Guide to Network Defense and Countermeasures Second Edition
Chapter 3 Security Policy Implementation
Objectives
- Explain best practices in security policies
- Formulate a security policy and identify security policy categories
- Explain the importance of ongoing risk analysis and define incident-handling procedures
Guide to Network Defense and Countermeasures, Second Edition
What Makes a Good Security Policy?
- Benefits of a security policy
  - Provides a foundation for an organization’s overall security stance
  - Gives employees guidelines on how to handle sensitive information
  - Gives IT staff instructions on what defensive systems to configure
  - Reduces the risk of legal liability
- A good security policy is comprehensive and flexible
- It is not a single document but a group of documents
General Security Policy Best Practices
- Basic concepts
  - If it is too complex, nobody will follow it
  - If it affects productivity negatively, it will fail
  - It should state clearly what can and cannot be done on company equipment
  - Include generalized clauses
  - People need to know why a policy is important
  - Involve representatives of all departments
  - It should contain clauses stating the specific consequences for violating the policy
General Security Policy Best Practices (continued)
- Basic concepts (continued)
  - Needs support from the highest level of the company
  - Employees must sign a document acknowledging the policy and agreeing to abide by it
  - Keep it updated with current technologies
  - Policy directives must be consistent with applicable laws
General Security Policy Best Practices (continued)
- Considering cyber risk insurance
  - An insurance policy that protects against losses to information assets
  - Insurance and security policies are related: many answers to insurance application questions come directly from the security policy
  - It could even earn your company a break on rates
General Security Policy Best Practices (continued)
- Developing security policies from risk assessment
  - Steps
    - Identify what needs to be protected
    - Define the threats faced by the network
    - Define the probability of those threats and their consequences
    - Propose safeguards and define how to respond to incidents
  - Penalties for violating the policy are stated prominently near the top
  - Policy effectiveness must be monitored
General Security Policy Best Practices (continued)
- Teaching employees about acceptable use
  - The issue of trust is an integral part of a security policy
  - The policy should define who to trust and what level of trust should be placed in them
  - Seek a balance between trust and issuing orders
General Security Policy Best Practices (continued)
- Outlining penalties for violations
  - The policy should state what to do and what not to do
  - The policy should also contain guidelines for the penalty process
  - Establish flexible methods of punishment that can be applied at management’s discretion
General Security Policy Best Practices (continued)
- Criminal computer offenses
  - Policy violations can become criminal offenses
  - Subpoena: an order issued by a court demanding that a person appear in court or produce some form of evidence
  - Search warrant: a court order that authorizes law enforcement officers to search specified premises and seize evidence; unlike a subpoena, the officers collect the evidence themselves, and you are compelled to cooperate with (and not obstruct) the investigation
  - Due process: the constitutional guarantee to a fair and impartial trial
General Security Policy Best Practices (continued)
- Enabling management to set priorities
  - The policy provides a way to identify the most important security priorities
  - The policy lists the network resources that managers find most valuable in the organization
General Security Policy Best Practices (continued)
- Helping network administrators do their jobs
  - The policy spells out mundane but important information
  - Privileged access policy: the policy that covers network administrators
    - Specifies whether they are allowed to run network-scanning tools
    - Specifies whether they are allowed to run password-checking software
    - Specifies whether they are allowed to have root or domain administrator access
General Security Policy Best Practices (continued)
- Using security policies to conduct risk analysis
  - Design and implement a security policy
  - Monitor your network’s behavior (response time, traffic signatures)
  - Use this information in further rounds of risk analysis
  - Conduct a risk analysis after a major change occurs
Formulating a Security Policy
- Start by analyzing the level of risk to the organization’s assets
- Identify safeguards to protect the assets
- Identify the potential need for cyber risk insurance
Seven Steps to Creating a Security Policy
1. Call for the formation of a group that meets to formulate the security policy
2. Determine whether the overall approach to security should be restrictive or permissive
3. Identify the assets you need to protect
4. Determine what needs to be logged and/or audited
5. List the security risks that need to be addressed
6. Define acceptable use of the Internet, office computers, passwords, and other network resources
7. Create the policy
Components of Security Policies
- Acceptable use policy
  - Establishes what is acceptable use of company resources
  - Usually stated at the beginning of a security policy
- Security user awareness program
  - Gets employees involved and excited about the policy
  - Explains how the policy benefits the employees
Components of Security Policies (continued)
- Violations and penalties
  - Specifies what constitutes a violation and how violations are dealt with
  - Can help a company avoid legal problems
Components of Security Policies (continued)
- User accounts and password protection
  - Guides how user accounts are to be used
  - Passwords represent a first line of defense
Components of Security Policies (continued)
- Remote access policy
  - Spells out the use of role-based access control (what the text calls role-based authentication): after a user authenticates, access is limited to what that user’s role is allowed to use
- Virtual Private Networks (VPNs)
  - VPNs create a tunnel to transport information through public communications media
  - Data are kept safe by the use of tunneling protocols and encryption; note that tunneling by itself only encapsulates the traffic, and confidentiality and integrity come from the encryption and authentication the tunnel applies
Components of Security Policies (continued)
- Secure use of the Internet and e-mail
  - Covers how employees can access and use the Internet and e-mail
  - Prohibits broadcasting any messages
  - Spells out whether users are allowed to download software or streaming media from the Internet
  - Blocks any objectionable Web sites
Components of Security Policies (continued)
- LAN security policy
  - Protects information that is processed, stored, and transmitted on the LAN, and the LAN itself
Components of Security Policies (continued)
- LAN security policy (continued)
  - Should describe the following: applicability, evaluations, responsibilities, commitment
  - Can cover the following employees: functional managers, users, local administrators, end users
Conducting Ongoing Risk Analysis
- Re-evaluate the organization’s security policy on an ongoing basis
- Decide on a routine reassessment of the risk to the company and its assets
Conducting Routine Security Reviews
- Security policies can specify how often risk analyses should be conducted
  - Identifying the people who conduct the analysis
  - Describing the circumstances that call for a new risk analysis
- The policy should be flexible enough to allow “emergency” reassessments as needed
Working with Management
- Managers usually think in terms of ROI
- They should also consider these factors:
  - How much the information systems and data are worth
  - Possible threats they have already encountered and will encounter
  - The chances that security threats will result in real losses
Working with Management (continued)
- Some business activities affected by intrusions:
  - Costs related to financial loss and disruption
  - Personnel safety and personnel information
  - Legal and regulatory obligations
  - Commercial and economic interests
Working with Management (continued)
- Dealing with the approval process
  - Developing a security policy can take several weeks or several months
  - Take the time to do it right and cover all bases
  - The policy needs to be reviewed and approved by upper management
  - You might encounter resistance; a security user awareness program can help
Working with Management (continued)
- Feeding security information to the security policy team
  - Inform them of any change to the organization’s security configuration
Responding to Security Incidents
- Escalation procedures
  - Levels of escalation
    - Level One incidents (least severe): managed within one working day; requires notifying only the on-duty security analyst
    - Level Two incidents (moderate seriousness): managed the same day; requires notifying the security architect
    - Level Three incidents (most serious): managed immediately; requires notifying the chief security officer
Responding to Security Incidents (continued)
- Incident handling
  - Incident examples
    - Loss of passwords: Level One incident (in practice, the level should depend on what the lost password protects; a privileged or administrator credential warrants a higher level)
    - Burglary or other illegal building access: Level Two incident
    - Property loss or theft: Level Two or Level Three incident
Updating the Security Policy
- Update your policy based on the security incidents reported
- Any changes to the policy should be broadcast to the entire staff, by e-mail or by posting the changes on the intranet
- The security policy should result in concrete changes to the organization’s security configuration
  - New hardware or software that makes security tasks easier
  - Better protection means fewer internal or external incidents
Summary
- The benefits of a security policy are wide ranging
  - A security policy protects a company’s overall security
  - It states what rights employees have and how they should handle company resources
- Cyber risk insurance is becoming necessary for businesses
- A good security policy
  - Is based on risk assessment
  - Covers acceptable use of system resources
  - Sets priorities for the most critical resources
Summary (continued)
- Legal liabilities should be covered in a security policy
  - Incidents can become legal offenses
  - Understand your legal obligations
- A security policy comprises a series of several specific policies
- There are seven steps in creating a policy
- You must present the proposal to management and gain approval, which involves explaining the expected ROI and other costs
Summary (continued)
- Security policy sections
  - Acceptable use
  - Violations and penalties
  - Incident handling
  - Escalation procedures
- Security policies should be reviewed and updated regularly