© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.


Lesson 5: User Domain and IT Infrastructure Security Policies

Page 2: Learning Objectives
 Describe the different information systems security (ISS) policies associated with the User Domain.
 Describe the different information systems security (ISS) policies associated with the IT infrastructure.

Page 3: Key Concepts
 Reasons for governing users with policies
 Regular and privileged users
 Acceptable use policy (AUP) and privileged-level access agreement (PAA)
 Security awareness policy (SAP)
 Differences between public and private User Domain policies
 Elements of an infrastructure security policy
 Policies associated with various domains of a typical IT infrastructure
 Best practices in creating and maintaining IT policies

Page 4: DISCOVER: CONCEPTS

Page 5: Security Awareness Policy (SAP)
 Addresses:
− Basic principles of information security
− Awareness of risk and threats
− Dealing with unexpected risk
− Reporting suspicious activity, incidents, and breaches
− Building a culture that is security and risk aware

Page 6: Acceptable Use Policy (AUP)
 Attempts to protect an organization’s computers and network
 Addresses password management
 Addresses software licenses
 Addresses intellectual property management
 Describes etiquette
 Describes the level of privacy an individual should expect when using an organization’s computer or network
 Describes noncompliance consequences

Page 7: Privileged-Level Access Agreement (PAA)
 Acknowledges the risk associated with elevated access in the event the credentials are breached or abused
 Asks user to promise to use access only for approved organization business
 Asks user to promise not to attempt to “hack” or breach security
 Asks user to promise to protect any output from these credentials, such as reports, logs, files, and downloads

Page 8: Policy Organization
 Requirements may cross domains
− Malware protection
− Password/authentication requirements
 Requirements may conflict between domains
 Policies will vary among organizations
 Use standard document types to identify domain security control requirements

Page 9: Key Purpose of an IT Infrastructure Policy

Page 10: Three Ways to Organize Policies

Page 11: Policy Documents

Page 12: Seven Domains of a Typical IT Infrastructure

Page 13: Workstation Domain
 Control Standards
− Device management
− User permissions
− Align with functional responsibilities
 Baseline Standards
− Specific technology requirements for each device
− Review standards from vendors or organizations
 Procedures
− Step-by-step configuration instructions
 Guidelines
− Acquisitions (e.g., preferred vendors)
− Description of threats and countermeasures

Page 14: LAN Domain
 Control Standards
− Firewalls
− Denial of service
− Align with functional responsibilities
 Baseline Standards
− Specific technology requirements for each device
− Review standards from vendors or organizations
 Procedures
− Step-by-step configuration
 Guidelines
− Acquisitions (e.g., preferred vendors)
− Description of threats and countermeasures

Page 15: LAN-to-WAN Domain
 Control Standards
− Access control to the Internet
− Traffic filtering
 Baseline Standards
− Specific technology requirements for perimeter devices
 Procedures
− Step-by-step configuration
 Guidelines
− DMZ, IDS/IPS, content filtering

Page 16: WAN Domain
 Control Standards
− WAN management, Domain Name Services, router security, protocols, Web services
 Baseline Standards
− Review standards from vendors or organizations
 Procedures
− Step-by-step configuration of routers and firewalls
− Change management
 Guidelines
− When and how Web services may be used
− DNS management within the LAN and WAN environments

Page 17: Remote Access Domain
 Control Standards
− VPN connections
− Multi-factor authentication
 Baseline Standards
− VPN gateway options
− VPN client options
 Procedures
− Step-by-step VPN configuration and debugging
 Guidelines
− Description of threats
− Security of remote computing environments, such as working from home

Page 18: System/Application Domain
 Control Standards
− Firewalls
− Denial of service
− Align with functional responsibilities
 Baseline Standards
− Specific technology requirements for each device
− Review standards from vendors or organizations
 Procedures
− Step-by-step configuration
 Guidelines
− Acquisitions (e.g., preferred vendors)
− Description of threats and countermeasures

Page 19: DISCOVER: PROCESS

Page 20: Different Types of Users Within an Organization

Page 21: Example of User Types

Page 22: User Access Requirements

Page 23: Contingent and System Accounts

Page 24: Creating Policy Documents
 Documents should
− Differentiate between core requirements and technological requirements
− Follow a standard format
− Remain relevant without constant modification
− Not contain duplicate content

Page 25: DISCOVER: ROLES

Page 26: Who Develops User Policies
 Chief financial officer (CFO)
 Chief operations officer (COO)
 Information security manager
 IT manager
 Marketing and sales manager
 Unit manager
 Materials manager
 Purchasing manager
 Inventory manager

Page 27: Roles and Responsibilities: Who Needs Training?

Page 28: Roles and Responsibilities
 Information Security (IS) Manager
− Policy creation, application, and alignment with organizational goals
 IT Auditor
− Ensuring that controls are in place per policy
 System/Application Administrator
− Applying controls to Workstation, LAN, and LAN-to-WAN Domains

Page 29: DISCOVER: CONTEXTS

Page 30: Differences and Similarities in User Domain Policies
 Differences
− Public organizations must follow Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and other compliance laws
− Private organizations are often smaller and easier to control from a user standpoint
− Private organizations may not follow public-compliance laws

Page 31: Differences and Similarities in User Domain Policies
 Similarities
− Private organizations may follow public-compliance laws depending on their governance requirements
− Public organizations may be small in size and thus have similar control over their user populations

Page 32: DISCOVER: RATIONALE

Page 33: The User as the Weakest Link in the Security Chain

Page 34: The User as the Weakest Link in the Security Chain

Page 35: Lack of Controls
 With a lack of controls, all of the following and more are possible:
− Workstations would have different configurations
− LANs would allow unauthorized traffic
− WANs would have vulnerabilities
− Network devices would not be configured the same
− Users would have access to data they are not directly working with
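The domain slides above (Workstation, LAN, LAN-to-WAN, WAN, Remote Access) each call for Baseline Standards, meaning specific technology requirements for each device, and the Lack of Controls slide describes what happens without them: workstations with different configurations and network devices not configured the same. The script below is an added example, not part of the slide deck, showing how such a baseline is made enforceable: each domain's standard is written down as checkable settings, each device's observed configuration is compared against it, and deviations are reported per domain so an IT auditor can confirm that controls are in place per policy. The domain names follow the slides; the setting names, their required values and the device inventory are constructed assumptions for illustration, not a real vendor or organizational standard.

```python
"""Baseline-standard drift check across IT infrastructure domains.

Added example. The baseline values and the device inventory below are
constructed for illustration; they are not from the slides or any vendor standard.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Baseline standard per domain. A plain value means "must equal";
# ("max", n) means "must be present and no greater than n".
BASELINES: Dict[str, Dict[str, Any]] = {
    "Workstation": {
        "disk_encryption": "enabled",
        "screen_lock_minutes": ("max", 15),
        "av_realtime": "enabled",
        "local_admin_for_users": "disabled",
    },
    "LAN": {
        "unused_switch_ports": "disabled",
        "mgmt_access": "acl_restricted",
    },
    "LAN-to-WAN": {
        "default_egress": "deny",
        "ids_ips": "enabled",
    },
    "Remote Access": {
        "vpn_mfa": "required",
        "split_tunnel": "disabled",
    },
}


@dataclass(frozen=True)
class Deviation:
    device: str
    domain: str
    setting: str
    expected: Any
    actual: Any  # None when the setting is absent from the device config


def _satisfies(expected: Any, actual: Any) -> bool:
    """Evaluate one baseline rule against an observed value."""
    if actual is None:
        return False  # a setting that is not configured at all is never compliant
    if isinstance(expected, tuple) and expected[0] == "max":
        return isinstance(actual, (int, float)) and actual <= expected[1]
    return actual == expected


def check_device(name: str, domain: str, config: Dict[str, Any]) -> List[Deviation]:
    """Return every baseline setting the device fails to meet (empty list = compliant)."""
    return [
        Deviation(name, domain, setting, expected, config.get(setting))
        for setting, expected in BASELINES[domain].items()
        if not _satisfies(expected, config.get(setting))
    ]


def audit(inventory: List[Tuple[str, str, Dict[str, Any]]]) -> Dict[str, List[Deviation]]:
    """Group deviations by domain; domains with no findings are omitted."""
    report: Dict[str, List[Deviation]] = {}
    for name, domain, cfg in inventory:
        for dev in check_device(name, domain, cfg):
            report.setdefault(domain, []).append(dev)
    return report


def compliance_rate(inventory: List[Tuple[str, str, Dict[str, Any]]]) -> float:
    """Fraction of devices with zero deviations from their domain baseline."""
    compliant = sum(1 for name, domain, cfg in inventory if not check_device(name, domain, cfg))
    return compliant / len(inventory)


# Constructed inventory: (device, domain, observed configuration).
SAMPLE_INVENTORY: List[Tuple[str, str, Dict[str, Any]]] = [
    ("ws-01", "Workstation", {"disk_encryption": "enabled", "screen_lock_minutes": 10,
                              "av_realtime": "enabled", "local_admin_for_users": "disabled"}),
    ("ws-02", "Workstation", {"disk_encryption": "disabled", "screen_lock_minutes": 30,
                              "av_realtime": "enabled", "local_admin_for_users": "disabled"}),
    ("sw-core", "LAN", {"unused_switch_ports": "enabled", "mgmt_access": "acl_restricted"}),
    ("fw-edge", "LAN-to-WAN", {"default_egress": "allow"}),  # ids_ips not configured at all
    ("vpn-gw", "Remote Access", {"vpn_mfa": "required", "split_tunnel": "disabled"}),
]

if __name__ == "__main__":
    for domain, devs in audit(SAMPLE_INVENTORY).items():
        print(f"{domain} Domain:")
        for d in devs:
            print(f"  {d.device}: {d.setting} expected {d.expected!r}, found {d.actual!r}")
    print(f"devices fully compliant: {compliance_rate(SAMPLE_INVENTORY):.0%}")
```

The point of the structure is the separation the slides draw: the control standard says what must be true (encryption on, default egress denied), the baseline standard turns that into a per-device setting with a required value, and the check is the procedure that makes the baseline auditable. Treating a missing setting as a deviation rather than silently passing it is what catches the fw-edge case above, where IDS/IPS was never configured rather than misconfigured.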

Page 36: Summary
 Reasons for governing users with policies
 Regular and privileged users
 Acceptable use policy (AUP) and privileged-level access agreement (PAA)
 Security awareness policy (SAP)
 Differences between public and private User Domain policies
 Elements of an infrastructure security policy
 Policies associated with various domains of a typical IT infrastructure
 Best practices in creating and maintaining IT policies

Page 37: OPTIONAL SLIDES

Page 38: Roles and Responsibilities: Who Needs Training?

Page 39: Best Practices for IT Infrastructure Security Policies

Page 40: Best Practices for IT Infrastructure Security Policies (Continued)

Page 41: Best Practices for IT Infrastructure Security Policies (Continued)