Presentation is loading. Please wait.

Presentation is loading. Please wait.

Policies and Procedures Security+ Guide to Network Security Fundamentals Chapter 11.

Published bySophia Matthews Modified over 8 years ago

Similar presentations

Presentation on theme: "Policies and Procedures Security+ Guide to Network Security Fundamentals Chapter 11."— Presentation transcript:

1 Policies and Procedures Security+ Guide to Network Security Fundamentals Chapter 11

2 2 Objectives Define the security policy cycle Define the security policy cycle Explain risk identification Explain risk identification Design a security policy Design a security policy Define types of security policies Define types of security policies Define compliance monitoring and evaluation Define compliance monitoring and evaluation

3 3 Understanding the Security Policy Cycle First part of the cycle is risk identification First part of the cycle is risk identification Risk identification seeks to determine the risks that an organization faces against its information assets Risk identification seeks to determine the risks that an organization faces against its information assets That information becomes the basis of developing a security policy That information becomes the basis of developing a security policy A security policy is a document or series of documents that clearly defines the defense mechanisms an organization will employ to keep information secure A security policy is a document or series of documents that clearly defines the defense mechanisms an organization will employ to keep information secure

4 4 Understanding the Security Policy Cycle

5 5 Reviewing Risk Identification First step in security policy cycle is to identify risks First step in security policy cycle is to identify risks Involves the four steps: Involves the four steps: –Inventory the assets –Determine what threats exist against the assets and by which threat agents –Investigate whether vulnerabilities exist that can be exploited –Decide what to do about the risks

6 6 Reviewing Risk Identification

7 7 Asset Identification An asset is any item with a positive economic value An asset is any item with a positive economic value Many types of assets, classified as follows: Many types of assets, classified as follows: –Physical assets – Data –Software – Hardware –Personnel Along with the assets, attributes of the assets need to be compiled Along with the assets, attributes of the assets need to be compiled

8 8 Asset Identification After an inventory of assets has been created and their attributes identified, the next step is to determine each item’s relative value After an inventory of assets has been created and their attributes identified, the next step is to determine each item’s relative value Factors to be considered in determining the relative value are listed on pages 386 and 387 of the text Factors to be considered in determining the relative value are listed on pages 386 and 387 of the text

9 9 Threat Identification A threat is not limited to those from attackers, but also includes acts of God, such as fire or severe weather A threat is not limited to those from attackers, but also includes acts of God, such as fire or severe weather Threat modeling constructs scenarios of the types of threats that assets can face Threat modeling constructs scenarios of the types of threats that assets can face The goal of threat modeling is to better understand who the attackers are, why they attack, and what types of attacks may occur The goal of threat modeling is to better understand who the attackers are, why they attack, and what types of attacks may occur

10 10 Threat Identification A valuable tool used in threat modeling is the construction of an attack tree A valuable tool used in threat modeling is the construction of an attack tree An attack tree provides a visual image of the attacks that may occur against an asset An attack tree provides a visual image of the attacks that may occur against an asset

11 11 Threat Identification Access student grade system Steal passwordDefeat security Use unattended computer Exploit software security hole Look under mouse pad Watch over shoulder

12 12 Vulnerability Appraisal After assets have been inventoried and prioritized and the threats have been explored, the next question becomes, what current security weaknesses may expose the assets to these threats? After assets have been inventoried and prioritized and the threats have been explored, the next question becomes, what current security weaknesses may expose the assets to these threats? Vulnerability appraisal takes a current snapshot of the security of the organization as it now stands Vulnerability appraisal takes a current snapshot of the security of the organization as it now stands

13 13 Vulnerability Appraisal To assist with determining vulnerabilities of hardware and software assets, use vulnerability scanners To assist with determining vulnerabilities of hardware and software assets, use vulnerability scanners These tools, available as free Internet downloads and as commercial products, compare the asset against a database of known vulnerabilities and produce a discovery report that exposes the vulnerability and assesses its severity These tools, available as free Internet downloads and as commercial products, compare the asset against a database of known vulnerabilities and produce a discovery report that exposes the vulnerability and assesses its severity

14 14 Risk Assessment Final step in identifying risks is to perform a risk assessment Final step in identifying risks is to perform a risk assessment Risk assessment involves determining the likelihood that the vulnerability is a risk to the organization Risk assessment involves determining the likelihood that the vulnerability is a risk to the organization Each vulnerability can be ranked by the scale Each vulnerability can be ranked by the scale Sometimes calculating anticipated losses can be helpful in determining the impact of a vulnerability Sometimes calculating anticipated losses can be helpful in determining the impact of a vulnerability

15 15 Risk Assessment Formulas commonly used to calculate expected losses are: Formulas commonly used to calculate expected losses are: –Single Loss Expectancy –Annualized Loss Expectancy An organization has three options when confronted with a risk: An organization has three options when confronted with a risk: –Accept the risk –Diminish the risk –Transfer the risk

16 16 Risk Assessment

17 17 Designing the Security Policy Designing a security policy is the logical next step in the security policy cycle Designing a security policy is the logical next step in the security policy cycle After risks are clearly identified, a policy is needed to mitigate what the organization decides are the most important risks After risks are clearly identified, a policy is needed to mitigate what the organization decides are the most important risks

18 18 What Is a Security Policy? A policy is a document that outlines specific requirements or rules that must be met A policy is a document that outlines specific requirements or rules that must be met –Has the characteristics listed on page 393 of the text –Correct vehicle for an organization to use when establishing information security A standard is a collection of requirements specific to the system or procedure that must be met by everyone A standard is a collection of requirements specific to the system or procedure that must be met by everyone A guideline is a collection of suggestions that should be implemented A guideline is a collection of suggestions that should be implemented

19 19 Balancing Control and Trust To create an effective security policy, two elements must be carefully balanced: trust and control To create an effective security policy, two elements must be carefully balanced: trust and control Three models of trust: Three models of trust: –Trust everyone all of the time –Trust no one at any time –Trust some people some of the time

20 20 Designing a Policy When designing a security policy, you can consider a standard set of principles When designing a security policy, you can consider a standard set of principles These can be divided into what a policy must do and what a policy should do These can be divided into what a policy must do and what a policy should do

21 21 Designing a Policy

22 22 Designing a Policy Security policy design should be the work of a team and not one or two technicians Security policy design should be the work of a team and not one or two technicians The team should have these representatives: The team should have these representatives: –Senior level administrator –Member of management who can enforce the policy –Member of the legal staff –Representative from the user community

23 23 Elements of a Security Policy Because security policies are formal documents that outline acceptable and unacceptable employee behavior, legal elements are often included in these documents Because security policies are formal documents that outline acceptable and unacceptable employee behavior, legal elements are often included in these documents The three most common elements: The three most common elements: –Due care –Separation of duties –Need to know

24 24 Elements of a Security Policy

25 25 Due Care Term used frequently in legal and business settings Term used frequently in legal and business settings Defined as obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them Defined as obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them

26 26 Separation of Duties Key element in internal controls Key element in internal controls Means that one person’s work serves as a complementary check on another person’s Means that one person’s work serves as a complementary check on another person’s No one person should have complete control over any action from initialization to completion No one person should have complete control over any action from initialization to completion

27 27 Need to Know One of the best methods to keep information confidential is to restrict who has access to that information One of the best methods to keep information confidential is to restrict who has access to that information Only that employee whose job function depends on knowing the information is provided access Only that employee whose job function depends on knowing the information is provided access

28 28 Types of Security Policies Umbrella term for all of the subpolicies included within it Umbrella term for all of the subpolicies included within it In this section, you examine some common security policies: In this section, you examine some common security policies: –Acceptable use policy –Human resource policy –Password management policy –Privacy policy –Disposal and destruction policy –Service-level agreement

29 29 Types of Security Policies

30 30 Types of Security Policies

31 31 Types of Security Policies

32 32 Acceptable Use Policy (AUP) Defines what actions users of a system may perform while using computing and networking equipment Defines what actions users of a system may perform while using computing and networking equipment Should have an overview regarding what is covered by this policy Should have an overview regarding what is covered by this policy Unacceptable use should also be outlined Unacceptable use should also be outlined

33 33 Human Resource Policy Policies of the organization that address human resources Policies of the organization that address human resources Should include statements regarding how an employee’s information technology resources will be addressed Should include statements regarding how an employee’s information technology resources will be addressed

34 34 Password Management Policy Although passwords often form the weakest link in information security, they are still the most widely used Although passwords often form the weakest link in information security, they are still the most widely used A password management policy should clearly address how passwords are managed A password management policy should clearly address how passwords are managed In addition to controls that can be implemented through technology, users should be reminded of how to select and use passwords In addition to controls that can be implemented through technology, users should be reminded of how to select and use passwords

35 35 Privacy Policy Privacy is of growing concern among today’s consumers Privacy is of growing concern among today’s consumers Organizations should have a privacy policy that outlines how the organization uses information it collects Organizations should have a privacy policy that outlines how the organization uses information it collects

36 36 Disposal and Destruction Policy A disposal and destruction policy that addresses the disposing of resources is considered essential A disposal and destruction policy that addresses the disposing of resources is considered essential The policy should cover how long records and data will be retained The policy should cover how long records and data will be retained It should also cover how to dispose of them It should also cover how to dispose of them

37 37 Service-Level Agreement (SLA) Policy Contract between a vendor and an organization for services Contract between a vendor and an organization for services Typically contains the items listed on page 403 Typically contains the items listed on page 403

38 38 Understanding Compliance Monitoring and Evaluation The final process in the security policy cycle is compliance monitoring and evaluation The final process in the security policy cycle is compliance monitoring and evaluation Some of the most valuable analysis occurs when an attack penetrates the security defenses Some of the most valuable analysis occurs when an attack penetrates the security defenses A team must respond to the initial attack and reexamine security policies that address the vulnerability to determine what changes need to be made to prevent its reoccurrence A team must respond to the initial attack and reexamine security policies that address the vulnerability to determine what changes need to be made to prevent its reoccurrence

39 39 Incidence Response Policy Outlines actions to be performed when a security breach occurs Outlines actions to be performed when a security breach occurs Most policies outline composition of an incidence response team (IRT) Most policies outline composition of an incidence response team (IRT) Should be composed of individuals from: Should be composed of individuals from: –Senior management– IT personnel –Corporate counsel– Human resources –Public relations

40 40 Incidence Response Policy

41 41 Ethics Policy Codes of ethics by external agencies have encouraged its membership to adhere to strict ethical behavior within their profession Codes of ethics by external agencies have encouraged its membership to adhere to strict ethical behavior within their profession Codes of ethics for IT professionals are available from the Institute for Electrical and Electronic Engineers (IEEE) and the Association for Computing Machinery (ACM), among others Codes of ethics for IT professionals are available from the Institute for Electrical and Electronic Engineers (IEEE) and the Association for Computing Machinery (ACM), among others Main purpose of an ethics policy is to state the values, principles, and ideals each member of an organization must agree to Main purpose of an ethics policy is to state the values, principles, and ideals each member of an organization must agree to

42 42 Summary The security policy cycle defines the overall process for developing a security policy The security policy cycle defines the overall process for developing a security policy There are four steps in risk identification: There are four steps in risk identification: –Inventory the assets and their attributes –Determine what threats exist against the assets and by which threat agents –Determine whether vulnerabilities exist that can be exploited by surveying the current security infrastructure –Make decisions regarding what to do about the risks

43 43 Summary A security policy development team should be formed to create the information security policy A security policy development team should be formed to create the information security policy An incidence response policy outlines actions to be performed when a security breach occurs An incidence response policy outlines actions to be performed when a security breach occurs A policy addressing ethics can also be formulated by an organization A policy addressing ethics can also be formulated by an organization

44 44 Key Terms Pages 407 – 408 Pages 407 – 408 Review Questions Review Questions –Pages 408 – 410

45 45 Hands-On Projects Receiving Security Information through RSS Receiving Security Information through RSS –Pages 410 – 413 Wiping Data from a Floppy Disk Wiping Data from a Floppy Disk –Pages 413 – 414 Using a Security Scanner Using a Security Scanner –Page 415

Download ppt "Policies and Procedures Security+ Guide to Network Security Fundamentals Chapter 11."

Similar presentations

CWSP Guide to Wireless Security

CWSP Guide to Wireless Security
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 14 Security Policies and Training.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 14 Security Policies and Training.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
9-Performing Vulnerability Assessments Dr. John P. Abraham Professor UTPA.

9-Performing Vulnerability Assessments Dr. John P. Abraham Professor UTPA.
Security Controls – What Works

Security Controls – What Works
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Laboratory Personnel Dr/Ehsan Moahmen Rizk.

Laboratory Personnel Dr/Ehsan Moahmen Rizk.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 6 Enterprise Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 6 Enterprise Security.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Risk Management.

Risk Management.
Session 3 – Information Security Policies

Session 3 – Information Security Policies

Similar presentations

Ads by Google