Kamyar Niroumand, Equipment Team Specialist, APA Specialized Center, Isfahan University of Technology, Fall 1388 1.


2 Objectives
- Describe the concepts of security policies.
- Examine the standards of Security Policy Design.
- Describe the individual policies in a security policy.
- Examine a detailed complete policy template.
- Describe the policy procedures for Incident Handling and Escalation.

3 Concepts of Security Policies
- A security policy is nothing more than a well-written strategy on protecting and maintaining availability to your network and its resources.
- Most organizations do not have a security policy
  - Excuses are rampant!

4 Policy Benefits
- Categories
- They lower the legal liability to employees and 3rd party users of resources
- They prevent waste on resources
- They protect proprietary and confidential information from theft, unauthorized access or modification, or internal misuse of resources

5 How to Start
- Policy Design
  - policy committee works together to develop an overall strategy for the policy
- Enforcement
  - mechanisms to ensure the policy is enforced
- Monitoring
  - tracking the performance of the policy and its effectiveness, or lack thereof

6 [Figure: a graphical representation of the components of the security policy.]

7 A Question of Trust
- The level of trust varies by the organization
- Balancing is the key
  - too little trust impacts functionality
  - too much trust affects security

8 Trust Options
- Trust all the people all the time
- Trust none of the people none of the time
- Trust some of the people some of the time

9 Policy Committee
- Security Policy Committee
  - Upper & Middle Management
  - Local & Remote Users
  - Human Resources
  - Legal Professionals
  - Security Professionals
  - IT Users

10 Security Policy Scenario
- Organization Overview
- Physical Building Overview
- Network & Computer Overview
- Extranet Overview

11 Are Policies Political?
- Resistance
  - A person who doesn't like change
  - A person who is convinced the policy will hinder their work performance
  - A person who believes the organization is akin to "big-brother"


13 The Policy Design
- Choosing a leader
  - strong project management skills
  - excellent communicator
- Goals
- Formulating the policy

14 Policy Standards
- BS7799
- ISO17799
  - .ch = Switzerland. (Switzerland is also known as 'Confoederatio Helvetica', hence 'ch')

15 BS7799
- Business continuity planning
- System access control
- System development and maintenance
- Physical and environmental security
- Compliance

16 BS7799
- Personnel security
- Security Organization
- Computer and network management
- Asset classification and control
- Security policy

17 ISO17799
- Sections
  - Business Continuity Planning
  - System Access Control
  - System Development and Maintenance
  - Physical and Environmental Security
  - Compliance
  - Personnel Security
  - Security Organization

18 ISO17799
  - Computer and Network Management
  - Asset Classification and Control
  - Security Policy

19 Important RFCs
- RFC 2196: The Site Security Handbook
- RFC 2504: The User's Security Handbook


21 The Policies
- The Acceptable Use Policy
- The User Account Policy
- The Remote Access Policy
- The Information Protection Policy
- The Network Connection Policy
- The Strategic Partner Policy
- The Privileged Access Policy

22 The Policies
- The Password Policy
- The Internet Policy
- Individual policies per technology
  - i.e. firewall policy or IDS policy

23 The Acceptable Use Policy
- Considerations
  - Are users allowed to share user accounts?
  - Are users allowed to install software without approval?
  - Are users allowed to copy software for archive or other purposes?
  - Are users allowed to read and/or copy files that they do not own, but have access to?

24 The Acceptable Use Policy
  - Are users allowed to make copies of any OS files?
  - Are users allowed to modify files they do not own, but have write abilities?
  - Are users required to use password-protected screensavers?

25 The User Account Policy
- Considerations
  - Are users allowed to share their user accounts with coworkers?
  - Are users allowed to share their user accounts with family members or friends?
  - Are users allowed to have multiple accounts on a computer?
  - Are users allowed to have multiple accounts in the network?

26 The User Account Policy
- Considerations
  - Who in the organization has the right to approve requests for new user accounts?
  - How long are accounts to remain inactive before they are disabled?

27 The Remote Access Policy
- Considerations
  - Which users in the organization are authorized for remote access?
  - What is the process for becoming authorized for remote access?
  - What methods of remote access are allowed?
  - Is the entire network accessible remotely?

28 The Remote Access Policy
  - Can remote users use remote management to their computers in the office?
  - Are users' family members allowed to access the organization's network remotely?
  - Are users allowed to install modems to dial out of the network?
  - Will the organization place requirements on the software of computers performing remote access?

29 The Information Protection Policy
- Considerations
  - How are the different levels of data classification labeled?
  - Which users have access to the different levels of data classification?
  - How are users informed of their levels of access?
  - What is the default level of access that is to be applied to all information?

30 The Information Protection Policy
  - Is information that is classified at the top level allowed to be printed on common printers?
  - Are all computers in the network able to store information that has the top level of classification?
  - Will computers that do store top-level information require special security controls?
  - How is information to be disposed of?

31 The Network Connection Policy
- Considerations
  - Are users allowed to install networking hardware into their computers?
  - Which users are authorized to install networking devices into their computers?
  - Who in the organization has the authority to approve of networking component installation?

32 The Network Connection Policy
  - What is the process of documentation for new networking components?
  - What is the procedure in the event that the network is disabled?
  - What is the process in the event an unauthorized network component is found on the network or in a computer?

33 The Strategic Partner Policy
- Considerations
  - Are strategic partners required to have written security policies?
  - Are strategic partners required to provide copies of their policies?
  - Are strategic partners required to disclose their perimeter and internal security measures?

34 The Strategic Partner Policy
  - Will strategic partners be allowed to connect via a VPN?
  - How are those VPNs to be configured?
  - What type of access shall be granted to Strategic Partners?

35 The Privileged Access Policy
- Considerations
  - Who hires the network administration personnel?
  - Who may be allowed root, or domain administrator, or enterprise administrator access?
  - What is the process for requesting privileged access?

36 The Privileged Access Policy
  - Who has the authority to create the privileged access user account?
  - Are administrators allowed to run network-scanning tools?
  - Are administrators allowed to access any file on any computer?
  - What is the process of determining which files administrators do have access to?

37 The Privileged Access Policy
  - Are administrators allowed to run password checking tools?
  - Are privileged accounts allowed to access the network remotely?
  - Can a family member or visitor share a privileged account?

38 The Password Policy
- Considerations
  - Will the Security Administrator have the right to run password-checking tools?
  - What is the minimum length that users' passwords must be?
  - How often must users change their passwords?
  - Can a user re-use a password?
  - What are the restrictions on how a password must be created?

39 The Password Policy
  - What are the penalties for passwords that do not meet the criteria?
  - Are passwords required to be of a different strength for privileged accounts?
  - How many incorrect passwords are required for an account lockout?
  - What is the process of unlocking a locked account?

40 The Password Policy
  - Are screen-savers required to be password protected?
  - Does a user have to log on to the system in order to change a password?
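The password-policy questions on slides 38 to 40 (minimum length, stronger rules for privileged accounts, re-use, lockout threshold, who may unlock) become concrete once they are written down as enforceable rules. The following is an added example, not part of the original deck; every policy value in it is a constructed assumption, and the hashing is illustrative only.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    # Constructed values; the deck only lists the questions a policy must answer.
    min_length: int = 12
    privileged_min_length: int = 20   # a different strength for privileged accounts
    history_depth: int = 10           # previous passwords that may not be re-used
    lockout_threshold: int = 5        # incorrect passwords before the account locks


@dataclass
class Account:
    name: str
    privileged: bool = False
    history: list = field(default_factory=list)   # digests of previous passwords
    failed_logins: int = 0
    locked: bool = False


def _digest(password: str) -> str:
    # Illustrative only: a real credential store uses a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def check_new_password(policy: PasswordPolicy, acct: Account, candidate: str) -> list:
    """Return the policy rules the candidate violates (empty list = accepted)."""
    violations = []
    need = policy.privileged_min_length if acct.privileged else policy.min_length
    if len(candidate) < need:
        violations.append(f"shorter than {need} characters")
    classes = [any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate)]
    if sum(classes) < 3:                      # restriction on how a password is created
        violations.append("fewer than 3 character classes")
    if acct.name.lower() in candidate.lower():
        violations.append("contains the account name")
    if _digest(candidate) in acct.history[-policy.history_depth:]:
        violations.append(f"reused within last {policy.history_depth} passwords")
    return violations


def set_password(policy: PasswordPolicy, acct: Account, candidate: str) -> bool:
    """Apply the change only when no rule is violated; remember it for re-use checks."""
    if check_new_password(policy, acct, candidate):
        return False
    acct.history.append(_digest(candidate))
    return True


def record_login(policy: PasswordPolicy, acct: Account, success: bool) -> bool:
    """Count incorrect passwords; return True once the account is locked."""
    if success:
        acct.failed_logins = 0
    else:
        acct.failed_logins += 1
        if acct.failed_logins >= policy.lockout_threshold:
            acct.locked = True
    return acct.locked


def unlock(acct: Account, approver_is_admin: bool) -> bool:
    """The unlocking process: here only an administrator may clear a lockout."""
    if approver_is_admin:
        acct.locked, acct.failed_logins = False, 0
    return not acct.locked
```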

41 The Internet Policy
- Considerations
  - Are all users allowed to access the Internet?
  - Are all users allowed to access Web sites?
  - Are users allowed to access remote servers?
  - Are there limits on the size of Internet downloads?

42 The Internet Policy
  - Are there controls in place to restrict access to objectionable Web sites?
  - Are users aware of the controls on access?
  - Will the organization monitor users' access to Web sites?
  - Are users allowed to use organizational resources for personal use?
  - What level of privacy will users be granted with their

43 Miscellaneous Policies
- Considerations
  - Are users able to install PDA software on their components?
  - Who in the organization is going to support the user-installed application?
  - Will administrators be able to review the content stored on the PDA?


45 Sample Escalation Procedures for Security Incidents
- Computer security incidents
  - Loss of personal information
  - Suspected sharing of User accounts
  - Unfriendly employee termination
  - Suspected violations of specials access
  - Suspected computer break-in or computer virus

46 Sample Escalation Procedures for Security Incidents
- Physical Security Incidents
  - Illegal building access
  - Property damage or personal theft

47 Incident Handling
- The steps of incident handling must be discussed before an incident occurs

48 Sample Incident Handling Procedure
- Introduction
- General procedures
- Specific procedures
