IS4550 Security Policies and Implementation Unit 5 User Policies
Class Agenda 7/14/16
Lesson Covers Chapter 9
Learning Objectives
- Lesson presentation and discussions
- Practice Quiz 1
- Discussion on assignments
- Discussion on lab activities
- Break times as per school regulations
- Try to read the textbook before class
(c) ITT Educational Services, Inc.
Learning Objective
- Describe the different ISS policies associated with the user domain.
Key Concepts
- Reasons for governing users with policies
- Regular and privileged users
- Acceptable use policy (AUP) and privileged-level access agreement (PAA)
- Security awareness policy (SAP)
- Differences between public and private user domain policies
EXPLORE: CONCEPTS
Discussion
- Computer users
- Metcalfe's law
AUP
- Protecting an organization's computers and network
- Managing passwords
- Managing software licenses
- Managing intellectual property
AUP (Continued)
- E-mail etiquette
- Level of privacy an individual should expect when using an organization's computer or network
- Noncompliance consequences
PAA
The PAA generally contains the following from the administrator's perspective:
- Acknowledgement of the risk associated with elevated access in the event the credentials are breached or abused
- Promise to only use the access granted for approved organization business
- Promise not to attempt to "hack" or breach security
- Promise to protect any output from these credentials, such as reports, logs, files, and downloads
Different Types of Users Within an Organization
- Employees
- System administrators
- Security personnel
- Contractors
- Auditors or guests and general public
Different User-Access Requirements
- Each user requires different levels of access to applications and information within the organization
- Users require information from different systems across the organization to do their jobs
- The data coming from different systems often has different security controls
- The different role each user has within the organization can create security challenges
Who Develops User Policies
- Chief financial officer (CFO)
- Chief operations officer (COO)
- Information security manager
- IT manager
- Marketing and sales manager
Who Develops User Policies (Continued)
- Unit manager
- Materials manager
- Purchasing manager
- Inventory manager
Roles and Responsibilities
- Executive managers: responsible for governance and compliance requirements, and funding and policy support
- Program and functional managers: responsible for security management, planning, and implementation; also risk management and contingency planning
- IT security program managers: responsible for broad training in security planning, system and application security management, risk management, and contingency planning
Roles and Responsibilities (Continued)
- Auditors: responsible for broad training in security planning, system and application security management, risk management, and contingency planning
- All users: responsible for basic security
Differences and Similarities in User Domain Policies
Differences:
- Public organizations must follow Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and other compliance laws
- Private organizations are often smaller and easier to control from a user standpoint
- Private organizations may not follow public-compliance laws
Similarities:
- Private organizations may follow public-compliance laws depending on their governance requirements
- Public organizations may be small in size and thus have similar control over their user populations
The User as the Weakest Link in the Security Chain
- People who use computers have different skill levels, and thus different perceptions of information security
- Social engineering can occur at any time within any organization
- Human mistakes often occur and can lead to security breaches
- One of the most significant threats comes from within an organization, from an "insider"
- Applications have weaknesses that are not known, and these weaknesses can be exploited by users either knowingly or unknowingly
- Security awareness training can remove this weakest link in the security chain
Summary
In this presentation, the following were covered:
- Different user types and user access requirements in an organization
- AUP and PAA
- People responsible for developing user policies
- Roles and responsibilities associated with user policies
- User policies in public and private organizations
Unit 5 Discussion and Assignments
- Discussion 5.1: Best Practices for User Policies
- Assignment 5.3: Create User Policy
Unit 5 Lab Activities
- Lab is in the lab manual online
- Lab 5.2: Craft an Organization-Wide Security Awareness Policy
- Reading assignment: read chapters 8 and 9
Class Project: Draft
- Unit 5: U.S. compliance laws now affecting the firm, and any problems or questions
- Unit 6: DoD policy 1–5, and any problems or questions
- Deliverables or milestone drafts as specified in the project content will be submitted
- Final project due in Week 11