Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Awareness: Applying Practical Security in Your World

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Awareness: Applying Practical Security in Your World"— Presentation transcript:

1 Security Awareness: Applying Practical Security in Your World
Chapter 3: Organizational Security

2 Objectives Explain why risk assessment and user responsibilities are part of a security policy Explain the parts of a business continuity plan List good practices that the Human Resources (HR) Department should follow to improve information security Security Awareness: Applying Practical Security in Your World

3 Organizational Security
Internet usage in business is an essential tool A company security policy is an equally essential tool A security policy: Outlines what an employee may do on company computers Frequently isn’t followed due to a variety of factors Must be clearly communicated and strictly enforced Security Awareness: Applying Practical Security in Your World

4 Security Policy Security policy  Document containing procedures to protect and maintain a company’s information resources Defines daily acceptable use Establishes security perimeter around company data (See Figure 3-1) Security Awareness: Applying Practical Security in Your World

5 Security Policy (continued)
Security Awareness: Applying Practical Security in Your World

6 Security Policy (continued)
Security policy basic guidelines: Security policy team to create and maintain Business decision makers, and representatives from HR, IT, and legal counsel should be on the team Commitment of senior management should be obtained Document constantly updated All security policies are based on risk assessment and will outline user responsibilities Security Awareness: Applying Practical Security in Your World

7 Risk Assessment Risk management  Systematic process for identifying, analyzing and controlling risk Risk assessment is an important part of risk management Determine weaknesses and identify risks Three steps to risk assessment: Asset identification Threat and vulnerability assessment Reduce risk (take action) Security Awareness: Applying Practical Security in Your World

8 Asset Identification Asset identification  Identifying the organization’s assets, including computers, data, and programs Once identified, assets must be prioritized: Replaceable or not? Possible targets of competitors? Halt company’s business if lost? Some data may be more valuable than other Very important to prioritize data Security Awareness: Applying Practical Security in Your World

9 Threat and Vulnerability Assessment
Threat and vulnerability assessment  Determining how assets are currently protected and the vulnerabilities of those assets Threat modeling  Scenarios of types of threats Attack tree  Visual image of attacks that might occur (See Figure 3-2 and 3-3) Security Awareness: Applying Practical Security in Your World

10 Threat and Vulnerability Assessment (continued)
Security Awareness: Applying Practical Security in Your World

11 Threat and Vulnerability Assessment (continued)
Security Awareness: Applying Practical Security in Your World

12 Threat and Vulnerability Assessment (continued)
Vulnerability assessment  Determine if current security could be breached by an attack Vulnerability assessment managed services (See Figure 3-4) Security Awareness: Applying Practical Security in Your World

13 Threat and Vulnerability Assessment (continued)
Security Awareness: Applying Practical Security in Your World

14 Reduce Risk Reducing risk  Determining what actions to take to reduce the risk of the security weakness Not all weaknesses can be eliminated; some degree of risk must always be assumed Three options: Accept Diminish Transfer When developing the security policy, decisions must be made about the risks. Security Awareness: Applying Practical Security in Your World

15 User Responsibilities
User responsibilities in the security policy: Three key areas: Password policies policies Internet policies Security Awareness: Applying Practical Security in Your World

16 Password Policy Password policies  Outline the minimum requirements for passwords and how they should be protected Change passwords every 30 days Minimum length At least one nonalphabetic character Upper and lower case letters combined No personal information No common words Never given out over telephone or through May not be reused for 12 months Security Awareness: Applying Practical Security in Your World

17 Policy policies  is a company asset and critical component of the communications system Acceptable and unacceptable use of systems May provide examples of misuse Deleted is not necessarily gone Businesses regularly copy and store Company records can be used in legal proceedings Security Awareness: Applying Practical Security in Your World

18 Internet Use Policy Internet use policy  Provide lists of certain activities that are unacceptable. Security policy attempts to regulate personal Internet usage. Three primary reasons personal Internet usage is frowned on: Impacts employee productivity Uses bandwidth Can open doors to viruses and worms Security Awareness: Applying Practical Security in Your World

19 Internet Use Policy (continued)
Typical Internet prohibitions: Accessing downloading, printing or storing sexually explicit content Downloading or transmitting fraudulent, threatening…or otherwise unlawful messages or images Installing or downloading software, programs or executables Uploading or downloading copyrighted materials or proprietary information without consent Security Awareness: Applying Practical Security in Your World

20 Human Resource Procedures
The best security policy is useless if employees are unaware of it Human Resources (HR) has ongoing jobs: Inform new hires of security policies Perform ongoing training and updates about changes Plays a pivotal role when an employee leaves the company Security Awareness: Applying Practical Security in Your World

21 Hiring In-depth information security training is essential for new hires Position about importance of security User’s responsibility to be aware of importance of security, achieving good security practices, and penalties At orientation sessions with HR, new users should be assigned Usernames and passwords and other IT accounts Security Awareness: Applying Practical Security in Your World

22 Education Security in an organization continues to evolve
Ongoing educational opportunities for all employees Organization-wide security awareness program Goals: Heighten awareness Change attitudes Influence behavior Human firewall  Any person who prevents any security attacks from passing through them Continually evaluate progress and results Security Awareness: Applying Practical Security in Your World

23 Termination When an employee leaves, it is critical to cancel that employee's access Many attacks have been the result of a disgruntled ex-employee whose access was not terminated Passwords and accounts should be cancelled; accounts should be disabled and the employee’s hard drive stored in case future reference becomes necessary Security Awareness: Applying Practical Security in Your World

24 Business Continuity Plan
Business continuity plan  Establishes procedures that will allow the business to continue to function Two key parts to a business continuity plan: Incident response team Disaster recovery plan Security Awareness: Applying Practical Security in Your World

25 Incident Response Team
Incident response team (IRT)  Team of employees whose job is first response after a security incident Different classes of incidents should be outlined in advance to ensure ready response Two primary goals of an IRT: Gather and handle digital evidence of the attack Provide information about the attack to concerned parties Security Awareness: Applying Practical Security in Your World

26 Incident Response Team (Cont.)
Gather and handle evidence Proper preservation of evidence Affected hard drives imaged (copied exactly) Chain of custody Documents where the evidence has been stored and everyone who has had contact or access to the evidence Disclose the attack Nature of attack helps determine who should be notified Security Awareness: Applying Practical Security in Your World

27 Disaster Recovery Plan
Disaster recovery plan  Designed to outline the procedures necessary for getting the business back to normal after an attack Recovery steps required for different types of disasters and attacks Two key parts: Data backups Alternative sites Security Awareness: Applying Practical Security in Your World

28 Disaster Recovery Plan (Cont.)
Data Backups  Data regularly copied to another medium and stored in a secure location Media includes: Optical discs: (CD-R, CD-RW, CD-ROM) Digital Versatile Discs: (DVD, DVD-R, DVD-RAM, DVD-RW, DVD+RW) Magnetic tapes Most businesses make two sets of backup tapes: One stored on-site and one off-site Security Awareness: Applying Practical Security in Your World

29 Disaster Recovery Plan (Cont.)
Backup Sites  Alternative sites that may contain computers, networks, and the equipment necessary to run the business Four types of backup sites: Mirror site Hot site Warm site Cold site Security Awareness: Applying Practical Security in Your World

30 Summary (continued) A security policy is a document containing procedures designed to protect and maintain an organization's information resources All security policies are based on a risk assessment and will outline user responsibilities Security Awareness: Applying Practical Security in Your World

31 Summary (continued) Risk assessment: Identify resources
Determine relative value and how they are currently protected Explore threats Expose vulnerabilities Determine actions to reduce risk Security Awareness: Applying Practical Security in Your World

32 Summary (continued) When the risk assessment is complete, the next step is to create the security policy. User responsibilities to minimize risks Key areas to address: Password policies policies Internet policies It is the HR Department’s job to inform new hires of the security policies, and provide ongoing training and updates of changes. Security Awareness: Applying Practical Security in Your World

33 Summary (continued) The Human Resources Department plays a pivotal role in ensuring that an employee who leaves the company can no longer access systems. When a new employee starts, HR must provide in-depth training regarding information security. Security at organizations continues to evolve as new attacks, hardware, and goals change. HR must provide ongoing education for all employees. Security Awareness: Applying Practical Security in Your World

34 Summary (continued) Business continuity plan  Established procedures that will allow the business to continue functioning Two key parts of a Business Continuity Plan: Incident Response Team Disaster Recovery Plan Security Awareness: Applying Practical Security in Your World

Download ppt "Security Awareness: Applying Practical Security in Your World"

Similar presentations

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Systems Availability and Business Continuity Chapter Four Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc. 2007.

Systems Availability and Business Continuity Chapter Four Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Security Controls – What Works

Security Controls – What Works
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 6 Enterprise Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 6 Enterprise Security.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.

Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
INTERNET and CODE OF CONDUCT

INTERNET and CODE OF CONDUCT
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Guide to Disaster Recovery

Guide to Disaster Recovery
Network security policy: best practices

Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Department of Mathematics Computer and Information Science1 Basics of Cyber Security and Computer Forensics Christopher I. G. Lanclos.

Department of Mathematics Computer and Information Science1 Basics of Cyber Security and Computer Forensics Christopher I. G. Lanclos.

Similar presentations

Ads by Google