Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT Security Policy: Case Study March 2008 Copyright 2000-2008, All Rights Reserved.

Published byKelley Griffith Modified over 8 years ago

Similar presentations

Presentation on theme: "IT Security Policy: Case Study March 2008 Copyright 2000-2008, All Rights Reserved."— Presentation transcript:

1 IT Security Policy: Case Study March 2008 Copyright 2000-2008, All Rights Reserved

2 Overview Policy Examples Case Study IT Security Policy Case Study

3 Overview Selected IT Security Policy Examples University of California - Berkeley SANS Institute

4 IT Security Policy Case Study UC – Berkeley IT Security Policy “Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control. Resources to be protected include networks, computers, software, and data. The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise. Activities outsourced to off- campus entities must comply with the same security requirements as in-house activities.”

5 IT Security Policy Case Study UC – Berkeley IT Security Policy “Logical Security: Computers must have the most recently available and appropriate software security patches, commensurate with the identified level of acceptable risk. For example, installations that allow unrestricted access to resources must be configured with extra care to minimize security risks.” Physical Security: Appropriate controls must be employed to protect physical access to resources, commensurate with the identified level of acceptable risk. These may range in scope and complexity from extensive security installations to protect a room or facility where server machines are located, to simple measures taken to protect a User's display screen.

6 IT Security Policy Case Study UC – Berkeley IT Security Policy “Roles and Responsibilities: Responsibilities range in scope from security controls administration for a large system to the protection of one's own access password. A particular individual often has more than one role.” Administrative Officials Providers Users

7 IT Security Policy Case Study SANS Institute – Policy Template

8 IT Security Policy Case Study SANS Institute – Policy Template

9 IT Security Policy Case Study SANS Institute – Policy Template

10 IT Security Policy Case Study SANS Institute – Policy Template

11 IT Security Policy Case Study SANS Institute – Policy Template

12 IT Security Policy Case Study Case Study – Financial Institution A financial services company maintains several physical offices, including a facility in Europe that houses servers and data entry terminals for processing of electronic funds transfers and issuance of credit cards. Initial contact is due to a desire to improve security for the facility, with a focus on securing servers and workstations. No known exploitation of security vulnerabilities at this time. Security audit indicates numerous problems with administration of systems, including no security policy, poor handling of paper records, inadequate physical security, obsolete and unsupported systems. No detection of abnormal activity within the company’s IT systems at this time.

13 IT Security Policy Case Study Case Study – Financial Institution The company receives the results of the audit along with recommendations for upgrading systems, improving architecture, improving records handling, and upgrading physical security. The company hires an independent contractor to design and implement a solution based around the recommendations. An intermediate audit is conducted, approximately half way through completion of the project. Some previous problems still exist, new problems are transient effects from the upgrade process, all known issues are addressed or in the process of being addressed. One new recommendation: have the contractor performing the upgrades provide systems management and security management training courses for company IT admins.

14 IT Security Policy Case Study Case Study – Financial Institution System upgrade and security system upgrade completed. A second auditing firm is brought in to conduct an audit of the systems and certify compliance with industry best practices, independent of the initial audit company and the contractor that designed and installed the new systems. No significant problems are detected Security policies are well defined and implemented All systems are fully patched, with appropriate access controls All activity on the networks is monitored and logged Firewalls are hardened and correctly configured Intrusion detection systems are installed and configured Physical security is improved Administrators are trained to manage and monitor the servers Final Audit Review states “Excellent design and implementation, no significant issues detected.”

15 IT Security Policy Case Study Case Study – Financial Institution Later: Administrators at the company decide to improve security by installing new security software on their workstations and servers. Installation of the product chosen breaks connectivity between mission critical systems. Transactions fail to clear, company loses millions in customer fees in a single day. Unable to implement their desired change, the company turns to the original auditing firm to re-examine their systems and perform the desired installation of security software.

16 IT Security Policy Case Study Case Study – Financial Institution Audit reveals penetration of the company’s network, and complete compromise of all servers and workstations, including intrusion detection systems and firewalls. Probable point of entry was an employee’s workstation, due to unsafe web surfing or opening spam email. Compromise of the network and security appliances spread due to weak passwords among general employees and some administrators, and storage of administrative passwords for security appliances on the desktop of admin workstations in unencrypted files.

17 IT Security Policy Case Study Case Study – Financial Institution Detection of the intrusion and compromise of systems went unnoticed despite the intrusion detection system and logging. Administrators were convinced that the network was a hard target and failed to monitor the intrusion detection system or examine activity logs. This lax approach due to an exaggerated sense of their security precautions also created the conditions in which weak passwords were allowed, and critical passwords were not protected in the event of a single compromised system.

Download ppt "IT Security Policy: Case Study March 2008 Copyright 2000-2008, All Rights Reserved."

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.

1 No Silver Bullet : Inherent Limitations of Computer Security Technologies Jeffrey W. Humphries Texas A&M University.
Preventing Good People From Doing Bad Things Best Practices for Cloud Security Brian Anderson Chief Marketing Officer & Author of “Preventing Good People.

Preventing Good People From Doing Bad Things Best Practices for Cloud Security Brian Anderson Chief Marketing Officer & Author of “Preventing Good People.
Security Controls – What Works

Security Controls – What Works
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.

INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies
Introduction to PCI DSS

Introduction to PCI DSS
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Security Guidelines and Management

Security Guidelines and Management
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Similar presentations

Ads by Google