
Security fundamentals Topic 12 Maintaining organisational security.


1 Security fundamentals Topic 12 Maintaining organisational security

2 Agenda
Security policies and procedures
Organisational risk assessment
Security education and training
Resolving ethical dilemmas

3 Policies and procedures
Policies and guidelines are the stated goals and objectives of an organisation
Procedures tell how to go about doing what we have to do to enforce a policy
Policies and procedures are fully and clearly documented, regularly reviewed and maintained

4 Organisational policies and guidelines
Security Policy is:
– A set of rules that defines how people access technology and the measures for the protection of assets and resources
– Often a collection of smaller, more specialised policies, eg Backup Policy
– The major purposes are:
   To inform all users about the requirements for protecting assets and resources
   To provide guidelines for acquiring, configuring, monitoring and assessing assets, such as computers and other network devices
Computer Technology Purchasing Guidelines are:
– Used to standardise and provide rules for the acquiring of technology
– Prevent the purchase of insecure equipment
– Ensure security features are installed

5 Organisational policies and guidelines
Access Policy:
– Specifies the rights, privileges and restrictions for users when accessing devices on the network or within the organisation
– Could be a login banner that appears to users when they log in
– Informs users that they could be monitored
Accountability Policy:
– Deals with the responsibility of users when they use assets and perform tasks on the network
– Informs users that auditing will be carried out on assets
– Covers user responsibility for company laptops, PDAs and mobile phones

6 Organisational policies and guidelines
Authentication Policy:
– Defines acceptable authentication methods to be used to access equipment and technology
– Includes:
   The limitations of access
   Who can perform privileged actions
   Specialised equipment required for authentication
   Remote access restrictions
Password Policy:
– Outlines how passwords should be managed
– Includes the necessary password practices that an organisation will apply
– Can include length, complexity, character restrictions, how often to change and more

7 Organisational policies and guidelines
Availability Statement:
– States the organisation's expected and required availability of resources and assets
– Includes:
   General operational hours, scheduled maintenance times etc
   Availability of redundant systems
   Procedures for start-up and shutdown of the network and other systems
IT System and Network Maintenance Policy:
– Determines the access requirements, restrictions and abilities of maintenance personnel

8 Organisational policies and guidelines
Violations Reporting Policy:
– Outlines what a violation is
– Deals with the process and requirements for reporting violations
– A violation could be a breach of privacy rights, improper email use or improper equipment use
– An anonymous reporting system encourages reporting
Firewall Policy:
– Describes the various types of traffic that aren't allowed to pass through a firewall: defines the filter rules
– Usually created with the procurement of a new firewall
– There may need to be several firewall policies to meet the requirements of different security zones

9 Organisational policies and guidelines
Antivirus Policy:
– Minimisation of exposure to, and damage caused by, the spreading of malware and other malicious code
– Prevention of malicious code incidents
– Includes the operation and maintenance of antivirus software
– Education of users
Privacy Policy:
– Defines and explains the rights and expectations for the privacy of clients, users and business partners
– Includes:
   The monitoring and logging of activities
   The inspection of user files
   The information that is protected by privacy

10 Organisational policies and guidelines
Acceptable Use Policy:
– Clearly defines what is proper, and what is improper, use of equipment and resources within an organisation
Incident Response Policy:
– Determines how an incident should be dealt with
– An incident includes an actual, attempted or suspected breach or compromise of an IT system
– Includes detailed procedures for the immediate and correct course of action to take

11 Service Level Agreements
An agreement made between an organisation and a company that provides one or many outsourced services
A contract that defines service requirements and expectations
Includes penalties for non-compliance

12 Human Resources Policy
A Human Resources Policy, in terms of security, deals with the practices involving the HR and IT departments. Includes:
– When a new employee is hired: account provisioning, group membership and training in security policies
– When an employee is terminated: deactivating or removing their account and access to systems and resources
– What to do when an employee goes on vacation or an extended leave of absence
– How to handle an employee change of status: name changes or transfer of department
– What security education and training employees need

13 Documenting system architecture
– Systems architecture refers to the hardware and software of a computer system
– The architecture of systems configured on a network
– Should be fully documented and maintained, including the operating system, hardware and software of each system
– Security violations and nonstandard configurations should be dealt with
Change and Configuration Management Policy
– States who is authorised to make changes to the system architecture
– The process to apply changes
– Includes the justification and documentation required for changes
– Includes all personnel who need to be notified in the change management approval process

14 Privilege Management and De/Centralised Management
Privilege Management:
– Determines the various access levels and privileges required for access to assets and network resources
– How these are applied to users
– Can decrease the system administration, account and network management workload
Centralised/Decentralised Management:
– Decentralised management = user accounts, groups and privileges created, applied and maintained locally on every server
– Centralised management = user accounts, groups and permissions managed centrally, such as in Active Directory (ADS)

15 Auditing
Auditing deals with monitoring and checking access to and usage of assets and resources, such as:
– What resources a user has accessed
– When the resources were accessed
– The privileges used to access these resources
Audit policies must establish:
– What events should be audited
– Who will review audit logs
– How and where to store audit logs

16 Logging and inventories
Organisations should retain logs and inventories for:
– Tracking equipment and maintenance
– Tracking repair history and maintenance
– Troubleshooting issues on the network or identifying security issues
A log policy contains detailed information about:
– What should be logged and how
– Who is responsible for maintaining logs
– How logs are stored
– How logs are correctly disposed of

17 Classification Policies and Due Care
Classification Policies:
– Describe the appropriate handling and protection of assets
– Each classification level should have policies, procedures and handling instructions appropriate to that level
Due Care:
– Used to describe the expected practices that should be used for protecting systems and assets
– Not a clearly defined term and can mean different things to different organisations
– Should be defined in your security policy, including the consequences of not providing due care

18 Separation of Duties and Need to Know
Separation of Duties:
– Refers to the splitting of related duties among various people in an attempt to stop a single person from being able to commit unethical, fraudulent or illegal activities
– In computer security, separation of duties is often used in the auditing process
Need to Know:
– A basic security concept that specifies the release and use of confidential information only to people that need to know that information

19 Organisational risk assessment
Calculating risk
– Allows the prioritisation of implementing and maintaining security controls
– A higher risk value represents a higher priority risk
– The formula for calculating risk: Threat × Vulnerability × Impact = Risk

20 Asset ID and threat assessment
Asset identification and valuation
– First step: identify and assign a value to assets
– Asset valuation often includes depreciation and other calculations
– Values of assets can be used to assess risk and apply protection to assets
Threat assessment
– Is done after identification of threats to assets and data
– Rank and assign values to each threat, eg rating (1–5)

21 Assessing impact and vulnerability
Assessing impact:
– Deals with the monetary costs involved if a threat compromised assets, based on identified threats
– Consider the costs of actual damage, downtime, restoration, loss of property, legal costs of liability and loss of operational continuity
Assessing vulnerability:
– To quantify and measure how vulnerable your organisation is to each threat
– Work out the likelihood of experiencing a given threat
– Rank and assign values to both, eg rating (1–5)
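The risk-assessment procedure of slides 19 to 21 carried through in code, as an added example that is not part of the deck: assets and threats get 1–5 ratings for threat, vulnerability and impact, risk is Threat × Vulnerability × Impact, and the register is ranked so the highest-risk items are treated first. The asset names, valuations and ratings are constructed sample data.

```python
"""Organisational risk assessment: Risk = Threat x Vulnerability x Impact.
Added example (not from the slides); the asset register below is constructed.
"""
from dataclasses import dataclass

RATING_MIN, RATING_MAX = 1, 5  # the deck's 1-5 rating scale


def check_rating(name: str, value: int) -> int:
    """Reject ratings outside 1-5 so a typo cannot silently skew priorities."""
    if not isinstance(value, int) or not RATING_MIN <= value <= RATING_MAX:
        raise ValueError(f"{name} rating {value!r} must be an integer 1-5")
    return value


@dataclass(frozen=True)
class RiskEntry:
    asset: str                 # identified asset (slide 20: asset ID)
    asset_value: int           # valuation in currency units, for tie-breaking
    threat: str
    threat_rating: int         # slide 20: threat assessment, 1-5
    vulnerability_rating: int  # slide 21: likelihood of experiencing the threat, 1-5
    impact_rating: int         # slide 21: cost if the threat compromises the asset, 1-5

    def risk(self) -> int:
        """Slide 19 formula: Threat x Vulnerability x Impact (range 1-125)."""
        return (check_rating("threat", self.threat_rating)
                * check_rating("vulnerability", self.vulnerability_rating)
                * check_rating("impact", self.impact_rating))


def prioritise(entries: list[RiskEntry]) -> list[tuple[str, str, int]]:
    """(asset, threat, risk) sorted highest risk first; ties broken by asset value."""
    ranked = sorted(entries, key=lambda e: (e.risk(), e.asset_value), reverse=True)
    return [(e.asset, e.threat, e.risk()) for e in ranked]


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    RiskEntry("customer database", 250_000, "ransomware", 4, 3, 5),
    RiskEntry("customer database", 250_000, "insider data theft", 2, 2, 5),
    RiskEntry("public web server", 40_000, "defacement", 3, 4, 2),
    RiskEntry("staff laptop", 2_000, "loss or theft", 4, 4, 3),
]

if __name__ == "__main__":
    for asset, threat, score in prioritise(SAMPLE_REGISTER):
        print(f"{score:>3}  {asset:<20} {threat}")
```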

22 Security education, training and communication
Critical for effective security
The training and educating of users is at least as important as the actual technical configuration and application of security technology
Users should be trained in best practices for security, such as secure passwords
Communication is critical for the education and training of users in security

23 User awareness
Once communication lines have been established, the first step is to raise security awareness
It is all about changing attitudes toward security
Increasing knowledge of security practices, policies and procedures
Sets the stage for future security training

24 Education and training
Training consists of more formalised sessions on security
– Relates directly to the roles of employees
– Can be delivered through lectures, demos, case studies and hands-on training
Education is the broader scope of training and awareness
– Results in an understanding of information, implementation and how security practices and technology are utilised

25 Ethical dilemmas
Deal with ‘grey areas’ or unspecified issues of computer, network and organisational security
Ethics for every incident won’t be covered by formal policies, procedures and the law
About the acceptable norms, principles and correct conduct of staff in the decisions they make that are beyond policy and the law

26 Types of dilemmas
Examples:
– Bending the rules to fix things quickly
– Pursuing an attacker into someone else’s system
– Temporarily using illegal copies of software
– Inappropriate use of the network or inappropriate materials on a co-worker's computer
– Personally making mistakes
– Working with inadequate policies

27 Resolving dilemmas
Ethical dilemmas are not always straightforward
Professional judgement and experience can be used to make informed decisions
A code of ethics helps define principles and norms and helps you make a decision
– Written or unwritten
– Standards, principles and acceptable behaviour
When you encounter a dilemma:
– Trust your instincts
– Stall for time
– Talk to others

28 Lesson summary
What are the key security policies and procedures for organisational security?
Steps of organisational risk assessment
How to go about security education and training
Dealing with and resolving ethical dilemmas

