Information Security Policies: PowerPoint Presentation
Presentation Transcript

  1. Information Security Policies: User/Employee use policies

  2. Overview
     • Format of policies
     • Usage of policies
     • Examples of policies
     • Areas a policy covers
     • References
     • Homework
     • Questions

  3. Format of Policies
     • Purpose
       • The need for the policy
     • Scope
       • Which parts of the system the policy covers
       • Who the policy applies to
     • Policy
       • What can and cannot be done with the system
     • Enforcement
       • Actions that can be taken once the policy is violated
     • Definitions
       • Defines the keywords used in the policy
     • Revision History
       • States when and what has been changed

  4. Usage of Policies
     • Policy
       • A document that outlines specific requirements or rules that cover a single area
     • Standard
       • A collection of system-specific or procedure-specific requirements that must be met by everyone
     • Guideline
       • A collection of system-specific or procedure-specific “suggestions” for best practice
       • Not required, but strongly recommended

  5. Example of Policies

  6. Example of Policies

  7. Example of Policies

  8. Areas a Policy Covers
     • Acceptable Use
     • Information Sensitivity
     • Ethics
     • E-mail
     • Anti-Virus
     • Password
     • Connection

  9. Acceptable Use Policy
     • General outline for all other policies
     • Protects employees, partners and the company from illegal or damaging actions
     • Applies to all computer-related equipment
     • General use and ownership
     • Security and proprietary information
     • Unacceptable use

  10. Information Sensitivity Policy
     • Determines what information can and cannot be disclosed to non-employees
     • Public
       • Declared for public knowledge
       • Can be freely given to anyone without any possible damage
     • Confidential
       • Minimal Sensitivity: general corporate information; some personal and technical information
       • More Sensitive: business, financial, and most personnel information
       • Most Sensitive: trade secrets and marketing, operational, personnel, financial, source code, and technical information integral to the success of the company

  11. Ethics Policy
     • Defines the means to establish a culture of openness, trust and integrity
     • Executive Commitment
       • Honesty and integrity must be the top priority
     • Employee Commitment
       • Treat everyone fairly, with mutual respect
     • Company Awareness
       • Promote a trustworthy and honest atmosphere
     • Maintaining Ethical Practices
       • Reinforce the importance of the integrity message
     • Unethical Behavior
       • Unauthorized use of company information integral to the success of the company will not be tolerated

  12. E-mail Policy
     • General usage
       • To prevent tarnishing the company’s public image
     • Prohibited use
       • Cannot be used for any disruptive or offensive messages
     • Personal Use
       • States whether e-mail can or cannot be used for personal purposes
     • Monitoring
       • No expectation of privacy for stored, sent or received messages
       • Monitored without prior notice

  13. E-mail Policy
     • Retention
       • Determines how long an e-mail is retained
       • Four main classifications
         • Administrative correspondence – 4 years
         • Fiscal correspondence – 4 years
         • General correspondence – 1 year
         • Ephemeral correspondence – until read
     • Instant Messenger Correspondence
       • Retention applies only to administrative and fiscal correspondence
     • Encrypted Communications
       • Stored in decrypted format

  14. E-mail Policy
     • Automatic Forwarding
       • To prevent unauthorized or inadvertent disclosure of sensitive information
       • Permitted only when
         • Approved by the appropriate manager
         • Sensitive information, as defined in the Information Sensitivity Policy, is encrypted in accordance with the Acceptable Encryption Policy

  15. Anti-Virus Policy
     • To prevent computer virus problems
     • Install anti-virus software
     • Update anti-virus software daily
     • Always keep anti-virus software in auto-protect mode
     • Scan storage media for viruses before use
     • Never open any e-mail from an unknown source
     • Never download files from an unknown source
     • Remove virus-infected computers from the network until verified as virus-free

  16. Password Policy
     • A standard for creating strong passwords
       • Contain both upper- and lower-case characters
       • Contain digits and punctuation characters
       • At least eight alphanumeric characters long
       • Not based on personal information
       • Not a word in any language
       • Can be easily remembered
     • Frequency of password changes
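The construction rules on this slide can be turned into an automated check that tells a user which rule a proposed password breaks. The following is an added example, not code from the presentation or from SANS; the small COMMON_WORDS set stands in for a real dictionary, and the personal_info fields are assumed to come from the user's directory record.

```python
"""Added example: checks a candidate password against the slide's rules.
Not part of the original presentation. COMMON_WORDS is a constructed
stand-in for a real dictionary; personal_info is assumed to hold strings
from the user's record (name, username, birth year ...)."""
import string

# Constructed stand-in for "a word in any language" (case-insensitive).
COMMON_WORDS = {"password", "welcome", "company", "summer", "secret"}

MIN_LENGTH = 8  # "At least eight alphanumeric characters long"


def password_violations(password, personal_info=()):
    """Return the list of slide rules the password violates (empty = OK)."""
    violations = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        violations.append("shorter than eight characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        violations.append("missing upper- or lower-case letters")
    if not any(c.isdigit() for c in password):
        violations.append("missing a digit")
    if not any(c in string.punctuation for c in password):
        violations.append("missing a punctuation character")
    # "Not based on personal information": reject any password containing
    # a personal token of three or more characters, ignoring case.
    for item in personal_info:
        token = item.lower()
        if len(token) >= 3 and token in lowered:
            violations.append(f"contains personal information ({item})")
    # "Not a word in any language": strip digits and punctuation first so
    # that decorated dictionary words such as Password1! are still caught.
    core = "".join(c for c in lowered if c.isalpha())
    if core in COMMON_WORDS:
        violations.append("based on a dictionary word")
    return violations


def is_compliant(password, personal_info=()):
    """True when the password satisfies every checkable rule on the slide."""
    return not password_violations(password, personal_info)
```

The "can be easily remembered" rule is not checkable by code; the other six are enforced above.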

  17. Password Policy
     • Protection of passwords
       • Never written down or stored on-line
       • Don’t reveal a password over the phone
       • Don’t reveal a password in an e-mail message
       • Don’t reveal a password to the boss
       • Don’t reveal a password to co-workers
       • Don’t hint at the format of a password
       • Don’t share a password with family members

  18. Connection Policy
     • Remote Access
       • Defines standards for connecting to the company’s network from any external host or network
       • General
         • Same considerations as an on-site connection
         • General Internet access for recreational use by the immediate household is permitted
       • Requirements
         • Public/private keys with strong pass-phrases
         • Cannot be connected to another network at the same time
         • Cannot provide their login or e-mail password to anyone
         • Must have the most up-to-date anti-virus software installed

  19. Connection Policy
     • Analog/ISDN Line
       • Defines standards for the use of analog/ISDN lines for sending and receiving faxes, and for connection to computers
       • Scenarios and Business Impact
         • Outside attacker attached to the trusted network
       • Facsimile Machines
         • Physically disconnected from computers and the internal network
       • Computer-to-Analog Line Connections
         • A significant security threat
       • Requesting an Analog/ISDN Line
         • State why other, secure connections cannot be used

  20. Connection Policy
     • Dial-in Access
       • To protect information from being inadvertently compromised by authorized personnel using a dial-in connection
       • One-time password authentication
       • Connecting to the company’s sensitive information
         • Take reasonable measures to protect assets
       • Analog and non-GSM digital cellular phones
         • Signals are readily scanned by unauthorized individuals
       • Monitor account activity
         • Disable the account after no access for six months

  21. Connection Policy
     • Extranet
       • Describes how third-party organizations connect to the company network for the purpose of transacting business related to the company
       • Least access wherever possible
       • Valid business justification
       • Approved by a project manager
       • Point of contact from the sponsoring organization
       • Subject to the Third Party Connection Agreement
       • Establishing Connectivity
         • Provide complete information about the proposed access

  22. Connection Policy
     • Modifying Access
       • Notify the extranet management group
       • Security and connectivity evolve accordingly
     • Terminating Access
       • When access is no longer required
       • Terminate the circuit
     • Third Party Connection Agreement
       • Defines the standards and requirements, including legal requirements, needed in order to interconnect a third-party organization’s network to the production network
       • Must be signed by both parties

  23. Connection Policy

  24. Connection Policy
     • Virtual Private Network (VPN) Security
       • Defines the requirements for Remote Access IPSec or L2TP VPN connections to the company network
       • Force all traffic to and from the PC over the VPN tunnel
       • Dual tunneling is not allowed
       • 24-hour absolute connection time limit
       • Automatically disconnected after 30 minutes of inactivity
       • Only approved VPN clients can be used
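The time limits on this slide (24-hour absolute limit, 30-minute inactivity disconnect) and the six-month dormancy rule from the dial-in slide are the kind of policy statement a VPN concentrator or account-review script enforces. The following is an added example, not code from the presentation or any vendor; the timestamps are constructed and six months is assumed to be 182 days.

```python
"""Added example: applies the Connection Policy session limits.
Not part of the original presentation; sample timestamps are constructed
and 'six months' is assumed to mean 182 days."""
from datetime import datetime, timedelta

VPN_MAX_SESSION = timedelta(hours=24)      # absolute connection time limit
VPN_MAX_IDLE = timedelta(minutes=30)       # inactivity disconnect
DIALIN_MAX_DORMANCY = timedelta(days=182)  # assumption: six months


def vpn_session_action(connected_at, last_activity, now):
    """Return 'keep', 'disconnect:absolute-limit' or 'disconnect:idle'.

    The absolute limit is evaluated first so that a session that is both
    over 24 hours old and idle is reported under the stricter rule.
    """
    if now - connected_at >= VPN_MAX_SESSION:
        return "disconnect:absolute-limit"
    if now - last_activity >= VPN_MAX_IDLE:
        return "disconnect:idle"
    return "keep"


def dialin_account_action(last_access, now):
    """Return 'disable' when the account has seen no access for six months.
    An account that was never used (last_access is None) is also disabled."""
    if last_access is None or now - last_access >= DIALIN_MAX_DORMANCY:
        return "disable"
    return "active"


def audit_vpn_sessions(sessions, now):
    """sessions: iterable of (user, connected_at, last_activity).
    Returns {user: action} for every session that must be disconnected."""
    result = {}
    for user, connected_at, last_activity in sessions:
        action = vpn_session_action(connected_at, last_activity, now)
        if action != "keep":
            result[user] = action
    return result


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    now = datetime(2024, 1, 2, 12, 0)
    print(audit_vpn_sessions([
        ("alice", datetime(2024, 1, 1, 11, 0), now - timedelta(minutes=1)),
        ("bob", now - timedelta(hours=2), now - timedelta(minutes=31)),
        ("carol", now - timedelta(hours=2), now - timedelta(minutes=5)),
    ], now))
```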

  25. Connection Policy
     • Wireless Communication
       • Defines standards for wireless systems used to connect to the company network
       • Access Points and PC Cards
         • Registered and approved by InfoSec
       • Approved Technology
         • Use approved products and security configurations
       • Encryption and Authentication
         • Drop all unauthenticated and unencrypted traffic
       • Setting the SSID
         • Should not contain any identifying information

  26. References
     • The SANS Security Policy Project
       • http://www.sans.org/resources/policies
     • Information Security Policies & Computer Security Policy Directory
       • http://www.information-security-policies-and-standards.com
     • RFC 1244 – Site Security Handbook
       • http://www.faqs.org/rfcs/rfc1244.html
     • Google
       • http://www.google.com

  27. Reference

  28. Reference

  29. Homework
     • Write a full version of the policy based on assignment 5, “Acceptable student use of the GTS”, in the format presented
     • Define the usage of the policies as presented
     • Tips:
       • The policy document format is in slide 3
       • Policy usage is in slide 4
       • You may find more information at SANS

  30. Questions Any questions?