Security Awareness: Applying Practical Security in Your World
Chapter 3: Organizational Security
Objectives
- Explain why risk assessment and user responsibilities are part of a security policy
- Explain the parts of a business continuity plan
- List good practices that the Human Resources (HR) Department should follow to improve information security
Organizational Security
- Internet usage in business is an essential tool
- A company security policy is an equally essential tool
- A security policy:
  - Outlines what an employee may do on company computers
  - Frequently isn’t followed due to a variety of factors
  - Must be clearly communicated and strictly enforced
Security Policy
- Security policy: document containing procedures to protect and maintain a company’s information resources
- Defines daily acceptable use
- Establishes a security perimeter around company data (see Figure 3-1)
Security Policy (continued)
Security policy basic guidelines:
- A security policy team creates and maintains the policy
- Business decision makers and representatives from HR, IT, and legal counsel should be on the team
- Commitment of senior management should be obtained
- The document is constantly updated
- All security policies are based on risk assessment and will outline user responsibilities
Risk Assessment
- Risk management: systematic process for identifying, analyzing, and controlling risk
- Risk assessment is an important part of risk management: determine weaknesses and identify risks
- Three steps to risk assessment:
  - Asset identification
  - Threat and vulnerability assessment
  - Reduce risk (take action)
Asset Identification
- Asset identification: identifying the organization’s assets, including computers, data, and programs
- Once identified, assets must be prioritized:
  - Replaceable or not?
  - Possible targets of competitors?
  - Would the company’s business halt if they were lost?
- Some data may be more valuable than other data; it is very important to prioritize data
Threat and Vulnerability Assessment
- Threat and vulnerability assessment: determining how assets are currently protected and the vulnerabilities of those assets
- Threat modeling: scenarios of types of threats
- Attack tree: visual image of attacks that might occur (see Figures 3-2 and 3-3)
Threat and Vulnerability Assessment (continued)
- Vulnerability assessment: determine if current security could be breached by an attack
- Vulnerability assessment managed services (see Figure 3-4)
Reduce Risk
- Reducing risk: determining what actions to take to reduce the risk of the security weakness
- Not all weaknesses can be eliminated; some degree of risk must always be assumed
- Three options:
  - Accept
  - Diminish
  - Transfer
- When developing the security policy, decisions must be made about the risks
User Responsibilities
User responsibilities in the security policy cover three key areas:
- Password policies
- E-mail policies
- Internet policies
Password Policy
- Password policies outline the minimum requirements for passwords and how they should be protected:
  - Change passwords every 30 days
  - Minimum length
  - At least one nonalphabetic character
  - Upper and lower case letters combined
  - No personal information
  - No common words
  - Never given out over the telephone or through e-mail
  - May not be reused for 12 months
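As an added illustration (not from the textbook), the password rules on this slide expressed as a checker that an account provisioning script could call. The minimum length of 8 and the small common-word list are assumptions, since the slide gives neither; the "never given out" rule is procedural and cannot be checked in code.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumptions not stated on the slide: minimum length 8, and a tiny constructed
# word list standing in for a real common-password dictionary.
MIN_LENGTH = 8
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}
MAX_AGE_DAYS = 30        # "Change passwords every 30 days"
REUSE_WINDOW_DAYS = 365  # "May not be reused for 12 months"


@dataclass
class UserRecord:
    username: str
    personal_info: list          # e.g. first name, surname, birth year
    history: list = field(default_factory=list)  # (password, date it was set)


def check_password(candidate: str, user: UserRecord, today: date) -> list:
    """Return the policy rules the candidate violates; an empty list means compliant."""
    violations = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        violations.append("minimum length")
    if not any(not c.isalpha() for c in candidate):
        violations.append("nonalphabetic character")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        violations.append("mixed case")
    # Personal information: reject if the username or any known attribute appears inside.
    if any(info.lower() in low for info in [user.username] + user.personal_info if info):
        violations.append("personal information")
    if any(word in low for word in COMMON_WORDS):
        violations.append("common word")
    # Reuse: any identical password set inside the 12-month window is rejected.
    for old, set_on in user.history:
        if old == candidate and today - set_on < timedelta(days=REUSE_WINDOW_DAYS):
            violations.append("reused within 12 months")
            break
    return violations


def password_expired(user: UserRecord, today: date) -> bool:
    """True when the most recently set password is older than the 30-day rotation limit."""
    if not user.history:
        return True
    _, set_on = max(user.history, key=lambda h: h[1])
    return today - set_on > timedelta(days=MAX_AGE_DAYS)
```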
E-mail Policy
- E-mail policies: e-mail is a company asset and a critical component of the communications system
- Acceptable and unacceptable use of e-mail systems
- May provide examples of misuse
- Deleted e-mail is not necessarily gone:
  - Businesses regularly copy and store e-mail
  - Company records can be used in legal proceedings
Internet Use Policy
- Internet use policy: provides a list of activities that are unacceptable
- The security policy attempts to regulate personal Internet usage
- Three primary reasons personal Internet usage is frowned on:
  - Impacts employee productivity
  - Uses bandwidth
  - Can open doors to viruses and worms
Internet Use Policy (continued)
Typical Internet prohibitions:
- Accessing, downloading, printing, or storing sexually explicit content
- Downloading or transmitting fraudulent, threatening…or otherwise unlawful messages or images
- Installing or downloading software, programs, or executables
- Uploading or downloading copyrighted materials or proprietary information without consent
Human Resource Procedures
- The best security policy is useless if employees are unaware of it
- Human Resources (HR) has ongoing jobs:
  - Inform new hires of security policies
  - Perform ongoing training and updates about changes
  - Play a pivotal role when an employee leaves the company
Hiring
- In-depth information security training is essential for new hires:
  - Position on the importance of security
  - User’s responsibility to be aware of the importance of security, achieve good security practices, and understand the penalties
- At orientation sessions with HR, new users should be assigned usernames, passwords, and other IT accounts
Education
- Security in an organization continues to evolve
- Ongoing educational opportunities for all employees
- Organization-wide security awareness program; goals:
  - Heighten awareness
  - Change attitudes
  - Influence behavior
- Human firewall: any person who prevents security attacks from passing through them
- Continually evaluate progress and results
Termination
- When an employee leaves, it is critical to cancel that employee’s access
- Many attacks have been the result of a disgruntled ex-employee whose access was not terminated
- Passwords and accounts should be cancelled; accounts should be disabled and the employee’s hard drive stored in case future reference becomes necessary
Business Continuity Plan
- Business continuity plan: establishes procedures that will allow the business to continue to function
- Two key parts to a business continuity plan:
  - Incident response team
  - Disaster recovery plan
Incident Response Team
- Incident response team (IRT): team of employees whose job is first response after a security incident
- Different classes of incidents should be outlined in advance to ensure a ready response
- Two primary goals of an IRT:
  - Gather and handle digital evidence of the attack
  - Provide information about the attack to concerned parties
Incident Response Team (Cont.)
- Gather and handle evidence:
  - Proper preservation of evidence
  - Affected hard drives imaged (copied exactly)
  - Chain of custody: documents where the evidence has been stored and everyone who has had contact with or access to the evidence
- Disclose the attack:
  - The nature of the attack helps determine who should be notified
Disaster Recovery Plan
- Disaster recovery plan: designed to outline the procedures necessary for getting the business back to normal after an attack
- Recovery steps required for different types of disasters and attacks
- Two key parts:
  - Data backups
  - Alternative sites
Disaster Recovery Plan (Cont.)
- Data backups: data regularly copied to another medium and stored in a secure location
- Media includes:
  - Optical discs (CD-R, CD-RW, CD-ROM)
  - Digital Versatile Discs (DVD, DVD-R, DVD-RAM, DVD-RW, DVD+RW)
  - Magnetic tapes
- Most businesses make two sets of backup tapes: one stored on-site and one off-site
Disaster Recovery Plan (Cont.)
- Backup sites: alternative sites that may contain computers, networks, and the equipment necessary to run the business
- Four types of backup sites:
  - Mirror site
  - Hot site
  - Warm site
  - Cold site
Summary
- A security policy is a document containing procedures designed to protect and maintain an organization’s information resources
- All security policies are based on a risk assessment and will outline user responsibilities
Summary (continued)
- Risk assessment:
  - Identify resources
  - Determine their relative value and how they are currently protected
  - Explore threats
  - Expose vulnerabilities
  - Determine actions to reduce risk
Summary (continued)
- When the risk assessment is complete, the next step is to create the security policy
- User responsibilities to minimize risks; key areas to address:
  - Password policies
  - E-mail policies
  - Internet policies
- It is the HR Department’s job to inform new hires of the security policies and provide ongoing training and updates of changes
Summary (continued)
- The Human Resources Department plays a pivotal role in ensuring that an employee who leaves the company can no longer access systems
- When a new employee starts, HR must provide in-depth training regarding information security
- Security at organizations continues to evolve as new attacks, hardware, and goals change
- HR must provide ongoing education for all employees
Summary (continued)
- Business continuity plan: established procedures that will allow the business to continue functioning
- Two key parts of a Business Continuity Plan:
  - Incident Response Team
  - Disaster Recovery Plan