

Developing a Security Policy Chapter 2

Learning Objectives
- Understand why a security policy is an important part of a firewall implementation
- Determine the goals of your firewall and incorporate them into a security policy
- Follow the seven steps to building a security policy
- Account for situations the firewall can’t handle
- Define responses to security violations
- Work with administration to make your security policy work

What Is a Security Policy?
A set of organization-level rules governing:
- Acceptable use of computing resources
- Security practices
- Operational procedures

Example of a Security Policy

Essential Information in a Security Policy
- Date last updated
- Name of office that developed the policies
- Clear list of policy topics
- Equal emphasis on positive points (access to information) and negative points (unacceptable policies)

Why Is a Security Policy Important?
- Essential component of a fully functional firewall
- Defines what needs to be done when firewall is configured
- Defines intrusion detection and auditing systems that are needed
- Minimizes impact of a “hack attack” on:
  - Staff time
  - Data loss
  - Productivity

Setting Goals for an Effective Security Policy
- Describe a clear vision for a secure networked computing environment
- Be flexible enough to adapt to changes in the organization
- Be consistently communicated and implemented throughout the organization
- Specify how employees can and cannot use the Internet
- Define appropriate and inappropriate behavior as it pertains to privacy and security

Seven Steps to Building a Security Policy
1. Develop a policy team
2. Determine organization’s overall approach to security
3. Identify assets to be protected
4. Determine what should be audited for security
5. Identify security risks
6. Define acceptable use
7. Provide for remote access

Develop a Policy Team
- Members (5-10 people)
  - Senior administrator
  - Member of legal staff
  - Representative from rank-and-file employees
  - Member of IT department
  - Editor or writer who can structure and present the policy coherently
- Identify one person to be the official policy interpreter

Determine Overall Approach to Security
- Two primary activities for overall approach:
  - Restrictive
  - Permissive
- Specific security stances:
  - Open
  - Optimistic
  - Cautious
  - Strict
  - Paranoid

Identify Assets to Be Protected
- Physical assets
  - Actual hardware devices
- Logical assets
  - Digital information that can be viewed and misused
- Network assets
  - Routers, cables, bastion hosts, servers, firewall hardware and software
- System assets
  - Software that runs the system (i.e., server software and applications)

Example of Assets to Be Protected

Determine What Should Be Audited for Security
- Auditing
  - Process of recording which computers are accessing a network and what resources are being accessed
  - Includes recording the information in a log file
- Specify types of communication to be recorded and how long they will be stored
- Use Tripwire to audit system resources
- Use a firewall log to audit security events

Auditing with Tripwire

Auditing with a Firewall Log

Determine What Should Be Audited for Security
- Auditing log files
- Auditing object access

Identify Security Risks
- Specify the kinds of attacks the firewall needs to guard against
  - Denial of service attacks
  - Disclosure of information due to fraud
  - Unauthorized access

Define Acceptable Use
- Define acceptable computing and communications practices on the part of employees and business partners
- Aspects
  - News

Provide for Remote Access
- Specify acceptable protocols
- Determine use of Telnet or Secure Shell (SSH) access to internal network from Internet
- Describe use of cable modem, VPN, and DSL connections to access internal network through the firewall
- Require remote users to have a firewall on their computer

Accounting for What the Firewall Cannot Do
A firewall sandwich or load balancing switches can be compromised by:
- Brute force attack
- Sending an encrypted message to someone within the network with a virus attached
- Employees who give out remote access numbers; unauthorized users can access company network
- Employees who give out passwords

Other Security Policy Topics
- Passwords
- Encryption
- Restrictions on removable media
- ASPs
- Acceptable users
- Secure use of office-owned laptop computers
- Wireless security
- Use of VPNs
- Key policy

Defining Responses to Security Violations
- Gather information on an incident response form
- Define disciplinary action to be pursued if employees access the Internet improperly
- Identify who to contact in case of intrusion

Defining Responses to Security Violations

Overcoming Administrative Obstacles

Educating Employees
- Security User Awareness program
- Advise workers of expectations and consequences
- Make policies available on local network

Presenting and Reviewing the Process
- Keep reports short and concise
- Give people ample time to respond after policy statement is issued

Amending the Security Policy
Change the security policy when:
- The organization makes substantial changes in hardware configuration, or
- The firewall is reconfigured in response to security breaches

Chapter Summary
- What a security policy is; why they are important
- Setting goals that govern how a firewall is configured to protect a network
- Seven steps to building a security policy
- Defining responses to attacks and other intrusions
- Guiding your security policy through corporate bureaucracy to gain management support and achieve security policy goals