Security Awareness, Chapter 6: Enterprise Security
Objectives
After completing this chapter you should be able to do the following:
• Define business continuity
• Explain how redundancy planning and disaster recovery planning benefit an organization
• Explain what a policy is and how it is used
• List the different types of security policies
Security Awareness, 3rd Edition
Business Continuity
• Ability of an organization to maintain its operations and services in the face of a disruptive event
  • Computer attack
  • Natural disaster
• Many organizations are either unprepared or have not tested their plans
• Common elements
  • Redundancy planning
  • Disaster recovery procedures
  • Incident response procedures
Redundancy Planning
• Building excess capacity in order to protect against failures
• Servers
  • Protect against a single point of failure
  • Redundant servers or parts
    • May take too long to get back online
  • Server cluster
    • Design the network infrastructure so that multiple servers are incorporated into the network
    • Types: asymmetric and symmetric
Redundancy Planning (cont’d.)
Figure 6-1 Server cluster (Course Technology/Cengage Learning)
Redundancy Planning (cont’d.)
• Storage
  • Hard disk drives often are the first component of a system to fail
  • Implement RAID (Redundant Array of Independent Drives) technology
    • Uses multiple hard disk drives for increased reliability and performance
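The following Python example is added here to show what the storage bullet means in practice; it is not part of the textbook or the Course Technology slides. It models a simplified RAID 5-style stripe in which the parity block is the XOR of the data blocks, so that any single failed drive can be rebuilt from the survivors. The drive contents, the 8-byte block size and the fixed parity position are constructed assumptions for the demonstration.

```python
from functools import reduce

# Constructed sample data: three 8-byte data blocks that together form one stripe.
# Real arrays use much larger blocks and rotate the parity position; both details
# are left out so the arithmetic stays visible.
SAMPLE_DATA = [b"customer", b"_records", b"_2024_q1"]


def xor_blocks(blocks):
    """XOR equal-length byte blocks together, column by column."""
    if not blocks:
        raise ValueError("need at least one block")
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("all blocks in a stripe must be the same size")
    return bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*blocks))


def write_stripe(data_blocks):
    """What the array stores: the data blocks followed by one parity block."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def read_stripe(stored):
    """Return the data blocks from a stripe in which each failed drive is None.

    Because parity is the XOR of all data blocks, XOR-ing every surviving
    block (parity included) reproduces the single missing block. With two or
    more drives gone there is not enough information and None is returned:
    RAID tolerates a drive failure, it is not a backup.
    """
    missing = [i for i, block in enumerate(stored) if block is None]
    if len(missing) > 1:
        return None
    blocks = list(stored)
    if missing:
        survivors = [block for block in stored if block is not None]
        blocks[missing[0]] = xor_blocks(survivors)
    return blocks[:-1]  # strip the parity block before handing data back


def simulate_failure(failed_drives):
    """Write the sample stripe, knock out the given drive indexes, then read."""
    stripe = write_stripe(SAMPLE_DATA)
    for index in failed_drives:
        stripe[index] = None
    return read_stripe(stripe)


if __name__ == "__main__":
    print("no failure:     ", simulate_failure([]))
    print("drive 1 failed: ", simulate_failure([1]))
    print("parity failed:  ", simulate_failure([3]))
    print("two drives lost:", simulate_failure([0, 2]))
```

The last case is the caveat worth remembering when planning redundancy: parity protects against the loss of one drive at a time, so a second failure during a rebuild, or a deletion that is faithfully mirrored to every drive, still needs a separate backup.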
Redundancy Planning (cont’d.)
• Networks
  • Redundant network ensures that network services are always accessible
  • Virtually all network components can also be duplicated
Redundancy Planning (cont’d.)
• Power
  • Uninterruptible power supply (UPS)
    • Device that maintains power to equipment in the event of an interruption in the primary electrical power source
    • On-line
    • Off-line
  • Backup generator
Redundancy Planning (cont’d.)
• Sites
  • Hot site
    • Run by a commercial disaster recovery service
    • Allows a business to continue computer and network operations to maintain business continuity
  • Cold site
    • Provides office space
    • Customer must provide and install all the equipment needed to continue operations
Redundancy Planning (cont’d.)
  • Warm site
    • All of the equipment installed
    • Does not have active Internet or telecommunications facilities
    • Does not have current backups of data
Disaster Recovery Procedures
• Procedures and processes for restoring an organization’s operations following a disaster
• Focuses on restoring computing and technology resources to their former state
• Planning
  • Disaster recovery plan (DRP)
    • Written document
    • Details the process for restoring computer and technology resources
Disaster Recovery Procedures (cont’d.)
Table 6-1 Sample educational DRP approach (Course Technology/Cengage Learning)
Disaster Recovery Procedures (cont’d.)
• Common features of a DRP
  • Purpose and scope
  • Recovery team
  • Preparing for a disaster
  • Emergency procedures
  • Restoration procedures
Disaster Recovery Procedures (cont’d.)
Figure 6-2 Sample from a DRP (Course Technology/Cengage Learning)
Disaster Recovery Procedures (cont’d.)
• Disaster exercises
  • Test the effectiveness of the DRP
  • Objectives
    • Test the efficiency of interdepartmental planning and coordination in managing a disaster
    • Test current procedures of the DRP
    • Determine the strengths and weaknesses in disaster responses
Disaster Recovery Procedures (cont’d.)
• Enterprise data backups
  • Significantly different than those for a home user
  • Disk to disk (D2D)
  • Continuous data protection (CDP)
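As an added illustration, not taken from the textbook or its slides, of why continuous data protection (CDP) is listed separately from ordinary scheduled backups: the Python below keeps a journal of every write to a file and can restore the file to any instant, whereas a periodic snapshot can only return what existed at the last backup time. The timeline (hours), file name and contents are constructed for the example.

```python
class ScheduledBackup:
    """Point-in-time copies of the file set, taken on a schedule (e.g. nightly)."""

    def __init__(self):
        self.snapshots = {}  # backup time -> {path: content}

    def take_snapshot(self, now, files):
        self.snapshots[now] = dict(files)  # copy, so later edits do not leak in

    def restore(self, path, as_of):
        """Content from the newest snapshot taken at or before as_of."""
        times = sorted(t for t in self.snapshots if t <= as_of)
        if not times:
            return None
        return self.snapshots[times[-1]].get(path)


class ContinuousDataProtection:
    """Journals every write as it happens, so any instant is recoverable."""

    def __init__(self):
        self.journal = []  # (time, path, content), appended in time order

    def record_write(self, now, path, content):
        if self.journal and now < self.journal[-1][0]:
            raise ValueError("journal entries must be appended in time order")
        self.journal.append((now, path, content))

    def restore(self, path, as_of):
        """Latest journaled content for path at or before as_of."""
        latest = None
        for when, journaled_path, content in self.journal:
            if when > as_of:
                break
            if journaled_path == path:
                latest = content
        return latest


def run_scenario():
    """Constructed timeline in hours: backups at 0 and 24, edits during the
    day, then a corrupting write at hour 12 (accidental or malicious). Returns
    what each scheme can hand back for the state just before the damage."""
    live = {"ledger.txt": b"v0 opening balance"}
    nightly = ScheduledBackup()
    cdp = ContinuousDataProtection()

    nightly.take_snapshot(0, live)
    cdp.record_write(0, "ledger.txt", live["ledger.txt"])

    for when, content in [(3, b"v1 morning entries"), (10, b"v2 before lunch")]:
        live["ledger.txt"] = content
        cdp.record_write(when, "ledger.txt", content)

    live["ledger.txt"] = b"CORRUPTED"
    cdp.record_write(12, "ledger.txt", live["ledger.txt"])
    nightly.take_snapshot(24, live)  # the night's backup faithfully copies the damage

    return {
        "nightly_before_damage": nightly.restore("ledger.txt", as_of=11),
        "cdp_before_damage": cdp.restore("ledger.txt", as_of=11),
        "nightly_after_backup": nightly.restore("ledger.txt", as_of=25),
    }


if __name__ == "__main__":
    for label, content in run_scenario().items():
        print(f"{label}: {content!r}")
```

The scheduled scheme loses the whole working day (it can only go back to hour 0) and, once the next backup runs, preserves the corrupted version; the journal lets the recovery team pick the last good instant. The trade-off is storage and write overhead for the journal, which is why enterprise backup design is described as different from a home user's.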
Incident Response Procedures
• What is forensics?
  • Forensics
    • Application of science to questions that are of interest to the legal profession
  • Computer forensics
    • Attempt to retrieve information that can be used in the pursuit of the attacker or criminal
• Importance of computer forensics is due in part to
  • High amount of digital evidence
  • Increased scrutiny by the legal profession
  • Higher level of computer skill by criminals
Incident Response Procedures (cont’d.)
• Responding to a computer forensics incident
  • Secure the crime scene
    • Response team must be contacted immediately
    • Document physical surroundings
    • Take custody of the computer
    • Interview users and document information
  • Preserve the evidence
    • First capture any volatile data
      • Random access memory (RAM)
    • Mirror image backup or bit-stream backup
Incident Response Procedures (cont’d.)
• Establish the chain of custody
  • Documents that the evidence was under strict control at all times
  • No unauthorized person was given the opportunity to corrupt the evidence
• Examine the evidence
  • Mirror image is examined to reveal evidence
  • Mine and expose hidden clues
    • Windows page file
    • Slack
    • Metadata
Figure 6-3 Slack (Course Technology/Cengage Learning)
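The Python below is an added example, not code from the textbook or its slides, that ties together three of the points on the two preceding slides: a bit-stream image of a device (every byte, not just the files), a chain-of-custody record whose hand-offs are checked for gaps, and the file slack that Figure 6-3 illustrates. The 16-byte cluster size, the sample device contents, the SHA-256 hash choice and the evidence identifier are constructed assumptions; capturing volatile RAM first, which the slide says to do before imaging, is not modelled here.

```python
import hashlib
from dataclasses import dataclass, field

CLUSTER_SIZE = 16  # bytes; real file systems use 4 KiB or larger clusters

# Constructed sample "drive" of four clusters. Cluster 1 once held a deleted
# note; a new 5-byte file was later written at its start, so the remaining
# 11 bytes of that cluster are file slack that a file-level copy would skip.
SAMPLE_DEVICE = (
    b"BOOTSECTOR......"           # cluster 0
    + b"hello" + b"secret note"   # cluster 1: 5 bytes of file + 11 bytes of slack
    + b"\x00" * CLUSTER_SIZE      # cluster 2, unused
    + b"\x00" * CLUSTER_SIZE      # cluster 3, unused
)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire_image(device):
    """Bit-stream acquisition: copy every byte of the device, not just the
    files, and record the hash of the source at acquisition time."""
    image = bytes(device)
    return image, sha256_hex(device)


def verify_image(image, recorded_hash):
    """The image is only usable as evidence if its hash still matches the
    one recorded when the evidence was acquired."""
    return sha256_hex(image) == recorded_hash


def file_slack(image, cluster_index, bytes_used_by_file):
    """Bytes between the end of a file and the end of its last cluster."""
    start = cluster_index * CLUSTER_SIZE
    return image[start + bytes_used_by_file : start + CLUSTER_SIZE]


@dataclass
class ChainOfCustody:
    """Every hand-off of the evidence item, in order."""
    evidence_id: str
    sha256: str
    entries: list = field(default_factory=list)

    def transfer(self, when, from_person, to_person, purpose):
        self.entries.append(
            {"when": when, "from": from_person, "to": to_person, "purpose": purpose}
        )

    def is_unbroken(self):
        """The chain holds only if each hand-off starts with the person who
        received the item in the previous hand-off; any gap means an
        unaccounted-for period in which the evidence could have been altered."""
        for earlier, later in zip(self.entries, self.entries[1:]):
            if earlier["to"] != later["from"]:
                return False
        return True


if __name__ == "__main__":
    image, recorded = acquire_image(SAMPLE_DEVICE)
    print("image verifies:", verify_image(image, recorded))
    print("slack in cluster 1:", file_slack(image, 1, 5))
    custody = ChainOfCustody("EVIDENCE-ID-PLACEHOLDER", recorded)
    custody.transfer("day 1 09:00", "first responder", "evidence custodian", "sealed and stored")
    custody.transfer("day 2 08:30", "evidence custodian", "examiner", "imaging and analysis")
    print("chain unbroken:", custody.is_unbroken())
```

Examination is done on the image, never on the original device, and the hash comparison is what lets an examiner show in court that the copy they analysed is the one that was seized.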
Security Policies
• Plans and policies must be established by the organization
  • To ensure that people correctly use the hardware and software defenses
• Organizational security policy
What Is a Security Policy?
• Document that outlines the protections that should be enacted
• Functions
  • Communicates the organization’s information security culture and acceptable information security behavior
  • Details specific risks and how to address them
  • Helps to create a security-aware organizational culture
  • Ensures that employee behavior is directed and monitored to ensure compliance with security requirements
Balancing Trust and Control
• Approaches to trust
  • Trust everyone all of the time
  • Trust no one at any time
  • Trust some people some of the time
• Deciding on the level of control for a specific policy is not always clear
• Not all users have positive attitudes toward security policies
Balancing Trust and Control (cont’d.)
Table 6-2 Possible negative attitudes toward security (Course Technology/Cengage Learning)
Designing a Security Policy
• Definition of a policy
• Characteristics
  • Communicate a consensus of judgment
  • Define appropriate behavior for users
  • Identify what tools and procedures are needed
  • Provide directives for Human Resource action in response to inappropriate behavior
  • May be helpful in the event that it is necessary to prosecute violators
Designing a Security Policy (cont’d.)
• Due care
  • Obligations imposed on owners and operators of assets
    • Exercise reasonable care of the assets and take necessary precautions to protect them
  • Care that a reasonable person would exercise under the circumstances
  • Examples
Designing a Security Policy (cont’d.)
• The security policy cycle
  • Three-phase cycle
    • Performing a risk management study
      • Asset identification
      • Threat identification
      • Vulnerability appraisal
      • Risk assessment
      • Risk mitigation
    • Creating a security policy based on the information from the risk management study
    • Reviewing the policy for compliance
Designing a Security Policy (cont’d.)
Figure 6-4 Security policy cycle (Course Technology/Cengage Learning)
Types of Security Policies
• Acceptable use policy (AUP)
  • Defines the actions users may perform while accessing systems and networking equipment
  • Unacceptable use may also be outlined by the AUP
• Security-related human resource policy
  • Includes statements regarding how an employee’s information technology resources will be addressed
  • Presented at an orientation session when the employee is hired
  • May contain a due process statement
Table 6-3 Types of security policies (Course Technology/Cengage Learning)
Types of Security Policies (cont’d.)
• Personally identifiable information (PII) policy
  • Outlines how the organization uses the personal information it collects
• Disposal and destruction policy
  • Addresses the disposal of resources that are considered confidential
Types of Security Policies (cont’d.)
Figure 6-5 Sample PII (privacy) policy (Course Technology/Cengage Learning)
Types of Security Policies (cont’d.)
• Ethics policy
  • Refocuses attention on ethics in the enterprise
  • Written code of conduct
    • Central guide and reference for employees in support of day-to-day decision making
Summary
• Redundancy planning
  • Building excess capacity in order to protect against failures
• Disaster recovery
  • Procedures and processes for restoring an organization’s operations following a disaster
• Forensic science
  • Application of science to questions that are of interest to the legal profession
Summary (cont’d.)
• Security policy
  • Written document that states how an organization plans to protect the company’s information technology assets