NETWORK SECURITY
Presentation
Members
• Usman Mukhtar -046
• Anas Faheem -018
• Umair Mehmood -047
• Qasim Zaman -050
• Shahbaz Khan -030
Policies and Regulation in Network Security
• Semester: BS(IT) 6th
• Submitted to: Sir Kashif Nisar
University of Gujrat
The challenges before us
• Define security policies and standards
• Measure actual security against policy
• Report violations to policy
• Correct violations to conform with policy
• Summarize policy compliance for the organization
The Foundation of Information Security
The Information Security Functions
Managing Information Security
Policies
What are policies, and what is the purpose of policies?
The Purpose
Provide a framework for the management of security across the enterprise.
Definitions
• Policies
– High-level statements that provide guidance to workers who must make present and future decisions
• Standards
– Requirement statements that provide specific technical specifications
• Guidelines
– Optional but recommended specifications
Security Policy
• Access to network resources will be granted through a unique user ID and password.
• Passwords should include one non-alpha character and not be found in a dictionary.
• Passwords will be 8 characters long.
Elements of Policies
• Set the tone of Management
• Establish roles and responsibility
• Define asset classifications
• Provide direction for decisions
• Establish the scope of authority
• Provide a basis for guidelines and procedures
• Establish accountability
• Describe appropriate use of assets
• Establish relationships to legal requirements
Policies should……
Clearly identify and define the information security goals and the goals of the university.
[Figure: Info Security Policy Lifecycle; labels in the diagram: Cabinet, Goals, IS Goals, Policy, Standards, Procedures, Guidelines, Awareness, Actions]
The Ten-Step Approach
Step 1 – Collect Background Information
• Obtain existing policies
– Creighton's
– Others
• Identify what levels of control are needed
• Identify who should write the policies
Step 2 – Perform Risk Assessment
• Justify the Policies with Risk Assessment
– Identify the critical functions
– Identify the critical processes
– Identify the critical data
– Assess the vulnerabilities
Step 3 – Create a Policy Review Board
• The Policy Development Process
– Write the initial “Draft”
– Send to the Review Board for Comments
– Incorporate Comments
– Resolve Issues Face-to-Face
– Submit “Draft” Policy to Cabinet for Approval
Step 4 – Develop the Information Security Plan
• Establish goals
• Define roles
• Define responsibilities
• Notify the user community as to the direction
• Establish a basis for compliance, risk assessment, and audit of information security
Step 5 – Develop Information Security Policies, Standards, and Guidelines
• Policies
– High-level statements that provide guidance to workers who must make present and future decisions
• Standards
– Requirement statements that provide specific technical specifications
• Guidelines
– Optional but recommended specifications
Step 6 – Implement Policies and Standards
• Distribute policies.
• Obtain agreement with policies before accessing Creighton systems.
• Implement controls to meet or enforce policies.
Step 7 – Awareness and Training
• Makes users aware of the expected behavior
• Teaches users how and when to secure information
• Reduces losses and theft
• Reduces the need for enforcement
Step 8 – Monitor for Compliance
• Management is responsible for establishing controls
• Management should REGULARLY review the status of controls
• Enforce “User Contracts” (Code of Conduct)
• Establish effective authorization approval
• Establish an internal review process
• Internal Audit Reviews
Step 9 – Evaluate Policy Effectiveness
• Evaluate
• Document
• Report
Step 10 – Modify the Policy
Policies must be modified due to:
– New Technology
– New Threats
– New or changed goals
– Organizational changes
– Changes in the Law
– Ineffectiveness of the existing Policy
HIPAA Security Guidelines
• Security Administration
• Physical Safeguards
• Technical Security Services and Mechanisms
Minimum HIPAA Requirements
• Security Administration
– Certification Policy (§ .308(a)(1))
– Chain of Trust Policy (§ .308(a)(2))
– Contingency Planning Policy (§ .308(a)(3))
– Data Classification Policy (§ .308(a)(4))
– Access Control Policy (§ .308(a)(5))
– Audit Trail Policy (§ .308(a)(6))
– Configuration Management Policy (§ .308(a)(8))
– Incident Reporting Policy (§ .308(a)(9))
– Security Governance Policy (§ .308(a)(10))
– Access Termination Policy (§ .308(a)(11))
– Security Awareness & Training Policy (§ .308(a)(12))
Minimum HIPAA Requirements
• Physical Safeguards
– Security Plan (Security Roles and Responsibilities) (§ .308(b)(1))
– Media Control Policy (§ .308(b)(2))
– Physical Access Policy (§ .308(b)(3))
– Workstation Use Policy (§ .308(b)(4))
– Workstation Safeguard Policy (§ .308(b)(5))
– Security Awareness & Training Policy (§ .308(b)(6))
Minimum HIPAA Requirements
• Technical Security Services and Mechanisms
– Mechanism for controlling system access (§ .308(c)(1)(i))
• “Need-to-know”
– Employ event logging on systems that process or store PHI (§ .308(c)(1)(ii))
– Mechanism to authorize the privileged use of PHI (§ .308(c)(3))
• Employ a system- or application-based mechanism to authorize activities within system resources in accordance with the Least Privilege Principle.
– Provide corroboration that PHI has not been altered or destroyed in an unauthorized manner (§ .308(c)(4))
• Checksums, double keying, message authentication codes, and digital signatures.
– Users must be authenticated prior to accessing PHI (§ .308(c)(5))
• Uniquely identify each user and authenticate identity
• Implement at least one of the following methods to authenticate a user:
– Password;
– Biometrics;
– Physical token;
– Call-back or strong authentication for dial-up remote access users.
• Implement automatic log-offs to terminate sessions after set periods of inactivity.
– Protection of PHI on networks with connections to external communication systems or public networks (§ .308(d))
• Intrusion detection
• Encryption
Creighton Specific Policies
• Access Control Policy
• Contingency Planning Policy
• Data Classification Policy
• Change Control Policy
• Wireless Policy
• Incident Response Policy
• Termination of Access Policy
• Backup Policy
• Virus Policy
• Retention Policy
• Physical Access Policy
• Computer Security Policy
• Security Awareness Policy
• Audit Trail Policy
• Firewall Policy
• Network Security Policy
• Encryption Policy
Policy Hierarchy
[Figure: Policy Hierarchy; labels in the diagram: Governance Policy; Access Control Policy; User ID Policy; Access Control Authentication Standard; Password Construction Standard; User ID Naming Standard; Strong Password Construction Guidelines]
Network security policies


Editor's Notes

  1. A policy may have many standards associated. A standard should have only one policy associated. A standard may have many guidelines associated.
  2. Guidelines are used when standards cannot be enforced or management support is lukewarm. Examples:
     Standard: Passwords must be 8 characters long and expire every 90 days.
     Guideline: Passwords should be constructed using alpha, numeric, upper case, lower case, and special characters.
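The password rules from the Security Policy slide and the editor's note, turned into the kind of control Step 6 asks for (an added example, not part of the presentation): standard items (8 characters, a non-alphabetic character, no dictionary word, 90-day expiry) are enforced as violations, while guideline items (upper case, lower case, digit, special character) are only reported as recommendations. The word list is a constructed stand-in for a real dictionary file.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 8       # standard: "Passwords will be 8 characters long"
MAX_AGE_DAYS = 90    # standard from the editor's note: expire every 90 days

# Constructed stand-in for a real dictionary/word list (assumption).
DICTIONARY = {"password", "welcome", "football", "creighton", "summer"}


@dataclass
class PolicyResult:
    """Standard items are violations (must fix, block the password);
    guideline items are recommendations (should fix, never block)."""
    violations: list = field(default_factory=list)
    recommendations: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.violations


def check_password(password: str, dictionary=DICTIONARY) -> PolicyResult:
    result = PolicyResult()

    # --- Standard: mandatory, enforced ---
    if len(password) < MIN_LENGTH:
        result.violations.append(f"shorter than {MIN_LENGTH} characters")
    if all(c.isalpha() for c in password):
        result.violations.append("contains no non-alphabetic character")
    # Dictionary check is case-insensitive and also inspects the alphabetic
    # core, so "Password1!" is still recognised as the word "password".
    core = "".join(c for c in password if c.isalpha()).lower()
    if password.lower() in dictionary or core in dictionary:
        result.violations.append("based on a dictionary word")

    # --- Guideline: recommended character classes ---
    classes = {
        "upper case letter": any(c.isupper() for c in password),
        "lower case letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special character": any(not c.isalnum() for c in password),
    }
    for name, present in classes.items():
        if not present:
            result.recommendations.append(f"add at least one {name}")
    return result


def password_expired(last_changed: date, today: date,
                     max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the standard allows."""
    return (today - last_changed) > timedelta(days=max_age_days)


if __name__ == "__main__":
    for pw in ["password", "Password1!", "abcdefgh1", "Tr0ub4dor&3"]:
        r = check_password(pw)
        print(f"{pw!r}: compliant={r.compliant} "
              f"violations={r.violations} recommendations={r.recommendations}")
```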