1 Pertemuan 14 Security Policies Matakuliah:A0334/Pengendalian Lingkungan Online Tahun: 2005 Versi: 1/1
2 Learning Outcomes Pada akhir pertemuan ini, diharapkan mahasiswa akan mampu : Mahasiswa dapat menyatakan Security Policies
3 Outline Materi Security as Standard –Establishing The Standards –What The International Standard Covers –Benefits –Conclusion Adequate Security –Where To Start Implementing IT Security –Different Approaches To Security Protecting Detecting Responding Roadmaps and The 80:20 Rule
4 –The ‘Seven Rules’ Approach Have/Create A security Plan Understand Your Risk Levels Don’t Depent on Firewalls Have An Access Policy Test, Test, tEst Keep Monitoring Plan for Disaster –Conclusion
5 Security as Standard ‘Walls have ears’ – this slightly surreal cautionary wartime note was one of the first warnings about confidentiality that most of the British public had ever heard. In three decades the battlefront has moved from the waste bin and the pub to IT, telemetry and corporate governance.
6 Of course, the stakes are now so high that information security has spawned a whole industry – and a rewarding one. But different organisations have approached it in different ways. Perhaps because matters of confidentiality and security are discussed only ‘on a need to know basis’. Perhaps because the technology of espionage and counter-espionage is so precious it’s kept close to the chest. And perhaps because bosses and IT managers don’t like to deal with outside authorities on matters so intimate.
7 Varying standards of security equipment are permissible.
8 Establishing The Standards Towards the end of the last meillenium the British Standards Institute knuckled down to establishing an information security standard.
9 What The International Standard Covers Most organisations will already have some of these in place, but few will be doing everything.
10 Benefits The benefits are expressed as ‘benefiting the bottom line’ – that is, supporting the private sector objectives of efficiency and profitability – although, clearly, non-profit- making organisations stand to benefit in other no less valuable ways.
11 Conclusion Over the years, successive boardroom coups have demonstrated that information has a tangible value and a very powerful influence over the fortunes of organisations and individuals.
12 Adequate Security Most UK companies recently surveyed spend approximately one per cent of their IT budget on security, well below the recommended spend on security of three per cent of IT budgets or 10 per cent of TI budgets in these case of financial services companies. It is important to remember that security spend needs to be justified in terms of business benefit and return on investment (ROI) with a comprehensive cost/risk-benefit analysis, especially as you need to be sure that any security spend can be fully explained to your board members.
13 Where To Start Implementing IT Security Any enterprise wanting to make improvements in security must take a broad view of its information assets and understand their value as well as the threats to these assets and their vulnerabilities. The first thing a company should then ascertain in whether or not there are any existing company security policy documents. This is a formal published document that defines roles, responsibilities, acceptable use and enterprise security practices.
14 Companies with existing security policies generally have a far greater understanding and appreciation of why they need to manage the confidentiality, integrity and availability of their information assets, than those without such policies.
15 Different Approaches To Security Many data security issues are common sense – just as you wouldn’t drive a car on the road without brakes, similarly you shouldn’t put unprotected web servers on the Internet. The risks are simply too great.
16 Adequate IT information security is about being able to reduce those risks by continually: –Protecting –Detecting –Responding –Roadmaps and The 80:20 Rule
17 Protecting This means sufficiently recognising,prioritising and protecting your organisation’s information assets by acknowledging the wide abuses they could be subject to because of their importance, uses and location – this primarily involves business issues concerning people, policies and processes.
18 Detecting You must be able to recognise abuses no matter who or what is responsible for them – this involves people, policies, technology, settings and processes.
19 Responding You should defend your assets from misuse either automatically or with rapid decision-making, or even with manual intervention, to stop the misuse. The word ‘continually’ is key here. IT security is not about buying hardware and software, setting it up and then forgetting about it. New risks and vulnerabilities occur every day, especially as hackers get smart to new technologies and applications.
20 Roadmaps and The 80:20 Rule IT security is very much governed by the same 80:20 rule, or Pareto Principle, used in marketing, except in this case, whilst 80 per cent of security is people, processes and documentation,only 20 per cent of security is the technology. There are quite a few standard security roadmaps and guidelines around.
21 The ‘Seven Rules’ Approach A rather simplistic yet more pragmatic way of looking at IT security is the ‘Seven Rules’ approach to website security, which Computacenter has updated below so it can also apply to networks: –Have/Create A Security Plan –Understand Your Risk Levels –Don’t Depend on Firewalls –Have an Access Policy –Test, Test, Test –Keep Monitoring –Plan for Disaster
22 Have/Create A Security Plan Have a solid security plan and adequate policies in place – ideally before you open your new systems to real-world users and hackers! Also, ensure that you conduct regular vulnerability assessments and penetration tests on all your systems
23 Understand Your Risk Levels Regular assessment lets you set the levels of risk you are taking and relate them to your ‘adequate’ security protection posture. It is important to remember that wile security is an enabler, it also takes both time and money to implement, so systems should not be made substantially more complex for end-users. For instance, you may want a simple password system to allow users to access low-value information services but more complex authentication and authorisation procedures for more confidential, sensitive or valuable information.
24 Don’t Depend on Firewalls You need them, but there’s more to a complete security system than just adding one to external connections to your local area network. Firewalls are often single points of failure, so work out the implications of losing connectivity or external access to systems.
25 Have An Access Policy Have an access policy and ensure that it is adhered to. As is common is most environments, you will need different levels of user access. You want customers to buy goods online, but you do not want to provide hackers with an open door to your system and data. You also want to authenticate remote and teleworkers more stringently, as well as their system authorisations and privileges. Access via wired or wireless connections and devices needs to be examined to ensure that it is secure.
26 Test, Test, Test Get somebody else to test your security regularly.
27 Keep Monitoring Monitor your security regularly, ideally using software-alerting and management tools, and ensure that results are analysed.
28 Plan for Disaster Have plans in place for when it all goes wrong. This should be a natural progression from the vulnerability assessment, but it is often forgotten about.
29 Conclusion Security is clearly becoming a big issue for enterprises; however, not all companies have yet adopted sufficient security measures. There is no great mystery behind information security, and there are a number of roadmaps out there to help you, no matter how basic or sophisticated your business, to prioritise and create an ROI for every layer of security you adopt.
30 The key message is that it’s important to start considering the risks, build company- wide security policies and justify the deployment and management of security technology within all your new IT initiatives. User education is also imperative to the implementation of a successful IT security solution and should be built into any security solution.
31 However, it must be recognised that security is not an end in itself: it enables businesses to protect themselves from major threats in their operating environments and to carry out processes and transactions that are otherwise too risky to carry out. Importantly, it is a continual process of assessment and evaluation. Businesses change, IT infrastructures change and, unfortunately, attackers get smarter. Deploying, the right security technologies is by no means an easy task.
32 The End