
Windows 2000 Security Policies & Practices: How to build your plan
Mandy Andress, CISSP, President, ArcSec Technologies

Presentation transcript:

Slide 1: Windows 2000 Security Policies & Practices: How to build your plan
Mandy Andress, CISSP, President, ArcSec Technologies

Slide 2: What will be covered today
- Understanding information assets
- Capturing core values and security needs
- Performing risk assessment
- Formulating security policy
- Implementing Windows security policy

Slide 3: What are Information Assets?
- Documents, data or information of value
- Primary components:
  - Customer information, history, preferences, etc.
  - Product or service description, content, components, etc.
  - Process & procedure descriptions (“how you run the business”)
- Anything you don’t want to share, give away or disclose freely to everyone = an asset in need of protection

Slide 4: Recognizing Risk
- “Possibility of harm or loss”
- Probability of experiencing loss resulting from a threat event
- Risk assessment = associating value or cost with a specific loss
- PURPOSE OF SECURITY IS TO MANAGE RISK!!

Slide 5: Risk Assessment Lingo
- Threat Agent
- Exposure Factor
- Single Loss Exposure Value
- Probability of Loss
- Annualized Loss Expectancy

Slide 6: Managing Risk
- Removing risk
- Mitigating risk
- Transferring risk

Slide 7: Performing Risk Assessment – Part 1
- What can go wrong?
- If it happened, how bad would it be?
- How often might it happen?
- How sure are the answers to the preceding questions?
- What can be done to remove, mitigate or transfer the risk?
- How much will it cost?
- How efficient is it?

Slide 8: Performing Risk Assessment – Part 2
- Inventory, definition, requirements
- Vulnerability and threat assessment
- Evaluation of controls
- Analysis, decision, and documentation
- Communication
- Monitoring
- Insurance
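Slides 5 through 8 list the vocabulary (exposure factor, single loss expectancy, probability of loss, annualized loss expectancy) and the questions (how bad, how often, what does the control cost, is it worth it) without showing the arithmetic that connects them. The following is an added example, not part of Mandy Andress's slides; it assumes the standard quantitative formulas SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence (the slides' "Probability of Loss" is treated here as that annual rate), and the asset values, probabilities and control costs are constructed sample figures. It scores candidate controls by the ALE they remove minus their annual cost and maps the outcome onto slide 6's choices: mitigate, transfer (insurance) or accept.

```python
"""Quantitative risk assessment: SLE, ALE and control cost-benefit.

Added example, not part of the original slides. Assumptions: the slides
name the terms but give no formulas, so the usual ones are used here:
    SLE = asset value x exposure factor
    ALE = SLE x ARO      (ARO = annualized rate of occurrence; the slides'
                          "Probability of Loss" is treated as this value)
A control is worth buying when the ALE it removes exceeds its annual cost.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    """One threat event against one asset (slide 7's 'what can go wrong')."""
    name: str
    asset_value: float      # replacement / business value of the asset
    exposure_factor: float  # fraction of that value lost per event (0..1)
    aro: float              # expected events per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence ('how bad')."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year ('how often')."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard. 'mitigate' lowers likelihood or impact;
    'transfer' (e.g. insurance) shifts part of the impact to someone else."""
    name: str
    kind: str                   # "mitigate" or "transfer"
    annual_cost: float          # licence, staff time, premium, ... per year
    aro_reduction: float = 0.0  # fraction by which the control lowers ARO
    ef_reduction: float = 0.0   # fraction by which it lowers exposure factor


def residual_threat(threat: Threat, control: Control) -> Threat:
    """The same threat as it looks with the control in place."""
    return Threat(
        threat.name,
        threat.asset_value,
        threat.exposure_factor * (1.0 - control.ef_reduction),
        threat.aro * (1.0 - control.aro_reduction),
    )


def net_benefit(threat: Threat, control: Control) -> float:
    """Annual value of a control: ALE removed minus what the control costs.
    Negative means the cure costs more than the disease ('how efficient')."""
    avoided = threat.ale() - residual_threat(threat, control).ale()
    return avoided - control.annual_cost


def decide(threat: Threat, controls: list) -> dict:
    """Choose the control with the highest positive net benefit, or accept
    the risk when no control pays for itself (slide 6's options)."""
    best: Optional[Control] = None
    best_value = 0.0
    for control in controls:
        value = net_benefit(threat, control)
        if value > best_value:
            best, best_value = control, value
    return {
        "threat": threat.name,
        "baseline_ale": threat.ale(),
        "decision": best.kind if best else "accept",
        "control": best.name if best else None,
        "net_benefit": best_value,
    }


# Constructed sample figures (not from the slides): a customer database worth
# 500,000; a breach is assumed to destroy 40% of that value, once per 5 years.
CUSTOMER_DB_BREACH = Threat("customer database breach", 500_000, 0.40, 0.20)

CANDIDATE_CONTROLS = [
    Control("encrypt backups + least-privilege access", "mitigate",
            annual_cost=8_000, aro_reduction=0.75),
    Control("cyber-insurance policy", "transfer",
            annual_cost=15_000, ef_reduction=0.80),
    Control("enterprise DLP suite", "mitigate",
            annual_cost=45_000, aro_reduction=0.90),
]

if __name__ == "__main__":
    t = CUSTOMER_DB_BREACH
    print(f"SLE = {t.sle():,.0f}   ALE = {t.ale():,.0f}")
    for c in CANDIDATE_CONTROLS:
        print(f"{c.name:45s} net benefit/yr = {net_benefit(t, c):>10,.0f}")
    print(decide(t, CANDIDATE_CONTROLS))
```

With the constructed figures the baseline ALE is 40,000 per year; the encryption and access-control package removes 30,000 of it for 8,000 (net 22,000), insurance nets 17,000, and the DLP suite removes 36,000 but costs 45,000, so it would be rejected even though it is the most effective control technically. That is the point of slide 7's last two questions: effectiveness and efficiency are judged separately.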

Slide 9: Understanding Security Policy
- Not technology specific
- Three primary functions:
  - Reduce or eliminate legal liability to employees & 3rd parties
  - Protect confidential or proprietary information from theft, misuse, unauthorized disclosure, loss or modification
  - Prevent waste of company computing resources
- Internal policy (inward focus) is key to proper formulation!

Slide 10: Security Policy Lifecycle
- Policy development
- Policy enforcement
- Policy monitoring, review, and maintenance

Slide 11: Developing Security Policy
- Identifying key business resources & policies
- Defining organizational roles
- Determining the capabilities/functionality matrix for each role
- Important standards:
  - ISO 17799 (formerly known as BS 7799)
  - RFCs 2196 and 2504

Slide 12: Avoiding Policy Pitfalls
- Always consider organization culture when creating information security policies
- Develop realistic policies explicitly endorsed by management
- Never underestimate the importance of teaching policy awareness
- Develop policies, compliance monitoring procedures, and consequences for noncompliance in tandem

Slide 13: Key Security Policy Components
Numerous documents make up a security policy, including:
- Acceptable Use Policy
- User Account Policy
- Remote Access Policy
- Information Protection Policy
- Firewall Management Policy
- Special Access Policy
- Network Connection Policy
- Business Partner Policy
- Customer Policy
- Service Provider Policy

Slide 14: Procedures Implement Policy
- Step-by-step technical discussions of how policy will be implemented
- Important procedures:
  - Configuration Management
  - Backup and Off-site Storage
  - Incident Response
  - Business Continuity and Disaster Recovery

Slide 15: Sample Security Policies & Info
- SANS Security Policy Project
- CMU Octave Framework
- Murdoch Univ “Information Technology Security Policy” report
- UC Davis Security Policies
- NIH IT Security Policy & related documents
- Security Policies Made Easy
- ISO 17799

Slide 16: Windows Security Policy
- No direct mapping from security policy to implementation
- Requires strong working knowledge of both sides (policy & OS)
- Applies through numerous controls, consoles, & utilities

Slide 17: Windows 2000 Group Policy
- GPO: Active Directory construct, a collection of policies
- Addresses user and computer configuration
- Addresses security settings defined in security templates
- Provides controls over many aspects of security

Slide 18: Key Group Policy Topics & Tools
- Group Policy tools
- GPO components (what can be modified using Group Policy)
- Using Security Configuration & Analysis tools with Group Policy editors
- Default Group Policy Objects (GPOs): Local Security Policy, DC Security Policy, Domain Security Policy
- Group Policy inheritance (how Group Policy applies)
- Group Policy with Windows NT &/or Windows 9x systems

Slide 19: Proper Implementation Strategy
- Start with a non-production test environment
- Introduce changes slowly & in a controlled manner
- Best use of Group Policy occurs within AD environments
- Proceed carefully with production deployment
- Be ready to roll back as needed

Slide 20: Key Microsoft Resources
- Microsoft Security Site
- Introduction to Microsoft Windows 2000 Group Policy
- White Paper: Windows 2000 Group Policy
- Step-by-Step Guide to Understanding the Group Policy Feature Set
- Windows 2000 Resource Kit: Group Policy
- Search on “Group Policy” and view the Best Bets results!

Slide 21: Further Information
- Contact Mandy Andress: mandy@arcsec.com
- References by Mandy Andress

