ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.


ITS Offsite Workshop 2002
PolyU IT Security Policy
PolyU IT/Computer Systems Security Policy (SSP)
By Ken Chung, Senior Computing Officer, Information Technology Services Office

PolyU Systems Security Policy
- Importance of IT Security
- Recommendation from auditors
- PolyU Systems Security Policy by ITS
- Endorsement of the Policy by ITSC
- Policy and Guidelines on Web

PolyU Systems Security Policy
- Physical Security
- Campus Network and Internet Security
- Operating System Security
- Application System Security
- Personal Computer Security
- Backup and Recovery

Physical Security
- Equipment housed in a safe environment
- Access control to the computer room
- Equipment installed in open areas should be attended or fixed in place

Physical Security (Cont'd)
- Proper electrical power protection should be employed, e.g. surge protector, UPS
- Food, liquid or powdery substances should be kept away from equipment
- University's health and safety requirements should be observed

Campus Network and Internet Security
- Security procedures against intrusion should be implemented and maintained
- Network management and security monitoring should be performed
- Security control mechanisms should be documented

Campus Network and Internet Security (Cont'd)
- Proper protection mechanisms should be implemented
- Non-PolyU equipment and external links should not be connected to the campus network
- HARNET Acceptable Use Policy should be observed (URL:

Operating Systems Security
- Keep the list of system administrators up to date
- Use scanning programs to detect security bugs
- Latest system and security patches should be adopted
- All accounts should be protected by a 'good' password that is changed regularly

Operating Systems Security (Cont'd)
- Passwords should not be disclosed to others
- Passwords should not be stored or transmitted in plain text form
- Users should report security violations to the system administrator
- Accounting, auditing and logging facilities should be adopted for audit trails

Application Systems Security
- System owner must determine the security level required for various kinds of data
- Only authorised users are allowed to access the system and data
- Production data or files must only be used on production systems

Application Systems Security (Cont'd)
- Confidential data should be protected by passwords
- Passwords should not be written down or shared with others; standards on password length, format and frequency of change should be enforced
- Effective data encryption techniques should be used for storing highly confidential information

Application Systems Security (Cont'd)
- Changes to production programs should be authorised, controlled and recorded; timestamps, logs and audit trails must be employed
- Software developers must not access production data without prior approval of the system owners

Personal Computer Security
- Access to standalone and networked personal computer equipment and resources should be restricted to authorised users only
- Data and programs should be backed up regularly

Personal Computer Security (Cont'd)
- Preventive and detective measures should be enforced to minimise damage caused by computer viruses
- Only licensed software should be used
- Security problems should be reported to system administrators promptly

Backup and Recovery
- System owners must determine their backup requirements
- Backup and restoration should be performed by authorised personnel only
- Backups should be performed periodically onto transportable media and stored appropriately (onsite or offsite)

Backup and Recovery (Cont'd)
- Backup and restoration procedures should be tested and reviewed regularly
- A Disaster Recovery Plan for mission-critical systems should be in place, and periodic drills are required

IT Security Guidelines
- Physical Security
- Campus Network and Internet Security
- Firewall Security
- Remote Access Security
- Proxy Server Security
- Personal Computer Security

IT Security Guidelines (Cont'd)
- UNIX System Security
- Web Server Security
- Novell NetWare and GroupWise Systems Security
- Student Computing Cluster Security
- System Security
- PolyU Administrative Computer Systems Security

Recommendations of Auditor
Establish the Internet/Intranet Security Policy with the following contents:
- What services are allowed
- User access and privileges
- Policies for managing web pages
- Procedures for ensuring no alternate access paths to the Internet
- University's response to security violations
- Users signing an Internet usage agreement

Recommendations of Auditor (Cont'd)
Establish the Internet/Intranet Security Policy with the following contents (cont'd):
- Enforcing password requirements
- Management of increased network traffic resulting from Internet use
- Hardware, software and client applications
- Client configuration
- Frequency of security audits
- Independent Internet assessment

Recommendations of Auditor (Cont'd)
Establish Security Procedures for:
- Granting of users' access rights
- Monitoring of users with administrative rights on IS
- Guidelines on data encryption
- Computer security policy training and distribution

Recommendations of Auditor (Cont'd)
Establish Security Procedures for:
- Virus protection policy
- Promoting proper usage of the Internet
- Sharing of user accounts
- User accounts housekeeping
- Utilizing network scanning tools
- Virus protection
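As an added example (not part of the original presentation and not PolyU's own tooling), the following Python script implements the account-housekeeping checks that the Operating Systems Security slides and the auditor's procedures call for: UID 0 held by an account that is not on the maintained administrator list, accounts with no password set, and passwords older than the change interval. It runs over constructed passwd/shadow-style records; the administrator list, the 90-day limit and the audit date are assumed values.

```python
from datetime import date
# Constructed sample records (not real PolyU data); fields as in passwd(5) and shadow(5).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
opadmin:x:0:0:shared operator login:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
oldstaff:x:1002:1002:left in 2001:/home/oldstaff:/bin/bash
www:x:33:33:web server:/var/www:/usr/sbin/nologin
"""
# shadow fields name:hash:lastchg:...; lastchg is days since 1970-01-01, an empty hash means no password, "*"/"!" a locked account
SHADOW_SAMPLE = """\
root:$6$salt$hash1:11700:0:99999:7:::
opadmin::11740:0:99999:7:::
alice:$6$salt$hash2:11720:0:99999:7:::
oldstaff:$6$salt$hash3:11300:0:99999:7:::
www:*:11000:0:99999:7:::
"""
AUTHORISED_ADMINS = {"root"}     # assumed: the maintained list of system administrators
MAX_PASSWORD_AGE_DAYS = 90       # assumed policy value for "changed regularly"
SAMPLE_TODAY = date(2002, 3, 1)  # fixed audit date so the sample result is reproducible

def days_since_epoch(d):
    """Convert a date to the day count used by the shadow lastchg field."""
    return (d - date(1970, 1, 1)).days

def parse_colon_file(text):
    """Return {name: fields} for a colon-separated account file, skipping blank lines."""
    return {line.split(":")[0]: line.split(":") for line in text.splitlines() if line.strip()}

def audit_accounts(passwd_text, shadow_text, admins, today_days, max_age_days):
    """Return sorted (account, finding) pairs for the housekeeping checks."""
    passwd, shadow = parse_colon_file(passwd_text), parse_colon_file(shadow_text)
    findings = []
    for name, f in passwd.items():
        if int(f[2]) == 0 and name not in admins:   # UID 0 held outside the admin list
            findings.append((name, "uid 0 but not on the administrator list"))
        s = shadow.get(name)
        if s is None:                                # every account must have a shadow entry
            findings.append((name, "no shadow entry"))
            continue
        pw_hash, age = s[1], today_days - int(s[2] or today_days)
        if pw_hash == "":
            findings.append((name, "empty password"))
        elif pw_hash[0] in "*!":                     # locked or no-login: skip ageing check
            continue
        if age > max_age_days:
            findings.append((name, f"password {age} days old (limit {max_age_days})"))
    return sorted(findings)

def run_sample_audit():
    """Run the checks over the constructed sample as of SAMPLE_TODAY."""
    return audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE, AUTHORISED_ADMINS,
                          days_since_epoch(SAMPLE_TODAY), MAX_PASSWORD_AGE_DAYS)
```

On a real host the same functions can be pointed at the contents of /etc/passwd and /etc/shadow (read as root) with today's date, and the findings list reviewed as part of the periodic audit.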

Recommendations of Auditor (Cont'd)
Establish Security Procedures for:
- Door-entry control system
- Automatic directory listing
- Banners
- Vulnerable services
- World-writeable files
- System logging

Some Security Tips
- Always apply security patches to the OS and services
- Remove unnecessary services
- Review and change default settings
- Implement a personal firewall
- Apply encryption to sensitive data
- Enable auditing and review the logs

Thank you!