Planning Levels
Once the organization’s overall strategic plan is translated into strategic plans for each major division or operation, the next step is to translate these plans into tactical objectives that move toward reaching specific, measurable, achievable, and time-bound accomplishments. The process of strategic planning seeks to transform broad, general, sweeping statements into more specific and applied objectives. Strategic plans are used to create tactical plans, which in turn are used to develop operational plans.
Tactical planning focuses on undertakings that will be completed within one or two years. The process of tactical planning breaks each strategic goal into a series of incremental objectives. Each objective in a tactical plan should be specific and should have a delivery date within a year of the plan’s start. Budgeting, resource allocation, and personnel are critical components of the tactical plan. Tactical plans often include project plans and resource acquisition planning documents (such as product specifications), project budgets, project reviews, and monthly and annual reports. The CISO and security managers use the tactical plan to organize, prioritize, and acquire resources necessary for major projects and to provide support for the overall strategic plan.
Managers and employees use operational planning derived from tactical planning to organize the ongoing, day-to-day performance of tasks. An operational plan includes the necessary tasks for all relevant departments as well as communication and reporting requirements, which might include weekly meetings, progress reports, and other associated tasks. These plans must reflect the organizational structure, with each subunit, department, or project team conducting its own operational planning and reporting. Frequent communication and feedback from the teams to the project managers and/or team leaders, and then up to the various management levels, will make the planning process more manageable and successful.
Planning and the CISO
The first priority of the CISO and the information security management team is the creation of a strategic plan to accomplish the organization’s information security objectives. While each organization may have its own format for the design and distribution of a strategic plan, the fundamental elements of planning share characteristics across all types of enterprises. The plan is an evolving statement of how the CISO and various elements of the organization will implement the objectives of the enterprise information security policy (EISP), as you will learn later in this module.
As a clearly directed strategy flows from top to bottom, a systematic approach is required to translate it into a program that can inform and lead all members of the organization. Strategic plans formed at the highest levels of the organization are used to create an overall corporate strategy. As planning moves down the organizational hierarchy, the plans from higher levels are developed into more detailed, concrete plans: higher-level plans are translated into more specific plans for the intermediate layers of management. That layer of strategic planning by function (such as financial, IT, and operations strategies) is then converted into tactical planning for supervisory managers and eventually provides direction for the operational plans undertaken by non-management members of the organization. This multilayered approach serves two key objectives: first, general strategy is translated into specific strategy; second, overall strategic planning is translated into lower-level tactical and operational planning.
Information security, like information technology, must support more than its own functions. All organizational units will use information, not just IT-based information, so the information security group must understand and support the strategic plans of all business units. This role may sometimes conflict with that of the IT department, as IT’s role is the efficient and effective delivery of information and information resources, while the role of information security is the protection of all information assets.
Information Security Policy, Standards, and Practices
Management from all communities of interest, including general staff, information technology, and information security, must make policy the basis for all information security planning, design, and deployment. Policies direct how issues should be addressed and how technologies should be used. Policies do not specify the proper operation of equipment or software—this information should be placed in the standards, procedures, and practices of users’ manuals and systems documentation. In addition, policy should never contradict law; policy must be able to stand up in court, if challenged; and policy must be properly administered through dissemination and documented acceptance. Otherwise, an organization leaves itself exposed to significant liability.
Good security programs begin and end with policy. Information security is primarily a management problem, not a technical one, and policy is a management tool that obliges personnel to function in a manner that preserves the security of information assets. Security policies are the least expensive control to execute but the most difficult to implement properly. They have the lowest cost in that their creation and dissemination require only the time and effort of the management team. Even if the management team hires an outside consultant to help develop policy, the costs are minimal compared to those of technical controls.
Policy as the Foundation for Planning
Policies function like laws in an organization because they dictate acceptable and unacceptable behavior there, as well as the penalties for failure to comply. Like laws, policies define what is right and wrong, the penalties for violating policy, and the appeal process. Standards, on the other hand, are more detailed statements of what must be done to comply with policy. They have the same requirements for compliance as policies. Standards may be informal or part of an organizational culture, as in de facto standards. Or, standards may be published, scrutinized, and ratified by a group, as in formal or de jure standards. Practices, procedures, and guidelines effectively explain how to comply with policy.
Table 3-1 and Figure 3-3 show the relationships among policies, standards, guidelines, procedures, and practices. These relationships are further examined in the nearby feature.
Policies, Practices, Standards, Guidelines, and Procedures
The relationships among these terms, even when carefully defined, sometimes confuse the reader. The following examples are provided for assistance. Note that many organizations may use the terms differently and publish documents they identify as policy, which may be a combination of what this text defines as policy, standards, or procedures.
The initial statement of intent is the policy.
Policy: Employees must use strong passwords on their accounts. Passwords must be changed regularly and protected against disclosure.
The standard provides specifics to help employees comply with the policy.
Standard: Passwords must be at least 10 characters long and incorporate at least one lowercase letter, one uppercase letter, one numerical digit (0–9), and one special character permitted by our system (&%$#@!). Passwords must be changed every 90 days and must not be written down or stored on insecure media.
The practice identifies other reputable organizations and agencies that offer recommendations the organization may have adopted or adapted.
Practice: US-CERT recommends the following:
- Use a minimum password length of 15 characters for administrator accounts.
- Require the use of alphanumeric passwords and symbols.
- Enable password history limits to prevent the reuse of previous passwords.
- Prevent the use of personal information as passwords, such as phone numbers and dates of birth.
- Use a minimum password length of 8 characters for standard users.
- Disable local machine credential caching if not required through the use of a Group Policy Object (GPO).
- Deploy a secure password storage policy that provides password encryption.
Guidelines provide examples and recommendations to assist users in complying with the new policy.
Guidelines: In order to create strong yet easy-to-remember passwords, consider the following recommendations from NIST SP 800-118: “Guide to Enterprise Password Management” (draft), April 2009:
Mnemonic method—A user selects a phrase and extracts a letter of each word in the phrase (such as the first letter or second letter of each word), adding numbers or special characters or both.
Example: “May the force be with you always, young Jedi” becomes Mtfbwya-yJ
Altered passphrases—A user selects a phrase and alters it to form a derivation of that phrase. This method supports the creation of long, complex passwords. Passphrases can be easy to remember due to the structure of the password: It is usually easier for the human mind to comprehend and remember phrases within a coherent structure than a string of random letters, numbers, and special characters.
Combining and altering words—A user can combine two or three unrelated words and change some of the letters to numbers or special characters.
Finally, procedures are step-by-step instructions for accomplishing the task specified in the policy.
Procedures: To change your login password on our system, perform the following steps:
1. Log in using your current (old) password.
2. On your organizational portal home page, click the [Tools] Menu option.
3. Select Change Password.
4. Enter your old password in the first field and your new password in the second. The system will ask you to confirm your new password to prevent you from mistyping it.
5. The system will then report that your password has been updated and ask you to log out and log back in with your new password.
Do not write your new password down. If you own a smartphone, you may request that your department purchase an approved password management application like eWallet for storing passwords.
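The difference between the policy, the standard, and the guideline above becomes concrete when you try to enforce them: "strong passwords" (the policy) cannot be tested by a machine, but the standard's clauses (10 characters, one lowercase, one uppercase, one digit, one of &%$#@!, changed every 90 days) can. The following checker is an added example, not the textbook's code; it encodes those clauses and, as a caveat, shows that the guideline's own sample mnemonic password Mtfbwya-yJ does not meet the standard as written (no digit, and "-" is not a permitted special character). The compliant variant and the dates are constructed sample inputs.

```python
from datetime import date

# Encoding of the standard quoted on this page (constructed for this example).
MIN_LENGTH = 10
MAX_AGE_DAYS = 90
PERMITTED_SPECIALS = set("&%$#@!")   # the special characters the standard permits


def check_password_standard(password: str) -> list[str]:
    """Return the clauses of the standard that the password violates.

    An empty list means the password complies with every composition rule.
    The 'must not be written down' clause is not machine-checkable and is
    left to the procedure and to user awareness.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        violations.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        violations.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit 0-9")
    if not any(c in PERMITTED_SPECIALS for c in password):
        violations.append("no permitted special character (&%$#@!)")
    return violations


def password_expired(last_changed: date, today: date) -> bool:
    """Clause 'changed every 90 days': expired once the password is older than that."""
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # The guideline's mnemonic example, checked against the standard on the same page.
    sample = "Mtfbwya-yJ"
    print(sample, "->", check_password_standard(sample) or "compliant")

    # Constructed variant: the guideline's own advice ('adding numbers or special
    # characters') applied with a permitted character and a digit.
    fixed = "Mtfbwya#2yJ"
    print(fixed, "->", check_password_standard(fixed) or "compliant")

    # Constructed dates: 91 days is over the limit, 90 days is not.
    print(password_expired(date(2024, 1, 1), date(2024, 4, 1)))   # True
    print(password_expired(date(2024, 1, 1), date(2024, 3, 31)))  # False
```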
As stated earlier, many organizations combine their policy and standards in the same document and then provide directions or a Web link to a page with guidelines and procedures.
The meaning of the term security policy depends on the context in which it is used. Governmental agencies view security policy in terms of national security and national policies to deal with foreign states. A security policy can also communicate a credit card agency’s method for processing credit card numbers. In general, a security policy is a set of rules that protects an organization’s assets. An information security policy provides rules for protection of the organization’s information assets.
Management must define three types of security policy, according to SP 800-14 of the National Institute of Standards and Technology (NIST):
- Enterprise information security policies
- Issue-specific security policies
- Systems-specific security policies