Policies and Procedures
Security+ Guide to Network Security Fundamentals
Chapter 11
Objectives
– Define the security policy cycle
– Explain risk identification
– Design a security policy
– Define types of security policies
– Define compliance monitoring and evaluation
Understanding the Security Policy Cycle
The first part of the cycle is risk identification
Risk identification seeks to determine the risks that an organization faces against its information assets
That information becomes the basis for developing a security policy
A security policy is a document or series of documents that clearly defines the defense mechanisms an organization will employ to keep information secure
Reviewing Risk Identification
The first step in the security policy cycle is to identify risks
This involves four steps:
– Inventory the assets
– Determine what threats exist against the assets and by which threat agents
– Investigate whether vulnerabilities exist that can be exploited
– Decide what to do about the risks
Asset Identification
An asset is any item with a positive economic value
There are many types of assets, classified as follows:
– Physical assets
– Data
– Software
– Hardware
– Personnel
Along with the assets, the attributes of the assets need to be compiled
After an inventory of assets has been created and their attributes identified, the next step is to determine each item’s relative value
Factors to be considered in determining the relative value are listed on pages 386 and 387 of the text
Threat Identification
A threat is not limited to those from attackers, but also includes acts of God, such as fire or severe weather
Threat modeling constructs scenarios of the types of threats that assets can face
The goal of threat modeling is to better understand who the attackers are, why they attack, and what types of attacks may occur
A valuable tool used in threat modeling is the construction of an attack tree
An attack tree provides a visual image of the attacks that may occur against an asset
Example attack tree (the goal is the root; each branch is one way to reach its parent):
Access student grade system
– Steal password
  – Look under mouse pad
  – Watch over shoulder
– Defeat security
  – Exploit software security hole
– Use unattended computer
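The slide's attack tree as a data structure, with a check of which branches a given set of controls still leaves open. This is an added example, not code from the text: the node names are the slide's, while the `mitigated` control set and the AND-node support (the slide's tree uses only OR branches) are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AttackNode:
    """One node of an attack tree; a node with no children is a concrete attack step."""
    name: str
    children: list = field(default_factory=list)
    conjunctive: bool = False  # True = AND node (all children needed), False = OR node (any child suffices)

# The tree drawn on the slide: every branch is an OR node.
GRADE_SYSTEM_TREE = AttackNode("Access student grade system", [
    AttackNode("Steal password", [
        AttackNode("Look under mouse pad"),
        AttackNode("Watch over shoulder"),
    ]),
    AttackNode("Defeat security", [
        AttackNode("Exploit software security hole"),
    ]),
    AttackNode("Use unattended computer"),
])

def achievable(node, mitigated):
    """True if the goal at this node is still reachable given the set of mitigated leaf names."""
    if not node.children:
        return node.name not in mitigated
    results = [achievable(child, mitigated) for child in node.children]
    return all(results) if node.conjunctive else any(results)

def open_paths(node, mitigated, prefix=()):
    """Root-to-leaf paths that remain open after mitigation.
    An AND node is reported as a single path listing all of its children, and only
    when every child is still achievable."""
    path = prefix + (node.name,)
    if not node.children:
        return [path] if node.name not in mitigated else []
    if node.conjunctive:
        return [path + tuple(c.name for c in node.children)] if achievable(node, mitigated) else []
    paths = []
    for child in node.children:
        paths.extend(open_paths(child, mitigated, path))
    return paths

def residual_goals(tree, mitigated):
    """Summary a policy team can act on: is the root goal still reachable, and by which paths."""
    return {"goal_reachable": achievable(tree, mitigated), "open_paths": open_paths(tree, mitigated)}

if __name__ == "__main__":
    # Constructed control set: the password policy forbids written passwords and requires
    # privacy screens, and patching closes the known hole, but unattended machines are not yet addressed.
    controls = {"Look under mouse pad", "Watch over shoulder", "Exploit software security hole"}
    report = residual_goals(GRADE_SYSTEM_TREE, controls)
    print("Goal still reachable:", report["goal_reachable"])
    for path in report["open_paths"]:
        print("  open path:", " -> ".join(path))
```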
Vulnerability Appraisal
After assets have been inventoried and prioritized and the threats have been explored, the next question becomes: what current security weaknesses may expose the assets to these threats?
Vulnerability appraisal takes a current snapshot of the security of the organization as it now stands
To assist with determining vulnerabilities of hardware and software assets, use vulnerability scanners
These tools, available as free Internet downloads and as commercial products, compare the asset against a database of known vulnerabilities and produce a discovery report that exposes the vulnerability and assesses its severity
Risk Assessment
The final step in identifying risks is to perform a risk assessment
Risk assessment involves determining the likelihood that the vulnerability is a risk to the organization
Each vulnerability can be ranked on a scale
Sometimes calculating anticipated losses can be helpful in determining the impact of a vulnerability
Formulas commonly used to calculate expected losses are:
– Single Loss Expectancy
– Annualized Loss Expectancy
An organization has three options when confronted with a risk:
– Accept the risk
– Diminish the risk
– Transfer the risk
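The two loss formulas carried through for a small constructed asset inventory, with the result used to rank risks and to weigh the three options the slide lists. This is an added example, not from the text: it uses the standard definitions SLE = AV x EF and ALE = SLE x ARO, which the slide names but does not spell out, and the asset values, exposure factors, rates, control costs and insurance premiums are made-up figures.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Risk:
    """One identified risk against an inventoried asset."""
    name: str
    asset_value: float      # AV: value of the asset from the asset inventory
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    annual_rate: float      # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF: the loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO: the expected loss per year."""
        return self.sle() * self.annual_rate

@dataclass
class Control:
    """A countermeasure that lowers EF and/or ARO for an annual cost (assumed model)."""
    annual_cost: float
    exposure_factor: float
    annual_rate: float

def rank_by_ale(risks):
    """Highest expected annual loss first: the order in which to address the risks."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)

def choose_option(risk: Risk, control: Optional[Control] = None,
                  insurance_premium: Optional[float] = None):
    """Compare accept / diminish / transfer by net annual benefit over doing nothing.
    Returns (best_option, benefits_by_option)."""
    before = risk.ale()
    benefits = {"accept": 0.0}
    if control is not None:
        after = risk.asset_value * control.exposure_factor * control.annual_rate
        benefits["diminish"] = before - after - control.annual_cost
    if insurance_premium is not None:
        # Transferring the risk replaces the expected loss with a fixed premium.
        benefits["transfer"] = before - insurance_premium
    best = max(benefits, key=benefits.get)  # ties resolve to 'accept'
    return best, benefits

# Constructed sample inventory; the figures are illustrative only.
RISKS = [
    Risk("Public web server defaced", asset_value=50_000, exposure_factor=0.5, annual_rate=2),
    Risk("Laptop with customer data lost", asset_value=80_000, exposure_factor=0.25, annual_rate=1),
    Risk("Payroll database corrupted", asset_value=200_000, exposure_factor=0.125, annual_rate=0.125),
]

if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.name}: SLE={r.sle():,.2f}  ALE={r.ale():,.2f}")
    patching = Control(annual_cost=12_000, exposure_factor=0.5, annual_rate=0.25)
    print(choose_option(RISKS[0], control=patching, insurance_premium=30_000))
```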
Designing the Security Policy
Designing a security policy is the logical next step in the security policy cycle
After risks are clearly identified, a policy is needed to mitigate what the organization decides are the most important risks
What Is a Security Policy?
A policy is a document that outlines specific requirements or rules that must be met
– Has the characteristics listed on page 393 of the text
– The correct vehicle for an organization to use when establishing information security
A standard is a collection of requirements specific to the system or procedure that must be met by everyone
A guideline is a collection of suggestions that should be implemented
Balancing Control and Trust
To create an effective security policy, two elements must be carefully balanced: trust and control
Three models of trust:
– Trust everyone all of the time
– Trust no one at any time
– Trust some people some of the time
Designing a Policy
When designing a security policy, you can consider a standard set of principles
These can be divided into what a policy must do and what a policy should do
Security policy design should be the work of a team and not one or two technicians
The team should have these representatives:
– Senior level administrator
– Member of management who can enforce the policy
– Member of the legal staff
– Representative from the user community
Elements of a Security Policy
Because security policies are formal documents that outline acceptable and unacceptable employee behavior, legal elements are often included in these documents
The three most common elements:
– Due care
– Separation of duties
– Need to know
Due Care
A term used frequently in legal and business settings
Defined as the obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them
Separation of Duties
A key element in internal controls
Means that one person’s work serves as a complementary check on another person’s
No one person should have complete control over any action from initialization to completion
Need to Know
One of the best methods to keep information confidential is to restrict who has access to that information
Only the employee whose job function depends on knowing the information is provided access
Types of Security Policies
A security policy is an umbrella term for all of the subpolicies included within it
In this section, you examine some common security policies:
– Acceptable use policy
– Human resource policy
– Password management policy
– Privacy policy
– Disposal and destruction policy
– Service-level agreement
Acceptable Use Policy (AUP)
Defines what actions users of a system may perform while using computing and networking equipment
Should have an overview regarding what is covered by this policy
Unacceptable use should also be outlined
Human Resource Policy
Policies of the organization that address human resources
Should include statements regarding how an employee’s information technology resources will be addressed
Password Management Policy
Although passwords often form the weakest link in information security, they are still the most widely used
A password management policy should clearly address how passwords are managed
In addition to controls that can be implemented through technology, users should be reminded of how to select and use passwords
Privacy Policy
Privacy is of growing concern among today’s consumers
Organizations should have a privacy policy that outlines how the organization uses the information it collects
Disposal and Destruction Policy
A disposal and destruction policy that addresses the disposing of resources is considered essential
The policy should cover how long records and data will be retained
It should also cover how to dispose of them
Service-Level Agreement (SLA) Policy
A contract between a vendor and an organization for services
Typically contains the items listed on page 403
Understanding Compliance Monitoring and Evaluation
The final process in the security policy cycle is compliance monitoring and evaluation
Some of the most valuable analysis occurs when an attack penetrates the security defenses
A team must respond to the initial attack and reexamine the security policies that address the vulnerability to determine what changes need to be made to prevent its reoccurrence
Incidence Response Policy
Outlines actions to be performed when a security breach occurs
Most policies outline the composition of an incidence response team (IRT)
Should be composed of individuals from:
– Senior management
– IT personnel
– Corporate counsel
– Human resources
– Public relations
Ethics Policy
Codes of ethics by external agencies have encouraged their membership to adhere to strict ethical behavior within their profession
Codes of ethics for IT professionals are available from the Institute of Electrical and Electronics Engineers (IEEE) and the Association for Computing Machinery (ACM), among others
The main purpose of an ethics policy is to state the values, principles, and ideals each member of an organization must agree to
Summary
The security policy cycle defines the overall process for developing a security policy
There are four steps in risk identification:
– Inventory the assets and their attributes
– Determine what threats exist against the assets and by which threat agents
– Determine whether vulnerabilities exist that can be exploited by surveying the current security infrastructure
– Make decisions regarding what to do about the risks
A security policy development team should be formed to create the information security policy
An incidence response policy outlines actions to be performed when a security breach occurs
A policy addressing ethics can also be formulated by an organization
Key Terms
– Pages 407 – 408
Review Questions
– Pages 408 – 410
Hands-On Projects
Receiving Security Information through RSS
– Pages 410 – 413
Wiping Data from a Floppy Disk
– Pages 413 – 414
Using a Security Scanner
– Page 415