1 / 20

Basic Security Policy

FORE SEC Academy Security Essentials (II). Basic Security Policy. Preface.

siusan
Télécharger la présentation

Basic Security Policy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FORESEC AcademySecurity Essentials (II) Basic Security Policy

  2. Preface It never ceases to amaze me - fact that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy," butnobody ever explains what the policy is, let alone how to write or evaluate it. That is why we undertook this research and education project on basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, “The Roadmap,” a usable and effective policy. Thank you!

  3. Objectives • Defining Security Policy • Using Security Policy to Manage Risk • Identifying Security Policy • Evaluating Security Policy • Issue-specific Security Policy • Exercise: Writing a Personal Security Policy • Contingency Planning within your Policy

  4. Documentation is Critical • If it is not in writing it never happened. • You must clearly document: - What is expected of users - What you plan on doing - How you plan on doing it - What other people are required to do

  5. Defining a Policy • Policies direct the accomplishment of objectives - Program Policy - Issue-specific Policy - System-specific Policy An effective and realistic Security Policy is the key to effective and achievable security.

  6. Defining a Policy (2) • What makes up a policy? -Purpose -Related documents -Cancellation -Background -Scope -Policy statement -Action - Responsibility

  7. Defining a Policy (3) • Who can sign the policy? • What process is used to: - draft a policy - approve a policy - implement a policy

  8. Risk Assessment • What do you do? - The “important bid” story -When is it okay to violate or change policy? -Who has the authority to do it? -What are the risks involved?

  9. Managing Risks in Your Job • Identify risks • Communicate your findings • Update (create) policy as needed • Develop metrics to measure compliance

  10. Identifying Security Policy • Who does the procedure? • What is the procedure? • When is the procedure done? • Where is the procedure done? • Why is the procedure done?

  11. Roles and Responsibilities • Formal organizational structure - Who has the title - Who is listed at the top of the organizational chart • Informal organizational structure - Who gets things done - Who really makes decisions

  12. Levels of Policy • Recognize that policies can exist on different levels - Enterprise-wide/corporate policy - Division-wide policy - Local policy - Issue-specific policy - Procedures and checklists

  13. Checkpoint:Procedure Guidance • Policies address the who, what, and why. • Procedures address the how, where, and when.

  14. Evaluating Security Policy • What if your existing policy is confusing and hard to read? • What if it doesn’t cover all the bases? • Use a checklist to evaluate your policy.

  15. Evaluating Security Policy (2) • Use a checklist: - Does it contain the expected elements? - Is it clear? - Is it concise? - Is it realistic? - Does it provide sufficient guidance?

  16. Evaluating Security Policy (3) • Checklist, continued... - Is it consistent? - Is it forward-looking? - Are there means to keep it current? - Is the policy readily available to those who need it?

  17. Issue-Specific Security Policy • Anti-Virus • Password Assessment • Backups • Proprietary Information • Personal Security Policy

  18. Anti-virus Policy • Define the problem - Various practices risk the introduction of viruses into systems and networks • Develop a solution - Define the scope - Layer the defense strategy - Identify responsibilities - Measure the effectiveness

  19. Password Assessment Policy • Define the problem - Password assessment is a necessary part of security, but may appear illegal if carried out without proper authority/safeguards • Develop a solution - Identify the risks - Enumerate the countermeasures - Enable administrators to legally assess passwords - Escrow passwords for use during incidents

  20. Data Backup Policy • Define the problem - Backups are critical to protect information and allow disaster recovery, but are often performed sporadically • Develop a solution - Identify backups as critical - Empower system administrators - Provide for exceptions when necessary - Make sure the policy is implemented

More Related