprietary business information that is intended for use within MSSA for normal day-to-day responsibilities. Examples of this type of information could include, but are not limited to, policies, procedures, standards, business process flow diagrams, phone directories, organizational charts, archaeological collections, and documents labeled as confidential.
c. Public: This classification applies to information that is approved for public access or to data whose disclosure would have no negative effects on MSSA. Examples could include, but are not limited to, agency announcements, publicly published phone numbers and addresses, general information about archaeological sites (excluding locations), and press releases.
5. Reclassification—the information owner is to establish a review cycle for all information classified as Restricted or Confidential, and reclassify it when it no longer meets the criteria established for such information. This cycle should be commensurate with the value of the information but should not exceed 1 year.
6. Custodian—the individual or entity designated by the information owner that is responsible for maintaining safeguards established by the information owner.
7. Users—authorized personnel who are responsible for using and safeguarding the information resources under their control according to the directions of the information owner.
IV. Policy
MSSA information resources residing in the various agency divisions are strategic and vital assets belonging to the people of Michigan. These assets shall be available and protected commensurate with the value of the assets. Measures shall be taken to protect these assets against unauthorized access, disclosure, modification or destruction, whether accidental or deliberate, as well as to assure the availability, integrity, utility, authenticity, and confidentiality of information. Access to MSSA information resources shall be appropriately managed.
All MSSA personnel are accountable for their actions relating to information resources. Information resources shall be used only for intended purposes as defined by MSSA and consistent with applicable laws.
V. Responsibilities
1. The information owner has the responsibility to
a. Identify the classification level of all information resources within their division
b. Define and verify implementation of appropriate safeguards to ensure the confidentiality, integrity, and availability of the information resource
c. Monitor the safeguards to ensure their compliance and report instances of noncompliance
d. Authorize access to those who have a demonstrated business need for the information resource, and
e. Remove access to those who no longer have a business need for the information resource
2. The Custodian has the responsibility to
a. Implement integrity controls and access control requirements specified by the information owner
b. Advise the information owner of any major deficiency or vulnerability encountered that results in a failure to meet requirements
c. Comply with all MSSA-specific guidelines and procedures to implement, support, and maintain information security
3. The Users have the responsibility to
a. Access only the information for which they have been authorized
b. Use the information only for the purpose intended
c. Ensure that authenticating information (e.g., password) is in compliance with existing MSSA/SOM security standards
d. Maintain the integrity, confidentiality and availability of information accessed consistent with the information owner’s expectations while under their control
e. Comply with all MSSA/SOM-specific guidelines and procedures to implement, support, and maintain MSSA/SOM Information Security policies and standards
f. Report violations or suspected violations of policies and standards to the appropriate MSSA management or the MSSA Information Security Project Manager
Access to information resources will be granted by the information owner to those with an approved business need. (Refer to MSSA Information Security Access Control Policy.)
VI. Compliance
1. The MSSA Division Directors (information owner) shall:
a. Ensure there are adequate controls and separation of duties for tasks that are susceptible to fraudulent or other unauthorized activity
b. Manage MSSA/SOM information resources, personnel, and physical property relevant to MSSA’s mission, as well as the right to monitor the actual utilization of all MSSA/SOM assets
c. Ensure that all employees and contract personnel are aware of and accept their obligation to protect MSSA/SOM information resources
2. All authorized users (including but not limited to, agency personnel, temporary employees, and independent contractors) of MSSA information resources shall formally acknowledge that they will comply with the information security policies and procedures of MSSA or they shall not be granted access to information resources.
There are three types of policies and you will use each type at different times in your information security program and throughout the organization to support the business process or mission. The three types of policies are
1. Global (tier 1)—these are used to create the organization’s overall vision and direction
2. Topic-specific (tier 2)—these address particular subjects of concern. We will discuss the information security architecture and each category such as the following
3. Application-specific policies—these focus on decisions taken by management to control particular applications (financial reporting, payroll, etc.) or systems (budgeting system)