Policies and ProceduresPolicies and Procedures

Security+ Guide to Network Security Security+ Guide to Network Security FundamentalsFundamentals

Chapter 11

2

ObjectivesObjectives

Define the security policy cycleDefine the security policy cycle Explain risk identificationExplain risk identification Design a security policyDesign a security policy Define types of security policiesDefine types of security policies Define compliance monitoring and Define compliance monitoring and

evaluationevaluation

3

Understanding the Security Understanding the Security Policy CyclePolicy Cycle

First part of the cycle is risk identificationFirst part of the cycle is risk identification Risk identification seeks to determine the risks Risk identification seeks to determine the risks

that an organization faces against its information that an organization faces against its information assetsassets

That information becomes the basis of developing That information becomes the basis of developing a security policya security policy

A security policy is a document or series of A security policy is a document or series of documents that clearly defines the defense documents that clearly defines the defense mechanisms an organization will employ to keep mechanisms an organization will employ to keep information secureinformation secure

4

Understanding the Security Understanding the Security Policy CyclePolicy Cycle

5

Reviewing Risk IdentificationReviewing Risk Identification

First step in security policy cycle is to First step in security policy cycle is to identify risksidentify risks

Involves the four steps:Involves the four steps:– Inventory the assetsInventory the assets– Determine what threats exist against the assets Determine what threats exist against the assets

and by which threat agentsand by which threat agents– Investigate whether vulnerabilities exist that Investigate whether vulnerabilities exist that

can be exploitedcan be exploited– Decide what to do about the risksDecide what to do about the risks

6

Reviewing Risk IdentificationReviewing Risk Identification

7

Asset IdentificationAsset Identification

An asset is any item with a positive economic An asset is any item with a positive economic valuevalue

Many types of assets, classified as follows:Many types of assets, classified as follows:– Physical assetsPhysical assets– – DataData– SoftwareSoftware– – HardwareHardware– PersonnelPersonnel

Along with the assets, attributes of the assets Along with the assets, attributes of the assets need to be compiledneed to be compiled

8

Asset IdentificationAsset Identification

After an inventory of assets has been After an inventory of assets has been created and their attributes identified, the created and their attributes identified, the next step is to determine each item’s next step is to determine each item’s relative valuerelative value

Factors to be considered in determining the Factors to be considered in determining the relative value are listed on pages 386 and relative value are listed on pages 386 and 387 of the text387 of the text

9

Threat IdentificationThreat Identification

A threat is not limited to those from A threat is not limited to those from attackers, but also includes acts of God, attackers, but also includes acts of God, such as fire or severe weathersuch as fire or severe weather

Threat modeling constructs scenarios of the Threat modeling constructs scenarios of the types of threats that assets can facetypes of threats that assets can face

The goal of threat modeling is to better The goal of threat modeling is to better understand who the attackers are, why they understand who the attackers are, why they attack, and what types of attacks may occurattack, and what types of attacks may occur

10

Threat IdentificationThreat Identification

A valuable tool used in threat modeling is A valuable tool used in threat modeling is the construction of an attack treethe construction of an attack tree

An attack tree provides a visual image of An attack tree provides a visual image of the attacks that may occur against an assetthe attacks that may occur against an asset

11

Threat IdentificationThreat Identification

Access studentgrade system

Steal password Defeat securityUse unattended

computer

Exploit softwaresecurity hole

Look undermouse pad

Watch overshoulder

12

Vulnerability AppraisalVulnerability Appraisal

After assets have been inventoried and After assets have been inventoried and prioritized and the threats have been prioritized and the threats have been explored, the next question becomes, what explored, the next question becomes, what current security weaknesses may expose the current security weaknesses may expose the assets to these threats?assets to these threats?

Vulnerability appraisal takes a current Vulnerability appraisal takes a current snapshot of the security of the organization snapshot of the security of the organization as it now standsas it now stands

13

Vulnerability AppraisalVulnerability Appraisal

To assist with determining vulnerabilities of To assist with determining vulnerabilities of hardware and software assets, use hardware and software assets, use vulnerability scanners vulnerability scanners

These tools, available as free Internet These tools, available as free Internet downloads and as commercial products, downloads and as commercial products, compare the asset against a database of compare the asset against a database of known vulnerabilities and produce a known vulnerabilities and produce a discovery report that exposes the discovery report that exposes the vulnerability and assesses its severityvulnerability and assesses its severity

14

Risk AssessmentRisk Assessment

Final step in identifying risks is to perform a risk Final step in identifying risks is to perform a risk assessmentassessment

Risk assessment involves determining the Risk assessment involves determining the likelihood that the vulnerability is a risk to the likelihood that the vulnerability is a risk to the organizationorganization

Each vulnerability can be ranked by the scale Each vulnerability can be ranked by the scale Sometimes calculating anticipated losses can be Sometimes calculating anticipated losses can be

helpful in determining the impact of a helpful in determining the impact of a vulnerabilityvulnerability

15

Risk AssessmentRisk Assessment

Formulas commonly used to calculate Formulas commonly used to calculate expected losses are:expected losses are:– Single Loss ExpectancySingle Loss Expectancy– Annualized Loss ExpectancyAnnualized Loss Expectancy

An organization has three options when An organization has three options when confronted with a risk:confronted with a risk:– Accept the riskAccept the risk– Diminish the riskDiminish the risk– Transfer the riskTransfer the risk

16

Risk AssessmentRisk Assessment

17

Designing the Security PolicyDesigning the Security Policy

Designing a security policy is the logical Designing a security policy is the logical next step in the security policy cyclenext step in the security policy cycle

After risks are clearly identified, a policy is After risks are clearly identified, a policy is needed to mitigate what the organization needed to mitigate what the organization decides are the most important risksdecides are the most important risks

18

What Is a Security Policy?What Is a Security Policy?

A policy is a document that outlines specific A policy is a document that outlines specific requirements or rules that must be metrequirements or rules that must be met– Has the characteristics listed on page 393 of the textHas the characteristics listed on page 393 of the text

– Correct vehicle for an organization to use when Correct vehicle for an organization to use when establishing information securityestablishing information security

A standard is a collection of requirements specific to A standard is a collection of requirements specific to the system or procedure that must be met by everyonethe system or procedure that must be met by everyone

A guideline is a collection of suggestions that should A guideline is a collection of suggestions that should be implementedbe implemented

19

Balancing Control and TrustBalancing Control and Trust

To create an effective security policy, two To create an effective security policy, two elements must be carefully balanced: trust elements must be carefully balanced: trust and control and control

Three models of trust:Three models of trust:– Trust everyone all of the timeTrust everyone all of the time– Trust no one at any timeTrust no one at any time– Trust some people some of the timeTrust some people some of the time

20

Designing a PolicyDesigning a Policy

When designing a security policy, you can When designing a security policy, you can consider a standard set of principles consider a standard set of principles

These can be divided into what a policy These can be divided into what a policy must do and what a policy should domust do and what a policy should do

21

Designing a PolicyDesigning a Policy

22

Designing a PolicyDesigning a Policy

Security policy design should be the work Security policy design should be the work of a team and not one or two techniciansof a team and not one or two technicians

The team should have these representatives:The team should have these representatives:– Senior level administratorSenior level administrator– Member of management who can enforce the Member of management who can enforce the

policypolicy– Member of the legal staffMember of the legal staff– Representative from the user communityRepresentative from the user community

23

Elements of a Security PolicyElements of a Security Policy

Because security policies are formal Because security policies are formal documents that outline acceptable and documents that outline acceptable and unacceptable employee behavior, legal unacceptable employee behavior, legal elements are often included in these elements are often included in these documentsdocuments

The three most common elements:The three most common elements:– Due careDue care– Separation of dutiesSeparation of duties– Need to knowNeed to know

24

Elements of a Security PolicyElements of a Security Policy

25

Due CareDue Care

Term used frequently in legal and business Term used frequently in legal and business settings settings

Defined as obligations that are imposed on Defined as obligations that are imposed on owners and operators of assets to exercise owners and operators of assets to exercise reasonable care of the assets and take reasonable care of the assets and take necessary precautions to protect themnecessary precautions to protect them

26

Separation of DutiesSeparation of Duties

Key element in internal controlsKey element in internal controls Means that one person’s work serves as a Means that one person’s work serves as a

complementary check on another person’s complementary check on another person’s No one person should have complete No one person should have complete

control over any action from initialization to control over any action from initialization to completioncompletion

27

Need to KnowNeed to Know

One of the best methods to keep One of the best methods to keep information confidential is to restrict who information confidential is to restrict who has access to that informationhas access to that information

Only that employee whose job function Only that employee whose job function depends on knowing the information is depends on knowing the information is provided accessprovided access

28

Types of Security PoliciesTypes of Security Policies

Umbrella term for all of the subpolicies Umbrella term for all of the subpolicies included within itincluded within it

In this section, you examine some common In this section, you examine some common security policies:security policies:– Acceptable use policyAcceptable use policy– Human resource policyHuman resource policy– Password management policyPassword management policy– Privacy policyPrivacy policy– Disposal and destruction policyDisposal and destruction policy– Service-level agreementService-level agreement

29

Types of Security PoliciesTypes of Security Policies

30

Types of Security PoliciesTypes of Security Policies

31

Types of Security PoliciesTypes of Security Policies

32

Acceptable Use Policy (AUP)Acceptable Use Policy (AUP)

Defines what actions users of a system may Defines what actions users of a system may perform while using computing and perform while using computing and networking equipmentnetworking equipment

Should have an overview regarding what is Should have an overview regarding what is covered by this policycovered by this policy

Unacceptable use should also be outlinedUnacceptable use should also be outlined

33

Human Resource PolicyHuman Resource Policy

Policies of the organization that address Policies of the organization that address human resourceshuman resources

Should include statements regarding how an Should include statements regarding how an employee’s information technology employee’s information technology resources will be addressedresources will be addressed

34

Password Management PolicyPassword Management Policy

Although passwords often form the weakest Although passwords often form the weakest link in information security, they are still the link in information security, they are still the most widely usedmost widely used

A password management policy should clearly A password management policy should clearly address how passwords are managedaddress how passwords are managed

In addition to controls that can be implemented In addition to controls that can be implemented through technology, users should be reminded through technology, users should be reminded of how to select and use passwordsof how to select and use passwords

35

Privacy PolicyPrivacy Policy

Privacy is of growing concern among Privacy is of growing concern among today’s consumerstoday’s consumers

Organizations should have a privacy policy Organizations should have a privacy policy that outlines how the organization uses that outlines how the organization uses information it collectsinformation it collects

36

Disposal and Destruction PolicyDisposal and Destruction Policy

A disposal and destruction policy that A disposal and destruction policy that addresses the disposing of resources is addresses the disposing of resources is considered essentialconsidered essential

The policy should cover how long records The policy should cover how long records and data will be retainedand data will be retained

It should also cover how to dispose of themIt should also cover how to dispose of them

37

Service-Level Agreement (SLA) Service-Level Agreement (SLA) PolicyPolicy

Contract between a vendor and an Contract between a vendor and an organization for servicesorganization for services

Typically contains the items listed on page Typically contains the items listed on page 403403

38

Understanding Compliance Understanding Compliance Monitoring and EvaluationMonitoring and Evaluation

The final process in the security policy cycle is The final process in the security policy cycle is compliance monitoring and evaluationcompliance monitoring and evaluation

Some of the most valuable analysis occurs when Some of the most valuable analysis occurs when an attack penetrates the security defensesan attack penetrates the security defenses

A team must respond to the initial attack and A team must respond to the initial attack and reexamine security policies that address the reexamine security policies that address the vulnerability to determine what changes need to vulnerability to determine what changes need to be made to prevent its reoccurrencebe made to prevent its reoccurrence

39

Incidence Response PolicyIncidence Response Policy

Outlines actions to be performed when a Outlines actions to be performed when a security breach occurssecurity breach occurs

Most policies outline composition of an Most policies outline composition of an incidence response team (IRT)incidence response team (IRT)

Should be composed of individuals from:Should be composed of individuals from:– Senior managementSenior management – IT personnel– IT personnel– Corporate counselCorporate counsel – Human resources– Human resources– Public relationsPublic relations

40

Incidence Response PolicyIncidence Response Policy

41

Ethics PolicyEthics Policy

Codes of ethics by external agencies have Codes of ethics by external agencies have encouraged its membership to adhere to strict encouraged its membership to adhere to strict ethical behavior within their professionethical behavior within their profession

Codes of ethics for IT professionals are available Codes of ethics for IT professionals are available from the Institute for Electrical and Electronic from the Institute for Electrical and Electronic Engineers (IEEE) and the Association for Engineers (IEEE) and the Association for Computing Machinery (ACM), among othersComputing Machinery (ACM), among others

Main purpose of an ethics policy is to state the Main purpose of an ethics policy is to state the values, principles, and ideals each member of an values, principles, and ideals each member of an organization must agree toorganization must agree to

42

SummarySummary

The security policy cycle defines the overall The security policy cycle defines the overall process for developing a security policyprocess for developing a security policy

There are four steps in risk identification:There are four steps in risk identification:– Inventory the assets and their attributesInventory the assets and their attributes

– Determine what threats exist against the assets and by Determine what threats exist against the assets and by which threat agentswhich threat agents

– Determine whether vulnerabilities exist that can be Determine whether vulnerabilities exist that can be exploited by surveying the current security exploited by surveying the current security infrastructureinfrastructure

– Make decisions regarding what to do about the risksMake decisions regarding what to do about the risks

43

SummarySummary

A security policy development team should A security policy development team should be formed to create the information security be formed to create the information security policypolicy

An incidence response policy outlines An incidence response policy outlines actions to be performed when a security actions to be performed when a security breach occursbreach occurs

A policy addressing ethics can also be A policy addressing ethics can also be formulated by an organizationformulated by an organization

44

Key TermsKey Terms

Pages 407 – 408Pages 407 – 408 Review QuestionsReview Questions

– Pages 408 – 410Pages 408 – 410

45

Hands-On ProjectsHands-On Projects

Receiving Security Information through Receiving Security Information through RSSRSS– Pages 410 – 413Pages 410 – 413

Wiping Data from a Floppy DiskWiping Data from a Floppy Disk– Pages 413 – 414Pages 413 – 414

Using a Security ScannerUsing a Security Scanner– Page 415Page 415