EE579U/3 #1 Spring 2004 © 2000-2004, Richard A. Stanley EE579U Information Systems Security and Management 3. Policy Examples and Development Professor.

EE579U/3 #1 Information Systems Security and Management
3. Policy Examples and Development
Professor Richard A. Stanley

EE579U/3 #2 Overview of Today's Class
- Review of last class
- Projects
- Policy examples and development

EE579U/3 #3 Projects?
- Proposals due today
- Teams? Topics? Issues?

EE579U/3 #4 Review of Last Class
- A security policy is essential to the security posture of any information system
- Policies cannot be ad hoc if they are to be effective; they must be written, sensible, enforceable, and evaluated
- Enforcement must be part of the policy
- Regular audits must be undertaken to ensure the effectiveness of the policy and to identify needs for change and updates

EE579U/3 #5 Example Policies
We covered some examples last week. Let's refresh our memories.

EE579U/3 #6 What Might Be In a Policy?
Source:

EE579U/3 #7 Another View from the SANS Institute - 1
1. Introduction
   1.1 General Information
       1.1.1 Objectives
   1.2 Responsible Organizational Structure
       - Corporate Information Services
       - Business Unit Information Services
       - International Organizations
       - Tenants
   Security Standards
       - Confidentiality
       - Integrity
       - Authorization
       - Access
       - Appropriate Use
       - Employee Privacy

EE579U/3 #8 Another View from the SANS Institute - 2
2. Domain Services
   2.1 Authentication
       2.1.1 Password Standards
       Resident Personnel Departure
           - Friendly Terms
           - Unfriendly Terms
3. Systems
   - Authentication
   - Intrusion Protection
   - Physical Access
   - Backups
       - Retention Policy
   - Auditing

EE579U/3 #9 Another View from the SANS Institute - 3
4. Web Servers
   4.1.1 Internal
   External
5. Data Center
   5.1.1 Authentication
   - Intrusion Protection
   - Physical Access
   - Backups
       - Retention Policy
   - Auditing
   - Disaster Recovery

EE579U/3 #10 Another View from the SANS Institute - 4
6. LAN/WAN
   6.1.1 Authentication
   - Intrusion Protection
   - Physical Access
   - Modems
       - Dial-in Access
       - Dial-out
   6.1.4 Backups
       - Retention Policy
   - Content Filtering
   - Auditing
   - Disaster Recovery
   - Network Operations Center
   - Physical Network Layer

EE579U/3 #11 Another View from the SANS Institute - 5
7. Desktop Systems
   7.1.1 Authentication
   - Intrusion Protection
   - Physical Access
   - Backups
   - Auditing
   - Disaster Recovery
8. Telecommunication Systems
   8.1.1 Authentication
   - Intrusion Protection
   - Physical Access
   - Auditing
   - Backups
       - Retention Policy
   - Disaster Recovery

EE579U/3 #12 Another View from the SANS Institute - 6
9. Strategic Servers
   9.1.1 Authentication
   - Intrusion Protection
   - Physical Access
   - Backups
       - Retention Policy
   - Auditing
   - Disaster Recovery
10. Legacy Systems
   - Authentication
       - Password Standards
   - Intrusion Protection
   - Physical Access
   - Backups
       - Retention Policy
   - Auditing
   - Disaster Recovery

EE579U/3 #13 Another View from the SANS Institute - 7
11. Security Services and Procedures
   11.1 Auditing
   11.2 Monitoring
12. Security Incident Handling
   12.1 Preparing and Planning for Incident Handling
   12.2 Notification and Points of Contact
   12.3 Identifying an Incident
   12.4 Handling an Incident
   12.5 Aftermath of an Incident
   12.6 Forensics and Legal Implications
   12.7 Public Relations Contacts
   12.8 Key Steps
       - Containment
       - Eradication
       - Recovery
       - Follow-Up
       - Aftermath / Lessons Learned
   12.9 Responsibilities

EE579U/3 #14 Another View from the SANS Institute - 8
13. Ongoing Activities
   - Incident Warnings
       - Virus warnings
       - Intrusion
       - Vulnerabilities
       - Security Patches
14. Contacts, Mailing Lists and Other Resources
15. References

EE579U/3 #15 Yet Another Approach
Source:

EE579U/3 #16 Is That All?
- Probably not
- Should one person produce the policy?
- Where is the policy about configuring the system elements?
  - Operating system settings
  - Audit and logging procedures
  - ...etc.
- Without that level of detail there is nothing concrete for an audit to compare the running system against
- Help is available, and often for free!

EE579U/3 #17 Another Source: the NSA!
Source:

EE579U/3 #18 What's In the Guides?

EE579U/3 #19 But Wait, There's More!

EE579U/3 #20 More to Think About
- Other resources for policy help
  - Search the Web; look at others' approaches to the policy issue
  - Look at the Web sites of your vendors for suggestions and updates
  - Free guides, e.g.
- Start small, and build incrementally
  - A manageable policy that is understood is better than a comprehensive one that is ignored

EE579U/3 #21 Some Real Policies
- Univ. of Toronto Network Security Policy
- SDSC Security Policy
- HP Policy Solution Guide
- UC Berkeley CISC Policy
- Univ. of Colorado Security Policy
- House of Representatives Security Policy

EE579U/3 #22 Now What?
- Policy is essential, but how do you know if it is working, and how well?
- You need to do an audit
  - Not a once-in-a-lifetime event
  - Needs to be regular, but aperiodic (a predictable schedule lets problems be hidden for the audit window)
  - Follow the financial industry guidelines
  - May want to follow standards

EE579U/3 #23 Audit Types and Purposes
- Types of audits
  - Global security audits
  - Verification audits
  - Compliance audits
  - Intrusive audits, or "Tiger Teams"
- Who should perform?
  - Internal audit staff
  - Audit performed by a trusted outside party
  - Accredited external audit team

EE579U/3 #24 Planning an Audit: 1
- Policy review and analysis
- Choosing the methodology and time frame to use for the audit
- Obtaining senior management approval and consent for the level of the audit and the auditors
  - Contract
  - Legal liabilities
  - Rules of conduct, including forbidden areas
- Data collection planning
- Scope of work to be undertaken (e.g., how extensive an audit is to be performed?)
- Managing expectations
- Dealing with problems (e.g., what if no issues are found in the allotted time?)

EE579U/3 #25 Planning an Audit: 2
- Comparing the system described in the policy to the system that actually exists
  - How to find the differences
  - What to do about them?
  - How will they affect the audit?
- The final audit plan
- Approval
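Slide 16 asks where the policy about operating system settings lives, and slide 25 asks how to find the differences between the system the policy describes and the one that actually exists. The following script, added here as an illustration and not part of the original lecture, shows the mechanical core of that comparison for one service: a policy baseline written as directive/value pairs is checked against an sshd_config file. The baseline values, the implied-default table and the sample config are all constructed for the example; the one thing worth noticing is that a directive commented out in the file is not "unset", it silently falls back to the daemon's default, so the checker has to evaluate the effective value rather than just what is written.

```python
"""Compare an sshd_config-style file against a written policy baseline.

Added example for this lecture, not code from the original slides. The
policy values, the default table and the sample config are constructed.
"""

# Constructed baseline: what the written policy says the host must look like.
POLICY_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
    "X11Forwarding": "no",
}

# Values the daemon applies when a directive is absent from the file.
# Assumption: these follow the documented OpenSSH defaults; verify them
# against the version actually deployed before relying on this table.
IMPLIED_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
    "X11Forwarding": "no",
}

# Constructed sshd_config. Note the commented-out PasswordAuthentication
# line: an administrator may believe it is "off", but it is the default.
SAMPLE_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 4
LogLevel INFO
"""


def parse_config(text):
    """Return {directive (lower-cased): value} from sshd_config text.

    Comments and blank lines are ignored. sshd honours the first occurrence
    of a directive, so later duplicates are ignored here as well. Directive
    names are case-insensitive in sshd, hence the lower-casing.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def check_against_policy(actual, policy=POLICY_BASELINE, defaults=IMPLIED_DEFAULTS):
    """Return findings as (directive, required, effective, source) tuples.

    `source` records whether the effective value was set explicitly in the
    file or came from the implied default, which matters when writing the
    audit report: the fix is different in each case.
    """
    findings = []
    for directive, required in policy.items():
        key = directive.lower()
        if key in actual:
            effective, source = actual[key], "explicit"
        else:
            effective, source = defaults[directive], "implied default"
        if effective.lower() != required.lower():
            findings.append((directive, required, effective, source))
    return findings


def audit_sample():
    """Run the check over the constructed config; used by the demo below."""
    return check_against_policy(parse_config(SAMPLE_CONFIG))


if __name__ == "__main__":
    for directive, required, effective, source in audit_sample():
        print(f"{directive}: policy requires {required!r}, "
              f"effective value is {effective!r} ({source})")
```

Running it against the sample reports PermitRootLogin (set explicitly to yes), PasswordAuthentication (commented out, so the default of yes applies) and LogLevel; MaxAuthTries and X11Forwarding pass. The parser deliberately ignores sshd "Match" blocks, whose directives apply conditionally; a production checker would need to model those, or query the running daemon for effective settings instead of reading the file.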

EE579U/3 #26 Conducting an Audit: 1
- Obtain information about the system to be audited
  - Policy analysis
  - Actual system scans and evaluations
- Collect and protect audit data
- Work methodically and professionally at all times
- Tools available to help in the audit
- Develop and adhere to the data collection plan (e.g., take screen shots)
- Keep the customer informed
  - Reports as agreed in the plan
  - Immediate reporting if something big is found
  - The customer's ability to fix the problem exceeds the auditor's need to crow about finding it
- Keep findings confidential
- Don't leap to conclusions
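"Collect and protect audit data" on slide 26 is usually read as keeping the evidence confidential, but the auditor also has to be able to show later that the screenshots, configuration dumps and scan output in the report are the ones that were actually collected, and that nobody (including the audited organization) altered them afterwards. The following, an added example rather than anything from the lecture, builds a manifest of SHA-256 digests over the collected items and seals the manifest with an HMAC under a key held only by the audit team; verification detects a modified item, a missing item, an unlisted extra, or a rewritten manifest. The evidence items, collector name, timestamp and key are all constructed.

```python
"""Integrity manifest for collected audit evidence.

Added example for this lecture, not code from the original slides. Evidence
items, the collector, the timestamp and the key are constructed; in practice
the key stays with the audit team and never touches the audited system.
"""
import hashlib
import hmac
import json

# Constructed evidence, as it might be captured during an audit.
EVIDENCE = {
    "sshd_config.txt": b"PermitRootLogin yes\nLogLevel INFO\n",
    "nmap-dmz.txt": b"22/tcp open ssh\n80/tcp open http\n",
    "screenshot-admin-console.png": b"\x89PNG\r\n\x1a\n...constructed...",
}
AUDIT_KEY = b"constructed-audit-team-key-not-for-real-use"


def evidence_manifest(items, collector, collected_at):
    """items: {name: bytes}. Returns a manifest listing a SHA-256 per item.

    Items are sorted by name so that the same evidence set always produces
    byte-identical manifests, which the seal below depends on.
    """
    entries = [
        {"name": name, "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
        for name, data in sorted(items.items())
    ]
    return {"collector": collector, "collected_at": collected_at, "items": entries}


def canonical(manifest):
    """Deterministic serialisation: sorted keys, no whitespace."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal(manifest, key):
    """Attach an HMAC-SHA256 over the canonical manifest."""
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "hmac_sha256": tag}


def verify(sealed, key, items):
    """Return (ok, problems). The seal is checked first; if the manifest
    itself has been rewritten, nothing it lists can be trusted."""
    problems = []
    manifest = sealed["manifest"]
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac_sha256"]):
        return False, ["manifest seal does not verify"]
    listed = {e["name"]: e["sha256"] for e in manifest["items"]}
    for name, digest in listed.items():
        if name not in items:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(items[name]).hexdigest() != digest:
            problems.append(f"modified: {name}")
    for name in items:
        if name not in listed:
            problems.append(f"unlisted: {name}")
    return not problems, problems


def demo():
    """Seal the constructed evidence, then show what tampering looks like."""
    sealed = seal(evidence_manifest(EVIDENCE, "auditor-01", "2004-02-10T14:05:00Z"),
                  AUDIT_KEY)
    intact = verify(sealed, AUDIT_KEY, EVIDENCE)

    tampered = dict(EVIDENCE)
    tampered["sshd_config.txt"] = b"PermitRootLogin no\nLogLevel INFO\n"
    changed_item = verify(sealed, AUDIT_KEY, tampered)

    forged = json.loads(json.dumps(sealed))  # deep copy
    forged["manifest"]["collector"] = "someone-else"
    changed_manifest = verify(forged, AUDIT_KEY, EVIDENCE)
    return intact, changed_item, changed_manifest


if __name__ == "__main__":
    for label, result in zip(("intact", "item edited", "manifest edited"), demo()):
        print(f"{label}: ok={result[0]} problems={result[1]}")
```

An HMAC is enough when the same team both collects and later verifies; if a third party (counsel, a regulator) must verify without being given the key, replace the HMAC with a digital signature over the same canonical bytes and timestamp the signature. Either way, store the sealed manifest separately from the evidence it describes.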

EE579U/3 #27 Conducting an Audit: 2
- Follow-up / retesting
- Prepare the audit report
  - Executive summary
  - Vulnerabilities and/or problems found
    - Several small things can add up to a large problem
  - Business impact
  - Recommendations

EE579U/3 #28 Evaluating Audit Results
- Assess the severity of the findings
  - Depends on the organizational security policy and business model
- Decide if external help is needed to deal with the findings (e.g., are we able to understand and deal with the findings?)
- Do the findings corroborate the perceived threats?
- Is a change to the security policy needed?
- Does this warrant another audit before proceeding further?
- Rank problems: what to fix first; where to stop?
- Match vulnerabilities and problems to legal liability issues
- Determine if further, perhaps more extensive, auditing is warranted
- Evaluate what changes to the security policy, if any, are warranted based on the findings

EE579U/3 #29 Dealing With Problems: 1
- Workstation problems
  - Physical access controls
  - Environmental controls
  - Object controls
  - Data validation and auditing
  - Data file controls
  - Output controls
  - Performance

EE579U/3 #30 Dealing With Problems: 2
- Software problems
  - Licensing issues
  - Version and configuration control
  - Update control
- Business continuity problems
  - Disaster events and probabilities
  - Alternative sites
  - Testing the business continuity plan

EE579U/3 #31 Audit Standards & Tools
- ISO standard
  - Good starting point for policies and audits
  - Compliance is not trivial
  - Agreed-upon international standard
  - The COBRA tool automates compliance checking
- COBIT (Control Objectives for Information and related Technology)
  - Generally accepted IT control objectives
  - Developed and recognized by ISACA (Information Systems Audit and Control Association), the international IT auditors' professional organization
  - Includes audit guidelines
- Developing your own standards

EE579U/3 #32 ISO Overview
- Security Policy
- Security Organization
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security
- Computer & Network Management
- System Access Control
- System Development and Maintenance
- Business Continuity Planning
- Compliance

EE579U/3 #33 Audit Review
- A necessary element to ensure compliance with security policies
- Many approaches to performing one
- A standards-based approach has merit, but requires rigorous compliance
- Recent financial escapades illustrate the need for frequent, thorough system audits

EE579U/3 #34 Summary
- Policy development is hard work, requiring detailed knowledge of both the system and the risks and threats
- Audits are essential to ensuring that policy is achieved
- The "just say no" approach is not a viable policy

EE579U/3 #35 Homework
- Reading: Bishop, Chapters 18 & 19
- Problem: Identify a security policy problem in the literature or from your own experience. Describe the problem, the consequences resulting from it, and what was done to mitigate or repair it. What would you have done if you had the power to prevent or mitigate this event?