
Chapter 3 “A Case Study of Effectively Implemented Information Systems Security Policy[1]” John Doran, CST554, Spring 2008.


2 Security Policy Effectiveness
- "Documented policies are the foundation upon which the security architecture is built." [1]
- "Security policy should be consistently reviewed and refined." [1]
- Employees must receive education and training for the policy to be effective.

3 Questions [1]
- What services are required? (e.g., a web portal)
- Does the business require everyone to have web access?
- Do users need remote access?
- What are the risks, and what priorities should the security policy set?

4 Sections of a Security Policy
Sections that should be refined early:
- Purpose: defines the goals and objectives. "The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change." [2]
- Scope: the divisions or employees that are required to follow the policy. "The scope of this policy includes all personnel who have or are responsible for an account." [2]
- Policy Statement: a specific rule that defines who, what, and when. "All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months." [2]
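A policy statement is only effective if someone can check it. The script below is an added example (not part of the deck or of the SANS template it quotes) that turns the quoted six-month rule into an audit: it parses records in /etc/shadow layout, computes each account's password age from the "last changed" field, and reports accounts that are stale or cannot be verified. The shadow lines are constructed samples, and "six months" is taken as 180 days, which is an assumption. One caveat a practitioner would raise: NIST SP 800-63B (2017) advises against forcing periodic password changes without evidence of compromise, so a policy written today would more likely tie rotation to a compromise event than to a calendar; the audit logic is the same either way.

```python
from datetime import date

EPOCH = date(1970, 1, 1)
MAX_PASSWORD_AGE_DAYS = 180  # the policy's "at least every six months"; 180 days is an assumption

# Constructed sample records in /etc/shadow layout (not real accounts):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is days since 1970-01-01; an empty field means "never recorded".
SAMPLE_SHADOW = """\
# constructed sample, not a real shadow file
alice:$6$saltA$hashA:19500:0:99999:7:::
bob:$6$saltB$hashB:19800:0:99999:7:::
svc-backup:!:19000:0:99999:7:::
carol:$6$saltC$hashC::0:99999:7:::
"""


def days_since_epoch(d):
    """Convert a date to the day count used by the shadow 'lastchg' field."""
    return (d - EPOCH).days


def parse_shadow(text):
    """Return (user, password_field, last_change_day) tuples from shadow-format text.
    last_change_day is None when the field is empty or not numeric."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # not a shadow entry
        user, pw, lastchg = fields[0], fields[1], fields[2]
        records.append((user, pw, int(lastchg) if lastchg.isdigit() else None))
    return records


def audit(text, today_days):
    """Classify every record against the rotation rule.
    Returns (user, status, age_in_days) tuples; age is None when not applicable."""
    findings = []
    for user, pw, lastchg in parse_shadow(text):
        if pw == "":
            status, age = "no-password", None      # passwordless login: a finding in itself
        elif pw.startswith(("!", "*")):
            status, age = "locked", None           # no usable password, nothing to rotate
        elif lastchg is None:
            status, age = "unknown", None          # cannot prove compliance either way
        elif lastchg == 0:
            status, age = "change-pending", None   # admin forced a change at next login
        else:
            age = today_days - lastchg
            status = "stale" if age > MAX_PASSWORD_AGE_DAYS else "ok"
        findings.append((user, status, age))
    return findings


def violations(findings):
    """Entries the policy owner must act on: stale passwords and records that cannot be verified."""
    return [f for f in findings if f[1] in ("stale", "unknown", "no-password")]


if __name__ == "__main__":
    today = 19900  # fixed day count so the sample output is reproducible; use days_since_epoch(date.today()) live
    for user, status, age in audit(SAMPLE_SHADOW, today):
        print(f"{user:12} {status:15} {'' if age is None else age}")
    print("violations:", [u for u, _, _ in violations(audit(SAMPLE_SHADOW, today))])
```

Run it as root against the real file with `audit(open("/etc/shadow").read(), days_since_epoch(date.today()))`. The "unknown" and "no-password" states matter as much as "stale": a policy review that only counts old passwords misses accounts the policy cannot be shown to cover at all.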

5 Sections of a Security Policy
Sections that change periodically:
- Standards: what is expected of employees. "Don't reveal a password over the phone to ANYONE." [2]
- Actions (enforcement): "Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment." [2]
- Responsibilities: specifically assign each action to a named team of employees.

6 Sections of a Security Policy
- Frequency of review (e.g., every 6 months)
- Way to request policy changes (e.g., fill out a form)
- List of assets: servers, desktops, laptops, routers. For each asset: describe it, who administers it, who uses it, and how important it is to business goals.

7 Sections of a Security Policy
- Incident response / disaster recovery: list who to call, and when, in the event of a security breach; state who is accountable for recovery from the breach.

8 Educating Employees
- Users must know that a security policy exists.
- When changes are made, users must be informed.
- Training must cover social engineering: a standard such as "don't reveal a password over the phone" fails if users can be talked around it.

9 Revising Security Policy
- There are always new threats.
- Sometimes the business needs change.
- The team responsible for implementing the policy must always be proactive.

10 Security Policy Effectiveness
- "Documented policies are the foundation upon which the security architecture is built." [1]
- "Security policy should be consistently reviewed and refined." [1]
- Employees must receive education and training for the policy to be effective.

11 References
1. Warkentin, M. & Vaughn, R. (eds.), Enterprise Information Systems Assurance and System Security, Idea Group Publishing, Hershey, 2006.
2. SANS Institute, Security Policy Templates, www.sans.org/resources/policies, accessed 3/23/2008 (good examples).
3. Network Security Journal, "Security Policy 101", www.networksecurityjournal.com/features/security-policy-101-102307/, accessed 3/23/2008.
4. ISO/IEC 17799, www.iso.org, accessed 3/23/2008 (industry standard).

