SECURITY POLICIES Indu Ramachandran. Outline General idea/Importance of security policies When security policies should be developed Who should be involved.


SECURITY POLICIES Indu Ramachandran

Outline
- General idea/importance of security policies
- When security policies should be developed
- Who should be involved in this process
- Cost of security policies
- Available resources
- Security policies in detail
- Failure of security policies
- After the security policy is written

About Security Policies
- Increased level of threats
- Organization's attitude towards security policies
- Establishing standards
- More than just "keeping the bad guys out"!
- Management and security policy
- Policies, not procedures!!

Importance of Security Policies
- Establishes standards
- Provides basic guidelines
- Defines appropriate behavior
- Helps against being sued

Aspects of Security
- Traditional ideas of security
- Revised security aspects
- Confidentiality: protect objects from unauthorized release/use of information
- Integrity: preserve objects / avoid unauthorized modification

When Should Policies Be Developed
- Ideal scenario (often not the case)
- After a security breach
- To mitigate liability
- To document compliance
- To demonstrate quality control processes
- Customer/client requirements

Who Should Be Involved
- Basically EVERYONE!!!!!
- System users
- System support personnel
- Managers
- Business lawyers

Importance of Involving Management
- Funding and commitment
- Leadership
- Authority
- Responsibility/support

Do You Need Security Policies??
Questions to answer this question...
- Do workers at your organization handle information that is confidential?
- Do workers at your organization access the internet?
- Does your organization have trade secrets?
- Custom questions to suit you!!

The Security Cost Function
- Cost for security: exponential increase
- Trade-off between cost for security and cost of violations
- Formula for calculating cost: Total cost for violations = cost for a single violation x frequency of the violation
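A worked model of the trade-off on this slide, added here as an example and not part of the original presentation: it applies the slide's formula (cost per violation x frequency) against a security cost that grows exponentially with a "protection level", and finds the level where the total is lowest. The exponential growth rate, the halving of violation frequency per level and all money figures are constructed assumptions for illustration only.

```python
"""Security cost trade-off model (added example; figures are constructed)."""
import math


def security_cost(level, base=1_000.0, growth=0.9):
    """Cost of controls at protection level `level`: exponential increase (assumed rate)."""
    return base * math.exp(growth * level)


def violation_frequency(level, initial=40.0, reduction=0.5):
    """Expected violations per year; each level halves the frequency (assumed)."""
    return initial * reduction ** level


def violation_cost(level, cost_per_violation):
    """Slide formula: total cost for violations = cost per violation x frequency."""
    return cost_per_violation * violation_frequency(level)


def total_cost(level, cost_per_violation):
    """What the organisation actually pays: controls plus expected losses."""
    return security_cost(level) + violation_cost(level, cost_per_violation)


def cost_table(cost_per_violation, max_level=10):
    """Rows of (level, security cost, violation cost, total) for levels 0..max_level."""
    return [
        (lvl, security_cost(lvl), violation_cost(lvl, cost_per_violation),
         total_cost(lvl, cost_per_violation))
        for lvl in range(max_level + 1)
    ]


def optimal_level(cost_per_violation, max_level=10):
    """Integer protection level that minimises total cost."""
    return min(range(max_level + 1),
               key=lambda lvl: total_cost(lvl, cost_per_violation))


if __name__ == "__main__":
    # Cheap violations justify little spending; expensive ones justify more.
    for per_violation in (5_000, 50_000):
        print(f"cost per violation {per_violation}:")
        for lvl, sec, viol, tot in cost_table(per_violation, max_level=6):
            print(f"  level {lvl}: security {sec:10.0f}  violations {viol:10.0f}  total {tot:10.0f}")
        print(f"  optimal level: {optimal_level(per_violation)}")
```

Raising the cost of a single violation moves the optimum to a higher protection level, which is the argument the slide makes for sizing the policy effort to the assets at risk.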

GOOD NEWS!!!! You are not on your own!!!
- Internet resources
- The SANS Institute
- NIST (National Institute of Standards and Technology)
- RFCs
- Universities

Resources (cont'd)
- Books
  - Guide for Developing Security Policies for Information Technology Systems
  - Information Security Policies Made Easy: around security templates, used by several large organizations
- Training sessions
  - SANS Institute

Types of Security Policies
- Administrative security policy. Examples of administrative security policies:
  - Users must change their password each quarter
  - Employees must not use dial-out modems from their desktops
- Technical security policies. Examples:
  - Servers will be configured to expire passwords each quarter
  - Accounts must initiate a lockout after four unsuccessful login attempts
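An added example, not from the slides, of how the two technical policy statements above become a check that can be run against a host's configuration. It assumes a Linux host where password ageing lives in /etc/login.defs (PASS_MAX_DAYS) and login lockout in /etc/security/faillock.conf (deny); the file contents below are constructed samples, and the check does not verify that pam_faillock is actually wired into the PAM stack.

```python
"""Check two technical policies against host configuration (constructed samples)."""

QUARTER_DAYS = 90       # "expire passwords each quarter"
MAX_FAILED_LOGINS = 4   # "lockout after four unsuccessful login attempts"

# Constructed sample files, not taken from any real host.
COMPLIANT_LOGIN_DEFS = "# password ageing\nPASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\n"
LAX_LOGIN_DEFS = "# distribution default\nPASS_MAX_DAYS   99999\n"
COMPLIANT_FAILLOCK = "deny = 4\nunlock_time = 900\n"
LAX_FAILLOCK = "deny = 10   # far more attempts than policy allows\nunlock_time = 60\n"


def parse_kv(text):
    """Parse 'KEY VALUE' (login.defs) or 'key = value' (faillock.conf) lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_host(login_defs, faillock_conf):
    """Return (policy, status, detail) tuples for the two technical policies."""
    findings = []
    max_days = int(parse_kv(login_defs).get("PASS_MAX_DAYS", 99999))  # shadow default
    findings.append((
        "password expires each quarter",
        "PASS" if max_days <= QUARTER_DAYS else "FAIL",
        f"PASS_MAX_DAYS={max_days} (policy limit {QUARTER_DAYS})",
    ))
    deny = int(parse_kv(faillock_conf).get("deny", 3))  # pam_faillock default is 3
    findings.append((
        "lockout after four failed logins",
        "PASS" if 0 < deny <= MAX_FAILED_LOGINS else "FAIL",
        f"deny={deny} (policy limit {MAX_FAILED_LOGINS})",
    ))
    return findings


if __name__ == "__main__":
    for label, ld, fl in (("compliant host", COMPLIANT_LOGIN_DEFS, COMPLIANT_FAILLOCK),
                          ("lax host", LAX_LOGIN_DEFS, LAX_FAILLOCK)):
        print(label)
        for policy, status, detail in check_host(ld, fl):
            print(f"  {status}  {policy}: {detail}")
```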

What Is in a Security Policy
Three categories. First category: the parameters section
- Introduction
- Audience
- Definitions

What Is in a Security Policy (cont'd)
Second category: risk assessments
- When this should be done
- Benefits
- Who should do this
- Identifying assets
- Threats to assets

What Is in a Security Policy (cont'd)
Third category: the actual policies. Examples of policies:
- Physical security

Examples of Policies (cont'd)
- Authentication
- Password policy
- Remote access policy
- The modem issue

Examples of Policies (cont'd)
- Acceptable use policy
- Examples of AU policy at
- Other policies
- Examples of policies as well as their templates on the SANS website

What Makes a Good Security Policy
- Must be usable
- Must communicate clearly
- Must not impede/interfere with business
- Enforceable
- Updated regularly
- Other factors: interests, laws

Problems with Security Policies
- Increase in tension level
- Security needs viewed differently
- Too restrictive/hard to implement
- Impedes productivity

Conflict and Politics
- Management concentrates on goals for the company
- Technical personnel's agenda
- So what happens??? What do you do???

Information Security Management Committee
- Bridge the gap
- Committee composition
- Responsibilities of the committee

Real-World Problems Caused by Missing Policies
- At a government agency...
- At a local newspaper...

Why Security Policies Fail
- Security is seen as a barrier to progress
- Perceived to have zero benefit
- Obstacle/impediment to productivity
- Security is a learned behavior, not instinct
- Value of assets not taken seriously

Why Security Policies Fail (cont'd)
- Complexity
- Security work is never finished
- Failure to review
- Other reasons: lack of stakeholder support, organizational politics

Compliance & Enforcement
- Training
- Testing the effectiveness of the policy
- Monitoring
- Taking action

Review
- The policy review committee
- Good representation
- Frequency of review meetings
- Responsibilities
- What to review

References
- Barman, Scott. Writing Information Security Policies.