Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Published byMartha Watson Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions."— Presentation transcript:

1 Network Security Policy Anna Nash MBA 737

2 Agenda Overview Goals Components Success Factors Common Barriers Importance Questions

3 Overview A Network Security Policy:  Provides rules for access to and proper use of computer and network resources  Defines procedures to prevent and respond to improper use of network components, including associated data and systems

4 Goals The goal of Network Security Policy is to:  Strategically align network controls with enterprise business objectives in a value added fashion  Provide the appropriate mechanisms for effectively managing risk related to the network infrastructure and network-accessible assets  Provide the metrics needed to ensure that network security risks are appropriately mitigated and access policies effectively followed

5 Components Network security policies are subjective, developed to meet the specific goals and risks of each individual organization However, there are components common to all successful network security policies, including:  Asset Management  HR Security  Physical Security  Communications/Operations Management  Access Control  Software Security  Incident Management  Business Continuity Management  Compliance

6 Components: Asset Management Asset Management is the set of policies and procedures designed to protect organizational assets Assets include information, software assets, physical assets, people and intangibles such as reputation Typical Asset Management Policies include:  Inventory  Ownership Assignment  Defined Acceptable Use

7 Components: HR Security HR Security is the set of policies and procedures designed to ensure employees, contractors and third party users understand their responsibilities and are an appropriate fit for their role(s) within the organization. HR policies can be targeted to different timeframes  Prior to employment  During employment  Termination / Change of employment Typical HR Security Policies include:  Screening / Background Checks  Security Awareness Training  Disciplinary Processes  Termination Responsibilities  Removal of Access Rights

8 Components: Physical Security Physical Security is the set of policies and procedures designed to prevent unauthorized physical access, damage and interference to the organization’s physical premises and information Should also prevent loss or theft of physical assets Typical Physical Security Policies include:  Physical entry policies  Security of offices, rooms and facilities  Equipment maintenance procedures  Security of equipment off-premises  Disposal or removal of property

9 Components: Communications/Operations Mgt. Communications and Operations Management policies and procedures are designed to ensure the correct and secure operation of IT facilities This encompasses a broad set of controls including:  Malicious code protection  Back-Ups  Network Controls  Handling and Disposal of removable media  Protection of information exchange including E-Mail  Protection of on-line transactions  Logging and Monitoring of systems to record security events

10 Components: Access Control Access Control policies and procedures are designed to control access to the organization’s information Access Control policies typically include:  User access management  User permission management  Password management  Reviews of access  Authentication mechanisms  Network separation and associated controls  Telework controls and restrictions

11 Components: Software Security Software security policies and procedures are designed to ensure security is an integral part of IT systems (both those systems provided by third parties, and those developed in-house) Typical Software Security policies include:  Security requirements  Input data validation  Output validation  Integrity Checks  Encryption Requirements  Change Control  Security Patching / Vulnerability Management

12 Components: Incident Management Incident Management policies and procedures are designed to ensure that security events are discovered, communicated and corrected in a timely manner Typical Incident Management policies include:  Reporting of events  Reporting of vulnerabilities and weaknesses  Incident Handling and Recovery  Reporting of lessons learned after incidents

13 Components: Business Continuity Management Business Continuity Management policies and procedures are designed to minimize the impact of system failures or disasters and to ensure timely recovery of critical systems Scope includes both preventative and recovery controls Organization must understand the business impact of failures and disasters prior to formulating policies for prevention and recovery Typical Business Continuity Management policies include:  Scope definition (requirements for critical business continuity)  Continuity Plan  Testing and maintenance of plan

14 Components: Compliance Compliance policies and procedures are designed to help the organization avoid breaches of any relevant laws or regulatory requirements. Should also focus on avoiding contractual breaches and security requirements or policy violations Typical Compliance policies include:  Documentation of applicable legislation  Data protection (organization trade secrets, private personal information)  Information System Audit controls

15 Network Security Policy: Success Criteria The success of a Network Security Policy is directly related to:  Policy’s alignment with business objectives  Support from management  Employee awareness & acceptance of policy  Enforceability of the policy  Corporate dedication to treat the policy as a living document

16 Network Security Policy: Common Barriers Barriers common to unsuccessful Network Security Policies include:  Lack of funding  Lack of alignment with business objectives and organizational risk  Idiots

17 Importance The risks surrounding network based operations are increasing:  Cyber attacks are growing both in frequency and severity  There is a growing gap between the rate of technology adoption and the rate of controls adoption  Convergence of technologies has led to a convergence of risk, increasing the potential impact of attaches The dependence on technology, particularly network operations, is similarly increasing

18 Questions ?

Download ppt "Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions."

Similar presentations

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….

IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….
ISMS standards and control processes ISO27001 & ISO27002

ISMS standards and control processes ISO27001 & ISO27002
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Auditing Computer Systems

Auditing Computer Systems
ISO Information Security Management

ISO Information Security Management
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Introduction to Network Defense

Introduction to Network Defense
 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.

 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.

Similar presentations

Ads by Google