The document discusses security planning and policies. It begins by defining a security policy and information security management system (ISMS). It then discusses the importance of security planning, which involves risk assessment to identify assets, threats, and risks. The key aspects of risk assessment covered are identifying assets, risks to assets, and risk sources. It also discusses identifying security threats and contingency planning. Finally, it discusses different types of security policies an organization can implement, including password, email, internet, backup and access policies. The overall document provides guidance on developing a comprehensive security program through planning, policies and procedures.
The presentation is about information risk management. It covers information threats, risks, vulnerabilities and importance of risk assessment for information security for software companies in India.
http://www.ifour-consultancy.com
Risk Management and Security in Strategic PlanningKeyaan Williams
This content was originally presented to the DFW chapter of the Society for Information Management. The presentation evaluates the role of risk management and security in the strategic planning process that defines the direction and prioritization of resources used by an organization.
An IT risk assessment does more than just tell you about the state of security of your IT infrastructure; it can facilitate decision-making on your organizational security strategy. Some of the benefits of conducting an IT risk assessment are:
Risk Management Strategy is an approach to dealing with global risks focused to anticipate the events, designing and implementing procedures to minimize the occurrence of the event or its impact if it occurs.
In era of globalization and interconnected world the task to protect the company from global risks became complicated. Any kind of internally or externally risk can cause distortion to its usual business activities. The source of potential risk can be human being, technology failure, sabotage or Mother Nature. All the risks must be considered individually since they overlap to a large degree. Then our Global Risk Management consulting focuses on: terrorism, internal sabotage, external espionage, technology failure.
The presentation is about information risk management. It covers information threats, risks, vulnerabilities and importance of risk assessment for information security for software companies in India.
http://www.ifour-consultancy.com
Risk Management and Security in Strategic PlanningKeyaan Williams
This content was originally presented to the DFW chapter of the Society for Information Management. The presentation evaluates the role of risk management and security in the strategic planning process that defines the direction and prioritization of resources used by an organization.
An IT risk assessment does more than just tell you about the state of security of your IT infrastructure; it can facilitate decision-making on your organizational security strategy. Some of the benefits of conducting an IT risk assessment are:
Risk Management Strategy is an approach to dealing with global risks focused to anticipate the events, designing and implementing procedures to minimize the occurrence of the event or its impact if it occurs.
In era of globalization and interconnected world the task to protect the company from global risks became complicated. Any kind of internally or externally risk can cause distortion to its usual business activities. The source of potential risk can be human being, technology failure, sabotage or Mother Nature. All the risks must be considered individually since they overlap to a large degree. Then our Global Risk Management consulting focuses on: terrorism, internal sabotage, external espionage, technology failure.
Risk management is one of the main concepts that have been used by most of the organisations to protect their assets and data. One such example would be INSURANCE. Most of the insurance like Life, Health, and Auto etc have been formulated to help people protect their assets against losses. Risk management has also extended its roots to physical devices, such as locks and doors to protect homes and automobiles, password protected vaults to protect money and jewels, police, fire, security to protect against other physical risks. Dr. C. Umarani | Shriniketh D "Risk Management" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1 , December 2020, URL: https://www.ijtsrd.com/papers/ijtsrd37916.pdf Paper URL : https://www.ijtsrd.com/computer-science/computer-security/37916/risk-management/dr-c-umarani
Insider Threats: Out of Sight, Out of Mind?ObserveIT
Insider Threats represent a major security blind-spot where an increasing number of today’s security incidents occur. Highly publicized insider data theft, such as the recent Morgan Stanley breach or AT&T call center incident, highlight the increasing need for better security practices and solutions to reduce the risks posed by insider threats.
Detecting insider threats has become increasingly difficult with the large volume of data generated through normal user activities and lack of visibility into actual user behavior. Most organizations rely on system logs from applications and devices that typically contain hundreds or thousands of discrete events in obscure technical language, making it nearly impossible to determine what a user actually did.
Watch our webinar “Insider Threats: Out of Sight, Out of Mind?” to learn about the most popular tactics to combat insider threats and how to identify indicators of insiders becoming threats. This webinar will share best practices and how to adopt an early warning system to reduce your risk and strengthen your security posture.
Cybersecurity risk assessments help organizations identify.pdfTheWalkerGroup1
Cybersecurity risk assessments help organizations identify, manage and mitigate all forms of cyber risk. It is a critical component of any comprehensive data protection strategy.
This is about the lessons in Information, Assurance and Security. Complete module 3of lesson 7 are there so you could learn more about it. And may found helpful with your assignments, activities or etc.
Risk management is one of the main concepts that have been used by most of the organisations to protect their assets and data. One such example would be INSURANCE. Most of the insurance like Life, Health, and Auto etc have been formulated to help people protect their assets against losses. Risk management has also extended its roots to physical devices, such as locks and doors to protect homes and automobiles, password protected vaults to protect money and jewels, police, fire, security to protect against other physical risks. Dr. C. Umarani | Shriniketh D "Risk Management" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-1 , December 2020, URL: https://www.ijtsrd.com/papers/ijtsrd37916.pdf Paper URL : https://www.ijtsrd.com/computer-science/computer-security/37916/risk-management/dr-c-umarani
Insider Threats: Out of Sight, Out of Mind?ObserveIT
Insider Threats represent a major security blind-spot where an increasing number of today’s security incidents occur. Highly publicized insider data theft, such as the recent Morgan Stanley breach or AT&T call center incident, highlight the increasing need for better security practices and solutions to reduce the risks posed by insider threats.
Detecting insider threats has become increasingly difficult with the large volume of data generated through normal user activities and lack of visibility into actual user behavior. Most organizations rely on system logs from applications and devices that typically contain hundreds or thousands of discrete events in obscure technical language, making it nearly impossible to determine what a user actually did.
Watch our webinar “Insider Threats: Out of Sight, Out of Mind?” to learn about the most popular tactics to combat insider threats and how to identify indicators of insiders becoming threats. This webinar will share best practices and how to adopt an early warning system to reduce your risk and strengthen your security posture.
Cybersecurity risk assessments help organizations identify.pdfTheWalkerGroup1
Cybersecurity risk assessments help organizations identify, manage and mitigate all forms of cyber risk. It is a critical component of any comprehensive data protection strategy.
This is about the lessons in Information, Assurance and Security. Complete module 3of lesson 7 are there so you could learn more about it. And may found helpful with your assignments, activities or etc.
Steps to Consider When Conducting IT Risk Assessment360factors
Predict360 IT Risk Assessment solution can help improve the IT risk assessment process by automating and simplifying IT risk management. This leads to a proactive, compliant, and resilient IT security environment.
Explore more features: https://bit.ly/47gyhRj
The Significance of IT Security Management & Risk AssessmentBradley Susser
The Significance of IT Security Management & Risk Assessment
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.
RISK MITIGATION AND THREAT IDENTIFICATIONIntroductionInforma.docxjoellemurphey
RISK MITIGATION AND THREAT IDENTIFICATION
Introduction
Information security in a modern organization exists primarily to manage information technology
(IT) risk. Managing risk is one of the key responsibilities of every manager within an
organization. In any well-developed risk management program, two formal processes are at
work. The first, risk identification and assessment, is discussed in this chapter; the second,
risk control, is the subject of the next chapter.
Each manager in the organization, regardless of his or her affiliation with one of the three
communities of interest, should focus on reducing risk as follows:
● General management must structure the IT and information security functions in ways
that will result in the successful defense of the organization’s information assets,
including data, hardware, software, procedures, and people.
● IT management must serve the information technology needs of the broader organization
and at the same time exploit the special skills and insights of the information
security community.
● Information security management must lead the way with skill, professionalism, and
flexibility as it works with the other communities of interest to balance the constant
trade-offs between information system utility and security.
Risk Management
If you know the enemy and know yourself, you need not fear the result of a hundred
battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you
will succumb in every battle.1
Accountability for Risk Management
All three communities of interest bear responsibility for the management of risks, and each
has a particular strategic role to play.
● Information security: Because members of the information security community best
understand the threats and attacks that introduce risk, they often take a leadership
role in addressing risk.
● Information technology: This group must help to build secure systems and ensure their
safe operation. For example, IT builds and operates information systems that are mindful
of operational risks and have proper controls implemented to reduce risk.
Management and users: When properly trained and kept aware of the threats faced by
the organization, this group plays a part in the early detection and response process.
Members of this community also ensure that sufficient resources (money and personnel)
are allocated to the information security and information technology groups to
meet the security needs of the organization. For example, business managers must
ensure that supporting records for orders remain intact in case of data entry error
or transaction corruption. Users must be made aware of threats to data and systems,
and educated on practices that minimize those threats.
All three communities of interest must work together to address every level of risk, ranging
from full-scale disasters (whether natural or human-made) to the smallest mistake ...
Cyber-attacks are an alarming threat to all types of businesses & organizations.The risk of a cyber-attack is not just a risk to your company but also to your privacy.Hence, cybersecurity is crucial for every business. Cybersecurity protects critical data from cyber attackers. This includes sensitive data, governmental and industry information, personal information, personally identifiable information (PII), intellectual property, and protected health information (PHI). If you are looking for tools to fight against cyber threats, then Techwave’s tools & technologies with adequate controls will help your organization stay protected.
Cyber-attacks are an alarming threat to all types of businesses & organizations.The risk of a cyber-attack is not just a risk to your company but also to your privacy.Hence, cybersecurity is crucial for every business. Cybersecurity protects critical data from cyber attackers. This includes sensitive data, governmental and industry information, personal information, personally identifiable information (PII), intellectual property, and protected health information (PHI). If you are looking for tools to fight against cyber threats, then Techwave’s tools & technologies with adequate controls will help your organization stay protected.
7 Practices To Safeguard Your Business From Security Breaches!Caroline Johnson
Cybercriminals are out to get your business, and they're doing it in a big way. It's no secret that though cybercriminals often target large businesses, smaller organizations are also attractive to them. The logic is simple: small businesses usually follow a standard "not much to steal" mindset using fewer controls and easy-to-breach data protection strategies.
Here are the seven best practices every small business should implement immediately to protect their organization from cyberattacks and keep their data safe from thieves and hackers. To know about it visit: https://bit.ly/3G96FDr
CompTIA CySA Domain 5 Compliance and Assessment.pptxInfosectrain3
The CompTIA Cybersecurity Analyst (CySA+) certification is the industry standard for demonstrating that cybersecurity professionals can analyze data and interpret the results to detect vulnerabilities, threats, and risks to an organization.
Protecting the Portals - Strengthening Data Security.pdfkelyn Technology
Dive deep into the reservoir of security knowledge and emerge with strategies tailor-made for your organization’s unique needs with Kelyntech’s agile enterprise data storage service.
Mobile Security: 5 Steps to Mobile Risk ManagementDMIMarketing
Hundreds of companies, and the most demanding Federal agencies rely on DMI for Mobile Security services and solutions. And with more than 500,000 devices under management, we know how to do it right.
Now we’ve distilled 9 years of Mobile Security best practices into a white paper you can download. The paper lays out a smart, sensible approach to managing mobile risk without unnecessary cost and business disruption.
Please be our guest and check out the white paper. You’ll learn:
How to identify and protect against the threats that matter the most
What to do about “the hottest new technologies”
How to get the most protection for the least cost and disruption
The key differences and similarities between Mobile and traditional cybersecurity
- See more at: http://dminc.com/solutions/enterprise-mobility-services/mobilesecuritywp/#sthash.yTptNZRw.dpuf
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
All information, data, and material contained, presented, or provided on is for educational purposes only.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners.
It is not to be construed or intended as providing legal advice.
Company names mentioned herein are the property of, and may be trademarks of, their respective owners and are for educational purposes only.
17 U.S. Code § 107 - Limitations on exclusive rights: Fair use
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
Honest Reviews of Tim Han LMA Course Program.pptxtimhan337
Personal development courses are widely available today, with each one promising life-changing outcomes. Tim Han’s Life Mastery Achievers (LMA) Course has drawn a lot of interest. In addition to offering my frank assessment of Success Insider’s LMA Course, this piece examines the course’s effects via a variety of Tim Han LMA course reviews and Success Insider comments.
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
2. 1. SECURITY PLANNING AND POLICY
A security policy is a document which lists plans to protect the physical and information
technology (IT) assets and is continuously updated as technology and requirements change. It may
include an acceptable use policy, a description of how to educate employees, security
measurements to enforce and a procedure for evaluating the effectiveness of the security policy to
ensure that necessary corrections will be made.
An information security management system (ISMS) is a collection of policies and procedures for
management of crucial data. The aim is to minimize risk and ensure business continuity by pro-
actively limiting the impact of a security and data breach. An ISMS is usually focused on employee
behavior and processes as well as particular type of data, such as customer data. ISO 27001 is a
specification for creating an ISMS which does not mandate specific actions, but includes
suggestions for documentation, internal audits, continual improvement, and corrective and
preventive action.
Any good system of governance should be resilient to attacks by frauds, inadvertent virus, and a
variety of motivated cyber crimes through unauthorized access and even to a nation-sponsored
cyber war and in the scenarios of disaster and warfare.
1.1. Security Planning
In a world where conducting business online isn’t optional, organizations can protect themselves by
making a comprehensive security plan and seeing it through–just like they do for any other aspects
of the operation.
Planning involves risk assessment f organization, identifying assets and their risks, enlisting threats
and attacks to assets and planning to address the same.
Basic Risk Assessment
Risk assessment is a very important part of computer security planning. No plan of action can be
put into place before a risk assessment has been performed. The risk assessment provides a
baseline for implementing security plans to protect assets against various threats. There are three
basic questions one needs to ask in order to improve the security of a system:
What assets within the organization need protection?
What are the risks to each of these assets?
How much time, effort, and money is the organization willing to expend to upgrade or obtain
new adequate protection against these threats?
You cannot protect your assets if you do not know what to protect against. Computers need
protection against risks, but what are risks? In simple terms, a risk is realized when a threat takes
advantage of a vulnerability to cause harm to your system. After you know your risks, you can then
create policies and plans to reduce those risks.
3. Certified Network Security Professional
www.vskills.in Page 2
There are many ways to go about identifying all the risks to your assets. One way is to gather
personnel from within your organization and have a brainstorming session where you list the
various assets and the risks to those assets. This will also help to increase security awareness within
your organization.
Risks can come from three sources: natural disaster risks, intentional risks, and unintentional risks.
These sources are illustrated in the following figure.
Companies are dynamic, and your security plan must be too. Update your risk assessment
periodically. In addition, redo the risk assessment whenever you have a significant change in
operation or structure. Thus, if you reorganize, move to a new building, switch vendors, or
undergo other major changes, you should reassess the risks and potential losses.
Identifying the Assets
One important step toward determining the risks to assets is performing an information asset
inventory by identify the various items you need to protect within your organization. The inventory
should be based on your business plan and the sensitivity of those items. Consider, for example, a
server versus a workstation. A server has a higher level of sensitivity than a typical user's
workstation. Organizations should store the inventory online and categorize each item by its
importance. The inventory should include everything that the organization would consider to be
valuable. To determine if something is valuable, consider what the loss or damage of the item
might be in terms of lost revenue, lost time, or the cost of repair or replacement. Some of the
items that should be on your item inventory are:
Physical items
Sensitive data and other information
Computers, laptops, palmtops, etc.
Backups and archives
Manuals, books, and guides
Communications equipment and wiring
Personnel records
4. Certified Network Security Professional
www.vskills.in Page 3
Audit records
Commercial software distribution media
Non-physical items
Personnel passwords
Public image and reputation
Processing availability and continuity of operations
Configuration information.
Data integrity
Confidentiality of information
For each asset, the following information should be defined:
Type: hardware, software, data
General support system or a critical application system
Designated owner of the information
Physical or logical location
Inventory item number where applicable
Service levels, warranties, key contacts, where it fits in to supplying availability and or security,
and replacement process
Identifying Risks to the Assets
After identifying the assets, it is necessary to determine all the risks that can affect each asset. One
way of doing this is by identifying all the different ways an asset can be damaged, altered, stolen, or
destroyed. For example:
The asset:
Financial information stored on a database system
The risks:
Component failure
Misuse of software and hardware
Viruses, Trojan horses, or worms
Unauthorized deletion or modification
Unauthorized disclosure of information
Penetration ("hackers" getting into your machines)
Software bugs and flaws
Fires, floods, or earthquakes
Riots
In order to develop an effective information security policy, the information produced or
processed during the risk analysis should be categorized according to its sensitivity to loss or
disclosure. Most organizations use some set of information categories, such as Proprietary, For
Internal Use Only, or Organization Sensitive. The categories used in the security policy should be
consistent with any existing categories. Data should be broken into four sensitivity classifications
with separate handling requirements: sensitive, confidential, private, and public. This standard data
5. Certified Network Security Professional
www.vskills.in Page 4
sensitivity classification system should be used throughout the organization. These classifications
are defined as follows:
Sensitive. This classification applies to information that needs protection from unauthorized
modification or deletion to assure its integrity. It is information that requires a higher than
normal assurance of accuracy and completeness. Examples of sensitive information include
organizational financial transactions and regulatory actions.
Confidential. This classification applies to the most sensitive business information that is
intended strictly for use within the organization. Its unauthorized disclosure could seriously and
adversely impact the organization, its stockholders, its business partners, and/or its customers.
Health care-related information should be considered at least confidential.
Private. This classification applies to personal information that is intended for use within the
organization. Its unauthorized disclosure could seriously and adversely impact the organization
and/or its employees.
Public. This classification applies to all other information that does not clearly fit into any of
the above three classifications. While its unauthorized disclosure is against policy, it is not
expected to impact seriously or adversely affect the organization, its employees, and/or its
customers.
After identifying the risks and the sensitivity of data, estimate the likelihood of each risk occurring.
Quantifying the threat of a risk is hard work. Some ways to estimate risk include:
Obtaining estimates from third parties, such as insurance companies.
Basing estimates on your records, if the event happens on a regular basis.
Investigating collected statistics or published reports from industry organizations.
Basing estimates on educated guesses extrapolated from past experience. For instance:
Your power company can provide an official estimate of the likelihood that your building
will experience a power outage in the next year.
Past experience and best guess can be used to estimate the probability of a serious bug
being discovered in your vendor software.
Once all the risks have been realized for each asset, it is necessary to identify whether the damage
caused will be intentional or accidental.
Identifying Type of Threat and Method of Attack
A threat is any action or incident with the potential to cause harm to an organization through the
disclosure, modification, or destruction of information, or by the denial of critical services. Security
threats can be divided into human threats and natural disaster threats, as the following picture
illustrates.
6. Certified Network Security Professional
www.vskills.in Page 5
Human threats can be further divided into malicious (intentional) threats and non-malicious
(unintentional) threats. A malicious threat exploits vulnerabilities in security policies and controls
to launch an attack. Malicious threats can range from opportunistic attacks to well-planned attacks.
Non-malicious human threats can occur through employee error or ignorance. These employees
may accidentally cause data corruption, deletion, or modification while trying to capture data or
change information. (Hardware or software failures, while not a human threat, are other non-
malicious threats.)
In understanding these various threats, it is possible to determine which vulnerabilities may be
exploited and which assets are targeted during an attack. Some methods of attack include:
Social engineering
Viruses, worms, and Trojan horses
Denial of service attack tools
Packet replaying
Packet modification
IP spoofing
Password cracking
Proactive Security Planning
After assessing your risk, the next step is proactive planning. Proactive planning involves
developing security policies and controls and implementing tools and techniques to aid in security.
As with security strategies, it is necessary to define a plan for proactive and reactive security
planning. The proactive plan is developed to protect assets by preventing attacks and employee
mistakes. The reactive plan is a contingency plan to implement when proactive plans have failed.
7. Certified Network Security Professional
www.vskills.in Page 6
Reactive Security Planning
In reactive planning the goal is to get the business back to normal operations as fast as possible in
the event of a disaster. By having efficient and well thought out contingency plans, this goal can be
achieved.
Contingency Plan - A contingency plan is an alternative plan that should be developed in case an
attack causes damage to data or any other assets, stopping normal business operations and
productivity, and requiring time to restore them. The ultimate goal of the contingency plan is to
maintain the availability, integrity, and confidentiality of data. It is the proverbial "Plan B." There
should be a plan per type of attack and/or per type of threat. A contingency plan is a set of steps
that should be taken in case an attack breaks through the security policies and controls. The plan
should address who must do what, when, and where to keep the organization functional. For
example:
Moving productivity to another location or site
Implementing disaster recovery plans.
Contacting vendors and consultants
Contacting clients
Rehearsed the plan periodically to keep staff up to date with current contingency steps.
The following points outline the various tasks to develop a contingency plan:
Address the organization's current emergency plan and procedures and how they are integrated
into the contingency plan.
8. Certified Network Security Professional
www.vskills.in Page 7
The current emergency response procedures should be evaluated and their effect on
continuous operation of business.
Planned responses to attacks and whether they are adequate to limit damage and minimize the
impact on data processing operations should be developed and integrated into the contingency
plan.
Backup procedures, including the most recent documentation and disaster recovery tests.
Disaster recovery plans should be added to provide a temporary or longer operating
environment. Disaster recovery plans should cover the required levels of security to see if they
continue to enforce security throughout the process of recovery, temporary operations, and
when the organization moves back to its original processing site or to the new processing site.
Draw up a detailed document outlining the various findings in the above tasks. The document
should list:
Any scenarios to test the contingency plan.
The impact that any dependencies, assistance outside the organization, and difficulties in
obtaining essential resources will have on the plan.
A list of priorities observed in the recovery operations and the rationale in establishing those
priorities.
A contingency plan should be tested and revised by someone other than the person who created
and wrote it. This should be done to test whether the contingency plan is clearly outlined so that
anybody who reads it can implement the plan.
Security Policy
A company's security plan consists of security policies. Security policies give specific guidelines for
areas of responsibility, and consist of plans that provide steps to take and rules to follow to
implement the policies.
Policies should define what you consider valuable, and should specify what steps should be taken
to safeguard those assets. Policies can be drafted in many ways. One example is a general policy of
only a few pages that covers most possibilities. Another example is a draft policy for different sets
of assets, including e-mail policies, password policies, Internet access policies, and remote access
policies.
Two common problems with organizational policies are:
The policy is a platitude rather than a decision or direction.
The policy is not really used by the organization. Instead it is a piece of paper to show to
auditors, lawyers, other organizational components, or customers, but it does not affect
behavior.
1.2. Security Policies and Guidelines
A security policy is driven by the corporate decisions regarding risk based on the business context.
It is the result of determining what is at risk, and how to reduce that risk. The same set of threats
and risks may be viewed as less severe by a more risk accepting organization. A security policy is a
9. Certified Network Security Professional
www.vskills.in Page 8
layers of policies, on top of procedures and practices. It is akin to a pyramid, with the top layer of
being corporate security policy. It sets the high-level direction for the organization. It’s scope is
organization wide and represents a general statement of the security goals. This corporate policy is
both static, and non-technical, being goal driven and not specifying technologies. It provides broad
guidance for the organization, leaving more dynamic and technical details to lower policy layers.
Standards take the general goals and restates them in terms of specific technology areas. Below this
are practices and procedures, the most technical and dynamic layers of policies. These represent
the details needed to implement the overall security policy. Practices are detailed steps to
implement the technology. Procedures are steps used to interface the technology with the
environment (users, operators, and so on). At this layer the procedures may specify products and
specific processes to be used. A standard would state a more specific requirement stating that a
single sign-on technology is needed across all applications and systems. The practices and
procedures would specify identity management and access control products, as well as processes to
populate and manage users.
Types of Security Policies
Policies can be defined for any area of security. It is up to the security administrator and IT
manager to classify what policies need to be defined and who should plan the policies. There
could be policies for the whole company or policies for various sections within the company. The
various types of policies that could be included are:
Password policies with administrative responsibilities and user responsibilities
E-mail policies
Internet policies
Backup and restore policies
Password Policies - The security provided by a password system depends on the passwords being
kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used, stored,
or even known. In a password-based authentication mechanism implemented on a system,
passwords are vulnerable to compromise due to five essential aspects of the password system:
A password must be initially assigned to a user when enrolled on the system.
A user's password must be changed periodically.
The system must maintain a "password database."
Users must remember their passwords.
Users must enter their passwords into the system at authentication time.
Employees may not disclose their passwords to anyone. This includes administrators and IT
managers.
Password policies can be set depending on the needs of the organization. For example, it is
possible to specify minimum password length, no blank passwords, and maximum and minimum
password age. It is also possible to prevent users from reusing passwords and ensure that users use
specific characters in their passwords making passwords more difficult to crack.
Administrative Responsibilities - Many systems come from the vendor with a few standard user
logins already enrolled in the system. Change the passwords for all standard user logins before
10. Certified Network Security Professional
www.vskills.in Page 9
allowing the general user population to access the system. For example, change administrator
password when installing the system.
The administrator is responsible for generating and assigning the initial password for each user
login. The user must then be informed of this password. In some areas, it may be necessary to
prevent exposure of the password to the administrator. In other cases, the user can easily nullify
this exposure. To prevent the exposure of a password, it is possible to use smart card encryption in
conjunction with the user's username and password. Even if the administrator knows the password,
he or she will be unable to use it without the smart card. When a user's initial password must be
exposed to the administrator, this exposure may be nullified by having the user immediately
change the password by the normal procedure.
Occasionally, a user will forget the password or the administrator may determine that a user's
password may have been compromised. To be able to correct these problems, it is recommended
that the administrator be permitted to change the password of any user by generating a new one.
The administrator should not have to know the user's password in order to do this, but should
follow the same rules for distributing the new password that apply to initial password assignment.
Positive identification of the user by the administrator is required when a forgotten password must
be replaced.
User Responsibilities - Users should understand their responsibility to keep passwords private and
to report changes in their user status, suspected security violations, and so forth. To assure security
awareness among the user population, we recommend that each user be required to sign a
statement to acknowledge understanding these responsibilities.
The simplest way to recover from the compromise of a password is to change it. Therefore,
passwords should be changed on a periodic basis to counter the possibility of undetected password
compromise. They should be changed often enough so that there is an acceptably low probability
of compromise during a password's lifetime. To avoid needless exposure of users' passwords to the
administrator, users should be able to change their passwords without intervention by the
administrator.
E-mail Policies - E-mail is increasingly critical to the normal conduct of business. Organizations
need policies for e-mail to help employees use e-mail properly, to reduce the risk of intentional or
inadvertent misuse, and to assure that official records transferred via e-mail are properly handled.
Similar to policies for appropriate use of the telephone, organizations need to define appropriate
use of e-mail. Organizational polices are needed to establish general guidance in such areas as:
The use of e-mail to conduct official business
The use of e-mail for personal business
Access control and confidential protection of messages
The management and retention of e-mail messages
It is easy to have e-mail accidents. E-mail folders can grow until the e-mail system crashes. Badly
configured discussion group software can send messages to the wrong groups. Errors in e-mail lists
can flood the subscribers with hundreds of error messages. Sometime errors messages will bounce
back and forth between e-mail servers. Some ways to prevent accidents are to:
11. Certified Network Security Professional
www.vskills.in Page 10
Train users what to do when things go wrong, as well as how to do it right.
Configure e-mail software so that the default behavior is the safest behavior.
Use software that follows Internet e-mail protocols and conventions religiously. Every time an
online service gateways its proprietary e-mail system to the Internet, there are howls of protest
because of the flood of error messages that result from the online service's misbehaving e-mail
servers.
Using encryption algorithms to digitally sign the e-mail message can prevent impersonation.
Encrypting the contents of the message or the channel that it's transmitted over can prevent
eavesdropping. Using public locations like Internet cafes and chat rooms to access e-mail can lead
to the user leaving valuable information cached or downloaded on to internet computers. Users
need to clean up the computer after they use it, so no important documents are left behind. This is
often a problem in places like airport lounges.
Internet Policies - The World Wide Web has a body of software and a set of protocols and
conventions used to traverse and find information over the Internet. Through the use hypertext
and multimedia techniques, the Web is easy for anyone to roam, browse, and contribute to.
Web clients, also known as Web browsers, provide a user interface to navigate through
information by pointing and clicking. Browsers also introduce vulnerabilities to an organization,
although generally less severe than the threat posed by servers. Various settings can set on Internet
Explorer browsers by using Group Policy in Windows 2000.
Web servers can be attacked directly, or used as jumping off points to attack an organization's
internal networks. There are many areas of Web servers to secure: the underlying operating
system, the Web server software, server scripts and other software, and so forth. Firewalls and
proper configuration of routers and the IP protocol can help to fend off denial of service attacks.
Backup and Restore Policies - Backups are important only if the information stored on the system
is of value and importance. Backups are important for a number of reasons:
Computer hardware failure. In case certain hardware devices such as hard drives or RAID
systems fail.
Software Failure. Some software applications could have flaws in them whereby information is
interpreted or stored incorrectly.
User Error. Users often delete or modify files accidentally. Making regular backups can help
restore deleted or modified files.
Administrator Error. Sometimes administrators also make mistakes such as accidentally
deleting active user accounts.
Hacking and vandalism. Computer hackers sometimes alter or delete data.
Theft. Computers are expensive and usually easily to sell. Sometimes a thief will steal just the
hardware inside the computer, such as hard drives, video cards, and sound drivers.
Natural disasters. Floods, earthquakes, fires, and hurricanes can cause disastrous effects on
computer systems. Building can be demolished or washed away.
Other disasters. Unforeseeable accidents can cause damage. Some examples are if a plane
crashes into buildings or if gas pipes leak and cause explosions.
12. Certified Network Security Professional
www.vskills.in Page 11
Information that should be backed up includes:
Important information that is sensitive to the organization and to the continuity of operations.
This includes databases, mail servers, and any user files.
System databases, such as registries and user account databases.
13. Certified Network Security Professional
www.vskills.in Page 2
There are many ways to go about identifying all the risks to your assets. One way is to gather
personnel from within your organization and have a brainstorming session where you list the
various assets and the risks to those assets. This will also help to increase security awareness within
your organization.
Risks can come from three sources: natural disaster risks, intentional risks, and unintentional risks.
These sources are illustrated in the following figure.
Companies are dynamic, and your security plan must be too. Update your risk assessment
periodically. In addition, redo the risk assessment whenever you have a significant change in
operation or structure. Thus, if you reorganize, move to a new building, switch vendors, or
undergo other major changes, you should reassess the risks and potential losses.
Identifying the Assets
One important step toward determining the risks to assets is performing an information asset
inventory by identify the various items you need to protect within your organization. The inventory
should be based on your business plan and the sensitivity of those items. Consider, for example, a
server versus a workstation. A server has a higher level of sensitivity than a typical user's
workstation. Organizations should store the inventory online and categorize each item by its
importance. The inventory should include everything that the organization would consider to be
valuable. To determine if something is valuable, consider what the loss or damage of the item
might be in terms of lost revenue, lost time, or the cost of repair or replacement. Some of the
items that should be on your item inventory are:
Physical items
Sensitive data and other information
Computers, laptops, palmtops, etc.
Backups and archives
Manuals, books, and guides
Communications equipment and wiring
Personnel records