Computer Security Sample security policy Dr Alexei Vernitski

Sample security policy part 1: physical and physically mobile systems

Physical security
Is physical security adequate? (e.g. for many companies all visitors/employees at a site require identification.) Some rooms containing valuable data/resources might need additional security measures.

Disposal
Ensure that systems and media are securely disposed of when finished with.

Ownership
Ownership of:
– Equipment
– Code
– Data
Ensure that users are under a contract such that equipment and the data/software they create are owned by the company and are not “stolen”, and ensure that users understand this (e.g. a contractor might write code for one company and then reuse it for another company; this is probably a form of “theft”). Have a special policy with regard to mobile systems such as laptops (what data can be stored on them, how the systems and the data on them are secured, etc.).

Sample security policy part 2: user access systems

Choosing secure passwords
Check when users create/change passwords that they are not obviously insecure (e.g. do not allow dictionary words, require passwords to contain a range of character types, do not allow passwords related to the login name, disallow passwords that are car registration numbers). Regularly run password cracking programs on your users’ encrypted passwords, looking for possible weak passwords.
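The creation-time checks listed on this slide, written out as an added example (not code from the presentation): the small word list, the UK-style registration pattern and the minimum length and character-class counts are assumptions standing in for the values a real site policy would set.

```python
import re
import string

# Constructed stand-in for a real dictionary/word-list file (assumption: the
# deployed checker would load a full word list instead).
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "qwerty"}

# UK-style vehicle registration such as "AB12 CDE" (assumption; adjust the
# pattern to the registration format used where the policy applies).
CAR_REG_RE = re.compile(r"^[A-Z]{2}\d{2} ?[A-Z]{3}$", re.IGNORECASE)


def character_classes(pw):
    """Count how many of lower/upper/digit/punctuation appear in pw."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in pw) for t in tests)


def related_to_login(pw, login):
    """True if the password contains the login name, forwards or reversed."""
    pw_l, login_l = pw.lower(), login.lower()
    return login_l in pw_l or login_l[::-1] in pw_l or pw_l in login_l


def check_password(pw, login, dictionary=DICTIONARY, min_length=10, min_classes=3):
    """Return the policy rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    # Strip leading/trailing digits and symbols so "Password1!" is still
    # recognised as the dictionary word "password".
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    if core in dictionary:
        problems.append("dictionary word")
    if character_classes(pw) < min_classes:
        problems.append("too few character types")
    if related_to_login(pw, login):
        problems.append("related to login name")
    if CAR_REG_RE.match(pw):
        problems.append("looks like a vehicle registration")
    return problems


if __name__ == "__main__":
    for pw, user in [("Password1!", "alice"), ("AB12 CDE", "bob"),
                     ("alice_Rocks2024!", "alice"), ("Tr0ub4dor&3Hx", "carol")]:
        print(f"{pw!r} for {user}: {check_password(pw, user) or 'OK'}")
```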

Managing passwords
Make users change passwords regularly (this stops password cracking programs from having enough time to break intercepted encrypted passwords).

Non-password security
For higher security use techniques additional to, or instead of, password security (e.g. biometric or public-key based systems).

Access rights
Only give users access to the systems/data/information that they really need for their role. This requires a database of the systems each user can connect to, and of when controls should be updated (e.g. a shared system password may need to be changed as soon as an employee who knew the password leaves).

Sample security policy part 3: user training

Security training
Train all computer users in basic security, which could include:
– ways to create secure passwords
– never writing down system security information (e.g. passwords)
– never revealing system/computer information to anyone unless you are sure of their identity, and even then only giving appropriate information
– never installing unauthorised software on computers
– never sharing data from sources outside the company until it has been scanned (e.g. never open a document from a USB stick from a non-company source)
– never connecting machines directly to the Internet (many companies ban their users from connecting to the Internet from their laptops or from work machines installed in their homes; instead the users have to connect to the company’s secure “virtual private network”, VPN)

Personal use of computers
Restrict the use of computer resources for personal purposes (this may mean banning personal use altogether).

Secure configuration
Require users to have their virus scanners (and personal firewalls) on all of the time.

Encryption
Require users to send sensitive data over encrypted media.

Communication
Inform users how they can communicate with system administrators.

Further training
Make sure computer users get (and read) regular security policy updates and attend regular training.

Sample security policy part 4: secure configurations

Updating software
All computers must have up-to-date software installed; this requires some automated updating system. However, it has to be done carefully: e.g. updating some server components can overwrite configuration files in such a way that they run some “insecure” default configuration.

Restrictions on client machines
“Lock down” client machines: e.g. many companies give employees machines that have minimal external access (e.g. PCs without USB data ports, CD-ROM or floppy drive) and that are configured so the user cannot install any software or change any system settings. The user is only given the access and utilities that they really need.

Server precautions
Configure server machines to run only the necessary services. For servers connected to the Internet, increase the “security hardening”, assume they may be compromised and treat them accordingly (i.e. keep them separate from internal networks/computers).

Sample security policy part 5: backup

Backup
– Securely back up data in a timely manner (e.g. daily is probably good enough for most office-related tasks, but duplicates of all transactions might be needed for banking data).
– Store backups in a different (and secure) physical location.
– Test that the backup system is actually working and storing the necessary data.
– Some servers may require backup systems ready to be deployed when needed.

Sample security policy part 6: use preventative security tools

Scanning the system
– Regularly scan computer systems on the network to test that they are only running necessary (and authorised) services (external security scanner).
– Regularly scan computer systems with “local security analysers” that check that computers are properly secured (e.g. running automatic software update tools and having reasonable configurations).

Scanning the data
Scan all incoming data:
– remove software or data that might be infected with trojans or viruses
– block unsolicited communication, e.g. spam

Scanning for permissions
Filesystems will be scanned to check that files have appropriate permissions (e.g. you might like to check that your home directories are not “world” readable).
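The home-directory check on this slide as an added example (not code from the presentation): it walks a tree and reports every entry that the “other” (world) class can read or write, skipping symbolic links so a link out of the tree is neither followed nor misreported; the directory tree it scans is constructed in a temporary directory as a stand-in for /home, and POSIX permission bits are assumed.

```python
import os
import stat
import tempfile
from pathlib import Path


def other_access(path):
    """Return which of read/write the 'other' (world) class has on path."""
    mode = os.lstat(path).st_mode
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def scan_tree(root):
    """Walk root (e.g. /home) and map each world-readable or world-writable
    entry (relative to root) to its findings. Symlinks are skipped: their own
    mode bits are meaningless and following them could leave the tree."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            found = other_access(full)
            if found:
                results[os.path.relpath(full, root)] = found
    return results


def demo():
    """Build a constructed stand-in for /home and scan it (assumption: POSIX)."""
    with tempfile.TemporaryDirectory() as root:
        alice = Path(root, "alice")
        alice.mkdir()
        alice.chmod(0o700)            # private home: nothing to report
        bob = Path(root, "bob")
        bob.mkdir()
        bob.chmod(0o755)              # world-readable home directory
        notes = bob / "notes.txt"
        notes.write_text("constructed sample file\n")
        notes.chmod(0o666)            # world-readable and world-writable file
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(f"{path}: {', '.join(findings)}")
```

Pointing scan_tree at the real /home (run with enough privilege to traverse it) gives the list a policy review would act on.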

Sample security policy part 7: the system administrators

Employing administrators
Employ “expert” staff as system administrators (and their managers) and train system administrators to a high standard; expert system knowledge is only gained by years of personal experience. System administrators should regularly check security web-sites for the latest known system exploits. They should regularly read the security advisories from the distributor of each operating system (and major application) that they are supporting.

Sample security policy part 8: review and test policy

Security policy review
Regularly check through the site security policy. This may be a simple “paper test” of the policy as part of a general “quality assurance” review; a more rigorous (and literally “intrusive”) technique might involve an analysis by outside experts.

Risk analysis
Run a risk analysis to ascertain which parts of the policy need changing.