Chapter 11: Policies and Procedures

Slides:



Advertisements
Similar presentations
CWSP Guide to Wireless Security
Advertisements

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Auditing Computer Systems
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 14 Security Policies and Training.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
9-Performing Vulnerability Assessments Dr. John P. Abraham Professor UTPA.
Security Controls – What Works
Security Awareness: Applying Practical Security in Your World
Security+ Guide to Network Security Fundamentals, Fourth Edition
Laboratory Personnel Dr/Ehsan Moahmen Rizk.
School Safety Training
Introducing Computer and Network Security
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 6 Enterprise Security.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Auditing A Risk-Based Approach To Conducting A Quality Audit
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Risk Management.
Session 3 – Information Security Policies
Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
SEC835 Database and Web application security Information Security Architecture.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Basics of OHSAS Occupational Health & Safety Management System
HIPAA PRIVACY AND SECURITY AWARENESS.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Security in Practice Enterprise Security. Business Continuity Ability of an organization to maintain its operations and services in the face of a disruptive.
Risk Management (Risk Identification)
Computer Security “Measures and controls that ensure confidentiality, integrity, and availability of IS assets including hardware, software, firmware,
Security Architecture
Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.
INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.
April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, WITH THANKS TO.
Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.
1 User Policy (slides from Michael Ee and Julia Gideon)
John Carpenter & lecture & Information Security 2008 Lecture 1: Subject Introduction and Security Fundamentals.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.
.  Define risk and risk management  Describe the components of risk management  List and describe vulnerability scanning tools  Define penetration.
Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.
Chapter 11: Policies and Procedures Security+ Guide to Network Security Fundamentals Second Edition.
Introduction to Information Security
Copyright © 2007 Pearson Education Canada 7-1 Chapter 7: Audit Planning and Documentation.
Policies and Procedures Security+ Guide to Network Security Fundamentals Chapter 11.
Security fundamentals Topic 12 Maintaining organisational security.
Information Security IBK3IBV01 College 2 Paul J. Cornelisse.
ISO/IEC 27001:2013 Annex A.8 Asset management
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.
Copyright © 2007 Pearson Education Canada 23-1 Chapter 23: Using Advanced Skills.
Chap 8: Administering Security.  Security is a combination Technical – covered in chap 1 Administrative Physical controls SE571 Security in Computing.
James Fox Shane Stuart Danny Deselle Matt Baldwin Acceptable Use Policies.
Chapter 2 - Ethics for IT Professionals and IT Users1 Ethics for IT Professionals and IT Users 2 Chapter.
INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.
Principles of Information Security, Fourth Edition Risk Management Ch4 Part I.
Computer Science / Risk Management and Risk Assessment Nathan Singleton.
Welcome to the ICT Department Unit 3_5 Security Policies.
CompTIA Security+ Study Guide (SY0-401)
CompTIA Security+ Study Guide (SY0-401)
COMP3357 Managing Cyber Risk
IS4680 Security Auditing for Compliance
Cybersecurity compliance for attorneys
IS4680 Security Auditing for Compliance
Presentation transcript:

Chapter 11: Policies and Procedures Security+ Guide to Network Security Fundamentals Second Edition

Objectives Define the security policy cycle Explain risk identification Design a security policy Define types of security policies Define compliance monitoring and evaluation

Understanding the Security Policy Cycle First part of the cycle is risk identification Risk identification seeks to determine the risks that an organization faces against its information assets That information becomes the basis of developing a security policy A security policy is a document or series of documents that clearly defines the defense mechanisms an organization will employ to keep information secure

Understanding the Security Policy Cycle Start Here

Reviewing Risk Identification First step in security policy cycle is to identify risks Involves the four steps: Inventory the assets Determine what threats exist against the assets and by which threat agents Investigate whether vulnerabilities exist that can be exploited Decide what to do about the risks

Reviewing Risk Identification

Asset Identification An asset is any item with a positive economic value Many types of assets, classified as follows: Physical assets – Hardware Software – Data Personnel – Employees Along with the assets, attributes of the assets need to be compiled

Asset Identification (continued) After an inventory of assets has been created and their attributes identified, the next step is to determine each item’s relative value Factors to be considered in determining the relative value are listed on pages 386 and 387 of the text

Threat Identification A threat is not limited to those from attackers, but also includes acts of God (forces of nature), such as fire or severe weather – disasters Threat modeling constructs scenarios of the types of threats that assets can face The goal of threat modeling is to better understand who the attackers are, why they attack, and what types of attacks may occur

Threat Identification (continued) A valuable tool used in threat modeling is the construction of an attack tree An attack tree provides a visual image of the attacks that may occur against an asset

Threat Identification (continued) Goal of attack Type of attack How attack may occur

Vulnerability Appraisal After assets have been inventoried and prioritized and the threats have been explored, the next question becomes, what current security weaknesses may expose the assets to these threats? Vulnerability appraisal takes a current snapshot of the security of the organization as it now stands

Vulnerability Appraisal To assist with determining vulnerabilities of hardware and software assets, use vulnerability scanners Nessus, NeWT, GFI LanGuard, MBSA These tools, available as free Internet downloads and as commercial products, compare the asset against a database of known vulnerabilities and produce a discovery report that exposes the vulnerability and assesses its severity

Risk Assessment Final step in identifying risks is to perform a risk assessment Risk assessment involves determining the likelihood that the vulnerability is a risk to the organization Each vulnerability can be ranked by the scale Sometimes calculating anticipated losses can be helpful in determining the impact of a vulnerability

Risk Assessment (continued) Formulas commonly used to calculate expected losses are: Single Loss Expectancy Annualized Loss Expectancy An organization has three options when confronted with a risk: Accept the risk- risk is minimal Diminish the risk – implement security Transfer the risk – insurance, third party Car stereo example

Risk Assessment (continued)

Designing the Security Policy Designing a security policy is the logical next step in the security policy cycle After risks are clearly identified, a policy is needed to mitigate what the organization decides are the most important risks

What Is a Security Policy? A policy is a document that outlines specific requirements or rules that must be met Communicate a consensus of judgment Define what appropriate behavior for users is Identify what tools and procedures are needed Provides a foundation for HR action in response to inappropriate behavior

What Is a Security Policy? (cont.) The security policy should also outline standards and guidelines for network access A standard is a collection of requirements specific to the system or procedure that must be met by everyone Remote access procedures, server installs A guideline is a collection of suggestions that should be implemented Best practices

Balancing Control and Trust To create an effective security policy, two elements must be carefully balanced: trust and control Three models of trust: Trust everyone all of the time Trust no one at any time Trust some people some of the time A security policy attempts to provide the right amount of trust for productivity Too much control (security) may cause users to look for ways to circumvent network usage policies

Designing a Policy When designing a security policy, you can consider a standard set of principles These can be divided into what a policy must do and what a policy should do

Designing a Policy (examples)

Designing a Policy (continued) Security policy design should be the work of a team and not one or two technicians The team should have these representatives: Senior level administrator Member of management who can enforce the policy Member of the legal staff Representative from the user community (where’s the tech???)

Elements of a Security Policy Because security policies are formal documents that outline acceptable and unacceptable employee behavior, legal elements are often included in these documents The three most common elements: Due care Separation of duties Need to know

Elements of a Security Policy

Due Care Defined as obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them Due care is the care that a reasonable person would exercise under the given circumstances For infosec, due care is often used to indicate the reasonable treatment that an employee would exercise when using computer equipment See page 397 for more examples

Separation of Duties Key element in internal controls such that one person’s work serves as a complementary check on another person’s Think of checks and balances No one person should have complete control over any action from initialization to completion Personnel should only perform those duties specified in their job descriptions Given the size of the company and IT staff this may be difficult to implement

Need to Know One of the best methods to keep information confidential is to restrict who has access to that information Only that employee whose job function depends on knowing the information is provided access Access to data is given on a need-to-know basis Need-to-know decisions should be conducted at the management level

Types of Security Policies Umbrella term for all of the subpolicies included within it In this section, you examine some common security policies: Acceptable use policy Human resource policy Password management policy Privacy policy Disposal and destruction policy Service-level agreement http://www.sans.org/resources/policies/ http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf

Types of Security Policies

Types of Security Policies

Types of Security Policies

Acceptable Use Policy (AUP) Defines what actions users of a system may perform while using computing and networking equipment AUPs typically cover all computer use, including Internet usage, email, printing and password security Unacceptable use should also be outlined All users should be required to sign the AUP as part of their employment or education AUPs are generally considered to be the most important information security policies

Human Resource Policy Policies of the organization that address human resources regarding how an employee’s information technology resources will be addressed Should include employee orientation Should also include penalties for policy violation Terms of termination and the guidelines to follow upon employee termination

Password Management Policy Although passwords often form the weakest link in information security, they are still the most widely used A password management policy should clearly address how passwords are managed In addition to controls that can be implemented through technology, password policies should also outline characteristics of weak and strong passwords and provide examples

Privacy Policy Organizations should have a privacy policy that outlines how the organization uses information it collects Privacy statements are also becoming more popular as part of online applications and purchases

Disposal and Destruction Policy One of the classic social engineering techniques used by attackers is to dig through documents or equipment that has been discarded (dumpster diving) The policy should cover how long records and data will be retained It should also cover how to dispose of them This includes both paper and hardware Best practice for giving away equipment is to do so through a third-party or make sure that all proper precautions are met Dismantle equipment, format drives etc…

Service-Level Agreement (SLA) Policy Contract between a vendor and an organization for services Typically contains the items listed on page 403

Understanding Compliance Monitoring and Evaluation The final process in the security policy cycle is compliance monitoring and evaluation Some of the most valuable analysis occurs when an attack penetrates the security defenses A team must respond to the initial attack and reexamine security policies that address the vulnerability to determine what changes need to be made to prevent its reoccurrence

Incidence Response Policy Outlines actions to be performed when a security breach occurs Most policies outline composition of an incidence response team (IRT) Should be composed of individuals from: Senior management – IT personnel, HR Corporate counsel – legal team Public relations – Microsoft http://www.cert.org/csirts/Creating-A-CSIRT.html

Incidence Response Policy

Ethics Policy Codes of ethics by external agencies have encouraged its membership to adhere to strict ethical behavior within their profession Codes of ethics for IT professionals are available from the Institute for Electrical and Electronic Engineers (IEEE) and the Association for Computing Machinery (ACM), among others Main purpose of an ethics policy is to state the values, principles, and ideals each member of an organization must agree to

Summary The security policy cycle defines the overall process for developing a security policy There are four steps in risk identification: Inventory the assets and their attributes Determine what threats exist against the assets and by which threat agents Determine whether vulnerabilities exist that can be exploited by surveying the current security infrastructure Make decisions regarding what to do about the risks

Summary (continued) A security policy development team should be formed to create the information security policy An incidence response policy outlines actions to be performed when a security breach occurs A policy addressing ethics can also be formulated by an organization

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.