1 Security Policies CS 397 Computer Security and PowerPoint Presentation, PPT - DocSlides

2018-12-07 11K 11 0 0


Slide1

Security Policies
CS 397 Computer Security and Information Assurance

Slide2

Outline of Presentation

• Introduction to Security Policy: definitions, types, elements.
• The necessity of a Security Policy: why it's needed.
• Example: Email Use Policy, analysis and critique.
• Closing comments.

Slide3

What is a Security Policy?

• A security policy is a set of rules stating which actions are permitted and which are not.
– It is a statement that partitions the states of a system into a set of authorized (or secure) states and a set of unauthorized (or non-secure) states.
– Can be informal or highly mathematical.
• A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.
• A breach of security occurs when a system enters an unauthorized state.
• We expect a trusted system to enforce the required security policies.
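The partition-of-states definition on this slide can be checked mechanically. The following is an added example written for this page, not code from the slides: it models a toy document store as a state machine, encodes the policy as a predicate over states, explores every state the available operations can reach from the initial state, and reports the first unauthorized state it finds, which is a breach in the slide's sense. The subjects, documents, clearance and operations are constructed for illustration; the `guarded` wrapper plays the role of an enforcement mechanism that refuses any transition leaving the authorized set.

```python
"""Added example (not from the slides): the state-machine view of a security
policy, checked by exhaustive exploration.

A state is the set of (subject, document) read rights currently granted.
The policy is "no uncleared subject may hold a right to a classified document".
A system is secure under the policy when, starting from an authorized state,
no sequence of operations reaches an unauthorized state.
All subjects, documents and rules below are constructed for illustration.
"""
from collections import deque
from typing import Callable, FrozenSet, Iterable, Optional, Set, Tuple

State = FrozenSet[Tuple[str, str]]      # {(subject, document)} = "subject can read document"
Op = Callable[[State], State]

CLEARED = {"alice"}                     # constructed: alice holds a clearance, bob does not
CLASSIFIED = {"budget.xlsx"}            # constructed: the only classified document


def authorized(state: State) -> bool:
    """The policy predicate: authorized iff no uncleared subject can read a classified document."""
    return all(subj in CLEARED for subj, doc in state if doc in CLASSIFIED)


def grant(subject: str, document: str) -> Op:
    """An operation (state transition) that adds one read right."""
    return lambda s: s | {(subject, document)}


def reachable_states(initial: State, ops: Iterable[Op]) -> Set[State]:
    """Breadth-first exploration of every state the operations can produce."""
    seen = {initial}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        for op in ops:
            nxt = op(s)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def find_breach(initial: State, ops: Iterable[Op]) -> Optional[State]:
    """Return an unauthorized state the system can enter, or None if it is secure."""
    if not authorized(initial):
        return initial
    for s in reachable_states(initial, list(ops)):
        if not authorized(s):
            return s
    return None


def guarded(op: Op) -> Op:
    """An enforcement mechanism: apply the operation only if the result stays authorized."""
    return lambda s: op(s) if authorized(op(s)) else s


# An unconstrained grant mechanism: anyone may be granted anything.
UNCHECKED_OPS = [grant("bob", "budget.xlsx"), grant("alice", "budget.xlsx"), grant("bob", "memo.txt")]
# The same operations behind the guard.
GUARDED_OPS = [guarded(op) for op in UNCHECKED_OPS]

INITIAL: State = frozenset()            # nobody holds any rights yet: an authorized state

if __name__ == "__main__":
    print("unchecked mechanism, breach state:", find_breach(INITIAL, UNCHECKED_OPS))
    print("guarded mechanism, breach state:  ", find_breach(INITIAL, GUARDED_OPS))
```

With the unchecked operations the explorer reaches all eight subsets of rights, including the ones where bob can read the classified document; behind the guard only the four authorized states are reachable, so `find_breach` returns `None`. The policy itself never changed between the two runs; only the mechanism did, which is the distinction a later slide draws between policy and mechanism.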

Slide4

Elements of a Security Policy

• A security policy considers all relevant aspects of confidentiality, integrity and availability.
– Confidentiality policy: identifies information leakage and controls information flow.
– Integrity policy: identifies authorized ways in which information may be altered. Enforces separation of duties.
– Availability policy: describes what services must be provided.
• For example, a browser may download pages but not Java applets.

Slide5

Types of Security Policies

• A military security policy (also called a government security policy) is a security policy developed primarily to provide confidentiality.
– Not worried about trusting the object as much as disclosing the object.
• A commercial security policy is a security policy developed primarily to provide integrity.
– Focuses on how much the object can be trusted.

Slide6

Mechanism vs. Security Policy

• Mechanism should not be confused with policy.
• A security mechanism is an entity or procedure that enforces some part of a security policy.
– MasterCard has the Site Data Protection (SDP) Program (https://sdp.mastercardintl.com/).
– Firewalls, access control, permissions, roles.
– Logging facilities, such as syslog.
– Spam and website filters, proxies.
• Enforcement mechanisms may be technical or procedural. For example, a firewall may enforce certain rules, but part of the enforcement is the procedure to set up and maintain configurations. On the other side, tools that automatically log URLs can be used to enforce policies like banning porn sites.

Slide7

Is it a Policy, a Standard or a Guideline?

• A policy is typically a document that outlines specific requirements or rules that must be met.
– Point-specific, covers a single area.
• A standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone.
• A guideline is typically a collection of system-specific or procedural-specific “suggestions” for best practice. They are not requirements to be met, but are strongly recommended.
• Effective security policies make frequent references to standards and guidelines that exist within an organization.

Slide8

Real World Problems Caused By Missing Policies

• At a local newspaper...
– A local newspaper had no policy requiring the termination of user-ID and password privileges after an employee left.
– A senior reporter left the newspaper, and shortly thereafter the newspaper had trouble because the competition consistently picked up on their exclusive stories (scoops).
– An investigation of the logs revealed that the former employee had been consistently accessing their computer to get ideas for stories at his new employer.

Slide9

Real World Problems Caused By Missing Policies (cont’d)

• At a government agency...
– A clerk spent a great deal of time surfing the Internet while on the job. Because there was no policy specifying what constituted excessive personal use, management could not discipline this employee.
– Then management discovered that the clerk had downloaded a great deal of pornography. Using this as a reason, management fired him.
– The clerk chose to appeal the termination with the Civil Service Board, claiming that he couldn't be fired because he had never been told that he couldn't download pornography. After a Civil Service hearing, the Board ordered him to be reinstated with back pay.

Slide10

(Slide footer: 2/26/2004, Polytechnic University - CS996)

Why An Organization Needs Security Policies

• Security policies are the foundation of your secure infrastructure. Your security policies serve as a guide and a reference point to numerous security tasks in your organization.
• Without security policies, no enforcement of security configurations or standards can be made.
– By establishing a policy, you are implying that enforcement can or will follow.
– Without security policies, enforcement of them is not possible.

Slide11

It’s All In The Details!

• The computer security policy needs to be detailed. A policy statement such as “Computer systems are not to be used for personal use” needs to be explained.
– What constitutes personal use could be interpreted differently.
• A computer security policy should provide guidelines on specific topics such as management’s position on:
– Downloading and viewing pornography.
– Sending and forwarding jokes (or other non-essential business correspondence).
– Viewing stock prices.
– Sending and viewing personal e-mail.
– Use of the computer for online shopping during break times.

Slide12

Security Policy: Clear Understanding

• A computer security policy gives users a clear understanding of allowed activities.
• If an employee is dismissed for inappropriate actions, a computer security policy that has been communicated to computer users will save time in legal disputes.

Slide13

Security Policy Basics

• All security policies need to be written down.
– Policies that exist in someone's head are not really policies.
• When your organization has finished developing security policies, and right when you think you can breathe easy, it will be time to update your security policies.
– New technology: make sure your security policies still make sense for your new infrastructure.
– Evaluating new equipment: make sure that the new equipment can properly be configured to meet your security requirements. If it can't, you may want to consider purchasing alternative products.

Slide14

Where to Start?

• The first issue revolves around the content and structure of the policies themselves: Are they complete? Are they fully up to date? Do they reflect your needs?
• The most cost-effective way is often to procure a set of pre-written policies, and then tailor them as necessary to meet specific cultural and functional needs.
– Why re-invent the wheel and proceed down a more complex route than is really necessary?

Slide15

Where to Get a Good Security Policy?

• Good computer programs are copied from other good programs.
• The skill of a programmer is not how effectively they can write code but how well they can incorporate the best routines of other programs to make a useful application.
• Good security policy documents are not written but are copied from other security policy documents.

Slide16

Formulate Your Own Computer Security Policy

• The security requirements of computer systems owned and operated by one organization will almost certainly differ from the requirements of another organization.
• It is therefore important that each organization formulates its own Computer Security Policy.

Slide17

Need an Example Policy or Template?

• Use http://www.sans.org/resources/policies/
• What is the SANS Institute?
– The SANS (SysAdmin, Audit, Network, Security) Institute was established in 1989 as a cooperative research and education organization. The SANS Institute enables more than 156,000 security professionals, auditors, system administrators, and network administrators to share the lessons they are learning and find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community.
• SANS has received permission to provide sanitized security policies from a large organization. They should form a good starting point if you need one of these policies.

Slide18

Before looking into the sample security policies…

• <angle brackets> should be replaced with the appropriate name from your organization.
• The term “InfoSec” is used throughout these documents to refer to the team of people responsible for network and information security. Replace it with the appropriate group name from your organization.
• Any policy name that is in italics is a reference to a policy that is also available on the SANS site.

Slide19

Example: Email Use Policy

• Generally the company e-mail systems are a high-risk area due to their constant availability to the outside world, and the risk is often two-fold.
– Exposes company mail addresses and (mail) systems to potential attackers. Number one entry point from which most of the malicious programs are entering the company.
– E-mail systems are a potential way to leak company proprietary information, intentionally or accidentally (and software exists to flag such things). Also, because of the risk to company image.

Slide20

Example: Email Use Policy (cont’d)

• 1.0 Purpose
– To prevent tarnishing the public image of <COMPANY NAME>. When email goes out from <COMPANY NAME> the general public will tend to view that message as an official policy statement from the <COMPANY NAME>.
• 2.0 Scope
– This policy covers appropriate use of any email sent from a <COMPANY NAME> email address and applies to all employees, vendors, and agents operating on behalf of <COMPANY NAME>.

Slide21

Example: Email Use Policy (cont’d)

• 3.0 Policy
– 3.1 Prohibited Use
• The <COMPANY NAME> email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin.
• Employees who receive any emails with this content from any <COMPANY NAME> employee should report the matter to their supervisor immediately.

Slide22

Make An Addition to the Template!

• Prohibited Use:
– Using email for conducting personal business.
– Using email for purposes of political lobbying or campaigning.
– Violating copyright laws by inappropriately distributing protected works.
– Posing as anyone other than oneself when sending email, except when authorized to send messages for another when serving in an administrative support role.
– The use of unauthorized e-mail software.

Slide23

Don’t Slow Down Network Communications!

• Make an addition to the template:
– Prohibited Use:
• Sending or forwarding chain letters.
• Sending unsolicited messages to large groups except as required to conduct agency business.
• Sending excessively large messages.
• Sending or forwarding email that is likely to contain computer viruses.

Slide24

Non-<COMPANY NAME> Email Accounts for Confidential Info?

• Make an addition to the template:
– Individuals must not send, forward or receive confidential or sensitive <COMPANY NAME> information through non-<COMPANY NAME> email accounts. Examples of non-<COMPANY NAME> email accounts include, but are not limited to, Hotmail, Yahoo mail, AOL mail, and email provided by other Internet Service Providers (ISP).

Slide25

Non-<COMPANY NAME> Mobile Devices for Confidential Info?

• Make an addition to the template:
– Individuals must not send, forward, receive or store confidential or sensitive <COMPANY NAME> information utilizing non-<COMPANY NAME> accredited mobile devices. Examples of mobile devices include, but are not limited to, Personal Data Assistants, two-way pagers and cellular telephones.

Slide26

Example: Email Use Policy (cont’d)

• 3.2 Personal Use
– Using a reasonable amount of <COMPANY NAME> resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email.
– Sending chain letters or joke emails from a <COMPANY NAME> email account is prohibited.
– Virus or other malware warnings and mass mailings from <COMPANY NAME> shall be approved by <COMPANY NAME> VP Operations before sending.
– These restrictions also apply to the forwarding of mail received by a <COMPANY NAME> employee.

Slide27

Example: Email Use Policy (cont’d)

• 3.3 Monitoring
– <COMPANY NAME> employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
– <COMPANY NAME> may monitor messages without prior notice. <COMPANY NAME> is not obliged to monitor email messages.

Slide28

Transmitted Information Needs To Be Safe!

• Make an addition to the template:
– All sensitive <COMPANY NAME> material transmitted over external networks must be encrypted.

Slide29

Example: Email Use Policy (cont’d)

• 4.0 Enforcement
– Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Slide30

Doesn’t Handle Non-Employees

• Need to change the template:
– 4.0 Enforcement
• Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of <COMPANY NAME> Information Resources access privileges, civil, and criminal prosecution.
• NOTE: Enforcement can also include both identification of the violation and the software needed to look for violations, spot checking email, etc.
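The enforcement note mentions the software needed to look for violations. As an added example (not part of the slides or of the SANS template), here is a small policy-as-code checker that runs the clauses collected on the preceding slides (confidential information to non-company email accounts, encryption of sensitive material sent over external networks, excessively large messages, mass mailings needing VP Operations approval, chain letters) over message metadata of the kind a mail gateway records. The company domain, the size and recipient thresholds, the chain-letter phrases and the sample messages are all assumptions constructed for illustration.

```python
"""Added example (not from the slides): a checker that flags Email Use Policy
violations from message metadata. Every domain, threshold and sample message
below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

COMPANY_DOMAIN = "company.example"                         # assumption: stands in for <COMPANY NAME>
WEBMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "aol.com"}  # the providers the slide names
MAX_SIZE_BYTES = 10 * 1024 * 1024                          # assumption: "excessively large"
MASS_MAIL_RECIPIENTS = 50                                  # assumption: a "large group"
CHAIN_LETTER_RE = re.compile(r"\b(forward this to|send this to \d+|good luck)\b", re.I)


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    size_bytes: int
    sensitive: bool           # set from a classification label on the message
    encrypted: bool           # end-to-end encryption (S/MIME or PGP) applied
    approved_by_vp: bool = False
    body_excerpt: str = ""


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check(msg: Message) -> List[str]:
    """Return the policy clauses the message violates (empty list = compliant)."""
    findings = []
    external = [r for r in msg.recipients if domain(r) != COMPANY_DOMAIN]
    # Template addition: no confidential info through non-company email accounts.
    if msg.sensitive and any(domain(r) in WEBMAIL_DOMAINS for r in external):
        findings.append("sensitive info to non-company email account")
    # Template addition: sensitive material over external networks must be encrypted.
    if msg.sensitive and external and not msg.encrypted:
        findings.append("sensitive material sent externally without encryption")
    # Template addition: no excessively large messages.
    if msg.size_bytes > MAX_SIZE_BYTES:
        findings.append("excessively large message")
    # 3.2: mass mailings need VP Operations approval before sending.
    if len(msg.recipients) >= MASS_MAIL_RECIPIENTS and not msg.approved_by_vp:
        findings.append("mass mailing without VP Operations approval")
    # 3.2 and template addition: chain letters are prohibited.
    if CHAIN_LETTER_RE.search(msg.subject) or CHAIN_LETTER_RE.search(msg.body_excerpt):
        findings.append("chain letter")
    return findings


# Constructed sample traffic: one compliant message and three violations.
SAMPLE = [
    Message("alice@company.example", ["bob@company.example"], "Q3 numbers", 20_000, True, False),
    Message("carol@company.example", ["carol@hotmail.com"], "budget draft", 300_000, True, False),
    Message("dave@company.example", [f"user{i}@company.example" for i in range(60)],
            "All hands", 5_000, False, False),
    Message("erin@company.example", ["pal@example.net"], "FW: Good luck!", 4_000, False, False,
            body_excerpt="Forward this to 10 friends"),
]


def report(messages: List[Message]) -> Dict[str, List[str]]:
    """Map each non-compliant sender to the clauses their message violated."""
    out = {}
    for m in messages:
        findings = check(m)
        if findings:
            out[m.sender] = findings
    return out


if __name__ == "__main__":
    for sender, findings in report(SAMPLE).items():
        print(f"{sender}: {'; '.join(findings)}")
```

The checker reports the clause, not just "violation", so a reviewer doing the spot checks the note describes can trace each finding back to the policy text; a message that trips several clauses (the draft sent to a webmail account, which is both a non-company account and an unencrypted external transfer) is listed under every clause it breaks.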

Slide31

Example: Email Use Policy (cont’d)

• Term Definitions:
– Email: The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook.
– Forwarded email: Email resent from an internal network to an outside point.
– Chain email or letter: Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.
– Sensitive information: Information is considered sensitive if it can be damaging to <COMPANY NAME> or its customers' reputation or market standing.
– Virus warning: Email containing warnings about virus or malware. The overwhelming majority of these emails turn out to be a hoax and contain bogus information usually intent only on frightening or misleading users.
– Unauthorized Disclosure: The intentional or unintentional revealing of restricted information to people, both inside and outside <COMPANY NAME>, who do not have a need to know that information.

Slide32

Example: Email Use Policy (cont’d)

• 6.0 Revision History
– Used when revisions are made in the duration of a security policy.

Slide33

High-level to Low-level

• Security policies begin from high-level statements and flow down to lower-level policies, which are more specific and detailed. Example:
• High level: Confidential and classified company information shall be protected from release to unauthorized personnel.
• Mid level: Classified information will only be accessible from the internal network (company intranet) via a secure website.
• Low level: The internal web server will be running HTTPS (SSL) and be password-protected. The perimeter firewall will deny all access to the web server from external hosts (outside the intranet) by blocking external traffic on port 443.
• The firewall is an enforcement mechanism. The password protection is an enforcement mechanism as well.
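The low-level statement on this slide is concrete enough to test a configuration against. The following is an added example, not from the slides: it evaluates a first-match firewall rule set (the semantics most packet filters use) against probe flows the policy makes a decision about, and reports where the rule set disagrees with the policy. The addresses, the intranet range and both rule sets are constructed assumptions; the weak set shows how a broad allow rule and a permissive default contradict the policy, and the corrected set satisfies it.

```python
"""Added example (not from the slides): checking a perimeter firewall rule set
against the low-level policy "deny all access to the web server from external
hosts". Addresses, ranges and rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTRANET = ipaddress.ip_network("10.0.0.0/8")      # assumption: the company intranet
WEB_SERVER = ipaddress.ip_address("10.0.5.20")     # assumption: the internal web server
ANY = ipaddress.ip_network("0.0.0.0/0")
SERVER_NET = ipaddress.ip_network(f"{WEB_SERVER}/32")


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network     # source network
    dst: ipaddress.IPv4Network     # destination network
    dport: Optional[int]           # None = any destination port


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def to_server(src: str, dport: int) -> Flow:
    """A flow from the given source address to the web server."""
    return Flow(ipaddress.ip_address(src), WEB_SERVER, dport)


def decide(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; the default applies when nothing matches."""
    for r in rules:
        if flow.src in r.src and flow.dst in r.dst and (r.dport is None or r.dport == flow.dport):
            return r.action
    return default


def policy_violations(rules: List[Rule], default: str) -> List[str]:
    """Probe the rule set with flows the low-level policy decides, report disagreements."""
    probes = [
        # (flow, decision the policy requires, description)
        (to_server("203.0.113.7", 443), "deny", "external host to web server :443"),
        (to_server("198.51.100.9", 80), "deny", "external host to web server :80"),
        (to_server("10.0.7.3", 443), "allow", "intranet host to web server :443"),
    ]
    return [f"{desc}: got {decide(rules, flow, default)}, policy requires {want}"
            for flow, want, desc in probes if decide(rules, flow, default) != want]


# Weak configuration: a broad allow rule for the server and a permissive default.
WEAK_RULES = [Rule("allow", ANY, SERVER_NET, 443)]
WEAK_DEFAULT = "allow"

# Corrected configuration: allow only the intranet to :443, deny everything else to the server.
CORRECTED_RULES = [
    Rule("allow", INTRANET, SERVER_NET, 443),
    Rule("deny", ANY, SERVER_NET, None),
]
CORRECTED_DEFAULT = "deny"

if __name__ == "__main__":
    print("weak rule set:", policy_violations(WEAK_RULES, WEAK_DEFAULT) or "compliant")
    print("corrected rule set:", policy_violations(CORRECTED_RULES, CORRECTED_DEFAULT) or "compliant")
```

The probes are the policy written as test cases: rerunning them after every rule change is the procedural half of enforcement the earlier slide mentions (setting up and maintaining configurations), and the second probe shows why "deny all access" needs an explicit catch-all deny rather than only a rule about port 443.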

Slide34

Applicable Security Policies

• In the previous example, a company can refer to the following security policies:
– Firewall: which ports are allowed through.
– Password: length of password, aging, allowed and required characters.
– Intranet: who belongs on the intranet, how information is distributed…
– Web server: its configuration, its permissions, and what type of information it's allowed to contain (classification levels).

