SECURITY POLICIES PowerPoint Presentation
Presentation Transcript

  1. SECURITY POLICIES
     Indu Ramachandran

  2. Outline
     • General idea/importance of security policies
     • When security policies should be developed
     • Who should be involved in this process
     • Cost of security policies
     • Available resources
     • Security policies in detail
     • Failure of security policies
     • After the security policy is written

  3. About Security Policies
     • Increased level of threats
     • Organization’s attitude towards security policies
     • Establishing standards
     • More than just “keeping the bad guys out”!
     • Management and security policy
     • Policies, not procedures!!

  4. Importance of Security Policies
     • Establishes standards
     • Provides basic guidelines
     • Defines appropriate behavior
     • Helps against being sued

  5. Aspects of Security
     • Traditional ideas of security
     • Revised security aspects
       • Confidentiality: protect objects from unauthorized release/use of information
       • Integrity: preserve objects / avoid unauthorized modification

  6. When Should Policies Be Developed
     • Ideal scenario
       • Often not the case
     • After a security breach
     • To mitigate liability
     • To document compliance
     • To demonstrate quality control processes
     • Customers’/clients’ requirements

  7. Who Should Be Involved
     • Basically EVERYONE!!!!!
     • System users
     • System support personnel
     • Managers
     • Business lawyers

  8. Importance of Involving Management
     • Funding and commitment
     • Leadership
     • Authority
     • Responsibility/support

  9. Do You Need Sec. Policies??
     Questions that help answer this question…
     • Do workers at your organization handle information that is confidential?
     • Do workers at your organization access the internet?
     • Does your organization have trade secrets?
     Add custom questions to suit your organization!!

  10. The Security Cost Function
     • Cost of security
       • Exponential increase
     • Trade-off between the cost of security and the cost of violations
     • Formula for calculating cost:
       Total cost of violations = cost of a single violation × frequency of the violation

  11. GOOD NEWS!!!! You are not on your own!!!
     • Internet resources
     • The SANS Institute
     • NIST (National Institute of Standards and Technology)
     • RFCs
     • Universities

  12. Resources (cont’d)
     • Books
       • Guide for Developing Security Policies for Information Technology Systems
       • Information Security Policies Made Easy
         • around 1360+ security templates
         • used by several large organizations
     • Training sessions
       • SANS Institute

  13. Types of Security Policies
     • Administrative security policy
       • Examples of administrative security policies:
         • Users must change their password each quarter
         • Employees must not use dial-out modems from their desktops
     • Technical security policies
       • Examples:
         • Servers will be configured to expire passwords each quarter
         • Accounts must lock out after four unsuccessful login attempts
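The distinction on this slide is that an administrative policy tells people what to do, while a technical policy is something a machine can be configured to enforce and therefore something an auditor can check mechanically. The following added example (not part of the original presentation) shows that check for the two technical policies named above. The thresholds (quarterly expiry, lockout after four failures) come from the slide; mapping them onto `PASS_MAX_DAYS` in `/etc/login.defs` and `deny` in `/etc/security/faillock.conf` is an assumption about a Linux host using shadow-utils and pam_faillock, and the configuration text is constructed for the example rather than read from a real system.

```python
"""Check host configuration against the two technical policies on slide 13.

Added example, not from the original presentation. Assumptions:
  - password expiry is enforced by PASS_MAX_DAYS in /etc/login.defs
  - login lockout is enforced by deny= in /etc/security/faillock.conf
The configuration snippets below are constructed samples, not real host files.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

QUARTER_DAYS = 90          # "expire passwords each quarter"
MAX_FAILED_LOGINS = 4      # "lock out after four unsuccessful attempts"

# Constructed /etc/login.defs with the weak setting (passwords never expire) ...
WEAK_LOGIN_DEFS = """
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""

# ... and the same file corrected to the quarterly expiry the policy requires.
COMPLIANT_LOGIN_DEFS = """
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   14
"""

# Constructed /etc/security/faillock.conf with a loose lockout threshold ...
WEAK_FAILLOCK = """
# Lock the account after this many consecutive failures
deny = 10
unlock_time = 600
"""

# ... and corrected to the four-attempt limit from the slide.
COMPLIANT_FAILLOCK = """
deny = 4
unlock_time = 900
"""


def parse_settings(text: str) -> dict[str, str]:
    """Parse both 'KEY VALUE' (login.defs) and 'key = value' (faillock.conf) lines.

    Anything after '#' is a comment; blank lines are skipped.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.+?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


@dataclass
class Finding:
    policy: str
    setting: str
    observed: Optional[str]
    compliant: bool


def check_password_expiry(login_defs: str) -> Finding:
    """Technical policy: passwords expire each quarter (PASS_MAX_DAYS <= 90)."""
    value = parse_settings(login_defs).get("PASS_MAX_DAYS")
    ok = value is not None and value.isdigit() and int(value) <= QUARTER_DAYS
    return Finding("passwords expire each quarter", "PASS_MAX_DAYS", value, ok)


def check_lockout(faillock_conf: str) -> Finding:
    """Technical policy: lock out after four failed logins (deny <= 4).

    A missing 'deny' key means pam_faillock falls back to its compiled-in
    default, which this check treats as not demonstrably compliant.
    """
    value = parse_settings(faillock_conf).get("deny")
    ok = value is not None and value.isdigit() and 1 <= int(value) <= MAX_FAILED_LOGINS
    return Finding("lockout after four failed logins", "deny", value, ok)


def audit(login_defs: str, faillock_conf: str) -> list[Finding]:
    """Run every technical-policy check and return the findings."""
    return [check_password_expiry(login_defs), check_lockout(faillock_conf)]


if __name__ == "__main__":
    for label, ld, fl in (("weak", WEAK_LOGIN_DEFS, WEAK_FAILLOCK),
                          ("corrected", COMPLIANT_LOGIN_DEFS, COMPLIANT_FAILLOCK)):
        for f in audit(ld, fl):
            state = "PASS" if f.compliant else "FAIL"
            print(f"[{label}] {state}: {f.policy} ({f.setting}={f.observed})")
```

The administrative counterparts ("users must change their password each quarter") cannot be verified this way; only the technical policy produces a setting whose value an audit can read, which is why the slide separates the two kinds.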

  14. What Is in a Security Policy
     Three categories
     First category: Parameters section
     • Introduction
     • Audience
     • Definitions

  15. What Is in a Security Policy (cont’d)
     Second category: Risk assessments
     • When this should be done
     • Benefits
     • Who should do this
     • Identifying assets
     • Threats to assets

  16. What Is in a Security Policy (cont’d)
     Third category: Actual policies
     Examples of policies
     • Physical security

  17. Examples of Policies (cont’d)
     • Authentication
     • Password policy
     • Remote access policy
       • The modem issue

  18. Examples of Policies (cont’d)
     • Acceptable use policy
       Examples of AU policies at http://www.eff.org/pub/CAF/policies
     • Other policies
       Examples of policies, as well as their templates, on the SANS website: http://www.sans.org/resources/policies/

  19. What Makes a Good Security Policy
     • Must be usable
     • Must communicate clearly
     • Must not impede/interfere with business
     • Enforceable
     • Updated regularly
     • Other factors
       • Interests
       • Laws

  20. Problems with Sec. Policies
     • Increase in tension level
     • Security needs viewed differently
     • Too restrictive/hard to implement
     • Impediments to productivity

  21. Conflict and Politics
     • Management concentrates on goals for the company
     • Technical personnel’s agenda
     So what happens??? What do you do???

  22. Information Security Management Committee
     • Bridge the gap
     • Committee composition
     • Responsibilities of the committee

  23. Real-World Problems Caused by Missing Policies
     • At a government agency...
     • At a local newspaper...

  24. Why Security Policies Fail
     • Security is seen as a barrier to progress
       • Perceived to have zero benefit
       • Obstacles/impediments to productivity
     • Security is a learned behavior
       • Not instinct
     • Value of assets
       • Not taken seriously

  25. Why Security Policies Fail (cont’d)
     • Complexity
     • Security work is never finished
       • Failure to review
     • Other reasons
       • Lack of stakeholder support
       • Organizational politics

  26. Compliance & Enforcement
     • Training
     • Testing the effectiveness of the policy
     • Monitoring
     • Taking action

  27. Review the Policy
     • Review committee
       • Good representation
     • Frequency of review meetings
     • Responsibilities
     • What to review

  28. References
     • Barman, Scott. Writing Information Security Policies
     • http://dmoz.org/Computers/Security/Policy/Sample_Policies/
     • http://www.netiq.com/products/pub/ispme_realproblems.asp
     • http://www.sans.org/rr/policy/policy.php
     • http://www.networknews.co.uk/Features/1138373
     • http://irm.cit.nih.gov/security/sec_policy.html
     • http://www.cisco.com/warp/public/126/secpol.html