Presentation transcript: Security Policies and Procedures

1 Security Policies and Procedures

2 Objectives (cs490ns-cotter2)
• Define the security policy cycle
• Explain risk identification
• Design a security policy
  – Define types of security policies
• Define compliance monitoring and evaluation

3 Security Policy Cycle
1. Risk Analysis
   1. Asset Identification
   2. Threat Identification
   3. Vulnerability Appraisal
   4. Risk Assessment
2. Security Policy Generation
3. Compliance Monitoring and Evaluation

4 Risk Analysis
• The first step in the security policy cycle is to identify risks
• It involves four steps:
  – Inventory the assets
  – Determine what threats exist against the assets, and which threat agents pose them
  – Investigate whether vulnerabilities exist that can be exploited
  – Decide what to do about the risks

5 Asset Identification
• There are many different classes of assets
• Asset identifiers:
  – Asset name
  – Serial no.
  – Model no.
  – Date of purchase / version
  – Anything that helps to uniquely identify the asset

6 Asset Identification (cont)
• Relative value of the asset:
  – How critical is this asset to the organization?
  – Is it a profit generator?
  – Is it a revenue generator?
  – What is its replacement cost?
  – What is its protection cost?
  – How long would it take to replace?

7 Threat Identification
• Types of threats:
  – Hardware failures
  – Acts of God
  – Human error
  – Theft
  – Sabotage
  – Compromise of intellectual property
  – etc.

8 Attack Tree

9 Vulnerability Appraisal
• To help determine the vulnerabilities of hardware and software assets, use vulnerability scanners
• Examples:
  – Nessus
  – nmap
  – etc.

10 Risk Assessment
• Impact scale: No Impact, Small Impact, Significant Impact, Major Impact

11 Risk Assessment (cont)
• Formulas commonly used to calculate expected losses are:
  – Single Loss Expectancy (SLE)
  – Annualized Loss Expectancy (ALE)
• An organization has three options when confronted with a risk:
  – Accept the risk
  – Diminish the risk
  – Transfer the risk
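A worked calculation of the two formulas named on this slide and of the accept / diminish / transfer decision, as an added example that is not part of the original slides. It uses the standard definitions SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence (ARO), and it maps the exposure factor onto the four impact bands of the previous slide. The file-server asset, its threat figures, the impact-band thresholds and the cost figures for each option are all constructed for the example, and the rule of choosing the option with the lowest total annual cost (option cost plus residual ALE) is an assumed decision heuristic, not one stated on the slides.

```python
"""Risk assessment worked example: SLE, ALE and the accept / diminish / transfer choice.

Added example for this transcript; every figure below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    serial_no: str       # identifier recorded during asset identification
    value: float         # replacement cost, in currency units


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    exposure_factor: float   # fraction of the asset's value lost in one incident (0.0..1.0)
    aro: float               # annualized rate of occurrence: expected incidents per year


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = asset value x exposure factor (loss from a single incident)."""
    return risk.asset.value * risk.exposure_factor


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE = SLE x ARO (expected loss per year if nothing is done)."""
    return single_loss_expectancy(risk) * risk.aro


def impact_level(risk: Risk) -> str:
    """Map a risk onto the four impact bands of the Risk Assessment slide.

    The cut-offs (share of asset value lost per incident) are an assumption made
    for this example; the slide names the bands but gives no thresholds.
    """
    ef = risk.exposure_factor
    if ef <= 0.0:
        return "No Impact"
    if ef < 0.1:
        return "Small Impact"
    if ef < 0.5:
        return "Significant Impact"
    return "Major Impact"


@dataclass(frozen=True)
class Option:
    name: str            # "accept", "diminish" or "transfer"
    annual_cost: float   # yearly cost of the control or the insurance premium; 0 for accept
    residual_ale: float  # expected yearly loss that remains once the option is applied

    @property
    def total_annual_cost(self) -> float:
        return self.annual_cost + self.residual_ale


def build_options(risk: Risk, control_cost: float, control_aro: float,
                  premium: float, retained_fraction: float) -> list[Option]:
    """The three responses the slide lists.

    diminish: a control lowers the rate of occurrence to control_aro.
    transfer: insurance covers the loss except for retained_fraction of it.
    """
    ale = annualized_loss_expectancy(risk)
    return [
        Option("accept", 0.0, ale),
        Option("diminish", control_cost, single_loss_expectancy(risk) * control_aro),
        Option("transfer", premium, ale * retained_fraction),
    ]


def choose_option(options: list[Option]) -> Option:
    """Assumed decision rule: pick the lowest total annual cost (option cost + residual ALE)."""
    return min(options, key=lambda o: o.total_annual_cost)


# Constructed sample: a departmental file server threatened by hardware failure.
FILE_SERVER = Asset(name="dept-fileserver-01", serial_no="SN-EXAMPLE-0001", value=40_000.0)
FILE_SERVER_RISK = Risk(asset=FILE_SERVER, threat="hardware failure",
                        exposure_factor=0.25, aro=0.5)   # one failure every two years
FILE_SERVER_OPTIONS = build_options(
    FILE_SERVER_RISK,
    control_cost=1_200.0, control_aro=0.1,    # redundant disks and spares: one failure per decade
    premium=3_000.0, retained_fraction=0.2,   # insurance that leaves 20 % of each loss with us
)

if __name__ == "__main__":
    r = FILE_SERVER_RISK
    print(f"{r.asset.name}: SLE={single_loss_expectancy(r):,.0f} "
          f"ALE={annualized_loss_expectancy(r):,.0f} impact={impact_level(r)}")
    for o in FILE_SERVER_OPTIONS:
        print(f"  {o.name:<9} cost={o.annual_cost:>7,.0f} "
              f"residual ALE={o.residual_ale:>7,.0f} total={o.total_annual_cost:>7,.0f}")
    print("decision:", choose_option(FILE_SERVER_OPTIONS).name)
```

With the constructed figures the server's SLE is 10,000 and its ALE 5,000 per year; the control costs 1,200 plus a residual ALE of 1,000, the insurance 3,000 plus 1,000, so "diminish" wins. The same functions apply to any asset and threat pair from the inventory; what changes in practice is the quality of the exposure-factor and ARO estimates, which is where most of the uncertainty in such an assessment sits.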

12 Risk Identification (Summary)

13 Designing a Security Policy?
• A policy is a document that outlines specific requirements or rules that must be met
  – Has standard characteristics
  – Correct vehicle for an organization to use when establishing information security
• A standard is a collection of requirements specific to the system or procedure that must be met by everyone
• A guideline is a collection of suggestions that should be implemented

14 Balancing Control and Trust
• To create an effective security policy, two elements must be carefully balanced: trust and control
• Three models of trust:
  – Trust everyone all of the time
  – Trust no one at any time
  – Trust some people some of the time

15 Security Policies
• Requirements:
  – Must be possible to implement and enforce the policy
  – Must be concise and easy to understand
  – Must balance protection with productivity
• Recommendations:
  – Should state the reasons why the policy is needed
  – Should describe what is covered by the policy
  – Should outline how violations will be handled

16 Security Policy Team
• The team should have these representatives:
  – Senior-level administrator
  – Member of management who can enforce the policy
  – Member of the legal staff
  – Representative from the user community

17 Due Care
• Defined as the obligations imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them

18 Separation of Duties
• Means that one person's work serves as a complementary check on another person's
• No one person should have complete control over any action from initialization to completion

19 Need to Know
• One of the best methods to keep information confidential is to restrict who has access to that information
• Only an employee whose job function depends on knowing the information is provided access
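The two principles on the last two slides, separation of duties and need to know, are easiest to see as checks an application can enforce rather than as wording in a policy. The following is an added example, not code from the original slides: a payment workflow in which the person who initiates a payment can never be the one who approves it (even when one person holds both job functions), and a read check that grants access to a class of records only to the job functions whose work depends on it. The users, roles, record classes and payments are all constructed, and refusals are written to an audit log so that the later compliance-monitoring step has something to review.

```python
"""Separation of duties and need to know as enforceable checks.

Added example for this transcript; users, roles, record classes and payments are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset   # job functions this person holds


# Need to know: each class of record lists the job functions whose work depends on it.
# Anyone outside that set is refused, regardless of what else they are allowed to do.
NEED_TO_KNOW = {
    "payroll_records": frozenset({"payroll_clerk", "payroll_manager"}),
    "customer_pii": frozenset({"support_agent", "privacy_officer"}),
}


def may_read(user: User, record_class: str) -> bool:
    """Grant access only when one of the user's job functions needs this record class."""
    return bool(user.roles & NEED_TO_KNOW.get(record_class, frozenset()))


@dataclass
class PaymentWorkflow:
    """A payment is initiated by one person and approved by a different one.

    Two checks implement separation of duties:
      * initiation and approval require different job functions, and
      * the approver must not be the initiator, even if they hold both functions.
    Every refusal is appended to an audit log for compliance monitoring.
    """
    payments: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _deny(self, action: str, user: User, payment_id: str, reason: str) -> bool:
        self.audit_log.append(f"DENY {action} {payment_id} by {user.name}: {reason}")
        return False

    def initiate(self, user: User, payment_id: str, amount: float) -> bool:
        if "payroll_clerk" not in user.roles:
            return self._deny("initiate", user, payment_id, "not a payroll clerk")
        if payment_id in self.payments:
            return self._deny("initiate", user, payment_id, "duplicate payment id")
        self.payments[payment_id] = {"initiator": user.name, "amount": amount, "approver": None}
        return True

    def approve(self, user: User, payment_id: str) -> bool:
        payment = self.payments.get(payment_id)
        if payment is None:
            return self._deny("approve", user, payment_id, "unknown payment")
        if "payroll_manager" not in user.roles:
            return self._deny("approve", user, payment_id, "not a payroll manager")
        if payment["initiator"] == user.name:
            return self._deny("approve", user, payment_id,
                              "separation of duties: initiator cannot approve own payment")
        if payment["approver"] is not None:
            return self._deny("approve", user, payment_id, "already approved")
        payment["approver"] = user.name
        return True


# Constructed users
ALICE = User("alice", frozenset({"payroll_clerk"}))
BOB = User("bob", frozenset({"payroll_manager"}))
CAROL = User("carol", frozenset({"payroll_clerk", "payroll_manager"}))   # holds both functions
DAVE = User("dave", frozenset({"support_agent"}))


def run_scenario() -> PaymentWorkflow:
    """Exercise both controls; the returned workflow carries the outcomes and the audit log."""
    wf = PaymentWorkflow()
    wf.initiate(ALICE, "pay-001", 2_500.0)
    wf.approve(ALICE, "pay-001")    # refused: Alice is not a manager
    wf.approve(BOB, "pay-001")      # accepted: different person with the approving function
    wf.initiate(CAROL, "pay-002", 900.0)
    wf.approve(CAROL, "pay-002")    # refused: Carol initiated it herself
    wf.approve(BOB, "pay-002")      # accepted
    return wf


if __name__ == "__main__":
    wf = run_scenario()
    for entry in wf.audit_log:
        print(entry)
    for who, what in [(ALICE, "payroll_records"), (ALICE, "customer_pii"), (DAVE, "customer_pii")]:
        print(f"{who.name} may read {what}: {may_read(who, what)}")
```

The point of the Carol case is that role membership alone does not give separation of duties: a person may legitimately hold both the initiating and the approving function, so the check has to compare identities per transaction, not just roles. The need-to-know table is deliberately an allow-list keyed by record class; an unknown class grants nobody access, which is the safe default when the policy has not yet been written for a new kind of data.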

20 Acceptable Use Policy (AUP)
• Defines what actions users of a system may perform while using computing and networking equipment
• Should have an overview of what is covered by this policy
• Unacceptable use should also be outlined

21 Human Resource Policy
• Policies of the organization that address human resources
• Should include statements regarding how an employee's information technology resources will be handled:
  – When hired
  – When fired
  – For a leave of absence
  – For temporary promotions or transfers

22 Password Management Policy
• Although passwords often form the weakest link in information security, they are still the most widely used
• A password management policy should clearly address how passwords are managed
• In addition to controls that can be implemented through technology, users should be reminded of how to select and use passwords

23 Privacy Policy
• Privacy is of growing concern among today's consumers
• Organizations should have a privacy policy that outlines how the organization uses the information it collects

24 Disposal and Destruction Policy
• A disposal and destruction policy that addresses the disposal of resources is considered essential
• The policy should cover how long records and data will be retained
• It should also cover how to dispose of them

25 Compliance Monitoring and Evaluation
• The final process in the security policy cycle is compliance monitoring and evaluation
• Some of the most valuable analysis occurs when an attack penetrates the security defenses
• A team must respond to the initial attack and re-examine the security policies that address the vulnerability, to determine what changes need to be made to prevent its recurrence

26 Incident Response Policy
• Outlines the actions to be performed when a security breach occurs
• Most policies outline the composition of an incident response team (IRT)
• Should be composed of individuals from:
  – Senior management
  – IT personnel
  – Corporate counsel
  – Human resources
  – Public relations

27 Ethics Policy
• Codes of ethics published by external agencies have encouraged their membership to adhere to strict ethical behavior within their profession
• Codes of ethics for IT professionals are available from the Institute of Electrical and Electronics Engineers (IEEE) and the Association for Computing Machinery (ACM), among others
• The main purpose of an ethics policy is to state the values, principles, and ideals each member of an organization must agree to

28 Summary
• The security policy cycle defines the overall process for developing a security policy
• There are four steps in risk identification:
  – Inventory the assets and their attributes
  – Determine what threats exist
  – Investigate vulnerabilities
  – Make decisions regarding what to do about the risks

29 Summary (cont)
• A security policy development team should be formed to create the information security policy
• An incident response policy outlines the actions to be performed when a security breach occurs
• A policy addressing ethics can also be formulated by an organization
