Written Information Security Plan (WISP)
BRYANT UNIVERSITY
Written Information Security Plan (WISP)
Author: Office of Information Services
Last Review Date: 6/5/2012
Version 2.0
DOC NO. IS-MGT-03B

Executive Summary

This document details Bryant University’s Written Information Security Plan (WISP). The WISP sets forth university procedures for evaluating electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting university information assets and technology resources. The goal is consistent delivery across all departments. Adoption of the WISP ensures that the university implements effective security controls that safeguard university information, business processes, applications, and infrastructure.

TABLE OF CONTENTS

1. Background and Introduction (page 3)
2. Guidelines (page 3)
3. Plan Coordination (page 3)
4. Security Goals & Objectives (page 3)
5. WISP Framework (page 4)
6. Security Controls (page 5)
7. Information Security Programs (page 5)
8. Security Governance (page 6)
9. Security Metrics (page 7)
10. Security Lifecycle (page 7)

VERSION CONTROL

Version 1.0 – Draft – for Approval: 5/14/2012
Version 2.0 – Incorporated comments from IS department level review: 6/5/2012
1. Background and Introduction

External and Internal Threats

Attackers continue to take advantage of the rapid pace of technology for financial gain, including theft of intellectual property. The latest threats aggressively target multiple resources to ensure successful exploitation. Single, public-facing resources are no longer the greatest risk. Instead, every employee and endpoint is a potential point of entry. Combinations of vulnerability exploits, spam, phishing, malicious URLs and social engineering are easier to obfuscate, automate, and deploy than ever before.

The Written Information Security Plan (WISP) is intended to promote the protection of the confidentiality, integrity, availability, and accountability of the University’s information assets by instituting sound information security controls throughout the University. In addition to this Plan, other University policies on data confidentiality and safeguarding may apply to specific data, computers, and computer systems provided or operated by University departments.

The objective is to enable university businesses, students, employees, faculty, partners and customers to conduct research or business and to exchange information and ideas in a secure environment where risk is carefully managed and protection of assets is both comprehensive and pervasive. This Plan applies to everyone who uses, maintains or manages University business processes, applications and infrastructure.

2. Guidelines

The Office of Information Services (OIS) will set electronic guidelines for the safeguarding of University information that is in electronic format. OIS will maintain and provide access to policies and procedures that are designed to safeguard against anticipated threats to the security or integrity of University information, in either electronic or other formats, and to guard against the unauthorized use of University information.
Each relevant University business unit is responsible for securing protected student, financial and educational records located in its unit in accordance with this Plan and all other University policies and applicable laws. Each relevant University business unit must develop and maintain a plan that details the safeguards and security procedures for information located in its unit. Each relevant University business unit will make its security plan available to OIS upon request.

3. Plan Coordination

The University employees designated for the coordination and execution of the Plan are the Information Security Officer (ISO) for the Office of Information Services and representatives from divisional units that serve as the Information Security Program Committee (ISPC). The Plan will be evaluated periodically and adjusted as necessary in light of relevant circumstances, including changes in the University’s business arrangements or operations, or as a result of testing and monitoring the safeguards. The ISO and ISPC will work collaboratively in developing and overseeing an effective security program that ensures appropriate information security controls are in place and effective across the University.

4. Security Goals and Objectives

The security program has the following key goals:

1. Develop and communicate a comprehensive security framework and strategic programs under the WISP framework:
   • Meet business, technical, operational and regulatory requirements of the University;
   • Protect from threats against information and IT resources;
   • Based on the security principle of Defense in Depth: a methodology based on applying multiple defense mechanisms in layers across the enterprise to protect internal data, systems, networks, and users. This strategy is effective at providing security assurance, cost efficient, scalable, adaptive to changing threats, and proven to work.
2. Align with industry best practices [ISO 27002 Code of Practice].
3. Manage security throughout its lifecycle.
4. Integrate security and compliance into “normal” operations.
5. Identify/assign/acquire appropriate resources and investments (tools, technology, training, staffing) to implement and maintain the security programs.
6. Develop a WISP implementation roadmap for the University inclusive of all departments. Review and receive approval from the President’s Cabinet for implementing security programs across all divisions based on the WISP roadmap.
7. Develop and implement a comprehensive communication plan designed to increase general awareness and educate/advise key stakeholders of the security policy, WISP components, key program deliverables, and WISP implementation roadmap.

5. WISP Framework

The security approach is documented in the Written Information Security Plan. The WISP sets forth university procedures for evaluating electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting university information assets and technology resources. The program will be implemented over time and will be scaled in accordance with university priorities within the practical constraints of finite resources. The WISP framework is shown below:

[Figure: WISP framework]

Key Considerations

The WISP covers all University computing resources and information assets, including but not limited to those managed by administrative staff, decentralized departments, and third party managed services. The WISP framework and security programs apply to all departments, including but not limited to the main campus location and third party managed facilities.

6. Security Controls

Security controls are based on the ISO/IEC 27002 Code of Practice for Information Security Management. ISO 27002 includes 12 control areas, 41 control objectives and 135 controls along with guidance for implementing and maintaining the controls.
Compliance with the security controls helps ensure information security requirements are met. Sections 1.0 through 3.0 of the ISO 27002 Code of Practice include the following general areas:

1.0 Scope – Guidelines and general principles for initiating, implementing, maintaining and improving Information Security management within an organization
2.0 Terms and definitions – Definition of key terms used in the ISO 27002 Code of Practice
3.0 Structure of the Standard – Overview description of the Control Areas, Control Objectives and Controls

Sections 4.0 – 15.0 reference the specific 12 control areas of the ISO 27002 Code of Practice. The 12 control areas are as follows:

4.0 Risk Assessment – Risk assessments are conducted to identify, quantify and prioritize security risks.
5.0 Security Policy – An information security policy document is approved, published and communicated.
6.0 Organization of Information Security – A management framework is established to control information security across the university.
7.0 Asset Management – All assets are accounted for and have an owner.
8.0 Human Resources Security – Security responsibilities are addressed prior to employment in adequate job descriptions and in terms and conditions of employment.
9.0 Physical & Environmental Security – Critical or sensitive information processing facilities are housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls.
10.0 Communications & Operations Management – Responsibilities and procedures for management and operation of all information processing facilities are established.
11.0 Access Control – Access to information, information processing facilities, and business processes is controlled on the basis of business and security requirements.
12.0 Information Systems Acquisition, Development & Maintenance – All security requirements are identified at the requirements phase of a project and agreed and documented as part of the business case.
13.0 Information Security Incident Management – Formal event reporting and escalation procedures are in place.
14.0 Business Continuity Management – A business continuity management process is implemented to minimize the impact on the university and recover from loss of information assets.
15.0 Compliance – All relevant statutory, regulatory, and contractual requirements and the university’s approach to meet these requirements are explicitly defined, documented and kept up to date.

7. Information Security Programs

The four security programs included in the WISP:

1. Management & Communications (People Focus) – Documented standards and procedures that provide instructions for implementing key management and communications controls
2. Cyber-Security (Technology Focus) – Documented standards and procedures that provide instructions for implementing key cyber-security controls
3. Applications & Information Security (Process Focus) – Documented standards and procedures that provide instructions for implementing key application and information security controls
4. Infrastructure & Operations Security (Process Focus) – Documented standards and procedures that provide instructions for implementing key infrastructure and operations security controls

8. Security Governance

The Bryant University Information Security Policy Statement (DOC No. IS-MGT-03A) is approved by the President’s Cabinet. The policy statement sets the direction for information security at the University. The CIO will oversee security controls and programs and direct the efforts of an Information Security Program Committee responsible for developing and issuing guidelines to follow in the implementation of this policy.
Governance Teams

• President’s Cabinet – Establishes policy to protect the assets and interests of the University
• The Chief Information Officer (CIO) – Oversees the Information Security Program
• Information Security Program Committee (ISPC) – Leads the development of standards, guidelines and procedures required to protect the University’s information assets and technology resources
• Information Security Officer (ISO) – Chairs the ISPC; responsible for designing, implementing and managing the security program

Information Security Program Committee Charter

Bryant University recognizes that protection of information assets and technology resources is critical to the functioning of the University. It is the responsibility of all members of the University community to safeguard these assets. The Information Security Program Committee will foster adoption of a written information security program that includes consistent and complete standards, guidelines and procedures to protect these assets.

Objectives

The Information Security Program Committee serves the following functions:

• Oversight of guidelines and recommendations for implementing the University’s information security policy;
• Oversight in the development of standards, guidelines and procedures required to protect the University’s information assets and technology resources;
• Serve as a forum for collaboration among the participants to ensure consistent approaches to assessing, mitigating and responding to risks;
• Ensure security controls are implemented, maintained and reported;
• Facilitate requests to provide information security assurance, metrics and reports;
• Bring confidence to our constituents and other interested parties that their information is being protected in accordance with recognized security standards, while at the same time assuring university management that our own proprietary information is being properly protected.
Roles and Responsibilities

The Chief Information Officer oversees the Information Security Program Committee, which is composed of the Information Security Officer, or the CIO’s designee, and representatives from university departments. The ISO, or the CIO’s designee, has responsibility for designing, implementing and managing the security program. The ISO will manage and monitor security controls to ensure their existence and effectiveness in mitigating risks. The ISO will have responsibility for publishing, maintaining, and disseminating guidelines and recommendations in the implementation of the University’s security policy. The ISO will monitor and report on processes and controls in place to ensure quality and effectiveness.

9. Security Metrics

Operational Metrics

There are many sources that provide a sampling of operational security metrics, including NIST (National Institute of Science and Technology), CIS (Center for Internet Security), OWASP (Open Web Application Security Project) and IATAC (Information Assurance Technology Analysis Center):

• NIST – Special Pub 800-53 Information Security Metrics Guide
• CIS – Security Metrics Initiative
• OWASP – Application Security Metrics Project
• IATAC – State of the Art (SOAR) Report: Measuring Cyber Security and Information Assurance

Each of these initiatives identifies several key information security metrics. A goal of the Security Program is to build a baseline model of security metrics that will evolve over time.

Compliance Metrics

Compliance metrics are used to measure compliance with security controls.
Seven key steps to establish a security metrics program:

1. Define the metrics program goal(s) and objectives
2. Decide what metrics to generate
3. Develop strategies for generating the metrics
4. Establish benchmarks and targets
5. Determine how the metrics will be reported
6. Create an action plan and act on it
7. Establish a formal program review/refinement cycle

Control Environment: Policies, procedures, practices and organizational structures that provide reasonable assurance that business objectives are achieved and undesired events are prevented or detected and corrected.
Control Objective: Description of what we are trying to achieve.
Control: A statement that describes how Bryant will attain the control objective.
Control Documentation: The control design and implementation details.
Control Evidence: Proof that the control exists.
Control Testing: Assessment of the control’s effectiveness in mitigating risk.

A well thought out set of security metrics will allow management to measure the long-term effectiveness of the security program.

10. Security Lifecycle

The four key phases of the Information Security Management System (ISMS):

Phase 1 (PLAN) – Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
• Develop the WISP, which includes the four strategic programs.

Phase 2 (DO) – Implement and operate the ISMS policy, controls, processes, and procedures.
• Assign security controls to each of the strategic programs.

Phase 3 (CHECK) – Assess and, where applicable, measure process performance against ISMS policy, objectives, and practical experience, and report the results to management for review.
• Develop, collect and review operational and compliance metrics for each program.

Phase 4 (ACT) – Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
• Remediate control gaps or accept risks (depending on risk level and tolerance).