Security fundamentals Topic 12 Maintaining organisational security.

Agenda
– Security policies and procedures
– Organisational risk assessment
– Security education and training
– Resolving ethical dilemmas

Policies and procedures
– Policies and guidelines are the stated goals and objectives of an organisation
– Procedures tell how to go about doing what we have to do to enforce a policy
– Policies and procedures are fully and clearly documented, regularly reviewed and maintained

Organisational policies and guidelines
Security Policy is:
– A set of rules that defines how people access technology and the measures for the protection of assets and resources
– Often a collection of smaller, more specialised policies, eg Backup Policy
– The major purposes are:
  To inform all users about the requirements for protecting assets and resources
  To provide guidelines for acquiring, configuring, monitoring and assessing assets, such as computers and other network devices
Computer Technology Purchasing Guidelines are:
– Used to standardise and provide rules for the acquisition of technology
– Prevent the purchase of insecure equipment
– Ensure security features are installed

Organisational policies and guidelines
Access Policy:
– Specifies the rights, privileges and restrictions for users when accessing devices on the network or within the organisation
– Could be a login banner that appears to users when they log in
– Informs users that they could be monitored
Accountability Policy:
– Deals with the responsibility of users when they use assets and perform tasks on the network
– Informs users that auditing will be carried out on assets
– User responsibility for company laptops, PDAs and mobile phones

Organisational policies and guidelines
Authentication Policy:
– Defines acceptable authentication methods to be used to access equipment and technology
– Includes:
  The limitations of access
  Who can perform privileged actions
  Specialised equipment required for authentication
  Remote access restrictions
Password Policy:
– Outlines how passwords should be managed
– Includes the necessary password practices that an organisation will apply
– Can include length, complexity, character restrictions, how often to change and more

Organisational policies and guidelines
Availability Statement:
– States the organisation's expected and required availability of resources and assets
– Includes:
  General operational hours, scheduled maintenance times etc
  Availability of redundant systems
  Procedures for start up and shut down of the network and other systems
IT System and Network Maintenance Policy:
– Determines the access requirements, restrictions and abilities of maintenance personnel

Organisational policies and guidelines
Violations Reporting Policy:
– Outlines what a violation is
– Deals with the process and requirements for reporting violations
– A violation could be a breach of privacy rights or improper equipment use
– An anonymous reporting system encourages use
Firewall Policy:
– Describes the various types of traffic that are not allowed to pass through a firewall: defines filter rules
– Usually created with the procurement of a new firewall
– There may need to be several firewall policies for the requirements of different security zones

Organisational policies and guidelines
Antivirus Policy:
– Minimisation of exposure to, and damage caused by, the spread of malware and malicious code
– Prevention of malicious code incidents
– Includes the operation and maintenance of antivirus software
– Education of users
Privacy Policy:
– Defines and explains the rights and expectations for the privacy of clients, users and business partners
– Includes:
  The monitoring and logging of activities
  The inspection of user files
  The information that is protected by privacy

Organisational policies and guidelines
Acceptable Use Policy:
– Clearly defines what is proper, and what is improper, use of equipment and resources within an organisation
Incident Response Policy:
– Determines how an incident should be dealt with
– Covers an actual, attempted or suspected breach or compromise of an IT system
– Includes detailed procedures for the immediate and correct course of action to take

Service Level Agreements
– An agreement made between an organisation and a company that provides one or many outsourced services
– A contract that defines service requirements and expectations
– Includes penalties for noncompliance

Human Resources Policy
A Human Resources Policy, in terms of security, deals with the practices involving the HR and IT departments. It includes:
– When a new employee is hired: account provisioning, group membership and training in security policies
– When an employee is terminated: deactivating or removing their account and access to systems and resources
– What to do when an employee goes on vacation or an extended leave of absence
– How to handle an employee change of status: name changes or transfer of department
– What security education and training employees need

Documenting system architecture
– Systems architecture refers to the hardware and software of a computer system, and the architecture of systems configured on a network
– Should be fully documented and maintained, including the operating system, hardware and software of each system
– Security violations and nonstandard configurations should be dealt with
Change and Configuration Management Policy
– States who is authorised to make changes to the system architecture
– Defines the process to apply changes
– Includes the justification and documentation required for changes
– Includes all personnel who need to be notified in the change management approval process

Privilege Management and De/Centralised Management
Privilege Management:
– Determines the various access levels and privileges required for access to assets and network resources
– How these are applied to users
– Can decrease the system administration, account and network management workload
Centralised/Decentralised Management:
– Decentralised management = user accounts, groups and privileges created, applied and maintained locally on every server
– Centralised management = user accounts, groups and permissions managed centrally, such as with ADS

Auditing
Auditing deals with monitoring and checking the access and usage of assets and resources, such as:
– What resources a user has accessed
– When the resources were accessed
– The privileges used to access these resources
Audit policies must establish:
– What events should be audited
– Who will review audit logs
– How and where to store audit logs

Logging and inventories
Organisations should retain logs and inventories for:
– Tracking equipment and maintenance
– Tracking repair and maintenance history
– Troubleshooting issues on the network or identifying security issues
A log policy contains detailed information about:
– What should be logged and how
– Who is responsible for maintaining logs
– How logs are stored
– How logs are correctly disposed of

Classification Policies and Due Care
Classification Policies:
– Describe the appropriate handling and protection of assets
– Each classification level should have policies, procedures and handling instructions appropriate to that level
Due Care:
– Describes the expected practices that should be used for protecting systems and assets
– Not a clearly defined term; can mean different things to different organisations
– Should be defined in your security policy, including the consequences of not providing due care

Separation of Duties and Need to Know
Separation of Duties:
– Refers to splitting related duties among various people so that no single person is able to commit unethical, fraudulent or illegal activities
– In computer security, separation of duties is often used in the auditing process
Need to Know:
– A basic security concept that specifies that confidential information is released to, and used by, only the people who need to know that information

Organisational risk assessment
Calculating risk
– Allows the prioritisation of implementing and maintaining security controls
– A higher risk value represents a higher priority risk
– The formula for calculating risk: Threat × Vulnerability × Impact = Risk

Asset ID and threat assessment
Asset identification and valuation
– First step: identify and assign a value to assets
– Asset valuation often includes depreciation and other calculations
– Values of assets can be used to assess risk and apply protection to assets
Threat assessment
– Done after identification of threats to assets and data
– Rank and assign values to each threat, eg rating (1–5)

Assessing impact and vulnerability
Assessing impact:
– Deals with the monetary costs involved if a threat compromised assets, based on the identified threats
– Consider the costs of actual damage, downtime, restoration, loss of property, legal costs of liability and loss of operational continuity
Assessing vulnerability:
– Quantify and measure how vulnerable your organisation is to each threat
– Work out the likelihood of experiencing a given threat
– Rank and assign values to both, eg rating (1–5)
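As an added worked example (not part of the slides), the three risk assessment steps above carried through in code: a constructed register of assets and threats, each with 1–5 ratings for threat, vulnerability and impact, scored with Threat × Vulnerability × Impact and ranked so the highest-risk items are prioritised for controls. Asset names, threats and ratings are all constructed sample values.

```python
"""Worked organisational risk assessment: Threat x Vulnerability x Impact = Risk.
All assets, threats and ratings below are constructed sample data."""
from dataclasses import dataclass

RATING_MIN, RATING_MAX = 1, 5  # the 1-5 rating scale from the slides


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    threat_rating: int         # likelihood the threat is experienced, 1-5
    vulnerability_rating: int  # how exposed the asset is to this threat, 1-5
    impact_rating: int         # cost if the threat compromised the asset, 1-5


def check_rating(value: int, name: str) -> int:
    """Reject ratings outside the agreed scale so a typo cannot skew priorities."""
    if not RATING_MIN <= value <= RATING_MAX:
        raise ValueError(f"{name} rating {value} is outside {RATING_MIN}-{RATING_MAX}")
    return value


def risk_score(item: RiskItem) -> int:
    """Apply the slide formula; the result ranges from 1 to 125."""
    t = check_rating(item.threat_rating, "threat")
    v = check_rating(item.vulnerability_rating, "vulnerability")
    i = check_rating(item.impact_rating, "impact")
    return t * v * i


def prioritise(items):
    """Highest risk first; ties are broken by impact so costlier assets lead."""
    return sorted(items, key=lambda it: (risk_score(it), it.impact_rating), reverse=True)


# Constructed risk register: one row per asset/threat pair identified in steps 1-3
REGISTER = [
    RiskItem("Customer database", "Ransomware via phishing", 4, 3, 5),
    RiskItem("Customer database", "Insider data theft", 2, 4, 5),
    RiskItem("Public web server", "Web application exploit", 5, 2, 3),
    RiskItem("Staff laptops", "Loss or theft of device", 3, 3, 2),
    RiskItem("Print server", "Denial of service", 2, 2, 1),
]


def report(items):
    """One line per item, highest priority first, ready for a control plan."""
    return [f"{risk_score(it):3d}  {it.asset:<18} {it.threat}" for it in prioritise(items)]


if __name__ == "__main__":
    for line in report(REGISTER):
        print(line)
```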

Security education, training and communication
– Critical for effective security
– The training and educating of users is at least as important as the actual technical configurations and application of security technology
– Users should be trained in best practices for security, such as secure passwords
– Communication is critical for the education and training of users in security

User awareness
– Once communication lines have been established, the first step is to raise security awareness
– Awareness is all about changing attitudes toward security
– Increases knowledge of security practices, policies and procedures
– Sets the stage for future security training

Education and training
Training is more formalised sessions based on security
– Relates directly to the roles of employees
– Can be delivered through lectures, demos, case studies and hands-on training
Education is the broader scope of training and awareness
– Results in the understanding of information, implementation and how security practices and technology are utilised

Ethical dilemmas
– Deal with 'grey areas' or unspecified issues of computer, network and organisational security
– The ethics of every incident won't be covered by formal policies, procedures and the law
– About the acceptable norms, principles and correct conduct of staff in the decisions they make beyond policy and the law

Types of dilemmas
Examples:
– Bending the rules to fix things quickly
– Pursuing an attacker into someone else's system
– Temporarily using illegal copies of software
– Inappropriate use of the network or inappropriate materials on a co-worker's computer
– Personally making mistakes
– Working with inadequate policies

Resolving dilemmas
– Ethical dilemmas are not always straightforward
– Professional judgement and experience can be used to make informed decisions
– A code of ethics helps define principles and norms and helps you make a decision
  Written or unwritten
  Standards, principles and acceptable behaviour
When you encounter a dilemma:
– Trust your instincts
– Stall for time
– Talk to others

Lesson summary
– What are the key security policies and procedures for organisational security?
– Steps of organisational risk assessment
– How to go about security education and training
– Dealing with and resolving ethical dilemmas