KAPLAN SCHOOL OF INFORMATION SYSTEMS AND TECHNOLOGY Unit 4 IT 484 Networking Security Course Name – IT Networking Security 1203C Term Instructor – Jan McDanolds, MS, Security+ Contact Information: AIM – JMcDanolds Phone: Office Hours: Tuesday, 7:00 PM ET or Thursday, 7:00 PM ET

#1. Name two confidentiality mechanisms #2. How does cryptographic check sum ensure integrity? #3. What is the most basic form of availability? UNIT 3 REVIEW Attack vs. Security Service

UNIT 4 Readings for UNIT 4 Web Readings Network security policy: best practices Producing Your Network Security Policy available at:

Understand Why Policy Is Important Define Various Policies Create Appropriate Policy Deploy Policy Use Policy Effectively UNIT 4 Policy

The two primary functions of a policy are: 1. To define the scope of security within an organization. 2. To clearly state the expectations from everyone in the organization. UNIT 4 Policy

Policy defines how security should be implemented including system configurations, network configurations, and physical security measures. Policy defines the mechanisms used to protect information and systems. Policy defines how organizations should react when security incidents occur and provides the framework for employees to work together. Policy defines the common goals and objectives of the organization’s security program. Proper security awareness training helps implement policy initiatives effectively. UNIT 4 Why is policy important?

Policy example exercise: Describe a household policy step-by-step. (replace paper towel, take out garbage, etc.) Describe how to handle a household accident. Describe the first, second, and third steps after a fender-bender. Describe a policy that impacts a household for five years. UNIT 4 Why is policy important?

Information policy Security policy Computer use policy Internet use policy policy User management procedures System administration procedures Backup policy Incident response policy Configuration management procedures Design methodology Disaster recovery plans UNIT 4 Types of Policies

Policies should have sections outlining the following: Purpose – why the policy was created Scope – what does it apply to (computers, users, etc.) Responsibility – who will be held accountable Other – enforcement, requirements, standards, compliance, monitoring, etc. UNIT 4 Common Parts of a Policy

Docs in Doc Sharing: SAMPLE INFORMATION TECHNOLOGY SECURITY PLAN by Robert H. Spencer PhD A Short Primer for Developing Security Policies – from SANS by Michele D. Guel UNIT 4 Examples of Policies

Audit Policy (subheading under Security Policy) Audit Policy versus policy review The audit section of the security policy defines the types of events to be audited on all systems. For example: Logins (successful and failed), logouts, failed access to files or system objects, remote access (successful and failed), privileged actions (those performed by administrators, both successes and failures), system events (such as shutdowns and reboots) Each event should capture the following information: User ID (if there is one), date and time, process ID (if there is one), action performed and success or failure of the event UNIT 4 Examples of Policies

Audit Policy Purpose: Scope: Responsibility: Other: Who creates the audit policy? Who can change it? Who performs the audits? Who can change the process? What is done with the audit results? UNIT 4 Examples of Policies (cont.)

Internet Use Policy The Internet use policy defines the appropriate use of the Internet within an organization. It may also define inappropriate use such as visiting non-business-related web sites. Requires management to define inappropriate usage and IT personnel to alert management Relies on audit data to verify usage – sites, usage, time, etc. Each event should capture the following information: User ID (if there is one), date and time, process ID (if there is one), action performed and success or failure of the event UNIT 4 Examples of Policies

UNIT 3 Assignments for UNIT 4 Read Chapter 6 and the Web Reading Post to two Discussion questions – 30 points Complete Project Assignments Part A and B - 55 points APA formatting No spelling or grammar errors Must have reference page

UNIT 3 Assignment for UNIT 4 Write a paper creating an IT security policy for the bank.

UNIT 3 Assignment for UNIT 4 You have been hired by KU Bank One, a large bank that has 500 employees, to increase their corporate information security. Your first task is to create an IT security policy for the bank. You must include the following topics in your policy, along with 3 other key topics you feel critical to securing the bank’s assets: - Authentication requirements - Access control requirements - Network connection requirements - Remote access requirements - Encryption requirements This policy needs to be professionally written, cover the key aspects listed and provide three additional areas you feel are critical. This document should be a complete, ready to use, professionally written security plan. The page length should be between 4 and 8 pages.

UNIT 3 Assignment for UNIT 4 RUBRIC Paper is professionally written and includes key information on all 5 topics listed. Points 0-15 Paper includes key information on all 3 topics beyond the key topics above and there are 3 key inclusions for an IT policy for a large bank. Points 0-20 Policy created could be used as written by a large bank with little or no new material added. Points 0-20