Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle...
-
Upload
damon-anderson -
Category
Documents
-
view
215 -
download
0
Transcript of Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle...
![Page 1: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/1.jpg)
Security Policies and Procedures
![Page 2: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/2.jpg)
cs490ns-cotter 2
Objectives
• Define the security policy cycle
• Explain risk identification
• Design a security policy– Define types of security policies
• Define compliance monitoring and evaluation
![Page 3: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/3.jpg)
Security Policy Cycle
1. Risk Analysis1. Asset Identification
2. Threat Identification
3. Vulnerability Appraisal
4. Risk Assessment
2. Security Policy Generation
3. Compliance Monitoring and Evaluation
cs490ns-cotter 3
![Page 4: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/4.jpg)
cs490ns-cotter 4
Risk Analysis
• First step in security policy cycle is to identify risks
• Involves the four steps:– Inventory the assets– Determine what threats exist against the
assets and by which threat agents– Investigate whether vulnerabilities exist that
can be exploited– Decide what to do about the risks
![Page 5: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/5.jpg)
cs490ns-cotter 5
Asset Identification
• Many different classes of assets.
• Asset Identifiers:– Asset Name– Serial No.– Model No.– Dates of purchase / version– Anything that helps to uniquely identify the
asset
![Page 6: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/6.jpg)
cs490ns-cotter 6
Asset Identification (cont)
• Relative Value of Asset:– How critical is this asset to the organization?– Is it a profit generator?– Is it a revenue generator?– What is its replacement cost?– What is its protection cost?– How long would it take to replace?
![Page 7: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/7.jpg)
cs490ns-cotter 7
Threat Identification
• Types of Threats:– Hardware failures– Acts of God– Human error– Theft– Sabotage– Compromise of Intellectual Property– etc.
![Page 8: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/8.jpg)
cs490ns-cotter 8
Attack Tree
![Page 9: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/9.jpg)
cs490ns-cotter 9
Vulnerability Appraisal
• To assist with determining vulnerabilities of hardware and software assets, use vulnerability scanners
• Examples:– Nessus– nmap– etc.
![Page 10: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/10.jpg)
cs490ns-cotter 10
Risk Assessment
• No Impact
• Small Impact
• Significant Impact
• Major Impact
![Page 11: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/11.jpg)
cs490ns-cotter 11
Risk Assessment (cont)
• Formulas commonly used to calculate expected losses are:– Single Loss Expectancy– Annualized Loss Expectancy
• An organization has three options when confronted with a risk:– Accept the risk– Diminish the risk– Transfer the risk
![Page 12: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/12.jpg)
cs490ns-cotter 12
Risk Identification (Summary)
![Page 13: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/13.jpg)
cs490ns-cotter 13
Designing a Security Policy?
• A policy is a document that outlines specific requirements or rules that must be met– Has standard characteristics– Correct vehicle for an organization to use when
establishing information security
• A standard is a collection of requirements specific to the system or procedure that must be met by everyone
• A guideline is a collection of suggestions that should be implemented
![Page 14: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/14.jpg)
cs490ns-cotter 14
Balancing Control and Trust
• To create an effective security policy, two elements must be carefully balanced: trust and control
• Three models of trust:– Trust everyone all of the time– Trust no one at any time– Trust some people some of the time
![Page 15: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/15.jpg)
cs490ns-cotter 15
Security Policies• Requirements:
– Must be able to implement and enforce the policy– Must be concise and easy to understand– Must Balance protection with productivity
• Recommendations– Should state reasons why the policy is needed– Should Describe what is covered by the policy– Should Outline how violations will be handled.
![Page 16: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/16.jpg)
cs490ns-cotter 16
Security Policy Team
• The team should have these representatives:– Senior level administrator– Member of management who can enforce the
policy– Member of the legal staff– Representative from the user community
![Page 17: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/17.jpg)
cs490ns-cotter 17
Due Care
• Defined as obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them
![Page 18: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/18.jpg)
cs490ns-cotter 18
Separation of Duties
• Means that one person’s work serves as a complementary check on another person’s
• No one person should have complete control over any action from initialization to completion
![Page 19: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/19.jpg)
cs490ns-cotter 19
Need to Know
• One of the best methods to keep information confidential is to restrict who has access to that information
• Only that employee whose job function depends on knowing the information is provided access
![Page 20: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/20.jpg)
cs490ns-cotter 20
Acceptable Use Policy (AUP)
• Defines what actions users of a system may perform while using computing and networking equipment
• Should have an overview regarding what is covered by this policy
• Unacceptable use should also be outlined
![Page 21: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/21.jpg)
cs490ns-cotter 21
Human Resource Policy
• Policies of the organization that address human resources
• Should include statements regarding how an employee’s information technology resources will be addressed– When hired– When fired– For leave-of-absence– Temporary promotions or transfers
![Page 22: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/22.jpg)
cs490ns-cotter 22
Password Management Policy
• Although passwords often form the weakest link in information security, they are still the most widely used
• A password management policy should clearly address how passwords are managed
• In addition to controls that can be implemented through technology, users should be reminded of how to select and use passwords
![Page 23: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/23.jpg)
cs490ns-cotter 23
Privacy Policy
• Privacy is of growing concern among today’s consumers
• Organizations should have a privacy policy that outlines how the organization uses information it collects
![Page 24: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/24.jpg)
cs490ns-cotter 24
Disposal and Destruction Policy
• A disposal and destruction policy that addresses the disposing of resources is considered essential
• The policy should cover how long records and data will be retained
• It should also cover how to dispose of them
![Page 25: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/25.jpg)
cs490ns-cotter 25
Compliance Monitoring and Evaluation
• The final process in the security policy cycle is compliance monitoring and evaluation
• Some of the most valuable analysis occurs when an attack penetrates the security defenses
• A team must respond to the initial attack and reexamine security policies that address the vulnerability to determine what changes need to be made to prevent its reoccurrence
![Page 26: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/26.jpg)
cs490ns-cotter 26
Incidence Response Policy
• Outlines actions to be performed when a security breach occurs
• Most policies outline composition of an incidence response team (IRT)
• Should be composed of individuals from:– Senior management – IT personnel– Corporate counsel – Human resources– Public relations
![Page 27: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/27.jpg)
cs490ns-cotter 27
Ethics Policy
• Codes of ethics by external agencies have encouraged its membership to adhere to strict ethical behavior within their profession
• Codes of ethics for IT professionals are available from the Institute for Electrical and Electronic Engineers (IEEE) and the Association for Computing Machinery (ACM), among others
• Main purpose of an ethics policy is to state the values, principles, and ideals each member of an organization must agree to
![Page 28: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/28.jpg)
cs490ns-cotter 28
Summary
• The security policy cycle defines the overall process for developing a security policy
• There are four steps in risk identification:– Inventory the assets and their attributes– Determine what threats exist – Investigate vulnerabilities – Make decisions regarding what to do about the
risks
![Page 29: Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.](https://reader035.fdocuments.in/reader035/viewer/2022062719/56649ee85503460f94bfa40d/html5/thumbnails/29.jpg)
cs490ns-cotter 29
Summary (cont)
• A security policy development team should be formed to create the information security policy
• An incidence response policy outlines actions to be performed when a security breach occurs
• A policy addressing ethics can also be formulated by an organization