Chapter 3 “A Case Study of Effectively Implemented Information Systems Security Policy[1]” John Doran, CST554, Spring 2008.

Security Policy Effectiveness
- "Documented policies are the foundation upon which the security architecture is built." [1]
- "Security policy should be consistently reviewed and refined." [1]
- Employees must receive education and training for the policy to be effective.

Questions [1]
- What services are required? (e.g., a web portal)
- Does the business require everyone to access the web?
- Do users need remote access?
- What are the risks and priorities for a security policy?

Sections of a Security Policy
Sections that should be refined early:
- Purpose: defines the goals and objectives. "The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change." [2]
- Scope: the divisions or employees that are required to follow the policy. "The scope of this policy includes all personnel who have or are responsible for an account." [2]
- Policy Statement: a specific rule that defines who, what, and when. "All user-level passwords (e.g., web, desktop computer, etc.) must be changed at least every six months." [2]
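As an added example, not from the presentation or the SANS policy it quotes, this Python check audits constructed shadow(5)-style password records against the "changed at least every six months" statement above, flagging both stale passwords and accounts whose enforced maximum age is looser than the policy. The 182-day figure, the sample records and the function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Added example (not the presentation's or SANS's code): the 182-day limit and
# the sample records below are assumptions made for this illustration.
MAX_PASSWORD_AGE_DAYS = 182  # "at least every six months", taken here as 182 days

# Constructed sample records, not real accounts. Fields follow shadow(5):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg = days since 1970-01-01 of the last change; max = enforced maximum age in days.
SAMPLE_SHADOW = """\
alice:$6$placeholderhash:19700:0:90:7:::
bob:$6$placeholderhash:19000:0:99999:7:::
carol:$6$placeholderhash:19600:0::7:::
dave:*:0:0:99999:7:::
"""

@dataclass
class Finding:
    user: str
    reason: str

def audit_shadow(shadow_text: str, today: date,
                 max_age: int = MAX_PASSWORD_AGE_DAYS) -> list[Finding]:
    """Return one Finding per policy violation found in the shadow records."""
    today_days = (today - date(1970, 1, 1)).days
    findings: list[Finding] = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, pw_hash, lastchg, _min_days, max_days = line.split(":")[:5]
        # Locked or passwordless accounts ('*', '!' prefix, empty) have no rotating secret.
        if pw_hash in ("", "*") or pw_hash.startswith("!"):
            continue
        # Check 1: the enforced maximum age must not exceed what the policy allows.
        if max_days == "" or int(max_days) > max_age:
            findings.append(Finding(user, f"max age {max_days or 'unset'} exceeds {max_age} days"))
        # Check 2: the current password itself must be younger than the limit.
        age = today_days - int(lastchg)
        if age > max_age:
            findings.append(Finding(user, f"password is {age} days old"))
    return findings

def audit_sample(today_iso: str = "2024-01-01") -> list[Finding]:
    """Run the audit over the constructed records for a fixed date (deterministic)."""
    return audit_shadow(SAMPLE_SHADOW, date.fromisoformat(today_iso))

if __name__ == "__main__":
    print(*audit_sample(), sep="\n")
```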

Sections of a Security Policy
Sections that change periodically:
- Standards: what is expected of employees. "Don't reveal a password over the phone to ANYONE." [2]
- Actions: "Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment." [2]
- Responsibilities: specifically assign actions to a team of employees.

Sections of a Security Policy  Frequency of Review (ex: every 6 months)  Ways to Request Policy Changes (fill out a form)  List of Assets Includes servers, desktops, laptops, routers Includes servers, desktops, laptops, routers Describe the assets Describe the assets Who administers? Who administers? Who uses? Who uses? How important is the asset to business goals? How important is the asset to business goals?

Sections of a Security Policy  Incident Response /Disaster Recovery List Who and When to Call when there is a security breach. List Who and When to Call when there is a security breach. Who is accountable for recovery from breach? Who is accountable for recovery from breach?

Educating Employees
- Users must know that a security policy exists
- When changes are made, users must be informed
- Social Engineering

Revising Security Policy
- There are always new threats
- Sometimes the business needs change
- The team responsible for implementing the policy must always be proactive

References
1. Warkentin & Vaughn, Enterprise Information Systems Assurance and System Security, Idea Publishing Group, Hershey, 2006.
2. Systems Administration and Networking Security Institute (SANS), www.sans.org/resources/policies, accessed 3/23/2008 (good examples).
3. Network Security Journal, accessed 3/23/2008.
4. ISO, accessed 3/23/2008 (industry standards).