Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 4482: Computer Security Management: Assessment and Forensics

Published byJeremy Fowler Modified over 8 years ago

Similar presentations

Presentation on theme: "CSE 4482: Computer Security Management: Assessment and Forensics"— Presentation transcript:

1 CSE 4482: Computer Security Management: Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875 Lectures: Tues (CB 122), 7–10 PM Office hours: Wed 2-4 pm (CSEB 3043), or by appointment. 4/20/2017 1

2 Ch 4: Information Security Policy
Objectives Upon completion of this material you should be able to: Define information security policy and understand its central role in a successful information security program Describe the three major types of information security policy and explain what goes into each type Develop various types various types of information security policies Management of Information Security, 3rd ed. 2

3 Introduction Policy is the essential foundation of an effective information security program Policy maker sets the tone and emphasis on the importance of information security Objectives Reduced risk Compliance with laws and regulations Assurance of operational continuity, information integrity, and confidentiality Management of Information Security, 3rd ed. 3

4 Basic rules for shaping a policy
Why Policy? Policies are the least expensive means of control and often the most difficult to implement Basic rules for shaping a policy Policy should never conflict with law Policy must be able to stand up in court if challenged Policy must be properly supported and administered Management of Information Security, 3rd ed. 4

5 Why Policy? (cont’d.) Bulls-eye model
Networks: threats first meet the organization’s network Systems: computers and manufacturing systems Applications: all applications systems Management of Information Security, 3rd ed. 5

6 Policies are important reference documents
Why Policy? (cont’d.) Policies are important reference documents For internal audits For the resolution of legal disputes about management's due diligence Policy documents can act as a clear statement of management's intent Types of information security policy Enterprise information security program policy Issue-specific information security policies Systems-specific policies Management of Information Security, 3rd ed. 6

7 Policy, Standards, and Practices
Policy : A plan or course of action that influences decisions must be properly disseminated, read, understood, agreed-to, and uniformly enforced require constant modification and maintenance Standards A more detailed statement of what must be done to comply with policy Practices Procedures and guidelines explain how employees will comply with policy Management of Information Security, 3rd ed. 7

8 Policies, Standards, & Practices
Figure 4-2 Policies, standards and practices Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 8

9 Enterprise Information Security Policy (EISP)
Sets strategic direction, scope, and tone for organization’s security efforts Assigns responsibilities for various areas of information security Guides development, implementation, and management requirements of information security program Management of Information Security, 3rd ed. 9

10 corporate philosophy on security
EISP Elements corporate philosophy on security information security organization and information security roles Management of Information Security, 3rd ed. 10

11 Example ESIP Components
Statement of purpose Information technology security elements Need for information technology security Information technology security responsibilities and roles Reference to other information technology standards and guidelines Management of Information Security, 3rd ed. 11

12 Issue-Specific Security Policy (ISSP)
Provides detailed, targeted guidance Instruction for secure use of a technology systems Begins with introduction to fundamental technological philosophy of the organization Protects organization from inefficiency and ambiguity Documents how the technology-based system is controlled Identifies the processes and authorities that provide this control Indemnifies the organization against liability for an employee’s inappropriate or illegal system use Management of Information Security, 3rd ed. 12

13 Issue-Specific Security Policy- contd
ISSP topics and internet use Minimum system configurations Prohibitions against hacking Home use of company-owned computer equipment Use of personal equipment on company networks Use of telecommunications technologies Use of photocopy equipment Management of Information Security, 3rd ed. 13

14 Authorized Access and Usage of Equipment
Components of the ISSP Statement of Purpose Scope and applicability Definition of technology addressed Responsibilities Authorized Access and Usage of Equipment User access Fair and responsible use Protection of privacy Management of Information Security, 3rd ed. 14

15 Components of the ISSP - contd
Prohibited Usage of Equipment Disruptive use or misuse Criminal use Offensive or harassing materials Copyrighted, licensed or other intellectual property Other restrictions Systems management Management of stored materials Employer monitoring Virus protection Physical security Encryption Management of Information Security, 3rd ed. 15

16 Components of the ISSP - contd
Violations of policy Procedures for reporting violations Penalties for violations Policy review and modification Scheduled review of policy and procedures for modification Limitations of liability Statements of liability or disclaimers Management of Information Security, 3rd ed. 16

17 System-Specific Security Policy
System-specific security policies (SysSPs) frequently do not look like other types of policy may function as standards or procedures to be used when configuring or maintaining systems SysSPs can be separated into Management guidance Technical specifications Or combined in a single policy document Management of Information Security, 3rd ed. 17

18 Managerial Guidance SysSPs
Created by management to guide the implementation and configuration of technology Applies to any technology that affects the confidentiality, integrity or availability of information, e.g. firewall configuration Informs technologists of management intent Management of Information Security, 3rd ed. 18

19 Technical Specifications SysSPs
System administrators’ directions on implementing managerial policy Each type of equipment has its own type of policies General methods of implementing technical controls Access control lists Configuration rules Management of Information Security, 3rd ed. 19

20 Technical Specifications SysSPs - contd
Access control lists Include the user access lists, matrices, and capability tables that govern the rights and privileges A similar method that specifies which subjects and objects users or groups can access is called a capability table These specifications are frequently complex matrices, rather than simple lists or tables Enable administrations to restrict access according to user, computer, time, duration, or even a particular file Management of Information Security, 3rd ed. 20

21 Technical Specifications SysSPs - contd
Access control lists regulate Who can use the system What authorized users can access When authorized users can access the system Where authorized users can access the system from How authorized users can access the system Restricting what users can access, e.g. printers, files, communications, and applications Administrators set user privileges Read, write, create, modify, delete, compare, copy Management of Information Security, 3rd ed. 21

22 Technical Specifications SysSPs - contd
Figure 4-5 Windows XP ACL Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 22

23 Technical Specifications SysSPs - contd
Configuration rules Specific configuration codes entered into security systems Guide the execution of the system when information is passing through it Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process Management of Information Security, 3rd ed. 23

24 Technical Specifications SysSPs (cont’d.)
Figure 4-6 Firewall configuration rules Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 24

25 Guidelines for Effective Policy
policies must be properly: Developed using industry-accepted practices Distributed or disseminated using all appropriate methods Reviewed or read by all employees Understood by all employees Formally agreed to by act or assertion Uniformly applied and enforced Management of Information Security, 3rd ed. 25

26 Development steps Investigation (goals, support, particiption) Analysis (risk assessment) Design (components, dissemination) Implement (detailed specification) Maintenance Distribution

27 Policy Comprehension Figure 4-9 Readability statistics 27
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 27

28 Automated Tools Figure 4-10 The VigilEnt policy center 28
Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 28

29 The Information Securities Policy Made Easy Approach
Gathering key reference materials Defining a framework for policies Preparing a coverage matrix Making critical systems design decisions Structuring review, approval, and enforcement processes Management of Information Security, 3rd ed. 29

30 The Information Securities Policy Made Easy Approach (cont’d.)
Figure 4-11 A sample coverage matrix Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 30

31 A Final Note on Policy Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy Policies exist, first and foremost, to inform employees of what is and is not acceptable behavior in the organization Policy seeks to improve employee productivity, and prevent potentially embarrassing situations Management of Information Security, 3rd ed. 31

32 Enterprise Information Security Policy Issue-Specific Security Policy
Summary Introduction Why Policy? Enterprise Information Security Policy Issue-Specific Security Policy System-Specific Policy Guidelines for Policy Development Management of Information Security, 3rd ed. 32

33 Next Ch 5: Developing the security program

34 Objectives Completion of this material will enable you to:
Explain the organizational approaches to information security List and describe the functional components of an information security program Determine how to plan and staff an organization’s information security program based on its size Evaluate the internal and external factors that influence the activities and organization of an information security program List and describe the typical job titles and functions performed in the information security program Describe the components of a security education, training, and awareness program and explain how organizations create and manage these programs Management of Information Security, 3rd ed. 34

35 Introduction Some organizations use security program to describe the entire set of personnel, plans, policies, and initiatives related to information security The term “information security program” is used here to describe the structure and organization of the effort that contains risks to the information assets of the organization Management of Information Security, 3rd ed. 35

36 Organizing for Security
Variables involved in structuring an information security program Organizational culture Size Security personnel budget Security capital budget As organizations increase in size: Their security departments are not keeping up with increasingly complex organizational infrastructures Management of Information Security, 3rd ed. 36

37 Organizing for Security (cont’d.)
Information security departments tend to form internal groups To meet long-term challenges and handle day-to-day security operations Functions are likely to be split into groups Smaller organizations typically create fewer groups Perhaps having only one general group of specialists Management of Information Security, 3rd ed. 37

38 Organizing for Security (cont’d.)
Very large organizations (> 10,000 computers Security budgets often grow faster than IT budgets Even with a large budgets, the average amount spent on security per user is still smaller than any other type of organization Small organizations spend more than $5,000 per user on security; very large organizations spend about 1/18th of that, roughly $300 per user Does a better job in the policy and resource management areas Only 1/3 of organizations handled incidents according to an IR plan Management of Information Security, 3rd ed. 38

39 Organizing for Security (cont’d.)
Large organizations Have 1,000 to 10,000 computers Security approach has often matured, integrating planning and policy into the organization’s culture Do not always put large amounts of resources into security Considering the vast numbers of computers and users often involved They tend to spend proportionally less on security Management of Information Security, 3rd ed. 39

40 Security in Large Organizations
One approach separates functions into four areas: Functions performed by non-technology business units outside of IT Functions performed by IT groups outside of information security area Functions performed within information security department as customer service Functions performed within the information security department as compliance Management of Information Security, 3rd ed. 40

41 Security in Large Organizations - contd
The CISO has responsibility for information security functions Should be adequately performed somewhere within the organization The deployment of full-time security personnel depends on: Sensitivity of the information to be protected Industry regulations General profitability The more money the company can dedicate to its personnel budget The more likely it is to maintain a large information security staff Management of Information Security, 3rd ed. 41

42 Security in Large Organizations (cont’d.)
Figure 5-1 Example of information security staffing in a large organization Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 42

43 Security in Large Organizations (cont’d.)
Figure 5-2 Example of information security staffing in a very large organization Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 43

44 Security in Medium-Sized Organizations
Have between 100 and 1000 computers Have a smaller total budget Have same sized security staff as the small organization, but a larger need Must rely on help from IT staff for plans and practices Ability to set policy, handle incidents, and effectively allocate resources is worse than any other size May be large enough to implement a multi-tiered approach to security With fewer dedicated groups and more functions assigned to each group Tend to ignore some security functions Management of Information Security, 3rd ed. 44

45 Security in Medium-Sized Organizations (cont’d.)
Figure 5-3 Example of information security staffing in a medium-sized organization Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 45

46 Security in Small Organizations
Have between 10 and 100 computers Have a simple, centralized IT organizational model Spend disproportionately more on security Information security is often the responsibility of a single security administrator Have little in the way of formal policy, planning, or security measures Often outsource Web presence or ecommerce Security training and awareness is commonly conducted on a 1-on-1 basis Policies (when they exist) are often issue-specific Threats from insiders are less likely Every employee knows every other employee Management of Information Security, 3rd ed. 46

47 Security in Small Organizations (cont’d.)
Figure 5-4 Example of information security staffing in a smaller organization Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 47

48 Placing Information Security
In large organizations InfoSec is often located within the information technology department Headed by the CISO who reports directly to the top computing executive, or CIO An InfoSec program is sometimes at odds with the goals and objectives of the IT department as a whole, because the goals and objectives of the CIO and the CISO may come in conflict It is not difficult to understand the current movement to separate information security from the IT division The challenge is to design a reporting structure for the InfoSec program that balances the needs of each of the communities of interest Management of Information Security, 3rd ed. 48

49 Placing Information Security, option 1: Information Technology
Figure 5-5 Wood’s Option 1: Information security reports to information technology department Management of Information Security, 3rd ed. Source: From Information Security Roles and Responsibilities Made Easy, used with permission. 49

50 Pros/cons Widespread use Close to CEO Within IT dept Conflict of interest Security is not just a technological issue

51 Placing Information Security, option 2: Security dept
Figure 5-6 Wood’s Option 2: Information security reports to broadly defined security department Management of Information Security, 3rd ed. Source: From Information Security Roles and Responsibilities Made Easy, used with permission. 51

52 Pros/cons Also popular In a dept that focuses on security Preventive viewpoint Cultural differences Resource allocation disparity

53 Placing Information Security, option 3: Administrative services
Figure 5-7 Wood’s Option 3: Information security reports to administrative services department Management of Information Security, 3rd ed. Source: From Information Security Roles and Responsibilities Made Easy, used with permission. 53

54 Pros/Cons Close to CEO Focus on people Disparity with the other concerns

55 Placing Information Security, option 4: insurance and risk mgmt
Figure 5-8 Wood’s Option 4: Information security reports to insurance and risk management department Management of Information Security, 3rd ed. Source: From Information Security Roles and Responsibilities Made Easy, used with permission. 55

56 Placing Information Security, option 5: strategy and planning
Figure 5-9 Wood’s Option 5: Information security reports to strategy and planning department Management of Information Security, 3rd ed. Source: From Information Security Roles and Responsibilities Made Easy, used with permission. 56

57 Components of the Security Program
Organization’s information security needs Unique to the culture, size, and budget of the organization Determining what level the information security program operates on depends on the organization’s strategic plan Also the plan’s vision and mission statements The CIO and CISO should use these two documents to formulate the mission statement for the information security program Management of Information Security, 3rd ed. 57

58 Information Security Roles and Titles
Figure 5-10 Information security roles Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 58

59 Implementing Security Education, Training, and Awareness Programs
SETA program Designed to reduce accidental security breaches Consists of three elements: security education, security training, and security awareness Awareness, training, and education programs offer two major benefits: Improving employee behavior Enabling the organization to hold employees accountable for their actions Management of Information Security, 3rd ed. 59

60 Implementing SETA Programs (cont’d.)
Purpose of SETA is to enhance security: By building in-depth knowledge, to design, implement, or operate security programs for organizations and systems By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely By improving awareness of the need to protect system resources Management of Information Security, 3rd ed. 60

61 Implementing SETA Programs (cont’d.)
Table 5-3 Framework of security education, training and awareness Source: National Institute of Standards and Technology. An Introduction to Computer Security: The NIST Handbook. SP Management of Information Security, 3rd ed. 61

62 Security Education Employees within information security may be encouraged to seek a formal education If not prepared by their background or experience A number of institutions of higher learning, including colleges and universities, provide formal coursework in information security Management of Information Security, 3rd ed. 62

63 Security Education (cont’d.)
Figure 5-11 Information security knowledge map Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 63

64 Security Training Involves providing detailed information and hands-on instruction To develop user skills to perform their duties securely develop customized training or outsource Customizing training for users By functional background General user Managerial user Technical user By skill level Novice Intermediate Advanced Management of Information Security, 3rd ed. 64

65 Security awareness programs:
One of the least frequently implemented, but most effective security methods is the security awareness program Security awareness programs: Set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure Remind users of the procedures to be followed Management of Information Security, 3rd ed. 65

66 Security Awareness (cont’d.)
Refrain from using technical jargon Define learning objectives, state them clearly, and provide sufficient detail and coverage Keep things light Don’t overload the users Help users understand their roles in InfoSec Utilize in-house communications media Make the awareness program formal Provide good information early, rather than perfect information late Management of Information Security, 3rd ed. 66

67 Security Awareness (cont’d.)
Effective training and awareness programs make employees accountable for their actions Dissemination and enforcement of policy become easier when training and awareness programs are in place Demonstrating due care and due diligence can help indemnify the institution against lawsuits Management of Information Security, 3rd ed. 67

68 Security Awareness (cont’d.)
Many security awareness components are available at little or no cost Others can be very expensive Examples of security awareness components Videos Posters and banners Lectures and conferences Computer-based training Management of Information Security, 3rd ed. 68

69 Security Awareness (cont’d.)
Examples of security awareness components (cont’d.) Newsletters Brochures and flyers Trinkets (coffee cups, pens, pencils, T-shirts) Bulletin boards Management of Information Security, 3rd ed. 69

70 Security Awareness (cont’d.)
Organizations can establish Web pages or sites dedicated to promoting information security awareness The challenge lies in updating the messages frequently enough to keep them fresh Tips on creating and maintaining an educational Web site See what’s already out there Plan ahead Keep page loading time to a minimum Seek feedback Spend time promoting your site Management of Information Security, 3rd ed. 70

71 Organizing for security
Summary Introduction Organizing for security Placing information security within an organization Components of the security program Information security roles and titles Implementing security education, training, and awareness programs Management of Information Security, 3rd ed. 71

Download ppt "CSE 4482: Computer Security Management: Assessment and Forensics"

Similar presentations

Information Security Policy

Information Security Policy
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
information Security Blueprint

information Security Blueprint
Information Security Policy

Information Security Policy
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Developing Information Security Policy. Why is Developing Good Security Policy Difficult? Effective Security/IA Policy is more than locking doors and.

Developing Information Security Policy. Why is Developing Good Security Policy Difficult? Effective Security/IA Policy is more than locking doors and.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Each problem that I solved became a rule which

Each problem that I solved became a rule which
Developing the Security Program

Developing the Security Program
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Information Systems Security Officer

Information Systems Security Officer
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Chapter 5 Developing the Security Program

Chapter 5 Developing the Security Program
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Corporate Ethics Compliance *

Corporate Ethics Compliance *
TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management
Developing the Security Program

Developing the Security Program
Network security policy: best practices

Network security policy: best practices
Developing the Security Program

Developing the Security Program

Similar presentations

Ads by Google