
Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.


3 Security+ Chapter 10 – Implementing Organizational Policies Brian E. Brzezicki

4 Security Policies (468) No company can have security without strong support from management and a structured plan. Security policies are part of a security plan; they provide the structure and rules that ensure security concerns are addressed. They are high level, not specific: standards and guidelines supply the detail that gives the policies their support. Policies MUST be enforced, otherwise they are useless.

5 Change Management (470) All organizations need change management policies and procedures. Without structured change management it is too easy for issues to pop up: changes are introduced that cause disruption or problems, and unrecorded changes to systems and networks accumulate, making it hard to recreate a system when needed.

6 Documentation (470) Systems, processes, procedures, and changes need to be documented. Failing to document can make it impossible to recreate a system in its running state. Documentation failures can also affect HR, legal and regulatory concerns.

7 Patch Management (471) Systems need to be updated to remain in a secure state. However, patch management must also include a process (testing, staged rollout, a rollback plan) to ensure that patching does not cause service outages, introduce bugs, or cause unexpected failures.

8 Due Diligence and Due Care (472) Due Diligence: the research an organization does to understand the risks it faces. Due Care: the steps taken to protect against the risks the organization faces.

9 Need to Know / Least Privilege (473) Fundamental security concept that states a subject should have only the minimal amount of knowledge (need to know) or permissions (least privilege) that they NEED to perform their job functions.

10 Service Level Agreement (474) An agreement between a service provider and its customer that states the expected level of service: the response time expected after a failure, the amount of uptime for a system or network, and performance metrics. Required both from an engineering standpoint, to ensure that solutions are appropriate, and from a legal standpoint.

11 Personnel Policies

12 Personnel Policies (475) Human Resource policies that deal directly with personnel: behavior, expectations, conflicts of interest, consequences. Some important personnel policies are: Acceptable Use, Privacy Policy, Code of Ethics, Mandatory Vacations, Separation of Duties, Job Rotation.

13 Acceptable Use (475) Protects an organization by stating how systems and networks are allowed to be used. Should clearly state what types of actions are forbidden; this protects an organization from potential legal issues. Can anyone think of how acceptable use policies protect an organization from legal issues?

14 Privacy Policy (n/b) A policy that states the level of privacy a user should expect. Organizations CANNOT monitor employees without the employees having been notified that they are being monitored. Login banners should also be used to remind users of any system monitoring.

15 Code of Ethics (476) A guide to drive a user's behavior.

16 Mandatory Vacations (477) Ensuring that users actually take their vacations, specifically to fight potential fraud (a scheme that needs daily upkeep tends to surface while its operator is away). Can also be used to ensure there are no personnel central points of failure.

17 Separation of Duties (477) Ensure that no one employee can control any process from beginning to end. Fights fraud: it requires multiple people to work together (collude) in order to commit fraud.

18 Job Rotation (477) Ensure that employees rotate or perform different functions, or that any single position can be and is carried out by multiple people. Specifically to fight potential fraud; can also be used to ensure there are no personnel central points of failure.

19 Education and Training (480) Employees are the weak point in security. You must ensure employees have enough knowledge to properly protect organizational assets, and education and training are essential to that end. Some threats, such as phishing, can only be effectively countered through education and training.

20 Computer Disposal (481-484) Often after an upgrade cycle computers (or copiers, etc.) are thrown away, donated to charities or sold. Any equipment that has storage should have its data sanitized: secure deletion (overwriting the media); reinstallation (only if the installer wipes the whole drive, since a plain reinstall leaves the old data recoverable from unallocated space); physical destruction of storage media; degaussing of magnetic storage media.

21 Incident Response Policies (485) Very important policies that guide users in the case of an incident. Policies should define the Incident Response Team and the Response Steps.

22 Incident Response Team (485) Group of employees with varying areas of expertise who are called on to respond to an incident: senior management, systems/network engineers, security analysts, public relations.

23 Response Steps (486) A response to an incident should be known beforehand. Even though incidents involve unexpected issues and concerns, there should be a structured plan for dealing with them. Possible steps: identification of an incident; containment*; evidence collection*; investigation; eradication; recovery; procedure changes. (* Possibly conflicting steps: containing an incident, for example by powering a system off or rebuilding it, can destroy the evidence you still need to collect, so the plan must decide the order in advance.)

24 Preserving Evidence (488) Preserving evidence and keeping it reliable and untainted is critical if you want to pursue legal action. When doing forensics on a computer you should follow these steps: 1. Dump system RAM (volatile data is lost at power-off). 2. Power down the system. 3. Make a bit-level image of the hard drive (3 copies), recording a cryptographic hash of the original and of each image so the copies can be shown to be identical. 4. Analyze one of the images.

25 Preserving Evidence (n/b) In the step above we mentioned you should make at least 3 bit-level images of the hard drive. The reasoning is: one to store with the original hard drive, in case the original is lost; one to keep in order to verify the integrity of the original files compared to the files after analysis; one to actually analyze.

26 Chain of Custody (489) If you choose to collect evidence to present in a legal proceeding, proper steps must be taken from beginning to end to ensure the integrity of the evidence: labeling evidence; ensuring that everyone who handles the evidence is logged; ensuring no unauthorized access to evidence.
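The three-copy imaging procedure and the chain-of-custody log from the slides above, as an added example that is not part of the original presentation. The evidence "drive" is a constructed byte string standing in for a raw block device, the case identifier and examiner names are hypothetical, and a one-byte change to the working copy simulates an analysis tool altering what it examines; the storage and verification copies still hash to the original value, which is what lets the evidence be shown to be untainted.

```python
"""Added example, not part of the original slides: bit-level imaging with three
copies, hash verification of each copy, and a chain-of-custody log.
The evidence "drive" is a constructed byte string standing in for a raw block
device; on a real system the imager would read the device block by block."""
import hashlib
import hmac
from datetime import datetime, timezone

BLOCK_SIZE = 4096  # imagers copy fixed blocks, whether allocated or not

# Constructed sample evidence (16 KiB of synthetic bytes), not real data.
ORIGINAL_DRIVE = bytes(range(256)) * 64


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bit_level_image(device: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Copy every block, including unallocated space and slack, unchanged."""
    image = bytearray()
    for off in range(0, len(device), block_size):
        image += device[off:off + block_size]
    return bytes(image)


def make_images(device: bytes, copies: int = 3) -> tuple[list[bytes], str]:
    """Hash the original first, then produce `copies` independent images."""
    original_hash = sha256_of(device)
    return [bit_level_image(device) for _ in range(copies)], original_hash


def verify_image(image: bytes, expected_hash: str) -> bool:
    """An image is acceptable only if its hash matches the original's."""
    return hmac.compare_digest(sha256_of(image), expected_hash)


class CustodyLog:
    """Who handled which artifact, when, and what it hashed to at that moment."""

    def __init__(self, evidence_id: str) -> None:
        self.evidence_id = evidence_id
        self.entries: list[dict] = []

    def record(self, handler: str, action: str, artifact: bytes) -> None:
        self.entries.append({
            "evidence_id": self.evidence_id,
            "time": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "sha256": sha256_of(artifact),
        })

    def unchanged_throughout(self) -> bool:
        """True if every logged hash is identical, i.e. nothing was altered."""
        return len({e["sha256"] for e in self.entries}) == 1


def run_case() -> dict:
    """Image the drive, hand copies out, simulate an analysis that alters the
    working copy, and show that the other two copies still prove integrity."""
    images, original_hash = make_images(ORIGINAL_DRIVE)
    storage_copy, verify_copy, work_copy = images
    log = CustodyLog("CASE-0001-HDD")  # hypothetical case identifier
    log.record("examiner A", "imaged original (3 copies)", ORIGINAL_DRIVE)
    log.record("examiner A", "sealed storage copy with original", storage_copy)
    log.record("examiner B", "received verification copy", verify_copy)
    # Analysis tools sometimes write to what they examine: simulate one changed byte.
    work_copy = work_copy[:100] + b"X" + work_copy[101:]
    return {
        "storage_ok": verify_image(storage_copy, original_hash),
        "verify_ok": verify_image(verify_copy, original_hash),
        "work_ok": verify_image(work_copy, original_hash),
        "log_consistent": log.unchanged_throughout(),
    }


if __name__ == "__main__":
    print(run_case())
```

Running the block prints the four checks: the sealed storage copy and the verification copy still match the hash taken before imaging, the working copy no longer does, and every custody entry recorded the same hash, so the log itself documents that nothing changed between hand-offs.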

27 File Deletion Terms (n/b) When a user deletes a file, its contents are not actually removed (unless using a highly secure OS or a secure-deletion tool); only the filesystem's reference to the file is. Some important terms relating to this are: Free (unallocated) space: the space a deleted file occupied, which is available for reuse but still holds the old contents until something else overwrites it. Slack space: file space is allocated in fixed-size blocks (clusters), and a file rarely fills its last block exactly. The unused area at the end of a file's last allocated block, even while the file is in use, is called the slack space. Information may be hidden in this space (see visualization).

28 Slack Space (n/b) Attackers can hide data in slack space to avoid detection: a normal file read stops at the file's recorded length and never returns those bytes, so only a raw or forensic read of the disk reveals them.
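The free-space and slack-space behaviour described on the last two slides, as an added example that is not part of the original presentation. It uses a constructed toy disk with 512-byte allocation blocks and a bump allocator; the file names and the hidden payload are made up. Real filesystems differ in block size and layout, but the mechanism is the same: a delete drops only the directory entry, a normal read returns exactly the recorded length, and a raw scan of the disk finds both the deleted file's bytes and the payload tucked into slack.

```python
"""Added example, not part of the original slides: a constructed toy disk with
fixed-size allocation blocks. It shows (1) that deleting a file only drops the
directory entry, leaving its bytes in free space, (2) the slack between a
file's true length and the end of its last block, and (3) that data hidden in
slack is invisible to a normal read but visible to a raw scan of the disk."""
BLOCK = 512  # constructed block (cluster) size


class ToyDisk:
    def __init__(self, blocks: int) -> None:
        self.raw = bytearray(blocks * BLOCK)         # the "platter"
        self.files: dict[str, tuple[int, int]] = {}  # name -> (first block, length)
        self.next_block = 0                          # simple bump allocator

    def write(self, name: str, data: bytes) -> None:
        n_blocks = -(-len(data) // BLOCK)  # ceiling division: whole blocks only
        off = self.next_block * BLOCK
        self.raw[off:off + len(data)] = data
        self.files[name] = (self.next_block, len(data))
        self.next_block += n_blocks

    def read(self, name: str) -> bytes:
        """A normal read returns exactly the recorded length, never the slack."""
        start, length = self.files[name]
        return bytes(self.raw[start * BLOCK:start * BLOCK + length])

    def delete(self, name: str) -> None:
        """Like most filesystems: drop the metadata, leave the bytes in place."""
        del self.files[name]

    def slack_range(self, name: str) -> tuple[int, int]:
        """Byte offsets [start, end) of the unused tail of the file's last block."""
        start, length = self.files[name]
        n_blocks = -(-length // BLOCK)
        return start * BLOCK + length, (start + n_blocks) * BLOCK

    def hide_in_slack(self, name: str, payload: bytes) -> bool:
        """Write payload into the slack of an existing file, if it fits."""
        lo, hi = self.slack_range(name)
        if len(payload) > hi - lo:
            return False
        self.raw[lo:lo + len(payload)] = payload
        return True

    def carve(self, marker: bytes) -> list[int]:
        """Forensic-style raw scan: every offset on the disk where marker appears."""
        hits, pos = [], self.raw.find(marker)
        while pos != -1:
            hits.append(pos)
            pos = self.raw.find(marker, pos + 1)
        return hits


def demo() -> dict:
    disk = ToyDisk(8)
    disk.write("report.txt", b"Q3 numbers" * 70)   # 700 bytes -> 2 blocks, 324 B slack
    disk.write("secret.txt", b"payroll export")     # lands in block 2 (offset 1024)
    disk.delete("secret.txt")                       # its bytes are now "free space"
    hidden = disk.hide_in_slack("report.txt", b"EXFIL:api-key-123")  # made-up payload
    lo, hi = disk.slack_range("report.txt")
    return {
        "slack_bytes": hi - lo,
        "hidden_written": hidden,
        "normal_read_sees_hidden": b"EXFIL" in disk.read("report.txt"),
        "raw_scan_hidden_at": disk.carve(b"EXFIL:"),
        "deleted_file_still_at": disk.carve(b"payroll export"),
    }


if __name__ == "__main__":
    print(demo())
```

The 700-byte file occupies two 512-byte blocks, leaving 324 bytes of slack; the payload written there never appears in a normal read, and the deleted file's contents are still found at offset 1024. This is exactly why a bit-level image (rather than a file-by-file copy) is used for evidence: it captures slack and unallocated space, which a file-level copy would silently skip.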

