Security+ Guide to Network Security Fundamentals, Third Edition Chapter 14 Security Policies and Training.

Objectives
Define organizational security policy
List the types of security policies
Describe how education and training can limit the impact of social engineering

Organizational Security Policies
Plans and policies must be established by the organization
–To ensure that users correctly implement the hardware and software defenses
One of the key policies is an organizational security policy

What Is a Security Policy?
Security policy
–A written document that states how an organization plans to protect the company’s information technology assets
An organization’s information security policy can serve several functions:
–It can be an overall intention and direction
–It details specific risks and how to address them
–It can create a security-aware organizational culture
–It can help to ensure that employee behavior is directed and monitored

Balancing Trust and Control
An effective security policy must carefully balance two key elements: trust and control
Three approaches to trust:
–Trust everyone all of the time
–Trust no one at any time
–Trust some people some of the time
Deciding on the level of control for a specific policy is not always clear
–The security needs and the culture of the organization play a major role when deciding what level of control is appropriate

Balancing Trust and Control (continued)
[Figure slide; the image was not captured in this transcript]

Designing a Security Policy
Definition of a policy
–Standard: a collection of requirements specific to the system or procedure that must be met by everyone
–Guideline: a collection of suggestions that should be implemented
–Policy: a document that outlines specific requirements or rules that must be met

Designing a Security Policy (continued)
A policy generally has these characteristics:
–Policies communicate a consensus of judgment
–Policies define appropriate behavior for users
–Policies identify what tools and procedures are needed
–Policies provide directives for Human Resource action in response to inappropriate behavior
–Policies may be helpful in the event that it is necessary to prosecute violators

Designing a Security Policy (continued)
The security policy cycle
–The first phase involves a risk management study: asset identification, threat identification, vulnerability appraisal, risk assessment, and risk mitigation
–The second phase of the security policy cycle is to use the information from the risk management study to create the policy
–The final phase is to review the policy for compliance

Designing a Security Policy (continued)
[Figure slide; the image was not captured in this transcript]

Designing a Security Policy (continued)
Steps in development
–When designing a security policy, many organizations follow a standard set of principles
–It is advisable that the design of a security policy be the work of a team
–The team should first decide on the scope and goals of the policy
–Statements regarding due care are often included: the obligations imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them

Designing a Security Policy (continued)
[Figure slide; the image was not captured in this transcript]

Designing a Security Policy (continued)
Many organizations also follow these guidelines while developing a policy:
–Notify users in advance that a new security policy is being developed and explain why the policy is needed
–Provide a sample of people affected by the policy with an opportunity to review and comment on the policy
–Prior to deployment, give all users at least two weeks to review and comment
–Allow users the authority to carry out their responsibilities in a given policy

Types of Security Policies
The term security policy becomes an umbrella term for all of the subpolicies included within it


Types of Security Policies (continued)
Most organizations have security policies that address:
–Acceptable use
–Security-related human resources
–Password management and complexity
–Personally identifiable information
–Disposal and destruction
–Service level agreements
–Classification of information
–Change management
–Ethics

Acceptable Use Policy (AUP)
Acceptable use policy (AUP)
–Defines the actions users may perform while accessing systems and networking equipment
–May have an overview regarding what is covered by this policy
The AUP usually provides explicit prohibitions regarding security and proprietary information
Unacceptable use may also be outlined by the AUP
Acceptable use policies are generally considered to be the most important information security policies

Security-Related Human Resource Policy
Security-related human resource policy
–A policy that addresses security as it relates to human resources
–Includes statements regarding how an employee’s information technology resources will be addressed
Due process
–The principle of treating all accused persons in an equal fashion, using established rules and principles
Due diligence
–Any investigation into suspicious employee conduct will examine all material facts

Password Management and Complexity Policy
Password management and complexity policy
–Can clearly address how passwords are created and managed
The policy should also specify what makes up a strong password

Password Management and Complexity Policy (continued)
[Figure slide; the image was not captured in this transcript]

Password Management and Complexity Policy (continued)
[Figure slide; the image was not captured in this transcript]

Personally Identifiable Information (PII) Policy
Personally identifiable information (PII) policy
–Outlines how the organization uses the personal information it collects

Personally Identifiable Information (PII) Policy (continued)
[Figure slide; the image was not captured in this transcript]

Disposal and Destruction Policy
Disposal and destruction policy
–Addresses the disposal of resources that are considered confidential
–Often covers how long records and data will be retained
–Covers how to dispose of equipment

Service Level Agreement (SLA) Policy
Service level agreement (SLA)
–A service contract between a vendor and a client that specifies what services will be provided, the responsibilities of each party, and any guarantees of service
Service level agreement (SLA) policy
–An organizational policy that governs the conditions to be contained in an SLA
Many SLA policies contain tiers of service

Service Level Agreement (SLA) Policy (continued)
[Figure slide; the image was not captured in this transcript]

Classification of Information Policy
Classification of information policy
–Designed to produce a standardized framework for classifying information assets
Generally, this involves creating classification categories such as high, medium, or low
–And then assigning information into these categories

Change Management Policy
Change management
–Refers to a methodology for making changes and keeping track of those changes, often manually
–Seeks to approach changes systematically and provide documentation of the changes
Change management policy
–Outlines how an organization will manage changes in a “rational and predictable” manner so employees and clients can plan accordingly

Ethics Policy
Values
–A person’s fundamental beliefs and principles used to define what is good, right, and just
Morals
–Values that are attributed to a system of beliefs that help the individual distinguish right from wrong
Ethics
–The study of what a group of people understand to be good and right behavior and how people make those judgments

Ethics Policy (continued)
Ethics policy
–A written code of conduct intended to be a central guide and reference for employees in support of day-to-day decision making
–Intended to clarify an organization’s mission, values, and principles, and link them with standards of professional conduct

Education and Training
Education and training involve understanding the importance of organizational training
–And how it can be used to reduce risks, such as social engineering

Organizational Training
All computer users in an organization share a responsibility to protect the assets of that organization
–Users need training in the importance of securing information, the roles that they play in security, and the steps they need to take to ward off attacks
All users need:
–Continuous training in the new security defenses
–To be reminded of company security policies and procedures

Organizational Training (continued)
One of the challenges of organizational education and training is to understand the traits of learners

Organizational Training (continued)
Training style also impacts how people learn
Most people are taught using a pedagogical approach
–However, for adult learners, an andragogical approach is often preferred
There are different learning styles:
–Visual learners
–Auditory learners
–Kinesthetic learners

Reducing Risks of Social Engineering
Social engineering
–Relies on tricking and deceiving someone into providing secure information
Phishing
–One of the most common forms of social engineering
–Involves sending an e-mail or displaying a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
–Both the e-mails and the fake Web sites appear to be legitimate


Reducing Risks of Social Engineering (continued)
Variations on phishing attacks:
–Spear phishing
–Pharming
–Google phishing
Ways to recognize phishing messages include:
–Deceptive Web links
–E-mails that look like Web sites
–Fake sender’s address
–Generic greeting
–Pop-up boxes and attachments

Reducing Risks of Social Engineering (continued)
Ways to recognize phishing messages include (continued):
–Unsafe Web sites
–Urgent request
Some organizations have turned to creating regular reminders to users regarding phishing attacks
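As an added example (not from the textbook or these slides), the following Python script turns the recognition cues listed above into a small heuristic checker that a training exercise or mail-filtering rule could use; the two sample messages, the word lists, and the domain-comparison rule are assumptions made for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample messages for illustration only; not from any real campaign.
SAMPLE_PHISH = """\
From: "Acme Bank Support" <alerts@mail-acme-secure.example>
To: customer@example.org
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>Your account will be suspended. Please act immediately:
<a href="http://login-acme.example/verify">https://www.acme-bank.example/login</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Acme Bank" <statements@acme-bank.example>
To: customer@example.org
Subject: Your March statement is available
Content-Type: text/html; charset=utf-8

<html><body><p>Hello Jane Doe,</p>
<p>Your statement is ready: <a href="https://www.acme-bank.example/statements">View statement</a></p>
</body></html>
"""

URGENT_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")   # assumed list
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "valued customer")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()


def _same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw_message):
    """Return the slide's recognition cues that a message triggers (a heuristic, not proof)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = ((msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    found = set()
    links = ANCHOR_RE.findall(html)
    for href, label in links:
        # Deceptive Web link: the visible URL names a different host than the real target
        if label.strip().startswith("http") and _host(href) != _host(label):
            found.add("deceptive web link")
    # Fake sender's address (assumed rule): the From domain matches none of the linked hosts
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if links and sender_domain and all(not _same_site(_host(h), sender_domain) for h, _ in links):
        found.add("fake sender's address")
    if any(g in text for g in GENERIC_GREETINGS):
        found.add("generic greeting")
    if any(w in text for w in URGENT_WORDS):
        found.add("urgent request")
    if any(True for _ in msg.iter_attachments()):
        found.add("attachment")
    return sorted(found)
```

Running `phishing_indicators` on the two samples separates them on four cues; a real deployment would tune the word lists and treat the result as a score for user awareness reminders, not as a verdict.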


Reducing Risks of Social Engineering (continued)
Dumpster diving
–Involves digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away
Shoulder surfing
–Watching an individual enter a security code or password on a keypad
Computer hoax
–An e-mail message containing a false warning to the recipient about a malicious entity circulating through the Internet

Summary
A security policy is a written document that states how an organization plans to protect the company’s information technology assets
A standard is a collection of requirements specific to the system or procedure that must be met by everyone, while a guideline is a collection of suggestions that should be implemented
A policy is a document that outlines specific requirements or rules that must be met, and is the correct means to be used for establishing security

Summary (continued)
Because a security policy is so comprehensive and often detailed, most organizations choose to break the security policy down into smaller “subpolicies”
A personally identifiable information (PII) policy outlines how the organization uses the information it collects
To provide users with the knowledge and skills necessary to support information security, users need to receive ongoing training
Social engineering relies on tricking and deceiving someone into providing secure information