Security Awareness: Applying Practical Security in Your World, Chapter 3: Organizational Security
Posted on 18-Dec-2015
Security Awareness: Applying Practical Security in Your World
Chapter 3: Organizational Security
Security Awareness: Applying Practical Security in Your World 2
Objectives
Explain why risk assessment and user responsibilities are part of a security policy
Explain the parts of a business continuity plan
List good practices that the Human Resources (HR) Department should follow to improve information security
Organizational Security
Internet usage in business is an essential tool
A company security policy is an equally essential tool
A security policy:
Outlines what an employee may do on company computers
Frequently isn’t followed due to a variety of factors
Must be clearly communicated and strictly enforced
Security Policy
Security policy: a document containing procedures to protect and maintain a company's information resources
Defines daily acceptable use
Establishes a security perimeter around company data (see Figure 3-1)
Security Policy (continued)
Security policy basic guidelines:
A security policy team creates and maintains the policy
Business decision makers and representatives from HR, IT, and legal counsel should be on the team
Commitment of senior management should be obtained
The document is constantly updated
All security policies are based on risk assessment and will outline user responsibilities
Risk Assessment
Risk management: a systematic process for identifying, analyzing, and controlling risk
Risk assessment is an important part of risk management: determine weaknesses and identify risks
Three steps to risk assessment:
Asset identification
Threat and vulnerability assessment
Reduce risk (take action)
Asset Identification
Asset identification: identifying the organization's assets, including computers, data, and programs
Once identified, assets must be prioritized:
Replaceable or not?
Possible targets of competitors?
Would the company's business halt if they were lost?
Some data may be more valuable than other data; it is very important to prioritize data
Threat and Vulnerability Assessment
Threat and vulnerability assessment: determining how assets are currently protected and the vulnerabilities of those assets
Threat modeling: scenarios of types of threats
Attack tree: a visual image of attacks that might occur (see Figures 3-2 and 3-3)
Threat and Vulnerability Assessment (continued)
Vulnerability assessment: determine whether current security could be breached by an attack
Vulnerability assessment managed services (see Figure 3-4)
Reduce Risk
Reducing risk: determining what actions to take to reduce the risk of the security weakness
Not all weaknesses can be eliminated; some degree of risk must always be assumed
Three options:
Accept
Diminish
Transfer
When developing the security policy, decisions must be made about the risks.
User Responsibilities
User responsibilities in the security policy cover three key areas:
Password policies
E-mail policies
Internet policies
Password Policy
Password policies outline the minimum requirements for passwords and how they should be protected:
Change passwords every 30 days
Minimum length
At least one nonalphabetic character
Upper and lower case letters combined
No personal information
No common words
Never given out over the telephone or through e-mail
May not be reused for 12 months
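An added example, not part of the slides, of enforcing the password rules listed above in code: a checker that reports every rule a candidate password violates, plus the 30-day expiry check. The minimum length of 8, the common-word list, and the use of SHA-256 for the reuse history are assumptions made for this example.

```python
import hashlib
import re
from datetime import date

# Assumed values for this example: the slides say "minimum length" without a number,
# and COMMON_WORDS is a constructed stand-in for a real dictionary list.
MIN_LENGTH = 8
MAX_AGE_DAYS = 30          # change passwords every 30 days
REUSE_WINDOW_DAYS = 365    # may not be reused for 12 months
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "summer")

def day(iso):
    """Parse a YYYY-MM-DD string into a date."""
    return date.fromisoformat(iso)

def fingerprint(password):
    # History is kept as hashes, never plaintext. A production system would use a
    # salted, slow password hash (bcrypt, scrypt, Argon2) rather than plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()

def check_password(candidate, personal_info, history, today):
    """Return the policy rules the candidate violates; an empty list means accepted.
    personal_info: strings the user must not embed (name, username, birth year).
    history: list of (fingerprint, date_set) for the user's previous passwords."""
    lower = candidate.lower()
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[^A-Za-z]", candidate):
        problems.append("no nonalphabetic character")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("upper and lower case not combined")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lower:
            problems.append(f"contains personal information ({item})")
    for word in COMMON_WORDS:
        if word in lower:
            problems.append(f"contains common word ({word})")
    digest = fingerprint(candidate)
    for old_digest, set_on in history:
        if old_digest == digest and (today - set_on).days < REUSE_WINDOW_DAYS:
            problems.append("reused within 12 months")
            break
    return problems

def is_expired(last_changed, today):
    """True once a password is 30 or more days old and must be changed."""
    return (today - last_changed).days >= MAX_AGE_DAYS
```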
E-Mail Policy
E-mail policies: e-mail is a company asset and a critical component of the communications system
Define acceptable and unacceptable use of e-mail systems; may provide examples of e-mail misuse
Deleted e-mail is not necessarily gone: businesses regularly copy and store e-mail
Company e-mail records can be used in legal proceedings
Internet Use Policy
Internet use policy: provides lists of certain activities that are unacceptable
The security policy attempts to regulate personal Internet usage
Three primary reasons personal Internet usage is frowned on:
Impacts employee productivity
Uses bandwidth
Can open doors to viruses and worms
Internet Use Policy (continued)
Typical Internet prohibitions:
Accessing, downloading, printing, or storing sexually explicit content
Downloading or transmitting fraudulent, threatening…or otherwise unlawful messages or images
Installing or downloading software, programs or executables
Uploading or downloading copyrighted materials or proprietary information without consent
Human Resource Procedures
The best security policy is useless if employees are unaware of it
Human Resources (HR) has ongoing jobs:
Inform new hires of security policies
Perform ongoing training and updates about changes
Play a pivotal role when an employee leaves the company
Hiring
In-depth information security training is essential for new hires
Position new hires on the importance of security
Users are responsible for being aware of the importance of security, achieving good security practices, and the penalties
At orientation sessions with HR, new users should be assigned:
Usernames and passwords
E-mail and other IT accounts
Education
Security in an organization continues to evolve; ongoing educational opportunities are needed for all employees
Organization-wide security awareness program goals:
Heighten awareness
Change attitudes
Influence behavior
Human firewall: any person who prevents security attacks from passing through them
Continually evaluate progress and results
Termination
When an employee leaves, it is critical to cancel that employee's access; many attacks have been the result of a disgruntled ex-employee whose access was not terminated
Passwords and accounts should be cancelled
E-mail accounts should be disabled and the employee's hard drive stored in case future reference becomes necessary
Business Continuity Plan
Business continuity plan: establishes procedures that will allow the business to continue to function
Two key parts to a business continuity plan:
Incident response team
Disaster recovery plan
Incident Response Team
Incident response team (IRT): a team of employees whose job is first response after a security incident
Different classes of incidents should be outlined in advance to ensure a ready response
Two primary goals of an IRT:
Gather and handle digital evidence of the attack
Provide information about the attack to concerned parties
Incident Response Team (continued)
Gather and handle evidence: proper preservation of evidence
Affected hard drives are imaged (copied exactly)
Chain of custody: documents where the evidence has been stored and everyone who has had contact with or access to the evidence
Disclose the attack: the nature of the attack helps determine who should be notified
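An added example, not from the slides, of the chain-of-custody record described above: each hand-off of an imaged drive is logged with the custodian, the storage location and the hash of the image as seen at that moment, so any alteration since imaging is visible to a reviewer. The case id, names, timestamps and image bytes are constructed for the example.

```python
import hashlib

def image_hash(image_bytes):
    """SHA-256 of a drive image, recorded at the moment the drive is imaged."""
    return hashlib.sha256(image_bytes).hexdigest()

class CustodyRecord:
    """Chain-of-custody log for one imaged drive.
    Every hand-off records who, when, where, and the hash seen at that point,
    so a reviewer can tell whether the image still matches the original."""

    def __init__(self, case_id, description, image_bytes, collected_by, when):
        self.case_id = case_id
        self.description = description
        self.original_hash = image_hash(image_bytes)
        self.entries = [{"when": when, "who": collected_by, "where": "imaging station",
                         "action": "acquired and hashed", "hash": self.original_hash}]

    def transfer(self, to_person, location, image_bytes, when):
        """Log a hand-off; return True only if the image is still unaltered."""
        seen = image_hash(image_bytes)
        self.entries.append({"when": when, "who": to_person, "where": location,
                             "action": "received", "hash": seen})
        return seen == self.original_hash

    def verify(self, image_bytes):
        """Integrity check before the image is relied on as evidence."""
        return image_hash(image_bytes) == self.original_hash

    def custodians(self):
        """Everyone who has had contact with the evidence, in order."""
        return [e["who"] for e in self.entries]

    def first_break(self):
        """Index of the first entry whose hash differs from the original, or None."""
        for i, e in enumerate(self.entries):
            if e["hash"] != self.original_hash:
                return i
        return None
```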
Disaster Recovery Plan
Disaster recovery plan: designed to outline the procedures necessary for getting the business back to normal after an attack
Recovery steps required for different types of disasters and attacks
Two key parts:
Data backups
Alternative sites
Disaster Recovery Plan (continued)
Data backups: data regularly copied to another medium and stored in a secure location
Media includes:
Optical discs (CD-R, CD-RW, CD-ROM)
Digital Versatile Discs (DVD, DVD-R, DVD-RAM, DVD-RW, DVD+RW)
Magnetic tapes
Most businesses make two sets of backup tapes: one stored on-site and one off-site
Disaster Recovery Plan (continued)
Backup sites: alternative sites that may contain computers, networks, and the equipment necessary to run the business
Four types of backup sites:
Mirror site
Hot site
Warm site
Cold site
Summary
A security policy is a document containing procedures designed to protect and maintain an organization's information resources
All security policies are based on a risk assessment and will outline user responsibilities
Summary (continued)
Risk assessment:
Identify resources
Determine relative value and how they are currently protected
Explore threats
Expose vulnerabilities
Determine actions to reduce risk
Summary (continued)
When the risk assessment is complete, the next step is to create the security policy.
User responsibilities to minimize risks; key areas to address:
Password policies
E-mail policies
Internet policies
It is the HR Department's job to inform new hires of the security policies and provide ongoing training and updates about changes.
Summary (continued)
The Human Resources Department plays a pivotal role in ensuring that an employee who leaves the company can no longer access systems.
When a new employee starts, HR must provide in-depth training regarding information security.
Security at organizations continues to evolve as new attacks, hardware, and goals change.
HR must provide ongoing education for all employees.
Summary (continued)
Business continuity plan: established procedures that will allow the business to continue functioning
Two key parts of a business continuity plan:
Incident response team
Disaster recovery plan