Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

IT Policy

970 views

Published on

How To Secure your Business Network

Published in: Marketing
  • Be the first to comment

  • Be the first to like this

IT Policy

  1. 1. INFORMATION SECURITY POLICIES & STANDARDS.
  2. 2.  Define security policies and standards.  Measure actual security against policy.  Report violations to policy.  Correct violations to confirm with policy.  Summarize policy compliance for the organization. 2 Challenges before us: BUT Where DO We Start?????
  3. 3.  What assets within the organization need protection?  What are the risks to each of these assets?  How much time, effort, and money is the organization willing to expend to upgrade or obtain new adequate protection against these threats? 3 Basic Risk Assessment
  4. 4.  Physical items  Sensitive data and other information  Computers, laptops, mobiles, etc.  Backups and archives.  Manuals, books, and guides  Communications equipment and wiring.  Personnel records.  Audit records.  Commercial software 4 Identifying the Assets:  Non-physical items  Personnel passwords  Public image and reputation  Processing availability and continuity of operations  Configuration information.  Data integrity  Confidentiality of information
  5. 5.  Component failure  Misuse of software and hardware  Viruses, Trojan horses, or worms  Unauthorized deletion or modification  Unauthorized disclosure of information  Penetration ("hackers" getting into your machines)  Software bugs and flaws  Fires, floods, or earthquakes  Riots 5 The risks:
  6. 6.  Sensitive :- This classification applies to information that needs protection from unauthorized modification or deletion to assure its integrity. It is information that requires a higher than normal assurance of accuracy and completeness. Examples of sensitive information include organizational financial transactions and regulatory actions. 6 Data Sensitivity Classification:
  7. 7.  Confidential :- This classification applies to the most sensitive business information that is intended strictly for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization, its stockholders, its business partners, and/or its customers. Health care-related information should be considered at least confidential. 7 Data Sensitivity Classification:
  8. 8.  Private :- This classification applies to personal information that is intended for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization and/or its employees.  Public :- This classification applies to all other information that does not clearly fit into any of the above three classifications. While its unauthorized disclosure is against policy, it is not expected to impact seriously or adversely affect the organization, its 8 Data Sensitivity Classification:
  9. 9. Types of Security Policies:  Password policies  Administrative Responsibilities  User Responsibilities  E-mail policies  Internet policies 9  Backup and restore policies  Technologies to secure IT Infra:  Firewalls.  Auditing.  System Policies.  IT admin policies.
  10. 10.  The use of e-mail to conduct official business ,which users should adhere to.  The use of e-mail for personal business is strictly prohibited.  Access control and confidential protection of messages.  The management and retention of e-mail messages.  Official email ids should not be subscribed on any sort of websites.  There should not be bulk emailing from any or all of the users within the Organization.  Spam emailing is against official policy and any email user doing any such would be held against criminal offence. 10 E-mail Policies :
  11. 11.  Set of protocols and conventions used to traverse and find information over the Internet which should be followed by all the users.  Browsers also introduce vulnerabilities to an organization which should be strictly prohibited.  Web servers can be attacked directly, or used as jumping off points to attack an organization's internal networks so users should be very careful while surfing and browsing.  Firewalls and proper configuration of routers and the IP protocol can help to fend off denial of service attacks. 11 Internet Policies:
  12. 12.  The backup polices should include plans for:  Regularly scheduled backups.  Types of backups. Most backup systems support, normal backups, incremental backups, and differential backups.  A schedule for backups. The schedule should normally be during the night when the company has the least amount of users.  The information to be backed up.  Type of media used for backups. Tapes, CD-ROMs, other hard drives, and so forth. 12 Backup Policies:
  13. 13.  Firewall configuration.  Audits at regular intervals.  System Policies.  Administrator Policies. 13 Secure Network Connectivity :
  14. 14.  Should block unwanted traffic.  Should direct incoming traffic to more trustworthy internal systems.  Should hide vulnerable systems that cannot easily be secured from the Internet.  Should can log traffic to and from the private network.  Should hide information such as system names, network topology, network device types, and internal user IDs from the Internet.  Should provide more robust authentication than standard applications might be able to do. 14 Firewalls:
  15. 15.  Logon and logoff information  System shutdown and restart information  File and folder access  Password changes  Object access  Policy changes 15 Auditing :
  16. 16.  All the systems should be configured with proper firewall gateway.  Systems should strictly have licensed and only as per use Soft wares installed.  Every system should be allowed to login with complex passwords and authenticated users.  A password must be initially assigned to a user when enrolled on the system.  Users must remember their passwords.  Users must enter their passwords into the system at authentication time. 16 System Policies:
  17. 17.  A user's password must be changed periodically  The system must maintain a "password database.“  All the systems must have user and administrator user roles defined.  Scheduled audits to ensure the IT security policies.  Administrator passwords should not be shared .  No spam and network violating activities within the organization. 17 IT Admin Policies :
  18. 18. PRESENTED BY Senseware IT Admin Responsibilities: Managed IT. 18 Thank you for the time devoted.

×