Post on 02-Jun-2018
8/11/2019 Organizational Security Policies
1/19
Organizational Security Policies
PRESENTED BY: ARTI DEEPAK SHINDE
MSC. CS-II, ROLL NO. 13521
Organizational Security Policies
Who can access which resources in what manner?
This breaks down into three questions:
- Who should be allowed access?
- To which system and organizational resources should access be allowed?
- What types of access should each user be allowed for each resource?
Organizational Security Policies
Security policy: a high-level management document that informs users of the objectives of, and constraints on, using a system.
The purposes of the policy document:
- Recognising sensitive information assets
- Clarifying security responsibilities
- Promoting awareness among existing staff
- Giving guidelines to new employees
Qu. Define security policy.
Organizational Security Policies
A security policy must address the following:
- The audience: who can access?
- Contents: which resources?
- Characteristics of a good security policy: in what way?
Audience
The audience can be classified into four groups:
- Users
- Owners
- Beneficiaries (e.g. customers, clients)
- Balance among all parties
Each part of the audience uses the security policy in important but different ways.
For each group, the policy defines the degree of confidentiality, integrity, and continuous availability in the computing resources provided to them.
Audience
Beneficiaries: A business has paying customers or clients; they are beneficiaries of the products and services offered by that business. At the same time, the general public may benefit in several ways:
- As a source of employment
- By provision of infrastructure
Balance Among All Parties: A security policy must relate to the needs of users, owners, and beneficiaries.
Unfortunately, the needs of these groups may conflict. A beneficiary might require immediate access to data, but owners or users might not want to bear the expense or inconvenience of providing access at all hours.
Security Policies: Contents
Purpose: The policy should state the purpose of the organization's security functions, reflecting the requirements of beneficiaries, users and owners.
There are typically three to five goals, such as:
- Promote efficient business operation.
- Facilitate sharing of information throughout the organization.
- Safeguard business and personal information.
- Ensure that accurate information is available to support business processes.
- Ensure a safe and productive place to work.
- Comply with applicable laws and regulations.
Security Policies: Contents
Protected Resources: The risk analysis identifies the assets (resources) that are to be protected.
These assets should be listed in the policy document. The resources can be computers, networks, general data, management data, and so on.
Nature of the Protection: The policy should also indicate
- who should have access to the protected resources,
- how that access will be ensured, and
- how unauthorised people will be denied access.
Characteristics of a Good Security Policy
A good security policy should have the following characteristics:
- Coverage: comprehensive and general
- Durability: survives the system's growth and expansion
- Realism: feasible to implement
- Usefulness: the policy should be concise, clear, and direct
Qu. What are the characteristics of a good security policy?
Characteristics of a Good Security Policy
Coverage: A security policy must be comprehensive: it must either apply to or explicitly exclude all possible situations.
Durability: A security policy must grow and adapt well. In large measure, it will survive the system's growth and expansion without change. If written in a flexible way, the existing policy will be applicable to new situations. However, there are times when the policy must change, so the policy must be changeable when it needs to be. An important key to durability is keeping the policy free from ties to specific data or protection mechanisms that almost certainly will change.
Characteristics of a Good Security Policy
Realism: The policy must be realistic. That is, it must be possible to implement the stated security requirements with existing technology. Moreover, the implementation must be beneficial in terms of time, cost and convenience; the policy should not recommend a control that works but prevents the system or its users from performing their activities and functions.
Usefulness: An obscure or incomplete security policy will not be implemented properly, if at all. The policy must be written in language that can be read, understood, and followed by anyone who must implement it or is affected by it.
Nature of security policies
To understand the nature of security policies, we study an example.
Data Sensitivity Policy: Our first example is from an organization that decided to classify all its data resources into four levels, based on how severe the effect might be if a resource were damaged.
These levels are listed below.
Example: Defined Levels of Data Sensitivity
Name: Sensitive
Description: could damage competitive advantage.
Examples: audit reports; operating plans
-----------------------------------------------------------------------
Name: Personal or protected
Description: could reveal personal, private, or protected information.
Examples:
- Personal data: employees' salaries or performance reviews
- Private data: employee lists
- Protected data: data the organization is obligated to protect, such as data obtained under a nondisclosure agreement
-----------------------------------------------------------------------
Name: Company confidential
Description: could damage the company's public image.
Examples: audit reports; operating plans
-----------------------------------------------------------------------
Name: Open
Description: no harm.
Examples: press releases; white papers; marketing materials
Conclusion
An organizational security policy is a document that specifies the organization's goals regarding security.
It lists policy elements, which are statements of actions that must or must not be taken to preserve those goals.
Policy documents often lead to implementation procedures.
Also, user education and awareness activities ensure that users are aware of policy restrictions.