95752:11 Security Policy: presentation transcript


1 95752:11-1 Security Policy

2 95752:11-2 Policy
Set of detailed rules as to what is allowed on the system and what is not allowed.
User Policy
System Policy
Network Policy
US Law
Trust

3 95752:11-3 Policy Making
Formulations:
– General “catch-all” policy
– Specific asset-based policy
– General policy, augmented with standards and guidelines
Role:
– Clarify what and why of protection
– State responsibility for protection
– Provide basis for interpreting and resolving conflicts
– Retain validity over time

4 95752:11-4 Standards & Guidelines
Standards:
– Codification of successful security practice
– Platform-independent, enforceable
– Change over time (slowly)
Guidelines:
– Interpret standards for a particular environment
– May be violated if needed

5 95752:11-5 Building Policy
Assign an owner
Be positive
– Motivate behavior
– Allow for error
Include education
Place authority with responsibility
Pick a basic philosophy
– Paranoid
– Prudent
– Permissive
– Promiscuous
Don’t depend on “impossible to break”

6 95752:11-6 Security Through Obscurity
If we don’t tell them, they won’t know (false)
– Found by experimentation
– Found through other references
– Passed around by word of mouth
Often used as a basis for ignoring risks
Local algorithm, unavailable sources: no real security

7 95752:11-7 Going Public
Vendor / CERT/CC
Other Administrators (Warning)
User community (Danger)
Internet community (Infectious Danger)

8 95752:11-8 User-level Policy
Authentication: Method, Protection, Disclosure
Importing software: Process, Safeguards, Location
File protection: Default, Variations
Equipment management: Process, Physical Security
Backups: How, When
Problem reporting: Who, How, Emergencies

9 95752:11-9 System-level Policy
Default configuration
Installed software
Backups
Logging
Auditing
Updates
Principal servers or clients

10 95752:11-10 Network-level Policy
Supported services
Exported services: Authentication, Protection, Restriction
Imported services: Authentication, Protection, Privacy
Network security mechanisms

11 95752:11-11 US Law
General advice, not legal counsel
Before performing legal actions, consult a lawyer!
Legal Options
Legal Hazards
Being the target of an investigation
General Tips
Civil Actions
Intellectual Property
Liability

12 95752:11-12 Legal Options
Think before you pursue legal action
Civil actions
Reasons to prosecute:
– Filing an insurance claim
– Privacy-protected data was involved
– Avoid being an accessory to later break-ins
– Avoid a civil suit with punitive damages
– Avoid liability claims from your users

13 95752:11-13 Legal Hazards
Computer-illiterate agents
Over-zealous compliance with search order
Attitude and behavior of investigators
– Work loss
– Problems from the case
– Problems with working relationships
Publicity loss
Seizure of equipment
Positive trend in the enforcement community

14 95752:11-14 Being the Target
COOPERATE
Individual involvement:
– Document level of authorized access
– Limit level of seizure, prosecution
Officers will seize everything related to unauthorized use
The wait for return of seized equipment can be very long
Can challenge reasons for search
Involve legal help soonest!

15 95752:11-15 General Tips (1)
Replace welcome messages with warning messages
Put ownership or copyright notices on each source file
Be certain users are notified of usage policy
Notify all users of what may be monitored
Keep good backups in a safe location
When you get suspicious, start a diary/journal of observations

16 95752:11-16 General Tips (2)
Define, in writing, the authorization of each user and employee, and have them sign it
Ensure employees return equipment on termination
Do not allow users to conduct their own investigations
Make contingency plans with lawyer and insurance
Identify qualified law enforcement at local and federal levels

17 95752:11-17 Lawsuits
Can sue anyone for any reasonable claim of damages or injury
Caveats:
– Very expensive
– Long delays
– May not win
– May not collect anything
Vast majority of actions are settled out of court
CONSULT A LAWYER FIRST

18 95752:11-18 Intellectual Property
Copyright infringement
– Expression of idea
– Derivative work
– Outside of fair use
Trademark violation
– Use of registered words, symbols, phrases
– Lack of credit
Patent concerns
– Application of idea
– Based on prior art
– Prevents redundant application

19 95752:11-19 Liability
Personal liability
Corporate liability
Good security helps to limit liabilities

20 95752:11-20 Trust
Tools of computer security are resident on computers
Just as mutable as any other information on computers
Can we trust our computer?
Can we trust our software?
Can we trust our suppliers?
Can we trust our people?
Trust, but verify

21 95752:11-21 Trusting Our Computer
Hardware bugs
Hardware features
Peripheral bugs/features
Microcode problems

22 95752:11-22 Trusting Our Software
Operating system bugs and features
System software back-doors
Who wrote the software?
Who maintains the software?
Is GOTS / COTS trustworthy?

23 95752:11-23 Trusting Our Suppliers
Development process
Bugs
Testing
Configuration control
Distribution control
Hacker challenges

24 95752:11-24 Trusting Our People
Vendors
Consultants
Employees
System administrators
Response personnel

25 95752:11-25 Trust, but Verify
Trust with a suspicious attitude
Ask questions
Do background checks
Test code
Get written assurances
Anticipate problems and attacks
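Slide 23 lists "distribution control" as something to check about a supplier, and slide 25 says to verify rather than simply trust. The following is an added example, not part of the lecture: it shows the concrete verification step for a shipped distribution, checking every received file against the SHA-256 manifest the supplier published with it and reporting anything modified, missing or unlisted. The manifest format (one `<sha256>  <path>` line per file, as `sha256sum` emits), the sample file contents and the tampering scenario are constructed for this illustration; `make_manifest` stands in for the supplier's side so the whole exchange runs offline.

```python
"""Verify a shipped distribution against its published SHA-256 manifest.

Added example for the "Trust, but Verify" / "Distribution control" slides.
Manifest format and sample data are constructed; nothing here is vendor code.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict) -> str:
    """Supplier side: emit a sha256sum-compatible manifest for the shipped files."""
    return "".join(f"{sha256_hex(data)}  {path}\n" for path, data in sorted(files.items()))


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines into {path: hexdigest}; reject malformed lines
    instead of silently skipping them (a truncated manifest must not pass)."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, path = parts
        try:
            int(digest, 16)
        except ValueError:
            raise ValueError(f"manifest line {lineno}: digest is not hex") from None
        # sha256sum marks binary-mode entries with a leading '*'.
        entries[path.lstrip("*")] = digest.lower()
    return entries


def verify_distribution(manifest_text: str, received: dict) -> dict:
    """Recipient side: compare the received files with the manifest.

    Returns {path: status} with status one of 'ok', 'modified',
    'missing' (listed but not received) or 'unlisted' (received but not listed).
    """
    expected = parse_manifest(manifest_text)
    report = {}
    for path, digest in expected.items():
        if path not in received:
            report[path] = "missing"
        elif hmac.compare_digest(sha256_hex(received[path]), digest):
            report[path] = "ok"
        else:
            report[path] = "modified"
    for path in received:
        if path not in expected:
            report[path] = "unlisted"
    return report


def is_trustworthy(report: dict) -> bool:
    """Accept only when every file is accounted for and unchanged."""
    return all(status == "ok" for status in report.values())


# Constructed sample distribution as the supplier shipped it.
SHIPPED = {
    "bin/tool": b"#!/bin/sh\necho tool v1.0\n",
    "lib/helper.so": b"\x7fELF" + b"\x00" * 12,
    "README": b"Vendor tool, version 1.0\n",
}
PUBLISHED_MANIFEST = make_manifest(SHIPPED)

# Constructed: what the recipient actually got. One file was altered in
# transit, one was dropped and one extra file appeared.
RECEIVED = dict(SHIPPED)
RECEIVED["bin/tool"] = b"#!/bin/sh\necho tool v1.0\n# tampered\n"
del RECEIVED["README"]
RECEIVED["lib/extra.so"] = b"\x7fELF" + b"\x01" * 12


def demo() -> dict:
    return verify_distribution(PUBLISHED_MANIFEST, RECEIVED)


if __name__ == "__main__":
    result = demo()
    for path, status in sorted(result.items()):
        print(f"{status:9} {path}")
    print("trustworthy:", is_trustworthy(result))
```

A manifest check like this only moves the trust question: it proves the files match what the supplier published, provided the manifest itself reached you over a channel the attacker could not alter (a signed manifest, or one fetched separately from the payload). It says nothing about the supplier's own development process, testing or configuration control, which the rest of slide 23 covers and which still have to be assessed by other means.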

