Appendix B: Designing Policies for Managing Networks.

Slides:

Advertisements

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

Advertisements

COMPREHENSIVE APPROACH TO INFORMATION SECURITY IN ADVANCED COMPANIES.

Audit Issues regarding Passwords on Elevated Privilege Accounts Gene Scheckel Global Internal Audit.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

Mr C Johnston ICT Teacher

Access Control Methodologies

Module 4: Implementing User, Group, and Computer Accounts

Information Security Policies and Standards

Security+ Guide to Network Security Fundamentals

Chapter 1  Introduction 1 Overview  What is a secure computer system?  Concerns of a secure system o Data: Privacy, Integrity, Availability o Users:

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

Computer Security: Principles and Practice

Factors to be taken into account when designing ICT Security Policies

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008.

© 2008 Prentice Hall11-1 Introduction to Project Management Chapter 11 Managing Project Execution Information Systems Project Management: A Process and.

Project Execution.

Network security policy: best practices

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Module 8: Implementing Administrative Templates and Audit Policy.

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

1 Chapter Overview Planning an Audit Policy Implementing an Audit Policy Using Event Viewer.

Security Awareness Norfolk State University Policies.

Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.

Chapter 13 Planning & Organizing

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

© 2009 IDBI Intech, Inc. All rights reserved.IDBI Intech Confidential 1 Information (Data) Security & Risk Mitigation.

Intrusion Detection MIS ALTER 0A234 Lecture 11.

1 Deployment of Computer Security in an Organization CE-408 Sir Syed University of Engineering & Technology 99-CE-282, 257 & 260.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.

Designing Active Directory for Security

Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.

Chapter 6 of the Executive Guide manual Technology.

 INADEQUATE SECURITY POLICIES ›Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA.

20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Presentation: 60 minutes Lab: 60 minutes After completing this module,

Information Systems Security Operational Control for Information Security.

Mobile Banking By: Chenyu Gong, Jalal Hafidi, Harika Malineni.

Lecture 11 Managing Project Execution. Project Execution The phase of a project in which work towards direct achievement of the project’s objectives and.

UNIT 15 WEEK 9 CLASS 1 LESSON OVERVIEW Pete Lawrence BTEC National Diploma Organisational System Security.

Appendix C: Designing an Operations Framework to Manage Security.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.

.  Define privilege audits  Describe how usage audits can protect security  List the methodologies used for monitoring to detect security-related.

Chapter 2 Securing Network Server and User Workstations.

Small Business Security Keith Slagle April 24, 2007.

Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.

Granbury I.S.D. Acceptable Use Policy for Technology Resources

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.

Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.

Module 10: Implementing Administrative Templates and Audit Policy.

Understand Audit Policies LESSON Security Fundamentals.

Module 7: Designing Security for Accounts and Services.

Mr C Johnston ICT Teacher BTEC IT Unit 09 - Lesson 11 Network Security.

Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.

SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #

Technological Awareness for Teens and Young Adults.

Windows Active Directory – What is it? Definition - Active Directory is a centralized and standardized system that automates network management of user.

Appendix A: Designing an Acceptable Use Policy. Overview Analyzing Risks That Users Introduce Designing Security for Computer Use.

LAND RECORDS INFORMATION SYSTEMS DIVISION

Module 1: Introduction to Designing Security

Forensics Week 11.

Lesson 16-Windows NT Security Issues

BACHELOR’S THESIS DEFENSE

BACHELOR’S THESIS DEFENSE

BACHELOR’S THESIS DEFENSE

Delegation of Control Manage Active Directory Objects 3.7

Anuj Dube Jimmy Lambert Michael McClendon

Presentation transcript:

Appendix B: Designing Policies for Managing Networks

Overview Analyzing Risks to Managing Networks Designing Security for Network Administrators

Lesson 1: Analyzing Risks to Managing Networks What Is a Network Management Policy? Why Network Management Policies Are Important Common Threats to Network Management

A network management policy defines: What Is a Network Management Policy? Tools for managing the network Users who can manage a network Procedures for managing the network Tools for managing the network Users who can manage a network Procedures for managing the network Policy Administrator Tools Procedures

Why Network Management Policies Are Important External Attacker Internal Attacker AttackerThreatExample External Social engineering An attacker calls the helpdesk of a company posing as a newly hired network administrator who needs to reset the password of a company official. The attacker uses the official’s account to steal company secrets. Internal Unlocked workstation An administrator logs on to a computer by using his administrator account, then leaves the computer unlocked before going to a meeting. An attacker uses the administrator’s computer to attack the network.

Common Threats to Network Management AreaVulnerabilities Network management model Poor decisions about security Accounts that have excessive administrative rights Incomplete background checks of a prospective administrator Access to information Social engineering attacks that manipulate administrators Sensitive information found by sifting through garbage Diligence Failure to lock unattended workstations and servers Critical resources in unsecured physical locations Failure to perform security tasks in a timely manner Tools Use of unapproved tools to manage a network Failure to secure communication channels that are used to manage a network

Lesson 2: Designing Security for Network Administrators Process for Designing Secure Management of Networks Common Network Management Models Guidelines for Delegating Administrative Control Guidelines for Acceptable Use of Network Management Tools Guidelines for Network Management Security Guidelines for Protecting Against Social Engineering

When planning an audit policy, you must: Optimize the network management model. Determine who can manage the network. Predict threats to managing the network. Create a list of approved tools and techniques. Design and create policies and procedures for managing the network. Optimize the network management model. Determine who can manage the network. Predict threats to managing the network. Create a list of approved tools and techniques. Design and create policies and procedures for managing the network Process for Designing Secure Management of Networks 5 5

Common Network Management Models ModelCharacteristics Centralized A small group makes all network management decisions Network administration is performed from a central location Strong security is provided at the expense of flexibility Decentralized Autonomous groups make many network management decisions Network administration is performed at multiple locations May be required by medium and large-sized networks that have geographical, geopolitical, or language complexities Outsourced Trusted third parties perform network management Outsourcing can provide expertise that your organization may lack Hybrid Centralize, decentralized, or outsourced models are combined The most common network management model

Guidelines for Delegating Administrative Control TaskGuideline Before you delegate administrative control to a new administrator Perform a background check on the administrator during the hiring process Educate the administrator about how to carry out the required administrative tasks Ensure that the administrator understands the security policies and procedures of your organization When you delegate administrative control Always delegate the fewest privileges necessary to complete administrator tasks Always audit network administration and review audit logs regularly Consider job rotation and mandatory vacations for administrators who have Access to sensitive data

Define: Which tools will be used to manage the network. How the tools will be used. How the network will be managed remotely. Which tools will be used to manage the network. How the tools will be used. How the network will be managed remotely. Guidelines for Acceptable Use of Network Management Tools

Guidelines for Network Management Security FunctionGuideline Use of Administrator accounts Place limits on administrator authority Prohibit use of administrator account for daily use Prohibit use of administrator rights to monitor employees Use of administration tools Specify how to use remote administration tools securely Prohibit using attacker tools on the network without approval Performance of daily tasks Follow policies and procedures when completing frequently occurring tasks Create and update log files for change management

Guidelines for Protecting Against Social Engineering Ensure that administrators: Follow defined processes and procedures. Are on alert for suspicious or unusual events. Use caution when working with other employees whom they do no know personally. Follow defined processes and procedures. Are on alert for suspicious or unusual events. Use caution when working with other employees whom they do no know personally.

Security Policy Checklist Create policies and procedures for determining: Network management models. Who can manage the network. Tools to manage the network. How personnel will manage the network. Network management models. Who can manage the network. Tools to manage the network. How personnel will manage the network.