Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.


Lesson 9-Information Security Best Practices

Overview Understanding administrative security. Security project plans. Understanding technical security. Making use of ISO

Understanding Administrative Security Administrative security policies: Define the importance of information and information systems to the company and its employees. Define the resources required to accomplish appropriate risk management activities. Identify the individuals responsible for managing the information security risk for the organization.

Understanding Administrative Security Administrative security policies fall under the following areas: Policies and procedures. Resources. Responsibility. Education. Contingency plans.

Policies and Procedures The most important policies that organizations must draft are: Information policy - Defines the level of sensitivity of information assets within the organization. Security policy - Defines the technical controls and security configurations to be implemented on all computer systems.

Policies and Procedures The most important policies that organizations must draft are (continued): Use policy - Identifies the approved uses of organization computer systems and the penalties for misusing such systems. Backup policy - Defines the frequency of information backups and the method of moving backups to off-site storage.

Policies and Procedures Organizations must define the following procedures: User management - Includes information about individuals who can authorize access to the organization’s computer systems. System administration - Defines the process of implementing the organization’s security policy on various systems. Configuration management - Defines the steps for making changes to production systems.

Resources Determining required resources depends on: The size of the organization. The organization’s business. The risk to the organization. The full risk assessment of the organization. The plan to manage risk.

Resources The project management triangle

Resources The security department staff members should have the following skills: Security administration - A thorough understanding of day-to-day administration of security devices. Policy development - Hands-on experience in the development and maintenance of security policies, procedures, and plans. Architecture - An understanding of network and system architectures and implementation of new systems.

Resources The security department staff members should have the following skills (continued): Research - The examination of new security technologies for risk assessment. Assessment - Experience in conducting risk assessment activities, such as penetration and security testing. Audit - Experience in conducting system and procedure audits.

Resources An organization’s security budget is based on: The scope and time frame of the security project. The capital expenditures, current operations, and cost of training. The security project plans.

Responsibility An executive-level position must own security responsibilities within an organization. This position should have the authority to define the organization's policy and sign off on all security-related policies. It should also have the authority to enforce policy, and it should develop metrics to track progress toward security goals.

Education The best practices for education include: Preventive measures. Enforcement measures. Incentive measures.

Preventive Measures Preventive measures explain the importance of, and the need to protect, an organization's information assets. They help employees comply with policies and procedures. They include awareness programs, publicity campaigns, electronic mail messages, and pop-up windows.

Enforcement Measures Enforcement measures require employees to abide by the organization's policies and procedures. Enforcement can take the form of security-awareness training. Employees can also be provided copies of relevant policies and asked to sign a security statement.

Incentive Programs Incentive programs: Can increase the reporting of security issues. Can be in the form of monetary incentives or verbal encouragement. Can also be used for suggestions on how to improve security.

Contingency Plans Contingency plans include: Incident response - Defines the series of steps to be taken in the event of a compromise. Backup and data archival - Defines how and when backups are to be taken. It also specifies the backup storage and restore mechanisms. Disaster recovery - Identifies the most critical resources and states the need and objectives in the event of a disaster.

Security Project Plans Best practices recommend that the security department establish the following plans: Improvement plans - Address the risk areas and implement appropriate changes to the environment. Vulnerability assessment - Includes regular scans of the organization's systems. It also includes regular follow-up with system administrators to ensure corrective actions are being taken.

Security Project Plans Best practices recommend that the security department establish the following plans (continued): Assessment plans - Frequently assess the risk to the organization. Audit plans - Ensure policy compliance. Training - Includes schedules for awareness training classes and publicity campaigns. Policy evaluation - Includes built-in review schedules.

Understanding Technical Security Network connectivity. Malicious code protection. Authentication. Monitoring.

Understanding Technical Security Encryption. Patching systems. Backup and recovery. Physical security.

Network Connectivity To protect an organization from unwanted intrusions, the following network connectivity practices are recommended: Permanent connections - Network connections to other organizations or the Internet are protected by a firewall. This prevents damage in one network from spreading to others. Remote access connections - These connections can be dial-in connections or connections across the Internet. Two-factor authentication, such as dial-back modems or dynamic passwords, is recommended.

Malicious Code Protection To protect systems from computer viruses or Trojan horse programs: Use anti-virus programs for servers, desktops, and systems. Allow frequent signature updates and the delivery of updates.

Authentication The following are the recommended best practices for password usage: Passwords must be a minimum of eight characters in length. The last ten passwords should not be reused. Passwords should always be stored in encrypted form, inaccessible to normal users. Passwords should not be more than 60 days old. Passwords should be composed of alphanumeric characters.

Authentication The following are the recommended best practices for password usage (continued): Dynamic passwords or other two-factor authentication mechanisms offer added security. Systems should be configured to start a screen saver while the employee is away. The system should require re-authentication to access the system.
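The password rules on the two Authentication slides (minimum length, alphanumeric composition, no reuse of the last ten passwords, 60-day maximum age), implemented as a policy check. This is an added example, not code from the lesson; the PBKDF2 storage format, the constants and the function names are assumptions chosen to illustrate the slides' rules.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8          # "minimum of eight characters"
HISTORY_DEPTH = 10      # "the last ten passwords should not be reused"
MAX_AGE_DAYS = 60       # "should not be more than 60 days old"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store passwords as (salt, PBKDF2-HMAC-SHA256 key), never in the clear.
    The slides only say 'encrypted form'; a salted, slow hash is the usual realisation."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


def check_new_password(candidate: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the list of policy violations for a proposed password.
    history holds (salt, key) pairs for previous passwords, newest first.
    An empty list means the candidate is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        problems.append("must contain both letters and digits")
    # Re-derive the candidate under each stored salt and compare in constant time
    for salt, stored_key in history[:HISTORY_DEPTH]:
        _, candidate_key = hash_password(candidate, salt)
        if hmac.compare_digest(candidate_key, stored_key):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """True when the password is older than the 60-day limit and must be rotated."""
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample: one previous password on file, then three candidates
    history = [hash_password("Winter2023")]
    for cand in ("Winter2023", "short1", "Spring2024"):
        print(cand, check_new_password(cand, history) or "ok")
```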

Monitoring Auditing is a mechanism for monitoring actions that occur on a computer system. The audit logs must keep track of the following events: Login/logoff. Failed login attempts. Dial-in connection attempts. Supervisor/administrator/root login. Supervisor/administrator/root privileged functions. Sensitive file access.
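Detection logic over the event types the Monitoring slide says an audit log must record: repeated failed logins, administrator/root logins, privileged functions and sensitive file access. This is an added example, not part of the lesson; the log line format, the sample lines, the watch list of sensitive paths and the failure threshold are all constructed for illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample audit log in a simple "timestamp host event: key=value ..." format
SAMPLE_LOG = """\
2024-05-01T08:00:01 host1 login: user=alice result=success src=10.0.0.5
2024-05-01T08:01:10 host1 login: user=bob result=failure src=10.0.0.9
2024-05-01T08:01:12 host1 login: user=bob result=failure src=10.0.0.9
2024-05-01T08:01:15 host1 login: user=bob result=failure src=10.0.0.9
2024-05-01T08:02:00 host1 login: user=root result=success src=10.0.0.9
2024-05-01T08:02:30 host1 privileged: user=root cmd=useradd
2024-05-01T08:03:00 host1 fileaccess: user=bob path=/etc/shadow mode=read
2024-05-01T08:04:00 host1 logoff: user=alice
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\w+): (?P<fields>.*)$")
PRIVILEGED_USERS = {"root", "administrator", "supervisor"}   # slide: supervisor/administrator/root
SENSITIVE_PATHS = ("/etc/shadow", "/etc/passwd", "/var/backups")  # hypothetical watch list
FAILED_LOGIN_THRESHOLD = 3   # alert on the third consecutive failure for one account


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one audit line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return {"ts": m["ts"], "host": m["host"], "event": m["event"], **fields}


def find_alerts(log_text: str) -> List[Tuple[str, str]]:
    """Walk the log once and return (alert_type, detail) pairs in order of occurrence."""
    alerts: List[Tuple[str, str]] = []
    failures: Counter = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["event"] == "login" and ev.get("result") == "failure":
            failures[ev["user"]] += 1
            if failures[ev["user"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_failed_login", ev["user"]))
        elif ev["event"] == "login" and ev.get("user") in PRIVILEGED_USERS:
            alerts.append(("privileged_login", ev["user"]))
        elif ev["event"] == "privileged":
            alerts.append(("privileged_function", f"{ev['user']}:{ev.get('cmd', '?')}"))
        elif ev["event"] == "fileaccess" and ev.get("path", "").startswith(SENSITIVE_PATHS):
            alerts.append(("sensitive_file_access", f"{ev['user']}:{ev['path']}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in find_alerts(SAMPLE_LOG):
        print(f"ALERT {kind}: {detail}")
```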

Monitoring Intrusion detection systems (IDS) monitor networks or systems. They trigger an alarm when security is compromised. Host-based IDS may be used to examine log files. Network-based IDS helps monitor the network for attacks or unusual traffic.

Encryption Encrypt information while transmitting over unsecured lines or electronic mail. Choose an algorithm that matches the sensitivity of the information being protected. Use well-known and well-tested encryption algorithms.

Encryption Use link encryption for transmission lines between organization facilities. Follow regulatory standards, such as HIPAA, when transmitting over open networks.

Patching Systems Patches correct vulnerabilities. Install patches only after testing. Install patches according to the organization’s change control procedures. Check for new patches frequently.

Backup and Recovery Information on servers should be backed up regularly. Verify all backups to determine whether the backup successfully copied the important files. Establish a regular schedule of backup tests. Backups must be accessible to restore systems in the event of system failures. Backups should be stored off-site for protection.
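One way to carry out the "verify all backups" step above: record a SHA-256 manifest of the source tree at backup time, then check the backup copy against it to find files that were skipped or copied incompletely. This is an added example, not the lesson's own procedure; the sample source tree, the manifest format and the function names are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(manifest: Dict[str, str], backup_root: Path) -> Dict[str, object]:
    """Compare a backup tree against the manifest taken when the backup was made.
    Returns the files that are missing, the files whose content differs, and an ok count."""
    missing: List[str] = []
    corrupt: List[str] = []
    for rel, expected in manifest.items():
        target = backup_root / rel
        if not target.is_file():
            missing.append(rel)
        elif file_digest(target) != expected:
            corrupt.append(rel)
    return {"missing": missing, "corrupt": corrupt,
            "ok": len(manifest) - len(missing) - len(corrupt)}


def demo() -> Dict[str, object]:
    """Constructed scenario: back up a small tree, damage the copy, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n")
        (src / "config.ini").write_text("[server]\nport=443\n")
        (src / "notes.txt").write_text("keep\n")
        manifest = build_manifest(src)
        bak = Path(tmp) / "backup"
        shutil.copytree(src, bak)
        (bak / "db" / "customers.csv").write_text("id,name\n")  # simulate a truncated copy
        (bak / "notes.txt").unlink()                             # simulate a file the job skipped
        return verify_backup(manifest, bak)


if __name__ == "__main__":
    print(demo())
```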

Physical Security The following physical security mechanisms are recommended: Physical access - Restrict access to the data center, where all sensitive computers are kept. Climate - Configure climate control units to notify administrators if a failure occurs.

Physical Security The following physical security mechanisms are recommended (continued): Fire suppression - Configure fire-suppression systems to prevent any damage to the systems in the data center. Electrical power - Size battery backups to provide sufficient power for computer systems to shut down.

Making Use of ISO The Information Technology - Code of Practice for Information Security Management (ISO 17799) covers the following areas: Security policy - Covers the need for a security policy. It also recommends regular reviews and evaluation of the document.

Making Use of ISO The Information Technology - Code of Practice for Information Security Management (ISO 17799) covers the following areas (continued): Organizational security - Covers how information security functions are managed within an organization. Asset classification and control - Covers the need to properly protect both physical and information assets.

Making Use of ISO ISO key concepts include: Personnel security - Discusses the need to manage the risk within the hiring process and ongoing employee education. Physical and environmental security - Discusses the need to protect all physical assets from theft, fire, and other hazards. Communications and operations management - Covers the need for documented management procedures for computers and networks.

Making Use of ISO ISO key concepts include (continued): Access control - Discusses the control of access to information, systems, networks, and applications. Systems development and maintenance - Discusses the inclusion of security in development projects.

Making Use of ISO ISO key concepts include (continued): Business continuity management - Discusses the risks of business interruptions and various alternatives for continuity management. Compliance - Discusses how the organization should enforce policy and check compliance.

Summary Administrative security practices include policies and procedures, resources, responsibility, education, and contingency plans. The security department must establish plans for improvement, assessment, vulnerability assessment, audits, training, and policy evaluation.

Summary Technical security measures deal with the implementation of security controls on computers and networked systems. ISO standards help establish an effective security program.