8/13/2019 Policies Procedures Ch5
Policy & Procedures
Why is Policy Important?
Policy provides the rules that govern how systems should be configured.
Policy provides the rules that govern how employees of an organization should act in normal circumstances, and how they should react during unusual circumstances.
Policy performs two primary functions:
Policy defines what security should be in an organization.
Policy puts everyone in the know, so that everyone understands what is expected of them.
Defining Various Policies
There are many types of policies and procedures that an organization can use to define how security should work.
There are three aspects of each policy. These are:
Purpose: why the policy was created.
Scope: where the policy is to be used.
Responsibility: who is to be held accountable.
Information Policy I
The information policy defines what sensitive information should be protected.
The policy is constructed to cover all information within the organization.
Each employee is responsible for protecting sensitive information that comes into their possession.
Information Policy II
Critical issues include:
Identification of Sensitive Information
Classifications of Sensitive Information
Storing Sensitive Information
Transmitting Sensitive Information
Destroying Sensitive Information
Security Policy I
The security policy defines the technical
requirements for security on computer systems
& network equipment.
The security policy defines how a system or
network administrator should configure a system
with regards to security.
The primary responsibility for implementing this policy falls on the system and network administrators.
Security Policy II
Critical issues include:
Identification & Authentication
Access Control
Audit (number of logins, logouts, failures, etc.)
Network Connectivity
  Dial-in Connections
  Permanent Connections
  Remote Connections
  Wireless Networks
Malicious Code: which security programs to use.
Encryption: which encryption algorithms to use.
Computer Use Policy I
The computer use policy lays down the law as to WHO may use computer systems, HOW they may be used, and for WHAT purposes.
The computer use policy covers all computer resources (internal and external) in an organization.
All users are accountable for their use of the computer systems, whether that use is legitimate or not.
Computer Use Policy II
Critical issues include:
Ownership of Computers
Ownership of Information
Acceptable Use of Computers (no IRC, MSN Messenger, etc.)
No Expectation of Privacy
Internet Use Policy
The Internet use policy is a general computer policy within an organization.
The Internet use policy defines appropriate uses of the Internet, i.e., business-related use.
Compliance with the Internet use policy is generally monitored by senior managers and employers.
E-mail Policy I
E-mail policy serves to limit the use of bandwidth within an organization.
E-mail policy clarifies what is allowable and non-allowable transmission of data or information.
Every e-mail user and the administrator are responsible for ensuring that e-mail is not being exploited.
E-mail Policy II
Critical issues include:
Internal mail issues
  Harassment
  Jokes
  Attachments
External mail issues
  Scanning inbound and outbound e-mail
  Virus protection
  Keyword detection
User Management Procedures I
User management procedures are normally overlooked by organizations.
User accounts and credentials are the security mechanisms used to protect systems from unauthorized access; such mechanisms are useless if they are not managed properly.
User Management Procedures II
Critical issues include:
New Employee Procedure
  Assigning usernames and passwords
  ID cards, access cards, etc.
Transferred Employee Procedure
  Internal transfer
  External transfer
Employee Termination Procedure
  Removing account details
  Backing up user data
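The failure mode the previous slide warns about (accounts that outlive the procedures meant to manage them) can be checked mechanically by reconciling the account directory against the HR roster. The following is an added example and is not from the slides: the roster, the directory export, the department-to-group mapping, the review date and the 90-day dormancy window are constructed assumptions standing in for an organization's real HR feed and directory.

```python
"""Reconcile an account directory export against the HR roster.

Added example, not from the slides. All data below is constructed;
EXPECTED_GROUPS, DORMANT_DAYS and TODAY are assumed policy values.
"""
from datetime import date

# Constructed HR roster: employee id -> (name, status, current department).
HR_ROSTER = {
    "E100": ("Alice Ng", "active", "finance"),
    "E101": ("Bob Ortiz", "terminated", "it"),
    "E102": ("Cara Silva", "active", "sales"),  # transferred internally from finance
}

# Assumed mapping of department -> groups an active employee there should hold.
EXPECTED_GROUPS = {"finance": {"finance"}, "it": {"it"}, "sales": {"sales"}}

# Constructed directory export (the shape an LDAP/AD dump would give you).
DIRECTORY = [
    {"user": "ang", "employee_id": "E100", "enabled": True,
     "groups": {"finance"}, "last_login": date(2019, 8, 12)},
    {"user": "bortiz", "employee_id": "E101", "enabled": True,
     "groups": {"it", "domain-admins"}, "last_login": date(2019, 8, 1)},
    {"user": "csilva", "employee_id": "E102", "enabled": True,
     "groups": {"finance", "sales"}, "last_login": date(2019, 8, 13)},
    {"user": "svc-backup", "employee_id": None, "enabled": True,
     "groups": {"backup-operators"}, "last_login": date(2019, 2, 1)},
    {"user": "oldtemp", "employee_id": "E099", "enabled": True,
     "groups": set(), "last_login": date(2019, 1, 15)},
]

DORMANT_DAYS = 90                 # assumed policy value
TODAY = date(2019, 8, 13)         # assumed review date


def reconcile(roster, directory, today):
    """Return (username, finding) pairs for accounts the procedures missed."""
    findings = []
    for acct in directory:
        eid = acct["employee_id"]
        if eid is None:
            # The termination procedure cannot fire for an account nobody owns.
            findings.append((acct["user"], "no-owner"))
        elif eid not in roster:
            findings.append((acct["user"], "unknown-employee"))
        else:
            _name, status, dept = roster[eid]
            if status == "terminated" and acct["enabled"]:
                # The termination procedure did not remove the account.
                findings.append((acct["user"], "terminated-but-enabled"))
            elif status == "active":
                # The transfer procedure left access from the previous role behind.
                leftover = acct["groups"] - EXPECTED_GROUPS.get(dept, set())
                if leftover:
                    findings.append((acct["user"],
                                     "transfer-leftover:" + ",".join(sorted(leftover))))
        # Enabled accounts nobody uses are a sign the procedures are not being followed.
        if acct["enabled"] and (today - acct["last_login"]).days > DORMANT_DAYS:
            findings.append((acct["user"], "dormant"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(HR_ROSTER, DIRECTORY, TODAY):
        print(f"{user:12} {finding}")
```

Run against the constructed data, the check flags the terminated administrator whose account is still enabled, the transferred employee who kept her old department's group, the service account with no owner, and a leftover account for an employee id HR does not know. Each finding maps back to one of the procedures on the slide (termination, transfer, new employee), which is what makes the report actionable.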
System Administration Procedure I
Defines how security and system administration will work together to secure the organization's systems.
Defines how, and how often, the various security-related administration tasks will be accomplished.
System Administration Procedure II
Critical issues include:
Software Upgrades
Vulnerability Scans
Policy Reviews
Log Reviews
Regular & Non-Regular Monitoring
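The log review task above, and the audit requirement in Security Policy II (counting logins, logouts and failures), amount to the same exercise: parse the authentication log and count events per user and per source so that a burst of failures stands out. The following is an added example and is not from the slides: the log lines are constructed in the OpenSSH syslog format, and the three-failures-per-source threshold is an assumed policy value.

```python
"""Count logins, logouts and failures in an authentication log.

Added example, not from the slides. SAMPLE_LOG is constructed sshd-style
data and FAILURE_THRESHOLD is an assumed policy value.
"""
import re
from collections import Counter

# Constructed sample lines in the OpenSSH syslog format (assumed data).
SAMPLE_LOG = """\
Mar  3 08:01:12 host1 sshd[2311]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 08:01:12 host1 sshd[2311]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 08:15:40 host1 sshd[2311]: pam_unix(sshd:session): session closed for user alice
Mar  3 09:02:01 host1 sshd[2402]: Failed password for bob from 198.51.100.7 port 40011 ssh2
Mar  3 09:02:04 host1 sshd[2402]: Failed password for bob from 198.51.100.7 port 40011 ssh2
Mar  3 09:02:07 host1 sshd[2402]: Failed password for bob from 198.51.100.7 port 40011 ssh2
Mar  3 09:02:10 host1 sshd[2402]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
Mar  3 09:02:13 host1 sshd[2402]: Failed password for invalid user root from 198.51.100.7 port 40013 ssh2
Mar  3 09:30:00 host1 sshd[2510]: Accepted publickey for bob from 10.0.0.9 port 50100 ssh2
Mar  3 09:45:00 host1 sshd[2510]: pam_unix(sshd:session): session closed for user bob
"""

# Successful login: "Accepted <method> for <user> from <source> port ..."
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
# Failure: "Failed <method> for [invalid user ]<user> from <source> port ..."
FAILED = re.compile(r"Failed \S+ for (?:invalid user )?(\S+) from (\S+) port")
# Logout: PAM closes the session for the user.
CLOSED = re.compile(r"session closed for user (\S+)")

FAILURE_THRESHOLD = 3  # assumed policy value: failures from one source before escalation


def review_auth_log(text):
    """Return per-user login/logout/failure counts and sources over threshold."""
    logins, logouts, failures, by_source = Counter(), Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            logins[m.group(1)] += 1
            continue
        m = FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
            by_source[m.group(2)] += 1      # attribute the failure to the source address
            continue
        m = CLOSED.search(line)
        if m:
            logouts[m.group(1)] += 1
    flagged = sorted(src for src, n in by_source.items() if n >= FAILURE_THRESHOLD)
    return {
        "logins": dict(logins),
        "logouts": dict(logouts),
        "failures": dict(failures),
        "failures_by_source": dict(by_source),
        "flagged_sources": flagged,
    }


if __name__ == "__main__":
    report = review_auth_log(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key:20} {value}")
```

Counting failures per source, not only per user, is what exposes the pattern in the sample: five failures from one address spread over three usernames, two of which do not exist. That address is the item the log review escalates under the incident response procedure; the individual "Failed password for bob" lines on their own look like a forgotten password.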
Backup Procedure
Defines how system backups are to be performed.
Defines when system backups are to be performed.
Defines the frequency of system backups.
Defines the media on which backups are stored.
Defines how backups are protected.
Defines what system information/data needs to be backed up.
Defines how often to conduct restore testing.
Incident Response Procedure I
An incident response procedure (IRP) defines how the organization will react when a computer security incident occurs.
It should be noted that incidents may be different in nature, hence:
Different incidents require different IRPs.
Different incidents may require different people to handle the situation.
The IRP should specify the objectives when handling incidents.
Incident Response Procedure II
Critical issues include:
Incident handling initiation (often the helpdesk)
Event identification (malicious or not)
Escalation (response team needed or not)
Information control (what information to release)
Authority (who initiates the action)
Response (take the system offline, shut it down, prosecute)
Documentation (every incident should be documented)
Testing of the procedure (the IRP needs practice)
Configuration Management Procedure
This procedure defines the steps that should be taken to modify the state of the organization's computer systems, network devices and software systems.
The purpose of this procedure is to identify appropriate (approved) changes so that they will not be misidentified as security incidents.
The initial system state should be well documented (version, service pack, patch level, etc.).
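Documenting the initial state only pays off when a later snapshot is compared against it and every difference is matched to an approved change record; whatever is left over is the candidate incident the slide refers to. The following is an added example, not code from the slides: the baseline, the approved-change tickets (CHG-0042, CHG-0043), the package versions and the configuration file contents are all constructed, and SHA-256 fingerprints stand in for whatever integrity record the organization keeps.

```python
"""Compare a current system snapshot against a documented baseline.

Added example, not from the slides. BASELINE, APPROVED_CHANGES and
CURRENT_STATE are constructed; ticket ids and versions are hypothetical.
"""
import hashlib


def fingerprint(contents: bytes) -> str:
    """SHA-256 hex digest used as the integrity record for a config file."""
    return hashlib.sha256(contents).hexdigest()


# Constructed baseline: the documented initial state (versions + file hashes).
BASELINE = {
    "packages": {"openssh-server": "7.4p1-21", "nginx": "1.14.0-1", "kernel": "3.10.0-957"},
    "files": {
        "/etc/ssh/sshd_config": fingerprint(b"PermitRootLogin no\nPasswordAuthentication yes\n"),
        "/etc/nginx/nginx.conf": fingerprint(b"worker_processes 2;\n"),
    },
}

# Constructed records produced by the configuration management procedure:
# each approved change says what the new state of its target should be.
APPROVED_CHANGES = [
    {"ticket": "CHG-0042", "kind": "packages", "target": "nginx", "expected": "1.16.1-1"},
    {"ticket": "CHG-0043", "kind": "files", "target": "/etc/ssh/sshd_config",
     "expected": fingerprint(b"PermitRootLogin no\nPasswordAuthentication no\n")},
]

# Constructed snapshot taken later: one approved upgrade, one new package nobody
# recorded, and an sshd_config that differs from what CHG-0043 approved.
CURRENT_STATE = {
    "packages": {"openssh-server": "7.4p1-21", "nginx": "1.16.1-1",
                 "kernel": "3.10.0-957", "netcat": "1.10-41"},
    "files": {
        "/etc/ssh/sshd_config": fingerprint(b"PermitRootLogin yes\nPasswordAuthentication no\n"),
        "/etc/nginx/nginx.conf": fingerprint(b"worker_processes 2;\n"),
    },
}


def compare_state(baseline, current, approved):
    """Return (target, verdict, ticket) for every difference from the baseline."""
    approved_index = {(c["kind"], c["target"]): c for c in approved}
    report = []
    for kind in ("packages", "files"):
        for target in sorted(set(baseline[kind]) | set(current[kind])):
            before, after = baseline[kind].get(target), current[kind].get(target)
            if before == after:
                continue                      # unchanged since the baseline
            change = approved_index.get((kind, target))
            if change is None:
                report.append((target, "unapproved", None))
            elif change["expected"] == after:
                report.append((target, "approved", change["ticket"]))
            else:
                # A ticket exists, but the system does not look like what it approved.
                report.append((target, "does-not-match-approved-change", change["ticket"]))
    return report


if __name__ == "__main__":
    for target, verdict, ticket in compare_state(BASELINE, CURRENT_STATE, APPROVED_CHANGES):
        print(f"{verdict:32} {target} {ticket or ''}")
```

The three verdicts map directly onto the slide's purpose: an approved change is closed against its ticket, an unapproved difference (here an extra package) goes to the incident response procedure, and a target whose ticket exists but whose actual state differs from the approved one (here sshd_config re-enabling root login) is treated as suspicious rather than waved through because "there was a change request for that file".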
Disaster Recovery Procedure
Every organization should have a disaster recovery plan (DRP).
This plan or procedure should aim to handle:
Fires
Floods
Storms, lightning, etc.
There are various levels of failure, such as:
Single system failure, multiple system failure, site failure, etc.
Primary network failure
Data storage center failure
Creating Appropriate Policies
Different organizations have different policies.
Policy templates are useful but not enough.
The following is normal practice:
Step 1: Define which policies are important.
Step 2: Identify stakeholders.
Step 3: Define appropriate outlines.
Step 4: Policy development.
Step 5: Policy deployment.
Policy Deployment
Unlike creating a policy (which requires a small number of people), deploying a policy requires the involvement of the whole organization.
The normal procedure involves the following:
General meeting with everyone
Educating employees
Providing documentation
Use of the policy
Use Policy Effectively
Policy can be used as a club, but it is much more effective when used as an educational tool.
Keep in mind that most employees have the organization's best interests at heart.
Some aspects of policy use include:
New systems & projects (apply policy early in the process)
Existing systems & projects (compliance testing)
Audits (internal compliance with policies)
Policy reviews (policies do not last forever)