Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 14 – Human Factors.


Human Factors
 important, broad area
 consider a few key topics:
  - security awareness, training, and education
  - organizational security policy
  - personnel security
  - e-mail and Internet use policies

Security Awareness, Training, and Education
 prominent topic in various standards
 provides benefits in:
  - improving employee behavior
  - increasing employee accountability
  - mitigating liability for employee behavior
  - complying with regulations and contractual obligations

Learning Continuum

Awareness
 seeks to inform and focus an employee's attention on security issues
  - threats, vulnerabilities, impacts, responsibility
 must be tailored to organization’s needs
 using a variety of means
  - events, promo materials, briefings, policy doc
 should have an employee security policy document

Training
 teaches what people should do and how they do it to securely perform IS tasks
 encompasses a spectrum covering:
  - general users: good computer security practices
  - programmers, developers, maintainers: security mindset, secure code development
  - managers: tradeoffs involving security risks, costs, benefits
  - executives: risk management goals, measurement, leadership

Education
 most in depth
 targeted at security professionals whose jobs require expertise in security
 more employee career development
 often provided by outside sources
  - college courses
  - specialized training programs

Organizational Security Policy
 “formal statement of rules by which people given access to organization's technology and information assets must abide”
 also used in other contexts

Organizational Security Policy
 need written security policy document
 to define acceptable behavior, expected practices, and responsibilities
  - makes clear what is protected and why
  - articulates security procedures / controls
  - states responsibility for protection
  - provides basis to resolve conflicts
 must reflect executive security decisions
  - protect info, comply with law, meet org goals

Security Policy Lifecycle

Policy Document Responsibility
 security policy needs broad support
 especially from top management
 should be developed by a team including:
  - site security administrator, IT technical staff, user groups admins, security incident response team, user groups representatives, responsible management, legal counsel

Document Content
 what is the reason for the policy?
 who developed the policy?
 who approved the policy?
 whose authority sustains the policy?
 which laws / regulations is it based on?
 who will enforce the policy?
 how will the policy be enforced?
 whom does the policy affect?
 what information assets must be protected?
 what are users actually required to do?
 how should security breaches be reported?
 what is the effective date / expiration date of it?

Security Policy Topics
 principles
 organizational reporting structure
 physical security
 hiring, management, and firing
 data protection
 communications security
 hardware
 software
 operating systems

Security Policy Topics cont.
 technical support
 privacy
 access
 accountability
 authentication
 availability
 maintenance
 violations reporting
 business continuity
 supporting information

Resources
 ISO
  - popular international standard
  - has a comprehensive set of controls
  - a convenient framework for policy authors
 COBIT
  - business-oriented set of standards
  - includes IT security and control practices
 Standard of Good Practice for Information Security
 other orgs, e.g. CERT, CIO

Personnel Security
 hiring, training, monitoring behavior, and handling departure
 employee security violations occur by:
  - unwittingly aiding commission of a violation
  - knowingly violating controls or procedures
 threats include:
  - gaining unauthorized access, altering data, deleting production and backup data, crashing systems, destroying systems, misusing systems, holding data hostage, stealing strategic or customer data for corporate espionage or fraud schemes

Security in Hiring Process
 objective: “to ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities”
 need appropriate background checks, screening, and employment agreements

Background Checks & Screening
 issues:
  - inflated resumes
  - reticence of former employers to give good or bad references due to fear of lawsuits
 employers do need to make significant effort to do background checks / screening
  - get detailed employment / education history
  - reasonable checks on accuracy of details
  - have experienced staff members interview
 for some sensitive positions, additional intensive investigation is warranted

Employment Agreements
 employees should agree to and sign the terms and conditions of their employment contract, which should include:
  - information on their and the organization’s security responsibilities
  - confidentiality and non-disclosure agreement
  - agreement to abide by organization's security policy

During Employment
 current employee security objectives:
  - ensure employees, contractors, third party users are aware of info security threats & concerns
  - know their responsibilities and liabilities
  - are equipped to support organizational security policy in their work, and reduce human error risks
 need security policy and training
 security principles:
  - least privilege
  - separation of duties
  - limited reliance on key personnel

Termination of Employment
 termination security objectives:
  - ensure employees, contractors, third party users exit organization or change employment in an orderly manner
  - that the return of all equipment and the removal of all access rights are completed
 critical actions:
  - remove name from authorized access list
  - inform guards that general access not allowed
  - remove personal access codes, change lock combinations, reprogram access card systems, etc
  - recover all assets
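The "remove name from authorized access list" and "recover all assets" actions above are only complete if someone verifies them. The following is an added example (not from the Stallings & Brown slides) of a reconciliation check that a security team can run periodically: it compares a constructed HR roster carrying termination dates against a constructed export of still-active grants (directory accounts, badges, VPN) and reports access that outlived the leaver process, plus grants that no HR record can vouch for at all.

```python
"""Offboarding reconciliation: find access that should already be gone.

Added example, not part of the original slides. It assumes an HR feed
of person_id -> (name, termination date) and an export of active access
grants from several systems; both inputs below are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    person_id: str
    system: str   # e.g. "ldap", "badge", "vpn"
    detail: str   # account name, badge number, VPN profile


# Constructed HR roster: termination date is None for current staff.
HR_ROSTER = {
    "p001": ("A. Adams", None),
    "p002": ("B. Baker", date(2024, 3, 31)),
    "p003": ("C. Cole", date(2024, 5, 15)),
}

# Constructed export of grants that the source systems still report active.
ACTIVE_GRANTS = [
    Grant("p001", "ldap", "aadams"),
    Grant("p002", "ldap", "bbaker"),       # account never disabled
    Grant("p002", "badge", "badge-4471"),  # badge never recovered
    Grant("p003", "vpn", "ccole"),         # left yesterday; inside grace
    Grant("p999", "ldap", "svc-legacy"),   # no HR record at all
]


def find_stale_access(roster, grants, today_iso, grace_days=1):
    """Return (stale, orphans) as lists of (person_id, system, detail).

    stale:   grants still active more than grace_days after termination
    orphans: grants whose person_id has no HR record, so no leaver
             process could ever have revoked them
    """
    today = date.fromisoformat(today_iso)
    stale, orphans = [], []
    for g in grants:
        row = (g.person_id, g.system, g.detail)
        if g.person_id not in roster:
            orphans.append(row)
            continue
        _, left = roster[g.person_id]
        if left is not None and (today - left).days > grace_days:
            stale.append(row)
    return stale, orphans
```

Run against the sample data on 2024-05-16, both of B. Baker's grants are reported stale, C. Cole's VPN access is still inside the one-day grace window, and the unowned "svc-legacy" account is listed as an orphan for manual review.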

E-mail & Internet Use Policies
 e-mail & Internet access for employees is common in offices and some factories
 organizations increasingly have e-mail and Internet use policies in their security policy
 due to concerns regarding:
  - work time lost
  - computer / comms resources consumed
  - risk of importing malware
  - possibility of harm, harassment, bad conduct

Suggested Policies
 business use only
 policy scope
 content ownership
 privacy
 standard of conduct
 reasonable personal use
 unlawful activity prohibited
 security policy
 company policy
 company rights
 disciplinary action

Example Policy

Summary
 introduced some important topics relating to human factors
 security awareness, training & education
 organizational security policy
 personnel security
 e-mail and Internet use policies