lesson 6-policy
Lesson 6-Policy
Overview
Understanding why policy is important.
Defining various policies.
Creating an appropriate policy.
Deploying policies.
Using policy effectively.
Understanding Why Policy is Important
The two primary functions of a policy are:
It defines the scope of security within an organization.
It clearly states what is expected of everyone in the organization.
Understanding Why Policy is Important
Policy defines how security should be implemented.
It includes the system configurations, network
configurations, and physical security measures.
It defines the mechanisms used to protect information and
systems.
It defines how organizations should react when security
incidents occur.
Understanding Why Policy is Important
Policy provides the framework for employees to work
together.
It defines the common goals and objectives of the
organization’s security program.
Proper security awareness training helps implement policy
initiatives effectively.
Defining Various Policies
Information policy.
Security policy.
Computer use policy.
Internet use policy.
E-mail policy.
User management procedures.
Defining Various Policies
System administration procedures.
Backup policy.
Incident response policy.
Configuration management procedures.
Design methodology.
Disaster recovery plans.
Information Policy
Identification of sensitive information.
Classifications.
Marking and storing sensitive information.
Transmission of sensitive information.
Destruction of sensitive information.
Identification of Sensitive Information
Sensitive information differs depending on the business of
the organization.
It may include business records, product designs, patent
information, and company phone books.
It may also include payroll, medical insurance, and any
other financial information.
Classifications
Only the lowest classification level (public) may be released outside the organization.
Proprietary, company sensitive, or company confidential information may be released to employees only.
Restricted or protected information must be made available only to those employees who are authorized for it.
Marking and Storing Sensitive Information
The policy must require that all sensitive information be marked with its classification.
It should address how information is stored, both on paper and on computer systems.
For information stored on computer systems, the policy should specify the appropriate level of protection for each classification.
Use encryption wherever it is required.
Transmission of Sensitive Information
The policy addresses how sensitive information is to be transmitted.
It specifies the encryption method to be used when information is sent by electronic mail.
For hard copies, it should require a signed receipt from the recipient.
Destruction of Sensitive Information
To destroy sensitive information:
Shred paper documents.
Use cross-cut shredders, which provide an added level of protection over strip-cut shredders.
Tools such as PGP Desktop and BCWipe can be used to securely delete (overwrite) documents on a desktop system.
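The slide names desktop wiping tools; the following is an added example of what such a tool does underneath, written for this lesson and not taken from PGP Desktop, BCWipe, or the original slides. It overwrites a file's blocks in place, syncs, hides the file name, and unlinks. The caveat a policy must record: in-place overwriting is only meaningful on media that rewrite blocks in place. On SSDs (wear levelling), on copy-on-write or journaling file systems, and wherever snapshots or backups exist, the old blocks survive; for those cases the destruction policy should rely on encryption with destruction of the key. The function name and the temporary file naming are assumptions of this example.

```python
"""Overwrite-then-unlink deletion of a single file (added example, not from the lesson).

Assumption: the file lives on a file system that rewrites blocks in place
(a classic magnetic disk with a non-journaling or metadata-only-journaling
file system). Elsewhere this does NOT destroy the data; use crypto-erase.
"""
import os
import secrets


def _overwrite(fd: int, size: int, chunk: int, random: bool) -> None:
    """Write `size` bytes of random data (or zeros) from offset 0, then flush to disk."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(chunk, remaining)
        buf = secrets.token_bytes(n) if random else bytes(n)
        while buf:                      # os.write may write fewer bytes than asked
            written = os.write(fd, buf)
            buf = buf[written:]
        remaining -= n
    os.fsync(fd)                        # force the pass onto the medium before the next one


def secure_delete(path: str, passes: int = 2, chunk: int = 64 * 1024) -> bool:
    """Overwrite `path` `passes` times with random bytes, once with zeros, then remove it.

    Returns True when the file no longer exists. Refuses symlinks and anything that
    is not a regular file, so a careless call cannot follow a link or wipe a device.
    """
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError(f"refusing to wipe non-regular file: {path}")
    size = os.path.getsize(path)
    # O_WRONLY without O_TRUNC: truncating would free the blocks instead of rewriting them.
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            _overwrite(fd, size, chunk, random=True)
        _overwrite(fd, size, chunk, random=False)
    finally:
        os.close(fd)
    # The file name can be as sensitive as the contents; replace it before unlinking.
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, "." + secrets.token_hex(8))
    os.rename(path, anonymous)
    os.unlink(anonymous)
    try:                                # flush the directory entry as well (POSIX)
        dfd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)
    except OSError:
        pass                            # Windows cannot open a directory this way
    return not os.path.exists(path)


if __name__ == "__main__":
    import tempfile
    sample = os.path.join(tempfile.mkdtemp(), "payroll.txt")   # constructed sample file
    with open(sample, "wb") as f:
        f.write(b"salary data " * 1000)
    print("removed:", secure_delete(sample))
```

Nothing in user space can verify that the old blocks are gone, which is why the policy should state the media types for which overwriting is accepted and require physical destruction or crypto-erase for the rest.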
Security Policy
Identification and authentication.
Access control.
Audit.
Network connectivity.
Security Policy
Malicious code.
Encryption.
Waivers.
Appendices.
Identification and Authentication
The security policy defines how users will be identified.
It defines the primary authentication mechanism for users and administrators.
It defines stronger mechanisms for remote access, such as VPN or dial-in access.
Access Control
The security policy defines the standard requirements for access control of electronic files.
The requirements cover the mechanism to be used and the default permissions for newly created files.
The access control mechanism should work together with the authentication mechanism so that only authorized users can access the information.
Audit
The security policy must require that the following events be audited:
Logins (successful and failed).
Logouts.
Failed access to files or system objects.
Remote access (successful and failed).
Privileged actions.
System events (such as shutdowns and reboots).
Audit
Each event should also capture the following information:
User ID (if there is one)
Date and time
Process ID (if there is one)
Action performed
Success or failure of the event
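The two audit slides above say which events must be logged and which fields each record must carry. As an added example (not from the lesson), the script below turns those requirements into a check that can be run over an exported audit log: it validates each record for the required fields, flags time stamps that cannot be correlated because they carry no time zone, reports required event categories for which no record exists at all (usually a sign that auditing is not configured for them), and tallies failed logins per user as a first review output. The record format (one JSON object per line, with these field and event-type names) and the sample lines are constructed for the example; the lesson prescribes no format.

```python
"""Check audit records against the lesson's audit requirements (added example).

Assumed record format: one JSON object per line with the fields timestamp,
event_type, action, outcome and, where the event has one, user_id and
process_id. The field and event-type names are this example's choice.
"""
import json
from collections import Counter
from datetime import datetime
from typing import List, Optional

# Event categories the policy requires to be audited.
REQUIRED_EVENT_TYPES = {
    "login", "logout", "file_access_denied", "remote_access",
    "privileged_action", "system_event",
}
# Fields every record must carry. user_id / process_id are required only for
# event types that have one (a reboot has no user, an interactive logon no process).
ALWAYS_REQUIRED = ("timestamp", "event_type", "action", "outcome")
EVENTS_WITH_USER = {"login", "logout", "file_access_denied", "remote_access", "privileged_action"}
EVENTS_WITH_PROCESS = {"file_access_denied", "privileged_action"}

# Constructed sample log. Line 5 has a time stamp without a time zone and no
# process ID; line 7 is free text that is not a JSON record at all.
SAMPLE_LOG = """\
{"timestamp": "2024-03-01T08:00:00+00:00", "event_type": "login", "user_id": "alice", "action": "interactive logon", "outcome": "success"}
{"timestamp": "2024-03-01T08:01:10+00:00", "event_type": "login", "user_id": "bob", "action": "interactive logon", "outcome": "failure"}
{"timestamp": "2024-03-01T08:01:15+00:00", "event_type": "login", "user_id": "bob", "action": "interactive logon", "outcome": "failure"}
{"timestamp": "2024-03-01T08:05:00+00:00", "event_type": "privileged_action", "user_id": "alice", "process_id": 4242, "action": "sudo /usr/sbin/useradd eve", "outcome": "success"}
{"timestamp": "2024-03-01 08:06:00", "event_type": "file_access_denied", "user_id": "bob", "action": "open /srv/payroll.xlsx", "outcome": "failure"}
{"timestamp": "2024-03-01T09:00:00+00:00", "event_type": "system_event", "action": "reboot", "outcome": "success"}
kernel: unexpected free-text line that slipped into the audit stream
"""


def parse_record(line: str) -> Optional[dict]:
    """Return the JSON object on this line, or None if the line is not a JSON object."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def validate_record(rec: dict) -> List[str]:
    """List the ways a record falls short of the policy (empty list means compliant)."""
    problems = [f"missing {f}" for f in ALWAYS_REQUIRED if f not in rec]
    etype = rec.get("event_type")
    if etype is not None and etype not in REQUIRED_EVENT_TYPES:
        problems.append(f"unknown event_type {etype!r}")
    if "outcome" in rec and rec["outcome"] not in ("success", "failure"):
        problems.append("outcome must be success or failure")
    ts = rec.get("timestamp")
    if ts is not None:
        try:
            parsed = datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
        except ValueError:
            problems.append("timestamp is not ISO 8601")
        else:
            if parsed.tzinfo is None:   # local time without a zone cannot be correlated
                problems.append("timestamp lacks timezone")
    if etype in EVENTS_WITH_USER and "user_id" not in rec:
        problems.append("missing user_id")
    if etype in EVENTS_WITH_PROCESS and "process_id" not in rec:
        problems.append("missing process_id")
    return problems


def audit_report(lines) -> dict:
    """Validate every line; summarise category coverage and failed logins per user."""
    seen_types = set()
    invalid = []
    failed_logins = Counter()
    total = 0
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        total += 1
        rec = parse_record(line)
        if rec is None:
            invalid.append((lineno, ["not a JSON record"]))
            continue
        problems = validate_record(rec)
        if problems:
            invalid.append((lineno, problems))
        seen_types.add(rec.get("event_type"))
        if rec.get("event_type") == "login" and rec.get("outcome") == "failure":
            failed_logins[rec.get("user_id", "<none>")] += 1
    return {
        "records": total,
        "invalid": invalid,
        # Required categories with no record at all: auditing is probably not
        # configured for them, which is a policy finding in its own right.
        "missing_event_types": sorted(REQUIRED_EVENT_TYPES - seen_types),
        "failed_logins_by_user": dict(failed_logins),
    }


if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_LOG.splitlines()), indent=2))
```

On the sample, the report lists line 5 (no time zone, no process ID) and line 7 (not a record) as invalid, reports that no logout or remote-access events were seen, and counts two failed logins for bob.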
Network Connectivity
The security policy specifies the rules for network connectivity
and the protection mechanisms. It includes:
Dial-in connections.
Permanent connections.
Remote access of internal systems.
Wireless networks.
Malicious Code
The security policy specifies where programs that look for malicious code must be placed.
Appropriate locations include file servers, desktop systems, and electronic mail servers.
It should specify the requirements for such programs.
It should require that their signatures be updated periodically.
Encryption
The security policy should define the acceptable encryption
algorithms for use.
It can refer to the information policy to choose the
appropriate algorithms to protect sensitive information.
It should also specify the procedures required for key
management.
Waivers
The security policy should provide a waiver mechanism for cases where a system or project cannot meet a policy requirement; the mechanism includes a risk assessment and the formulation of a contingency plan.
For each such situation, the system designer or project manager should fill in a waiver form.
The security department reviews the waiver request and provides the risk assessment results and recommendations to minimize the risk.
The waiver should be approved by the organization's officer in charge of the project.
Appendices
The security policy appendices should contain the detailed security configurations for:
Various operating systems.
Network devices.
Telecommunication equipment.
Computer Use Policy
Ownership of computers - States that all computers are owned by
the organization.
Ownership of information - States that all information stored on or
used by the organization’s computers is proprietary to the
organization.
Computer Use Policy
Acceptable use of computers - States all acceptable and unacceptable uses of the organization's computers.
No expectation of privacy - States that employees have no expectation of privacy for any information stored, sent, or received on the organization's computers.
Internet Use Policy
The Internet use policy is part of the general computer use policy.
It can be a separate policy because of the specific nature of Internet use.
The Internet use policy defines the appropriate uses of the Internet within an organization.
It may also define inappropriate uses, such as visiting non-business-related web sites.
E-mail Policy
Internal mail issues - The electronic mail policy should not
be in conflict with other human resource policies.
External mail issues - Electronic mail leaving an
organization may contain sensitive information. Therefore,
it may be monitored.
User Management Procedures
New employee procedure - Provides new employees with the proper access to computer resources.
Transferred employee procedure - Reviews an employee's computer access when he or she is transferred within the organization, so that access no longer needed is removed.
Employee termination procedure - Ensures removal of the accounts of users who no longer work for the organization.
System Administration Procedure
Software upgrades - Defines how often a system administrator will check for new patches or updates.
Vulnerability scans - Defines how often and when scans will be conducted by the security department.
Policy reviews - Specifies the security requirements for each system and how often the system is reviewed against them.
System Administration Procedure
Log reviews - Specifies configuration of automated tools
that create log entries and how exceptions must be
handled.
Regular monitoring - Documents when network traffic
monitoring will occur.
Backup Policy
Frequency of backups - Identifies how often backups
actually occur.
Storage of backups - Defines how to store backups in a
secure location. It also states the mechanism for requesting
and restoring backups.
Information to be backed up - Identifies which data needs
to be backed up more frequently.
Incident Response Procedure
Incident handling objectives - Specifies the objectives of the organization when handling an incident.
Event identification - Defines how to determine whether an event is an intrusion or a user mistake, since the corrective action differs.
Escalation - Specifies an escalation procedure, such as activating an incident response team.
Information control - Specifies what information about the incident is classified and what can be made public.
Incident Response Procedure
Response - Defines the type of response when an incident occurs.
Authority - Defines which individual within the organization or the incident response team has the authority to take action.
Documentation - Defines how the incident response team should document its actions.
Testing of the procedure - Tests the IRP once it is written, identifies the gaps in the procedure, and suggests corrective actions.
Configuration Management Procedures
Initial system state - Documents the state of a new system when it goes into production. It should include the operating system, its version and patch level, the applications installed, and the configuration details.
Change control procedure - Requires that a change control procedure be followed whenever a change is to be made to an existing system.
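The two items above only work together if the initial state is recorded in a form that can later be compared against the running system; otherwise nobody can tell a change-controlled modification from an unauthorized one. As an added example (not from the lesson), the script below takes a baseline of platform facts plus a SHA-256 digest of every watched configuration file, stores it as JSON, and later diffs a fresh snapshot against it; any changed, added or removed file that is not covered by an approved change request is reported as drift. The JSON layout, the function names and the idea of passing the approved paths as a set are assumptions of this example.

```python
"""Baseline a system's configuration and detect uncontrolled change (added example).

Assumed layout (not from the lesson): a snapshot is {"facts": {...},
"files": {path: sha256-or-None}}. A missing watched file is recorded as None
so that its later appearance is reported as an addition.
"""
import hashlib
import json
import os
import platform
from typing import Dict, Iterable, List, Optional


def default_facts() -> Dict[str, str]:
    """Platform facts recorded with the baseline (extend with patch level, package list, ...)."""
    return {
        "os": platform.system(),
        "release": platform.release(),
        "version": platform.version(),
        "machine": platform.machine(),
    }


def file_digest(path: str) -> Optional[str]:
    """SHA-256 of a file, streamed in blocks; None if the file does not exist."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def take_snapshot(watched: Iterable[str], facts: Optional[Dict[str, str]] = None) -> dict:
    """Record the current facts and the digest of every watched file."""
    return {
        "facts": dict(facts) if facts is not None else default_facts(),
        "files": {p: file_digest(p) for p in watched},
    }


def save_snapshot(snapshot: dict, path: str) -> None:
    with open(path, "w", encoding="utf-8") as f:
        json.dump(snapshot, f, indent=2, sort_keys=True)


def load_snapshot(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(baseline: dict, current: dict) -> Dict[str, List[str]]:
    """Classify every difference between two snapshots."""
    diff: Dict[str, List[str]] = {"facts_changed": [], "changed": [], "added": [], "removed": []}
    for key in sorted(set(baseline["facts"]) | set(current["facts"])):
        if baseline["facts"].get(key) != current["facts"].get(key):
            diff["facts_changed"].append(key)
    for path in sorted(set(baseline["files"]) | set(current["files"])):
        old, new = baseline["files"].get(path), current["files"].get(path)
        if old == new:
            continue
        if old is None:
            diff["added"].append(path)
        elif new is None:
            diff["removed"].append(path)
        else:
            diff["changed"].append(path)
    return diff


def unapproved_changes(diff: Dict[str, List[str]], approved: Iterable[str]) -> List[str]:
    """File changes that no change request covers: the drift the procedure must investigate."""
    approved = set(approved)
    return sorted(p for key in ("changed", "added", "removed") for p in diff[key] if p not in approved)


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()                                  # constructed sample system
    sshd = os.path.join(d, "sshd_config")
    with open(sshd, "w") as f:
        f.write("PermitRootLogin no\n")
    baseline = take_snapshot([sshd], {"os": "Linux", "patch_level": "2024-03"})
    save_snapshot(baseline, os.path.join(d, "baseline.json"))
    with open(sshd, "w") as f:
        f.write("PermitRootLogin yes\n")                   # the kind of change to catch
    current = take_snapshot([sshd], {"os": "Linux", "patch_level": "2024-03"})
    print(json.dumps(compare(load_snapshot(os.path.join(d, "baseline.json")), current), indent=2))
```

Digests, not modification times, are what to compare: a change that restores the old mtime is common in tampering, and a legitimate patch that touches a file without changing its content should not be flagged.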
Design Methodology
Requirements definition - Specifies the security requirements that need to be included during the requirements definition phase.
Design - Specifies that security should be represented in the design phase to ensure that the project is designed securely.
Test - Specifies that when the project reaches the testing phase, the security requirements are tested as well.
Implementation - Specifies that the implementation team should use proper configuration management procedures.
Disaster Recovery Plans
Single system or device failures - Covers the failure of a network device, disk, motherboard, network interface card, or other component.
Data center events - Provides procedures for a major event within a data center.
Site events - Identifies the critical capabilities that need to be restored when a whole site is lost.
Testing the DRP - Identifies key employees and performs walkthroughs of the plan with them periodically.
Creating an Appropriate Policy
To create an appropriate policy:
Identify which policies are most relevant and important to an
organization.
Conduct a risk assessment to identify risk areas.
Define all acceptable and unacceptable employee behavior.
State all restrictions clearly.
Identify individuals and other stakeholders who will be affected
by the policy. State expectations clearly.
Creating an Appropriate Policy
To create an appropriate policy:
Define a set of possible outlines.
Draft the policy based on the outline.
Include stakeholders during discussions and invite suggestions.
Brainstorm before developing the final policy.
Deploying the Policy
Every department of the organization that is affected by the
policy must accept the underlying concept.
Conduct security awareness training where employees are
informed of the intended change.
Make well-planned transitions rather than radical changes
while implementing the policy.
Using Policy Effectively
Identify security requirements early in the process. Security should be part of the design phase of the project.
Examine existing systems to ensure that they comply with new policies.
Conduct periodic audits to ensure compliance with the policy.
Review policies regularly to ensure they are still relevant to the organization.
Summary
Policies define how security is implemented within an organization.
Each policy must have a purpose, scope, and responsibility.
An organization must establish information policy, security policy,
computer use policy, Internet and e-mail policy, and a backup policy.
An organization must also define user management, system
administration, incident response, and configuration management
procedures.
Summary
The disaster recovery plan details recovery actions for various levels of failure.
While creating a policy, ensure that it will be relevant and important to the organization.
Involve stakeholders in policy discussions. Conduct security awareness training regularly.
Include security issues at each development phase of a project.