Module LVI - Security Policies
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
File000169

  1. Module LVI - Security Policies
  2. News: How to Stop the Grinch from Stealing your Corporate Data
     Organizations are feeling the effects of data leakage every day: the average cost of a data breach for a publicly traded company is $6.3 million and the stock price drops five percent and it takes a full year to recover. Companies spend millions of dollars each year to protect their information from outside threats, but it is becoming more evident that they need to secure data from within by developing an effective Data Leakage Prevention (DLP) strategy. Safend, a leading provider of enterprise endpoint DLP solutions, has devised the top-five tips for keeping your data safe during the holidays and beyond. These tips include:
       -- Employ a Sound Auditing Process: Portable storage devices such as iPods, PDAs, smart phones and other mobile devices, have become pervasive in the workplace. Allowing your employees to use their iPods at work may be a good way to increase morale but it also poses a security threat. Knowing what devices are connecting to what endpoints will help administrators monitor and avoid these threats.
       -- Written Data Security Policies: The major concern with portable devices is the fear that the device may be lost or stolen, putting the data it contains at serious risk. In order to truly ensure the security of confidential data stored on portable devices, effective DLP strategies and policies need to be deployed, including written usage policies.
       -- Access Control: To make sure that users cannot easily circumvent security policies, it is important to first make sure the policies in place are flexible enough that they don't hinder productivity, but strong enough to prevent data leakage threats.
       -- Encrypt Everything: Many enterprises feel that they have covered all their security bases with the implementation of security policies, employee training and endpoint protection technology and are reluctant to invest in another product or add another level of security.
     Source: http://www.reuters.com/
  3. Module Objective
     This module will familiarize you with:
       • Access Control Policy
       • Administrative Security Policies & Procedures
       • Audit Trails and Logging Policies
       • Documentation Policy
       • Evidence Collection and Preservation Policies
       • Information Security Policy
       • National Information Assurance (IA) Certification and Accreditation (C&A) Process Policy
       • Personnel Security Policies & Guidance
  4. Module Flow
       • Access Control Policy
       • Administrative Security Policies and Procedures
       • Audit Trails and Logging Policies
       • Documentation Policy
       • Evidence Collection and Preservation Policies
       • Information Security Policy
       • National Information Assurance (IA) Certification and Accreditation (C&A) Process Policy
       • Personnel Security Policies & Guidance
  5. Access Control Policy
     An access control policy is a permission for a user to perform a set of actions on a set of resources.
     A user cannot access a system unless authorized through one or more access control policies.
     Basic elements of an access control policy:
       • Users: Those who use the system
       • Resources: The objects that are to be protected
       • Actions: Activities performed by the user on resources
       • Relationships: Conditions that exist between users and resources
  6. Access Control Policy (cont'd)
     Basic elements of an access control policy:
       • Access group: Group of users to which the policy applies
       • Action group: Group of actions performed by the user on resources
       • Resource group: Resources controlled by the policy
       • Relationship: Each resource class can have a set of relationships associated with it; each resource can have a set of users that fulfill each relationship
  7. Access Control Policy (cont'd)
     Access group policy defines:
       • Access group to which a user belongs
       • Actions which the user is permitted to perform on a specific action group
       • How long the user can satisfy a particular relationship with respect to the resource
     Example: [AllUsers,UpdateDoc,doc,creator] implies that users can update a document if they are the creator of the document.
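The four-element policy tuple from the slides above, evaluated with default deny, as an added example that is not part of the original deck. Only `[AllUsers, UpdateDoc, doc, creator]` comes from the page; the other groups, users, the `Resource` shape, and the modelling of implicit groups as predicates and explicit groups as member lists are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Policy:
    access_group: str                    # who the policy applies to
    action_group: str                    # which actions it covers
    resource_group: str                  # which resources it controls
    relationship: Optional[str] = None   # None: no relationship required


@dataclass
class Resource:
    name: str
    resource_class: str
    # relationship name -> set of users that fulfill it for this resource
    relationships: dict = field(default_factory=dict)


# Assumption: implicit groups are membership rules, explicit groups are lists.
IMPLICIT_ACCESS_GROUPS = {"AllUsers": lambda user: True}
EXPLICIT_ACCESS_GROUPS = {"Editors": {"carol"}}           # constructed
ACTION_GROUPS = {"UpdateDoc": {"update"}, "ReadDoc": {"read"}}
RESOURCE_GROUPS = {"doc": {"document"}}                   # group -> classes

POLICIES = [
    Policy("AllUsers", "UpdateDoc", "doc", "creator"),    # tuple from the page
    Policy("Editors", "UpdateDoc", "doc"),                # constructed
    Policy("AllUsers", "ReadDoc", "doc"),                 # constructed
]


def in_access_group(user, group):
    """True if the user belongs to the named implicit or explicit group."""
    if group in IMPLICIT_ACCESS_GROUPS:
        return IMPLICIT_ACCESS_GROUPS[group](user)
    return user in EXPLICIT_ACCESS_GROUPS.get(group, set())


def authorize(user, action, resource, policies=POLICIES):
    """Return the first policy that grants the request, or None (deny).

    Access is granted only when one policy matches on all four elements;
    unknown groups, actions or resource classes never match.
    """
    for p in policies:
        if not in_access_group(user, p.access_group):
            continue
        if action not in ACTION_GROUPS.get(p.action_group, set()):
            continue
        if resource.resource_class not in RESOURCE_GROUPS.get(p.resource_group, set()):
            continue
        if p.relationship is not None and user not in resource.relationships.get(
            p.relationship, set()
        ):
            continue
        return p
    return None


# Constructed sample resources.
REPORT = Resource("q3-report", "document", {"creator": {"alice"}})
DATABASE = Resource("hr-db", "database", {"creator": {"alice"}})

if __name__ == "__main__":
    for user, action in [("alice", "update"), ("bob", "update"),
                         ("carol", "update"), ("bob", "read"),
                         ("alice", "delete")]:
        granted = authorize(user, action, REPORT)
        print(user, action, "ALLOW via" if granted else "DENY", granted or "")
```

Returning the matching policy rather than a bare boolean lets the decision be written to the audit trail together with the rule that granted it.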
  8. Access Control Policy (cont'd)
     The different sections associated with access control:
     Member groups:
       • Access groups
       • Implicit access group
       • Explicit access group
       • User groups
     Action:
       • Action groups
     Resource category:
       • Resources
       • Controller command resources
       • Data bean resources
       • Data resources
  9. Access Control Policy (cont'd)
     Resource groups:
       • Implicit resource groups
       • Explicit resource groups
     Relationships:
       • Relationship groups
       • Relationship chains
  10. Access Control Policy (cont'd)
     Steps involved in access control management:
       • Control access to information
       • Manage the allocation of access rights
       • Encourage responsible access practices
       • Control access to computer networks
       • Restrict access at operating system level
       • Manage access to application systems
       • Monitor system access and use
       • Protect mobile and teleworking assets
  11. Administrative Security Policies and Procedures
       • Administrative security practices describe the resources needed to achieve risk management
       • They specify the responsibility to manage the information security risk of the organization
       • Organizational security policies describe the way of maintaining security within the organization
       • Employees should understand and follow the organizational security policies
       • Policies may not be followed in certain circumstances because of business requirements
       • Policies are ignored in situations where they are difficult to follow
       • Policies are to be included for the purpose of strong security even though they are sometimes not followed or are ignored
  12. Administrative Security Policies and Procedures (cont'd)
     Administrative security policy best practices:
     Information Policy:
       • Describes the information sensitivity in an organization
       • Defines methods of proper storage, transmission, and marking of that information
     Security Policy:
       • Describes the security configurations and technical controls that are to be implemented on computer systems by the users and administrators
  13. Administrative Security Policies and Procedures (cont'd)
     Use Policy:
       • Also called an acceptable use policy
       • Identifies the authenticated uses and penalties for misusing organizational systems
       • Identifies the standard method of installing software on organizational computers
     Backup Policy:
       • Describes the frequency of information backups and moving them to off-site storage
       • These policies identify the length of time backups must be stored prior to reuse
  14. Administrative Security Policies and Procedures (cont'd)
     Security policies help employees in performing their duties and identify steps to respond to security incidents.
     The organizational security procedures are defined as follows:
     Procedure for user management:
       • This procedure states who can authorize access to an organization's computer system
       • Identifies the information that is to be maintained by the system administrator to identify users calling for assistance
       • Defines who has responsibility to inform the system administrator to terminate an account
  15. Administrative Security Policies and Procedures (cont'd)
     System administration procedures:
       • Defines the procedure to implement security policies in an organization
       • Defines the procedure to manage patches and apply them to systems
     Configuration management procedures:
       • Defines procedures to make changes in production systems
       • Changes can also include software and hardware upgrades, initializing new systems and removing systems that are no longer used
  16. Audit Trails and Logging Policies
     Audit trails maintain a record of system activities such as computer events, applications, or user activities.
     They help to detect security violations, performance problems and flaws.
     A simple auditing model consists of two parts:
       • Audit Data Collector, which collects the audit data
       • Audit Data Analyzer, which analyzes the audit data transferred to it by the Audit Data Collector
  17. Audit Trails and Logging Policies (cont'd)
     Benefits of audit trails in the area of computer security:
     Individual Accountability:
       • Tracking an individual's actions in an audit trail
       • Users are completely responsible for violating the security policies
     Reconstructing Events:
       • Audit trails are used for reconstructing events after a problem has occurred
       • The amount of damage and the reasons a problem occurred can be known through an audit trail
     Problem Monitoring:
       • Audit trails can be used as online tools for problem monitoring
       • This helps to detect disk failures and excess utilization of system resources
     Intrusion Detection:
       • An audit trail helps in discovering the root cause of a problem and assessing the damage due to an incident
  18. Audit Trails and Logging Policies (cont'd)
       • System activity is examined by checking the logs
       • These logs are generated by systems and major software packages
       • Logs produced can record the users' activity on a system or a network
       • Logging policies vary according to environment
       • It is impossible to log every command executed on a computer system
       • Logging policies should define the relevant events that are to be logged
  19. Audit Trails and Logging Policies (cont'd)
     Logging policies should include security-relevant events in the logs.
     This could guarantee the forensic information, and the record of security violations, required to know how the security violations manifested themselves.
     Other logging policy considerations include:
       • Logs should maintain auditing in a way consistent with the system that generates their entries
       • Logs should provide sufficient information to support accountability and traceability for all privileged system commands
       • Logs should maintain the details regarding user-initiated, security-relevant activities
       • Logs must be able to rebuild production information for databases
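The two-part auditing model and the logging-policy points from the slides above, as an added example that is not part of the original deck. The event names, required fields, threshold and sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed logging policy: the security-relevant events to keep and the
# fields each record needs to support accountability and traceability.
RELEVANT_EVENTS = {"login_failed", "login_ok", "priv_command", "account_change"}
REQUIRED_FIELDS = ("time", "user", "host", "event")

# Constructed sample records, deliberately out of order.
RAW_EVENTS = [
    {"time": "2024-01-10T09:00:05", "user": "bob", "host": "srv1", "event": "login_failed"},
    {"time": "2024-01-10T09:00:20", "user": "bob", "host": "srv1", "event": "login_ok"},
    {"time": "2024-01-10T09:00:09", "user": "bob", "host": "srv1", "event": "login_failed"},
    {"time": "2024-01-10T09:00:14", "user": "bob", "host": "srv1", "event": "login_failed"},
    {"time": "2024-01-10T09:01:00", "user": "bob", "host": "srv1",
     "event": "priv_command", "detail": "sudo systemctl restart sshd"},
    {"time": "2024-01-10T08:55:00", "user": "alice", "host": "srv1", "event": "login_ok"},
    {"time": "2024-01-10T09:02:00", "user": "alice", "host": "srv1", "event": "file_read"},
    {"time": "2024-01-10T09:03:00", "user": "", "host": "srv2", "event": "priv_command"},
]


def collect(raw_events, relevant=RELEVANT_EVENTS, required=REQUIRED_FIELDS):
    """Audit Data Collector: keep only policy-relevant, complete records.

    Returns (kept, incomplete). Incomplete records are relevant events that
    cannot be attributed because a required field is missing or empty.
    """
    kept, incomplete = [], []
    for ev in raw_events:
        if ev.get("event") not in relevant:
            continue  # not security relevant under this policy
        if any(not ev.get(name) for name in required):
            incomplete.append(ev)
        else:
            kept.append(ev)
    return kept, incomplete


def reconstruct(kept):
    """Audit Data Analyzer, step 1: per-user timeline in time order."""
    timeline = defaultdict(list)
    for ev in sorted(kept, key=lambda e: datetime.fromisoformat(e["time"])):
        timeline[ev["user"]].append(ev)
    return dict(timeline)


def flag_failed_then_success(timeline, threshold=3):
    """Audit Data Analyzer, step 2: successful logins that follow at least
    `threshold` consecutive failures for the same user."""
    flagged = []
    for user, events in timeline.items():
        failures = 0
        for ev in events:
            if ev["event"] == "login_failed":
                failures += 1
            elif ev["event"] == "login_ok":
                if failures >= threshold:
                    flagged.append((user, ev["time"]))
                failures = 0
    return flagged


if __name__ == "__main__":
    kept, incomplete = collect(RAW_EVENTS)
    timeline = reconstruct(kept)
    print("kept:", len(kept), "unattributable:", len(incomplete))
    print("flagged:", flag_failed_then_success(timeline))
```

The `incomplete` list is worth reviewing on its own: a privileged command with no user recorded is a gap in the logging configuration, not just a dropped record.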
  20. Documentation Policy
     Documentation policy determines the documentation needs of an organization, such as network and server documentation.
     Network documentation defines the documentation about switch ports connected to rooms and computers.
     Server documentation defines the documentation of configuration information and running services.
     Both the server and network documentation policies define:
       • Who has the authority to access, read and change the network or server documentation
       • The authorized person to be notified about the changes made in the network or server
  21. Documentation Policy (cont'd)
     In server documentation, the following items are to be documented and reviewed:
       • Name, location, and function of the server
       • Hardware components of the system
       • List of software running on the server
       • Configuration information about the server
       • Types of data and the owners of the data stored on the server
       • Data on the server that is to be backed up
       • Users or groups having access to the data stored on the server and their authentication process and protocols
       • Administrators on the server and the authentication process and protocols
       • Data and authentication encryption requirements
       • Users accessing data from remote locations
       • Administrators administering the server from remote locations
  22. Documentation Policy (cont'd)
     Things to be documented in network documentation are as follows:
       • Locations and IP addresses of all hubs, switches, routers, and firewalls on the network
       • Various security zones on the network and devices that control access between them
       • Locations of every network drop and the associated switch and port on the switch supplying that connection
       • Interrelationship between all network devices showing lines running between the network devices
       • All subnets on the network and their relationships
       • All wide area network (WAN) or metropolitan area network (MAN)
       • Network devices configuration information
       • DHCP server settings
  23. Evidence Collection and Preservation Policies
     Evidence collection policies are required whenever a security incident occurs.
     A security incident is defined as an event where the security policy is breached.
     Guiding principles of evidence collection:
       • Engage law enforcement personnel holding your site's security policy
       • Make a note of the time and the dates
       • Be prepared to be a witness outlining all the actions along with the time
       • Do not minimize or update the collected data
       • Analysis of data should be done after collection
       • Adopt a methodical approach
  24. Evidence Collection and Preservation Policies (cont'd)
     Steps involved in evidence collection:
       • List the systems from which evidence is to be collected
       • Find the data which is relevant and acceptable
       • Obtain the relevant order of volatility for every system
       • Note the level of the system's clock drift
       • Think and guess the further evidence from the collected data
       • Maintain clear documentation of every step
       • Note the witness of the people involved in the incident
  25. Evidence Collection and Preservation Policies (cont'd)
     Steps involved in preserving the evidence:
       • Evidence collected should be secured properly and the chain of custody should be documented
       • Use common storage media rather than obscure storage media
       • Access to the evidence is to be restricted
       • Document the following details:
           • Where, when and by whom the evidence was discovered
           • Where, when and by whom the evidence was handled or examined
           • Where the evidence was stored
           • Where and when the shipment of evidence occurred
  26. Information Security Policy
     Information security policies strengthen the security of information resources.
     They lay the foundation for information security within an organization.
     The goal of information security policy is to:
       • Define the integrity, confidentiality, and availability requirements for the information being used
       • Ensure that these requirements are effectively communicated to the individuals who interact with the information
       • Use, manage, and distribute such information in a way consistent with these requirements
  27. Information Security Policy (cont'd)
     Information security is achieved by security practices such as the management of vulnerable points and securing system files.
     In the case of applications, information security is applied to data input and output by encoding information using electronic keys.
     The security requirements of information systems are as follows:
       • Identification of security controls
       • Input data validation
       • Control of internal processing
       • Message integrity
       • Output data validation
       • Cryptographic controls use policy
       • Key management
       • Operational software control
       • System test data protection
       • Access control to program source code
       • Security in development and support processes
       • Vulnerability management
  28. National Information Assurance (IA) Certification & Accreditation (C&A) Process Policy
       • NIACAP sets up a standard national process, set of activities, general tasks, and a management structure
       • It certifies and recognizes systems which maintain the information assurance and security posture of a system
       • This process accomplishes the requirements of documented security
       • The accredited security posture is maintained all through the system life cycle
       • The process comprises existing system certifications and product evaluations
       • Process users must align the process with their program strategies and incorporate the activities into their enterprise system life cycle
  29. National Information Assurance (IA) Certification & Accreditation (C&A) Process Policy (cont'd)
       • Agreement between the IS program manager, Designated Approving Authority (DAA), certification agent (certifier), and user representative is the main aspect of NIACAP
       • Critical schedule, budget, security, functionality, and performance issues are determined by these individuals
       • The System Security Authorization Agreement (SSAA) contains the documentation of NIACAP agreements
       • The results of Certification and Accreditation (C&A) are documented using the SSAA
       • The objective is to use the SSAA to establish an evolving yet binding agreement on the level of security required before the system development begins or changes to
  30. Personnel Security Policies & Guidance
     Personnel security policies include the safety measures to be taken regarding company employees.
     They also concern individuals visiting the place for business purposes.
     Managers should implement the personnel security policies to:
       • Ensure trustworthiness of the people in the posts who require access to official information
       • Protect the official information before granting them access
       • Provide the terms and conditions to the employee accessing the official information
  31. Personnel Security Policies & Guidance (cont'd)
     Elements of personnel security:
     Personal Screening:
       • It is a pre-employment check while recruiting employees, which involves the employee's background check
       • This is done as the employee is given access to the official information
       • While recruiting an employee for a permanent staff position, he must be checked for:
           • Satisfactory character referees
           • Accuracy of the curriculum vitae and qualifications
       • Before appointing an employee, verify his identity and character through referees and request a criminal background check report from police
       • Similarly, an employee being recruited for a temporary staff position can be checked through an agency
  32. Personnel Security Policies & Guidance (cont'd)
     Granting access:
       • The authority given to access official information
       • Chief executives should grant permanent staff access to official information after verifying their credentials through:
           • Pre-employment checks
           • Periodic reviews
           • Approval procedures
           • Sound terms & conditions of the employment
       • Avoid granting access to the most sensitive sites as there are chances of indirect exposure by staff or visitors
       • Individuals granted access must be issued a pass, access card or identity card
       • A further basic check can be done after the pre-employment check on staff or contractors who need frequent access to sensitive sites
  33. Summary
       • An access control policy is a permission for a user to perform a set of actions on a set of resources
       • Administrative security practices describe the resources needed to achieve risk management
       • Backup policy describes the frequency of information backups and moving them to off-site storage
       • Audit trails maintain a record of system activities like computer events, applications, or user activities
       • Documentation policy determines the requirements for documentation like networks and servers
       • Information security policies strengthen the security of information resources