Anuj Dube Jimmy Lambert Michael McClendon

Presentation transcript:

Security Policy
Anuj Dube, Jimmy Lambert, Michael McClendon

Clean Desk Policy
First line of defense
General: Clear desk of papers
Extreme: Clean entire workspace

Account Management Policies
Centralized: Database
Decentralized: Individual workstations and servers
Two account rule

Account Management Policies
Disabling/Deleting accounts
Termination
Leave of absence
Time-of-day
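As an added example (not from the slides), the three account-disabling triggers above (termination, leave of absence, time-of-day) and the two account rule expressed as a policy check over a small constructed account directory; the "adm-" naming convention for privileged accounts is an assumption, not something the deck specifies.

```python
"""Added example: evaluate the deck's account management policies against
constructed sample accounts. Status values and the 'adm-' prefix are assumptions."""
from dataclasses import dataclass
from datetime import datetime, date
from typing import List, Optional, Tuple

@dataclass
class Account:
    name: str
    status: str                              # "active", "terminated" or "leave"
    leave_until: Optional[date] = None       # return date, used when status == "leave"
    login_hours: Tuple[int, int] = (0, 24)   # permitted local hours [start, end)
    privileged: bool = False                 # admin account (two account rule)

def access_decision(acct: Account, now: datetime) -> str:
    """Return "allow" or a "deny: ..." reason naming the policy that blocks the login."""
    # Termination: the account is disabled and must never authenticate again.
    if acct.status == "terminated":
        return "deny: account disabled on termination"
    # Leave of absence: disabled until the recorded return date, then re-enabled.
    if acct.status == "leave":
        if acct.leave_until is None or now.date() <= acct.leave_until:
            return "deny: account disabled during leave of absence"
    # Time-of-day: logins are only permitted inside the account's window.
    start, end = acct.login_hours
    if not (start <= now.hour < end):
        return f"deny: outside permitted hours {start:02d}:00-{end:02d}:00"
    return "allow"

def two_account_rule_violations(accounts: List[Account]) -> List[str]:
    """Two account rule: privileged work uses a separate admin identity.
    Assumed convention: admin accounts carry an 'adm-' prefix; flag the rest."""
    return [a.name for a in accounts if a.privileged and not a.name.startswith("adm-")]

# Constructed sample directory (not real accounts)
ACCOUNTS = [
    Account("alice", "active", login_hours=(8, 18)),
    Account("adm-alice", "active", login_hours=(8, 18), privileged=True),
    Account("bob", "terminated"),
    Account("carol", "leave", leave_until=date(2024, 6, 30)),
    Account("dave", "active", privileged=True),   # day-to-day account with admin rights
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct.name, access_decision(acct, datetime(2024, 5, 1, 22, 0)))
    print("two account rule violations:", two_account_rule_violations(ACCOUNTS))
```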

Portable Device Policies
General: USB/Flash drives
Extreme: Mobile phones

Internet Usage Policy
Goal: ensure maximum employee productivity and limit the organization's potential liability from inappropriate use of the Internet in the workplace.

Password Policy
Components:
Password construction
Reuse restrictions
Duration
Protection of passwords
Consequences
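As an added example (not from the slides), the construction, reuse-restriction and duration components above implemented as one password-change check; the thresholds (12 characters, three character classes, five remembered passwords, 90 days) are constructed assumptions, and protection of stored history is handled by keeping only salted PBKDF2 hashes.

```python
"""Added example: check a password change against the deck's policy components.
All numeric thresholds below are assumptions, not values from the slides."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 12               # construction: assumed minimum length
HISTORY_DEPTH = 5             # reuse: assumed number of previous passwords remembered
MAX_AGE = timedelta(days=90)  # duration: assumed maximum password age

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the reuse history never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def construction_errors(password: str):
    """Construction rules: minimum length and three of four character classes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        errors.append("needs at least three of: lower, upper, digit, symbol")
    return errors

def reuse_error(password: str, history):
    """Reuse restriction: history holds (salt, hash) pairs of earlier passwords."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            return f"matches one of the last {HISTORY_DEPTH} passwords"
    return None

def expired(last_changed: date, today: date) -> bool:
    """Duration: rotation is due once the current password is older than MAX_AGE."""
    return today - last_changed > MAX_AGE

def evaluate_change(new_password: str, history, last_changed: date, today: date):
    """Combine the components into a single decision on a change request."""
    errors = construction_errors(new_password)
    reuse = reuse_error(new_password, history)
    if reuse:
        errors.append(reuse)
    return {"accepted": not errors, "errors": errors,
            "rotation_due": expired(last_changed, today)}

def remember(password: str, history):
    """Record an accepted password in the history as a fresh salted hash."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))
```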

Insider Threat
Top network security risk!!!
What is it? Damage by current or former employees.

The insider threat is often discussed among the top information security risks facing organizations. In fact, for the first time in seven years of doing the study, the 2012 Ponemon Data Loss survey listed internal mistakes by insiders as the number one cause of data breaches. What is an insider threat? This term is loosely used to describe current or former employees doing damage to the organization. These can be malicious actions, such as stealing confidential information, or accidental, such as sending confidential information in an email attachment.

Personnel Policies
Acceptable Usage Policy
Mandatory Vacation Policy
Separation of Duties Policy
Job Rotation Policy

Personnel security is an extremely challenging area of security. In order to function, an organization must allow access to sensitive data, but in an instant a trusted employee can become an attacker. To keep a check on such harmful actions, there are certain personnel policies that an organization must follow.

Acceptable Usage Policy (AUP)
What? Set of rules
Why? Reduce the potential for legal action
How? New members sign the AUP before being provided with restricted information

An acceptable use policy (AUP), also known as an acceptable usage policy or fair use policy, is a set of rules applied by the owner or manager of a network, website or large computer system that restrict the ways in which the network, website or system may be used. AUP documents are written for corporations, businesses, universities, schools, internet service providers, and website owners, often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement. Acceptable use policies are an integral part of the framework of information security policies; it is common practice to ask new members of an organization to sign an AUP before they are given access to its information systems. For this reason, an AUP must be concise and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organization.

Mandatory Vacations Policy
What? Use vacations at specific times of the year
Why? Detect security issues with employees
How? Someone else performs the same duties

A mandatory vacation policy requires employees to use their vacations at specific times of the year or to use all of the vacation days allotted for a single year. This policy helps detect security issues with employees, such as fraud or other internal hacking activities, because anomalies might surface while the user is away. For a mandatory vacation to be effective as a fraud deterrent and detection tool, someone else must be cross-trained and must perform the work during the mandated vacation. An employee who never takes a day off may be a red flag for fraud. Employees who engage in fraud may resist taking a vacation, fearing that someone else doing their job in their absence may discover the irregularities.

Separation of Duties Policy
What? Restrict power to prevent fraud by an individual
Why? Principle of least privilege
How? Information flow diagram

Separation of duties is a classic security method to manage conflict of interest, the appearance of conflict of interest, and fraud. It restricts the amount of power held by any one individual and puts a barrier in place to prevent fraud that may be perpetrated by one individual. The technology group should understand the basic separation of duties issues within the technology area as well as the principle of least privilege. To be certain that you have identified all separation of duties issues, you will first need to create an information flow diagram for every function within each area of the organization.

Job Rotation Policy
What? Systematic movement
Why? Orienting, training, preventing burnout, preventing fraud
How? Information not isolated to just one employee

Job rotation is the systematic movement of employees from one job to another within the organization as a way to achieve many different human resources objectives, such as orienting new employees, training employees, enhancing career development and preventing job boredom or burnout.