Matakuliah
Tahun
Versi
:A0334/Pengendalian Lingkungan Online
: 2005
: 1/1
Pertemuan 15
Security Policies
1
Learning Outcomes
Pada akhir pertemuan ini, diharapkan mahasiswa
akan mampu :
• Mahasiswa dapat menyatakan Security
Policies
2
Outline Materi
• A Multi-Layered Response
–
–
–
–
–
–
–
–
–
–
People controls
Reporting and Recovering from A Scurity Breach
Contractual Controls
Technology Controls
Acts of God or Terrorism
Insurance
Maintaining Effective Security
The Standards-Based Approach
The BS 7799 and ISO 17799 Standards
Conclusion
3
• Managed Security services
– Managed Security pros
– Managed Security Cons
– Moving to The Managed Model
•
•
•
•
•
•
•
Written Service-Level Agreements (SLAs)
Secure Financial Position
Recognised Standards
Global Reach
Vendor Accreditation
Secure NOC (Network Operations Centre)
Customer and industry Testimony
– Conclusion
4
A Multi-Layered Response
• Many of the problems associated with
information security arise from the tendency of
most organisations to take a ‘sticking plaster’
approach to the issue, in that they identify that a
threat exists or that a security incident has
occurred and then determine a specific control in
order to manage or mitigate the particular threat.
The problem with this approach is that it is
generally reactive and inconsistent, and it is
simply not extensive enough as it does not
consider other threats.
5
• A lack of consistency can be a serious
problem, as security incidents can take a
variety of forms.
6
• Incidents originating from outside the
organisation are generally:
– Website defacement
– Denial of service (DOS)
7
• Incidents originating from inside the organisation
are generally:
– Web surfing of non-business-related sites resulting in
loss of productivity (ie revenue)
– Service disruption resulting from unscheduled or
untested changes to the environment
– Illegal activity such as downloading pornographic
material (such as paedophilia)
– Unwittingly introducing some form of virus into into
the environment, typically through email or or file
sharing
– Attempted access to systems or information by
unauthorised persons (either accidental or malicious)
8
– Leaving classified or sensitive information on
screen, visible to unauthorised persons
– Leaving systems logged in, unattended and
accessible to passing persons
– Wrongful disclosure of personal information
(in contravention of the Data Protection Act
1988)
– Accidental deletion of information
9
• The most serious incidents are rare but can
prove very costly, whether they are internally or
externally inspired. Internal staff are better
positioned to exploit situations as they are
typically ‘trusted’, with a good understanding of
the systems, applications and architecture. An
external hacker needs to be highly skilled,using
a combination of analysis skills, code creation
and even social engineering (the manipulation of
people to obtain information).
10
• These rare types of incidents include:
– Theft of information – such as customer details.
– Theft of information – such as credit card details.
– Theft of information – such as ideas,products or
solutions (ie industrial espionage).
– Embezzlement – this requires the perpetrator to
understand how an organisation’s business operates,
specifically in terms of accounting and cash-flow, in
order to divert funds (easier for internal staff)
11
People Controls
• When considering the controls to be used to
address the security issue, we must consider
where and how we can influence behaviour.
• When considering the external threat, an
organisation can exert very little influence over
the behaviour or users entering its website, and
as such are dependent on utilising technology
products or product configurations in order to
either make the environment (internet access,
servers and applications) robust, or to detect,
alert and potentially repel malicious activity.
12
• When considering the internal threat, an
organisation has far more influence over
the behaviour of users utilising internal
systems and information. Users must be
made aware of what is acceptable
behaviour and of the consequences of
unacceptable behaviour.
13
• Another cause of internal security
breaches arises from modifications to
applications, systems or infrastructure,
without adequate consideration for testing,
back-up and back-out where these cause
down-time and cause the risk for security
weaknesses to be brought into the internal
infrastructure. This is adequately
addressed within an effective change
control process that has consideration for
security impact.
14
Reporting and Recovering from a
Security Breach
• In any instance that a security breach
occurs, the training and education process
should ensure that staff recognise an
event and are aware of the process for
reporting the event (who has
responsibility), and that those persons with
responsibility know the process for
handling the event.
15
• These policies and procedures would
entail such elements as:
– Procedures for handling staff who have
contravened company security policies
– Procedures for detecting security breaches
(tools, logs, etc)
– Procedures for recovering from specific types
of incident (rebuild of operating system,
restore from back-up etc)
– Communication procedures
– Management procedures
16
Contractual Controls
• Another element to consider is the
potential threat (either accidental or
malicious) from third parties with whom
there is some formal relationship (such as
trading partners or service providers);
these may in some instances be
considered as trusted, however, the threat
still exists.
17
• With a trading partner a sensible approach is to
make them responsible for their own action, in
addition to providing protective controls.
• A contract may state that they must demonstrate
that ‘reasonable and considered’ controls are
taken relative to the form of communication,
sensitivity of the information and the potential
threat.
• Contractual terms would then seek agreement
on an interpretation of these controls and should
also provide regular opportunities to have the
controls demonstrated to the satisfaction of your
organisation.
18
• At the point that the third party enters an
organisation, controls should also be
implemented.
• With a service provider, a contract should not
only consider those conditions that apply to a
trading partner, but should also consider how
loss of the service provided by them would
impact the service offered to customers and
trading partners. In this respect, the contract
should agree service level commitments that can
be effectively monitored and proven, and should
agree compensation for failure to achieve the
service levels.
19
Technology Controls
• Where technology controls are used, it is
important that they are configured and
maintained as effectively as possible.
• Many organisations will be dependent
upon utilising a specialist security
company in order to ensure effective
security through technology controls.
20
• This will often encompass multi-layer security
(security in depth) to exploit and combine:
–
–
–
–
Tight access controls
Strong authentication
Protection of information in transit (encryption)
Hardened operating systems, services and
applications
– High availability
– Quality of service
– Performance
21
Acts of God or Terrorism
• In the event that an incident occurs that is
considered exceptional, such as flooding,
lightning, vehicle crash, bomb explosion or
significant loss of key staff (to lottery win,
for example), an organisation must have
plans in place to minimise the impact to
the business by restoring a level of service
within a pre-determined time-frame and
managing the communications process
between staff, partners and customers (ie
business continuity).
22
Insurance
• When all reasonable measures have been
taken, an organisation should also consider
insurance. In the case of a significant security
incident, insurance funds will limit the damage to
the business by providing some element of (or
all of) the revenue to recover the business to the
point of normal operation.
• This form of insurance is often referred to as
cyber-liability insurance. Some insurance
companies specialise in such policies, but will
often require some evidence that adequate
controls have been implemented before policy
can be obtained.
23
Maintain Effective Security
• A management process for information
security (policy-based controls) needs to
encompass a mechanism for review. This
mechanism should consist of an audit
process to regularly review the business
opertions, the risks and the controls in
order to ensure the policy-based controls
remain effective.
24
• The technology controls also need to
encompass a mechanism for review. This
mechanism should consist of a regular
audit of the complete technology
infrastructure to review the technology
operations, the risks and controls, and,
importantly, to ensure that the technology
controls remain effective. In addition, this
review should encompass regular
vulnerability and penetration testing.
25
• In both cases the primary purpose is to
refine the controls each time the review is
performed, thus optimising the controls, or
ensuring that the controls are the most
appropriate through experience. The
process also ensures that information
security adapts with changes to the
organisation and changes with the way
business is performed.
26
The Standards-Based Approach
• Any organisation that undertakes an exercise to
implement ‘information security’ using the
management approach to achieve consistent,
extensive and comprehensive security will
normally need to look for guidance.
• An own ‘best efforts approach’ has obvious
limitations; it is far better to utilise an approach
based upon best practice that has some form of
track record – the obvious being an existing
standard that specifically addresses the
requirement. Several such standards exist that
address the requirements to varying degrees.
27
The BS 7799 and ISO 17799 Standards
• The ISO 17799 standard started life as the
British Standard BS 7799 Part I Code of
Practice for Information Security in 1995.
28
Conclusion
• Thismethodology is suitable for any
organisation that aims to utilise a dual
approach to the provision of information
security that is extensive, consistent and
effective – ie ‘security in depth and
security in breadth’.
29
Managed Security Services
• Economic and staff resourcing factors are
further driving the trend for strategic
outsourcing of specialist business areas –
a fact noted by Allan Carey, senior analyst
for IDC: ‘The managed security services
market is being driven primarily by
resource constraints to capital and security
expertise.’
30
• This model however is not new;
companies have previously outsourced
functions such as legal matters, HR,
recruitment, accounting and front desk
security to outside specialists. The
management of a company IT security
infrastructure can be seen simply as an
extension of this.
31
Managed Security Pros
• The benefits of outsourcing managed security
include:
– Leveraging the talents and experience of security and
privacy experts to protect brand, intellectual property
and revenues
– Supplementing existing security resources costeffectively
– Implementing sophisticated security solutions
– Focusing resources on building core business, not on
building a security centre or on trying to constantly
stay on top of changing security threats
32
– Controlling and managing security spending
– Accessing a trusted advisor during security
incidents
– Obtaining third-party validation and
verification of the appropriateness of your
security policies
– Benefiting from cutting-edge security research
and development.
33
Managed Security Cons
• Amongst the disadvantages of outsourcing
security solutions we find:
– Allowing a third party access to the ‘keys to
the safe’
– Long term-inflexible contract terms
– That several companies in the managed
security area are start-ups with an uncertain
economic future
– Trust as the main barrier
34
Moving to The Managed Model
• Once a decision is taken to embrace
managed security how do you select a
service provider?
35
Written Service-Level Agreements
(SLAs)
• The primary objective of a managed
security service is to provide security
services that meet the agreed business
and technical requirements of the client.
To facilitate this, the service provider
needs to understand these requirements
and translate them into measurable
criteria. This allows the service provider to
measure the service.
36
Secure Financial Position
• After taking the time to select a suitable supplier
of managed services, the last thing you want to
happen is that they go bankrupt after a few
months of the contract, leaving you ‘high and
dry’. Secure finances is perhaps the most
important area to consider, even more so in the
current economic climate. Part of the selection
process here should be a check on the customer
base and the length of time the company has
operated within the managed service arena.
37
Recognised Standards
• If a company, particularly a service
provider in this case, is awarded an ISO
9000 certificate, it can demonstrate to its
customers that it is in possession of a
documented quality system that is being
observed and continually followed.
38
Global Reach
• A correctly scaled managed firewall or
VPN (Virtual Private Network) service
allows companies to take advantage of the
inherent benefits of a well-designed,
secure firewall deployment gives us the
flexibility to expand outside of our home
country without the headache of
understanding the creation of a secure
communications platform.
39
Vendor Accreditation
• The vendor accreditation aspect again
links back to an MSP’s investment in the
service they supply.
40
Secure NOC (Network Operations
Centre)
• When outsourcing the management of
your firewalls/intrusion detection systems
to an MSP, a minimum component must
be that they have a secure operations
centre from which they con
monitor,manage and administer your
firewalls.
41
Customer and Industry Testimony
• An MSP that conforms to most, if not all, of
the points raised above is likely to have a
mature installed user base that con vouch
for its competence. Any managed service
organisations that receive glowing
references from both customers and
industry peers are likely to make full use of
them in corporate literature, websites and
advertisements.
42
Conclusion
• Outsourcing security technologies is an
increasing trend and one that seems set to
continue.
43
The End
44