
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.


Slide 1: Lesson 5, User Domain and IT Infrastructure Security Policies

Slide 2: Learning Objectives
- Describe the different information systems security (ISS) policies associated with the User Domain.
- Describe the different ISS policies associated with the IT infrastructure.

Slide 3: Key Concepts
- Reasons for governing users with policies
- Regular and privileged users
- Acceptable use policy (AUP) and privileged-level access agreement (PAA)
- Security awareness policy (SAP)
- Differences between public and private User Domain policies
- Elements of an infrastructure security policy
- Policies associated with various domains of a typical IT infrastructure
- Best practices in creating and maintaining IT policies

Slide 4: DISCOVER: CONCEPTS

Slide 5: Security Awareness Policy (SAP)
- Addresses:
  - Basic principles of information security
  - Awareness of risks and threats
  - Dealing with unexpected risk
  - Reporting suspicious activity, incidents, and breaches
  - Building a culture that is security and risk aware

Slide 6: Acceptable Use Policy (AUP)
- Attempts to protect an organization's computers and network
- Addresses password management
- Addresses software licenses
- Addresses intellectual property management
- Describes e-mail etiquette
- Describes the level of privacy an individual should expect when using an organization's computer or network
- Describes noncompliance consequences

Slide 7: Privileged-Level Access Agreement (PAA)
- Acknowledges the risk associated with elevated access in the event the credentials are breached or abused
- Asks the user to promise to use the access only for approved organization business
- Asks the user to promise not to attempt to "hack" or breach security
- Asks the user to promise to protect any output produced with these credentials, such as reports, logs, files, and downloads

Slide 8: Policy Organization
- Requirements may cross domains
  - Malware protection
  - Password/authentication requirements
- Requirements may conflict between domains
- Policies will vary among organizations
- Use standard document types to identify domain security control requirements

Slide 9: Key Purpose of an IT Infrastructure Policy

Slide 10: Three Ways to Organize Policies

Slide 11: Policy Documents

Slide 12: Seven Domains of a Typical IT Infrastructure

Slide 13: Workstation Domain
- Control Standards
  - Device management
  - User permissions
  - Align with functional responsibilities
- Baseline Standards
  - Specific technology requirements for each device
  - Review standards from vendors or organizations
- Procedures
  - Step-by-step configuration instructions
- Guidelines
  - Acquisitions (e.g., preferred vendors)
  - Description of threats and countermeasures
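The Workstation Domain slide separates control standards (what must hold, e.g., device management and user permissions) from baseline standards (the specific settings required on each device) and procedures (how to configure them). The following is an added example, not part of the Jones and Bartlett slides, showing one way to make a baseline standard machine-checkable: each baseline item is tied to the control standard it implements, a device's reported configuration is evaluated against it, and deviations are rolled up per control standard so an auditor can see which requirement is failing across the fleet. The baseline settings, control names, and the three device configurations are constructed for illustration and do not come from the slides.

```python
"""Added example (not from the slides): a workstation baseline standard
expressed as checkable items tied to the control standards they implement.
All settings, thresholds and device records below are constructed."""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class BaselineItem:
    control: str                      # control standard this setting implements
    setting: str                      # configuration key as reported by the device
    check: Callable[[Any], bool]      # predicate over the observed value
    required: str                     # human-readable statement of the requirement


# Hypothetical baseline standard for the Workstation Domain. Each item names the
# control standard it supports so a deviation can be traced back to policy.
WORKSTATION_BASELINE = [
    BaselineItem("Device management", "disk_encryption",
                 lambda v: v == "enabled", "full-disk encryption enabled"),
    BaselineItem("Device management", "screen_lock_timeout_min",
                 lambda v: isinstance(v, int) and 0 < v <= 15, "screen lock within 15 minutes"),
    BaselineItem("Device management", "endpoint_protection",
                 lambda v: v == "running", "endpoint protection running"),
    BaselineItem("Device management", "os_patch_level",
                 lambda v: isinstance(v, str) and v >= "2015-03", "patch level 2015-03 or later"),
    BaselineItem("User permissions", "local_admins",
                 lambda v: set(v) <= {"Administrator", "it-support"}, "only approved local administrators"),
    BaselineItem("User permissions", "password_min_length",
                 lambda v: isinstance(v, int) and v >= 12, "minimum password length 12"),
]

# Constructed device inventory: one compliant host, one drifted host, and one
# host that fails to report a setting at all.
FLEET = {
    "WS-001": {"disk_encryption": "enabled", "screen_lock_timeout_min": 10,
               "endpoint_protection": "running", "os_patch_level": "2015-04",
               "local_admins": ["Administrator", "it-support"], "password_min_length": 14},
    "WS-002": {"disk_encryption": "disabled", "screen_lock_timeout_min": 60,
               "endpoint_protection": "running", "os_patch_level": "2015-04",
               "local_admins": ["Administrator", "jdoe"], "password_min_length": 14},
    "WS-003": {"disk_encryption": "enabled", "screen_lock_timeout_min": 10,
               "os_patch_level": "2014-11",
               "local_admins": ["Administrator"], "password_min_length": 8},
}

_MISSING = object()  # sentinel: the device did not report the setting


def evaluate(device: dict) -> list:
    """Return one deviation record per failed baseline item (empty list = compliant).

    A setting the device does not report, or a value the predicate cannot
    interpret, counts as a deviation: an unknown state is not a compliant state."""
    deviations = []
    for item in WORKSTATION_BASELINE:
        observed = device.get(item.setting, _MISSING)
        try:
            compliant = observed is not _MISSING and bool(item.check(observed))
        except (TypeError, ValueError):
            compliant = False
        if not compliant:
            deviations.append({
                "control": item.control,
                "setting": item.setting,
                "observed": "<not reported>" if observed is _MISSING else observed,
                "required": item.required,
            })
    return deviations


def fleet_report(fleet: dict) -> dict:
    """Summarise a fleet: which hosts are noncompliant, and how many deviations
    fall under each control standard (the view an IT auditor wants)."""
    noncompliant = []
    by_control: dict = {}
    for host in sorted(fleet):
        devs = evaluate(fleet[host])
        if devs:
            noncompliant.append(host)
        for d in devs:
            by_control[d["control"]] = by_control.get(d["control"], 0) + 1
    return {"noncompliant": noncompliant, "by_control": by_control}


if __name__ == "__main__":
    for host in sorted(FLEET):
        for d in evaluate(FLEET[host]):
            print(f"{host}: [{d['control']}] {d['setting']}={d['observed']!r}; required: {d['required']}")
    print(fleet_report(FLEET))
```

The split between `BaselineItem.control` and `BaselineItem.setting` mirrors the slide's distinction between a control standard and a baseline standard: the control name stays stable while the concrete setting and threshold can be revised when the vendor's hardening guide changes, without rewriting the policy itself.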

Slide 14: LAN Domain
- Control Standards
  - Firewalls
  - Denial-of-service protection
  - Align with functional responsibilities
- Baseline Standards
  - Specific technology requirements for each device
  - Review standards from vendors or organizations
- Procedures
  - Step-by-step configuration
- Guidelines
  - Acquisitions (e.g., preferred vendors)
  - Description of threats and countermeasures

Slide 15: LAN-to-WAN Domain
- Control Standards
  - Access control to the Internet
  - Traffic filtering
- Baseline Standards
  - Specific technology requirements for perimeter devices
- Procedures
  - Step-by-step configuration
- Guidelines
  - DMZ, IDS/IPS, content filtering

Slide 16: WAN Domain
- Control Standards
  - WAN management, Domain Name Services, router security, protocols, Web services
- Baseline Standards
  - Review standards from vendors or organizations
- Procedures
  - Step-by-step configuration of routers and firewalls
  - Change management
- Guidelines
  - When and how Web services may be used
  - DNS management within the LAN and WAN environments

Slide 17: Remote Access Domain
- Control Standards
  - VPN connections
  - Multi-factor authentication
- Baseline Standards
  - VPN gateway options
  - VPN client options
- Procedures
  - Step-by-step VPN configuration and debugging
- Guidelines
  - Description of threats
  - Security of remote computing environments, such as working from home

Slide 18: System/Application Domain
- Control Standards
  - Firewalls
  - Denial of service
  - Align with functional responsibilities
- Baseline Standards
  - Specific technology requirements for each device
  - Review standards from vendors or organizations
- Procedures
  - Step-by-step configuration
- Guidelines
  - Acquisitions (e.g., preferred vendors)
  - Description of threats and countermeasures

Slide 19: DISCOVER: PROCESS

Slide 20: Different Types of Users Within an Organization

Slide 21: Example of User Types

Slide 22: User Access Requirements

Slide 23: Contingent and System Accounts

Slide 24: Creating Policy Documents
- Documents should:
  - Differentiate between core requirements and technological requirements
  - Follow a standard format
  - Remain relevant without constant modification
  - Not contain duplicate content

Slide 25: DISCOVER: ROLES

Slide 26: Who Develops User Policies
- Chief financial officer (CFO)
- Chief operations officer (COO)
- Information security manager
- IT manager
- Marketing and sales manager
- Unit manager
- Materials manager
- Purchasing manager
- Inventory manager

Slide 27: Roles and Responsibilities: Who Needs Training?

Slide 28: Roles and Responsibilities
- Information Security (IS) Manager
  - Policy creation, application, and alignment with organizational goals
- IT Auditor
  - Ensuring that controls are in place per policy
- System/Application Administrator
  - Applying controls to the Workstation, LAN, and LAN-to-WAN Domains

Slide 29: DISCOVER: CONTEXTS

Slide 30: Differences and Similarities in User Domain Policies: Differences
- Public organizations must comply with the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and other compliance laws
- Private organizations are often smaller and easier to control from a user standpoint
- Private organizations may not be subject to the compliance laws that apply to public organizations

Slide 31: Differences and Similarities in User Domain Policies: Similarities
- Private organizations may follow the compliance laws that apply to public organizations, depending on their governance requirements
- Public organizations may be small in size and thus have similar control over their user populations

Slide 32: DISCOVER: RATIONALE

Slide 33: The User as the Weakest Link in the Security Chain

Slide 34: The User as the Weakest Link in the Security Chain (Continued)

Slide 35: Lack of Controls
- With a lack of controls, all of the following and more are possible:
  - Workstations would have different configurations
  - LANs would allow unauthorized traffic
  - WANs would have vulnerabilities
  - Network devices would not be configured the same
  - Users would have access to data they are not directly working with

Slide 36: Summary
- Reasons for governing users with policies
- Regular and privileged users
- Acceptable use policy (AUP) and privileged-level access agreement (PAA)
- Security awareness policy (SAP)
- Differences between public and private User Domain policies
- Elements of an infrastructure security policy
- Policies associated with various domains of a typical IT infrastructure
- Best practices in creating and maintaining IT policies

Slide 37: OPTIONAL SLIDES

Slide 38: Roles and Responsibilities: Who Needs Training?

Slide 39: Best Practices for IT Infrastructure Security Policies

Slide 40: Best Practices for IT Infrastructure Security Policies (Continued)

Slide 41: Best Practices for IT Infrastructure Security Policies (Continued)
