11. A security policy should be economically feasible, understandable, realistic, consistent, procedurally tolerable, and also provide reasonable protection relative to the stated goals and objectives of management.
14. The policy should specify the mechanism through which these requirements can be met
15.
16.
17. They must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible.
18. They must clearly define the areas of responsibility for the users, administrators, and management.
19.
20. Securing the prime, host machines by logically isolating them. In most situations, the network is not the resource at risk rather; it is the endpoint of the network that is threatened.
21. Usually, there are bugs in the program for networks or in the administrator of the system.
22. It is this way with computer security; the attacker just has to trust them in some fashion. It might be therefore a major risk that the intruder can compromise the entire system.
23. He will now be able to attack other systems, either by taking over root, and thence the system’s identity, or by taking over some user account. This is called transitive trust.
35. It helps in security without disturbing a population of users
36.
37. A DMZ is an example of general philosophy of defense in depth. That is multiple layers of security always provide better shield. If an attacker penetrates past the first firewall he or she gains access to the DMZ, but not necessarily to the internal network. Without the DMZ, the first successful penetration could result in a more serious compromise.
39. It is used to encrypt the sensitive information to be sent out making it harder to crack if intercepted
40. Encryption is often consider as the ultimate weapon in the computer security
41. Encryption is based to safe guard file transmission if a key is generated from a type password
42. There are various encryption techniques like symmetric and asymmetric
43.
44. Computer Technology Purchasing Guidelines, which specify required, or preferred security features. Theses should supplement existing purchasing policies and guidelines.
45. A Privacy Policy, which defines reasonable expectations of privacy regarding such issues as monitoring of electronic mail, logging of keystrokes, and access to users files.
46. An Access policy, which defines access rights and privileges to protect assets from loss or disclosure by specifying acceptable use guidelines for external connections, operation staff, and management. It should provide guidelines for external connections, data communication, connecting devices to a network, and adding new software to systems. It should also specify any required notification messages (e.g., connect messages should provide warnings about authorized usage and line monitoring, and adding simply say “Welcome”).
47. An Accountability Policy, which defines the responsibilities of users, operation staff, and management. It should specify an audit capability, and provide incident handling guidelines (i.e., what to do and who to contact if a possible intrusion is detected).
48. An Authentication Policy establishes trust through an effective password policy, and by setting guidelines for remote location authentication and the use of authentication devices (e.g., one-time password and devices that generate them).
49. An Availability statement which sets users expectations for the availability of resources. It should address redundancy and recovery issues, as well as specify operating hours and maintenance downtime periods. It should also include contact information for reporting system and network failures.
50. An Information Technology System and Network Maintenance Policy which describes how both internal and external maintenance people are allowed to handle and access technology. One important topic to be addressed here is whether remote maintenance is allowed and how such access is controlled. Another area for consideration here is outsourcing and how it is managed.
51. A Violation Reporting Policy that indicates which types of violations (e.g., privacy and security, internal and external) must be reported and to whom the reports are made. A non-treating atmosphere and the possibility of anonymous reporting will result in a greater probability that a violation will be reported if it is detected.
61. The resources you want to protect may include Physical resources like printers, monitors, keyboards, drives, modems etc. and Logical resources include source and object program, data utilities, operating system, application etc.
63. The answer to this is will dictate the host specific measures that are needed. Machines with sensitive files may require extra security measures. Stronger the authentication, keystrokes logging and strict auditing, or even file encryption. If the target of interest is the outgoing connectivity, the administrator may choose to require certain privileges for access to the network.
72. Part of cost of security is directed financial expenditures, such as extra routes, firewalls, software packages, and so on. Often, the administrative costs are overlooked. There is another cost, however a cost in convenience and productivity, and even moderate. Too much security, people get frustrated. Finding the proper balance therefore essential.
75. In a technological era, Computer Security is fundamental to individual privacy. A great deal of personal information is stored on computer. If these computers are not safe prying eyes, neither is the data they hold. Worse yet, some of the most sensitive data-credit histories, bank balances, and the like-lives on machines attached to very large networks.
76. It is a fair school of thought that “I have a right to attack others because someone else has attack me!” No it is not ethical to do so! How can you take the law in your hands? This cannot be treated as “self defense”. Can it be?
77. Computer Security is a matter of good manners. If people want to be left alone, they should be.
78. More and more modem society depends on computers, and on the integrity of the programs and data they contain. These range from obvious (finance industry) to the telephone industry controlled by bugs in such systems can be divesting.
79. The administrator may gain some knowledge, some information about the users, about the organization, by the virtue of his position. Using such information for personal gain is not ethical.
![T.Z.A.S.P.MANDAL’S<br />PRAGATI COLLEGE OF ARTS, COMMERCE, AND SCIENCE<br />A CASE STUDY REPORT ON<br />Security Policy<br />PRESENTED ON:28th AUGUST, 2010<br />ABLY GUIDED BY Madam Snehal Borle<br />T.Y.B.Sc. (IT)<br />SUBMITTED BY<br />,[object Object]](https://image.slidesharecdn.com/securitypolicycasestudy-101204074535-phpapp01/85/Security-policy-case-study-1-320.jpg)
![Ms. Ashwini Godage - Roll No. 02T.Z.A.S.P.MANDAL’S<br />PRAGATI COLLEGE OF ARTS, COMMERCE, AND SCIENCE<br />T.Y.B.Sc. (IT)<br />CERTIFICATE<br />,[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)