Security Policies Paul Hogan Ward Solutions. Agenda 09:30 10:10 Security Policies 10:10 10:30 Veritas 10:30 10:45Break 10:45 11:55 Securing your Server.

Security Policies Paul Hogan Ward Solutions

Agenda
09:30 - 10:10  Security Policies
10:10 - 10:30  Veritas
10:30 - 10:45  Break
10:45 - 11:55  Securing your Server
11:55 - 12:15  Sybari
12:15 - 13:00

Security Management – The Past
1st Generation: GATES, GUNS & GUARDS
- Focus on physical vulnerabilities and data confidentiality
- Tools: locks, burglar alarms, mainframe security
- Weakness: slow response, no protection from electronic threats
2nd Generation: TACTICAL SECURITY DEPLOYMENTS
- Focus on electronic vulnerabilities and intrusion
- Tools: firewalls, anti-virus software & intrusion detection systems
- Weakness: only protect from known electronic threats; not current

Security Management – Today
1st Generation: GATES, GUNS & GUARDS
- Focus on physical vulnerabilities and data confidentiality
- Tools: locks, burglar alarms, mainframe security
- Weakness: slow response, no protection from electronic threats
2nd Generation: TACTICAL SECURITY DEPLOYMENTS
- Focus on electronic vulnerabilities and intrusion
- Tools: firewalls, anti-virus software & intrusion detection systems
- Weakness: only protect from known electronic threats; not current
Next Generation: STRATEGIC SECURITY PROCESSES
- Assuring Compliance
- Managing Risk
- Securing Assets

Why Does Network Security Fail?
Network security fails in several common areas, including:
- Human awareness
- Policy factors
- Hardware or software misconfigurations
- Poor assumptions
- Ignorance
- Failure to stay up-to-date

Understanding Components of IT Security
Security Policy Model: Policy -> Process -> Technology
- Layers: Implementation, Documentation, Operations
- Start with policy
- Build process
- Apply technology

Implementing IT Security
Compare each area to standards and best practices:
- Security policy: what you must do
- Documented procedures: what you say you do
- Operations: what you really do

Policy Drives Everything
Regulatory Sources -> Policies -> Management Controls, Organisational Controls, Technical Controls -> Activity, Processes, Procedures
Control areas:
- Risk management
- Contingency planning
- Incident response
- Physical security
- Personnel security
- Certification/verification
- Access control
- ID & authentication
- Auditing
- Encryption
- Incident detection
- Networking
- Information classification
- Communications
- Acceptable use
- Perimeter security

Core Components
- People: skills, roles, and responsibilities
- Processes: consistent and repeatable
- Technology: products, tools, and automation

Security Controls… The management, operational, and technical safeguards and countermeasures prescribed for an information system which, taken together, adequately protect the confidentiality, integrity, and availability of the system and its information…

What Are Information Security Policies?
- Management instructions (AKA directives)
- Formal ways to say "This is how we do it here"
- Tech talk: generalised requirements statements
- Not system settings for firewalls & other gear
- More general than procedures & standards
- Unlike guidelines, policies are mandatory
- Unlike architectures, policies are product independent

Real World Cases… Where Policies Made A Big Difference
- Lazy government clerk fired for downloading pornography
- IT manager becomes consultant for former employer
- Joke list circulation causes sexual harassment suit
- Major newspaper notices rival gets scoop stories
- Virus hoax message floods computer manufacturer net
- Stolen disk drive causes severe public relations problem
- Revealed preference info causes dishonorable discharge

Top 10 Information Security Policies To Protect Your Organisation Against Cyber-Terrorism
1. Perform background checks for all workers
2. Maintain a low profile in the public's eyes
3. Wear a badge when inside company X offices
4. Update & test information systems contingency plans
5. Store critical production data securely at off-site location
6. Install latest patches on systems located on network periphery
7. Install and monitor intrusion detection systems
8. Turn on minimum level of systems event logging
9. Assign explicit responsibility for information security tasks
10. Perform periodic risk assessments for critical systems
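Items 6 to 10 are the ones that can be checked mechanically against what is actually running, which is where the "what you must do" versus "what you really do" gap usually shows. The Python below is an added example, not material from the presentation; the thresholds, system names and dates are constructed for illustration.

```python
"""Policy-vs-operations gap check for Top 10 items 6-10 (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Policy layer ("what you must do"). Thresholds are assumptions for this example.
POLICY = {
    "max_patch_age_days": 30,              # item 6: patches on periphery systems
    "ids_required_on_perimeter": True,     # item 7: install and monitor IDS
    "min_log_level": "audit",              # item 8: minimum event logging level
    "owner_required": True,                # item 9: explicit responsibility
    "risk_assessment_interval_days": 365,  # item 10: periodic risk assessment
}
LOG_LEVELS = ["none", "errors", "audit", "verbose"]  # ordered weakest to strongest

@dataclass
class SystemRecord:
    """Operations layer ("what you really do") as observed on one system."""
    name: str
    perimeter: bool
    critical: bool
    last_patched: date
    ids_monitored: bool
    log_level: str
    owner: Optional[str]
    last_risk_assessment: Optional[date]

def gaps(rec: SystemRecord, policy=POLICY, today=date(2005, 6, 1)) -> List[str]:
    """Return the policy items this system currently violates, in item order."""
    found = []
    if rec.perimeter and (today - rec.last_patched).days > policy["max_patch_age_days"]:
        found.append("6-patching")
    if rec.perimeter and policy["ids_required_on_perimeter"] and not rec.ids_monitored:
        found.append("7-ids")
    if LOG_LEVELS.index(rec.log_level) < LOG_LEVELS.index(policy["min_log_level"]):
        found.append("8-logging")
    if policy["owner_required"] and not rec.owner:
        found.append("9-owner")
    if rec.critical and (rec.last_risk_assessment is None or
            (today - rec.last_risk_assessment).days > policy["risk_assessment_interval_days"]):
        found.append("10-risk-assessment")
    return found

# Constructed inventory: a neglected DMZ host and a well-kept internal database.
INVENTORY = [
    SystemRecord("dmz-web", True, True, date(2005, 3, 1), False, "errors", None, date(2004, 1, 15)),
    SystemRecord("hr-db", False, True, date(2005, 5, 20), False, "audit", "dba-team", date(2005, 1, 10)),
]

def report(inventory=INVENTORY, today=date(2005, 6, 1)) -> dict:
    """Map each system name to the list of policy items it fails."""
    return {r.name: gaps(r, today=today) for r in inventory}
```

Run against a real asset inventory, the same report gives the "really do" column for an audit, and an empty list per system is the only acceptable operational state.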

The Issues with Policies Today
- Lack of resources
- Lack of authority
- Incomplete & out-of-date
- No official corporate-wide approval process
- Mergers & acquisitions
- Same topic covered in multiple documents
- Contradictions
- Unenforceable

Chernobyl – April 25-26, 1986: Ineffective Controls
- April, hrs: Initial alerts and warnings about overload
- April, hrs: Without following SOP, operators disconnect Emergency Core Cooling System; no manager approved continued operation
- April, 0100 hrs: Emergency protection signals suppressed by operators
- April, 0119 hrs: Excessive radioactivity ignored by operators
- April, 0123:48: Explosion occurs, followed by second explosion
[Slide images: Inside Chernobyl's I Block Control Room, 1985; Chernobyl's Reactor 4, 1986; Deserted City of Pripyat, Chernobyl in Background, 1987; Chernobyl Reactor 4 Sarcophagus, 1996]

Understanding Defense-in-Depth
Using a layered approach:
- Increases an attacker's risk of detection
- Reduces an attacker's chance of success
Layers (outermost to innermost):
- Policies, procedures, and awareness: security policies, procedures, and education
- Physical security: guards, locks, tracking devices
- Perimeter: firewalls, border routers, VPNs with quarantine procedures
- Internal network: network segments, NIDS
- Host: OS hardening, authentication, security update management, antivirus updates, auditing
- Application: application hardening
- Data: strong passwords, ACLs, backup and restore strategy

Reasons To Have Awareness & Training
- Leverage the power of people to protect your organization
- Overcome natural impulses & trained politeness
- Provide substantive instructions instead of simply sensitization
- Untrained workers are now in positions of great responsibility
- Information security is an unnatural act
- Create a security mindset so workers can act the right way

Reasons To Have Awareness & Training (continued)
- Make it clear that info security is mandatory, not voluntary
- Force management to recognize that people are part of the solution
- Technology is useless unless properly managed (patches)
- Make the critical role of the user crystal clear: the front line of defense!

A Final Consideration: Does Security Awareness Work? Consider… AA Flight 63 Paris – Miami (12/24/01)

Questions and Answers