Policies
CIT 380: Securing Computer Systems
Slide 1
Slide 2
- Codify successful security practices
  - Standards for backups
  - Standard anti-virus product throughout the organization
  - Encryption algorithm
- Platform independent
- Metric to determine if met

Slide 3
- Interpret standards for a particular environment.
- Recommendations
- Follow tested procedures or best practices
- Windows Server backups

Slide 4
- HIPAA
  - Medical Privacy: National Standards to Protect the Privacy of Personal Health Information
- Sarbanes-Oxley
  - Protection of financial and accounting information
- Federal Information Security Management Act (FISMA)
  - IT controls and auditing

Slide 5
- Have authority commensurate with responsibility
- Spaf's first principle of security administration:
  - If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.

Slide 6
- Be sure to know your security perimeter
- Laptops and PDAs
- Wireless networks
- Computers used at home
- Portable media
  - Flash drives, CDs, DVDs

Slide 7
- Perimeter defines what is within your control.
- Historically
  - Within walls of building or fences of campus.
  - Within router that connects to ISP.
- Modern perimeters are more complex
  - Laptops, PDAs.
  - USB keys, CDs, DVDs, portable HDs.
  - Wireless networks.
  - Home PCs that connect to your network.

Slide 8
1. Decide how important security is for your site.
2. Involve and educate your user community.
3. Devise a plan for making and storing backups of your system data.
4. Stay inquisitive and suspicious.

Slide 9
- Formulating policy is not enough by itself. It is important to determine regularly if the policy is being applied correctly, and if the policy is correct and sufficient.

Slide 10
- Audit your systems and personnel regularly.
- Audit failures may result from
  - Personnel shortcomings
    - Insufficient education or overwork
  - Material shortcomings
    - Insufficient resources or maintenance
  - Organizational shortcomings
    - Lack of authority, conflicting responsibilities
  - Policy shortcomings
    - Unforeseen risks, missing or conflicting policies

Slide 11
- In-house staff
- Full-time or part-time consultants
- Choosing a vendor
  - "Reformed hacker"

Slide 12
- Policy divides system into
  - Authorized (secure) states.
  - Unauthorized (insecure) states.
- Policy vs. Mechanism
  - Policy: describes what security is.
  - Mechanism: how security policy is enforced.
  - Written policy and enforced policy will differ.
  - Compliance audits look for those differences.
- Security Perimeter
  - Describes what is within your control.
  - Defense in depth: defend perimeter and inside.

Slide 13
1. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
2. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3/e, O'Reilly, 2003.
3. NKU, Acceptable Use Policy, http://it.nku.edu/itsecurity/docs/acceptableusepolicy.pdf, 2009.
4. SANS, SANS Security Policy Project, http://www.sans.org/resources/policies/