MSIA 711 1 Introduction to Information Systems Security Training and Policy Week 1 Live Session Presentation.

Presentation transcript:
Slide 1: Introduction to Information Systems Security Training and Policy, Week 1 Live Session Presentation

Slide 2: Information Systems Security

Purpose:
- Confidentiality
- Integrity
- Availability

Also:
- Authenticity
- Non-Repudiation

Full security is achieved through:
- physical, administrative, and technical safeguards
- common sense

Slide 3: Who Should Be Trained?

- Management
- End Users (First Line of Defense)
- InfoSec Staff (ISSPM, ISSM, NSM, ISSO, TASO, NSO)
- System Administrators
- Infrastructure Support Services

Slide 4: Awareness Training

- Secure Password Selection
- Password Security
- "Least Privilege" Policy Understanding
- Workstation Security: Terminal Timeout
- How to Report Incidents for appropriate action
- WARNING Banner Pages
- Roles for Contingency Actions
- Anti-Virus Precautions and Reactions
- Regular Backups and Off-Site Storage
- Review and Act upon CERT/CIRT Alerts
- Event Reporting Chain
- "Social Engineering" Awareness

Slide 5: Advanced Training

Apply as required for the group.
- Management needs to understand the risks, and the need for advanced capabilities for Protection, Detection, Response and Recovery.
- SysAdmins: patches, security log configuration and review, OS configuration, Least Privilege, etc.
- Security Staff: keep up to date on advanced issues.

Slide 6

Computer Incident/Emergency Response Centers/Teams, and occasionally vendors, responsibly send out Alerts or Advisories to warn activities and agencies of identified vulnerabilities that may be exploited, and how to proceed to "close the hole". Examples include:
- CERT-CC
- FEDCIRC
- FIRST
- Government CERTs

Keep up on Patches.

Often, you can learn of new exploits before the CERTs warn subscribers by getting on SecurityFocus e-mail lists (Bugtraq, VulnDev, etc.).

Slide 7: Key Issues to Effective Network Security

- Management support
- Personnel training
- Cost-effective, planned security measures
- Network Security Policy: adopt "Defense-in-Depth"
- Roles and responsibilities
- Processes and procedures

Slide 8: Security Policy

- "The first step is to conduct a risk assessment"
- "best protect your most valuable assets"
- "evaluate each security threat"
- "compare the measures taken to protect that asset and ensure the measures do not cost more than…"

Slide comments taken from: Network Security Policy – A Manager's Perspective, Ernest D. Hernandez, November 22, 2000

Slide 9: Security Policy

"The security-related decisions you make, or fail to make, as administrator largely determines how secure or insecure your network is, how much functionality your network offers, and how easy your network is to use. However, you cannot make good decisions about security without first determining what your security goals are. Until you determine what your security goals are, you cannot make effective use of any collection of security tools because you simply will not know what to check for and what restrictions to impose."

Guide to Writing Network Security Policy: Site Security Handbook (RFC 2196), http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2196.html

Slide 10: Network Security Plan

- What are we trying to protect? Assets?
- From whom are we trying to protect? What are our Threats?
- What are our Vulnerabilities?
- What is the likelihood of Threat occurrence?
- What is the detrimental impact from occurrence?
- What Safeguards do we have / do we need?
- How do we implement security policy cost-effectively?

Slide 11: Security in the System Lifecycle (diagram)

Phases: Design, Develop, Implement, Operate

Activities shown across the phases:
- Identify & Include Security Features
- Risk Analysis
- Test Security Features, Train
- ST&E (Security Test & Evaluation)
- Security Procedures
- Disaster Recovery Plan
- Train
- Patch Emerging Problems
- Identify Additional Needs
- Audit for Compliance
- Review/Update
- Risk Management (ongoing)

For our purposes, "accredit" means "approve for operation/connection/use".

Slide 12: What are some Policy issues? ??

Slide 13: File Backups

- Scheduling / impact to normal operations
- Cost over speed and recoverability
- Off-Site Rotations: Son - Father - Grandfather
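The Son-Father-Grandfather rotation named on the slide, worked through as an added example (not part of the course slides). It assumes a constructed policy: Monday to Thursday "son" media reused weekly, Friday "father" full backups reused monthly and sent off-site, and a last-Friday-of-month "grandfather" full kept off-site for a year; the functions show which media each day's job writes to, how many media the scheme needs, and which restore points it actually leaves available.

```python
from datetime import date, timedelta
from typing import Optional

# Constructed rotation policy (an assumption, not from the slides):
#   son         = Mon-Thu differential, media reused every week, stays on site
#   father      = Friday full, media reused monthly, copy sent off-site
#   grandfather = last Friday of the month full, kept off-site for one year
# No job runs on weekends in this schedule.

def is_last_friday(day: date) -> bool:
    """True when `day` is a Friday and the following Friday is in another month."""
    return day.weekday() == 4 and (day + timedelta(days=7)).month != day.month

def gfs_plan(day: date) -> Optional[dict]:
    """Which generation a backup on `day` belongs to, which media it reuses,
    whether it leaves the site, and when that media may be overwritten."""
    if day.weekday() >= 5:                       # Saturday/Sunday: nothing scheduled
        return None
    if is_last_friday(day):
        tier, media, keep, offsite = "grandfather", f"GF-{day:%Y-%m}", 365, True
    elif day.weekday() == 4:
        week = (day.day - 1) // 7 + 1            # 1..4 for Fridays that are not last
        tier, media, keep, offsite = "father", f"F-{week}", 35, True
    else:
        tier, media, keep, offsite = "son", f"S-{day:%a}", 7, False
    return {"date": day, "tier": tier, "media": media, "offsite": offsite,
            "expires": day + timedelta(days=keep)}

def media_pool(year: int) -> set:
    """Distinct media labels one year of this rotation needs (what to budget for)."""
    labels, day = set(), date(year, 1, 1)
    while day.year == year:
        plan = gfs_plan(day)
        if plan is not None:
            labels.add(plan["media"])
        day += timedelta(days=1)
    return labels

def restore_points(as_of: date) -> list:
    """Backup dates whose media has not yet been overwritten as of `as_of`:
    the recovery points the rotation really leaves available."""
    day, points = as_of - timedelta(days=366), []
    while day <= as_of:
        plan = gfs_plan(day)
        if plan is not None and plan["expires"] > as_of:
            points.append(day)
        day += timedelta(days=1)
    return points
```

For 2024 the pool is 20 media labels (4 sons, 4 fathers, 12 grandfathers), and the trade-off the slide names is visible in `restore_points`: daily granularity for only a week, weekly for about a month, monthly for a year.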

Slide 14: Async Session Readings

Discussion: Malicious Software and Hoaxes
- http://www.sans.org/infosecFAQ/email/protection
- http://www.sans.org/infosecFAQ/malicious/hoaxes.htm
- http://www.sans.org/infosecFAQ/malicious/trojan_war.htm

Note: 2 are not on the syllabus!

Little Black Book of Viruses (download from website)
