Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.

Published byDamon Anderson Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define."— Presentation transcript:

1 Security Policies and Procedures

2 cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define types of security policies Define compliance monitoring and evaluation

3 Security Policy Cycle 1.Risk Analysis 1.Asset Identification 2.Threat Identification 3.Vulnerability Appraisal 4.Risk Assessment 2.Security Policy Generation 3.Compliance Monitoring and Evaluation cs490ns-cotter3

4 4 Risk Analysis First step in security policy cycle is to identify risks Involves the four steps: –Inventory the assets –Determine what threats exist against the assets and by which threat agents –Investigate whether vulnerabilities exist that can be exploited –Decide what to do about the risks

5 cs490ns-cotter5 Asset Identification Many different classes of assets. Asset Identifiers: –Asset Name –Serial No. –Model No. –Dates of purchase / version –Anything that helps to uniquely identify the asset

6 cs490ns-cotter6 Asset Identification (cont) Relative Value of Asset: –How critical is this asset to the organization? –Is it a profit generator? –Is it a revenue generator? –What is its replacement cost? –What is its protection cost? –How long would it take to replace?

7 cs490ns-cotter7 Threat Identification Types of Threats: –Hardware failures –Acts of God –Human error –Theft –Sabotage –Compromise of Intellectual Property –etc.

8 cs490ns-cotter8 Attack Tree

9 cs490ns-cotter9 Vulnerability Appraisal To assist with determining vulnerabilities of hardware and software assets, use vulnerability scanners Examples: –Nessus –nmap –etc.

10 cs490ns-cotter10 Risk Assessment No Impact Small Impact Significant Impact Major Impact

11 cs490ns-cotter11 Risk Assessment (cont) Formulas commonly used to calculate expected losses are: –Single Loss Expectancy –Annualized Loss Expectancy An organization has three options when confronted with a risk: –Accept the risk –Diminish the risk –Transfer the risk

12 cs490ns-cotter12 Risk Identification (Summary)

13 cs490ns-cotter13 Designing a Security Policy? A policy is a document that outlines specific requirements or rules that must be met –Has standard characteristics –Correct vehicle for an organization to use when establishing information security A standard is a collection of requirements specific to the system or procedure that must be met by everyone A guideline is a collection of suggestions that should be implemented

14 cs490ns-cotter14 Balancing Control and Trust To create an effective security policy, two elements must be carefully balanced: trust and control Three models of trust: –Trust everyone all of the time –Trust no one at any time –Trust some people some of the time

15 cs490ns-cotter15 Security Policies Requirements: –Must be able to implement and enforce the policy –Must be concise and easy to understand –Must Balance protection with productivity Recommendations –Should state reasons why the policy is needed –Should Describe what is covered by the policy –Should Outline how violations will be handled.

16 cs490ns-cotter16 Security Policy Team The team should have these representatives: –Senior level administrator –Member of management who can enforce the policy –Member of the legal staff –Representative from the user community

17 cs490ns-cotter17 Due Care Defined as obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them

18 cs490ns-cotter18 Separation of Duties Means that one person’s work serves as a complementary check on another person’s No one person should have complete control over any action from initialization to completion

19 cs490ns-cotter19 Need to Know One of the best methods to keep information confidential is to restrict who has access to that information Only that employee whose job function depends on knowing the information is provided access

20 cs490ns-cotter20 Acceptable Use Policy (AUP) Defines what actions users of a system may perform while using computing and networking equipment Should have an overview regarding what is covered by this policy Unacceptable use should also be outlined

21 cs490ns-cotter21 Human Resource Policy Policies of the organization that address human resources Should include statements regarding how an employee’s information technology resources will be addressed –When hired –When fired –For leave-of-absence –Temporary promotions or transfers

22 cs490ns-cotter22 Password Management Policy Although passwords often form the weakest link in information security, they are still the most widely used A password management policy should clearly address how passwords are managed In addition to controls that can be implemented through technology, users should be reminded of how to select and use passwords

23 cs490ns-cotter23 Privacy Policy Privacy is of growing concern among today’s consumers Organizations should have a privacy policy that outlines how the organization uses information it collects

24 cs490ns-cotter24 Disposal and Destruction Policy A disposal and destruction policy that addresses the disposing of resources is considered essential The policy should cover how long records and data will be retained It should also cover how to dispose of them

25 cs490ns-cotter25 Compliance Monitoring and Evaluation The final process in the security policy cycle is compliance monitoring and evaluation Some of the most valuable analysis occurs when an attack penetrates the security defenses A team must respond to the initial attack and reexamine security policies that address the vulnerability to determine what changes need to be made to prevent its reoccurrence

26 cs490ns-cotter26 Incidence Response Policy Outlines actions to be performed when a security breach occurs Most policies outline composition of an incidence response team (IRT) Should be composed of individuals from: –Senior management– IT personnel –Corporate counsel– Human resources –Public relations

27 cs490ns-cotter27 Ethics Policy Codes of ethics by external agencies have encouraged its membership to adhere to strict ethical behavior within their profession Codes of ethics for IT professionals are available from the Institute for Electrical and Electronic Engineers (IEEE) and the Association for Computing Machinery (ACM), among others Main purpose of an ethics policy is to state the values, principles, and ideals each member of an organization must agree to

28 cs490ns-cotter28 Summary The security policy cycle defines the overall process for developing a security policy There are four steps in risk identification: –Inventory the assets and their attributes –Determine what threats exist –Investigate vulnerabilities –Make decisions regarding what to do about the risks

29 cs490ns-cotter29 Summary (cont) A security policy development team should be formed to create the information security policy An incidence response policy outlines actions to be performed when a security breach occurs A policy addressing ethics can also be formulated by an organization

Download ppt "Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define."

Similar presentations

CWSP Guide to Wireless Security

CWSP Guide to Wireless Security
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Ethics CS-480b Network Security Dick Steflik. ACM Code of Ethics This Code, consisting of 24 imperatives formulated as statements of personal responsibility,

Ethics CS-480b Network Security Dick Steflik. ACM Code of Ethics This Code, consisting of 24 imperatives formulated as statements of personal responsibility,
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 14 Security Policies and Training.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 14 Security Policies and Training.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
Security Controls – What Works

Security Controls – What Works
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Laboratory Personnel Dr/Ehsan Moahmen Rizk.

Laboratory Personnel Dr/Ehsan Moahmen Rizk.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Purpose of the Standards

Purpose of the Standards

Similar presentations

Ads by Google