
1 Developing a Security Policy Chapter 2

2 Learning Objectives
- Understand why a security policy is an important part of a firewall implementation
- Determine the goals of your firewall and incorporate them into a security policy
- Follow the seven steps to building a security policy
- Account for situations the firewall can’t handle
- Define responses to security violations
- Work with administration to make your security policy work

3 What Is a Security Policy?
A set of organization-level rules governing:
- Acceptable use of computing resources
- Security practices
- Operational procedures

4 Example of a Security Policy

5 Essential Information in a Security Policy
- Date last updated
- Name of office that developed the policies
- Clear list of policy topics
- Equal emphasis on positive points (access to information) and negative points (unacceptable policies)

6 Why Is a Security Policy Important?
- Essential component of a fully functional firewall
- Defines what needs to be done when firewall is configured
- Defines intrusion detection and auditing systems that are needed
- Minimizes impact of a “hack attack” on:
  - Staff time
  - Data loss
  - Productivity

7 Setting Goals for an Effective Security Policy
- Describe a clear vision for a secure networked computing environment
- Be flexible enough to adapt to changes in the organization
- Be consistently communicated and implemented throughout the organization
- Specify how employees can and cannot use the Internet
- Define appropriate and inappropriate behavior as it pertains to privacy and security

8 Seven Steps to Building a Security Policy
1. Develop a policy team
2. Determine organization’s overall approach to security
3. Identify assets to be protected
4. Determine what should be audited for security
5. Identify security risks
6. Define acceptable use
7. Provide for remote access

9 Develop a Policy Team
- Members (5-10 people)
  - Senior administrator
  - Member of legal staff
  - Representative from rank-and-file employees
  - Member of IT department
  - Editor or writer who can structure and present the policy coherently
- Identify one person to be the official policy interpreter

10 Determine Overall Approach to Security
- Two primary activities for overall approach:
  - Restrictive
  - Permissive
- Specific security stances:
  - Open
  - Optimistic
  - Cautious
  - Strict
  - Paranoid

11 Identify Assets to Be Protected
- Physical assets
  - Actual hardware devices
- Logical assets
  - Digital information that can be viewed and misused
- Network assets
  - Routers, cables, bastion hosts, servers, firewall hardware and software
- System assets
  - Software that runs the system (i.e., server software and applications)

12 Example of Assets to Be Protected

13 Determine What Should Be Audited for Security
- Auditing
  - Process of recording which computers are accessing a network and what resources are being accessed
  - Includes recording the information in a log file
- Specify types of communication to be recorded and how long they will be stored
- Use Tripwire to audit system resources
- Use a firewall log to audit security events

14 Auditing with Tripwire

15 Auditing with a Firewall Log

16 Determine What Should Be Audited for Security
- Auditing log files
- Auditing object access

17 Identify Security Risks
- Specify the kinds of attacks the firewall needs to guard against
  - Denial of service attacks
  - Disclosure of information due to fraud
  - Unauthorized access

18 Define Acceptable Use
- Define acceptable computing and communications practices on the part of employees and business partners
- Aspects
  - E-mail
  - News

19 Provide for Remote Access
- Specify acceptable protocols
- Determine use of Telnet or Secure Shell (SSH) access to internal network from Internet
- Describe use of cable modem, VPN, and DSL connections to access internal network through the firewall
- Require remote users to have a firewall on their computer

20 Accounting for What the Firewall Cannot Do
A firewall sandwich or load balancing switches can be compromised by:
- Brute force attack
- Sending an encrypted e-mail message to someone within the network with a virus attached
- Employees who give out remote access numbers; unauthorized users can access company network
- Employees who give out passwords

21 Other Security Policy Topics
- Passwords
- Encryption
- Restrictions on removable media
- ASPs
- Acceptable users
- Secure use of office-owned laptop computers
- Wireless security
- Use of VPNs
- Key policy

22 Defining Responses to Security Violations
- Gather information on an incident response form
- Define disciplinary action to be pursued if employees access the Internet improperly
- Identify who to contact in case of intrusion

23 Defining Responses to Security Violations

24 Overcoming Administrative Obstacles

25 Educating Employees
- Security User Awareness program
- Advise workers of expectations and consequences
- Make policies available on local network

26 Presenting and Reviewing the Process
- Keep reports short and concise
- Give people ample time to respond after policy statement is issued

27 Amending the Security Policy
Change the security policy when:
- The organization makes substantial changes in hardware configuration, or
- The firewall is reconfigured in response to security breaches

28 Chapter Summary
- What a security policy is; why they are important
- Setting goals that govern how a firewall is configured to protect a network
- Seven steps to building a security policy
- Defining responses to attacks and other intrusions
- Guiding your security policy through corporate bureaucracy to gain management support and achieve security policy goals

