Session 15: Security Policies
DESCRIPTION
Session 15, Security Policies. Course: A0334/Pengendalian Lingkungan Online (Online Environment Control). Year: 2005. Version: 1/1. Learning Outcomes: by the end of this session, students are expected to be able to state security policies. Outline: A Multi-Layered Response - PowerPoint PPT Presentation
TRANSCRIPT
Session 15: Security Policies
Course: A0334/Pengendalian Lingkungan Online (Online Environment Control)
Year: 2005
Version: 1/1
Learning Outcomes
By the end of this session, students are expected to be able to:
• State security policies
Outline
• A Multi-Layered Response
– People Controls
– Reporting and Recovering from a Security Breach
– Contractual Controls
– Technology Controls
– Acts of God or Terrorism
– Insurance
– Maintaining Effective Security
– The Standards-Based Approach
– The BS 7799 and ISO 17799 Standards
– Conclusion
• Managed Security Services
– Managed Security Pros
– Managed Security Cons
– Moving to the Managed Model
• Written Service-Level Agreements (SLAs)
• Secure Financial Position
• Recognised Standards
• Global Reach
• Vendor Accreditation
• Secure NOC (Network Operations Centre)
• Customer and Industry Testimony
– Conclusion
A Multi-Layered Response
• Many of the problems associated with information security arise from the tendency of most organisations to take a ‘sticking plaster’ approach to the issue, in that they identify that a threat exists or that a security incident has occurred and then determine a specific control in order to manage or mitigate the particular threat. The problem with this approach is that it is generally reactive and inconsistent, and it is simply not extensive enough as it does not consider other threats.
• A lack of consistency can be a serious problem, as security incidents can take a variety of forms.
• Incidents originating from outside the organisation are generally:
– Website defacement
– Denial of service (DoS)
• Incidents originating from inside the organisation are generally:
– Web surfing of non-business-related sites resulting in loss of productivity (ie revenue)
– Service disruption resulting from unscheduled or untested changes to the environment
– Illegal activity such as downloading pornographic material (such as paedophilia)
– Unwittingly introducing some form of virus into the environment, typically through email or file sharing
– Attempted access to systems or information by unauthorised persons (either accidental or malicious)
– Leaving classified or sensitive information on screen, visible to unauthorised persons
– Leaving systems logged in, unattended and accessible to passing persons
– Wrongful disclosure of personal information (in contravention of the Data Protection Act 1988)
– Accidental deletion of information
• The most serious incidents are rare but can prove very costly, whether they are internally or externally inspired. Internal staff are better positioned to exploit situations as they are typically ‘trusted’, with a good understanding of the systems, applications and architecture. An external hacker needs to be highly skilled, using a combination of analysis skills, code creation and even social engineering (the manipulation of people to obtain information).
• These rare types of incidents include:
– Theft of information, such as customer details
– Theft of information, such as credit card details
– Theft of information, such as ideas, products or solutions (ie industrial espionage)
– Embezzlement: this requires the perpetrator to understand how an organisation’s business operates, specifically in terms of accounting and cash-flow, in order to divert funds (easier for internal staff)
People Controls
• When considering the controls to be used to address the security issue, we must consider where and how we can influence behaviour.
• When considering the external threat, an organisation can exert very little influence over the behaviour of users entering its website, and as such it is dependent on technology products or product configurations either to make the environment (internet access, servers and applications) robust, or to detect, alert on and potentially repel malicious activity.
• When considering the internal threat, an organisation has far more influence over the behaviour of users utilising internal systems and information. Users must be made aware of what is acceptable behaviour and of the consequences of unacceptable behaviour.
• Another cause of internal security breaches is modification of applications, systems or infrastructure without adequate consideration for testing, back-up and back-out. Such changes cause down-time and risk introducing security weaknesses into the internal infrastructure. This is adequately addressed by an effective change control process that takes the security impact of each change into account.
Reporting and Recovering from a Security Breach
• In any instance that a security breach occurs, the training and education process should ensure that staff recognise an event and are aware of the process for reporting the event (who has responsibility), and that those persons with responsibility know the process for handling the event.
• These policies and procedures would entail such elements as:
– Procedures for handling staff who have contravened company security policies
– Procedures for detecting security breaches (tools, logs, etc)
– Procedures for recovering from specific types of incident (rebuild of operating system, restore from back-up, etc)
– Communication procedures
– Management procedures
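The ‘procedures for detecting security breaches (tools, logs)’ element above is the one a practitioner most wants to see made concrete, together with the ‘who has responsibility’ point from the previous slide. The Python below is an added example, not code from the original slides or the course: it parses constructed, simplified syslog-style authentication lines (the line format, host names, addresses, thresholds and the escalation table are all assumptions made for this example), flags the ‘attempted access by unauthorised persons’ incident from the earlier list either as a burst of failed logins from one source or as a success that follows recent failures from the same source, and tags each alert with the role responsible for handling it so that the reporting path is part of the detection output rather than a separate lookup.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the original page). The shape is a
# simplified, syslog-like format chosen for this example; real sshd lines differ.
SAMPLE_LOG = """\
2005-03-01T09:00:01 host1 sshd: Failed password for admin from 10.0.0.5
2005-03-01T09:00:03 host1 sshd: Failed password for admin from 10.0.0.5
2005-03-01T09:00:04 host1 sshd: Failed password for root from 10.0.0.5
2005-03-01T09:00:06 host1 sshd: Failed password for admin from 10.0.0.5
2005-03-01T09:00:07 host1 sshd: Failed password for admin from 10.0.0.5
2005-03-01T09:00:09 host1 sshd: Accepted password for admin from 10.0.0.5
2005-03-01T09:05:00 host1 sshd: Failed password for alice from 192.168.1.20
2005-03-01T09:30:00 host1 sshd: Accepted password for alice from 192.168.1.20
2005-03-01T09:31:00 host1 cron: job finished
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Hypothetical escalation table: which role has responsibility for each severity.
ESCALATION = {"critical": "incident manager", "high": "security operations"}


def parse_log(text):
    """Turn matching lines into event dicts; lines of other shapes are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window detection per source address.

    - brute_force: the source reaches `threshold` failed logins within `window`
      (fires once per burst, when the count first hits the threshold)
    - success_after_failures: a login succeeds while failures from the same
      source are still inside the window (possible guessed password)
    """
    recent_failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        src, ts = e["src"], e["ts"]
        # keep only failures that are still inside the window
        recent_failures[src] = [t for t in recent_failures[src] if ts - t <= window]
        if e["result"] == "Failed":
            recent_failures[src].append(ts)
            if len(recent_failures[src]) == threshold:
                alerts.append({"kind": "brute_force", "severity": "high",
                               "src": src, "host": e["host"], "ts": ts})
        elif recent_failures[src]:
            alerts.append({"kind": "success_after_failures", "severity": "critical",
                           "src": src, "host": e["host"], "user": e["user"], "ts": ts})
    return alerts


def route(alerts):
    """Attach the responsible role so each alert names who must act on it."""
    return [dict(a, owner=ESCALATION[a["severity"]]) for a in alerts]


def report(log_text):
    return route(detect(parse_log(log_text)))


if __name__ == "__main__":
    for a in report(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['severity']:8} {a['kind']:23} "
              f"src={a['src']} -> {a['owner']}")
```

Run against the sample, the burst from 10.0.0.5 produces one high-severity brute-force alert on the fifth failure and one critical alert when the following login succeeds; alice's single failure 25 minutes before her successful login falls outside the window and is correctly ignored. The window and threshold are the knobs a real procedure would document and tune.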
Contractual Controls
• Another element to consider is the potential threat (either accidental or malicious) from third parties with whom there is some formal relationship (such as trading partners or service providers); these may in some instances be considered as trusted, however, the threat still exists.
• With a trading partner a sensible approach is to make them responsible for their own actions, in addition to providing protective controls.
• A contract may state that they must demonstrate that ‘reasonable and considered’ controls are taken relative to the form of communication, sensitivity of the information and the potential threat.
• Contractual terms would then seek agreement on an interpretation of these controls and should also provide regular opportunities to have the controls demonstrated to the satisfaction of your organisation.
• At the point that the third party enters an organisation, controls should also be implemented.
• With a service provider, a contract should not only consider those conditions that apply to a trading partner, but should also consider how loss of the service provided by them would impact the service offered to customers and trading partners. In this respect, the contract should agree service level commitments that can be effectively monitored and proven, and should agree compensation for failure to achieve the service levels.
Technology Controls
• Where technology controls are used, it is important that they are configured and maintained as effectively as possible.
• Many organisations will be dependent upon utilising a specialist security company in order to ensure effective security through technology controls.
• This will often encompass multi-layer security (security in depth) to exploit and combine:
– Tight access controls
– Strong authentication
– Protection of information in transit (encryption)
– Hardened operating systems, services and applications
– High availability
– Quality of service
– Performance
Acts of God or Terrorism
• In the event that an incident occurs that is considered exceptional, such as flooding, lightning, vehicle crash, bomb explosion or significant loss of key staff (to lottery win, for example), an organisation must have plans in place to minimise the impact to the business by restoring a level of service within a pre-determined time-frame and managing the communications process between staff, partners and customers (ie business continuity).
Insurance
• When all reasonable measures have been taken, an organisation should also consider insurance. In the case of a significant security incident, insurance funds will limit the damage to the business by providing some element of (or all of) the revenue to recover the business to the point of normal operation.
• This form of insurance is often referred to as cyber-liability insurance. Some insurance companies specialise in such policies, but will often require some evidence that adequate controls have been implemented before a policy can be obtained.
Maintain Effective Security
• A management process for information security (policy-based controls) needs to encompass a mechanism for review. This mechanism should consist of an audit process to regularly review the business operations, the risks and the controls in order to ensure the policy-based controls remain effective.
• The technology controls also need to encompass a mechanism for review. This mechanism should consist of a regular audit of the complete technology infrastructure to review the technology operations, the risks and controls, and, importantly, to ensure that the technology controls remain effective. In addition, this review should encompass regular vulnerability and penetration testing.
• In both cases the primary purpose is to refine the controls each time the review is performed, thus optimising the controls, or ensuring that the controls are the most appropriate through experience. The process also ensures that information security adapts with changes to the organisation and changes with the way business is performed.
The Standards-Based Approach
• Any organisation that undertakes an exercise to implement ‘information security’ using the management approach to achieve consistent, extensive and comprehensive security will normally need to look for guidance.
• An own ‘best efforts approach’ has obvious limitations; it is far better to utilise an approach based upon best practice that has some form of track record – the obvious being an existing standard that specifically addresses the requirement. Several such standards exist that address the requirements to varying degrees.
The BS 7799 and ISO 17799 Standards
• The ISO 17799 standard started life as the British Standard BS 7799 Part 1, Code of Practice for Information Security Management, in 1995, and was adopted as ISO/IEC 17799 in 2000.
Conclusion
• This methodology is suitable for any organisation that aims to utilise a dual approach to the provision of information security that is extensive, consistent and effective – ie ‘security in depth and security in breadth’.
Managed Security Services
• Economic and staff resourcing factors are further driving the trend for strategic outsourcing of specialist business areas – a fact noted by Allan Carey, senior analyst for IDC: ‘The managed security services market is being driven primarily by resource constraints to capital and security expertise.’
• This model however is not new; companies have previously outsourced functions such as legal matters, HR, recruitment, accounting and front desk security to outside specialists. The management of a company IT security infrastructure can be seen simply as an extension of this.
Managed Security Pros
• The benefits of outsourcing managed security include:
– Leveraging the talents and experience of security and privacy experts to protect brand, intellectual property and revenues
– Supplementing existing security resources cost-effectively
– Implementing sophisticated security solutions
– Focusing resources on building core business, not on building a security centre or on trying to constantly stay on top of changing security threats
– Controlling and managing security spending
– Accessing a trusted advisor during security incidents
– Obtaining third-party validation and verification of the appropriateness of your security policies
– Benefiting from cutting-edge security research and development
Managed Security Cons
• Amongst the disadvantages of outsourcing security solutions we find:
– Allowing a third party access to the ‘keys to the safe’
– Long-term, inflexible contract terms
– That several companies in the managed security area are start-ups with an uncertain economic future
– Trust as the main barrier
Moving to The Managed Model
• Once a decision is taken to embrace managed security how do you select a service provider?
Written Service-Level Agreements (SLAs)
• The primary objective of a managed security service is to provide security services that meet the agreed business and technical requirements of the client. To facilitate this, the service provider needs to understand these requirements and translate them into measurable criteria. This allows the service provider to measure the service.
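The service-provider contract discussed under Contractual Controls (service levels that can be monitored and proven, with agreed compensation for failure) and the measurable criteria described here come down to the same mechanics: each commitment is a measured interval, a target, a required hit rate over a billing period and a credit if the hit rate is missed. The Python below is an added example, not code from the original slides or from any provider’s contract; the two SLA terms, the incident timestamps and the period fee are constructed assumptions, chosen so that one term is met and one is missed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SlaTerm:
    name: str            # label used in the contract
    start: str           # event field that starts the measured interval
    end: str             # event field that ends it
    target_minutes: int  # each event should complete within this many minutes
    required_pct: float  # fraction of events that must meet the target per period
    credit_pct: float    # fraction of the period fee owed back if required_pct is missed


# Hypothetical terms; the figures are assumptions for this example, not from the page.
SLA_TERMS = [
    SlaTerm("acknowledge_alert", "detected", "acknowledged", 15, 0.95, 0.05),
    SlaTerm("contain_incident", "detected", "contained", 240, 0.80, 0.10),
]


def _t(hhmmss):
    return datetime.fromisoformat("2005-03-01T" + hhmmss)


# Constructed incident records for one billing period.
EVENTS = [
    {"id": 1, "detected": _t("10:00:00"), "acknowledged": _t("10:05:00"), "contained": _t("12:00:00")},
    {"id": 2, "detected": _t("11:00:00"), "acknowledged": _t("11:30:00"), "contained": _t("13:00:00")},
    {"id": 3, "detected": _t("14:00:00"), "acknowledged": _t("14:10:00"), "contained": _t("20:00:00")},
    {"id": 4, "detected": _t("15:00:00"), "acknowledged": _t("15:02:00"), "contained": _t("16:00:00")},
    {"id": 5, "detected": _t("16:00:00"), "acknowledged": _t("16:05:00"), "contained": _t("17:00:00")},
]


def measure_term(term, events):
    """Measure one term over the period's events and decide compliance."""
    minutes = [(e[term.end] - e[term.start]).total_seconds() / 60 for e in events]
    met = sum(1 for m in minutes if m <= term.target_minutes)
    met_pct = met / len(minutes) if minutes else 1.0  # no events: nothing was missed
    return {
        "name": term.name,
        "met_pct": met_pct,
        "compliant": met_pct >= term.required_pct,
        "misses": [e["id"] for e, m in zip(events, minutes) if m > term.target_minutes],
        "worst_minutes": max(minutes, default=0.0),
    }


def evaluate_sla(terms, events, period_fee):
    """Evaluate every term and total the service credit owed for the missed ones."""
    results = [measure_term(t, events) for t in terms]
    credit = sum(t.credit_pct * period_fee
                 for t, r in zip(terms, results) if not r["compliant"])
    return {"terms": results, "service_credit": credit}


if __name__ == "__main__":
    outcome = evaluate_sla(SLA_TERMS, EVENTS, period_fee=10000.0)
    for r in outcome["terms"]:
        print(f"{r['name']:18} met {r['met_pct']:.0%}  compliant={r['compliant']}  "
              f"misses={r['misses']}  worst={r['worst_minutes']:.0f} min")
    print("service credit owed:", outcome["service_credit"])
```

The point of keeping the evidence (`misses`, `worst_minutes`) alongside the verdict is that the provider has to be able to prove the figure and the customer has to be able to dispute it; a compliance percentage on its own is neither monitorable nor provable in the sense the contract needs.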
Secure Financial Position
• After taking the time to select a suitable supplier of managed services, the last thing you want to happen is that they go bankrupt after a few months of the contract, leaving you ‘high and dry’. A secure financial position is perhaps the most important area to consider, even more so in the current economic climate. Part of the selection process here should be a check on the customer base and the length of time the company has operated within the managed service arena.
Recognised Standards
• If a company, particularly a service provider in this case, is awarded an ISO 9000 certificate, it can demonstrate to its customers that it is in possession of a documented quality system that is being observed and continually followed.
Global Reach
• A correctly scaled managed firewall or VPN (Virtual Private Network) service allows companies to take advantage of the inherent benefits of a well-designed, secure firewall deployment, and gives them the flexibility to expand outside their home country without the headache of building a secure communications platform themselves.
Vendor Accreditation
• The vendor accreditation aspect again links back to an MSP’s (managed service provider’s) investment in the service they supply.
Secure NOC (Network Operations Centre)
• When outsourcing the management of your firewalls/intrusion detection systems to an MSP, a minimum requirement must be that they have a secure operations centre from which they can monitor, manage and administer your firewalls.
Customer and Industry Testimony
• An MSP that conforms to most, if not all, of the points raised above is likely to have a mature installed user base that can vouch for its competence. Any managed service organisation that receives glowing references from both customers and industry peers is likely to make full use of them in corporate literature, websites and advertisements.
Conclusion
• Outsourcing security technologies is an increasing trend and one that seems set to continue.
The End