IT Policy

Jun. 6, 2015

  1. INFORMATION SECURITY POLICIES & STANDARDS.
  2. Challenges before us:
     - Define security policies and standards.
     - Measure actual security against policy.
     - Report violations of policy.
     - Correct violations to conform with policy.
     - Summarize policy compliance for the organization.
     But where do we start?
  3. Basic Risk Assessment:
     - What assets within the organization need protection?
     - What are the risks to each of these assets?
     - How much time, effort, and money is the organization willing to expend to upgrade or obtain new, adequate protection against these threats?
  4. Identifying the Assets:
     Physical items:
     - Sensitive data and other information
     - Computers, laptops, mobiles, etc.
     - Backups and archives
     - Manuals, books, and guides
     - Communications equipment and wiring
     - Personnel records
     - Audit records
     - Commercial software
     Non-physical items:
     - Personnel passwords
     - Public image and reputation
     - Processing availability and continuity of operations
     - Configuration information
     - Data integrity
     - Confidentiality of information
  5. The risks:
     - Component failure
     - Misuse of software and hardware
     - Viruses, Trojan horses, or worms
     - Unauthorized deletion or modification
     - Unauthorized disclosure of information
     - Penetration ("hackers" getting into your machines)
     - Software bugs and flaws
     - Fires, floods, or earthquakes
     - Riots
  6. Data Sensitivity Classification:
     - Sensitive: This classification applies to information that needs protection from unauthorized modification or deletion to assure its integrity. It is information that requires a higher than normal assurance of accuracy and completeness. Examples of sensitive information include organizational financial transactions and regulatory actions.
  7. Data Sensitivity Classification:
     - Confidential: This classification applies to the most sensitive business information that is intended strictly for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization, its stockholders, its business partners, and/or its customers. Health care-related information should be considered at least confidential.
  8. Data Sensitivity Classification:
     - Private: This classification applies to personal information that is intended for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization and/or its employees.
     - Public: This classification applies to all other information that does not clearly fit into any of the above three classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely affect the organization, its
  9. Types of Security Policies:
     - Password policies
     - Administrative responsibilities
     - User responsibilities
     - E-mail policies
     - Internet policies
     - Backup and restore policies
     Technologies to secure IT infrastructure:
     - Firewalls
     - Auditing
     - System policies
     - IT admin policies
  10. E-mail Policies:
     - Users should adhere to the rules for the use of e-mail to conduct official business.
     - The use of e-mail for personal business is strictly prohibited.
     - Access control and confidentiality protection of messages.
     - The management and retention of e-mail messages.
     - Official e-mail IDs should not be used to subscribe to any sort of website.
     - There should be no bulk e-mailing from any of the users within the organization.
     - Spam e-mailing is against official policy, and any e-mail user doing so would be held liable for a criminal offence.
  11. Internet Policies:
     - The set of protocols and conventions used to traverse and find information over the Internet, which all users should follow.
     - Browsers also introduce vulnerabilities to an organization; use of browsers that introduce such vulnerabilities should be strictly prohibited.
     - Web servers can be attacked directly, or used as jumping-off points to attack an organization's internal networks, so users should be very careful while surfing and browsing.
     - Firewalls and proper configuration of routers and the IP protocol can help to fend off denial-of-service attacks.
  12. Backup Policies:
     The backup policies should include plans for:
     - Regularly scheduled backups.
     - Types of backups. Most backup systems support normal backups, incremental backups, and differential backups.
     - A schedule for backups. The schedule should normally be during the night, when the company has the least amount of users.
     - The information to be backed up.
     - The type of media used for backups: tapes, CD-ROMs, other hard drives, and so forth.
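To make the three backup types on this slide concrete, here is an added simulation (not part of the presentation) that models the "archive bit" convention many backup tools use: a normal backup copies everything and clears the bit, an incremental copies what changed since the last backup of any kind and clears the bit, a differential copies what changed since the last normal backup and leaves the bit set. The file names, the Sunday-to-Tuesday schedule and the edits are constructed for the example; `restore_chain` shows the practical consequence of the choice, namely how many backup sets an administrator must restore to get back to the latest state.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


# Constructed example: three files on a server, modelled with the "archive bit"
# that Windows-style backup tools use to mark a file as changed since its last backup.
@dataclass
class BackupFile:
    name: str
    archive: bool = True   # set when the file is created or modified


def normal_backup(files: List[BackupFile]) -> List[str]:
    """Normal (full) backup: copy every file and clear every archive bit."""
    copied = [f.name for f in files]
    for f in files:
        f.archive = False
    return copied


def incremental_backup(files: List[BackupFile]) -> List[str]:
    """Incremental: copy only files changed since the last backup of ANY type,
    then clear their archive bits so the next incremental starts from here."""
    copied = [f.name for f in files if f.archive]
    for f in files:
        f.archive = False
    return copied


def differential_backup(files: List[BackupFile]) -> List[str]:
    """Differential: copy files changed since the last NORMAL backup.
    The archive bit is left set, so each differential grows until the next normal backup."""
    return [f.name for f in files if f.archive]


def modify(files: List[BackupFile], name: str) -> None:
    """Simulate a user editing a file: its archive bit is set again."""
    for f in files:
        if f.name == name:
            f.archive = True


Job = Tuple[str, str, List[str]]   # (day, backup type, files copied)


def run_week(partial: Callable[[List[BackupFile]], List[str]]) -> List[Job]:
    """Sunday-night normal backup, then the chosen partial backup type on Mon/Tue,
    with the same constructed edits happening each day."""
    files = [BackupFile("ledger.xls"), BackupFile("policy.doc"), BackupFile("hr.db")]
    jobs: List[Job] = [("sun", "normal", normal_backup(files))]
    modify(files, "ledger.xls")
    jobs.append(("mon", partial.__name__, partial(files)))
    modify(files, "hr.db")
    jobs.append(("tue", partial.__name__, partial(files)))
    return jobs


def restore_chain(jobs: List[Job]) -> List[str]:
    """Which backup sets must be restored, in order, to rebuild the latest state.
    An incremental chain needs the normal backup plus EVERY later incremental;
    a differential scheme needs only the normal backup plus the LATEST differential."""
    if jobs[-1][1] == "differential_backup":
        return [jobs[0][0], jobs[-1][0]]
    return [day for day, _, _ in jobs]


if __name__ == "__main__":
    for strategy in (incremental_backup, differential_backup):
        jobs = run_week(strategy)
        for day, kind, copied in jobs:
            print(f"{day}: {kind:20s} copied {copied}")
        print("  restore needs:", restore_chain(jobs))
```

Incremental backups are smaller each night but every set in the chain is needed for a restore, so the loss of one tape breaks the chain; differentials grow through the week but a restore only ever needs two sets. That trade-off is what the "types of backups" line in the policy is asking an organization to decide.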
  13. Secure Network Connectivity:
     - Firewall configuration.
     - Audits at regular intervals.
     - System policies.
     - Administrator policies.
  14. Firewalls:
     - Should block unwanted traffic.
     - Should direct incoming traffic to more trustworthy internal systems.
     - Should hide vulnerable systems that cannot easily be secured from the Internet.
     - Should log traffic to and from the private network.
     - Should hide information such as system names, network topology, network device types, and internal user IDs from the Internet.
     - Should provide more robust authentication than standard applications might be able to do.
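The first and fourth points on this slide (block unwanted traffic, log traffic to and from the private network) come down to an ordered rule set with a default-deny fall-through. The following is an added illustration written for this page, not code from the presentation: a minimal first-match packet filter over constructed addresses (an RFC 1918 LAN, a TEST-NET-1 address standing in for a DMZ web server, and TEST-NET-3 addresses for the outside world), where every decision, allow or deny, produces one log line.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed address plan (assumption): RFC 1918 space for the LAN and a
# TEST-NET-1 address standing in for the public web server in the DMZ.
ANY_NET = "0.0.0.0/0"
LAN = "10.0.0.0/8"
DMZ_WEB = "192.0.2.10/32"

# First matching rule wins; anything unmatched falls through to deny.
RULES: List[Rule] = [
    Rule("allow", ANY_NET, DMZ_WEB, "tcp", 443),  # public HTTPS to the DMZ server only
    Rule("allow", LAN, ANY_NET, "tcp", 443),      # internal users browsing out
    Rule("allow", LAN, ANY_NET, "udp", 53),       # internal DNS lookups
    Rule("deny", ANY_NET, LAN, "any", None),      # the Internet never reaches internal systems
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when protocol, port and both address ranges of the rule cover the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def evaluate(pkt: Packet, rules: List[Rule] = RULES,
             log: Optional[List[str]] = None) -> str:
    """Return "allow" or "deny" for the packet and append one log line per decision,
    so that traffic to and from the private network is recorded either way."""
    decision = "deny"                      # default deny: block unwanted traffic
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
            break
    if log is not None:
        log.append(f"{decision.upper()} {pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst}")
    return decision


if __name__ == "__main__":
    audit: List[str] = []
    for p in (Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # outside -> DMZ web: allowed
              Packet("203.0.113.5", "192.0.2.10", "tcp", 22),    # outside -> DMZ ssh: no rule, denied
              Packet("203.0.113.5", "10.1.2.3", "tcp", 445),     # outside -> internal SMB: denied
              Packet("10.1.2.3", "198.51.100.7", "tcp", 443)):   # inside -> web: allowed
        evaluate(p, log=audit)
    print("\n".join(audit))
```

The explicit `deny ANY_NET -> LAN` rule is redundant with the default, but keeping it makes the intent auditable when someone later appends a permissive rule below it; the slide's "hide vulnerable systems" point is exactly this: no rule exists that would ever forward outside traffic to an internal address.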
  15. Auditing:
     - Logon and logoff information
     - System shutdown and restart information
     - File and folder access
     - Password changes
     - Object access
     - Policy changes
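Collecting the events on this slide only pays off if someone reads them, so here is an added example (written for this page, not part of the presentation) that parses a constructed audit log in a simple `timestamp EVENT key=value ...` format, summarizes it by the event categories the slide lists, and applies three defender checks an administrator would want in a scheduled audit: logons outside business hours, repeated failed logons for one account, and changes that disable audit policy. The log format, the sample lines and the 08:00 to 18:00 working window are assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed sample audit lines in an assumed "timestamp EVENT key=value ..." format.
AUDIT_LOG = """\
2015-06-06 08:55:02 LOGON user=alice host=ws01 result=SUCCESS
2015-06-06 09:10:44 FILE_ACCESS user=alice path=/finance/ledger.xls action=read
2015-06-06 12:30:00 PASSWORD_CHANGE user=bob result=SUCCESS
2015-06-06 14:02:17 OBJECT_ACCESS user=bob object=printer-queue action=write
2015-06-06 17:58:21 LOGOFF user=alice host=ws01
2015-06-06 22:14:09 LOGON user=carol host=ws07 result=SUCCESS
2015-06-06 22:15:33 POLICY_CHANGE user=carol object=audit_policy action=disable
2015-06-06 23:02:10 SHUTDOWN host=ws07 user=carol
2015-06-07 02:00:00 LOGON user=dave host=ws03 result=FAILURE
2015-06-07 02:00:05 LOGON user=dave host=ws03 result=FAILURE
2015-06-07 02:00:09 LOGON user=dave host=ws03 result=FAILURE
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<event>[A-Z_]+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(text: str) -> List[Dict[str, object]]:
    """Turn each well-formed line into a dict; malformed lines are skipped, not guessed."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields: Dict[str, object] = dict(KV_RE.findall(m.group("rest")))
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        fields["event"] = m.group("event")
        events.append(fields)
    return events


def summarize(events: List[Dict[str, object]]) -> Counter:
    """Counts per event category (the categories on the slide appear as event names)."""
    return Counter(str(e["event"]) for e in events)


def after_hours_logons(events, start_hour: int = 8, end_hour: int = 18):
    """Successful or failed logons outside the assumed working window."""
    return [e for e in events
            if e["event"] == "LOGON" and not (start_hour <= e["ts"].hour < end_hour)]


def failed_logon_bursts(events, threshold: int = 3) -> Dict[str, int]:
    """Accounts with at least `threshold` failed logons in the log window."""
    counts = Counter(str(e["user"]) for e in events
                     if e["event"] == "LOGON" and e.get("result") == "FAILURE")
    return {user: n for user, n in counts.items() if n >= threshold}


def audit_policy_disabled(events):
    """Policy changes that switch auditing off deserve a direct look."""
    return [e for e in events
            if e["event"] == "POLICY_CHANGE" and e.get("action") == "disable"]


if __name__ == "__main__":
    evs = parse(AUDIT_LOG)
    print("event counts:", dict(summarize(evs)))
    print("after-hours logons:", [(e["user"], e["ts"].isoformat()) for e in after_hours_logons(evs)])
    print("failed-logon bursts:", failed_logon_bursts(evs))
    print("audit policy disabled by:", [e["user"] for e in audit_policy_disabled(evs)])
```

The checks are deliberately simple thresholds; the value is in running them on a schedule (the "audits at regular intervals" item on the previous slides) and in treating a disabled audit policy as a finding in its own right, since it blinds every later check.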
  16. System Policies:
     - All systems should be configured behind a proper firewall gateway.
     - Systems should strictly have only licensed software installed, and only as required for use.
     - Every system should allow login only to authenticated users with complex passwords.
     - A password must be initially assigned to a user when enrolled on the system.
     - Users must remember their passwords.
     - Users must enter their passwords into the system at authentication time.
  17. IT Admin Policies:
     - A user's password must be changed periodically.
     - The system must maintain a "password database".
     - All systems must have user and administrator roles defined.
     - Scheduled audits to ensure compliance with the IT security policies.
     - Administrator passwords should not be shared.
     - No spam or network-violating activities within the organization.
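Slides 16 and 17 together describe a password policy (complex passwords, initial assignment at enrolment, periodic change, a password database, user and administrator roles). The following is an added example of how those rules are enforced in code; it is not from the presentation. The concrete numbers (12-character minimum, three of four character classes, 90-day rotation, PBKDF2 iteration count) are assumed values, since the slides only say "complex" and "periodically". The one point the slides leave implicit is shown explicitly: the "password database" stores salted hashes, never the passwords themselves.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Policy parameters (assumed values; the presentation only says "complex" and "periodically").
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
PBKDF2_ITERATIONS = 200_000
CHARACTER_CLASSES = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
                     re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9\s]")]


def complexity_errors(password: str, username: str) -> List[str]:
    """Return every policy rule the candidate password breaks (empty list = acceptable)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if sum(1 for cls in CHARACTER_CLASSES if cls.search(password)) < 3:
        errors.append("needs at least three of: lowercase, uppercase, digit, symbol")
    if username.lower() in password.lower():
        errors.append("contains the user name")
    return errors


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the database never stores the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordDatabase:
    """The "password database" the slides require, with user/administrator roles."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def enroll(self, username: str, password: str, role: str = "user",
               now: Optional[datetime] = None) -> None:
        """Assign the initial password at enrolment; a periodic change is the same
        call again with the new password, so it passes the same complexity check."""
        if role not in ("user", "administrator"):
            raise ValueError("role must be 'user' or 'administrator'")
        errors = complexity_errors(password, username)
        if errors:
            raise ValueError("; ".join(errors))
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest, "role": role,
                                 "changed": now or datetime.now()}

    def authenticate(self, username: str, password: str) -> bool:
        """Recompute the digest with the stored salt and compare in constant time."""
        record = self._users.get(username)
        if record is None:
            hash_password(password)    # same cost for unknown users, so timing does not reveal enrolment
            return False
        _, digest = hash_password(password, record["salt"])
        return hmac.compare_digest(digest, record["digest"])

    def must_change(self, username: str, now: Optional[datetime] = None) -> bool:
        """True once the password is older than the rotation period."""
        age = (now or datetime.now()) - self._users[username]["changed"]
        return age > timedelta(days=MAX_AGE_DAYS)

    def roles(self) -> Dict[str, str]:
        return {user: rec["role"] for user, rec in self._users.items()}


if __name__ == "__main__":
    db = PasswordDatabase()
    db.enroll("alice", "Tr0ub4dor&Sp1ne!", now=datetime(2015, 6, 6))
    db.enroll("root", "Adm1n-Passw0rd#2015", role="administrator", now=datetime(2015, 6, 6))
    print("alice ok:", db.authenticate("alice", "Tr0ub4dor&Sp1ne!"))
    print("alice must change on 2015-09-15:", db.must_change("alice", now=datetime(2015, 9, 15)))
    print("roles:", db.roles())
    print("weak password errors:", complexity_errors("alice123", "alice"))
```

Two design points carry the policy's intent: rotation is enforced by recording when the password was set and checking the age at logon time, not by trusting users to remember to change it, and the role is a property of the database record, so an audit (slide 17's scheduled audits) can list every administrator account from one place.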
  18. Presented by Senseware (IT Admin Responsibilities: Managed IT). Thank you for the time devoted.