Information System Security Engineering and Management

Slides:



Advertisements
Similar presentations
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Advertisements

Security Controls – What Works
Information Security Policies and Standards
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
Term Project Teams of ~3 students Pick a system (discuss choice with me)  Want simple functionality, security issues, whole system (e. g., client and.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Term Project Pick a system (discuss choice with me)  Want simple functionality, security issues, whole system (e. g., client and server side) Submit a.
Computer Security: Principles and Practice
Stephen S. Yau 1CSE Fall 2006 IA Policies.
Stephen S. Yau CSE , Fall Security Strategies.
کامیار نیرومند کارشناس تیم تجهیزات مرکز تخصصی آپا دانشگاه صنعتی اصفهان پاییز
Payment Card Industry (PCI) Data Security Standard
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Chapter 7 Database Auditing Models
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Information Asset Classification
NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
SEC835 Database and Web application security Information Security Architecture.
Intranet, Extranet, Firewall. Intranet and Extranet.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
SECURITY POLICIES Indu Ramachandran. Outline General idea/Importance of security policies When security policies should be developed Who should be involved.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
Business Computing 550 Lesson 6. 2 Security Threats on Web Sites Issues and vulnerabilities 1.Illegal Access and Use (Hacking the system or users exposing.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Security Professional Services. Security Assessments Vulnerability Assessment IT Security Assessment Firewall Migration Custom Professional Security Services.
Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.
S-vector for Web Application Security Assessment Review of Term Project Requirements and PDR Results CS996 ISM Spring 2005 Dr. William Hery.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
 INADEQUATE SECURITY POLICIES ›Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA.
Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Unit 4 IT 484 Networking Security Course Name – IT Networking Security 1203C Term Instructor.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
Module 4 Quiz. 1. Which of the following statements about Network Address Translation (NAT) are true? Each correct answer represents a complete solution.
Engineering Essential Characteristics Security Engineering Process Overview.
Note1 (Admi1) Overview of administering security.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
IT Security Policy: Case Study March 2008 Copyright , All Rights Reserved.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
Security Discussion IST Retreat June IT Security Statement definition In the context of computer science, security is the prevention of, or protection.
Chapter 8 Auditing in an E-commerce Environment
IPv6 security for WLCG sites (preparing for ISGC2016 talk) David Kelsey (STFC-RAL) HEPiX IPv6 WG, CERN 22 Jan 2016.
Role Of Network IDS in Network Perimeter Defense.
E-Commerce E-Commerce Security?? Instructor: Safaa S.Y. Dalloul E-Business Level Try to be the Best.
Policies and Security for Internet Access
Unit 2 Personal Cyber Security and Social Engineering Part 2.
ASHRAY PATEL Protection Mechanisms. Roadmap Access Control Four access control processes Managing access control Firewalls Scanning and Analysis tools.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Appendix A: Designing an Acceptable Use Policy. Overview Analyzing Risks That Users Introduce Designing Security for Computer Use.
Successfully Implementing The Information System Systems Analysis and Design Kendall and Kendall Fifth Edition.
Chapter 7. Identifying Assets and Activities to Be Protected
ISSeG Integrated Site Security for Grids WP2 - Methodology
Critical Security Controls
Chapter 27: System Security
EDUCAUSE Security Professionals Conference 2018 Jason Pufahl, CISO
Security week 1 Introductions Class website Syllabus review
PLANNING A SECURE BASELINE INSTALLATION
Presentation transcript:

Information System Security Engineering and Management Information Security Policies: General Principals Dr. William Hery hery@isis.poly.edu

What a Security Policy Is and Isn’t A security policy is essentially a document stating security goals, and which actions are required, which are permitted and which are allowed. Policies may apply to actions by a system, by management procedures, by employees, by system users. A complete security policy is a collection policies on specific security issues. Do not confuse a policy with an enforcement mechanism Every security policy statement should have a corresponding enforcement mechanism The enforcement mechanism may be a technology (e. g., a firewall), or a process (e. g., security audit)

Examples of Policy Areas Protection of Sensitive Information Addresses the protection goals Defines the way people interact with the data (who gets access, discussing information, printing, storing, etc.) Policy may prescribe the technology used to handle sensitive information (e. g., DoD)--this technology is one of the enforcement mechanisms Audit is usually another enforcement mechanism Acceptable Use Policy for employee internet access on corporate systems Defines what employees can and cannot use the corporate systems for on the Internet. Should define penalties for violations Enforcement: website blocking, activity logging and audit, individual workstation audit

Definitions There is no standard definition of security policy. Some define them as documents for humans to read: The SANS Institute defines a security policy as "a document that outlines specific requirements or rules that must be met...usually point-specific, covering a single area.” SearchSecurity.com: "In business, a security policy is a document that states in writing how a company plans to protect the company's physical and information technology (IT) assets.” ISO17799: “To provide management direction and support for information security”

Definitions (continued) But in other contexts, machine readable instructions are also called policy: The term “firewall policy” is typically used for the firewall rule set Crypto policy (acceptable algorithms, key lengths) are used in IPSec Security Association (SA) negotiations Machine readable policies all derive from text based policies, and should just be machine readable versions of human readable policies (possibly with detail added) Many documents about policy focus on policies for users and employees (e. g., acceptable use policies) This lecture will take the broad view of what a policy is, but focus on “human readable policies”

What is the Basis for Most Security Policies? Broader organizational, corporate or government policies Risk analysis: Often qualitative (even intuitive) analysis Usually only based on analysis of assets at risk and threats Sensitivity of data (both confidentiality and integrity) is a major source for many organizational level policies, which are based on classes of information (e. g., secret, proprietary, SSN, personal medical, etc.) Vulnerabilities may drive lower level policy Concerns about image (corporate, agency, personal)

Security Policy: General Principals Security policies are detailed, written documents There are usually multiple documents describing policy on specific areas; e. g., “Internet usage by employees”, “Security patch installation policy”, “Password selection and handling policy” etc. Top level policies are often determined by management with significant input from IT: they represent the agency or corporate goals and principals It is important that the policies be distributed to those who have to follow the policy and/or implement the policy enforcement method. It is critical that employees be made aware of policies that affect their actions, violations of which may result in reprimand, suspension, or firing. The fact that individual employees have been made aware should be documented, e. g., by having the employee sign a statement that they attended a training session. Every policy must have an enforcement mechanism

Basic Policy Requirements for Employee Policies

Who Should Be Concerned About Security Policy Managers System designers Users: what are the policy’s impacts on their actions, and what are the ramifications of not following policy System administrators, support personnel who manage enforcement technologies and processes Company lawyers: they may have to use the written policies in support of actions taken against employees in violation

Inclusive versus Exclusive Policies Inclusive polices explicitly state what is allowed, and all other actions are prohibited “Employees may only use the Internet from corporate systems for business related email and web browsing” “Employees may only use the Internet from corporate systems for business related email and web browsing. Occasional personal email and browsing are permitted as long as it does not impact employee performance, corporate system performance and does not include any pornography, illegal activities, or other materials detrimental to the corporation or its perception by the public” Exclusive policies explicitly state what is prohibited “Employees may not use email or web browsers from corporate systems for personal use.” “Employees may not use email or web browsers from corporate systems for pornography, illegal activities or other materials detrimental to the corporation or its perception by the public”

Inclusive versus Exclusive Policies (continued) Inclusive policies provide automatic prohibition for new applications, technologies, (some) attacks, etc. without changing policy Downloading copyright material for personal use Instant Messaging Inclusive policies may need to be updated and updates distributed whenever a new application, technology, etc. comes along It is a matter of (high level) corporate policy whether to use inclusive or exclusive policies

Examples of Policy Areas Employee email usage Employee web browsing usage Privacy of user information Password selection and protection Handling of proprietary information Cryptographic policy (what needs to be encrypted, what algorithms/implementations/key lengths to use) Remote Access Protection of employee issued laptops (physical and network connections)

Examples of Policy Areas--System Management Configuration Management Ongoing Security Monitoring Security Patch Management Incident Response Business Continuity Security Audit

Security Policies are at Multiple Levels High level policies are “human readable” High level policies are often at an organizational level and apply to all systems High level policies may be refined into multiple low level policies that are apply to system actions, management processes, and actions by employees/users For example, a top level policy on protection of sensitive information may include lower level policies on access control lists (system actions), determining the sensitivity level of information (management processes), and who an employee may discuss the information with (employee actions) Lower level policies may be specific to individual systems

Security Policies are at Multiple Levels (continued) Multiple levels of a policy may be in a single document, but the development of the complete policy is “top down” This refinement process level policies may be integrated into the system design process For example, you cannot define a firewall policy until you know your system will use a firewall as enforcement mechanism for a higher level policy “High level” and “lower level” policy is not a standard terminology--this is a useful just a way to think about policies Some authors only consider the high level policies as “policies”

Example of Hierarchical Policies High level:“company proprietary information shall be protected from release to unauthorized personnel” Mid level procedural policy All proprietary information shall have a committee responsible for its control A member of that committee must authorize any distribution of that material Enforcement: training, audit Mid level technology policy: Proprietary information may only be stored on protected systems, accessible only to those with authorized access to the proprietary information There shall be no externally initiated, automated means to retrieve information from the protected systems Low level; e. g., a firewall rule blocking incoming traffic on ports 20 (ftp data), 21 (ftp control), and 69 (tftp) The firewall is the enforcement mechanism

Security Policies and Systems Engineering Top level policies are usually at an organizational, not system level Such polices typically exist before a system development process begins They reflect general organizational policies and goals, such as the handling of classes of sensitive data used broadly in the organization, not just in a single system Top level polices lead to top level system requirements in the initial requirements phase All organizational policies should be reviewed for relevancy at the start of the systems engineering process

Security Policies and Systems Engineering (continued) At the start of the system design process proceeds, the top level policies may impact the requirements (and hence architecture and design) As the system design process proceeds, the architecture of the system will lead to system specific policy interpretations of the top level policy, labeled the “system policy” on the next slide The system policy in turn is an input into the system and security design This may be iterated (depending on the systems engineering model used), with policy refinements occurring as the design is refined At what point does this become requirements allocation and not policy refinement? There is no set rule… Conformance with policy is part of the assessment at each iteration

Adding Policy to the Generic SSE Model Mission Need CONOPS Assets at Risk Threat Analysis Functional Rqmts Prelim. Risk Analysis Legal Rqmnts Primary Sec Rqmts System Arch. Assess (incl. policy) Corp/Org Policy Security Arch Other Rqmts Derived Sec Rqmts System Design Risk Analysis Vulner. Analysis System Policy Assess (incl. policy) Security Design

Examples of Corporate Policy for Network Segmentation Multinational enterprises, which may want to segment their networks to comply with the regulatory requirements of the host nation. Manufacturing environments, in which headquarters may need an administrative connection to the plant but the company doesn't want anyone or anything touching the computers running the assembly line. HR and finance departments, which share a lot of sensitive information among themselves and little with other employees and customers. Business partner connections or newly acquired enterprises, where the "other end" of the network is unknown. Enterprises carving out logical networks for users, Web server farms, management backbones, etc., with specific risk thresholds and security requirements.

Source of Sample Policy Documents and Information The SANS (SysAdmin, Audit, Network, Security) Institute has sample security policies available on-line in many areas. These can be downloaded and used as is, or modified to the needs of a specific company http://www.sans.org/resources/policies/ IETF Site Security Handbook (polices for systems admins) http://www.ietf.org/rfc/rfc2196.txt?number=2196 NIST web site: lots of material on security: technology, best practices, policies, regulations, etc. A search for “security policy” on that site got 6090 hits csrc.nist.gov

POSA Policies Top Level: Credit card information should not be disclosed Mid level: All POSA networks and systems will be protected against “snooping” by unauthorized entities The POSA system shall not permit clerks or other customers to see PIN numbers as they are entered by customers Top Level: The POSA system shall not violate the integrity of the authorization process Mid Level: Clerks shall not override a “no” response to a credit authorization request Lower Level: The POSA system shall automatically block completion of a transaction that has been denied (or) Clerk shall be trained to never complete a transaction that has been denied (In practice policies would be more detailed and have more elements)