Meeting 14: Security Policies. Course: A0334/Pengendalian Lingkungan Online (Online Environment Control)

Course: A0334/Pengendalian Lingkungan Online (Online Environment Control)
Year: 2005
Version: 1/1
Meeting 14
Security Policies
Learning Outcomes
By the end of this meeting, students are expected to be able to:
• State what security policies are
Material Outline
• Security as Standard
  – Establishing The Standards
  – What The International Standard Covers
  – Benefits
  – Conclusion
• Adequate Security
  – Where To Start Implementing IT Security
  – Different Approaches To Security
    • Protecting
    • Detecting
    • Responding
    • Roadmaps and The 80:20 Rule
  – The ‘Seven Rules’ Approach
    • Have/Create A Security Plan
    • Understand Your Risk Levels
    • Don’t Depend on Firewalls
    • Have An Access Policy
    • Test, Test, Test
    • Keep Monitoring
    • Plan for Disaster
  – Conclusion
Security as Standard
• ‘Walls have ears’ – this slightly surreal cautionary wartime note was one of the first warnings about confidentiality that most of the British public had ever heard.
• In three decades the battlefront has moved from the waste bin and the pub to IT, telemetry and corporate governance.
• Of course, the stakes are now so high that information security has spawned a whole industry – and a rewarding one. But different organisations have approached it in different ways. Perhaps because matters of confidentiality and security are discussed only ‘on a need to know basis’. Perhaps because the technology of espionage and counter-espionage is so precious it’s kept close to the chest. And perhaps because bosses and IT managers don’t like to deal with outside authorities on matters so intimate.
• Varying standards of security equipment are permissible.
Establishing The Standards
• Towards the end of the last millennium the British Standards Institute knuckled down to establishing an information security standard.
What The International Standard Covers
• Most organisations will already have some of these in place, but few will be doing everything.
Benefits
• The benefits are expressed as ‘benefiting the bottom line’ – that is, supporting the private sector objectives of efficiency and profitability – although, clearly, non-profit-making organisations stand to benefit in other no less valuable ways.
Conclusion
• Over the years, successive boardroom coups have demonstrated that information has a tangible value and a very powerful influence over the fortunes of organisations and individuals.
Adequate Security
• Most UK companies recently surveyed spend approximately one per cent of their IT budget on security, well below the recommended spend on security of three per cent of IT budgets, or 10 per cent of IT budgets in the case of financial services companies.
• It is important to remember that security spend needs to be justified in terms of business benefit and return on investment (ROI) with a comprehensive cost/risk-benefit analysis, especially as you need to be sure that any security spend can be fully explained to your board members.
Where To Start Implementing IT Security
• Any enterprise wanting to make improvements in security must take a broad view of its information assets and understand their value as well as the threats to these assets and their vulnerabilities.
• The first thing a company should then ascertain is whether or not there are any existing company security policy documents. A security policy is a formal published document that defines roles, responsibilities, acceptable use and enterprise security practices.
• Companies with existing security policies generally have a far greater understanding and appreciation of why they need to manage the confidentiality, integrity and availability of their information assets than those without such policies.
Different Approaches To Security
• Many data security issues are common sense – just as you wouldn’t drive a car on the road without brakes, similarly you shouldn’t put unprotected web servers on the Internet. The risks are simply too great.
• Adequate IT information security is about being able to reduce those risks by continually:
  – Protecting
  – Detecting
  – Responding
  – Roadmaps and The 80:20 Rule
Protecting
• This means sufficiently recognising, prioritising and protecting your organisation’s information assets by acknowledging the wide abuses they could be subject to because of their importance, uses and location – this primarily involves business issues concerning people, policies and processes.
Detecting
• You must be able to recognise abuses no matter who or what is responsible for them – this involves people, policies, technology, settings and processes.
Responding
• You should defend your assets from misuse either automatically or with rapid decision-making, or even with manual intervention, to stop the misuse. The word ‘continually’ is key here. IT security is not about buying hardware and software, setting it up and then forgetting about it. New risks and vulnerabilities occur every day, especially as hackers get smart to new technologies and applications.
Roadmaps and The 80:20 Rule
• IT security is very much governed by the same 80:20 rule, or Pareto Principle, used in marketing, except in this case, whilst 80 per cent of security is people, processes and documentation, only 20 per cent of security is the technology. There are quite a few standard security roadmaps and guidelines around.
The ‘Seven Rules’ Approach
• A rather simplistic yet more pragmatic way of looking at IT security is the ‘Seven Rules’ approach to website security, which Computacenter has updated below so it can also apply to networks:
  – Have/Create A Security Plan
  – Understand Your Risk Levels
  – Don’t Depend on Firewalls
  – Have an Access Policy
  – Test, Test, Test
  – Keep Monitoring
  – Plan for Disaster
Have/Create A Security Plan
• Have a solid security plan and adequate policies in place – ideally before you open your new systems to real-world users and hackers! Also, ensure that you conduct regular vulnerability assessments and penetration tests on all your systems.
Understand Your Risk Levels
• Regular assessment lets you set the levels of risk you are taking and relate them to your ‘adequate’ security protection posture. It is important to remember that while security is an enabler, it also takes both time and money to implement, so systems should not be made substantially more complex for end-users. For instance, you may want a simple password system to allow users to access low-value information services but more complex authentication and authorisation procedures for more confidential, sensitive or valuable information.
Don’t Depend on Firewalls
• You need them, but there’s more to a complete security system than just adding one to external connections to your local area network. Firewalls are often single points of failure, so work out the implications of losing connectivity or external access to systems.
Have An Access Policy
• Have an access policy and ensure that it is adhered to. As is common in most environments, you will need different levels of user access. You want customers to buy goods online, but you do not want to provide hackers with an open door to your system and data. You also want to authenticate remote and teleworkers more stringently, as well as their system authorisations and privileges. Access via wired or wireless connections and devices needs to be examined to ensure that it is secure.
Test, Test, Test
• Get somebody else to test your security regularly.
Keep Monitoring
• Monitor your security regularly, ideally using software-alerting and management tools, and ensure that results are analysed.
Plan for Disaster
• Have plans in place for when it all goes wrong. This should be a natural progression from the vulnerability assessment, but it is often forgotten about.
Conclusion
• Security is clearly becoming a big issue for enterprises; however, not all companies have yet adopted sufficient security measures.
• There is no great mystery behind information security, and there are a number of roadmaps out there to help you, no matter how basic or sophisticated your business, to prioritise and create an ROI for every layer of security you adopt.
• The key message is that it’s important to start considering the risks, build company-wide security policies and justify the deployment and management of security technology within all your new IT initiatives.
• User education is also imperative to the implementation of a successful IT security solution and should be built into any security solution.
• However, it must be recognised that security is not an end in itself: it enables businesses to protect themselves from major threats in their operating environments and to carry out processes and transactions that are otherwise too risky to carry out.
• Importantly, it is a continual process of assessment and evaluation.
• Businesses change, IT infrastructures change and, unfortunately, attackers get smarter.
• Deploying the right security technologies is by no means an easy task.
The End