SlideShare une entreprise Scribd logo

Ch06 Policy

P
phanleson
Technologie
1  sur  43
Télécharger pour lire hors ligne
Lesson 6-Policy
Overview Understanding why policy is important. Defining various policies. Creating an appropriate policy. Deploying policies. Using policy effectively.
Understanding Why Policy is Important The two primary functions of a policy are: It defines the scope of security within an organization. It clearly states the expectations from everyone in the organization.
Understanding Why Policy is Important Policy defines how security should be implemented. It includes the system configurations, network configurations, and physical security measures. It defines the mechanisms used to protect information and systems. It defines how organizations should react when security incidents occur.
Understanding Why Policy is Important Policy provides the framework for employees to work together. It defines the common goals and objectives of the organization’s security program. Proper security awareness training helps implement policy initiatives effectively.
Defining Various Policies Information policy. Security policy. Computer use policy. Internet use policy. E-mail policy. User management procedures.
Defining Various Policies System administration procedures. Backup policy. Incident response policy. Configuration management procedures. Design methodology. Disaster recovery plans.
Information Policy Identification of sensitive information. Classifications. Marking and storing sensitive information. Transmission of sensitive information. Destruction of sensitive information.
Identification of Sensitive Information Sensitive information differs depending on the business of the organization. It may include business records, product designs, patent information, and company phone books. It may also include payroll, medical insurance, and any other financial information.
Classifications Only the lowest level of information should be made public. All proprietary, company sensitive, or company confidential information is releasable to employees. All restricted or protected information must be made available to authorized employees only.
Marking and Storing Sensitive Information The policy must mark all sensitive information. It should address the storage mechanism for information on paper or on computer systems. Incase of information stored on computer systems, the policy should specify appropriate levels of protection. Use encryption wherever required.
Transmission of Sensitive Information The policy addresses how sensitive information needs to be transmitted. It specifies the encryption method to be used while transmitting information through electronic mail. Incase of hardcopies of information, request a signed receipt.
Destruction of Sensitive Information To destroy sensitive information: Shred the information on paper. Use cross-cut shredders that provide an added level of protection. PGP desktop and BCWipe can be used to delete documents placed on a desktop.
Security Policy Identification and authentication. Access control. Audit. Network connectivity.
Security Policy Malicious code. Encryption. Waivers. Appendices.
Identification and Authentication The security policy defines how users will be identified. It defines the primary authentication mechanism for users and administrators. It defines stronger mechanism for remote access such as VPN or dial-in access.
Access Control The security policy defines the standard requirement for access control of electronic files. The requirement includes the required mechanism and the default requirements for new files. The mechanism should work with authentication mechanism to allow only authorized users to access the information.
Audit Security policies must frequently audit the following events: Logins (successful and failed). Logouts. Failed access to files or system objects. Remote access (successful and failed). Privileged actions. System events (such as shutdowns and reboots).
Audit Each event should also capture the following information: User ID (if there is one) Date and time Process ID (if there is one) Action performed Success or failure of the event
Network Connectivity The security policy specifies the rules for network connectivity and the protection mechanisms. It includes: Dial-in connections. Permanent connections. Remote access of internal systems. Wireless networks.
Malicious Code The security policy specifies where security programs that look for malicious code need to be placed. Some appropriate locations are file servers, desktop systems, and electronic mail servers. It should specify the requirements for security programs. It should require updates of signatures for such security programs on a periodic basis.
Encryption The security policy should define the acceptable encryption algorithms for use. It can refer to the information policy to choose the appropriate algorithms to protect sensitive information. It should also specify the procedures required for key management.
Waivers The security policy should provide a mechanism for risk assessment and formulating a contingency plan. For each situation, the system designer or project manager should fill a waiver form. The security department reviews the waiver request and provides risk assessment results and recommendations to minimize the risk. The waiver should be approved by the organization’s officer in charge of the project.
Appendices The security policy appendices should have details of: Security configurations for various operating systems. Network devices. Telecommunication equipments.
Computer Use Policy Ownership of computers - States that all computers are owned by the organization. Ownership of information - States that all information stored on or used by the organization’s computers is proprietary to the organization.
Computer Use Policy Acceptable use of computers - States all acceptable and unacceptable use of the organization’s computers. No expectation of privacy - States that the employee have no expectation of privacy for any information stored, sent, or received on the organization’s computers.
Internet Use Policy The Internet use policy is a part of the general computer use policy. It can be a separate policy due to the specific nature of the Internet use. The Internet use policy defines the appropriate uses of the Internet within an organization. It may also define inappropriate uses such as visiting non- business-related web sites.
E-mail Policy Internal mail issues - The electronic mail policy should not be in conflict with other human resource policies. External mail issues - Electronic mail leaving an organization may contain sensitive information. Therefore, it may be monitored.
User Management Procedures New employment procedure - Provides new employees with the proper access to computer resources. Transferred employee procedure - Reviews employee’s computer access when they are transferred within the organization. Employee termination procedure - Ensures removal of users who no longer work for the organization.
System Administration Procedure Software upgrades - Defines how often a system administrator will check for new patches or updates. Vulnerability scans - Defines how often and when the scans will be conducted by security. Policy reviews - Specifies the security requirements for each system.
System Administration Procedure Log reviews - Specifies configuration of automated tools that create log entries and how exceptions must be handled. Regular monitoring - Documents when network traffic monitoring will occur.
Backup Policy Frequency of backups - Identifies how often backups actually occur. Storage of backups - Defines how to store backups in a secure location. It also states the mechanism for requesting and restoring backups. Information to be backed up - Identifies which data needs to be backed up more frequently.
Incident Response Procedure Incident handling objectives - Specifies the objectives of the organization when handling an incident. Event identification - States corrective actions for an intrusion or user mistake. Escalation - Specifies an escalation procedure such as activating an incident response team. Information control - Specifies what information is classified and what can be made public.
Incident Response Procedure Response - Defines the type of response when an incident occurs. Authority - Defines which individual within the organization or the incident response team has the authority to take action. Documentation - Defines how the incident response team should document its actions. Testing of the procedure - Tests the IRP once it is written. It also identifies the loop holes in the procedure and suggests corrective actions.
Configuration Management Procedures Initial system state - Documents the state of a new system when it goes into production. It should include details of the operating system, version, patch level, application details, and configuration details. Change control procedure - Executes a change control procedure when a change is to be made to an existing system.
Design Methodology Requirements definition - Specifies the security requirements that need to be included during the requirement definition phase. Design - Specifies that security should be represented to ensure that the project is secured during the design phase. Test - Specifies that when the project reaches the testing phase, the security requirement should also be tested. Implementation - Specifies that the implementation team should use proper configuration management procedures.
Disaster Recovery Plans Single system or device failures - Includes a network device, disk, motherboard, network interface card, or component failure. Data center events - Provides procedures for a major event within a data center. Site events - Identifies the critical capabilities that need to be restored. Testing the DRP - Identifies key employees and performs walkthroughs of the plan periodically.
Creating an Appropriate Policy To create an appropriate policy: Identify which policies are most relevant and important to an organization. Conduct a risk assessment to identify risk areas. Define all acceptable and unacceptable employee behavior. State all restrictions clearly. Identify individuals and other stakeholders who will be affected by the policy. State expectations clearly.
Creating an Appropriate Policy To create an appropriate policy: Define a set of possible outlines. Draft the policy based on the outline. Include stakeholders during discussions and invite suggestions. Brainstorm before developing the final policy.
Deploying the Policy Every department of the organization that is affected by the policy must accept the underlying concept. Conduct security awareness training where employees are informed of the intended change. Make well-planned transitions rather than radical changes while implementing the policy.
Using Policy Effectively Identify security requirements early in the process. Security should be a part of the design phase of the project. Examine existing systems to ensure it is in compliance to new policies. Conduct periodic audits to ensure compliance with the policy. Review policies regularly to ensure they are still relevant for the organization.
Summary Policies define how security is implemented within an organization. Each policy must have a purpose, scope, and responsibility. An organization must establish information policy, security policy, computer use policy, Internet and e-mail policy, and a backup policy. An organization must also define user management, system administration, incident response, and configuration management procedures.
Summary The disaster recovery plan details recovery action for various levels of failures. While creating a policy ensure that it will be relevant and important to an organization. Involve stakeholders in policy discussions. Conduct security awareness trainings regularly. Include security issues at each development phase of a project.

Recommandé

Ch09 Information Security Best Practices
Ch09 Information Security Best PracticesCh09 Information Security Best Practices
Ch09 Information Security Best Practices
phanleson
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.com
phanleson
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
codka
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
Maganathin Veeraragaloo
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
 
Security Policies
Security PoliciesSecurity Policies
Security Policies
phanleson
 
Implementing security
Implementing securityImplementing security
Implementing security
Dhani Ahmad
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
primeteacher32
 

Recommandé

Ch09 Information Security Best Practices
Ch09 Information Security Best PracticesCh09 Information Security Best Practices
Ch09 Information Security Best Practices
phanleson
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.com
phanleson
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
codka
 
Domain 1 - Security and Risk Management
Domain 1 - Security and Risk ManagementDomain 1 - Security and Risk Management
Domain 1 - Security and Risk Management
Maganathin Veeraragaloo
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
Piyush Jain
 
Security Policies
Security PoliciesSecurity Policies
Security Policies
phanleson
 
Implementing security
Implementing securityImplementing security
Implementing security
Dhani Ahmad
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
primeteacher32
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKSRISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
Christina33713
 
Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management
Maganathin Veeraragaloo
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
Tammy Clark
 
Security policy
Security policySecurity policy
Security policy
Dhani Ahmad
 
Network security policies
Network security policiesNetwork security policies
Network security policies
Usman Mukhtar
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organization
Dan Morrill
 
Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standart
newbie2019
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber security
WGroup
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
Priyank Hada
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principles
Divya Tiwari
 
develop security policy
develop security policydevelop security policy
develop security policy
Info-Tech Research Group
 
Testing
TestingTesting
Testing
lorenceman
 
Network security and policies
Network security and policiesNetwork security and policies
Network security and policies
wardjo
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
Directorate of Information Security | Ditjen Aptika
 
Physical Security Management System
Physical Security Management SystemPhysical Security Management System
Physical Security Management System
Daniel Suchy, CPP, MSyI
 
The Importance of Security within the Computer Environment
The Importance of Security within the Computer EnvironmentThe Importance of Security within the Computer Environment
The Importance of Security within the Computer Environment
Adetula Bunmi
 
Guide for Applying The Risk Management Framework to Federal Information Systems
Guide for Applying The Risk Management Framework to Federal Information SystemsGuide for Applying The Risk Management Framework to Federal Information Systems
Guide for Applying The Risk Management Framework to Federal Information Systems
Guillermo Remache
 
It Audit And Forensics
It Audit And ForensicsIt Audit And Forensics
It Audit And Forensics
JED Consulting Services LLC
 
Information security management iso27001
Information security management iso27001Information security management iso27001
Information security management iso27001
Hiran Kanishka
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
Zefren Edior
 
Jdbc
JdbcJdbc
Jdbc
phanleson
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfs
phanleson
 

Contenu connexe

Tendances

Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
Tammy Clark
 
Network security policies
Network security policiesNetwork security policies
Network security policies
Usman Mukhtar
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber security
WGroup
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
Priyank Hada
 
develop security policy
develop security policydevelop security policy
develop security policy
Info-Tech Research Group
 
Network security and policies
Network security and policiesNetwork security and policies
Network security and policies
wardjo
 
Guide for Applying The Risk Management Framework to Federal Information Systems
Guide for Applying The Risk Management Framework to Federal Information SystemsGuide for Applying The Risk Management Framework to Federal Information Systems
Guide for Applying The Risk Management Framework to Federal Information Systems
Guillermo Remache
 

Tendances (20)

RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKSRISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
 
Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management Domain 5 - Identity and Access Management
Domain 5 - Identity and Access Management
 
Start With A Great Information Security Plan!
Start With A Great Information Security Plan!Start With A Great Information Security Plan!
Start With A Great Information Security Plan!
 
Security policy
Security policySecurity policy
Security policy
 
Network security policies
Network security policiesNetwork security policies
Network security policies
 
Understanding the security_organization
Understanding the security_organizationUnderstanding the security_organization
Understanding the security_organization
 
Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standart
 
Five principles for improving your cyber security
Five principles for improving your cyber securityFive principles for improving your cyber security
Five principles for improving your cyber security
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principles
 
develop security policy
develop security policydevelop security policy
develop security policy
 
Testing
TestingTesting
Testing
 
Network security and policies
Network security and policiesNetwork security and policies
Network security and policies
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
 
Physical Security Management System
Physical Security Management SystemPhysical Security Management System
Physical Security Management System
 
The Importance of Security within the Computer Environment
The Importance of Security within the Computer EnvironmentThe Importance of Security within the Computer Environment
The Importance of Security within the Computer Environment
 
Guide for Applying The Risk Management Framework to Federal Information Systems
Guide for Applying The Risk Management Framework to Federal Information SystemsGuide for Applying The Risk Management Framework to Federal Information Systems
Guide for Applying The Risk Management Framework to Federal Information Systems
 
It Audit And Forensics
It Audit And ForensicsIt Audit And Forensics
It Audit And Forensics
 
Information security management iso27001
Information security management iso27001Information security management iso27001
Information security management iso27001
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
 

En vedette

5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfs
phanleson
 
30 5 Database Jdbc
30 5 Database Jdbc30 5 Database Jdbc
30 5 Database Jdbc
phanleson
 
2.Public Vulnerability Databases
2.Public Vulnerability Databases2.Public Vulnerability Databases
2.Public Vulnerability Databases
phanleson
 
7.Canon & Dt
7.Canon & Dt7.Canon & Dt
7.Canon & Dt
phanleson
 
Ch20 Wireless Security
Ch20 Wireless SecurityCh20 Wireless Security
Ch20 Wireless Security
phanleson
 
Ch18 Internet Security
Ch18 Internet SecurityCh18 Internet Security
Ch18 Internet Security
phanleson
 
Ch07 Managing Risk
Ch07 Managing RiskCh07 Managing Risk
Ch07 Managing Risk
phanleson
 
Ch14 Desktop Protection
Ch14 Desktop ProtectionCh14 Desktop Protection
Ch14 Desktop Protection
phanleson
 
7.Trust Management
7.Trust Management7.Trust Management
7.Trust Management
phanleson
 
Ch12 Encryption
Ch12 EncryptionCh12 Encryption
Ch12 Encryption
phanleson
 

En vedette (14)

Jdbc
JdbcJdbc
Jdbc
 
5.Dns Rpc Nfs
5.Dns Rpc Nfs5.Dns Rpc Nfs
5.Dns Rpc Nfs
 
30 5 Database Jdbc
30 5 Database Jdbc30 5 Database Jdbc
30 5 Database Jdbc
 
2.Public Vulnerability Databases
2.Public Vulnerability Databases2.Public Vulnerability Databases
2.Public Vulnerability Databases
 
Thread
ThreadThread
Thread
 
Rmi
RmiRmi
Rmi
 
7.Canon & Dt
7.Canon & Dt7.Canon & Dt
7.Canon & Dt
 
Ch20 Wireless Security
Ch20 Wireless SecurityCh20 Wireless Security
Ch20 Wireless Security
 
Ch18 Internet Security
Ch18 Internet SecurityCh18 Internet Security
Ch18 Internet Security
 
Ch07 Managing Risk
Ch07 Managing RiskCh07 Managing Risk
Ch07 Managing Risk
 
Ch14 Desktop Protection
Ch14 Desktop ProtectionCh14 Desktop Protection
Ch14 Desktop Protection
 
Ch11 Vpn
Ch11 VpnCh11 Vpn
Ch11 Vpn
 
7.Trust Management
7.Trust Management7.Trust Management
7.Trust Management
 
Ch12 Encryption
Ch12 EncryptionCh12 Encryption
Ch12 Encryption
 

Similaire à Ch06 Policy

17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
abhichowdary16
 
Ch10 Conducting Audits
Ch10 Conducting AuditsCh10 Conducting Audits
Ch10 Conducting Audits
Information Technology
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdf
alokkesh
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
jenito21
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx
durantheseldine
 

Similaire à Ch06 Policy (20)

17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
HIPAA Safeguard Slides
HIPAA Safeguard SlidesHIPAA Safeguard Slides
HIPAA Safeguard Slides
 
Ch10 Conducting Audits
Ch10 Conducting AuditsCh10 Conducting Audits
Ch10 Conducting Audits
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdf
 
Cybersecurity Assessment Framework - Slideshare.pptx
Cybersecurity Assessment Framework - Slideshare.pptxCybersecurity Assessment Framework - Slideshare.pptx
Cybersecurity Assessment Framework - Slideshare.pptx
 
chapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crimechapter 3 ethics: computer and internet crime
chapter 3 ethics: computer and internet crime
 
R.a 1
R.a 1R.a 1
R.a 1
 
Risk Assessment
Risk AssessmentRisk Assessment
Risk Assessment
 
Data Security and Compliance in Enterprise Cloud Migration.pdf
Data Security and Compliance in Enterprise Cloud Migration.pdfData Security and Compliance in Enterprise Cloud Migration.pdf
Data Security and Compliance in Enterprise Cloud Migration.pdf
 
internet securityand cyber law Unit3 1
internet securityand cyber law Unit3 1internet securityand cyber law Unit3 1
internet securityand cyber law Unit3 1
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptx
 
How to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docxHow to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docx
 
How to Secure Your Enterprise Network.pdf
How to Secure Your Enterprise Network.pdfHow to Secure Your Enterprise Network.pdf
How to Secure Your Enterprise Network.pdf
 
How to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docxHow to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docx
 
CS-1,2.pdf
CS-1,2.pdfCS-1,2.pdf
CS-1,2.pdf
 
File000169
File000169File000169
File000169
 
SOC 2 Certification Unveiled: Understanding the Core Principles
SOC 2 Certification Unveiled: Understanding the Core PrinciplesSOC 2 Certification Unveiled: Understanding the Core Principles
SOC 2 Certification Unveiled: Understanding the Core Principles
 
SDET UNIT 5.pptx
SDET UNIT 5.pptxSDET UNIT 5.pptx
SDET UNIT 5.pptx
 
Unit Iii
Unit IiiUnit Iii
Unit Iii
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx
 

Plus de phanleson

Lecture 1 - Getting to know XML
Lecture 1 - Getting to know XMLLecture 1 - Getting to know XML
Lecture 1 - Getting to know XML
phanleson
 

Plus de phanleson (20)

Learning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with SparkLearning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with Spark
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
 
Authentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless ProtocolsAuthentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless Protocols
 
E-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server AttacksE-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server Attacks
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
HBase In Action - Chapter 04: HBase table design
HBase In Action - Chapter 04: HBase table designHBase In Action - Chapter 04: HBase table design
HBase In Action - Chapter 04: HBase table design
 
HBase In Action - Chapter 10 - Operations
HBase In Action - Chapter 10 - OperationsHBase In Action - Chapter 10 - Operations
HBase In Action - Chapter 10 - Operations
 
Hbase in action - Chapter 09: Deploying HBase
Hbase in action - Chapter 09: Deploying HBaseHbase in action - Chapter 09: Deploying HBase
Hbase in action - Chapter 09: Deploying HBase
 
Learning spark ch11 - Machine Learning with MLlib
Learning spark ch11 - Machine Learning with MLlibLearning spark ch11 - Machine Learning with MLlib
Learning spark ch11 - Machine Learning with MLlib
 
Learning spark ch10 - Spark Streaming
Learning spark ch10 - Spark StreamingLearning spark ch10 - Spark Streaming
Learning spark ch10 - Spark Streaming
 
Learning spark ch09 - Spark SQL
Learning spark ch09 - Spark SQLLearning spark ch09 - Spark SQL
Learning spark ch09 - Spark SQL
 
Learning spark ch07 - Running on a Cluster
Learning spark ch07 - Running on a ClusterLearning spark ch07 - Running on a Cluster
Learning spark ch07 - Running on a Cluster
 
Learning spark ch06 - Advanced Spark Programming
Learning spark ch06 - Advanced Spark ProgrammingLearning spark ch06 - Advanced Spark Programming
Learning spark ch06 - Advanced Spark Programming
 
Learning spark ch05 - Loading and Saving Your Data
Learning spark ch05 - Loading and Saving Your DataLearning spark ch05 - Loading and Saving Your Data
Learning spark ch05 - Loading and Saving Your Data
 
Learning spark ch04 - Working with Key/Value Pairs
Learning spark ch04 - Working with Key/Value PairsLearning spark ch04 - Working with Key/Value Pairs
Learning spark ch04 - Working with Key/Value Pairs
 
Learning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with SparkLearning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with Spark
 
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about LibertagiaHướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
 
Lecture 1 - Getting to know XML
Lecture 1 - Getting to know XMLLecture 1 - Getting to know XML
Lecture 1 - Getting to know XML
 
Lecture 4 - Adding XTHML for the Web
Lecture 4 - Adding XTHML for the WebLecture 4 - Adding XTHML for the Web
Lecture 4 - Adding XTHML for the Web
 

Dernier

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Dernier (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Ch06 Policy

  • 2. Overview Understanding why policy is important. Defining various policies. Creating an appropriate policy. Deploying policies. Using policy effectively.
  • 3. Understanding Why Policy is Important The two primary functions of a policy are: It defines the scope of security within an organization. It clearly states the expectations from everyone in the organization.
  • 4. Understanding Why Policy is Important Policy defines how security should be implemented. It includes the system configurations, network configurations, and physical security measures. It defines the mechanisms used to protect information and systems. It defines how organizations should react when security incidents occur.
  • 5. Understanding Why Policy is Important Policy provides the framework for employees to work together. It defines the common goals and objectives of the organization’s security program. Proper security awareness training helps implement policy initiatives effectively.
  • 6. Defining Various Policies Information policy. Security policy. Computer use policy. Internet use policy. E-mail policy. User management procedures.
  • 7. Defining Various Policies System administration procedures. Backup policy. Incident response policy. Configuration management procedures. Design methodology. Disaster recovery plans.
  • 8. Information Policy Identification of sensitive information. Classifications. Marking and storing sensitive information. Transmission of sensitive information. Destruction of sensitive information.
  • 9. Identification of Sensitive Information Sensitive information differs depending on the business of the organization. It may include business records, product designs, patent information, and company phone books. It may also include payroll, medical insurance, and any other financial information.
  • 10. Classifications Only the lowest level of information should be made public. All proprietary, company sensitive, or company confidential information is releasable to employees. All restricted or protected information must be made available to authorized employees only.
  • 11. Marking and Storing Sensitive Information The policy must mark all sensitive information. It should address the storage mechanism for information on paper or on computer systems. Incase of information stored on computer systems, the policy should specify appropriate levels of protection. Use encryption wherever required.
  • 12. Transmission of Sensitive Information The policy addresses how sensitive information needs to be transmitted. It specifies the encryption method to be used while transmitting information through electronic mail. Incase of hardcopies of information, request a signed receipt.
  • 13. Destruction of Sensitive Information To destroy sensitive information: Shred the information on paper. Use cross-cut shredders that provide an added level of protection. PGP desktop and BCWipe can be used to delete documents placed on a desktop.
  • 14. Security Policy Identification and authentication. Access control. Audit. Network connectivity.
  • 16. Identification and Authentication The security policy defines how users will be identified. It defines the primary authentication mechanism for users and administrators. It defines stronger mechanism for remote access such as VPN or dial-in access.
  • 17. Access Control The security policy defines the standard requirement for access control of electronic files. The requirement includes the required mechanism and the default requirements for new files. The mechanism should work with authentication mechanism to allow only authorized users to access the information.
  • 18. Audit Security policies must frequently audit the following events: Logins (successful and failed). Logouts. Failed access to files or system objects. Remote access (successful and failed). Privileged actions. System events (such as shutdowns and reboots).
  • 19. Audit Each event should also capture the following information: User ID (if there is one) Date and time Process ID (if there is one) Action performed Success or failure of the event
  • 20. Network Connectivity The security policy specifies the rules for network connectivity and the protection mechanisms. It includes: Dial-in connections. Permanent connections. Remote access of internal systems. Wireless networks.
  • 21. Malicious Code The security policy specifies where security programs that look for malicious code need to be placed. Some appropriate locations are file servers, desktop systems, and electronic mail servers. It should specify the requirements for security programs. It should require updates of signatures for such security programs on a periodic basis.
  • 22. Encryption The security policy should define the acceptable encryption algorithms for use. It can refer to the information policy to choose the appropriate algorithms to protect sensitive information. It should also specify the procedures required for key management.
  • 23. Waivers The security policy should provide a mechanism for risk assessment and formulating a contingency plan. For each situation, the system designer or project manager should fill a waiver form. The security department reviews the waiver request and provides risk assessment results and recommendations to minimize the risk. The waiver should be approved by the organization’s officer in charge of the project.
  • 24. Appendices The security policy appendices should have details of: Security configurations for various operating systems. Network devices. Telecommunication equipments.
  • 25. Computer Use Policy Ownership of computers - States that all computers are owned by the organization. Ownership of information - States that all information stored on or used by the organization’s computers is proprietary to the organization.
  • 26. Computer Use Policy Acceptable use of computers - States all acceptable and unacceptable use of the organization’s computers. No expectation of privacy - States that the employee have no expectation of privacy for any information stored, sent, or received on the organization’s computers.
  • 27. Internet Use Policy The Internet use policy is a part of the general computer use policy. It can be a separate policy due to the specific nature of the Internet use. The Internet use policy defines the appropriate uses of the Internet within an organization. It may also define inappropriate uses such as visiting non- business-related web sites.
  • 28. E-mail Policy Internal mail issues - The electronic mail policy should not be in conflict with other human resource policies. External mail issues - Electronic mail leaving an organization may contain sensitive information. Therefore, it may be monitored.
  • 29. User Management Procedures New employment procedure - Provides new employees with the proper access to computer resources. Transferred employee procedure - Reviews employee’s computer access when they are transferred within the organization. Employee termination procedure - Ensures removal of users who no longer work for the organization.
  • 30. System Administration Procedure Software upgrades - Defines how often a system administrator will check for new patches or updates. Vulnerability scans - Defines how often and when the scans will be conducted by security. Policy reviews - Specifies the security requirements for each system.
  • 31. System Administration Procedure Log reviews - Specifies configuration of automated tools that create log entries and how exceptions must be handled. Regular monitoring - Documents when network traffic monitoring will occur.
  • 32. Backup Policy Frequency of backups - Identifies how often backups actually occur. Storage of backups - Defines how to store backups in a secure location. It also states the mechanism for requesting and restoring backups. Information to be backed up - Identifies which data needs to be backed up more frequently.
  • 33. Incident Response Procedure Incident handling objectives - Specifies the objectives of the organization when handling an incident. Event identification - States corrective actions for an intrusion or user mistake. Escalation - Specifies an escalation procedure such as activating an incident response team. Information control - Specifies what information is classified and what can be made public.
  • 34. Incident Response Procedure Response - Defines the type of response when an incident occurs. Authority - Defines which individual within the organization or the incident response team has the authority to take action. Documentation - Defines how the incident response team should document its actions. Testing of the procedure - Tests the IRP once it is written. It also identifies the loop holes in the procedure and suggests corrective actions.
  • 35. Configuration Management Procedures Initial system state - Documents the state of a new system when it goes into production. It should include details of the operating system, version, patch level, application details, and configuration details. Change control procedure - Executes a change control procedure when a change is to be made to an existing system.
  • 36. Design Methodology Requirements definition - Specifies the security requirements that need to be included during the requirement definition phase. Design - Specifies that security should be represented to ensure that the project is secured during the design phase. Test - Specifies that when the project reaches the testing phase, the security requirement should also be tested. Implementation - Specifies that the implementation team should use proper configuration management procedures.
  • 37. Disaster Recovery Plans Single system or device failures - Includes a network device, disk, motherboard, network interface card, or component failure. Data center events - Provides procedures for a major event within a data center. Site events - Identifies the critical capabilities that need to be restored. Testing the DRP - Identifies key employees and performs walkthroughs of the plan periodically.
  • 38. Creating an Appropriate Policy To create an appropriate policy: Identify which policies are most relevant and important to an organization. Conduct a risk assessment to identify risk areas. Define all acceptable and unacceptable employee behavior. State all restrictions clearly. Identify individuals and other stakeholders who will be affected by the policy. State expectations clearly.
  • 39. Creating an Appropriate Policy To create an appropriate policy: Define a set of possible outlines. Draft the policy based on the outline. Include stakeholders during discussions and invite suggestions. Brainstorm before developing the final policy.
  • 40. Deploying the Policy Every department of the organization that is affected by the policy must accept the underlying concept. Conduct security awareness training where employees are informed of the intended change. Make well-planned transitions rather than radical changes while implementing the policy.
  • 41. Using Policy Effectively Identify security requirements early in the process. Security should be a part of the design phase of the project. Examine existing systems to ensure it is in compliance to new policies. Conduct periodic audits to ensure compliance with the policy. Review policies regularly to ensure they are still relevant for the organization.
  • 42. Summary Policies define how security is implemented within an organization. Each policy must have a purpose, scope, and responsibility. An organization must establish information policy, security policy, computer use policy, Internet and e-mail policy, and a backup policy. An organization must also define user management, system administration, incident response, and configuration management procedures.
  • 43. Summary The disaster recovery plan details recovery action for various levels of failures. While creating a policy ensure that it will be relevant and important to an organization. Involve stakeholders in policy discussions. Conduct security awareness trainings regularly. Include security issues at each development phase of a project.