NETWORK SECURITY
Presentation
Members
• Usman Mukhtar -046
• Anas Faheem -018
• Umair Mehmood -047
• Qasim Zaman -050
• Shahbaz Khan -030
Policies and Regulation in Network
security
• Semester
BS(IT) 6th
• Submitted to:
Sir Kashif Nisar
University of Gujrat
The challenges before us
• Define security policies and standards
• Measure actual security against policy
• Report violations of policy
• Correct violations to conform with policy
• Summarize policy compliance for the
organization
The Foundation of
Information Security
The Information Security
Functions
Managing Information Security
Policies
What are policies, and what is their purpose?
The Purpose
Provide a framework for the
management of security
across the enterprise
Definitions
• Policies
– High-level statements that provide guidance to
workers who must make present and future decisions
• Standards
– Requirement statements that provide specific
technical specifications
• Guidelines
– Optional but recommended specifications
Security Policy (example of a policy, its standard, and its guideline)
• Policy: Access to network resources will be granted
through a unique user ID and password.
• Standard: Passwords will be 8 characters long.
• Guideline: Passwords should include one non-alphabetic
character and should not be found in a dictionary.
Elements of Policies
• Set the tone of Management
• Establish roles and responsibility
• Define asset classifications
• Provide direction for decisions
• Establish the scope of authority
• Provide a basis for guidelines and procedures
• Establish accountability
• Describe appropriate use of assets
• Establish relationships to legal requirements
Policies should clearly identify and define the
information security goals and the goals of the university.
Info Security Policy Lifecycle (diagram; elements shown: Cabinet, IS Goals,
Policy, Standards, Procedures, Guidelines, Awareness, Actions)
The Ten-Step Approach
Step 1 – Collect Background Information
• Obtain existing policies
– Creighton's
– Others
• Identify what levels of control are needed
• Identify who should write the policies
Step 2 – Perform Risk Assessment
• Justify the Policies with Risk Assessment
– Identify the critical functions
– Identify the critical processes
– Identify the critical data
– Assess the vulnerabilities
Step 3 – Create a Policy Review Board
• The Policy Development Process
– Write the initial “Draft”
– Send to the Review Board for Comments
– Incorporate Comments
– Resolve Issues Face-to-Face
– Submit “Draft” Policy to Cabinet for Approval
Step 4 – Develop the Information
Security Plan
• Establish goals
• Define roles
• Define responsibilities
• Notify the User community as to the
direction
• Establish a basis for compliance, risk
assessment, and audit of information
security
Step 5 – Develop Information
Security Policies, Standards, and
Guidelines
• Policies
– High-level statements that provide guidance to
workers who must make present and future decisions
• Standards
– Requirement statements that provide specific
technical specifications
• Guidelines
– Optional but recommended specifications
Step 6 – Implement Policies and
Standards
• Distribute Policies.
• Obtain agreement with policies before
accessing Creighton Systems.
• Implement controls to meet or enforce
policies.
Step 7 – Awareness and
Training
• Makes users aware of the expected
behavior
• Teaches users How & When to secure
information
• Reduces losses & theft
• Reduces the need for enforcement
Step 8 – Monitor for
Compliance
• Management is responsible for establishing
controls
• Management should REGULARLY review the
status of controls
• Enforce “User Contracts” (Code of Conduct)
• Establish effective authorization approval
• Establish an internal review process
• Internal Audit Reviews
Step 9 – Evaluate Policy
Effectiveness
• Evaluate
• Document
• Report
Step 10 – Modify the
Policy
Policies must be modified due to:
– New Technology
– New Threats
– New or changed goals
– Organizational changes
– Changes in the Law
– Ineffectiveness of the existing Policy
HIPAA Security
Guidelines
• Security Administration
• Physical Safeguards
• Technical Security Services and
Mechanisms
Minimum HIPAA
Requirements
• Security Administration
– Certification Policy (§ .308(a)(1))
– Chain of Trust Policy (§ .308(a)(2))
– Contingency Planning Policy (§ .308(a)(3))
– Data Classification Policy (§ .308(a)(4))
– Access Control Policy (§ .308(a)(5))
– Audit Trail Policy (§ .308(a)(6))
– Configuration Management Policy (§ .308(a)(8))
– Incident Reporting Policy (§ .308(a)(9))
– Security Governance Policy (§ .308(a)(10))
– Access Termination Policy (§ .308(a)(11))
– Security Awareness & Training Policy (§ .308(a)(12))
Minimum HIPAA
Requirements
• Physical Safeguards
– Security Plan (Security Roles and Responsibilities) (§ .308(b)(1))
– Media Control Policy (§ .308(b)(2))
– Physical Access Policy (§ .308(b)(3))
– Workstation Use Policy (§ .308(b)(4))
– Workstation Safeguard Policy (§ .308(b)(5))
– Security Awareness & Training Policy (§ .308(b)(6))
Minimum HIPAA
Requirements
• Technical Security Services and Mechanisms
– Mechanism for controlling system access (§ .308(c)(1)(i))
• “Need-to-know”
– Employ event logging on systems that process or store PHI (§ .308(c)(1)(ii))
– Mechanism to authorize the privileged use of PHI (§ .308(c)(3))
• Employ a system or application-based mechanism to authorize activities within system resources in
accordance with the Least Privilege Principle.
– Provide corroboration that PHI has not been altered or destroyed in an unauthorized manner
(§ .308(c)(4))
• Checksums, double keying, message authentication codes, and digital signatures.
– Users must be authenticated prior to accessing PHI (§ .308(c)(5))
• Uniquely identify each user and authenticate identity
• Implement at least one of the following methods to authenticate a user:
– Password;
– Biometrics;
– Physical token;
– Call-back or strong authentication for dial-up remote access users.
• Implement automatic log-offs to terminate sessions after set periods of inactivity.
– Protection of PHI on networks with connections to external communication systems or public
networks (§ .308(d))
• Intrusion detection
• Encryption
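The integrity item above (§ .308(c)(4)) lists checksums, message authentication codes and digital signatures side by side, but they do not give the same assurance. A checksum only detects accidental corruption: anyone who can rewrite the record can recompute the checksum, so it cannot corroborate that an alteration was authorized. A message authentication code is computed under a key that the party writing the record does not hold, so an unauthorized rewrite fails verification. The following is an added example illustrating that difference with Python's standard library; it is not code from the presentation or from any HIPAA guidance. The PHI record, the key and the `unauthorized_rewrite` actor are constructed for the demonstration.

```python
"""Added example: checksum versus MAC as corroboration that a PHI record was not
altered without authorization. Constructed sample data, Python standard library only."""
import hashlib
import hmac
import json
import secrets
import zlib

# Constructed sample PHI record for the demonstration (not real patient data).
RECORD = {"mrn": "000123", "name": "J. Doe", "allergies": ["penicillin"], "dose_mg": 5}


def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records always produce equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> int:
    """Integrity value with no secret: CRC32. A plain SHA-256 digest stored next
    to the record has the same weakness, since anyone can recompute it."""
    return zlib.crc32(canonical(record))


def mac(record: dict, key: bytes) -> str:
    """Keyed integrity value: HMAC-SHA256 under a key the record store does not hold."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def checksum_verifies(record: dict, stored: int) -> bool:
    return checksum(record) == stored


def mac_verifies(record: dict, stored: str, key: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the MAC.
    return hmac.compare_digest(mac(record, key), stored)


def unauthorized_rewrite(record: dict, stored_mac: str) -> tuple:
    """Model an actor with write access to the record store but not to the MAC key.
    They change the dose, recompute the checksum (no secret needed), and can only
    leave the old MAC in place because they cannot compute a new one."""
    altered = dict(record)
    altered["dose_mg"] = 50
    return altered, checksum(altered), stored_mac


def demo() -> dict:
    """Run the scenario and report which integrity check still passes after tampering."""
    key = secrets.token_bytes(32)  # integrity key, held by the verifier only
    stored_crc, stored_mac = checksum(RECORD), mac(RECORD, key)
    altered, crc_after, mac_after = unauthorized_rewrite(RECORD, stored_mac)
    return {
        "checksum_passes_after_tamper": checksum_verifies(altered, crc_after),
        "mac_passes_after_tamper": mac_verifies(altered, mac_after, key),
        "mac_passes_untouched": mac_verifies(RECORD, stored_mac, key),
    }


if __name__ == "__main__":
    print(demo())
```

The checksum still verifies after the unauthorized change, the MAC does not. A digital signature gives the same corroboration with a public verification key, which matters when auditors or other covered entities must verify records without being trusted with the secret MAC key.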
Creighton Specific
Policies
• Access Control Policy
• Contingency Planning Policy
• Data Classification Policy
• Change Control Policy
• Wireless Policy
• Incident Response Policy
• Termination of Access Policy
• Backup Policy
• Virus Policy
• Retention Policy
• Physical Access Policy
• Computer Security Policy
• Security Awareness Policy
• Audit Trail Policy
• Firewall Policy
• Network Security Policy
• Encryption Policy
Policy Hierarchy (diagram)
• Governance Policy
– Access Control Policy
• Access Control Authentication Standard
• Password Construction Standard
– Strong Password Construction Guidelines
– User ID Policy
• User ID Naming Standard
Editor's Notes

1. A policy may have many standards associated. A standard should have only one policy associated. A standard may have many guidelines associated.
2. Guidelines are used when standards cannot be enforced or management support is lukewarm. Examples: Standard: Passwords must be 8 characters long and expire every 90 days. Guideline: Passwords should be constructed using alpha, numeric, upper case, lower case, and special characters.