Download presentation
Presentation is loading. Please wait.
Published byRoderick Richard Modified over 9 years ago
1
کامیار نیرومند کارشناس تیم تجهیزات مرکز تخصصی آپا دانشگاه صنعتی اصفهان پاییز 1388 1
2
2 Objectives Describe the concepts of security policies. Examine the standards of Security Policy Design. Describe the individual policies in a security policy. Examine a detailed complete policy template. Describe the policy procedures for Incident Handling and Escalation.
3
3 Concepts of Security Policies A security policy is nothing more than a well- written strategy on protecting and maintaining availability to your network and it’s resources. Most organizations do not have a security policy Excuses are rampant!
4
4 Policy Benefits Categories They lower the legal liability to employees and 3rd party users of resources They prevent waste on resources They protect proprietary and confidential information from theft, unauthorized access or modification, or internal misuse of resources
5
5 How to Start Policy Design policy committee works together to develop an overall strategy for the policy Enforcement mechanisms to ensure the policy is enforced Monitoring tracking the performance of the policy and its effectiveness, or lack thereof
6
6 A graphical representation of the components of the security policy.
7
7 A Question of Trust The level of trust varies by the organization Balancing is the key too little trust impacts functionality too much trust affects security
8
8 Trust Options Trust all the people all the time Trust none of the people none of the time Trust some of the people some of the time
9
9 Policy Committee Security Policy Committee Upper & Middle Management Local & Remote Users Human Resources Legal Professionals Security Professionals IT Users
10
10 Security Policy Scenario Organization Overview Physical Building Overview Network & Computer Overview Extranet Overview
11
11 Are Policies Political? Resistance A person who doesn’t like change A person who is convinced the policy will hinder their work performance A person who believes the organization is akin to “big-brother”
12
12
13
13 The Policy Design Choosing a leader strong project management skills excellent communicator Goals Formulating the policy
14
14 Policy Standards BS7799 www.securityauditor.net ISO17799 www.iso.ch .ch = Switzerland. (Switzerland is also known as ‘Confoederatio Helvetica’, hence ‘ch’)
15
15 BS7799 Business continuity planning System access control System development and maintenance Physical and environmental security Compliance
16
16 BS7799 Personnel security Security Organization Computer and network management Asset classification and control Security policy
17
17 ISO17799 Sections Business Continuity Planning System Access Control System Development and Maintenance Physical and Environmental Security Compliance Personnel Security Security Organization
18
18 ISO17799 Computer and Network Management Asset Classification and Control Security Polilcy
19
19 Important RFCs RFC 2196: The Site Security Handbook RFC 2504: The User’s Security Handbook
20
20
21
21 The Policies The Acceptable Use Policy The User Account Policy The Remote Access Policy The Information Protection Policy The Network Connection Policy The Strategic Partner Policy The Privileged Access Policy
22
22 The Policies The Password Policy The Internet Policy Individual policies per technology i.e. firewall policy or IDS policy
23
23 The Acceptable Use Policy Considerations Are users allowed to share user accounts? Are users allowed to install software without approval? Are users allowed to copy software for archive or other purposes? Are users allowed to read and/or copy files that they do not own. but have access to?
24
24 The Acceptable Use Policy Are users allowed to make copies of any OS files Are users allowed to modify files they do not own, but have write abilities? Are users required to use password-protected screensavers?
25
25 The User Account Policy Considerations Are users allowed to share their user accounts with coworkers? Are users allowed to share their user accounts with family members or friends? Are users allowed to have multiple accounts on a computer? Are users allowed to have multiple accounts in the network?
26
26 The User Account Policy Considerations Who in the organization has the right to approve requests for new user accounts? How long are accounts to remain inactive befor they are disabled?
27
27 The Remote Access Policy Considerations Which users in the organization are authorized for remote access? What is the process for becoming authorized for remote access? What methods of remote access are allowed? Is the entire network accessible remotely?
28
28 The Remote Access Policy Can remote users use remote management to their computers in the office? Are users family members allowed to access the organization’s network remotely? Are users allowed to install modems to dial out of the network? Will the organization place requirements on the software of computers performing remote access?
29
29 The Information Protection Policy Considerations How are the different levels of data classification labeled? Which users have access to the different levels of data classification? How are users informed of their levels of access? What is the default level of access that is to be applied to all information?
30
30 The Information Protection Policy Is information that is classified at the top level allowed to be printed on common printers? Are all computers in the network able to store information that has the top level of classification? Will computers that do store top-level information require special security controls? How is information to be disposed of?
31
31 The Network Connection Policy Considerations Are users allowed to install networking hardware into their computers? Which users are authorized to install networking devices into their computers? Who in the organization has the authority to approve of networking component installation?
32
32 The Network Connection Policy What is the process of documentation for new networking components? What is the procedure in the event that the network is disabled? What is the process in the event an unauthorized network component is found on the network or in a computer?
33
33 The Strategic Partner Policy Considerations Are strategic partners required to have written security policies? Are strategic partners required to provide copied of their policies? Are strategic partners required to disclose their perimeter and internal security measures?
34
34 The Strategic Partner Policy Will strategic partners be allowed to connect via a VPN? How are those VPNs to be configured? What type of access shall be granted to Strategic Partners?
35
35 The Privileged Access Policy Considerations Who hires the network administration personnel Who may be allowed root, or domain administrator, or enterprise administrator access? What is the process for requesting privileged access?
36
36 The Privileged Access Policy Who has the authority to create the privileged access user account? Are administrators allowed to run network- scanning tools? Are administrators allowed to access any file on any computer? What is the process of determining which files administrators do have access to?
37
37 The Privileged Access Policy Are administrators allowed to run password checking tools? Are privileged accounts allowed to access the network remotely? Can a family member or visitor share a privileged account?
38
38 The Password Policy Considerations Will the Security Administrator have the right to run password-checking tools? What is the minimum length that users passwords must be? How often must users change their passwords? Can a user re-use a password? What are the restrictions on how a password must be created?
39
39 The Password Policy What are the penalties for passwords that do not meet the criteria? Are passwords required to be of a different strength for privileged accounts? How many incorrect passwords are required for an account lockout? What is the process of unlocking a locked account?
40
40 The Password Policy Are screen-savers required to be password protected? Does a user have to log on to the system in order to change a password?
41
41 The Internet Policy Considerations Are all users allowed to access the Internet? Are all users allowed to access Web sites? Are users allowed to access remote email servers? Are there limits on the size of Internet downloads?
42
42 The Internet Policy Are there controls in place to restrict access to objectionable Web sites? Are users aware of the controls on access? Will the organization monitor users access to Web sites? Are users allowed to use organizational email resources for personal use? What level of privacy will users be granted with their email
43
43 Miscellaneous Policies Considerations Are users able to install PDA software on their components? Who in the organization is going to support the user-installed application? Will administrators be able to review the content stored on the PDA?
44
44
45
45 Sample Escalation Procedures for Security Incidents Computer security incidents Loss of personal information Suspected sharing of User accounts Unfriendly employee termination Suspected violations of specials access Suspected computer break-in or computer virus
46
46 Sample Escalation Procedures for Security Incidents Physical Security Incidents Illegal building access Property damage or personal theft
47
47 Incident Handling The steps of incident handling must be discussed before an incident occurs
48
48 Sample Incident Handling Procedure Introduction General procedures Specific procedures
49
49
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.