Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Setting Up & Using a Site Security Policy Instructor:

Published byGriselda Fields Modified over 8 years ago

Similar presentations

Presentation on theme: "CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Setting Up & Using a Site Security Policy Instructor:"— Presentation transcript:

1 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Setting Up & Using a Site Security Policy Instructor: Joseph DiVerdi, Ph.D.

2 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Need for a Security Policy If you don't have a written, published Web Security Policy –You can't know if your Web site is secure –Security is defined by policy A policy is a list of what is & is not permissible Must reflect your organization's –Needs –Values –Political Realities Reflects trade-off between risk & convenience

3 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Issues for Security Policy Who is allowed access? What is the nature of that access? Who authorizes such access? Who is responsible for security? Who is responsible for upgrades? Who is responsible for backups? Who is responsible for maintenance? What kinds of material are allowed on served pages?

4 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Issues for Security Policy Which sites & external users are to be allowed access to pages & data served? What kinds of testing & evaluation must be performed on software and pages before they are installed? How are complaints & requests about the server & page content to be handled? How should the organization react to security incidents?

5 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Issues for Security Policy How and when should the policy itself be updated? Who is allowed to speak to members of the press, law enforcement, and other outside entities in the event of questions or an incident?

6 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy PERSONNEL Access Levels The Web site grants five levels of access: 1. The public - read-only access to all URLs with the exception of the /private directory. 2. Employees of XXX Corporation - read-only access to all URLs including the /private directory. 3. HTML Authors - ability to create, modify, & delete HTML files in the document tree. 4. Site Administrators - ability to modify Web server configuration files, install CGI scripts, & start/stop the Web Server. 5. System Administrators - ability to modify the Web server host configuration, and start/stop the host machine.

7 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy Authorization Procedure For access levels 3, 4, & 5, personnel must obtain written authorization from the Director or Deputy Director of Information Systems. The written authorization must be presented to the system administrator, who will set up the appropriate account & privileges. Access level 2 is granted automatically to all new employees when they receive their e-mail account and LAN password.

8 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy Revocation of Authorization For access levels 2 through 5, authorization may be revoked without warning at the discretion of the Director or Deputy Director of Information Systems. In case of emergency, a system administrator may also revoke access. This action must be reviewed and confirmed within 24 hours by the Director or Deputy Director of Information Systems.

9 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy ACCESS PRIVILEGES Local Login Local (console) login to the Web server host is allowed for system & site administrators only. Logins are for the purpose of site maintenance only. Network Login All forms of network login are forbidden, including file sharing.

10 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy ACCESS PRIVILEGES (con't) Authoring Access HTML authors & site administrators have the right to make changes to the document tree. all authorizing access is via FTP from machines located with the.XXXcorp.com domain. Modifications are time stamped & logged. Except in emergencies, direct modifications to the document tree via local login are forbidden.

11 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy ACCESS PRIVILEGES (con't) Remote Server Administration Not allowed. All server administration is done locally. Browsing Access With the exception of the /private URL, anonymous Web browsing is allowed throughout the site. /private is restricted to computers within the.XXXcorp.com domain.

12 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy ACCESS PRIVILEGES (con't) CGI Script Installation CGI scripts can be installed by site administrators after at least two members of the site administrators group have reviewed & approved the code. CGI scripts for which source code is unavailable cannot be installed without prior approval by the Director of Deputy Director of Information Systems.

13 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy ACCESS PRIVILEGES (con't) Access to the /private Directory The /private directory contains information that is confidential to the XXX Corporation. Access is restricted to host computers in the.XXXcorp.com domain.

14 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy NETWORK SERVICES Web The Web site will serve static HTML documents & the output of CGI scripts. Incoming Web data is limited to customer feedback & discussion groups, whose scripts deposit their information in isolated databases. Neither CGI scripts nor the server itself are to make connections with other databases, files systems, or services on the LAN without prior written authorization by the Director of Information Systems.

15 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy NETWORK SERVICES (con't) FTP Incoming & outgoing FTP are provided for the purpose of updating Web pages only. FTP access is restricted to HTML authors, site & system administrators, and only to computers located within the.XXXcorp.com domain. Anonymous FTP & all access from outside the.XXXcorp.com domain is forbidden. Other Services No other network services are provided by the Web host.

16 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy MAINTENANCE 24 x 7 Operation The site should be accessible 24 hours a day, 7 days a week, except for a 2-hour maintenance period between 7 AM and 9 AM on Sundays. System administrators should be prepared to switch to a backup server in a timely manner in case the primary server develops hardware problems.

17 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy MAINTENANCE (con't) Backups A complete backup of the Web server host will be done weekly, and incremental backups daily.

18 CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Sample XXX Security Policy MAINTENANCE (con't) Monitoring A system administrator is responsible for monitoring the Web server host system logs for errors & other unusual activity. A site administrator has similar responsibility for the Web server logs. Any suspicious activity should be brought to the attention of the Director of Information Systems immediately. A system or site administrator who detects suspicious activity & has reason to believe that the integrity of the system or XXX Corporation confidential is imminently threatened is authorized to take the Web server off-line.

Download ppt "CSU - DCE 0735 - Internet Security... Privacy Overview - Fort Collins, CO Copyright © XTR Systems, LLC Setting Up & Using a Site Security Policy Instructor:"

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
© Copyright 1997, The University of New Mexico C-1 Internet Service Provider Services What to do once you’re connected.

© Copyright 1997, The University of New Mexico C-1 Internet Service Provider Services What to do once you’re connected.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
LAN Management © Abdou Illia, Spring 2007 School of Business Eastern Illinois University 3/6/2007 Lab.

LAN Management © Abdou Illia, Spring 2007 School of Business Eastern Illinois University 3/6/2007 Lab.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
Concepts of Database Management Seventh Edition

Concepts of Database Management Seventh Edition
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
کامیار نیرومند کارشناس تیم تجهیزات مرکز تخصصی آپا دانشگاه صنعتی اصفهان پاییز 1388 1.

کامیار نیرومند کارشناس تیم تجهیزات مرکز تخصصی آپا دانشگاه صنعتی اصفهان پاییز
Network security policy: best practices

Network security policy: best practices
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Incident Response Updated 03/20/2015

Incident Response Updated 03/20/2015
Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.

Active Directory Administration Lesson 5. Skills Matrix Technology SkillObjective DomainObjective # Creating Users, Computers, and Groups Automate creation.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Configuring a Web Server. Overview Overview of IIS Preparing for an IIS Installation Installing IIS Configuring a Web Site Administering IIS Troubleshooting.

Configuring a Web Server. Overview Overview of IIS Preparing for an IIS Installation Installing IIS Configuring a Web Site Administering IIS Troubleshooting.

Similar presentations

Ads by Google