
95752:11-1 Security Policy

95752:11-2 Policy
A policy is a set of detailed rules stating what is allowed on the system and what is not.
Topics covered in this lecture:
– User policy
– System policy
– Network policy
– US law
– Trust

95752:11-3 Policy Making
– Formulations:
  – A general "catch-all" policy
  – A specific, asset-based policy
  – A general policy, augmented with standards and guidelines
– Role of a policy:
  – Clarify what is protected and why
  – State who is responsible for protection
  – Provide a basis for interpreting and resolving conflicts
  – Retain validity over time

95752:11-4 Standards & Guidelines
– Standards:
  – Codification of successful security practice
  – Platform-independent and enforceable
  – Change over time, but slowly
– Guidelines:
  – Interpret the standards for a particular environment
  – May be violated if needed

95752:11-5 Building Policy
– Assign an owner
– Be positive
  – Motivate the desired behavior
  – Allow for error
– Include education
– Place authority with responsibility
– Pick a basic philosophy
  – Paranoid
  – Prudent
  – Permissive
  – Promiscuous
– Don't depend on anything being "impossible to break"

95752:11-6 Security Through Obscurity
– "If we don't tell them, they won't know" is false:
  – It is found by experimentation
  – It is found through other references
  – It is passed around by word of mouth
– Often used as a basis for ignoring risks
– A local algorithm with unavailable sources provides no real security
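
The following is an added example, not part of the lecture, showing the "found by experimentation" point on a scheme that relies on nobody knowing its algorithm. The in-house scheme, the key, the record format and the known header are all constructed here; the attack is a standard known-plaintext recovery of a repeating XOR key.

```python
"""Added example, not from the lecture: what "if we don't tell them, they
won't know" buys you. A homegrown scheme keeps its algorithm secret: the
data is XORed with a short repeating key. Without ever seeing the source, an
attacker who knows (or can guess) a few bytes of plaintext, such as a fixed
record header, recovers the key by experimentation and reads everything.
The key, plaintext and header below are constructed for this example."""
from itertools import cycle


def obscure(data: bytes, key: bytes) -> bytes:
    """The 'secret' algorithm. Nothing protects the data except the hope
    that nobody works out what this function does."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 32) -> bytes:
    """Known-plaintext attack on repeating-key XOR.

    XORing ciphertext with the matching plaintext bytes gives the key stream.
    The shortest period that repeats consistently across the known span is the
    key. The known prefix must cover at least two key lengths so that a period
    is confirmed rather than assumed."""
    if len(known_prefix) > len(ciphertext):
        raise ValueError("known prefix longer than ciphertext")
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for n in range(1, max_key_len + 1):
        if 2 * n > len(stream):
            break
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    raise ValueError("no consistent repeating key of length <= max_key_len")


def break_obscurity(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Recover the key from the known prefix, then decrypt the whole message."""
    key = recover_key(ciphertext, known_prefix)
    return obscure(ciphertext, key)  # XOR is its own inverse


# Constructed sample: an audit record with a fixed header, "protected" by the
# in-house scheme with a key that only ever lived inside the binary.
SECRET_KEY = b"s3cr3t"
RECORD = b"AUDIT v1 2024-01-01 user=alice action=login result=ok\n"
KNOWN_HEADER = b"AUDIT v1 2024"   # 13 bytes: every record starts this way
CIPHERTEXT = obscure(RECORD, SECRET_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(CIPHERTEXT, KNOWN_HEADER))
    print("plaintext:", break_obscurity(CIPHERTEXT, KNOWN_HEADER))
```

Thirteen bytes of guessable header are enough to recover a six-byte key; the attacker never needed the source, the algorithm, or a word from anyone. A policy that lists "the algorithm is not published" as a control is listing nothing.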

95752:11-7 Going Public
Who to tell about a vulnerability, and what each wider audience implies:
– Vendor / CERT/CC
– Other administrators (warning)
– User community (danger)
– Internet community (infectious danger)

95752:11-8 User-level Policy
– Authentication: method, protection, disclosure
– Importing software: process, safeguards, location
– File protection: defaults, variations
– Equipment management: process, physical security
– Backups: how, when
– Problem reporting: who, how, emergencies

95752:11-9 System-level Policy
– Default configuration
– Installed software
– Backups
– Logging
– Auditing
– Updates
– Principal servers or clients
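
The following is an added example, not part of the lecture, turning the "file protection: defaults, variations" item of the user-level policy and the "default configuration" item of the system-level policy into a check that can be run against a host. The FilePolicy values, the sticky-directory exemption and the demo tree are constructed here.

```python
"""Added example, not from the lecture. A FilePolicy states the defaults (no
world- or group-writable files, no setuid/setgid programs) and the explicitly
granted variations; audit_tree() walks a directory and reports every path that
departs from it. Policy values and the demo tree are constructed for this
example."""
from __future__ import annotations
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FilePolicy:
    forbid_world_writable: bool = True
    forbid_group_writable: bool = True
    # Granted variations, as absolute paths
    allowed_setuid: frozenset = frozenset()
    allowed_group_writable: frozenset = frozenset()


def classify(path: str, mode: int, policy: FilePolicy) -> list[str]:
    """Return the policy violations for one path given its st_mode."""
    problems = []
    is_dir = stat.S_ISDIR(mode)
    # A sticky world-writable directory (/tmp style) is the accepted variation
    # for a shared drop area: anyone may create, only the owner may remove.
    sticky_dir = is_dir and bool(mode & stat.S_ISVTX)
    if policy.forbid_world_writable and mode & stat.S_IWOTH and not sticky_dir:
        problems.append("world-writable")
    if (policy.forbid_group_writable and mode & stat.S_IWGRP
            and not sticky_dir and path not in policy.allowed_group_writable):
        problems.append("group-writable")
    if (mode & (stat.S_ISUID | stat.S_ISGID) and not is_dir
            and path not in policy.allowed_setuid):
        problems.append("setuid/setgid outside allow-list")
    return problems


def audit_tree(root: str, policy: FilePolicy) -> list[tuple[str, str]]:
    """(path, violation) for every entry under root. lstat() is used so a
    planted symlink cannot drag the audit out of the tree or hide a mode."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            for problem in classify(path, mode, policy):
                findings.append((path, problem))
    return findings


def demo() -> list[tuple[str, str]]:
    """Build a small constructed tree, audit it, return (name, violation)."""
    policy = FilePolicy()
    with tempfile.TemporaryDirectory() as root:
        for name, mode in [("notes.txt", 0o666), ("report.txt", 0o644)]:
            p = os.path.join(root, name)
            open(p, "w").close()
            os.chmod(p, mode)
        os.mkdir(os.path.join(root, "drop"), 0o700)
        os.chmod(os.path.join(root, "drop"), 0o1777)   # sticky: allowed variation
        os.mkdir(os.path.join(root, "shared"), 0o700)
        os.chmod(os.path.join(root, "shared"), 0o777)  # not sticky: flagged
        found = audit_tree(root, policy)
    return sorted((os.path.basename(p), v) for p, v in found)


if __name__ == "__main__":
    for name, violation in demo():
        print(f"{name}: {violation}")
```

The policy object is the "default" and its two allow-lists are the recorded "variations"; a setuid binary or a group-writable path that is not on the list is a finding even if someone had a reason for it, because the reason was never written down where the audit could see it.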

95752:11-10 Network-level Policy
– Supported services
– Exported services: authentication, protection, restriction
– Imported services: authentication, protection, privacy
– Network security mechanisms
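
The following is an added example, not part of the lecture, comparing the "supported services" and "exported services: restriction" items against what a host is actually listening on. The input is the listener table as printed by `ss -lntp`; the sample output, the policy mapping and the process names are constructed here.

```python
"""Added example, not from the lecture. A service bound to a non-loopback
address is exported to the network. The policy maps each supported exported
port to the program allowed to serve it; any other reachable listener, or a
supported port served by an unexpected program, is reported. The ss output,
policy values and process names are constructed for this example."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    host: str
    port: int
    process: str


LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")
PROCESS_RE = re.compile(r'\(\("([^"]+)"')   # users:(("sshd",pid=812,fd=3))


def parse_listeners(ss_output: str) -> list[Listener]:
    """Parse `ss -lntp` output; the header and non-LISTEN rows are skipped.
    Only the column layout of that command is relied on."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = fields[3].rsplit(":", 1)     # "[::]:22" -> "[::]", "22"
        m = PROCESS_RE.search(line)
        listeners.append(Listener(host, int(port), m.group(1) if m else "<unknown>"))
    return listeners


def is_exported(listener: Listener) -> bool:
    """Anything not bound to loopback is reachable from the network,
    whether it is bound to one interface or to all of them."""
    return not listener.host.startswith(LOOPBACK_PREFIXES)


def check_exports(listeners: list[Listener], policy: dict[int, str]) -> list[tuple[Listener, str]]:
    findings = []
    for lst in listeners:
        if not is_exported(lst):
            continue
        expected = policy.get(lst.port)
        if expected is None:
            findings.append((lst, "exported service not in the supported-services list"))
        elif lst.process != expected:
            findings.append((lst, f"port {lst.port} is reserved for {expected}, served by {lst.process}"))
    return findings


# Constructed sample in `ss -lntp` layout.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("python3",pid=1407,fd=5))
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1200,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       70      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1330,fd=20))
LISTEN  0       4096    0.0.0.0:9090         0.0.0.0:*          users:(("node",pid=2044,fd=18))
"""

# Constructed policy: supported exported services and who may serve them.
POLICY = {22: "sshd", 443: "nginx"}

if __name__ == "__main__":
    for lst, reason in check_exports(parse_listeners(SAMPLE_SS), POLICY):
        print(f"{lst.host}:{lst.port} ({lst.process}): {reason}")
```

The loopback PostgreSQL listener passes because it is not exported; the database and the ad-hoc node service on 3306 and 9090 fail the supported-services test, and port 443 fails the restriction test because the policy reserved it for nginx and something else is answering there.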

95752:11-11 US Law
This is general advice, not legal counsel: before taking any legal action, consult a lawyer!
– Legal options
– Legal hazards
– Being the target of an investigation
– General tips
– Civil actions
– Intellectual property
– Liability

95752:11-12 Legal Options
– Think before you pursue legal action
– Civil actions
– Reasons to prosecute:
  – Filing an insurance claim
  – Private data was involved
  – Avoid being an accessory to later break-ins
  – Avoid a civil suit with punitive damages
  – Avoid liability from your users

95752:11-13 Legal Hazards
– Computer-illiterate agents
– Over-zealous compliance with a search order
– Attitude and behavior of investigators
  – Work loss
  – Problems arising from the case
  – Problems with working relationships
– Publicity loss
– Seizure of equipment
– The trend in the enforcement community is positive

95752:11-14 Being the Target
– COOPERATE
– Individual involvement:
  – Document the level of authorized access
  – Limit the level of seizure and prosecution
– Officers will seize everything related to the unauthorized use
– The wait for its return can be very long
– You can challenge the reasons for the search
– Involve legal help as soon as possible!

95752:11-15 General Tips (1)
– Replace welcome messages with warning messages
– Put ownership or copyright notices on each source file
– Be certain users are notified of the usage policy
– Notify all users of what may be monitored
– Keep good backups in a safe location
– When you get suspicious, start a diary/journal of observations
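
The following is an added example, not part of the lecture, checking the first tip on an OpenSSH host. The text named by the Banner directive in sshd_config is shown before authentication and /etc/issue is shown on local consoles, so those two are what a visitor sees first. The sample configs, the banner texts and the keyword lists are constructed here, and Match blocks in sshd_config are not interpreted.

```python
"""Added example, not from the lecture. audit_login_banners() reports a
missing pre-authentication banner and any banner that welcomes the reader or
carries no authorized-use / monitoring warning. Sample configs, banner texts
and keyword lists are constructed for this example; sshd Match blocks are not
interpreted."""
from __future__ import annotations
import re

WELCOMING = re.compile(r"\b(welcome|enjoy)\b", re.IGNORECASE)
WARNING = re.compile(r"\b(authori[sz]ed|monitor(ed|ing)|prosecut(ed|ion)|consent)\b",
                     re.IGNORECASE)


def banner_path(sshd_config: str) -> str | None:
    """File named by the effective Banner directive, or None when no banner is
    shown. sshd uses the first occurrence of a keyword, ignores comment lines,
    and treats the value 'none' as 'no banner'."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "banner":
            value = parts[1].strip() if len(parts) == 2 else "none"
            return None if value.lower() == "none" else value
    return None


def check_wording(text: str) -> list[str]:
    problems = []
    if WELCOMING.search(text):
        problems.append("welcomes the reader")
    if not WARNING.search(text):
        problems.append("no authorized-use or monitoring warning")
    return problems


def audit_login_banners(sshd_config: str, files: dict[str, str]) -> list[str]:
    """files maps a path to its contents (what would be read from disk)."""
    findings = []
    path = banner_path(sshd_config)
    if path is None:
        findings.append("sshd: no Banner directive; nothing is shown before authentication")
    elif path not in files:
        findings.append(f"sshd: Banner file {path} is missing")
    else:
        findings += [f"sshd banner {path}: {p}" for p in check_wording(files[path])]
    findings += [f"/etc/issue: {p}" for p in check_wording(files.get("/etc/issue", ""))]
    return findings


# Constructed weak setting: the banner line is commented out and the console
# greets whoever connects.
WEAK_SSHD = "Port 22\n#Banner none\nPermitRootLogin no\n"
WEAK_FILES = {"/etc/issue": "Welcome to buildhost01!\nEnjoy your stay.\n"}

# Constructed corrected setting: a warning shown before authentication and on
# the console.
GOOD_SSHD = "Port 22\nBanner /etc/issue.net\nPermitRootLogin no\n"
NOTICE = ("WARNING: This system is for authorized users only. All activity is "
          "monitored and recorded; continuing implies consent to monitoring.\n")
GOOD_FILES = {"/etc/issue.net": NOTICE, "/etc/issue": NOTICE}

if __name__ == "__main__":
    print("weak:", audit_login_banners(WEAK_SSHD, WEAK_FILES))
    print("corrected:", audit_login_banners(GOOD_SSHD, GOOD_FILES))
```

The wording check is deliberately crude; what matters is that it fails closed: a banner that says nothing about authorization or monitoring is reported, so a host that merely removed "Welcome" still shows up.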

95752:11-16 General Tips (2)
– Define, in writing, the authorization of each user and employee, and have them sign it
– Ensure employees return equipment on termination
– Do not allow users to conduct their own investigations
– Make contingency plans with your lawyer and insurer
– Identify qualified law enforcement contacts at the local and federal level

95752:11-17 Lawsuits
– You can sue anyone for any reasonable claim of damages or injury
– Caveats:
  – Very expensive
  – Long delays
  – You may not win
  – You may not collect anything
– The vast majority of actions are settled out of court
– CONSULT A LAWYER FIRST

95752:11-18 Intellectual Property
– Copyright infringement
  – Covers the expression of an idea
  – Derivative works
  – Use outside of fair use
– Trademark violation
  – Use of registered words, symbols or phrases
  – Lack of credit
– Patent concerns
  – Covers the application of an idea
  – Based on prior art
  – Prevents redundant application

95752:11-19 Liability
– Personal liability
– Corporate liability
– Good security helps to limit both

95752:11-20 Trust
– The tools of computer security are themselves resident on computers
– They are just as mutable as any other information on those computers
– Can we trust our computer?
– Can we trust our software?
– Can we trust our suppliers?
– Can we trust our people?
– Trust, but verify

95752:11-21 Trusting Our Computer
– Hardware bugs
– Hardware features
– Peripheral bugs and features
– Microcode problems

95752:11-22 Trusting Our Software
– Operating system bugs and features
– System software back-doors
– Who wrote the software?
– Who maintains the software?
– Is GOTS / COTS (government or commercial off-the-shelf) software trustworthy?

95752:11-23 Trusting Our Suppliers
– Development process
– Bugs
– Testing
– Configuration control
– Distribution control
– Hacker challenges

95752:11-24 Trusting Our People
– Vendors
– Consultants
– Employees
– System administrators
– Response personnel

95752:11-25 Trust, but Verify
– Trust with a suspicious attitude
– Ask questions
– Do background checks
– Test code
– Get written assurances
– Anticipate problems and attacks
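
The following is an added example, not part of the lecture, connecting "distribution control" on the supplier slide with "verify" on this one. For a downloaded release the two reduce to a mechanical check: does the artifact match the digest recorded out of band when the release was vetted? The artifact names and bytes are constructed here.

```python
"""Added example, not from the lecture. A pin is the digest of a release
recorded at vetting time from a source independent of the download channel
(signed release notes, a phone call to the vendor). A digest file sitting next
to the tarball on the same server adds nothing, since whoever replaced the
tarball could replace it too. Artifact names and bytes are constructed for
this example."""
from __future__ import annotations
import hashlib
import hmac


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_release(name: str, data: bytes, pins: dict[str, str]) -> None:
    """Record the digest of a vetted release. An existing pin is never
    silently overwritten: a changed digest for the same version is exactly
    the event the check exists to catch."""
    if name in pins and not hmac.compare_digest(pins[name], digest(data)):
        raise ValueError(f"{name} is already pinned with a different digest")
    pins[name] = digest(data)


def verify_release(name: str, data: bytes, pins: dict[str, str]) -> bool:
    """True only when the artifact is pinned and its digest matches. Unknown
    artifacts are rejected rather than trusted by default. compare_digest is
    not needed for a public digest; it is the habit that matters when the
    compared value is a secret."""
    expected = pins.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, digest(data))


def demo() -> dict[str, bool]:
    """Vet one release, then check three copies against the pin."""
    pins: dict[str, str] = {}
    good = b"vendor-agent 1.4.2 release tarball (constructed bytes)"
    tampered = good[:-1] + b"!"          # a single byte changed in transit
    pin_release("vendor-agent-1.4.2.tar.gz", good, pins)
    return {
        "vetted copy": verify_release("vendor-agent-1.4.2.tar.gz", good, pins),
        "tampered copy": verify_release("vendor-agent-1.4.2.tar.gz", tampered, pins),
        "unpinned artifact": verify_release("vendor-agent-1.4.3.tar.gz", good, pins),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

The unpinned 1.4.3 artifact is rejected even though its bytes are the vetted ones: the policy is that nothing is installed until someone has vetted that version and written the pin down, which is the "written assurance" of the slide in machine-checkable form.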