ORGANIZATIONAL SECURITY
Organizational Security Training and Policies (slide deck, 43 slides)
Dave Meltzer

WHY IS THIS IMPORTANT TO ME?
- Keeping a job
- Protecting your company
- Less work to recover from an incident: “Ounce of prevention versus a pound of cure” – Benjamin Franklin

OBJECTIVES
- Create organizational policies
- Identify the educational and training needs of users and administrators
- Properly dispose of or destroy IT equipment and data

TOPIC A
- Topic A: Organizational policies
- Topic B: Education and training
- Topic C: Disposal and destruction
- No Virtuals

CIA TRIAD
- Triad
  - Confidentiality
  - Integrity
  - Availability

CONTROL TYPES
- Technical
  - Authentication systems, anti-malware tools, encryption, firewalls
- Management
  - Security training, policies, review procedures
- Operational
  - Procedures for day-to-day actions, incident response procedures, data retention and destruction procedures, record keeping, auditing, personnel identification

RISK ASSESSMENT
- Qualitative vs. quantitative ($$)
- Annual Loss Expectancy (ALE)
  - Quantifiable loss projections help justify security expenditures
- Risk strategies
  - Avoidance
  - Transference
  - Acceptance
  - Deterrence
  - Mitigation
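The slide names ALE as the quantitative tool that justifies security spending. The following is an added worked example, not code from the deck: it uses the standard decomposition ALE = SLE × ARO (single loss expectancy times annualized rate of occurrence, which the slide does not spell out) and scores one candidate treatment per listed risk strategy for a single constructed risk; every dollar figure and rate is a constructed sample value.

```python
"""Annual Loss Expectancy (ALE) cost-benefit example.

Added illustration, not part of the original slide deck. ALE = SLE * ARO is
the standard decomposition; the laptop-theft risk, the candidate controls and
all numbers below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost in dollars of one occurrence
    aro: float  # annualized rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        # Annual Loss Expectancy: expected yearly loss if nothing changes
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate treatment for a risk, expressed in ALE terms."""
    strategy: str            # avoidance / transference / acceptance / deterrence / mitigation
    name: str
    annual_cost: float       # yearly cost of the control (licences, premiums, staff time)
    sle_factor: float = 1.0  # residual SLE as a fraction of the original (1.0 = unchanged)
    aro_factor: float = 1.0  # residual ARO as a fraction of the original (1.0 = unchanged)

    def residual_ale(self, risk: Risk) -> float:
        return risk.sle * self.sle_factor * risk.aro * self.aro_factor

    def annual_benefit(self, risk: Risk) -> float:
        """Net yearly value: ALE reduction minus what the control costs.

        Positive means the expenditure is justified by the loss it prevents;
        negative means the organization pays more than it expects to lose.
        """
        return (risk.ale - self.residual_ale(risk)) - self.annual_cost


def rank_controls(risk: Risk, controls: list) -> list:
    """Return (control name, annual benefit) pairs, best first."""
    scored = [(c.name, round(c.annual_benefit(risk), 2)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed example: theft of an unencrypted laptop from a field sales team.
LAPTOP_THEFT = Risk(name="stolen unencrypted laptop", sle=50_000.0, aro=2.0)

# Constructed candidate treatments, one per strategy named on the slide.
CANDIDATES = [
    # Acceptance: do nothing and carry the full ALE.
    Control("acceptance", "accept the risk", annual_cost=0.0),
    # Mitigation: full-disk encryption turns a lost device into a hardware loss only.
    Control("mitigation", "full-disk encryption", annual_cost=8_000.0, sle_factor=0.05),
    # Transference: insurance pays most of each loss, but premiums are due every year.
    Control("transference", "cyber insurance", annual_cost=30_000.0, sle_factor=0.20),
    # Deterrence: asset tags and tracking lower how often devices go missing.
    Control("deterrence", "asset tagging and tracking", annual_cost=5_000.0, aro_factor=0.50),
    # Avoidance: no local data at all removes the exposure but costs more than it saves.
    Control("avoidance", "virtual desktops, no local data", annual_cost=120_000.0,
            sle_factor=0.0),
]


if __name__ == "__main__":
    print(f"{LAPTOP_THEFT.name}: ALE = ${LAPTOP_THEFT.ale:,.0f}/year")
    for name, benefit in rank_controls(LAPTOP_THEFT, CANDIDATES):
        verdict = "justified" if benefit > 0 else "not justified"
        print(f"  {name:32s} net ${benefit:>12,.2f}/year  ({verdict})")
```

With these constructed figures the mitigation option returns the most per year and the avoidance option costs more than the whole ALE, which is the kind of comparison the slide means by "justify security expenditures".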

ORGANIZATIONAL POLICIES
1. Security Policy
2. HR Policy
3. Incident response policy
4. Change Management Policy

(1) SECURITY POLICY CONTENTS
- Acceptable use
- Due care
- Privacy
- Separation of duties
- Need-to-know information
- Password management
- Service-level agreements
- Account expiration
- Destruction or disposal
- Clean Desk Policy (nib)

ACCEPTABLE-USE POLICY
- Defines how computer and network resources can be used
- Protects information and limits liabilities and legal actions
- Addresses productivity issues
- Employees should read and sign the document

DUE CARE
- Judgment or care exercised in a given circumstance
- Identifies risks to the organization
- Assesses risks and the measures to be taken to ensure information security

PRIVACY
- Privacy of customer and supplier information
  - Contracts
  - Sales documents
  - Financial data
  - Personally identifiable information
- Compromised information causes entities to lose trust

SEPARATION OF DUTIES
- Avoids one person having all knowledge of a process
  - Potential for abuse
  - Knowledge leaves with the person
- Distribute tasks throughout staff
- Document all procedures
- Security divided into multiple elements
  - Each element assigned to different people

NEED TO KNOW
- Sensitive information accessed only by those who must use it
- Give the IT team just enough permissions to perform their duties
- Give explicit access to those who need it

PASSWORD MANAGEMENT
- Minimum password length
- Required characters
- Reset interval
- Reuse
- How users handle passwords
- Check for weak passwords
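The slide lists the parameters a password policy has to pin down. As an added example (not code from the deck), the block below turns that list into an enforceable check: length, required character classes, a weak-password list, a reuse rule enforced against salted hashes of earlier passwords rather than stored clear text, and a reset-interval check. The policy values, the weak-password list and the sample passwords are all constructed here.

```python
"""Password policy checker illustrating the slide's policy parameters.

Added example, not code from the original deck. Policy numbers, the
weak-password list and the sample passwords are constructed values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    reset_interval_days: int = 90  # how old a password may get before it must change
    history_depth: int = 5         # how many previous passwords may not be reused


# Constructed list; a real deployment would load a breach corpus instead.
WEAK_PASSWORDS = frozenset({"password", "password1", "123456", "qwerty", "letmein", "welcome"})


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so a leaked history does not reveal old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PasswordHistory:
    """Salted hashes of previous passwords, newest last, plus the last change date."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest)
    last_changed: Optional[date] = None

    def add(self, password: str, changed_on: date) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        self.last_changed = changed_on

    def contains(self, password: str, depth: int) -> bool:
        # Only the most recent `depth` entries count; compare digests in constant time.
        for salt, digest in self.entries[-depth:]:
            if hmac.compare_digest(_hash(password, salt), digest):
                return True
        return False


def check_password(candidate: str, policy: PasswordPolicy, history: PasswordHistory) -> List[str]:
    """Return every policy rule the candidate violates (empty list = acceptable)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if policy.require_symbol and not any(not c.isalnum() for c in candidate):
        problems.append("no symbol")
    # Weak-password check ignores case and the trailing digits users commonly append.
    lowered = candidate.lower()
    if lowered in WEAK_PASSWORDS or lowered.rstrip("0123456789") in WEAK_PASSWORDS:
        problems.append("appears on the weak-password list")
    if history.contains(candidate, policy.history_depth):
        problems.append(f"reused within the last {policy.history_depth} passwords")
    return problems


def reset_due(policy: PasswordPolicy, history: PasswordHistory, today: date) -> bool:
    """True when the current password is older than the policy's reset interval."""
    if history.last_changed is None:
        return True  # never set: force a change
    return today - history.last_changed > timedelta(days=policy.reset_interval_days)


def run_demo() -> dict:
    """Evaluate three constructed candidates against a history holding one old password."""
    policy = PasswordPolicy()
    hist = PasswordHistory()
    hist.add("Correct-Horse-7", date(2024, 1, 15))  # constructed previous password
    results = {pw: check_password(pw, policy, hist)
               for pw in ("Password1", "Correct-Horse-7", "Tr0ub4dor&3x-long")}
    results["reset_due_2024_06_01"] = reset_due(policy, hist, date(2024, 6, 1))
    results["reset_due_2024_03_01"] = reset_due(policy, hist, date(2024, 3, 1))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key!r}: {value if value != [] else 'OK'}")
```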

SERVICE-LEVEL AGREEMENT
- Contract between service provider and end user
- Defines levels of support
- Documents penalties
- Covers disaster recovery plans
- Contingency plans

DISPOSAL AND DESTRUCTION
- Degauss magnetic media
- Zeroize (sanitize) drives
- Physically destroy media
- Lock recycle bins
- Shred or burn documents

CLEAN DESK POLICY
- A CDP specifies how employees should leave their working space when they leave the office

(2) HUMAN RESOURCES POLICIES
- Redundant knowledge, cross-train
- Document manual procedures for automated duties
- Access policies
  - ID badges
  - Keys
  - Restricted-access areas
- Personnel management
  - Hiring process
  - Employee review and maintenance
  - Employee termination

HIRING
- Background check
  - Reference checks
  - Past employer
  - Criminal check
- Verify certifications and degrees

EMPLOYEE REVIEW AND MAINTENANCE
- Periodic review
  - Performance
  - Identify potential security risks
  - Evaluate security clearances
- Job rotation – reduce the chance of fraud
- Mandatory vacations – avoid burn-out
- Separation of duties – no one holds too much power

POST-EMPLOYMENT
- Exit interview
- Security threat
- Disable accounts
- Change shared passwords

CODE OF ETHICS
- Defines the organization’s information security policies
- Employees act
  - Responsibly
  - Legally
  - Honestly
  - Provide proficient service
  - Act ethically
- Prove reliability of the organization to
  - Customers
  - Suppliers
  - Other employees

(3) INCIDENT RESPONSE POLICY
- Details how to deal with a security breach or disaster
- Incident
  - Event that adversely affects the network
    - Virus
    - System failure
    - Unauthorized access
    - Service disruption
    - Violation of security policies
    - Legal consequences

INCIDENT RESPONSE POLICY CONTENTS
a) Preparation
b) Detection
c) Containment
d) Eradication
e) Recovery
f) Follow-up

(A) PREPARATION
- Plan ahead – allows a quick, efficient response
- Balance easy access with effective controls to prevent incidents
- Identify steps that the incident response team should take
- List of Incident Response team members
- Document acceptable risks
- Identify hardware and software used for analysis and forensics of the incident
- Document the contingency plan

(B) DETECTION
- Assess the state of affairs
- Figure out what caused the incident
- Estimate the scope of the incident
  - Number of systems affected
  - Number of networks affected
  - How far the intruder got
  - Level of privileges accessed
  - Information or systems at risk
  - Paths of attack
  - Who knows of the incident
  - Extent of vulnerability

DETECTION (CONTINUED)
- Document the incident
  - Share with
    - CIO
    - Affected personnel
    - PR department
    - Incident response team
    - Legal department
    - Law enforcement, government agencies
  - Include
    - Fundamental details
    - Incident type
    - Resources used to deal with the incident
    - Source of the incident
    - Consequences
    - Sensitivity of compromised information

(C) CONTAINMENT
- Specific to different types of incidents
- Increase monitoring levels
- Malicious attack
  - Stop using compromised equipment or data until the incident is resolved
  - Alert appropriate individuals
  - Gather information to identify the perpetrator

(D) ERADICATION
- Begins after containment
- Eradicate the cause of the incident
- Clean or delete affected files
- Restore data
- Verify that backups are clean

(E) RECOVERY
- Document where new equipment can be procured
  - Quick replacement
  - Borrow
  - Vendor-sponsored
- Full system restore
- Change passwords

(F) FOLLOW-UP
- Learn from what occurred
- Document the entire process
- Justify the expense of implementing the security policy and incident response team
- Use as training
- Use for legal proceedings

(4) CHANGE MANAGEMENT
- Procedures for network changes
- Initiated with an RFC document
  - RFC sent for approval
  - Priority is set
  - Assigned to whoever makes the change
  - Document decisions
  - RFC scheduled
  - Complete when change owner and requester verify successful implementation
  - Review of RFC

TOPIC B
- Topic A: Organizational policies
- Topic B: Education and training
- Topic C: Disposal and destruction

EDUCATION
- Educate staff about security
  - Network administrators
  - End-users
- Enables regular users to see potential security problems or security violations
- Customize to provide the level of knowledge needed by students
  - Big picture for end-users
  - Detailed knowledge for administrative users
  - Exhaustive knowledge for security administrators

COMMUNICATION
- Identify what information can be shared and with whom
- Identify what information can never be shared
- Prove identity inside the company
- Training should include social engineering threats

SECURITY TRAINING INCLUDES:
- Reason for training
- Whom to contact about security incidents
- Policies about system account use – password policies
- Policies about personally owned devices
- Policies regarding disclosure of sensitive information, including personally identifiable information
- Compliance with laws, best practices, and standards
- Internet, e-mail, social networking, and P2P policies
- Threat awareness, including viruses, social engineering attacks, tailgating, phishing

TYPES OF TRAINING
- On-the-job
  - Learn from the experience
  - Document what was done
- Classroom
- Online

TOPIC C
- Topic A: Organizational policies
- Topic B: Education and training
- Topic C: Disposal and destruction

DISPOSAL
- Data and equipment
  - Implement policies and procedures to prevent loss of data
- Determine the value of data
  - Actual data
  - Configuration and settings that might reveal security controls
  - Intrinsic properties – brand, model

DATA SECURITY AND DESTRUCTION
- Data destruction utilities
- Paper documents
- Configuration destruction – reset to default settings or just destroy the equipment
- Intrinsic properties destruction – probably not necessary unless for national defense

DISPOSAL OF ELECTRONICS
- Cost of upgrading or repairing vs. replacing
  - Disruption to user
  - Cost of IT time
  - Factors specific to your organization
- Recycling
  - Hazardous materials cannot be sent to landfill
  - MSDS (material safety data sheets) indicate how to handle and dispose of them

DISPOSAL OF COMPUTER EQUIPMENT
- Batteries cannot be sent to landfill – recycler
- CRTs contain lead and phosphorus – recycler
- LCD monitors – recycler
- Computers
  - Circuit boards – recycler
  - Storage disks – erase completely
- Reuse equipment OR repurpose equipment
