Presentation is loading. Please wait.

Presentation is loading. Please wait.

General Security Principles and Practices. Security Principles Common Security Principles Security Policies Security Administration Physical Security.

Published byCameron Simon Modified over 9 years ago

Similar presentations

Presentation on theme: "General Security Principles and Practices. Security Principles Common Security Principles Security Policies Security Administration Physical Security."— Presentation transcript:

1 General Security Principles and Practices

2 Security Principles Common Security Principles Security Policies Security Administration Physical Security

3 Common Security Principles Many principles come from: –military –businesses Separation of Privileges Principle –No single person should have enough authority to cause a critical event to happen –Many examples from outside of computing, e.g., two keys needed to launch a missile –Tradeoff between security gained and manpower required to achieve it

4 Common Security Principles Separation of Privileges Principle –CIO should not have access to all systems –DBA should not have access to encryption key –Example: Accountant with privilege to write check as well as balance the businesses account is potential for abuse Numerous instances all over the world on this one aspect only Louisville is no exception

5 Common Security Principles Least Privilege Principle –Allow only the minimum level of access controls necessary to carry out job functions –A common violation of this principle occurs because of administrator inattention Users are placed in groups that are too broad –Another common violation occurs because of privilege creep Users are granted new privileges when they change roles without reviewing existing privileges

6 Common Security Principles Defense in Depth Principle –Defenses should be layered –Layers begin with points of access to a network and continue with cascading security at bottleneck points Security through Obscurity –Secrecy maintained about security that was in place –No longer very effective in a free society

7 Defense in Depth

8 Security Policies Security objectives to: –Design specific controls –Keep users informed of expected behavior A security policy should be a written document –Available to all users of an organizational information system Security policies range from single documents to multiple documents for specialized use or for specific groups of users

9 Acceptable Use Policy Defines allowable uses of an organization’s information resources –Email –Web space Must be specific enough to guide user activity but flexible enough to cover unanticipated situations Should answer key questions –What activities are acceptable? –What activities are not acceptable? –Where can users get more information as needed? –What to do if violations are suspected or have occurred?

10 Acceptable Use Policy Organization thinks: –Anything that is not permitted is prohibited User thinks: –Anything that is not prohibited is permitted

11 Backup Policy Data backups protect against corruption and loss of data –To support the integrity and availability goals of security Backup policy should answer key questions –What data should be backed up and how? –Where should backups be stored? –Who should have access? –How long should backups be retained? –How often can backup media be reused?

12 Backup Policy Backup types: –Cold site –Warm site –Hot site Recovery testing essential Policy governing periodic recovery

13 Confidentiality Policy Outlines procedures used to safeguard sensitive information Should cover all means of information dissemination including telephone, print, verbal, and computer Questions include –What data is confidential and how should it be handled? –How is confidential information released? –What happens if information is released in violation of the policy? Employees may be asked to sign nondisclosure agreements

14 Data Retention Policy Defines categories of data –Different categories may have different protections under the policy For each category, defines minimum retention time –Time may be mandated by law, regulation, or business needs, e.g., financial information related to taxes must be retained for 7 years For each category, defines maximum retention time –This time may also be mandated by law, regulation, or business needs –Common in personal privacy areas

15 Wireless Device Policy Includes mobile phones, PDAs, palm computers Users often bring personal devices to the workplace Policy should define –Types of equipment that can be purchased by the organization –Type of personal equipment that may be brought into the facility –Permissible activities –Approval authorities for exceptions

16 Implementing Policy A major challenge for information security professionals Includes processes of developing and maintaining the policies themselves as well as ensuring their acceptance and use within the organization Activities related to policy implementation are often ongoing within an organization

17 Developing Policies Team approach should be employed –Include members from different departments or functional elements within the organization Develop a high-level list of business objectives Determine the documents that must be written to achieve objectives Revise documents drafts until consensus is achieved

18 Building Consensus ‘buy-in’ from employees is essential Policy implementers are employees. Without buy-in policy enforcement would falter Often the policies are promoted and advertised by senior management

19 Education New policies implementation require sufficient training for employees Users should be aware of their responsibilities with regard to policies Two types of training –One-time initial training to all employees –Periodic training to Remind employees of their responsibilities Provide employees with updates of policies and technologies that affect their responsibilities

20 Enforcement and Maintenance Policies should define responsibilities for –Reporting violations –Procedures when violations occur Policies should be strictly and uniformly enforced Policy changes occur as companies and technologies change Policies should contain provisions for modification through maintenance procedures –Essential to have mandated periodic reviews

21 Security Administration Tools Tools help with –consistent application of policy –enforcement of policy Security checklists –Security professionals should review all checklists used in an organization for compliance with security procedures –Security professionals may develop their own checklists for security-specific tasks Security matrices –Used in development of security policies and implementation of particular procedures –Helps focus amount of attention paid to particular goals

22 Security Matrices

23 Physical Security Ensures that only authorized people gain physical access to a facility Protection from natural disasters such as fires and floods Large organizations outsource physical security Three common categories of physical security issues –Perimeter protection –Electronic emanations –Fire protection

24 Physical Security Addresses security countermeasures using: –Design –Implementation –Maintenance Management responsibility Policy development

25 Perimeter Security Perimeter security includes: –Fences –Walls –Gates –Lighting –Motion detectors –Dogs –Patrols

26 Access Control Locks –Manual –Electronic –Biometric Defense in depth principle –Fences around the facility and biometrics for specific offices within a facility

27 Access Control ID cards and badges Electronic monitoring Mantrap Alarms

28 Fire Safety Fire detection –Thermal detection –Fixed-temperature detection –Rate-of-rise detection –Smoke detection –Photoelectric sensors Fire classes –Class A – less serious –Class B – combustible liquids –Class C – electrical fires –Class D – dangerous chemicals

29 Fire Safety Fire suppression –Water sprinkler Dry pipe Wet pipe Mist sprinkler Deluge system –Halon gas –Inergen gas (nitrogen, argon, carbon dioxide)

30 Electrical Power UPS –Standby –Line-interactive –True-online Emergency shutoff Grounding Power management and conditioning

31 Electronic Surveillance Facility monitoring using surveillance video Check for electromagnetic signals leaking data –Electromagnetic signals can be picked up and interpreted outside facility –Expensive to block electronic eavesdropping Fire protection requires detection and suppression systems –Often dictated by building codes –Suppression systems include sprinklers, chemicals, and fire extinguishers

32 Personnel Security People are the weakest link in a security system Perform background investigations –Can include criminal record checks, reference evaluations Monitor employee activity –Can include monitoring Internet activity, surveillance cameras, telephone recording Mandatory vacations Exit procedures for employees leaving the company –Remind employees of any nondisclosure agreements

33 References Curtis Dalton, “Had a security physical lately?” Business Communications Review, May 2002. “Types of locks” http://www.secmgmt.com/ UPS http://www.pcguide.com/ref/power/ext/ups/types.htm Eric Maiwald and William Sieglein, “Security Planning and Disaster Recovery,” McGraw- Hill/Osborne, NY, 2002.

Download ppt "General Security Principles and Practices. Security Principles Common Security Principles Security Policies Security Administration Physical Security."

Similar presentations

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Emergency Action Plans

Emergency Action Plans
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Security and Personnel

Security and Personnel
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.

Physical and Environmental Security Chapter 5 Part 1 Pages 427 to 456.
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Physical (Environmental) Security.

Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Physical (Environmental) Security.
Copyright © Center for Systems Security and Information Assurance Lesson Seven Physical Security.

Copyright © Center for Systems Security and Information Assurance Lesson Seven Physical Security.
Contractor Management and ISO 14001:2004

Contractor Management and ISO 14001:2004
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
General Security Principles and Practices Chapter 3.

General Security Principles and Practices Chapter 3.
Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.

Internal Control Concepts A Guide for Deans, Directors, and Department Chairs.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Concepts of Database Management Seventh Edition

Concepts of Database Management Seventh Edition
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?

Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?
Fire Protection John Giefer. Statistics In the Drilling Industry In the Drilling Industry 25% of all inspections found violations of 1910.157 (21 inspections.

Fire Protection John Giefer. Statistics In the Drilling Industry In the Drilling Industry 25% of all inspections found violations of (21 inspections.

Similar presentations

Ads by Google