SECURITY POLICIES

Indu Ramachandran

Outline
- General idea and importance of security policies
- When security policies should be developed
- Who should be involved in the process
- Cost of security policies
- Available resources
- Security policies in detail
- Why security policies fail
- After the security policy is written

About Security Policies
- Increased level of threats
- The organization's attitude towards security policies
- Establishing standards
- More than just "keeping the bad guys out"!
- Management and security policy
- Policies, not procedures! A policy states what is required and who is accountable for it; a procedure describes how a requirement is carried out and changes far more often. Keep the two separate so the policy does not need rewriting every time a tool or process changes.

Importance of Security Policies
- Establishes standards
- Provides basic guidelines
- Defines appropriate behavior
- Helps limit legal liability: a written and enforced policy documents due diligence if the organization is sued

Aspects of Security
- Traditional ideas of security
- Revised security aspects
- Confidentiality: protect objects from unauthorized release or use of information
- Integrity: preserve objects and prevent unauthorized modification

When should policies be developed
- Ideal scenario: proactively, before an incident forces the issue
- Often not the case. In practice policies are written:
  - After a security breach
  - To mitigate liability
  - To document compliance
  - To demonstrate quality control processes
  - Because customers or clients require them

Who should be involved
Basically EVERYONE:
- System users
- System support personnel
- Managers
- Business lawyers

Importance of involving management
- Funding and commitment
- Leadership
- Authority
- Responsibility and support

Do you need security policies?
Questions that help answer this:
- Do workers at your organization handle confidential information?
- Do workers at your organization access the internet?
- Does your organization have trade secrets?
- Add custom questions to suit your organization. A "yes" to any of them is a reason to have a policy.

The Security Cost Function
- Cost of security: rises steeply (roughly exponentially) as the level of protection sought approaches complete
- Trade-off between the cost of security and the cost of violations
- Formula: Total cost of violations = cost of a single violation x frequency of the violation
- The level to aim for is where the combined cost (cost of security plus total cost of violations) is lowest; spending beyond that point costs more than the losses it avoids

GOOD NEWS! You are not on your own!
Internet resources:
- The SANS Institute
- NIST (National Institute of Standards and Technology)
- RFCs (for example RFC 2196, the Site Security Handbook)
- Universities

Resources (cont'd)
Books:
- Guide for Developing Security Policies for Information Technology Systems
- Information Security Policies Made Easy: around 1360+ security policy templates; used by several large organizations
Training sessions:
- SANS Institute

Types of security policies
Administrative security policies: state what people must do.
Examples:
- Users must change their password each quarter
- Employees must not use dial-out modems from their desktops
Technical security policies: state how systems must be configured so that the administrative policy is enforced.
Examples:
- The server will be configured to expire passwords each quarter
- Accounts must lock out after four unsuccessful login attempts
Keep the two paired: an administrative rule with no technical counterpart depends on people remembering to comply, and a technical control with no administrative rule has nothing to point to when users push back.
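As an added example (not part of the original slides), the two technical policies above can be turned into a check that reads the Linux settings which implement them: PASS_MAX_DAYS in /etc/login.defs for password expiry and the deny setting of pam_faillock (/etc/security/faillock.conf) for lockout. The file contents below are constructed inline so the script runs offline; the 90-day and four-attempt thresholds are taken from the slide.

```python
"""Check Linux login configuration against two technical policies:
password expiry every quarter and lockout after four failed logins.
Added example; the file contents below are constructed, not read from disk."""
import re
from typing import Dict, List

POLICY_MAX_PASSWORD_DAYS = 90   # "expire password each quarter"
POLICY_MAX_FAILED_LOGINS = 4    # "lockout after four unsuccessful attempts"

# Constructed samples of /etc/login.defs: a weak default and a compliant one.
LOGIN_DEFS_WEAK = """
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""
LOGIN_DEFS_OK = """
# Password aging controls
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   14
"""

# Constructed samples of /etc/security/faillock.conf (pam_faillock).
FAILLOCK_WEAK = """
deny = 10
unlock_time = 60
"""
FAILLOCK_OK = """
# lock after 4 failures, keep locked for 10 minutes
deny = 4
unlock_time = 600
"""


def parse_login_defs(text: str) -> Dict[str, str]:
    """Parse 'KEY VALUE' lines of login.defs, ignoring comments and blanks."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def parse_faillock_conf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of faillock.conf, ignoring comments."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"^(\w+)\s*=\s*(\S+)$", line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def _as_int(raw: str) -> int:
    """Return the integer value, or -1 if the setting is not numeric."""
    return int(raw) if raw.isdigit() else -1


def check_password_expiry(login_defs: str) -> List[str]:
    """Findings for the expiry policy; an empty list means compliant."""
    raw = parse_login_defs(login_defs).get("PASS_MAX_DAYS")
    if raw is None:
        return ["PASS_MAX_DAYS not set: new accounts get no expiry"]
    days = _as_int(raw)
    if days < 1 or days > POLICY_MAX_PASSWORD_DAYS:
        return [f"PASS_MAX_DAYS={raw} violates policy maximum of "
                f"{POLICY_MAX_PASSWORD_DAYS} days"]
    return []


def check_lockout(faillock_conf: str) -> List[str]:
    """Findings for the lockout policy; an empty list means compliant."""
    raw = parse_faillock_conf(faillock_conf).get("deny")
    if raw is None:
        return ["deny not set: lockout threshold is left to the module default"]
    deny = _as_int(raw)
    if deny < 1 or deny > POLICY_MAX_FAILED_LOGINS:
        return [f"deny={raw} violates policy maximum of "
                f"{POLICY_MAX_FAILED_LOGINS} failed attempts"]
    return []


def audit(login_defs: str, faillock_conf: str) -> Dict[str, List[str]]:
    """Run both checks and map each technical policy to its findings."""
    return {
        "password_expiry": check_password_expiry(login_defs),
        "account_lockout": check_lockout(faillock_conf),
    }


if __name__ == "__main__":
    for label, ld, fl in (("weak", LOGIN_DEFS_WEAK, FAILLOCK_WEAK),
                          ("compliant", LOGIN_DEFS_OK, FAILLOCK_OK)):
        print(label, audit(ld, fl))
```

Two caveats a practitioner would add to the policy text: PASS_MAX_DAYS only applies to accounts created after it is set, so existing accounts need `chage -M 90 <user>` (or an equivalent) to be brought under the policy; and a compliant faillock.conf enforces nothing unless pam_faillock is actually enabled in the PAM stack. Both are examples of why the technical policy has to be tested, not just written.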


What is in a security policy
Three categories.
First category: the parameters section
- Introduction
- Audience
- Definitions

What is in a security policy (cont'd)
Second category: risk assessment
- When it should be done
- Benefits
- Who should do it
- Identifying assets
- Threats to those assets

What is in a security policy (cont'd)
Third category: the actual policies
Examples of policies:
- Physical security
- Authentication
- Password policy
- Remote access policy, including the modem issue (an uncontrolled modem on a desktop bypasses the network perimeter)
- Acceptable use policy; examples at http://www.eff.org/pub/CAF/policies
- Other policies: examples and their templates on the SANS website, http://www.sans.org/resources/policies/

What makes a good security policy
- Must be usable
- Must communicate clearly
- Must not impede or interfere with business
- Must be enforceable
- Must be updated regularly
Other factors:
- Interests of the stakeholders
- Laws

Problems with security policies
- Increase in tension level
- Security needs are viewed differently by different groups
- Too restrictive or hard to implement
- Impedes productivity
Conflict and politics:
- Management concentrates on the company's goals
- Technical personnel have their own agenda
So what happens? What do you do?

Information Security Management Committee
- Bridges the gap between management and technical staff
- Committee composition
- Responsibilities of the committee

Real world problems caused by missing policies
- At a government agency...
- At a local newspaper...

Why Security Policies Fail
- Security is seen as a barrier to progress:
  - Perceived to have zero benefit
  - An obstacle that impedes productivity
- Security is a learned behavior, not instinct:
  - The value of assets is not understood
  - The policy is not taken seriously

Why Security Policies Fail (cont'd)
- Complexity
- Security work is never finished: failure to review the policy
- Other reasons:
  - Lack of stakeholder support
  - Organizational politics

Compliance & Enforcement
- Training
- Testing the effectiveness of the policy
- Monitoring
- Taking action

Review the Policy
Review committee:
- Good representation
- Frequency of review meetings
- Responsibilities
- What to review

References
- Barman, Scott. Writing Information Security Policies.
- http://dmoz.org/Computers/Security/Policy/Sample_Policies/
- http://www.netiq.com/products/pub/ispme_realproblems.asp
- http://www.sans.org/rr/policy/policy.php
- http://www.networknews.co.uk/Features/1138373
- http://irm.cit.nih.gov/security/sec_policy.html
- http://www.cisco.com/warp/public/126/secpol.html