Presentation is loading. Please wait.

Presentation is loading. Please wait.

Policies CIT 380: Securing Computer SystemsSlide #1.

Published byEthan Leonard Modified over 9 years ago

Similar presentations

Presentation on theme: "Policies CIT 380: Securing Computer SystemsSlide #1."— Presentation transcript:

1 Policies CIT 380: Securing Computer SystemsSlide #1

2  http://it.nku.edu/itsecurity/docs/acceptableus epolicy.pdf http://it.nku.edu/itsecurity/docs/acceptableus epolicy.pdf CIT 380: Securing Computer Systems2

3  Confidentiality  Integrity  Availability CIT 380: Securing Computer Systems3

4  Keeping information secret  Bank records  Medical records  Student records  Personally identifiable information CIT 380: Securing Computer Systems4

5  Accuracy and reliability of information  You are charged correctly for a purchase  Your bank balance is correct  You register for the correct class CIT 380: Securing Computer Systems5

6  Reliable and timely access  Email is accessible  Can access airline reservation system CIT 380: Securing Computer Systems6

7  National Defense  Confidentiality  Banking  Integrity CIT 380: Securing Computer Systems7

8 1. Planning to address security needs. 2. Risk assessment. 3. Crafting policies to reflect risks and needs. 4. Implementing security. 5. Audit and incident response. CIT 380: Securing Computer SystemsSlide #8

9  Security professionals generally don’t refer to a computer system as being “secure” or “unsecure.”  Trust – level of confidence that a computer system will behave as expected. CIT 380: Securing Computer Systems9

10 1. Identify assets and their value 2. Identify risk to assets 3. Calculate risk CIT 380: Securing Computer Systems10

11 1. What assets are you trying to protect? 2. What are the risks to those assets? 3. How well does each potential security solution mitigate those risks? 4. What other risks does the security solutions impose on me? 5. What costs and trade-offs do the security solutions create? CIT 380: Securing Computer SystemsSlide #11

12  Home computer system  Laptop  E-commerce web server  NKU computer systems CIT 380: Securing Computer Systems12

13 Tangibles  Computers  Data  Backups  Printouts  Software media  HR records Intangibles  Privacy  Passwords  Reputation  Goodwill  Performance CIT 380: Securing Computer SystemsSlide #13

14  Home computer system  Laptop  E-commerce web server  NKU computer systems CIT 380: Securing Computer Systems14

15  Loss of key personnel  Loss of key vendor or service provider  Loss of power  Loss of phone / network  Theft of laptops, USB keys, backups  Introduction of malware  Hardware failure  Software bugs  Network attacks CIT 380: Securing Computer SystemsSlide #15

16  Cost-Benefit Analysis  Cost of Loss  Probability of Loss  Cost of Prevention  Levels of importance  High, Medium, Low  Best Practices CIT 380: Securing Computer Systems16

17 Cost of a Loss  Direct cost of lost hardware.  Cost of idle labor during outage.  Cost of time to recover.  Cost to reputation. Probability of a Loss  Insurance/power companies have some stats.  Records of past experience. Cost of Prevention  Remember that most risks cannot be eliminated. CIT 380: Securing Computer SystemsSlide #17

18 Update your risks regularly  Business, technology changes alter risks. Too many risks to defend against.  Rank risks to decide which ones to mitigate.  Insure against some risks.  Accept other risks. CIT 380: Securing Computer SystemsSlide #18

19  Risk Analysis is difficult and uncertain.  Follow best practices or due care  Firewall require as insurance co. due care.  Update patches, anti-virus.  Organizations differ in what they need.  Combine best practices + risk analysis. CIT 380: Securing Computer SystemsSlide #19

20  Security is not free.  MBA’s understand cost and benefits  MBA’s mistrust technology CIT 380: Securing Computer Systems20

21  Policy helps to define what you consider to be valuable, and it specifies which steps should be taken to safeguard those assets. CIT 380: Securing Computer Systems21

22 1. What is being protected 2. Who is responsible 3. Provides ground on which to interpret and resolve later conflicts. CIT 380: Securing Computer Systems22

23  Should be general and change little over time.  How does the NKU Acceptable Use Policy for Technology Resources meet these roles? CIT 380: Securing Computer SystemsSlide #23

24 Security policy partitions system states into:  Authorized (secure) ▪ These are states the system is allowed to enter.  Unauthorized (nonsecure) ▪ If the system enters any of these states, it’s a security violation. Secure system  Starts in authorized state.  Never enters unauthorized state. CIT 380: Securing Computer SystemsSlide #24

25 Security Policy  Statement that divides system into authorized and unauthorized states. Mechanism  Entity or procedure that enforces some part of a security policy. CIT 380: Securing Computer SystemsSlide #25

26  Assign an owner  Be positive  People respond better to do than don’t.  Remember that employees are people too  They will make mistakes  They value privacy  Concentrate on education  Standards for training and retraining CIT 380: Securing Computer Systems26

27  Privacy  Change control  Employment agreement, ethics  Internet acceptable use  Remote access  Outsourcing  Access control  Data classification CIT 380: Securing Computer Systems27

28  Codify successful security practices  Standards for backups  Standard anti-virus product throughout the organization  Encryption algorithm  Platform independent  Metric to determine if met CIT 380: Securing Computer Systems28

29  Interpret standards for a particular environment.  Recommendations  Follow tested procedures or best practices  Window Server backups CIT 380: Securing Computer Systems29

30  HIPAA  Medical Privacy - National Standards to Protect the Privacy of Personal Health Information  Sarbanes Oxley  Protecting of financial and accounting information  Federal Information Security Management Act (FISMA)  IT controls and auditing CIT 380: Securing Computer Systems30

31  Have authority commensurate with responsibility  Spaf’s first principle of security administration:  If you have responsibility for security, but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong. CIT 380: Securing Computer Systems31

32  Be sure to know you security perimeter  Laptops and PDAs  Wireless networks  Computer used at home  Portable media ▪ Flash drives, CDs, DVDs CIT 380: Securing Computer Systems32

33  Perimeter defines what is within your control.  Historically  Within walls of building or fences of campus.  Within router that connects to ISP.  Modern perimeters are more complex  Laptops, PDAs.  USB keys, CDs, DVDs, portable HDs.  Wireless networks.  Home PCs that connect to your network. CIT 380: Securing Computer SystemsSlide #33

34 1. Decide how important security is for your site. 2. Involve and educate your user community. 3. Devise a plan for making and storing backups of your system data. 4. Stay inquisitive and suspicious. CIT 380: Securing Computer Systems34

35  Formulating policy is not enough by itself. It is important to determine regularly if the policy is being applied correctly, and if the policy is correct and sufficient. CIT 380: Securing Computer Systems35

36  Audit your systems and personnel regularly.  Audit failures may result from  Personnel shortcomings ▪ Insufficient education or overwork  Material shortcomings ▪ Insufficient resources or maintenance  Organizational shortcomings ▪ Lack of authority, conflicting responsibilities  Policy shortcomings ▪ Unforeseen risks, missing or conflicting policies CIT 380: Securing Computer SystemsSlide #36

37  In-house staff  Full-time or part-time consultants  Choosing a vendor ▪ “Reformed hacker” CIT 380: Securing Computer Systems37

38  Policy divides system into  Authorized (secure) states.  Unauthorized (insecure) states.  Policy vs Mechanism  Policy: describes what security is.  Mechanism: how security policy is enforced.  Written policy and enforced policy will differ.  Compliance audits look for those differences.  Security Perimeter  Describes what is within your control.  Defense in depth: defend perimeter and inside. CIT 380: Securing Computer SystemsSlide #38

39 1. Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005. 2. Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical UNIX and Internet Security, 3/e O’Reilly, 2003. 3. NKU, Acceptable Use Policy, http://it.nku.edu/itsecurity/docs/acceptabl eusepolicy.pdf, 2009. http://it.nku.edu/itsecurity/docs/acceptabl eusepolicy.pdf 4. SANS, SANS Security Policy Project, http://www.sans.org/resources/policies/ CIT 380: Securing Computer SystemsSlide #39

Download ppt "Policies CIT 380: Securing Computer SystemsSlide #1."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 25 & 27 November 2013.
2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.
Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.

Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
HIPAA Security Standards What’s happening in your office?

HIPAA Security Standards What’s happening in your office?
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Policies.
Information Security Policies and Standards

Information Security Policies and Standards
Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.

Personal Data Protection and Security Measures Justin Law IT Services - Information Security Team 18, 20 & 25 March 2015.
Introducing Computer and Network Security

Introducing Computer and Network Security
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
©2011 Kingston Technology Corporation. All rights reserved. All trademarks and registered trademarks are the property of their respective owners. Best.

©2011 Kingston Technology Corporation. All rights reserved. All trademarks and registered trademarks are the property of their respective owners. Best.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Similar presentations

Ads by Google