Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security+ Guide to Network Security Fundamentals, Fourth Edition

Published byAlbert Jennings Modified over 9 years ago

Similar presentations

Presentation on theme: "Security+ Guide to Network Security Fundamentals, Fourth Edition"— Presentation transcript:

1 Security+ Guide to Network Security Fundamentals, Fourth Edition
Chapter 14 Risk Mitigation

2 Objectives Explain how to control risk
List the types of security policies Describe how awareness and training can provide increased security Security+ Guide to Network Security Fundamentals, Fourth Edition

3 Introduction Risk Multifaceted approach to information security
Concept at the heart of information security Multifaceted approach to information security Control risk through different management techniques Develop a security policy User awareness and training Security+ Guide to Network Security Fundamentals, Fourth Edition

4 Controlling Risk Threat Threat agent Vulnerability Risk
Type of action that has potential to cause harm Threat agent Person or element with power to carry out a threat Vulnerability Flaw or weakness that allows threat agent to bypass security Risk Likelihood threat agent will exploit the vulnerability Security+ Guide to Network Security Fundamentals, Fourth Edition

5 Table 14-1 Risk classifications
Security+ Guide to Network Security Fundamentals, Fourth Edition

6 Controlling Risk (cont’d.)
Privilege Subject’s access level over an object, such as a file Privilege management Process of assigning and revoking privileges to objects Privilege auditing Periodically reviewing a subject’s privileges over an object Objective: determine if subject has the correct privileges Security+ Guide to Network Security Fundamentals, Fourth Edition

7 Figure 14-1 Sample user access and rights review
© Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

8 Controlling Risk (cont’d.)
Change management Methodology for making modifications and keeping track of changes Ensures proper documentation of changes so future changes have less chance of creating a vulnerability Involves all types of changes to information systems Two major types of changes that need proper documentation Changes to system architecture Changes to file or document classification Security+ Guide to Network Security Fundamentals, Fourth Edition

9 Controlling Risk (cont’d.)
Change management team (CMT) Body responsible for overseeing the changes Composed of representatives from all areas of IT, network security, and upper management Proposed changes must first be approved by CMT CMT duties Review proposed changes Ensure risk and impact of planned change are understood Security+ Guide to Network Security Fundamentals, Fourth Edition

10 Controlling Risk (cont’d.)
CMT duties (cont’d.) Recommend approval, disapproval, deferral, or withdrawal of a requested change Communicate proposed and approved changes to coworkers Incident management Response to an unauthorized incident Components required to identify, analyze, and contain an incident Security+ Guide to Network Security Fundamentals, Fourth Edition

11 Controlling Risk (cont’d.)
Incident handling Planning, coordination, communications, and planning functions needed to resolve incident Incident management objective Restore normal operations as quickly as possible with least impact to business or users Security+ Guide to Network Security Fundamentals, Fourth Edition

12 Reducing Risk Through Policies
Security policy Another means of reducing risks Important considerations regarding security policies Understanding what it is Knowing how to balance trust and control Understanding the process for designing a policy Knowing what the different types of policies are Security+ Guide to Network Security Fundamentals, Fourth Edition

13 What Is a Security Policy?
Document that outlines protections to ensure organization’s assets face minimal risks Higher level definition Set of management statements that define organization’s philosophy of how to safeguard information Lower level definition Rules for computer access and how the rules are carried out Security+ Guide to Network Security Fundamentals, Fourth Edition

14 What Is a Security Policy? (cont’d.)
Security policy functions Documents management’s overall intention and direction Details specific risks and how to address them Provides controls to direct employee behavior Helps create a security-aware organizational culture Helps ensure employee behavior is directed and monitored Security+ Guide to Network Security Fundamentals, Fourth Edition

15 Balancing Trust and Control
Three approaches to trust Trust everyone all of the time Trust no one at any time Trust some people some of the time Security policy attempts to provide right amount of trust Builds trust over time Level of control must also be balanced Influenced by security needs and organization’s culture Security+ Guide to Network Security Fundamentals, Fourth Edition

16 Designing a Security Policy
Standard Collection of requirements specific to system or procedure that must be met by everyone Guideline Collection of suggestions that should be implemented Policy Document that outlines specific requirements that must be met Security+ Guide to Network Security Fundamentals, Fourth Edition

17 Designing a Security Policy (cont’d.)
Characteristics of a policy Communicates a consensus of judgment Defines appropriate user behavior Identifies needed tools and procedures Provides directives for Human Resource action in response to inappropriate behavior Helps if necessary to prosecute violators Security+ Guide to Network Security Fundamentals, Fourth Edition

18 Designing a Security Policy (cont’d.)
Three phases of the security policy cycle Vulnerability assessment Asset identification Threat identification Vulnerability appraisal Risk assessment Risk mitigation Create the policy using information from risk management study Review the policy for compliance Security+ Guide to Network Security Fundamentals, Fourth Edition

19 Figure 14-2 Security policy cycle
© Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

20 Table 14-2 Security policy must and should statements
Security+ Guide to Network Security Fundamentals, Fourth Edition

21 Designing a Security Policy (cont’d.)
Security policy design should be the work of a team Development team representatives Senior level administrator Member of management who can enforce the policy Member of the legal staff Representative from the user community Team should first decide on policy goals and scope Also how specific the policy should be Security+ Guide to Network Security Fundamentals, Fourth Edition

22 Designing a Security Policy (cont’d.)
Due care Obligations imposed on owners and operators of assets Owners must exercise reasonable care of assets and take precautions to protect them Examples of due care policy statements Employees should exercise due care in opening attachments received from unknown sources Students will exercise due care when using computers in a crowded lab setting Security+ Guide to Network Security Fundamentals, Fourth Edition

23 Designing a Security Policy (cont’d.)
Policy development guidelines Notify users in advance of development of and reasons for a new security policy Provide affected users an opportunity to review and comment on policy prior to deployment Give users with responsibility the authority to carry out their responsibilities Security+ Guide to Network Security Fundamentals, Fourth Edition

24 Types of Security Policies
Security policies often broken down into subpolicies Acceptable use policy Privacy policy Security-related human resource policy Password management and complexity policy Disposal and destruction policy Classification of information policy Ethics policy Security+ Guide to Network Security Fundamentals, Fourth Edition

25 Types of security policies
Table 14-3 Types of security policies Security+ Guide to Network Security Fundamentals, Fourth Edition

26 Types of Security Policies (cont’d.)
Acceptable use policy Policy that defines actions users may perform while accessing systems Users include employees, vendors, contractors, and visitors Typically covers all computer use Generally considered most important information security policy Security+ Guide to Network Security Fundamentals, Fourth Edition

27 Types of Security Policies (cont’d.)
Privacy policy Also called personally identifiable information policy Outlines how organization uses personal information it collects Security-related human resource policy Includes statements about how an employee’s information technology resources will be addressed Typically presented at employee orientation session after employee is hired Security+ Guide to Network Security Fundamentals, Fourth Edition

28 Figure 14-3 Sample privacy policy
© Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

29 Types of Security Policies (cont’d.)
Security-related human resource policy (cont’d.) May include statements regarding due process and/or due diligence May include statements regarding actions to be taken when employee is terminated Password management and complexity policy Addresses how passwords are created and managed Reminds users of differences between strong and weak passwords Security+ Guide to Network Security Fundamentals, Fourth Edition

30 Figure 14-4 Weak password information
© Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

31 Figure 14-5 Strong password information
© Cengage Learning 2012 Security+ Guide to Network Security Fundamentals, Fourth Edition

32 Types of Security Policies (cont’d.)
Disposal and destruction policy Addresses disposal of confidential resources Describes how to dispose of equipment, records, and data Classification of information policy Designed to produce standardized framework for classifying information assets Generally involves creating classification categories Example: high, medium, low Security+ Guide to Network Security Fundamentals, Fourth Edition

33 Types of Security Policies (cont’d.)
Defining ethics can be difficult Values A person’s fundamental beliefs and principles Morals Values attributed to a belief system that helps individuals distinguish right from wrong Ethics Study of what a group of people understand to be good and right behavior Security+ Guide to Network Security Fundamentals, Fourth Edition

34 Types of Security Policies (cont’d.)
An organization does not set an employee’s values Does set ethical behavior standards Ethics policy Written code of conduct Guides employees in decision making Serves as a communication tool to reflect organization’s commitments Security+ Guide to Network Security Fundamentals, Fourth Edition

35 Awareness and Training
Providing users with security awareness training Key defense in information security Awareness and training topics Compliance Secure user practices Awareness of threats Security+ Guide to Network Security Fundamentals, Fourth Edition

36 Compliance Users should be informed regarding:
Security policy training and procedures Personally identifiable information Information classification Data labeling, handling, and disposal Compliance with laws, best practices, and standards Security+ Guide to Network Security Fundamentals, Fourth Edition

37 User Practices Table 14-4 User practices
Security+ Guide to Network Security Fundamentals, Fourth Edition

38 Threat Awareness Peer-to-peer (P2P) networks
Similar to instant messaging Users connect directly to each other Typically used for sharing audio, video, data files Tempting targets for attackers Viruses, worms, Trojans, and spyware can be sent using P2P Most organizations prohibit use of P2P High risk of infection Legal consequences Security+ Guide to Network Security Fundamentals, Fourth Edition

39 Threat Awareness (cont’d.)
Social networking Grouping individuals based on some sort of affiliation Can be physical or online Web sites that facilitate social networking called social networking sites Increasingly becoming prime targets of attacks Reasons social networking sites are popular with attackers Lots of personal data is available Security+ Guide to Network Security Fundamentals, Fourth Edition

40 Threat Awareness (cont’d.)
Reasons social networking sites are popular with attackers (cont’d.) Users are generally trusting Sites are vulnerable Security tips for using social networking sites Consider carefully who is accepted as a friend Show limited friends a reduced version of your profile Disable options and reopen only as necessary Security+ Guide to Network Security Fundamentals, Fourth Edition

41 Table 14-5 Recommended Facebook profile settings
Security+ Guide to Network Security Fundamentals, Fourth Edition

42 Table 14-6 Recommended Facebook contact information settings Security+ Guide to Network Security Fundamentals, Fourth Edition

43 Training Techniques Opportunities for security education and training
When new employee is hired After computer attack has occurred When employee promoted During annual department retreat When new user software is installed When user hardware is upgraded Security+ Guide to Network Security Fundamentals, Fourth Edition

44 Training Techniques (cont’d.)
Learner traits impact how people learn Examples of learning styles Visual Auditory Kinesthetic Training styles impact how people learn Pedagogical approach Classic teaching method Andragogical approach Art of helping an adult learn Security+ Guide to Network Security Fundamentals, Fourth Edition

45 Table 14-7 Traits of learners
Security+ Guide to Network Security Fundamentals, Fourth Edition

46 Table 14-8 Approaches to training
Security+ Guide to Network Security Fundamentals, Fourth Edition

47 Summary A risk is the likelihood that a threat agent will exploit a vulnerability Privilege management and change management are risk management approaches A security policy states how an organization plans to protect its information technology assets Development and maintenance of a security policy follows a three-phase cycle Security+ Guide to Network Security Fundamentals, Fourth Edition

48 Summary (cont’d.) Security policies are often broken into subpolicies
Acceptable use policy Privacy policy Password management and complexity policy Disposal and destruction policy Classification of information policy Ongoing awareness training provides users with knowledge and skills necessary to support information security Security+ Guide to Network Security Fundamentals, Fourth Edition

Download ppt "Security+ Guide to Network Security Fundamentals, Fourth Edition"

Similar presentations

Child Safeguarding Standards

Child Safeguarding Standards
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 14 Security Policies and Training.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 14 Security Policies and Training.
Security Controls – What Works

Security Controls – What Works
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Information Security Policies and Standards

Information Security Policies and Standards
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 6 Enterprise Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 6 Enterprise Security.
Information Systems Security Officer

Information Systems Security Officer
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Purpose of the Standards

Purpose of the Standards
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.

Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.
Network security policy: best practices

Network security policy: best practices
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Similar presentations

Ads by Google