Security Beyond the Firewall
“Protecting Information in the Enterprise”
Most organizations have the following:
Firewall
Antivirus software
Intrusion Detection
Intrusion Prevention
Authentication technologies
However, the monitoring and assessment responsibilities are either overlooked, underfunded, or just not done properly or at all!
An Information Security Policy is a collection of documents that states in writing how a company plans to protect the company’s physical and information technology assets. It is considered to be a “living document”, meaning that the document is continuously updated as technology and employee requirements change.
Most policies will include an “Acceptable Use Policy” which is a description of how the company plans to educate its employees about protecting the company’s assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure the necessary corrections will be made.
Source: searchSecurity.com
What steps are required in writing an Information Security Policy?
1. Commitment
2. Risk Assessment
3. Risk Mitigation
4. The Policy Document
COMMITMENT
• You need commitment from Upper Management.
• They must be made aware of the magnitude of losses in case of a security breach of the company network.
• You must understand the corporate vision and business objectives and how IT fits in with corporate plans.
Analyze the following:
What are the information assets of the company in terms of hardware and software, including the network, as well as the future investment plan in IT/IS?
What is the company’s dependence on IT in real measurable terms like financial benefits, better service to clients, improved image and market share?
How much will the company suffer due to any loss, leakage or distortion of information?
RISK ASSESSMENT
Document every risk:
• A company may have encountered in the past
• Companies in similar business
• Companies in the same geographical area
• Companies using the same technology
• Any other risk that may impact the company’s business
RISK MITIGATION
Security can never be achieved through a single tier of defense. We need to have multiple layers to protect our assets. For each security risk that we have tabulated, we should identify the preventive measures that could be used to reduce the risk. The measures for risk mitigation could be:
• Administrative measures
• Physical measures
• Technical measures
Administrative measures consist of policies, procedures, standards and guidelines; personnel screening; security awareness training.
Physical measures could be perimeter control measures, physical access control, intruder detection, fire protection, environmental monitoring.
Technical measures will include logical access control, network access controls, identification and authentication devices; data encryption.
Designing, documenting, implementing and monitoring security policies is a lot of administrative work. In fact, security is 75 percent administrative grind and only 25 percent technical efforts. Not a very glamorous affair, but essential. Policies are the preventive controls.
Source: The importance of having an Information Security policy is now being acknowledged even by top management. But how do you go about writing an Information Security policy? by Avinash Kadam
Natural and Environmental Threats:
Disaster recovery (*Business Continuity Planning)
Backup and recovery
WAN recovery
Human Threats:
Password Security & Controls
Internet access and security
Email security:
Technical controls
Logical Access Controls
Program Change Controls
Version Controls
Application Software Security
Database Security:
Network & Telecommunication Security
Administration
Data Access Roles
Operating Systems Security:
Firewall Security
Data Classification
Web server Security
Intranet Security
Virus-Protection
E-commerce Security
Data encryption
Administrative Controls:
Physical Security
Incidence Response management
Punitive actions
THE POLICY DOCUMENT
The Information Security Policy has to be understood and followed by all employees. It should be brief but cover all aspects.
Policy Statement:
Outline the objective of the policy. Emphasize the actual risks that will be addressed by this policy. Make it as near to the company's business as possible so that the reader is convinced about the necessity of the policy.
Policy Scope:
Specify the areas of concern which the policy will address. This will list the organizational units, individuals and technical systems covered by the policy.
Validity:
Define the life-span for the policy and when it will be reviewed next. The review must be done at least once a year to keep the policy current.
Owner:
Author of the policy should be a respected IS professional. This will ensure responsibility and accountability. This is even more important while drafting policies of a technical nature.
Review-details:
Record of previous review and the changes therein.
Compliance requirements:
Punitive actions that should be taken if the policy is not adhered to. This of course needs clearance from HR, but absence of this will make the policies 'best ignored practices' instead of 'best practices'. Names of the appointed persons who will enforce these policies.
Policy details:
After the above preamble, here is the real policy.
Specific issues that the policy is addressing:
Give the background, describe the risks that have been identified, state the security expectations that the policy will fulfill.
Best practices:
Give a detailed list of recommended best practices.
Mandatory practices:
This is the minimum standard which has to be implemented.
Procedure for implementation:
A step-by-step procedure which will be followed for implementation of the policy. There will be references to forms, templates, standards, guidelines etc. which could be given as annexure.
Monitoring and reporting mechanism to ensure proper implementation:
How the compliance will be monitored. How non-compliance will be reported and what actions would be taken.
Essential Policies:
List the essential policies under various and applicable controls.
Source: The importance of having an Information Security policy is now being acknowledged even by top management. But how do you go about writing an Information Security policy? by Avinash Kadam
Example of an Information Security Policy concentrating on e-mail.
The Policy Details section should cover the following:
Confidentiality of information
E-mail should not be used for confidential information exchange
Sender will be totally responsible for the content of the information
No sensitive information such as passwords, PINs or credit card details should ever be sent by e-mail
Appropriate Use:
Use of e-mail will be restricted for business use only
No obscene or profane message should be sent
E-mail should not be used for sending spam mail
E-mail should not be used to transmit chain mails, greetings, graphics etc.
E-mails should not be automatically forwarded to addresses outside the company
Size of the e-mail should be restricted within approved limits
Management Authority:
Management could use its right to monitor the e-mails
Management could store the e-mails for retrieval at a later date for any legal purpose
Any encryption done to e-mail attachments should be with the company's approval and the encryption key should be stored for retrieval when necessary
Disclaimer Notice:
Since e-mail is not a secure medium and it is very easy to read, copy or alter an e-mail, put a disclaimer similar to the one given below. The company can at least protect itself from any misuse.
"The information in this mail is confidential and is intended solely for the addressee. Access to this mail by anyone else is unauthorized. Any copying or further distribution beyond the original recipient is not intended and may be unlawful. The opinion expressed in this mail is that of the sender and does not necessarily reflect that of the XXX company."
U.S. Federal Security Legislation and Regulations:
http://www.bakernet.com/ecommerce/fedlegis-s.htm
The U.S. National Strategy to Secure Cyberspace
http://www.whitehouse.gov/pipb/
SANS Internet Storm Center
http://isc.incidents.org/
InfraGard
http://www.infragard.org
Eric D. Jordan
Ernesto T. Negron