SECURITY POLICIES Indu Ramachandran. Outline General idea/Importance of security policies When security policies should be developed Who should be involved.

Slide 1: SECURITY POLICIES
Indu Ramachandran

Slide 2: Outline
- General idea/importance of security policies
- When security policies should be developed
- Who should be involved in this process
- Cost of security policies
- Available resources
- Security policies in detail
- Failure of security policies
- After the security policy is written

Slide 3: About Security Policies
- Increased level of threats
- Organization's attitude towards security policies
- Establishing standards
- More than just "keeping the bad guys out"!
- Management and security policy
- Policies, not procedures!!

Slide 4: Importance of Security Policies
- Establishes standards
- Provides basic guidelines
- Defines appropriate behavior
- Helps against being sued

Slide 5: Aspects of Security
- Traditional ideas of security
- Revised security aspects
- Confidentiality: protect objects from unauthorized release/use of information
- Integrity: preserve objects / avoid unauthorized modification

Slide 6: When should policies be developed?
- Ideal scenario: often not the case
- After a security breach
- To mitigate liability
- For document compliance
- To demonstrate quality control processes
- Customer/client requirements

Slide 7: Who should be involved?
- Basically EVERYONE!!!!!
- System users
- System support personnel
- Managers
- Business lawyers

Slide 8: Importance of Involving Management
- Funding and commitment
- Leadership
- Authority
- Responsibility/support

Slide 9: Do you need security policies??
Questions to answer this question...
- Do workers at your organization handle information that is confidential?
- Do workers at your organization access the Internet?
- Does your organization have trade secrets?
- Custom questions to suit you!!

Slide 10: The Security Cost Function
- Cost for security: exponential increase
- Trade-off between the cost for security and the cost of violations
- Formula for calculating cost: Total cost for violations = Cost for a single violation x frequency of the violation

Slide 11: GOOD NEWS!!!! You are not on your own!!!
Internet resources:
- The SANS Institute
- NIST (National Institute of Standards and Technology)
- RFCs
- Universities

Slide 12: Resources (cont'd)
Books:
- Guide for Developing Security Policies for Information Technology Systems
- Information Security Policies Made Easy (around 1360+ security templates; used by several large organizations)
Training sessions:
- SANS Institute

Slide 13: Types of security policies
Administrative security policy. Examples of administrative security policies:
- Users must change their password each quarter
- Employees must not use dial-out modems from their desktops
Technical security policies. Examples:
- The server will be configured to expire passwords each quarter
- Accounts must initiate a lockout after four unsuccessful attempts to log in
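The distinction on this slide is that an administrative policy tells people what to do, while a technical policy is enforced by the system whether or not people remember. As an added example (not part of the presentation), the two technical policies above are written out as the enforcement logic a login server would run: passwords expire after one quarter (taken here as 90 days, an assumption), and an account locks after four unsuccessful attempts. The `Account` structure, the function names and the sample scenario are constructed for illustration.

```python
"""Added example: the technical policies from the slide as enforcement logic.

Not from the slides. Thresholds follow the slide text; the 90-day quarter,
the Account record and the sample scenario are assumptions made here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PASSWORD_MAX_AGE = timedelta(days=90)   # "each quarter", assumed to be 90 days
LOCKOUT_THRESHOLD = 4                   # "after four unsuccessful attempts"


@dataclass
class Account:
    """Minimal account record (hypothetical): what the server needs to apply both rules."""
    username: str
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def password_expired(acct: Account, now: datetime) -> bool:
    """Technical policy 1: the server, not the user, decides when a password is too old."""
    return now - acct.password_set_at >= PASSWORD_MAX_AGE


def record_login(acct: Account, success: bool) -> str:
    """Technical policy 2: apply the lockout rule to one authentication attempt.

    Returns "ok", "denied" or "locked" so the caller can see which branch
    the policy took. Once locked, every further attempt is refused regardless
    of the credential presented; a successful login resets the counter.
    """
    if acct.locked:
        return "locked"
    if success:
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
        return "locked"
    return "denied"


def evaluate_login(acct: Account, success: bool, now: datetime) -> str:
    """Combine both rules: lockout first, then password age.

    A correct password that is older than the limit yields "expired", so the
    server can force a change instead of silently granting access.
    """
    outcome = record_login(acct, success)
    if outcome == "ok" and password_expired(acct, now):
        return "expired"
    return outcome


def run_sample() -> list[str]:
    """Constructed scenario: four bad attempts on one account, then a good one;
    a correct but 120-day-old password on another."""
    now = datetime(2024, 4, 1)
    alice = Account("alice", password_set_at=now - timedelta(days=10))
    bob = Account("bob", password_set_at=now - timedelta(days=120))
    results = [evaluate_login(alice, False, now) for _ in range(4)]
    results.append(evaluate_login(alice, True, now))   # right password, but already locked
    results.append(evaluate_login(bob, True, now))     # right password, but expired
    return results


if __name__ == "__main__":
    print(run_sample())
```

Running `run_sample()` gives three `denied` results, then `locked` on the fourth failure, `locked` again for the later correct password, and `expired` for the account whose password is 120 days old. The lock here is permanent for clarity; production systems normally add a timed or administrator unlock, and the policy text should state which, since that detail decides how much a locked account costs the help desk versus how much it slows a password-guessing attempt.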

Slide 14: What is in a security policy
Three categories. First category: Parameters section
- Introduction
- Audience
- Definitions

Slide 15: What is in a security policy (cont'd)
The second category:
- Risk assessments
  - When this should be done
  - Benefits
  - Who should do this
- Identifying assets
- Threats to assets

Slide 16: What is in a security policy (cont'd)
The third category:
- Actual policies
Examples of policies:
- Physical security

Slide 17: Examples of policies (cont'd)
- Authentication
- Password policy
- Remote access policy
- The modem issue

Slide 18: Examples of policies (cont'd)
- Acceptable use policy: examples of AU policies at http://www.eff.org/pub/CAF/policies
- Other policies: examples of policies as well as their templates on the SANS website, http://www.sans.org/resources/policies/

Slide 19: What makes a good security policy
- Must be usable
- Must communicate clearly
- Must not impede/interfere with business
- Enforceable
- Updated regularly
- Other factors: interests, laws

Slide 20: Problems with Security Policies
- Increase in tension level
- Security needs viewed differently
- Too restrictive/hard to implement
- Impediments to productivity

Slide 21: Conflict and Politics
- Management concentrates on goals for the company
- Technical personnel's agenda
- So what happens??? What do you do???

Slide 22: Information Security Management Committee
- Bridge the gap
- Committee composition
- Responsibilities of the committee

Slide 23: Real-world problems caused by missing policies
- At a government agency...
- At a local newspaper...

Slide 24: Why Security Policies Fail
- Security is a barrier to progress: perceived to have zero benefit; obstacles/impediments to productivity
- Security is a learned behavior, not instinct
- Value of assets not taken seriously

Slide 25: Why Security Policies Fail (cont'd)
- Complexity: security work is never finished
- Failure to review
- Other reasons: lack of stakeholder support; organizational politics

Slide 26: Compliance & Enforcement
- Training
- Testing and effectiveness of the policy
- Monitoring
- Taking action

Slide 27: Review
- The Policy Review Committee
- Good representation
- Frequency of review meetings
- Responsibilities
- What to review

Slide 28: References
- Barham, Scott. Writing Information Security Policies.
- http://dmoz.org/Computers/Security/Policy/Sample_Policies/
- http://www.netiq.com/products/pub/ispme_realproblems.asp
- http://www.sans.org/rr/policy/policy.php
- http://www.networknews.co.uk/Features/1138373
- http://irm.cit.nih.gov/security/sec_policy.html
- http://www.cisco.com/warp/public/126/secpol.html
