Presentation is loading. Please wait.

Presentation is loading. Please wait.

FORESEC Academy FORESEC Academy Security Essentials (II)

Published byCleopatra Carroll Modified over 8 years ago

Similar presentations

Presentation on theme: "FORESEC Academy FORESEC Academy Security Essentials (II)"— Presentation transcript:

1 FORESEC Academy FORESEC Academy Security Essentials (II)

2 FORESEC Academy Preface It never ceases to amaze me - fact that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy," but nobody ever explains what the policy is, let alone how to write or evaluate it. That is why we undertook this research and education project on basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, “The Roadmap,” a usable and effective policy. Thank you!

3 FORESEC Academy Objectives  Defining Security Policy  Using Security Policy to Manage Risk  Identifying Security Policy  Evaluating Security Policy  Issue-specific Security Policy  Exercise: Writing a Personal Security Policy  Contingency Planning within your Policy

4 FORESEC Academy Documentation is Critical  If it is not in writing it never happened.  You must clearly document: - What is expected of users - What you plan on doing - How you plan on doing it - What other people are required to do

5 FORESEC Academy Defining a Policy  Policies direct the accomplishment of objectives - Program Policy - Issue-specific Policy - System-specific Policy An effective and realistic Security Policy is the key to effective and achievable security.

6 FORESEC Academy Defining a Policy (2)  What makes up a policy? -Purpose -Related documents -Cancellation -Background -Scope -Policy statement -Action - Responsibility

7 FORESEC Academy Defining a Policy (3)  Who can sign the policy?  What process is used to: - draft a policy - approve a policy - implement a policy

8 FORESEC Academy Risk Assessment  What do you do? - The “important bid” story -When is it okay to violate or change policy? -Who has the authority to do it? -What are the risks involved?

9 FORESEC Academy Managing Risks in Your Job  Identify risks  Communicate your findings  Update (create) policy as needed  Develop metrics to measure compliance

10 FORESEC Academy Identifying Security Policy  Who does the procedure?  What is the procedure?  When is the procedure done?  Where is the procedure done?  Why is the procedure done?

11 FORESEC Academy Roles and Responsibilities  Formal organizational structure - Who has the title - Who is listed at the top of the organizational chart  Informal organizational structure - Who gets things done - Who really makes decisions

12 FORESEC Academy Levels of Policy  Recognize that policies can exist on different levels - Enterprise-wide/corporate policy - Division-wide policy - Local policy - Issue-specific policy - Procedures and checklists

13 FORESEC Academy Checkpoint: Procedure Guidance  Policies address the who, what, and why.  Procedures address the how, where, and when.

14 FORESEC Academy Evaluating Security Policy  What if your existing policy is confusing and hard to read?  What if it doesn’t cover all the bases?  Use a checklist to evaluate your policy.

15 FORESEC Academy Evaluating Security Policy (2)  Use a checklist: - Does it contain the expected elements? - Is it clear? - Is it concise? - Is it realistic? - Does it provide sufficient guidance?

16 FORESEC Academy Evaluating Security Policy (3)  Checklist, continued... - Is it consistent? - Is it forward-looking? - Are there means to keep it current? - Is the policy readily available to those who need it?

17 FORESEC Academy Issue-Specific Security Policy  Anti-Virus  Password Assessment  Backups  Proprietary Information  Personal Security Policy

18 FORESEC Academy Anti-virus Policy  Define the problem - Various practices risk the introduction of viruses into systems and networks  Develop a solution - Define the scope - Layer the defense strategy - Identify responsibilities - Measure the effectiveness

19 FORESEC Academy Password Assessment Policy  Define the problem - Password assessment is a necessary part of security, but may appear illegal if carried out without proper authority/safeguards  Develop a solution - Identify the risks - Enumerate the countermeasures - Enable administrators to legally assess passwords - Escrow passwords for use during incidents

20 FORESEC Academy Data Backup Policy  Define the problem - Backups are critical to protect information and allow disaster recovery, but are often performed sporadically  Develop a solution - Identify backups as critical - Empower system administrators - Provide for exceptions when necessary - Make sure the policy is implemented

Download ppt "FORESEC Academy FORESEC Academy Security Essentials (II)"

Similar presentations

Writing an Environmental Health Emergency Response Plan Lesson 3 – Starting your Environmental Health Emergency Response Plan.

Writing an Environmental Health Emergency Response Plan Lesson 3 – Starting your Environmental Health Emergency Response Plan.
Project Appraisal Module 5 Session 6.

Project Appraisal Module 5 Session 6.
Program design overview Pre-contract to post-program year Office on Volunteerism and Community Service.

Program design overview Pre-contract to post-program year Office on Volunteerism and Community Service.
NEXT  BACK END Powerful Tools for Profitability and Protection Powerful Tools for Profitability and Protection Brought to you by ZERORISK HR, Inc. Brought.

NEXT  BACK END Powerful Tools for Profitability and Protection Powerful Tools for Profitability and Protection Brought to you by ZERORISK HR, Inc. Brought.
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
Business Continuity and Disaster Recovery Planning.

Business Continuity and Disaster Recovery Planning.
Software Quality Assurance Plan

Software Quality Assurance Plan
Environmental Management System (EMS)

Environmental Management System (EMS)
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
EFFECTIVE DELEGATION AND SUPERVISION

EFFECTIVE DELEGATION AND SUPERVISION
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Content Framework for the Committee Report Using PowerPoint to prepare a formal committee report John A. Cagle.

Content Framework for the Committee Report Using PowerPoint to prepare a formal committee report John A. Cagle.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
ISO 9001 Interpretation : Exclusions

ISO 9001 Interpretation : Exclusions
Computer Security: Principles and Practice

Computer Security: Principles and Practice
The 10 Deadly Sins of Information Security Management

The 10 Deadly Sins of Information Security Management

Similar presentations

Ads by Google