Ch06 Policy


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Ch06 Policy

  1. 1. Lesson 6-Policy
  2. 2. Overview Understanding why policy is important. Defining various policies. Creating an appropriate policy. Deploying policies. Using policy effectively.
  3. 3. Understanding Why Policy is Important The two primary functions of a policy are: It defines the scope of security within an organization. It clearly states the expectations from everyone in the organization.
  4. 4. Understanding Why Policy is Important Policy defines how security should be implemented. It includes the system configurations, network configurations, and physical security measures. It defines the mechanisms used to protect information and systems. It defines how organizations should react when security incidents occur.
  5. 5. Understanding Why Policy is Important Policy provides the framework for employees to work together. It defines the common goals and objectives of the organization’s security program. Proper security awareness training helps implement policy initiatives effectively.
  6. 6. Defining Various Policies Information policy. Security policy. Computer use policy. Internet use policy. E-mail policy. User management procedures.
  7. 7. Defining Various Policies System administration procedures. Backup policy. Incident response policy. Configuration management procedures. Design methodology. Disaster recovery plans.
  8. 8. Information Policy Identification of sensitive information. Classifications. Marking and storing sensitive information. Transmission of sensitive information. Destruction of sensitive information.
  9. 9. Identification of Sensitive Information Sensitive information differs depending on the business of the organization. It may include business records, product designs, patent information, and company phone books. It may also include payroll, medical insurance, and any other financial information.
  10. 10. Classifications Only the lowest level of information should be made public. All proprietary, company sensitive, or company confidential information is releasable to employees. All restricted or protected information must be made available to authorized employees only.
  11. 11. Marking and Storing Sensitive Information The policy must mark all sensitive information. It should address the storage mechanism for information on paper or on computer systems. Incase of information stored on computer systems, the policy should specify appropriate levels of protection. Use encryption wherever required.
  12. 12. Transmission of Sensitive Information The policy addresses how sensitive information needs to be transmitted. It specifies the encryption method to be used while transmitting information through electronic mail. Incase of hardcopies of information, request a signed receipt.
  13. 13. Destruction of Sensitive Information To destroy sensitive information: Shred the information on paper. Use cross-cut shredders that provide an added level of protection. PGP desktop and BCWipe can be used to delete documents placed on a desktop.
  14. 14. Security Policy Identification and authentication. Access control. Audit. Network connectivity.
  15. 15. Security Policy Malicious code. Encryption. Waivers. Appendices.
  16. 16. Identification and Authentication The security policy defines how users will be identified. It defines the primary authentication mechanism for users and administrators. It defines stronger mechanism for remote access such as VPN or dial-in access.
  17. 17. Access Control The security policy defines the standard requirement for access control of electronic files. The requirement includes the required mechanism and the default requirements for new files. The mechanism should work with authentication mechanism to allow only authorized users to access the information.
  18. 18. Audit Security policies must frequently audit the following events: Logins (successful and failed). Logouts. Failed access to files or system objects. Remote access (successful and failed). Privileged actions. System events (such as shutdowns and reboots).
  19. 19. Audit Each event should also capture the following information: User ID (if there is one) Date and time Process ID (if there is one) Action performed Success or failure of the event
  20. 20. Network Connectivity The security policy specifies the rules for network connectivity and the protection mechanisms. It includes: Dial-in connections. Permanent connections. Remote access of internal systems. Wireless networks.
  21. 21. Malicious Code The security policy specifies where security programs that look for malicious code need to be placed. Some appropriate locations are file servers, desktop systems, and electronic mail servers. It should specify the requirements for security programs. It should require updates of signatures for such security programs on a periodic basis.
  22. 22. Encryption The security policy should define the acceptable encryption algorithms for use. It can refer to the information policy to choose the appropriate algorithms to protect sensitive information. It should also specify the procedures required for key management.
  23. 23. Waivers The security policy should provide a mechanism for risk assessment and formulating a contingency plan. For each situation, the system designer or project manager should fill a waiver form. The security department reviews the waiver request and provides risk assessment results and recommendations to minimize the risk. The waiver should be approved by the organization’s officer in charge of the project.
  24. 24. Appendices The security policy appendices should have details of: Security configurations for various operating systems. Network devices. Telecommunication equipments.
  25. 25. Computer Use Policy Ownership of computers - States that all computers are owned by the organization. Ownership of information - States that all information stored on or used by the organization’s computers is proprietary to the organization.
  26. 26. Computer Use Policy Acceptable use of computers - States all acceptable and unacceptable use of the organization’s computers. No expectation of privacy - States that the employee have no expectation of privacy for any information stored, sent, or received on the organization’s computers.
  27. 27. Internet Use Policy The Internet use policy is a part of the general computer use policy. It can be a separate policy due to the specific nature of the Internet use. The Internet use policy defines the appropriate uses of the Internet within an organization. It may also define inappropriate uses such as visiting non- business-related web sites.
  28. 28. E-mail Policy Internal mail issues - The electronic mail policy should not be in conflict with other human resource policies. External mail issues - Electronic mail leaving an organization may contain sensitive information. Therefore, it may be monitored.
  29. 29. User Management Procedures New employment procedure - Provides new employees with the proper access to computer resources. Transferred employee procedure - Reviews employee’s computer access when they are transferred within the organization. Employee termination procedure - Ensures removal of users who no longer work for the organization.
  30. 30. System Administration Procedure Software upgrades - Defines how often a system administrator will check for new patches or updates. Vulnerability scans - Defines how often and when the scans will be conducted by security. Policy reviews - Specifies the security requirements for each system.
  31. 31. System Administration Procedure Log reviews - Specifies configuration of automated tools that create log entries and how exceptions must be handled. Regular monitoring - Documents when network traffic monitoring will occur.
  32. 32. Backup Policy Frequency of backups - Identifies how often backups actually occur. Storage of backups - Defines how to store backups in a secure location. It also states the mechanism for requesting and restoring backups. Information to be backed up - Identifies which data needs to be backed up more frequently.
  33. 33. Incident Response Procedure Incident handling objectives - Specifies the objectives of the organization when handling an incident. Event identification - States corrective actions for an intrusion or user mistake. Escalation - Specifies an escalation procedure such as activating an incident response team. Information control - Specifies what information is classified and what can be made public.
  34. 34. Incident Response Procedure Response - Defines the type of response when an incident occurs. Authority - Defines which individual within the organization or the incident response team has the authority to take action. Documentation - Defines how the incident response team should document its actions. Testing of the procedure - Tests the IRP once it is written. It also identifies the loop holes in the procedure and suggests corrective actions.
  35. 35. Configuration Management Procedures Initial system state - Documents the state of a new system when it goes into production. It should include details of the operating system, version, patch level, application details, and configuration details. Change control procedure - Executes a change control procedure when a change is to be made to an existing system.
  36. 36. Design Methodology Requirements definition - Specifies the security requirements that need to be included during the requirement definition phase. Design - Specifies that security should be represented to ensure that the project is secured during the design phase. Test - Specifies that when the project reaches the testing phase, the security requirement should also be tested. Implementation - Specifies that the implementation team should use proper configuration management procedures.
  37. 37. Disaster Recovery Plans Single system or device failures - Includes a network device, disk, motherboard, network interface card, or component failure. Data center events - Provides procedures for a major event within a data center. Site events - Identifies the critical capabilities that need to be restored. Testing the DRP - Identifies key employees and performs walkthroughs of the plan periodically.
  38. 38. Creating an Appropriate Policy To create an appropriate policy: Identify which policies are most relevant and important to an organization. Conduct a risk assessment to identify risk areas. Define all acceptable and unacceptable employee behavior. State all restrictions clearly. Identify individuals and other stakeholders who will be affected by the policy. State expectations clearly.
  39. 39. Creating an Appropriate Policy To create an appropriate policy: Define a set of possible outlines. Draft the policy based on the outline. Include stakeholders during discussions and invite suggestions. Brainstorm before developing the final policy.
  40. 40. Deploying the Policy Every department of the organization that is affected by the policy must accept the underlying concept. Conduct security awareness training where employees are informed of the intended change. Make well-planned transitions rather than radical changes while implementing the policy.
  41. 41. Using Policy Effectively Identify security requirements early in the process. Security should be a part of the design phase of the project. Examine existing systems to ensure it is in compliance to new policies. Conduct periodic audits to ensure compliance with the policy. Review policies regularly to ensure they are still relevant for the organization.
  42. 42. Summary Policies define how security is implemented within an organization. Each policy must have a purpose, scope, and responsibility. An organization must establish information policy, security policy, computer use policy, Internet and e-mail policy, and a backup policy. An organization must also define user management, system administration, incident response, and configuration management procedures.
  43. 43. Summary The disaster recovery plan details recovery action for various levels of failures. While creating a policy ensure that it will be relevant and important to an organization. Involve stakeholders in policy discussions. Conduct security awareness trainings regularly. Include security issues at each development phase of a project.