Information Security Policies: User/Employee use policies.

2 Overview
Format of policies
Usage of policies
Example of policies
Policy cover areas
References
Homework
Questions

3 Format of Policies
Purpose: the need for the policy
Scope: which part of the system is covered, and who the policy applies to
Policy: what can and cannot be done with the system
Enforcement: the action that can be taken once the policy is violated
Definitions: define the keywords used in the policy
Revision History: states when and what has been changed

4 Usage of Policies
Policy: a document that outlines specific requirements or rules covering a single area
Standard: a collection of system-specific or procedure-specific requirements that must be met by everyone
Guideline: a collection of system-specific or procedure-specific "suggestions" for best practice; not required, but strongly recommended

5 Example of Policies

8 Policy cover areas
Acceptable Use
Information Sensitivity
Ethics
Email
Anti-Virus
Password
Connection

9 Acceptable Use Policy
General outline for all other policies
Protects employees, partners and the company from illegal or damaging actions
Applies to all computer-related equipment
Sections:
  General use and ownership
  Security and proprietary information
  Unacceptable use

10 Information Sensitivity Policy
Determines what information can and cannot be disclosed to non-employees
Public: declared for public knowledge; can be freely given to anyone without any possible damage
Confidential:
  Minimal Sensitivity: general corporate information; some personal and technical information
  More Sensitive: business, financial, and most personnel information
  Most Sensitive: trade secrets and marketing, operational, personnel, financial, source code, and technical information integral to the success of the company

11 Ethics Policy
Defines the means to establish a culture of openness, trust and integrity
Executive Commitment: honesty and integrity must be the top priority
Employee Commitment: treat everyone fairly, with mutual respect
Company Awareness: promote a trustworthy and honest atmosphere
Maintaining Ethical Practices: reinforce the importance of the integrity message
Unethical Behavior: unauthorized use of company information integral to the success of the company will not be tolerated

12 Email Policy
General usage: to prevent tarnishing the company's public image
Prohibited use: email cannot be used for any disruptive or offensive messages
Personal use: states whether email can or cannot be used for personal purposes
Monitoring: no privacy for stored, sent or received messages; monitored without prior notice

13 Email Policy
Retention: determines how long an email is to be retained
Four main classifications:
  Administrative correspondence: 4 years
  Fiscal correspondence: 4 years
  General correspondence: 1 year
  Ephemeral correspondence: until read
Instant Messenger correspondence: retention only applies to administrative and fiscal correspondence
Encrypted communications: stored in decrypted format

14 Email Policy
Automatic forwarding: restricted to prevent unauthorized or inadvertent disclosure of sensitive information
Permitted when:
  Approved by the appropriate manager
  Sensitive information, as defined in the Information Sensitivity Policy, is encrypted in accordance with the Acceptable Encryption Policy

15 Anti-Virus Policy
To prevent computer virus problems:
  Install anti-virus software
  Update anti-virus software daily
  Always keep anti-virus software in auto-protect mode
  Scan storage media for viruses before using them
  Never open any email from an unknown source
  Never download files from an unknown source
  Remove virus-infected computers from the network until verified as virus-free

16 Password Policy
A standard for the creation of strong passwords:
  Contain both upper and lower case characters
  Contain digits and punctuation characters
  At least eight alphanumeric characters long
  Not based on personal information
  Not a word in any language
  Can be easily remembered
Frequency of password change

17 Password Policy
Protection of passwords:
  Never written down or stored on-line
  Don't reveal a password over the phone
  Don't reveal a password in an email message
  Don't reveal a password to the boss
  Don't reveal a password to co-workers
  Don't hint at the format of a password
  Don't share a password with family members
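The creation rules on slide 16 are the kind of policy statement that is usually turned into an automated check at password-change time. The following Python is an added example written for this page, not code from the presentation or from SANS; it checks the testable rules from the slide (case mix, digit, punctuation, minimum length, not based on personal information, not a dictionary word) and reports every rule a candidate password violates. "Can be easily remembered" cannot be checked by a program and is left to the user. The small word list and the personal-information tokens are constructed stand-ins; a real deployment would load a full dictionary and the user's profile data.

```python
import string

# Constructed stand-in for "a word in any language" (assumption: a real
# system loads a full word list instead of this handful of entries).
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "secret"}

MIN_LENGTH = 8  # slide 16: at least eight characters


def _letters_only(password):
    """Lower-case letters of the password with digits/punctuation removed,
    so that 'Secret1!' is still recognised as the dictionary word 'secret'."""
    return "".join(c for c in password.lower() if c.isalpha())


def check_password(password, personal_info=(), dictionary=DICTIONARY):
    """Return the list of slide-16 rules the password violates (empty = compliant).

    personal_info: strings such as the user's name, login or birth year that
    the password must not be based on.
    """
    violations = []

    if len(password) < MIN_LENGTH:
        violations.append("shorter than eight characters")

    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        violations.append("must contain both upper and lower case characters")

    if not any(c.isdigit() for c in password):
        violations.append("must contain a digit")

    if not any(c in string.punctuation for c in password):
        violations.append("must contain a punctuation character")

    lowered = password.lower()
    for item in personal_info:
        token = item.lower()
        # Very short tokens (e.g. initials) would match almost anything, so
        # only tokens of three or more characters are considered.
        if len(token) >= 3 and token in lowered:
            violations.append(f"based on personal information ({item!r})")

    core = _letters_only(password)
    if lowered in dictionary or (core and core in dictionary):
        violations.append("is a dictionary word")

    return violations


def is_compliant(password, personal_info=()):
    """True when the password passes every automated rule from slide 16."""
    return not check_password(password, personal_info)


if __name__ == "__main__":
    # Constructed sample candidates and a constructed user profile.
    profile = ["alice", "1990"]
    for candidate in ["password", "Secret1!", "Alice2024!x", "Tr0ub4dor&3"]:
        problems = check_password(candidate, profile)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

The check returns every violated rule rather than stopping at the first one, which is what a user-facing password form needs in order to explain a rejection. Stripping digits and punctuation before the dictionary lookup catches the common habit of appending "1!" to an ordinary word; it does not catch letter-for-digit substitutions, which the slide's rules do not address either.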

18 Connection Policy
Remote Access: defines standards for connecting to the company's network from any external host or network
General:
  Same considerations as an on-site connection
  General Internet access for recreational use by the immediate household is permitted
Requirements:
  Public/private keys with strong pass-phrases
  Cannot be connected to another network at the same time
  Cannot provide their login or password to anyone
  Must have the most up-to-date anti-virus software installed

19 Connection Policy
Analog/ISDN Line: defines standards for the use of analog/ISDN lines for sending and receiving faxes, and for connection to computers
Scenarios and Business Impact: an outside attacker attached to the trusted network
Facsimile Machines: physically disconnected from computers and the internal network
Computer-to-Analog Line Connections: a significant security threat
Requesting an Analog/ISDN Line: must state why other secure connections cannot be used

20 Connection Policy
Dial-in Access: to protect information from being inadvertently compromised by authorized personnel using a dial-in connection
One-time password authentication: required to connect to the company's sensitive information; a reasonable measure to protect assets
Analog and non-GSM digital cellular phones: their signals are readily scanned by unauthorized individuals
Monitor account activity: disable the account after no access for six months

21 Connection Policy
Extranet: describes how third-party organizations connect to the company network for the purpose of transacting business related to the company
Least access, granted in the best possible way:
  Valid business justification
  Approved by a project manager
  Point of contact from the sponsoring organization
  Subject to the Third Party Connection Agreement
Establishing Connectivity: provide complete information about the proposed access

22 Connection Policy
Modifying Access: notify the extranet management group so that security and connectivity evolve accordingly
Terminating Access: when access is no longer required, terminate the circuit
Third Party Connection Agreement: defines the standards and requirements, including legal requirements, needed in order to interconnect a third-party organization's network to the production network; must be signed by both parties

23 Connection Policy

24 Connection Policy
Virtual Private Network (VPN) Security: defines the requirements for remote-access IPSec or L2TP VPN connections to the company network
  Force all traffic to and from the PC over the VPN tunnel
  Dual tunneling is not allowed
  24-hour absolute connection time limit
  Automatically disconnected after 30 minutes of inactivity
  Only the approved VPN client can be used
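Slides 20 and 24 state three numeric controls (a dial-in account is disabled after six months without access; a VPN session is cut at a 24-hour absolute limit or after 30 minutes of inactivity). The Python below is an added example for this page, not code from the presentation or from any VPN product, showing how those thresholds become an enforcement pass over session and account records. The session and account data are constructed; "six months" is approximated as 180 days, which is an assumption since the slide gives no exact day count.

```python
from datetime import datetime, timedelta

# Thresholds taken from the slides.
ABSOLUTE_LIMIT = timedelta(hours=24)      # slide 24: 24-hour absolute connection limit
IDLE_LIMIT = timedelta(minutes=30)        # slide 24: disconnect after 30 min inactivity
DIAL_IN_DORMANCY = timedelta(days=180)    # slide 20: "six months" (assumed 180 days)


def vpn_session_action(started, last_activity, now):
    """Decide what the VPN concentrator should do with one session.

    The absolute limit is checked first: a session that is 24 hours old is
    torn down even if the user is active right now.
    """
    if now - started >= ABSOLUTE_LIMIT:
        return "disconnect: absolute 24h limit reached"
    if now - last_activity >= IDLE_LIMIT:
        return "disconnect: idle for 30 min"
    return "keep"


def review_vpn_sessions(sessions, now):
    """Map each session id to its action; sessions is a list of dicts with
    keys 'id', 'started' and 'last_activity' (all datetimes)."""
    return {s["id"]: vpn_session_action(s["started"], s["last_activity"], now)
            for s in sessions}


def dormant_dial_in_accounts(last_access, now):
    """Return the sorted list of dial-in accounts to disable.

    last_access maps a user name to the datetime of the last successful
    dial-in, or None if the account has never been used.
    """
    return sorted(user for user, when in last_access.items()
                  if when is None or now - when >= DIAL_IN_DORMANCY)


if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0)
    # Constructed active-session table.
    sessions = [
        {"id": "s1", "started": datetime(2024, 5, 31, 11, 0),
         "last_activity": datetime(2024, 6, 1, 11, 55)},   # 25 h old, active
        {"id": "s2", "started": datetime(2024, 6, 1, 8, 0),
         "last_activity": datetime(2024, 6, 1, 11, 20)},   # idle 40 min
        {"id": "s3", "started": datetime(2024, 6, 1, 8, 0),
         "last_activity": datetime(2024, 6, 1, 11, 50)},   # fine
    ]
    for sid, action in review_vpn_sessions(sessions, now).items():
        print(sid, action)
    # Constructed dial-in account records.
    accounts = {"alice": datetime(2024, 5, 1), "bob": datetime(2023, 10, 1), "carol": None}
    print("disable:", dormant_dial_in_accounts(accounts, now))
```

Treating a never-used account as dormant is a deliberate choice: an account created for a dial-in user who never connected is exactly the kind of forgotten credential the six-month rule is meant to remove.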

25 Connection Policy
Wireless Communication: defines standards for wireless systems used to connect to the company network
Access Points and PC Cards: registered with and approved by InfoSec
Approved Technology: use approved products and security configurations
Encryption and Authentication: drop all unauthenticated and unencrypted traffic
Setting the SSID: should not contain any identifying information

26 Reference
The SANS Security Policy Project
Information Security Policies & Computer Security Policy Directory
RFC 1244 – Site Security Handbook
Google

29 Homework
1. Write a full version of the policy based on assignment 5, "Acceptable student use of the GTS", using the format presented
2. Define the presented usages of policies
Tips:
  The policy document's format is located on slide 3
  The usages of policies are located on slide 4
  You may find more information at SANS

30 Questions Any questions?