ch09 information security best practices

Lesson 9-Information Security Best Practices 中央資管 陳奕明

Upload: phanleson

Posted on 22-Jan-2015



TRANSCRIPT

1. Lesson 9-Information Security Best Practices

2. Overview
   - Understanding administrative security.
   - Security project plans.
   - Understanding technical security.
   - Making use of ISO 17799.

3. Understanding Administrative Security
   Administrative security policies:
   - Define the importance of information and information systems to the company and its employees.
   - Define the resources required to accomplish appropriate risk management activities.
   - Identify the individuals responsible for managing the information security risk for the organization.

4. Understanding Administrative Security
   Administrative security policies fall under the following areas:
   - Policies and procedures.
   - Resources.
   - Responsibility.
   - Education.
   - Contingency plans.

5. Policies and Procedures
   The most important policies that organizations must draft are:
   - Information policy - Defines the level of sensitivity of information assets within the organization.
   - Security policy - Defines the technical controls and security configurations to be implemented on all computer systems.

6. Policies and Procedures
   The most important policies that organizations must draft are (continued):
   - Use policy - Identifies the approved uses of organization computer systems and the penalties for misusing such systems.
   - Backup policy - Defines the frequency of information backups and the method of moving backups to off-site storage.

7. Policies and Procedures
   Organizations must define the following procedures:
   - User management - Includes information about individuals who can authorize access to the organization's computer systems.
   - System administration - Defines the process of implementing the organization's security policy on various systems.
   - Configuration management - Defines the steps for making changes to production systems.

8. Resources
   Determining required resources depends on:
   - The size of the organization.
   - The organization's business.
   - The risk to the organization.
   - The full risk assessment of the organization.
   - The plan to manage risk.

9. Resources
   [Figure: the project management triangle]

10. Resources
   The security department staff members should have the following skills:
   - Security administration - A thorough understanding of day-to-day administration of security devices.
   - Policy development - Hands-on experience in the development and maintenance of security policies, procedures, and plans.
   - Architecture - An understanding of network and system architectures and implementation of new systems.

11. Resources
   The security department staff members should have the following skills (continued):
   - Research - The examination of new security technologies for risk assessment.
   - Assessment - Experience in conducting risk assessment activities, such as penetration and security testing.
   - Audit - Experience in conducting system and procedure audits.

12. Resources
   An organization's security budget is based on:
   - The scope and time frame of the security project.
   - The capital expenditures, current operations, and cost of training.
   - The security project plans.

13. Responsibility
   - An executive-level position must own security responsibilities within an organization.
   - They should have the authority to define the organization's policy and sign off on all security-related policies.
   - They should also have the authority to enforce policy.
   - They should develop metrics to track the progress toward security goals.

14. Education
   The best practices for education include:
   - Preventive measures.
   - Enforcement measures.
   - Incentive measures.

15. Preventive Measures
   - Preventive measures can be used to explain the importance of, and the need for, protecting an organization's information assets.
   - They help employees comply with policies and procedures.
   - They include awareness programs, publicity campaigns, electronic mail messages, and pop-up windows.

16. Enforcement Measures
   - Enforcement measures force employees to abide by the organization's policies and procedures.
   - They can take the form of security-awareness training.
   - Employees can also be provided copies of relevant policies.
   - They can also be asked to sign a security statement.
17. Incentive Programs
   Incentive programs:
   - Can increase the reporting of security issues.
   - Can be in the form of monetary incentives or verbal encouragement.
   - Can also be used to gather suggestions on how to improve security.

18. Contingency Plans
   Contingency plans include:
   - Incident response - Defines the series of steps to be taken in the event of a compromise.
   - Backup and data archival - Defines how and when backups are to be taken. It also specifies the backup storage and restore mechanisms.
   - Disaster recovery - Identifies the most critical resources and states the needs and objectives in the event of a disaster.

19. Security Project Plans
   Best practices recommend that the security department establish the following plans:
   - Improvement plans - Address the risk areas and implement appropriate changes to the environment.
   - Vulnerability assessment - Includes regular scans of the organization's systems. It also includes regular follow-up with system administrators to ensure corrective actions are being taken.

20. Security Project Plans
   Best practices recommend that the security department establish the following plans (continued):
   - Assessment plans - Frequently assess the risk to the organization.
   - Audit plans - Ensure policy compliance.
   - Training - Includes schedules for awareness training classes and publicity campaigns.
   - Policy evaluation - Includes built-in review schedules.

21. Understanding Technical Security
   - Network connectivity.
   - Malicious code protection.
   - Authentication.
   - Monitoring.

22. Understanding Technical Security
   - Encryption.
   - Patching systems.
   - Backup and recovery.
   - Physical security.

23. Network Connectivity
   To protect an organization from unwanted intrusions, the following network connectivity practices are recommended:
   - Permanent connections - Network connections to other organizations or the Internet are protected by a firewall. This prevents damage in one network from spreading to others.
   - Remote access connections - These connections can be dial-in connections or connections across the Internet. Two-factor authentication, such as dial-back modems or dynamic passwords, is recommended.

24. Malicious Code Protection
   To protect systems from computer viruses or Trojan horse programs:
   - Use anti-virus programs for servers, desktops, and e-mail systems.
   - Allow frequent signature updates and the delivery of updates.

25. Authentication
   The following are the recommended best practices for password usage:
   - Passwords must be a minimum of eight characters in length.
   - The last ten passwords should not be reused.
   - Passwords should always be stored in encrypted form, inaccessible to normal users.
   - A password should not be more than 60 days old.
   - Passwords should be composed of alphanumeric characters.

26. Authentication
   The following are the recommended best practices for password usage (continued):
   - Dynamic passwords or other two-factor authentication mechanisms offer added security.
   - Systems should be configured to start a screen saver while the employee is away. The system should require re-authentication to access the system.

27. Monitoring
   Auditing is a mechanism for monitoring actions that occur on a computer system. The audit log or files must keep track of the following events:
   - Login/logoff.
   - Failed login attempts.
   - Dial-in connection attempts.
   - Supervisor/administrator/root login.
   - Supervisor/administrator/root privileged functions.
   - Sensitive file access.

28. Monitoring
   - Intrusion detection systems (IDS) monitor networks or systems.
   - They trigger an alarm when security is compromised.
   - Host-based IDS may be used to examine log files.
   - Network-based IDS helps monitor the network for attacks or unusual traffic.

29. Encryption
   - Encrypt information while transmitting over unsecured lines or electronic mail.
   - Choose an algorithm that matches the sensitivity of the information being protected.
   - Use well-known and well-tested encryption algorithms.
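The password rules on the Authentication slides (slides 25 and 26) as a runnable policy check, added here as an example and not part of the lecture. It assumes salted PBKDF2 hashing as the realisation of "stored in encrypted form", and reads "composed of alphanumeric characters" as requiring both letters and digits; the sample history records are constructed.

```python
"""Policy checker for the Authentication slides: eight characters minimum,
letters and digits, no reuse of the last ten passwords, expiry after 60 days.
Assumption: "stored in encrypted form" is realised as salted PBKDF2 hashes."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 8        # "a minimum of eight characters"
HISTORY_DEPTH = 10    # "the last ten passwords should not be reused"
MAX_AGE_DAYS = 60     # "should not be more than 60 days old"
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    # The salt is stored beside the hash; the password itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password: str, changed_on: str) -> dict:
    """Stored form of a password: random salt, PBKDF2 hash, ISO change date."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "changed_on": date.fromisoformat(changed_on)}


def check_new_password(candidate: str, history: list) -> list:
    """Return policy violations for a proposed password (empty list = compliant).
    `history` holds the user's earlier records, most recent first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    # "Alphanumeric" is read here as: letters and digits must both be present.
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must mix letters and digits")
    # Re-hash the candidate under each stored salt; only the last ten records count.
    for rec in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(candidate, rec["salt"]), rec["hash"]):
            problems.append("reuses one of the last ten passwords")
            break
    return problems


def password_expired(record: dict, today: str) -> bool:
    """True once the password has been in use for more than 60 days."""
    return date.fromisoformat(today) - record["changed_on"] > timedelta(days=MAX_AGE_DAYS)


def sample_history() -> list:
    """Constructed history: two earlier passwords, most recent first."""
    return [make_record("Autumn2014", "2014-12-01"), make_record("Summer2014", "2014-10-01")]
```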
30. Encryption
   - Use link encryption for transmission lines between organization facilities.
   - Follow regulatory standards, such as HIPAA, while transmitting over open networks.

31. Patching Systems
   - Patches correct vulnerabilities.
   - Install patches only after testing.
   - Install patches according to the organization's change control procedures.
   - Check for new patches frequently.

32. Backup and Recovery
   - Information on servers should be backed up regularly.
   - Verify all backups to determine whether the backup successfully copied the important files.
   - Establish regular schedules of tests.
   - Backups must be accessible to restore systems in the event of system failures.
   - Backups should be stored off-site for protection.

33. Physical Security
   The following physical security mechanisms are recommended:
   - Physical access - Restrict access to the data center, where all sensitive computers are kept.
   - Climate - Configure climate control units to notify administrators if a failure occurs.

34. Physical Security
   The following physical security mechanisms are recommended (continued):
   - Fire suppression - Configure fire-suppression systems to prevent any damage to the systems in the data center.
   - Electrical power - Size battery backups to provide sufficient power for computer systems to shut down.

35. Making Use of ISO 17799
   The Information Technology - Code of Practice for Information Security Management (ISO 17799) covers the following areas:
   - Security policy - Covers the need for a security policy. It also recommends regular reviews and evaluation of the document.

36. Making Use of ISO 17799
   The Information Technology - Code of Practice for Information Security Management (ISO 17799) covers the following areas (continued):
   - Organizational security - Covers how information security functions are managed within an organization.
   - Asset classification and control - Covers the need to properly protect both physical and information assets.

37. Making Use of ISO 17799
   ISO 17799 key concepts include:
   - Personnel security - Discusses the need to manage the risk within the hiring process and ongoing employee education.
   - Physical and environmental security - Discusses the need to protect all physical assets from theft, fire, and other hazards.
   - Communications and operations management - Covers the need for documented management procedures for computers and networks.

38. Making Use of ISO 17799
   ISO 17799 key concepts include (continued):
   - Access control - Discusses the control of access to information, systems, networks, and applications.
   - Systems development and maintenance - Discusses the inclusion of security in development projects.

39. Making Use of ISO 17799
   ISO 17799 key concepts include (continued):
   - Business continuity management - Discusses the risks of business interruptions and various alternatives for continuity management.
   - Compliance - Discusses how the organization should enforce policy and check compliance.

40. Summary
   - Administrative security practices include policies and procedures, resources, responsibility, education, and contingency plans.
   - The security department must establish plans for improvement, assessment, vulnerability assessment, audits, training, and policy evaluation.

41. Summary
   - Technical security measures deal with the implementation of security controls on computers and networked systems.
   - ISO 17799 standards help establish an effective security program.

42. BS7799
   [Figure: BS7799, Code of Practice for Information Security (1995), leading to ISO 17799]
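An added example (not from the slides) of the verification step on the Backup and Recovery slide: each important file is hashed in the source tree and in the backup tree, and anything missing or altered is reported. The directory trees, file list and contents are constructed for the example.

```python
"""Backup verification: confirm that the backup "successfully copied the
important files" by comparing SHA-256 digests of a list of critical files
between the source tree and the backup tree. Trees below are constructed."""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def verify_backup(source_root: str, backup_root: str, important: list) -> dict:
    """Classify each important file as ok, missing from the backup, or mismatched."""
    report = {"ok": [], "missing": [], "mismatch": []}
    for rel in important:
        src = os.path.join(source_root, rel)
        dst = os.path.join(backup_root, rel)
        if not os.path.isfile(dst):
            report["missing"].append(rel)           # never copied
        elif sha256_of(src) != sha256_of(dst):
            report["mismatch"].append(rel)          # copied, but contents differ
        else:
            report["ok"].append(rel)
    return report


def write_tree(root: str, files: dict) -> None:
    """Materialise {relative path: bytes} under root (helper for the constructed demo)."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo() -> dict:
    """Constructed scenario: one file intact, one truncated mid-copy, one never copied."""
    source = {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
              "db/orders.db": b"order-1,order-2,order-3\n",
              "logs/audit.log": b"2015-01-22 login root\n"}
    backup = {"etc/passwd": source["etc/passwd"],
              "db/orders.db": b"order-1,order-2"}    # truncated copy
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(os.path.join(tmp, "src"), source)
        write_tree(os.path.join(tmp, "bak"), backup)
        return verify_backup(os.path.join(tmp, "src"), os.path.join(tmp, "bak"), list(source))
```

A real run would take the important-file list from the backup policy and schedule this check after every backup job, as the slide's "regular schedules of tests" suggests.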