Security policies are the basis on which an effective security program can be developed. A security policy is the primary way management's expectations for security are translated. Security policies should be economically feasible, understandable, realistic, consistent, procedurally tolerable.
Copyright:
Attribution Non-Commercial (BY-NC)
Security Policies

Security policies are the basis on which an effective and comprehensive security program can be developed. This critical component of the overall security architecture, however, is often overlooked. A security policy is the primary way in which management's expectations for security are translated into specific, measurable, and testable goals and objectives.

It is crucial to take a top-down approach based on a well-stated policy in order to develop an effective security architecture. Conversely, if there isn't a security policy defining and communicating those decisions, then they will be made by the individuals building, installing, and maintaining computer systems, and this will result in a disparate and less than optimal security architecture being implemented.

The primary purpose of a security policy is to inform users, staff, and managers of the essential requirements for protecting various assets, including people, hardware and software resources, and data assets. The policy should specify the mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure, and audit computer systems and networks for compliance with the policy. This also allows for the subsequent development of operational procedures, the establishment of access control rules, and various application, system, network, and physical controls and parameters.

• The goal of the security policy is to translate, clarify and communicate management's position on security as defined in high-level security principles. The security policies act as a bridge between these management objectives and specific security requirements.

A security policy is a formal statement of the rules through which people are given access to an organization's technology, system and information assets. The security policy defines what business and security goals and objectives management desires, but not how these solutions are engineered and implemented.

A security policy should be economically feasible, understandable, realistic, consistent, procedurally tolerable, and also provide reasonable protection relative to the stated goals and objectives of management. Security policies define the overall security and risk control objectives that an organization endorses.

The characteristics of good security policies are:
• They must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods.
• They must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible.
• They must clearly define the areas of responsibility for the users, administrators, and management.
• They must be documented, distributed, and communicated.
• A successful security policy must be flexible. In order for a security policy to be feasible for the long term, it should be independent of specific hardware and software decisions, as specific system choices change rapidly.
• In addition, the mechanisms for updating the policy should be clearly spelled out. This includes the process, the people involved, and the people who must sign off on the changes.

Security Policy Structure
The basic structure of a security policy should contain the following components:
• A statement of the issue that the policy addresses.
• A statement about your position on the policy.
• How the policy applies in the environment.
• The roles and responsibilities of those affected by the policy.
• What level of compliance with the policy is necessary.

Once you have determined the value of your data, you need to develop a set of policies to help protect it. These policies are called security policies and may apply to users, the IT department, and the organization in general. When writing your policies, consider:
• What data may a user take home?
• If a user works from home or remote offices and uses the internet to transmit data, how secure must the data be when in transmission across the internet?
• What policies, network structure, and levels of defenses are required to secure your data depending on its importance, value and the cost of defending it?

The first items that should be defined are the policies related to the use and handling of your data. This will help you determine defensive measures and procedures. We have categorized policies into three different areas listed below:
• User Policies - Define what users can do when using your network or data, and also define security settings that affect users, such as password policies.
• IT Policies - Define the policies of the IT department used to govern the network for maximum security and stability.
• General Policies - High level policies defining who is responsible for the policies, along with business continuity planning and policies.

User Policies
User policies define what users can and must do to use your network and the organization's computer equipment. They define what limitations are put on users to keep the network secure, such as whether they can install programs on their workstations, the types of programs they can use, and how they can access data. Some policies include:
• Password Policies - This policy is to help keep user accounts secure. It defines how often users must change their passwords, how long they must be, complexity rules (types of characters used, such as lower case letters, upper case letters, numbers, and special characters), and other items.
• Proprietary Information Use - Acceptable use of any proprietary information owned by the company. Defines where it can be stored and where it may be taken, how and where it can be transmitted.
• Internet Usage - Use of internet mail, use of programs with passwords or unencrypted data sent over the internet.
• System Use - Program installation, no instant messaging, no file sharing such as Kazaa, Morpheus. Restrictions on use of your account or password (not to be given away).
• VPN and remote user system use (remote access) - Must be checked for viruses/trojans/backdoors. Must have a firewall, must have AV.
• Acceptable use of hardware such as modems - No use of modems to the internet without a personal firewall.

IT Policies
These policies include general policies for the IT department which are intended to keep the network secure and stable.
• Virus incident and security incident - Intrusion detection, containment, and removal:
1. Prepare (policies, checklists/procedures)
2. Identify (get evidence)
3. Contain (pull off network, modify passwords)
4. Eradicate (fix, determine cause, improve defenses, test for vulnerabilities)
5. Recover (validate the system, monitor for re-infection)
6. Lessons learned (make recommendations to prevent a similar incident)
• Backup policy - Define what to back up, who backs it up, where it is stored, how long it is stored, how to test backups, what program is used to do backups.
• Client update policies - Update clients how often and using what means or tools.
• Firewall policies - What ports to block or allow, how to interface to it or manage it, who has access to the control console.

General Policies
• High level program policy - Defines who owns other policies, who is responsible for them, scope and purpose of policies, any policy exceptions, related documents or policies.
• Business continuity plan - Includes the following plans:
  Crisis Management - What to do during any crisis which may threaten the organization.
  Disaster Recovery - Subfunctions: server recovery, data recovery, end-user recovery, phone system recovery, emergency response plan, workplace recovery.

Policy Levels
Policies can exist on many levels of the organization, from a group or team level to department level, plant level, or global organizational level. Some policies may only be effective on a local level while others may be enterprise-wide throughout the organization.

Security policies are an excellent way to complement the hardware and software security measures of your organization. Security policies can determine the method by which both hardware and software are used. The policies will enable everyone in the organization to be on the same track.

Every organization should have a stated security policy. It should be carefully written and checked by an attorney to be sure it does not create unnecessary liability.

Requirements of the Policy
• The policy must be consistent to be effective. There must be similar levels of security in multiple areas such as physical security, remote access, internal password policies, and other policies.
• The policy statement should be assessable. Issues should be clearly defined, including when they apply to the policy. Define the services affected, such as email. Clearly define the goals of the policy.
• Staff and management must find the policy acceptable. This is why it is important to justify each policy.
• Define roles of the staff with respect to the policies and security issues.
• The policy must be enforceable from the network and system controls. Policies must be set on servers to be sure domain passwords are reasonably complex, not repeated, changed periodically, etc.
• Define consequences of security policy violation.
• Define expected privacy for users.
• Provide contact information for those interested in more information about the policy.

User Security Issues
• User Education - Use caution opening e-mails. Do not open mail from unknown originators.
• Make users aware of the ability of hackers to hide executable files as text or other harmless file types.
• Users must be educated not to use the same passwords at work that they may use over unsecured connections on the internet.

Password Policies
• Logon passwords must be changed at least every 90 days (30-60 days recommended).
• Minimum password age policy - 5 days.
• Passwords must be at least 8 characters long and use at least two numbers.
• On Windows Domain networks, in the "Domain Security Policy" tool, select "Security Settings", "Account Policies", and "Password Policy". Enable the "passwords must meet complexity requirements" rule. This means at least one character from three of the following categories must be included:
  • lowercase
  • uppercase
  • numbers
  • special characters such as !@#$%^&*(){}[]
• Passwords must be kept secret and not written down.
• Don't let programs save passwords.
• Lock account after 3 failed logon attempts within 15 minutes.
• Account lockout should be reset by an administrator.
• No clear text passwords that can allow access to any sensitive information should be sent through any unsecured network such as the internet.
• The use of clear text passwords that can allow access to any sensitive information on a secure network should be avoided. This means that the use of FTP programs (unless over VPN) should be avoided. Secure Shell (SSH) programs can be used to perform the same function with encrypted passwords.
• Passwords should not be stored using reversible encryption.

Account Policy
• Remote users should be disconnected on NT domains after 1-4 hours of inactivity. This keeps users logged off after business hours so attackers can't use an open account to launch an attack from. Also, any open files are closed and the tape backup program can back up all files. Open files are not backed up.
• Set the account policy "Users must log on in order to change password".
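As an added illustration (not part of the original slides), the Python below applies the password rules stated above (at least 8 characters, at least two numbers, three of the four character categories) and the lockout rule (3 failed logons within 15 minutes) to constructed sample input; the account names, timestamps and function names are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Policy values taken from the slides above.
MIN_LENGTH = 8
MIN_DIGITS = 2
MIN_CATEGORIES = 3                       # "three of the following categories"
LOCKOUT_THRESHOLD = 3                    # failed logons ...
LOCKOUT_WINDOW = timedelta(minutes=15)   # ... within 15 minutes
SPECIAL_CHARS = set("!@#$%^&*(){}[]")    # the special characters listed on the slide


def check_password(password):
    """Return the list of policy rules the password breaks (empty list = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        violations.append("fewer than %d digits" % MIN_DIGITS)
    categories = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIAL_CHARS for c in password),
    ]
    if sum(categories) < MIN_CATEGORIES:
        violations.append("uses fewer than %d of the 4 character categories" % MIN_CATEGORIES)
    return violations


def accounts_to_lock(failed_logons):
    """Given (timestamp, account) pairs for failed logons, return the accounts that reach
    LOCKOUT_THRESHOLD failures inside any sliding LOCKOUT_WINDOW (per account)."""
    per_account = {}
    for when, account in failed_logons:
        per_account.setdefault(account, []).append(when)
    locked = set()
    for account, times in per_account.items():
        times.sort()
        for i in range(len(times) - LOCKOUT_THRESHOLD + 1):
            if times[i + LOCKOUT_THRESHOLD - 1] - times[i] <= LOCKOUT_WINDOW:
                locked.add(account)
                break
    return locked


# Constructed sample of failed logon events (made up for this example).
SAMPLE_FAILURES = [
    (datetime(2024, 1, 8, 9, 0), "alice"),
    (datetime(2024, 1, 8, 9, 4), "alice"),
    (datetime(2024, 1, 8, 9, 12), "alice"),  # third failure 12 minutes after the first: lock
    (datetime(2024, 1, 8, 9, 0), "bob"),
    (datetime(2024, 1, 8, 9, 20), "bob"),
    (datetime(2024, 1, 8, 9, 40), "bob"),    # three failures spread over 40 minutes: no lock
]
```

Run `check_password` against candidate passwords and `accounts_to_lock` over failed-logon events pulled from your logon logs to see which accounts the policy would lock.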