Policies Procedures Ch5

  • View
    219

  • Download
    0

Embed Size (px)

Text of Policies Procedures Ch5

  • 8/13/2019 Policies Procedures Ch5

    1/25

    Policy & Procedures

    1

  • 8/13/2019 Policies Procedures Ch5

    2/25

    Why is Policy Important?

    Policy provides the rules that govern how systems

    should be configured.

    Policy provides the rules that govern how employees of

    an organization should act in normal circumstances and

    How employees of an organization should react during

    unusual circumstances.

    Policy performs 2 primary functions: Policy defines what security should be in an organization.

    Policy puts everyone in the know and understands what is

    expected.

    2

  • 8/13/2019 Policies Procedures Ch5

    3/25

  • 8/13/2019 Policies Procedures Ch5

    4/25

    Defining Various Policies

    There are many types of policies & procedures that

    can be used by an organization to define how

    security should work.

    There are 3 aspects of each policy. These are:

    PurposeWhy the policy was created?

    ScopeWhere is the policy to be used?

    ResponsibilityWho should be held accountable?

    4

  • 8/13/2019 Policies Procedures Ch5

    5/25

    Information Policy I

    The information policy defines what sensitiveinformation should be protected

    The policy is constructed to cover all informationwithin the organization

    Each employee is responsible for protectingsensitive information that comes into their

    possession.

    5

  • 8/13/2019 Policies Procedures Ch5

    6/25

    Information Policy II

    Critical issues include:

    Identification of Sensitive Information

    Classifications of Sensitive Information

    Storing Sensitive Information

    Transmitting Sensitive Information

    Destroying Sensitive Information

    6

  • 8/13/2019 Policies Procedures Ch5

    7/25

    Security Policy I

    The security policy defines the technical

    requirements for security on computer systems

    & network equipment.

    The security policy defines how a system or

    network administrator should configure a system

    with regards to security.

    The primary responsibility for the

    implementation of this policy falls on the

    Administrator.

    7

  • 8/13/2019 Policies Procedures Ch5

    8/25

    Security Policy II

    Critical issues include:

    Identification & Authentication

    Access Control

    Audit (number of logins, logout, failures etc) Network Connectivity

    Dial-in Connections

    Permanent Connections

    Remote Connections Wireless Networks

    Malicious CodeWhat security programs to use.

    EncryptionWhich encryption algorithms to use.

    8

  • 8/13/2019 Policies Procedures Ch5

    9/25

    Computer Use Policy I

    The computer use policy lays out the law as to

    WHO may use computer systems and HOW they

    may be used and for WHAT purposes.

    The Computer Policy covers all computer

    resources (internal & external) in an

    organization.

    All users are responsible for the Computer

    Systems that they use (legally or illegally)

    9

  • 8/13/2019 Policies Procedures Ch5

    10/25

    Computer Use Policy II

    Critical issues include:

    Ownership of Computers

    Ownership of Information

    Acceptable Use of Computers (no IRQ, MSN etc)

    No Expectation of Privacy

    10

  • 8/13/2019 Policies Procedures Ch5

    11/25

    Internet Use Policy

    The Internet Use Policy is a general computerpolicy with an organization.

    The Internet Use Policy defines appropriateuses of the internet, ie, Business Related

    The Internet Use Policy is generally monitoredby Senior Managers, Employers

    11

  • 8/13/2019 Policies Procedures Ch5

    12/25

    E-mail Policy I

    E-mail policy serves to limit use of bandwidth

    within an organization.

    E-mail policy clarifies what is allowable and nonallowable transmission of data or information.

    Every E-mail user & the Administrator is

    responsible for ensuring Email is not beingexploited.

    12

  • 8/13/2019 Policies Procedures Ch5

    13/25

    E-mail Policy II

    Critical issues include:

    Internal mail Issues

    Harassment

    Jokes

    Attachments

    External mail Issues

    Scanning inbound and outbound emails

    Virus protection

    Key word detection

    13

  • 8/13/2019 Policies Procedures Ch5

    14/25

    User Management Procedures I

    Are normally overlooked by organizations.

    Are security mechanisms used to protect

    systems from unauthorized access. Such mechanisms are useless if they are not

    managed properly.

    14

  • 8/13/2019 Policies Procedures Ch5

    15/25

    User Management Procedures II

    Critical issues include:

    New Employee Procedure

    Assigning usernames, passwords

    ID Card, Access Card etc

    Transferred Employee Procedure

    Internal Transfer

    External Transfer

    Employee Termination Procedure

    Removing Accounts details

    Backing up user data15

  • 8/13/2019 Policies Procedures Ch5

    16/25

    System Administration Procedure

    Defines how Security & System Administration

    will work together to secure the organizations

    system.

    Defines how and how often various security

    related administration tasks will be

    accomplished.

    16

  • 8/13/2019 Policies Procedures Ch5

    17/25

    System Administration Procedure

    Critical issues include:

    Software Upgrades

    Vulnerability Scans Policy Reviews

    Log Reviews

    Regular & Non Regular Monitoring

    17

  • 8/13/2019 Policies Procedures Ch5

    18/25

    Backup Procedure

    Defines how system backup are to be performed.

    Defines when system backup are to be performed.

    Defines the Frequency of system backups.

    Defines the media where backups are stored.

    Defines how Backups are protected

    Defines what system information/data needs to be

    backed up.

    Defines how often to conduct Restore Testing.

    18

  • 8/13/2019 Policies Procedures Ch5

    19/25

    Incident Response Procedure I

    An IRP defines how the organization will react when a

    computer security incident occurs.

    It should be noted that incidents may be different in

    nature, hence:

    Different incidents require different IRP

    Different incidents may require different people to handle

    the situation IRP should specify the objectives when handling

    incidents.

    19

  • 8/13/2019 Policies Procedures Ch5

    20/25

    Incident Response Procedure II Critical issues include:

    Incident handling initiation (often helpdesk)

    Event Identification (malicious or not)

    Escalation (response team needed or not)

    Information Control (what information to release)

    Authority (who initiate the action)

    Response (take system offline, shutdown,prosecution)

    Documentation (incident should be documented)

    Testing of the Procedure (IRP need practice) 20

  • 8/13/2019 Policies Procedures Ch5

    21/25

    Configuration Management Procedure

    This procedure defines the steps that should be

    taken to modify the state of the organizations

    computer systems, network devices and software

    system.

    The purpose of this procedure is to identify

    appropriate changes so they will not be

    misidentified as security incidents.

    The Initial System State should be well documented

    (version, service patch, etc)

    21

  • 8/13/2019 Policies Procedures Ch5

    22/25

    Disaster Recovery Procedure

    Every organization should have a disasterrecovery plan (DRP).

    This Plan or Procedure should aim to handle:

    Fires

    Floods

    Storms / Lighting etc

    There are various levels of failure, such as: Single System Failure, Multiple System, Site etc

    Primary Network Failure

    Data Storage Center Failure22

  • 8/13/2019 Policies Procedures Ch5

    23/25

    Creating Appropriate Policies

    Different organizations have different policies.

    Policy templates are useful but not enough.

    The following is a normal practice:

    Step 1Defining which policies are important.

    Step 2Identifying Stakeholders

    Step 3Defining Appropriate Outlines

    Step 4Policy Development

    Step 5Policy Deployment

    23

  • 8/13/2019 Policies Procedures Ch5

    24/25

    Policy Deployment

    Unlike creating a policy (which requires a small number

    of people), Deploying a Policy requires the involvement

    of the whole organization.

    The normal procedure involves the following:

    General Meeting with Everyone

    Educating Employees

    Providing Documentation Use of the Policy

    24

  • 8/13/2019 Policies Procedures Ch5

    25/25

    Use Policy Effectively

    Policy can be used a club but is much more

    effective when used as an educational tool.

    Keep in mind that most employees have theorganizations best interest at heart.

    Some aspects of Policy Use include:

    New Systems & Projects (early in the process)

    Existing Systems & Projects (compliance testing)

    Audits (internal compliance with policies)

    Policy Reviews (policies do not last forever)25

Search related