Security Awareness: Applying Practical Security in Your World
Chapter 3: Organizational Security

Post on 18-Dec-2015


Objectives

Explain why risk assessment and user responsibilities are part of a security policy
Explain the parts of a business continuity plan
List good practices that the Human Resources (HR) Department should follow to improve information security

Organizational Security

Internet usage in business is an essential tool
A company security policy is an equally essential tool
A security policy:
  Outlines what an employee may do on company computers
  Frequently isn’t followed due to a variety of factors
  Must be clearly communicated and strictly enforced

Security Policy

Security policy: document containing procedures to protect and maintain a company’s information resources
  Defines daily acceptable use
  Establishes a security perimeter around company data (see Figure 3-1)


Security Policy (continued)

Security policy basic guidelines:
  A security policy team creates and maintains the policy
  Business decision makers and representatives from HR, IT, and legal counsel should be on the team
  Commitment of senior management should be obtained
  The document is constantly updated
All security policies are based on risk assessment and will outline user responsibilities

Risk Assessment

Risk management: systematic process for identifying, analyzing, and controlling risk
  Risk assessment is an important part of risk management
  Determines weaknesses and identifies risks
Three steps to risk assessment:
  Asset identification
  Threat and vulnerability assessment
  Reduce risk (take action)

Asset Identification

Asset identification: identifying the organization’s assets, including computers, data, and programs
Once identified, assets must be prioritized:
  Replaceable or not?
  Possible targets of competitors?
  Would the company’s business halt if it were lost?
Some data may be more valuable than other data; it is very important to prioritize data

Threat and Vulnerability Assessment

Threat and vulnerability assessment: determining how assets are currently protected and the vulnerabilities of those assets
Threat modeling: scenarios of types of threats
Attack tree: visual image of attacks that might occur (see Figures 3-2 and 3-3)
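An attack tree is more than a picture: once each leaf carries an estimate of attacker effort, the tree can be evaluated to find the cheapest path to the goal and to rank which single fix raises that cost the most. The following is an added example written for this chapter, not code from the book; the tree, its node names, and the effort values are constructed, and the AND/OR evaluation rule (AND sums its children, OR takes the cheapest) is the usual textbook convention.

```python
"""Attack-tree evaluation for prioritizing mitigations (added example).
The tree below is constructed; effort values are arbitrary units."""
from dataclasses import dataclass, field
from typing import List, Optional

INF = float("inf")


@dataclass
class Node:
    name: str
    gate: Optional[str] = None          # "AND" / "OR" for inner nodes, None for leaves
    cost: int = 0                       # attacker effort for a leaf (constructed units)
    mitigated: bool = False             # leaf the defender has closed off
    children: List["Node"] = field(default_factory=list)


def cheapest(node):
    """Return (cost, leaf_names) for the least-effort way to achieve `node`.
    A mitigated leaf costs INF; AND sums its children, OR picks the cheapest."""
    if not node.children:
        return (INF, []) if node.mitigated else (node.cost, [node.name])
    results = [cheapest(c) for c in node.children]
    if node.gate == "AND":
        if any(cost == INF for cost, _ in results):
            return INF, []
        return sum(c for c, _ in results), [n for _, names in results for n in names]
    if node.gate == "OR":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown gate {node.gate!r} on {node.name}")


def build_tree(mitigated=()):
    """Constructed example tree with the goal 'read payroll file'."""
    def leaf(name, cost):
        return Node(name, cost=cost, mitigated=name in mitigated)

    return Node("Read payroll file", gate="OR", children=[
        Node("Log in as payroll clerk", gate="OR", children=[
            leaf("Guess weak password", 2),
            Node("Phish clerk", gate="AND", children=[
                leaf("Send convincing e-mail", 3),
                leaf("Clerk has no MFA", 1),
            ]),
        ]),
        Node("Steal the backup tape", gate="AND", children=[
            leaf("Enter on-site tape closet", 6),
            leaf("Tapes are unencrypted", 0),
        ]),
    ])


def best_single_mitigation(tree_builder, candidates):
    """Which one leaf, if mitigated, raises the cheapest attack the most?
    Returns (best_leaf, baseline_cost, {leaf: cost_after_mitigating_it})."""
    baseline, _ = cheapest(tree_builder())
    scored = {c: cheapest(tree_builder(mitigated={c}))[0] for c in candidates}
    return max(scored, key=scored.get), baseline, scored


if __name__ == "__main__":
    cost, path = cheapest(build_tree())
    print("cheapest attack:", cost, path)
    best, base, scored = best_single_mitigation(
        build_tree, ["Guess weak password", "Clerk has no MFA", "Tapes are unencrypted"])
    print(f"baseline {base}; best single fix: {best} -> {scored[best]}")
```

On the constructed tree the cheapest path is the weak-password leaf at cost 2; fixing that leaf lifts the attacker's cheapest option to 4 (the phishing branch), whereas fixing tape encryption alone changes nothing because the login branch is still cheaper. That is the decision the risk-assessment step is meant to inform.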


Threat and Vulnerability Assessment (continued)

Vulnerability assessment: determine if current security could be breached by an attack
Vulnerability assessment managed services (see Figure 3-4)


Reduce Risk

Reducing risk: determining what actions to take to reduce the risk of the security weakness
Not all weaknesses can be eliminated; some degree of risk must always be assumed
Three options:
  Accept
  Diminish
  Transfer
When developing the security policy, decisions must be made about the risks.

User Responsibilities

User responsibilities in the security policy cover three key areas:
  Password policies
  E-mail policies
  Internet policies

Password Policy

Password policies outline the minimum requirements for passwords and how they should be protected:
  Change passwords every 30 days
  Minimum length
  At least one nonalphabetic character
  Upper- and lowercase letters combined
  No personal information
  No common words
  Never given out over the telephone or through e-mail
  May not be reused for 12 months
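A policy on a slide only helps if the account system enforces it. The following is an added example, not code from the book, that turns the rules above into a checker: it reports every rule a candidate password breaks and decides whether a current password has passed the 30-day age limit. The slide gives no number for "minimum length", so 8 is an assumption; the common-word list, the personal-information fields, and the password history are constructed. Previous passwords are kept only as salted SHA-256 hashes, so the reuse check never needs old plaintexts.

```python
"""Password-policy checker for the rules on the slide (added example)."""
import hashlib
import re
from datetime import date, timedelta

MIN_LENGTH = 8               # assumption: the slide says "minimum length" without a number
MAX_AGE_DAYS = 30            # "Change passwords every 30 days"
REUSE_WINDOW_DAYS = 365      # "May not be reused for 12 months"
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "company"}  # constructed list


def hash_password(password, salt):
    """Salted SHA-256 used only for the history comparison in this example."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


def check_password(password, personal_info, history, today):
    """Return the list of rule violations; an empty list means the password passes.
    personal_info: strings such as name, username, birth year.
    history: (salt, digest, date_set) tuples for previous passwords."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("no nonalphabetic character")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("must mix upper- and lowercase letters")
    lowered = password.lower()
    for item in personal_info:
        if item and len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word ({word})")
    cutoff = today - timedelta(days=REUSE_WINDOW_DAYS)
    for salt, digest, set_on in history:
        if set_on >= cutoff and hash_password(password, salt) == digest:
            problems.append("reused within the last 12 months")
            break
    return problems


def password_expired(last_set, today):
    """True once the password is MAX_AGE_DAYS old or older."""
    return (today - last_set).days >= MAX_AGE_DAYS


# Constructed sample data for a single user
TODAY = date(2015, 12, 18)
PERSONAL = ["Dana", "dlee", "1984"]
HISTORY = [("s1", hash_password("Summer2015!", "s1"), date(2015, 7, 1))]

if __name__ == "__main__":
    for candidate in ["Summer2015!", "dana1984", "Password1", "Tz7#qLp9vR"]:
        print(candidate, "->", check_password(candidate, PERSONAL, HISTORY, TODAY) or "OK")
    print("expired:", password_expired(date(2015, 11, 1), TODAY))
```

The checker returns all violations at once rather than stopping at the first, so the user sees every rule the candidate breaks; the history entry is recorded with its own salt so that a leaked history file does not give away old passwords.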

E-Mail Policy

E-mail policies: e-mail is a company asset and a critical component of the communications system
  Define acceptable and unacceptable use of e-mail systems
  May provide examples of e-mail misuse
Deleted e-mail is not necessarily gone
  Businesses regularly copy and store e-mail
  Company e-mail records can be used in legal proceedings

Internet Use Policy

Internet use policy: provides lists of certain activities that are unacceptable
The security policy attempts to regulate personal Internet usage
Three primary reasons personal Internet usage is frowned on:
  Impacts employee productivity
  Uses bandwidth
  Can open doors to viruses and worms

Internet Use Policy (continued)

Typical Internet prohibitions:
  Accessing, downloading, printing, or storing sexually explicit content
  Downloading or transmitting fraudulent, threatening…or otherwise unlawful messages or images
  Installing or downloading software, programs, or executables
  Uploading or downloading copyrighted materials or proprietary information without consent

Human Resource Procedures

The best security policy is useless if employees are unaware of it
Human Resources (HR) has ongoing jobs:
  Inform new hires of security policies
  Perform ongoing training and updates about changes
  Play a pivotal role when an employee leaves the company

Hiring

In-depth information security training is essential for new hires
  The organization’s position on the importance of security
  The user’s responsibility to be aware of the importance of security, to achieve good security practices, and to know the penalties
At orientation sessions with HR, new users should be assigned:
  Usernames and passwords
  E-mail and other IT accounts

Education

Security in an organization continues to evolve
  Ongoing educational opportunities for all employees
Organization-wide security awareness program goals:
  Heighten awareness
  Change attitudes
  Influence behavior
Human firewall: any person who prevents security attacks from passing through them
Continually evaluate progress and results

Termination

When an employee leaves, it is critical to cancel that employee’s access
  Many attacks have been the result of a disgruntled ex-employee whose access was not terminated
Passwords and accounts should be cancelled
E-mail accounts should be disabled and the employee’s hard drive stored in case future reference becomes necessary
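The failure the slide warns about, an ex-employee whose access was never terminated, is easy to detect if the HR roster is compared against what the systems actually report. The following is an added example, not from the book, of that reconciliation: it lists every enabled account whose owner HR has marked as terminated (with how many days past their last day it still works) and every enabled account with no owner in the roster at all, since nobody will ever offboard those. The roster and the account exports are constructed.

```python
"""Offboarding reconciliation: HR roster vs. enabled accounts (added example)."""
from datetime import date

# Constructed HR roster: employee id -> (name, status, last_day)
HR_ROSTER = {
    "E100": ("Dana Lee", "active", None),
    "E101": ("Sam Ortiz", "terminated", date(2015, 12, 4)),
    "E102": ("Pat Quinn", "terminated", date(2015, 11, 20)),
}

# Constructed exports from three systems: (system, account, owner_id, enabled)
ACCOUNT_EXPORTS = [
    ("directory", "dlee", "E100", True),
    ("directory", "sortiz", "E101", True),                  # still enabled after last day
    ("directory", "pquinn", "E102", False),                 # correctly disabled
    ("email", "sam.ortiz@example.com", "E101", True),
    ("email", "pat.quinn@example.com", "E102", True),       # mailbox never disabled
    ("vpn", "vpn-svc-backup", None, True),                  # no owner on record
]


def find_offboarding_gaps(roster, exports, today):
    """Return findings as (system, account, reason, days_overdue) tuples,
    worst first. days_overdue is None for accounts with no owner."""
    findings = []
    for system, account, owner, enabled in exports:
        if not enabled:
            continue                       # disabled accounts are already handled
        if owner not in roster:
            findings.append((system, account, "no owner in HR roster", None))
            continue
        name, status, last_day = roster[owner]
        if status == "terminated":
            overdue = (today - last_day).days
            findings.append((system, account, f"owner {name} terminated", overdue))
    # longest-overdue first, then by system name for a stable report
    return sorted(findings, key=lambda f: (-(f[3] or 0), f[0]))


if __name__ == "__main__":
    for system, account, reason, overdue in find_offboarding_gaps(
            HR_ROSTER, ACCOUNT_EXPORTS, date(2015, 12, 18)):
        days = f"{overdue} days past last day" if overdue is not None else "unowned"
        print(f"{system:10} {account:28} {reason} ({days})")
```

Run against the constructed data on 18 December 2015, the report puts Pat Quinn's mailbox first (28 days past the last day), then Sam Ortiz's directory and mail accounts (14 days), and finally the ownerless VPN account. A check like this belongs on a schedule, because the HR termination date is the one signal the security team cannot see from the systems alone.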

Business Continuity Plan

Business continuity plan: establishes procedures that will allow the business to continue to function
Two key parts to a business continuity plan:
  Incident response team
  Disaster recovery plan

Incident Response Team

Incident response team (IRT): team of employees whose job is first response after a security incident
  Different classes of incidents should be outlined in advance to ensure a ready response
Two primary goals of an IRT:
  Gather and handle digital evidence of the attack
  Provide information about the attack to concerned parties

Incident Response Team (continued)

Gather and handle evidence: proper preservation of evidence
  Affected hard drives imaged (copied exactly)
  Chain of custody: documents where the evidence has been stored and everyone who has had contact with or access to the evidence
Disclose the attack: the nature of the attack helps determine who should be notified
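Two things make an image and its custody record stand up later: a hash taken at acquisition that every later handler can re-check, and a custody log that cannot be quietly edited. The following is an added example, not code from the book, that does both: each log entry records who handled the evidence, what they did, when, the image's SHA-256 at that moment, and the hash of the previous entry, so removing or altering an entry breaks the chain. The "disk image" bytes, the handlers, and the custody events are constructed.

```python
"""Evidence hash and tamper-evident chain-of-custody log (added example)."""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64   # "previous hash" for the first entry


def image_digest(image_bytes):
    """SHA-256 of the full image, taken at acquisition and re-checked later."""
    return hashlib.sha256(image_bytes).hexdigest()


def add_custody_entry(log, who, action, when, image_bytes):
    """Append an entry linked to its predecessor by hash and return it."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "who": who,
        "action": action,
        "when": when.isoformat(),
        "image_sha256": image_digest(image_bytes),
        "prev": prev,
    }
    payload = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(payload).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log, acquisition_digest):
    """Check that every entry links to its predecessor, that its own hash is
    intact, and that the image hash still equals the acquisition hash.
    Returns (ok, index_of_first_bad_entry_or_None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if (entry["prev"] != prev or entry["entry_hash"] != expected
                or entry["image_sha256"] != acquisition_digest):
            return False, i
        prev = entry["entry_hash"]
    return True, None


def build_demo_log(image):
    """Constructed custody history for one drive image."""
    log = []
    add_custody_entry(log, "j.doe (IRT)", "acquired image of affected drive",
                      datetime(2015, 12, 18, 9, 5), image)
    add_custody_entry(log, "j.doe (IRT)", "sealed image media in evidence locker",
                      datetime(2015, 12, 18, 9, 40), image)
    add_custody_entry(log, "k.ng (legal)", "checked out for review",
                      datetime(2015, 12, 19, 14, 0), image)
    return log


def demo():
    """Verify an intact chain, then show that editing one entry is detected."""
    image = b"\x55\xaa constructed-disk-image-contents " * 100   # constructed bytes
    log = build_demo_log(image)
    intact_ok, _ = verify_chain(log, image_digest(image))
    log[1]["action"] = "returned to owner"      # after-the-fact edit of entry 1
    tampered_ok, bad_index = verify_chain(log, image_digest(image))
    return intact_ok, tampered_ok, bad_index


if __name__ == "__main__":
    print(demo())   # expected: (True, False, 1)
```

The same `verify_chain` call also catches a changed image: if the bytes differ from what was acquired, the recorded `image_sha256` no longer matches and the first entry is reported. In practice the acquisition hash is written down (and signed) on the evidence form at the moment of imaging, which is what gives the later comparison its weight.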

Disaster Recovery Plan

Disaster recovery plan: designed to outline the procedures necessary for getting the business back to normal after an attack
  Recovery steps required for different types of disasters and attacks
Two key parts:
  Data backups
  Alternative sites

Disaster Recovery Plan (continued)

Data backups: data regularly copied to another medium and stored in a secure location
Media includes:
  Optical discs (CD-R, CD-RW, CD-ROM)
  Digital Versatile Discs (DVD, DVD-R, DVD-RAM, DVD-RW, DVD+RW)
  Magnetic tapes
Most businesses make two sets of backup tapes: one stored on-site and one off-site

Disaster Recovery Plan (continued)

Backup sites: alternative sites that may contain computers, networks, and the equipment necessary to run the business
Four types of backup sites:
  Mirror site
  Hot site
  Warm site
  Cold site

Summary

A security policy is a document containing procedures designed to protect and maintain an organization’s information resources
All security policies are based on a risk assessment and will outline user responsibilities

Summary (continued)

Risk assessment:
  Identify resources
  Determine relative value and how they are currently protected
  Explore threats
  Expose vulnerabilities
  Determine actions to reduce risk

Summary (continued)

When the risk assessment is complete, the next step is to create the security policy.
User responsibilities to minimize risks; key areas to address:
  Password policies
  E-mail policies
  Internet policies
It is the HR Department’s job to inform new hires of the security policies and to provide ongoing training and updates on changes.

Summary (continued)

The Human Resources Department plays a pivotal role in ensuring that an employee who leaves the company can no longer access systems.
When a new employee starts, HR must provide in-depth training regarding information security.
Security at organizations continues to evolve as new attacks, hardware, and goals change.
HR must provide ongoing education for all employees.

Summary (continued)

Business continuity plan: established procedures that will allow the business to continue functioning
Two key parts of a Business Continuity Plan:
  Incident Response Team
  Disaster Recovery Plan