Written Information Security Plan (WISP)

BRYANT UNIVERSITY
Written Information Security Plan (WISP)
Author: Office of Information Services
Last Review Date:
6/5/2012
Version 2.0
Executive Summary - This document details Bryant University’s Written Information Security Plan (WISP). The WISP sets
forth university procedures for evaluating electronic and physical methods of accessing, collecting, storing, using,
transmitting, and protecting university information assets and technology resources. The goal is consistent delivery across
all departments . Adoption of the WISP ensures that the university implements effective security controls that safeguard
university information, business processes, applications, and infrastructure.
DOC NO. IS-MGT-03B
WRITTEN INFORMATION SECURITY PLAN (WISP)
TABLE OF CONTENTS
1. Background and Introduction …………………………………………………………………………………………………………………………………… 3
2. Guidelines ………………………………………………………………………………………………………………………………………………………………… 3
3. Plan Coordination …………………………………………………………………………………………………………………………………………………….. 3
4. Security Goals & Objectives ….……………………………….…………………………….…………………………………………..….…………....…….. 3
5. WISP Framework .....................................................................................……..……….…………………..…………………………….... 4
6. Security Controls..................................................................……..……………….…………………………………………………………….…. 5
7. Information Security Programs ………………………………………………………….……………...……….………………..…………………..……….. 5
8. Security Governance ………………………………………………………………………………….………………………………………………………….….. 6
9. Security Metrics …………….……………………………………………………….………….…………………………………………………………..…………. 7
10. Security Lifecycle ………………………………………….………………….………………….……………………………………..…………………..………… 7
VERSION CONTROL
Version 1.0 – Draft – for Approval …………..…………………………………………………..……………..……………………………………. 5/14/2012
Version 2.0 – Incorporated comments from IS department level review ………………..………………………………………………… 6/5/2012
DOC NO. IS-MGT-03B
2
WRITTEN INFORMATION SECURITY PLAN (WISP)
1. Background and Introduction
External and Internal Threats - Attackers continue to take advantage of the rapid pace of technology for financial gain,
including theft of intellectual property. The latest threats aggressively target multiple resources to ensure successful
exploitation. Single, public-facing resources are no longer the greatest risk. Instead, every employee and endpoint is a
potential point of entry. Combinations of vulnerability exploits, spam, phishing, malicious URLs and social engineering are
easier to obfuscate, automate, and deploy than ever before.
The Written Information Security Plan (WISP) is intended to promote the protection of the confidentiality, integrity,
availability, and accountability of the University’s information assets by instituting sound information security controls
throughout the University. In addition to this Plan, other University policies on data confidentiality and safeguarding may
apply to specific data, computers, computer systems, provided or operated by University departments. The objective is to
enable university businesses, students, employees, faculty, partners and customers to conduct research or business,
exchange information and ideas in a secure environment where risk is carefully managed and protection of assets is both
comprehensive and pervasive. This Plan applies to everyone who uses, maintains or manages University business
processes, applications and infrastructure.
2. Guidelines
The Office of Information Services (OIS) will set electronic guidelines for the safeguarding of University information that is
in electronic format. OIS will maintain and provide access to policies and procedures that are designed to safeguard
against anticipated threats to the security or integrity of University information, in either electronic or other formats, and
to guard against the unauthorized use of University information. Each relevant University business unit is responsible for
securing protected student, financial and educational records located in its unit in accordance with this Plan and all other
University policies and applicable laws. Each relevant University business unit must develop and maintain a plan that
details the safeguards and security procedures for information located in its unit. Each relevant University business unit
will make its security plan available to OIS upon request.
3. Plan Coordination
The University employees designated for the coordination and execution of the Plan are the Information Security Officer
(ISO) for the Office of Information Services and representatives from divisional units that serve as the Information
Security Program Committee (ISPC). The Plan will be evaluated periodically and adjusted as necessary in light of relevant
circumstances, including changes in the University’s business arrangements or operations, or as a result of testing and
monitoring the safeguards.
The ISO and ISPC will work collaboratively in developing and overseeing an effective security program that ensures
appropriate information security controls are in place and effective across the University.
4. Security Goals and Objectives
The security program has the following key goals:
1. Develop and communicate a comprehensive security framework and strategic programs under the WISP framework:
 Meet business, technical , operational and regulatory requirements of the University;
 Protect from threats against information and IT resources;
 Based on the security principle of Defense in Depth (A methodology based on applying multiple defense
mechanisms in layers across the enterprise to protect internal data, systems, networks, and users. This strategy is
effective at providing security assurance, cost efficient, scalable, adaptive to changing threats, and proven to
work.)
2. Align with industry best practices [ISO 27002 Code of Practice].
DOC NO. IS-MGT-03B
3
WRITTEN INFORMATION SECURITY PLAN (WISP)
3. Manage security throughout its lifecycle.
4. Integrate security and compliance into “normal” operations.
5. Identify/assign/acquire appropriate resources and investments (tools, technology, training, staffing) to implement and
maintain the security programs.
6. Develop a WISP implementation roadmap for the University inclusive of all departments. Review and receive approval from
the President’s Cabinet for implementing security programs across all divisions based on the WISP roadmap.
7. Develop and implement a comprehensive communication plan designed to increase general awareness and educate/ advise
key stakeholders of the security policy, WISP components, key program deliverables, and WISP implementation roadmap.
5. WISP Framework
The security approach is documented in the Written Information Security Plan. The WISP sets forth university procedures
for evaluating electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting
university information assets and technology resources. The program will be implemented over time and will be scaled in
accordance with university priorities within the practical constraints of finite resources.
The WISP framework is shown below:
DOC NO. IS-MGT-03B
4
WRITTEN INFORMATION SECURITY PLAN (WISP)
Key Considerations
 The WISP covers all University computing resources and information assets; including but not limited to those managed by
administrative staff, decentralized departments, third party managed services.
 The WISP framework and security programs apply to all departments, including but not limited to main campus location,
third party managed facilities.
6. Security Controls
Security controls are based on ISO /IEC 27002 Code of Practice for Information Security Management. ISO 27002 includes
12 control areas, 41 control objectives and 135 controls along with guidance for implementing and maintaining the
controls. Compliance with the security controls helps ensure information security requirements are met.
Sections 1.0 through 3.0 of the ISO 27002 Code of Practice include the following general areas:
1.0 Scope – Guidelines and general principles for initiating, implementing, maintaining and improving Information
Security management within an organization
2.0 Terms and definitions – Definition of key terms used in the ISO 27002 Code of Practice
3.0 Structure of the Standard – Overview description of the Control Areas, Control Objectives and Controls
Sections 4.0 – 15.0 reference the specific 12 control areas of the ISO 27002 Code of Practice. The 12 control areas are as follows:
4.0 Risk Assessment - Risk assessments are conducted to identify, quantify and prioritize security risks.
5.0 Security Policy - An information security policy document is approved, published and communicated.
6.0 Organization of Information Security - A management framework is established to control information security
across the university.
7.0 Asset Management - All assets are accounted for and have an owner.
8.0 Human Resources Security - Security responsibilities are addressed prior to employment in adequate job
descriptions and in terms and conditions of employment.
9.0 Physical & Environmental Security - Critical or sensitive information processing facilities are housed in secure
areas, protected by defined security perimeters, with appropriate security barriers and entry controls.
10.0 Communications & Operations Management - Responsibilities and procedures for management and operation of
all information processing facilities are established.
11.0 Access Control - Access to information, information processing facilities, and business processes are controlled on
the basis of business and security requirements.
12.0 Information Systems Acquisition, Development & Maintenance - All security requirements are identified at the
requirements phase of a project and agreed and documented as part of the business case.
13.0 Information Security Incident Management - Formal event reporting and escalation procedures are in place.
14.0 Business Continuity Management - A business continuity management process are implemented to minimize the
impact on the university and recover from loss of information assets.
15.0 Compliance - All relevant statutory, regulatory, and contractual requirements and the university’s approach to
meet these requirements are explicitly defined, documented and kept up to date.
7. Information Security Programs
The four security programs included in the WISP:
1.
2.
3.
4.
Management & Communications (People Focus) - Documented standards and procedures that provide
instructions for implementing key management and communications controls
Cyber-Security (Technology Focus) - Documented standards and procedures that provide instructions for
implementing key cyber-security controls
Applications & Information Security (Process Focus) - Documented standards and procedures that provide
instructions for implementing key application and information security controls
Infrastructure & Operations Security (Process Focus) - Documented standards and procedures that provide
instructions for implementing key infrastructure and operations security controls
DOC NO. IS-MGT-03B
5
WRITTEN INFORMATION SECURITY PLAN (WISP)
8. Security Governance
The Bryant University Information Security Policy Statement (DOC No. IS-MGT-03A) is approved by the President’s
cabinet. The policy statement sets the direction for information security at the University. The CIO will oversee security
controls, programs and direct the efforts of an Information Security Program committee responsible for developing and
issuing guidelines to follow in the implementation of this policy.
Governance Teams
• President’s Cabinet – Establish policy to protect the assets and interests of the University
• The Chief Information Officer (CIO) - oversees the Information Security Program
• Information Security Program Committee (ISPC) – Leads in the development of standards, guidelines and procedures
required to protect the University’s information assets and technology resources
• Information Security Officer – Chairs the ISPC responsibe for designing, implementing and managing the security
program
Information Security Program Committee Charter
Bryant University recognizes that protection of information assets and technology resources is critical to the functioning of the
University. It is the responsibility of all members of the University community to safeguard these assets. The Information Security
Program Committee will foster adoption of a written information security program that includes consistent and complete
standards, guidelines and procedures to protect these assets.
Objectives
The Information Security Program Committee serves the following functions:
•
•
•
•
•
•
Oversight of guidelines and recommendations for implementing the University’s information security policy;
Oversight in the development of standards, guidelines and procedures required to protect the University’s information
assets and technology resources;
Serve as a forum for collaboration among the participants to ensure consistent approaches to assessing, mitigating and
responding to risks;
Ensure security controls are implemented, maintained and reported;
Facilitate requests to provide information security assurance, metrics and reports;
Bring confidence to our constituents and other interested parties that their information is being protected in
accordance with recognized security standards, while at the same time assuring university management that our own
proprietary information is being properly protected.
Roles and Responsibilities
The Chief Information Officer oversees the Information Security Program Committee that is composed of the Information
Security Officer, or the CIO’s designee, and representatives from university departments.
The ISO, or CIO’s designee, has responsibility for designing, implementing and managing the security program. The ISO will
manage and monitor security controls to ensure their existence and effectiveness in mitigating risks. The ISO will have
responsibility for publishing, maintaining, and disseminating guidelines and recommendations in the implementation of the
University’s security policy. The ISO will monitor and report on processes and controls in place to ensure quality and
effectiveness.
DOC NO. IS-MGT-03B
6
WRITTEN INFORMATION SECURITY PLAN (WISP)
9. The Security Metrics
Operational Metrics
There are many sources that provide a sampling of operational security metrics, including NIST (National Institute of
Science and Technology), CIS (Center for Internet Security), OWASP (Open Web Application Security Project) and IATAC
(Information Assurance Technology Analysis Center):
 NIST - Special Pub 800-53 Information Security Metrics Guide
 CIS - Security Metrics Initiative
 OWASP - Application Security Metrics Project
 IATAC - State the Art (SOAR) Report: Measuring Cyber Security and Information Assurance
Each of these initiatives identifies several key information security metrics. A goal of the Security Program is to build a
baseline model of security metrics that will evolve over time.
Compliance Metrics
Compliance metrics are used to measure compliance with security controls.
Operational Metrics
Compliance Metrics
Seven key steps to establish a security metrics program:
 Define the metrics program goal(s) and objectives
 Decide what metrics to generate
 Develop strategies for generating the metrics
 Establish benchmarks and targets
 Determine how the metrics will be reported
 Create an action plan and act on it
 Establish a formal program review/refinement cycle
 Control Environment: Policies, procedures, practices and
organizational structures that provide reasonable assurance
business objectives are achieved and undesired events are
prevented or detected and corrected.
 Control Objective: Description of what we are trying to
achieve.
 Control: A statement that describes how Bryant will attain
the control objective.
 Control Documentation: The control design and
implementation details.
 Control Evidence: Proof that the control exists.
 Control Testing: Assessment of the control effectiveness in
mitigating risk.
A well thought out set of security metrics will allow
management to measure the long-term effectiveness of the
security program.
10. Security Lifecycle
The four key phases of the Information Security Management System (ISMS):
Phase 1 (PLAN) - Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving
information security to deliver results in accordance with an organization’s overall policies and objectives.
• Develop the WISP, which includes the four strategic programs.
Phase 2 (DO) - Implement and operate the ISMS policy, controls, processes, and procedures.
• Assign Security Controls to each of the strategic programs
Phase 3 (CHECK) - Assess and, where applicable, measure process performance against ISMS policy, objectives, and
practical experience and report the results to management for review.
• Develop, collect and review operational and compliance metrics for each program
Phase 4 (ACT) - Take corrective and preventive actions, based on the results of the internal ISMS audit and
management review or other relevant information, to achieve continual improvement of the ISMS.
DOC NO. IS-MGT-03B
7
WRITTEN INFORMATION SECURITY PLAN (WISP)
•
Remediate control gaps or accept risks (depending on risk level and tolerance)
DOC NO. IS-MGT-03B
8