Uploaded byphanleson
PDF, PPTX561 views

Ch06 Policy

The document discusses the importance of policy in defining an organization's security scope and expectations. It provides examples of key policies around information, security, computer and internet use, and procedures for user management, backups, incident response and disaster recovery. Effective policy creation involves risk assessment, stakeholder input, and regular review to ensure ongoing relevance. Deployment requires security awareness training and compliance audits.

Embed presentation

Download as PDF, PPTX
Lesson 6-Policy
Overview Understanding why policy is important. Defining various policies. Creating an appropriate policy. Deploying policies. Using policy effectively.
Understanding Why Policy is Important The two primary functions of a policy are: It defines the scope of security within an organization. It clearly states the expectations from everyone in the organization.
Understanding Why Policy is Important Policy defines how security should be implemented. It includes the system configurations, network configurations, and physical security measures. It defines the mechanisms used to protect information and systems. It defines how organizations should react when security incidents occur.
Understanding Why Policy is Important Policy provides the framework for employees to work together. It defines the common goals and objectives of the organization’s security program. Proper security awareness training helps implement policy initiatives effectively.
Defining Various Policies Information policy. Security policy. Computer use policy. Internet use policy. E-mail policy. User management procedures.
Defining Various Policies System administration procedures. Backup policy. Incident response policy. Configuration management procedures. Design methodology. Disaster recovery plans.
Information Policy Identification of sensitive information. Classifications. Marking and storing sensitive information. Transmission of sensitive information. Destruction of sensitive information.
Identification of Sensitive Information Sensitive information differs depending on the business of the organization. It may include business records, product designs, patent information, and company phone books. It may also include payroll, medical insurance, and any other financial information.
Classifications Only the lowest level of information should be made public. All proprietary, company sensitive, or company confidential information is releasable to employees. All restricted or protected information must be made available to authorized employees only.
Marking and Storing Sensitive Information The policy must mark all sensitive information. It should address the storage mechanism for information on paper or on computer systems. Incase of information stored on computer systems, the policy should specify appropriate levels of protection. Use encryption wherever required.
Transmission of Sensitive Information The policy addresses how sensitive information needs to be transmitted. It specifies the encryption method to be used while transmitting information through electronic mail. Incase of hardcopies of information, request a signed receipt.
Destruction of Sensitive Information To destroy sensitive information: Shred the information on paper. Use cross-cut shredders that provide an added level of protection. PGP desktop and BCWipe can be used to delete documents placed on a desktop.
Security Policy Identification and authentication. Access control. Audit. Network connectivity.
Security Policy Malicious code. Encryption. Waivers. Appendices.
Identification and Authentication The security policy defines how users will be identified. It defines the primary authentication mechanism for users and administrators. It defines stronger mechanism for remote access such as VPN or dial-in access.
Access Control The security policy defines the standard requirement for access control of electronic files. The requirement includes the required mechanism and the default requirements for new files. The mechanism should work with authentication mechanism to allow only authorized users to access the information.
Audit Security policies must frequently audit the following events: Logins (successful and failed). Logouts. Failed access to files or system objects. Remote access (successful and failed). Privileged actions. System events (such as shutdowns and reboots).
Audit Each event should also capture the following information: User ID (if there is one) Date and time Process ID (if there is one) Action performed Success or failure of the event
Network Connectivity The security policy specifies the rules for network connectivity and the protection mechanisms. It includes: Dial-in connections. Permanent connections. Remote access of internal systems. Wireless networks.
Malicious Code The security policy specifies where security programs that look for malicious code need to be placed. Some appropriate locations are file servers, desktop systems, and electronic mail servers. It should specify the requirements for security programs. It should require updates of signatures for such security programs on a periodic basis.
Encryption The security policy should define the acceptable encryption algorithms for use. It can refer to the information policy to choose the appropriate algorithms to protect sensitive information. It should also specify the procedures required for key management.
Waivers The security policy should provide a mechanism for risk assessment and formulating a contingency plan. For each situation, the system designer or project manager should fill a waiver form. The security department reviews the waiver request and provides risk assessment results and recommendations to minimize the risk. The waiver should be approved by the organization’s officer in charge of the project.
Appendices The security policy appendices should have details of: Security configurations for various operating systems. Network devices. Telecommunication equipments.
Computer Use Policy Ownership of computers - States that all computers are owned by the organization. Ownership of information - States that all information stored on or used by the organization’s computers is proprietary to the organization.
Computer Use Policy Acceptable use of computers - States all acceptable and unacceptable use of the organization’s computers. No expectation of privacy - States that the employee have no expectation of privacy for any information stored, sent, or received on the organization’s computers.
Internet Use Policy The Internet use policy is a part of the general computer use policy. It can be a separate policy due to the specific nature of the Internet use. The Internet use policy defines the appropriate uses of the Internet within an organization. It may also define inappropriate uses such as visiting non- business-related web sites.
E-mail Policy Internal mail issues - The electronic mail policy should not be in conflict with other human resource policies. External mail issues - Electronic mail leaving an organization may contain sensitive information. Therefore, it may be monitored.
User Management Procedures New employment procedure - Provides new employees with the proper access to computer resources. Transferred employee procedure - Reviews employee’s computer access when they are transferred within the organization. Employee termination procedure - Ensures removal of users who no longer work for the organization.
System Administration Procedure Software upgrades - Defines how often a system administrator will check for new patches or updates. Vulnerability scans - Defines how often and when the scans will be conducted by security. Policy reviews - Specifies the security requirements for each system.
System Administration Procedure Log reviews - Specifies configuration of automated tools that create log entries and how exceptions must be handled. Regular monitoring - Documents when network traffic monitoring will occur.
Backup Policy Frequency of backups - Identifies how often backups actually occur. Storage of backups - Defines how to store backups in a secure location. It also states the mechanism for requesting and restoring backups. Information to be backed up - Identifies which data needs to be backed up more frequently.
Incident Response Procedure Incident handling objectives - Specifies the objectives of the organization when handling an incident. Event identification - States corrective actions for an intrusion or user mistake. Escalation - Specifies an escalation procedure such as activating an incident response team. Information control - Specifies what information is classified and what can be made public.
Incident Response Procedure Response - Defines the type of response when an incident occurs. Authority - Defines which individual within the organization or the incident response team has the authority to take action. Documentation - Defines how the incident response team should document its actions. Testing of the procedure - Tests the IRP once it is written. It also identifies the loop holes in the procedure and suggests corrective actions.
Configuration Management Procedures Initial system state - Documents the state of a new system when it goes into production. It should include details of the operating system, version, patch level, application details, and configuration details. Change control procedure - Executes a change control procedure when a change is to be made to an existing system.
Design Methodology Requirements definition - Specifies the security requirements that need to be included during the requirement definition phase. Design - Specifies that security should be represented to ensure that the project is secured during the design phase. Test - Specifies that when the project reaches the testing phase, the security requirement should also be tested. Implementation - Specifies that the implementation team should use proper configuration management procedures.
Disaster Recovery Plans Single system or device failures - Includes a network device, disk, motherboard, network interface card, or component failure. Data center events - Provides procedures for a major event within a data center. Site events - Identifies the critical capabilities that need to be restored. Testing the DRP - Identifies key employees and performs walkthroughs of the plan periodically.
Creating an Appropriate Policy To create an appropriate policy: Identify which policies are most relevant and important to an organization. Conduct a risk assessment to identify risk areas. Define all acceptable and unacceptable employee behavior. State all restrictions clearly. Identify individuals and other stakeholders who will be affected by the policy. State expectations clearly.
Creating an Appropriate Policy To create an appropriate policy: Define a set of possible outlines. Draft the policy based on the outline. Include stakeholders during discussions and invite suggestions. Brainstorm before developing the final policy.
Deploying the Policy Every department of the organization that is affected by the policy must accept the underlying concept. Conduct security awareness training where employees are informed of the intended change. Make well-planned transitions rather than radical changes while implementing the policy.
Using Policy Effectively Identify security requirements early in the process. Security should be a part of the design phase of the project. Examine existing systems to ensure it is in compliance to new policies. Conduct periodic audits to ensure compliance with the policy. Review policies regularly to ensure they are still relevant for the organization.
Summary Policies define how security is implemented within an organization. Each policy must have a purpose, scope, and responsibility. An organization must establish information policy, security policy, computer use policy, Internet and e-mail policy, and a backup policy. An organization must also define user management, system administration, incident response, and configuration management procedures.
Summary The disaster recovery plan details recovery action for various levels of failures. While creating a policy ensure that it will be relevant and important to an organization. Involve stakeholders in policy discussions. Conduct security awareness trainings regularly. Include security issues at each development phase of a project.

More Related Content

PPTX
Logging, monitoring and auditing
byPiyush Jain
 
PDF
Ch09 Information Security Best Practices
byphanleson
 
PDF
Ch08 8 Information Security Process it-slideshares.blogspot.com
byphanleson
 
PPT
Information security policy_2011
bycodka
 
PPTX
Domain 1 - Security and Risk Management
byMaganathin Veeraragaloo
 
PPT
Security Policies
byphanleson
 
PPT
Implementing security
byDhani Ahmad
 
PPTX
Security Policies and Standards
byprimeteacher32
 
Logging, monitoring and auditing
byPiyush Jain
 
Ch09 Information Security Best Practices
byphanleson
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
byphanleson
 
Information security policy_2011
bycodka
 
Domain 1 - Security and Risk Management
byMaganathin Veeraragaloo
 
Security Policies
byphanleson
 
Implementing security
byDhani Ahmad
 
Security Policies and Standards
byprimeteacher32
 

What's hot

PDF
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
byChristina33713
 
PPTX
Domain 5 - Identity and Access Management
byMaganathin Veeraragaloo
 
PPT
Start With A Great Information Security Plan!
byTammy Clark
 
PPT
Security policy
byDhani Ahmad
 
PPT
Network security policies
byUsman Mukhtar
 
PPTX
Understanding the security_organization
byDan Morrill
 
PDF
Chapter 10 security standart
bynewbie2019
 
PDF
Five principles for improving your cyber security
byWGroup
 
PPTX
Security Organization/ Infrastructure
byPriyank Hada
 
PPTX
Security management concepts and principles
byDivya Tiwari
 
PPT
develop security policy
byInfo-Tech Research Group
 
PPT
Testing
bylorenceman
 
PPT
Network security and policies
bywardjo
 
PPT
Information Security Policies and Standards
byDirectorate of Information Security | Ditjen Aptika
 
PDF
Physical Security Management System
byDaniel Suchy, CPP, MSyI
 
PPT
The Importance of Security within the Computer Environment
byAdetula Bunmi
 
PDF
Guide for Applying The Risk Management Framework to Federal Information Systems
byGuillermo Remache
 
PPT
It Audit And Forensics
byJED Consulting Services LLC
 
DOCX
Information security management iso27001
byHiran Kanishka
 
PPTX
Information Security Blueprint
byZefren Edior
 
RISK MANAGEMENT: 4 ESSENTIAL FRAMEWORKS
byChristina33713
 
Domain 5 - Identity and Access Management
byMaganathin Veeraragaloo
 
Start With A Great Information Security Plan!
byTammy Clark
 
Security policy
byDhani Ahmad
 
Network security policies
byUsman Mukhtar
 
Understanding the security_organization
byDan Morrill
 
Chapter 10 security standart
bynewbie2019
 
Five principles for improving your cyber security
byWGroup
 
Security Organization/ Infrastructure
byPriyank Hada
 
Security management concepts and principles
byDivya Tiwari
 
develop security policy
byInfo-Tech Research Group
 
Testing
bylorenceman
 
Network security and policies
bywardjo
 
Information Security Policies and Standards
byDirectorate of Information Security | Ditjen Aptika
 
Physical Security Management System
byDaniel Suchy, CPP, MSyI
 
The Importance of Security within the Computer Environment
byAdetula Bunmi
 
Guide for Applying The Risk Management Framework to Federal Information Systems
byGuillermo Remache
 
It Audit And Forensics
byJED Consulting Services LLC
 
Information security management iso27001
byHiran Kanishka
 
Information Security Blueprint
byZefren Edior
 

Viewers also liked

PPT
Jdbc
byphanleson
 
PPT
5.Dns Rpc Nfs
byphanleson
 
PPT
30 5 Database Jdbc
byphanleson
 
PPT
2.Public Vulnerability Databases
byphanleson
 
PPT
Thread
byphanleson
 
PPT
Rmi
byphanleson
 
PPT
7.Canon & Dt
byphanleson
 
PDF
Ch20 Wireless Security
byphanleson
 
PDF
Ch18 Internet Security
byphanleson
 
PDF
Ch07 Managing Risk
byphanleson
 
PDF
Ch14 Desktop Protection
byphanleson
 
PDF
Ch11 Vpn
byphanleson
 
PDF
7.Trust Management
byphanleson
 
PDF
Ch12 Encryption
byphanleson
 
Jdbc
byphanleson
 
5.Dns Rpc Nfs
byphanleson
 
30 5 Database Jdbc
byphanleson
 
2.Public Vulnerability Databases
byphanleson
 
Thread
byphanleson
 
Rmi
byphanleson
 
7.Canon & Dt
byphanleson
 
Ch20 Wireless Security
byphanleson
 
Ch18 Internet Security
byphanleson
 
Ch07 Managing Risk
byphanleson
 
Ch14 Desktop Protection
byphanleson
 
Ch11 Vpn
byphanleson
 
7.Trust Management
byphanleson
 
Ch12 Encryption
byphanleson
 

Similar to Ch06 Policy

PPTX
12 security policies
bySaqib Raza
 
PDF
Information security policy how to writing
byPasangdolmoTamang
 
PPTX
Information security: importance of having defined policy & process
byInformation Technology Society Nepal
 
PDF
For our discussion question, we focus on recent trends in security t.pdf
byalokkesh
 
DOCX
Cyber_Security_Policy
byMrinal Dutta
 
PDF
Security Policy Checklist
bybackdoor
 
PPT
Lecture3.ppt
byTSampathKumar4
 
PPT
Information security Lecture slides .ppt
byMuhammadAbdullah311866
 
PPT
Information security policy_2011
bycodka
 
PPT
lecture on cyber security_1234567890.ppt
byVijayDSK1
 
PPT
Ch14 Policies and Legislation
byInformation Technology
 
PPTX
Cyber Security unit-4.pptx for computers
by2k24mca2412994
 
PDF
ISO / IEC 27001:2005 – An Intorduction
byn|u - The Open Security Community
 
PPT
Security Management Practices
byamiable_indian
 
PPTX
Overview of ISO 27001 [null Bangalore] [Dec 2013 meet]
byn|u - The Open Security Community
 
PPT
Ch10 Conducting Audits
byInformation Technology
 
PPTX
IT Policy
bySensewareInfomedia
 
PDF
Building and implementing a successful information security policy
byRossMob1
 
PDF
Security policy.pdf
byMd. Sajjat Hossain
 
PPT
Policy-1.pptznlaldjwodmwlznalpqjdc ktpanV
bywardaabbas1
 
12 security policies
bySaqib Raza
 
Information security policy how to writing
byPasangdolmoTamang
 
Information security: importance of having defined policy & process
byInformation Technology Society Nepal
 
For our discussion question, we focus on recent trends in security t.pdf
byalokkesh
 
Cyber_Security_Policy
byMrinal Dutta
 
Security Policy Checklist
bybackdoor
 
Lecture3.ppt
byTSampathKumar4
 
Information security Lecture slides .ppt
byMuhammadAbdullah311866
 
Information security policy_2011
bycodka
 
lecture on cyber security_1234567890.ppt
byVijayDSK1
 
Ch14 Policies and Legislation
byInformation Technology
 
Cyber Security unit-4.pptx for computers
by2k24mca2412994
 
ISO / IEC 27001:2005 – An Intorduction
byn|u - The Open Security Community
 
Security Management Practices
byamiable_indian
 
Overview of ISO 27001 [null Bangalore] [Dec 2013 meet]
byn|u - The Open Security Community
 
Ch10 Conducting Audits
byInformation Technology
 
IT Policy
bySensewareInfomedia
 
Building and implementing a successful information security policy
byRossMob1
 
Security policy.pdf
byMd. Sajjat Hossain
 
Policy-1.pptznlaldjwodmwlznalpqjdc ktpanV
bywardaabbas1
 

More from phanleson

PDF
Learning spark ch01 - Introduction to Data Analysis with Spark
byphanleson
 
PPT
Firewall - Network Defense in Depth Firewalls
byphanleson
 
PPT
Mobile Security - Wireless hacking
byphanleson
 
PPT
Authentication in wireless - Security in Wireless Protocols
byphanleson
 
PPT
E-Commerce Security - Application attacks - Server Attacks
byphanleson
 
PPT
Hacking web applications
byphanleson
 
PPTX
HBase In Action - Chapter 04: HBase table design
byphanleson
 
PPT
HBase In Action - Chapter 10 - Operations
byphanleson
 
PPT
Hbase in action - Chapter 09: Deploying HBase
byphanleson
 
PPTX
Learning spark ch11 - Machine Learning with MLlib
byphanleson
 
PPTX
Learning spark ch10 - Spark Streaming
byphanleson
 
PPTX
Learning spark ch09 - Spark SQL
byphanleson
 
PPT
Learning spark ch07 - Running on a Cluster
byphanleson
 
PPTX
Learning spark ch06 - Advanced Spark Programming
byphanleson
 
PPTX
Learning spark ch05 - Loading and Saving Your Data
byphanleson
 
PPTX
Learning spark ch04 - Working with Key/Value Pairs
byphanleson
 
PPTX
Learning spark ch01 - Introduction to Data Analysis with Spark
byphanleson
 
PPT
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
byphanleson
 
PPT
Lecture 1 - Getting to know XML
byphanleson
 
PPTX
Lecture 4 - Adding XTHML for the Web
byphanleson
 
Learning spark ch01 - Introduction to Data Analysis with Spark
byphanleson
 
Firewall - Network Defense in Depth Firewalls
byphanleson
 
Mobile Security - Wireless hacking
byphanleson
 
Authentication in wireless - Security in Wireless Protocols
byphanleson
 
E-Commerce Security - Application attacks - Server Attacks
byphanleson
 
Hacking web applications
byphanleson
 
HBase In Action - Chapter 04: HBase table design
byphanleson
 
HBase In Action - Chapter 10 - Operations
byphanleson
 
Hbase in action - Chapter 09: Deploying HBase
byphanleson
 
Learning spark ch11 - Machine Learning with MLlib
byphanleson
 
Learning spark ch10 - Spark Streaming
byphanleson
 
Learning spark ch09 - Spark SQL
byphanleson
 
Learning spark ch07 - Running on a Cluster
byphanleson
 
Learning spark ch06 - Advanced Spark Programming
byphanleson
 
Learning spark ch05 - Loading and Saving Your Data
byphanleson
 
Learning spark ch04 - Working with Key/Value Pairs
byphanleson
 
Learning spark ch01 - Introduction to Data Analysis with Spark
byphanleson
 
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
byphanleson
 
Lecture 1 - Getting to know XML
byphanleson
 
Lecture 4 - Adding XTHML for the Web
byphanleson
 

Recently uploaded

PPTX
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
GenerationAI Paris 2025 | AI in Tech: Beyond Expectations, Into Execution
byapidays
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Workflow and decision Automation with Flowable
bychakib ch
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
apidays New York 2025 | AI in Application Security
byapidays
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 

Ch06 Policy

  • 1.
  • 2.
    Overview Understanding why policyis important. Defining various policies. Creating an appropriate policy. Deploying policies. Using policy effectively.
  • 3.
    Understanding Why Policyis Important The two primary functions of a policy are: It defines the scope of security within an organization. It clearly states the expectations from everyone in the organization.
  • 4.
    Understanding Why Policyis Important Policy defines how security should be implemented. It includes the system configurations, network configurations, and physical security measures. It defines the mechanisms used to protect information and systems. It defines how organizations should react when security incidents occur.
  • 5.
    Understanding Why Policyis Important Policy provides the framework for employees to work together. It defines the common goals and objectives of the organization’s security program. Proper security awareness training helps implement policy initiatives effectively.
  • 6.
    Defining Various Policies Informationpolicy. Security policy. Computer use policy. Internet use policy. E-mail policy. User management procedures.
  • 7.
    Defining Various Policies Systemadministration procedures. Backup policy. Incident response policy. Configuration management procedures. Design methodology. Disaster recovery plans.
  • 8.
    Information Policy Identification ofsensitive information. Classifications. Marking and storing sensitive information. Transmission of sensitive information. Destruction of sensitive information.
  • 9.
    Identification of Sensitive Information Sensitive information differs depending on the business of the organization. It may include business records, product designs, patent information, and company phone books. It may also include payroll, medical insurance, and any other financial information.
  • 10.
    Classifications Only the lowestlevel of information should be made public. All proprietary, company sensitive, or company confidential information is releasable to employees. All restricted or protected information must be made available to authorized employees only.
  • 11.
    Marking and StoringSensitive Information The policy must mark all sensitive information. It should address the storage mechanism for information on paper or on computer systems. Incase of information stored on computer systems, the policy should specify appropriate levels of protection. Use encryption wherever required.
  • 12.
    Transmission of Sensitive Information The policy addresses how sensitive information needs to be transmitted. It specifies the encryption method to be used while transmitting information through electronic mail. Incase of hardcopies of information, request a signed receipt.
  • 13.
    Destruction of Sensitive Information To destroy sensitive information: Shred the information on paper. Use cross-cut shredders that provide an added level of protection. PGP desktop and BCWipe can be used to delete documents placed on a desktop.
  • 14.
    Security Policy Identification andauthentication. Access control. Audit. Network connectivity.
  • 15.
  • 16.
    Identification and Authentication The security policy defines how users will be identified. It defines the primary authentication mechanism for users and administrators. It defines stronger mechanism for remote access such as VPN or dial-in access.
  • 17.
    Access Control The securitypolicy defines the standard requirement for access control of electronic files. The requirement includes the required mechanism and the default requirements for new files. The mechanism should work with authentication mechanism to allow only authorized users to access the information.
  • 18.
    Audit Security policies mustfrequently audit the following events: Logins (successful and failed). Logouts. Failed access to files or system objects. Remote access (successful and failed). Privileged actions. System events (such as shutdowns and reboots).
  • 19.
    Audit Each event shouldalso capture the following information: User ID (if there is one) Date and time Process ID (if there is one) Action performed Success or failure of the event
  • 20.
    Network Connectivity The securitypolicy specifies the rules for network connectivity and the protection mechanisms. It includes: Dial-in connections. Permanent connections. Remote access of internal systems. Wireless networks.
  • 21.
    Malicious Code The securitypolicy specifies where security programs that look for malicious code need to be placed. Some appropriate locations are file servers, desktop systems, and electronic mail servers. It should specify the requirements for security programs. It should require updates of signatures for such security programs on a periodic basis.
  • 22.
    Encryption The security policyshould define the acceptable encryption algorithms for use. It can refer to the information policy to choose the appropriate algorithms to protect sensitive information. It should also specify the procedures required for key management.
  • 23.
    Waivers The security policyshould provide a mechanism for risk assessment and formulating a contingency plan. For each situation, the system designer or project manager should fill a waiver form. The security department reviews the waiver request and provides risk assessment results and recommendations to minimize the risk. The waiver should be approved by the organization’s officer in charge of the project.
  • 24.
    Appendices The security policyappendices should have details of: Security configurations for various operating systems. Network devices. Telecommunication equipments.
  • 25.
    Computer Use Policy Ownershipof computers - States that all computers are owned by the organization. Ownership of information - States that all information stored on or used by the organization’s computers is proprietary to the organization.
  • 26.
    Computer Use Policy Acceptableuse of computers - States all acceptable and unacceptable use of the organization’s computers. No expectation of privacy - States that the employee have no expectation of privacy for any information stored, sent, or received on the organization’s computers.
  • 27.
    Internet Use Policy TheInternet use policy is a part of the general computer use policy. It can be a separate policy due to the specific nature of the Internet use. The Internet use policy defines the appropriate uses of the Internet within an organization. It may also define inappropriate uses such as visiting non- business-related web sites.
  • 28.
    E-mail Policy Internal mailissues - The electronic mail policy should not be in conflict with other human resource policies. External mail issues - Electronic mail leaving an organization may contain sensitive information. Therefore, it may be monitored.
  • 29.
    User Management Procedures Newemployment procedure - Provides new employees with the proper access to computer resources. Transferred employee procedure - Reviews employee’s computer access when they are transferred within the organization. Employee termination procedure - Ensures removal of users who no longer work for the organization.
  • 30.
    System Administration Procedure Software upgrades - Defines how often a system administrator will check for new patches or updates. Vulnerability scans - Defines how often and when the scans will be conducted by security. Policy reviews - Specifies the security requirements for each system.
  • 31.
    System Administration Procedure Log reviews - Specifies configuration of automated tools that create log entries and how exceptions must be handled. Regular monitoring - Documents when network traffic monitoring will occur.
  • 32.
    Backup Policy Frequency ofbackups - Identifies how often backups actually occur. Storage of backups - Defines how to store backups in a secure location. It also states the mechanism for requesting and restoring backups. Information to be backed up - Identifies which data needs to be backed up more frequently.
  • 33.
    Incident Response Procedure Incidenthandling objectives - Specifies the objectives of the organization when handling an incident. Event identification - States corrective actions for an intrusion or user mistake. Escalation - Specifies an escalation procedure such as activating an incident response team. Information control - Specifies what information is classified and what can be made public.
  • 34.
    Incident Response Procedure Response- Defines the type of response when an incident occurs. Authority - Defines which individual within the organization or the incident response team has the authority to take action. Documentation - Defines how the incident response team should document its actions. Testing of the procedure - Tests the IRP once it is written. It also identifies the loop holes in the procedure and suggests corrective actions.
  • 35.
    Configuration Management Procedures Initial system state - Documents the state of a new system when it goes into production. It should include details of the operating system, version, patch level, application details, and configuration details. Change control procedure - Executes a change control procedure when a change is to be made to an existing system.
  • 36.
    Design Methodology Requirements definition- Specifies the security requirements that need to be included during the requirement definition phase. Design - Specifies that security should be represented to ensure that the project is secured during the design phase. Test - Specifies that when the project reaches the testing phase, the security requirement should also be tested. Implementation - Specifies that the implementation team should use proper configuration management procedures.
  • 37.
    Disaster Recovery Plans Singlesystem or device failures - Includes a network device, disk, motherboard, network interface card, or component failure. Data center events - Provides procedures for a major event within a data center. Site events - Identifies the critical capabilities that need to be restored. Testing the DRP - Identifies key employees and performs walkthroughs of the plan periodically.
  • 38.
    Creating an AppropriatePolicy To create an appropriate policy: Identify which policies are most relevant and important to an organization. Conduct a risk assessment to identify risk areas. Define all acceptable and unacceptable employee behavior. State all restrictions clearly. Identify individuals and other stakeholders who will be affected by the policy. State expectations clearly.
  • 39.
    Creating an AppropriatePolicy To create an appropriate policy: Define a set of possible outlines. Draft the policy based on the outline. Include stakeholders during discussions and invite suggestions. Brainstorm before developing the final policy.
  • 40.
    Deploying the Policy Everydepartment of the organization that is affected by the policy must accept the underlying concept. Conduct security awareness training where employees are informed of the intended change. Make well-planned transitions rather than radical changes while implementing the policy.
  • 41.
    Using Policy Effectively Identifysecurity requirements early in the process. Security should be a part of the design phase of the project. Examine existing systems to ensure it is in compliance to new policies. Conduct periodic audits to ensure compliance with the policy. Review policies regularly to ensure they are still relevant for the organization.
  • 42.
    Summary Policies define howsecurity is implemented within an organization. Each policy must have a purpose, scope, and responsibility. An organization must establish information policy, security policy, computer use policy, Internet and e-mail policy, and a backup policy. An organization must also define user management, system administration, incident response, and configuration management procedures.
  • 43.
    Summary The disaster recoveryplan details recovery action for various levels of failures. While creating a policy ensure that it will be relevant and important to an organization. Involve stakeholders in policy discussions. Conduct security awareness trainings regularly. Include security issues at each development phase of a project.