CIS 75D 052115 Slides: Infrastructure Security Policies

Security Policies and Implementation Issues
Lesson 5
User Domain and IT Infrastructure Security Policies
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objectives
• Describe the different information systems security (ISS) policies associated with the User Domain.
• Describe the different information systems security (ISS) policies associated with the IT infrastructure.
Key Concepts
• Reasons for governing users with policies
• Regular and privileged users
• Acceptable use policy (AUP) and privileged-level access agreement (PAA)
• Security awareness policy (SAP)
• Differences between public and private User Domain policies
• Elements of an infrastructure security policy
• Policies associated with various domains of a typical IT infrastructure
• Best practices in creating and maintaining IT policies
DISCOVER: CONCEPTS
Security Awareness Policy (SAP)
• Addresses:
− Basic principles of information security
− Awareness of risk and threats
− Dealing with unexpected risk
− Reporting suspicious activity, incidents, and breaches
− Building a culture that is security and risk aware
Acceptable Use Policy (AUP)
• Attempts to protect an organization’s computers and network
• Addresses password management
• Addresses software licenses
• Addresses intellectual property management
• Describes e-mail etiquette
• Describes the level of privacy an individual should expect when using an organization’s computer or network
• Describes noncompliance consequences
Privileged-Level Access Agreement (PAA)
• Acknowledges the risk associated with elevated access in the event the credentials are breached or abused
• Asks the user to promise to use access only for approved organization business
• Asks the user to promise not to attempt to “hack” or breach security
• Asks the user to promise to protect any output from these credentials, such as reports, logs, files, and downloads
Policy Organization
• Requirements may cross domains
− Malware protection
− Password/authentication requirements
• Requirements may conflict between domains
• Policies will vary among organizations
• Use standard document types to identify domain security control requirements
Key Purpose of an IT Infrastructure Policy
Provide technical knowledge of:
• The interaction of various layers of the network
• The placement of key controls
• The types of risks to be detected and guarded against
Three Ways to Organize Policies
• Domain
• Functional Area
• Layers of Security
Policy Documents
• Control Standards: policy statements concerned with core requirements
• Baseline Standards: minimum security requirements for specific technologies
• Procedure Documents: implementation processes; each baseline standard needs a procedure
• Guidelines: recommendations
• Dictionary: defines the scope and meaning of the terms used in the policies
Seven Domains of a Typical IT Infrastructure
Workstation Domain
Workstation:
− End user devices
− Laptops, desktops, mobile devices
− Focus on physical and logical security
• Control Standards
− Device management
− User permissions
− Align with functional responsibilities
• Baseline Standards
− Specific technology requirements for each device
− Review standards from vendors or organizations
• Procedures
− Step-by-step configuration instructions
• Guidelines
− Acquisitions (e.g., preferred vendors)
− Description of threats and countermeasures
LAN Domain
LAN:
− Local area network infrastructure
− Servers, network infrastructure
− Focus on connectivity and traffic management
• Control Standards
− Firewalls
− Denial of Service
− Align with functional responsibilities
• Baseline Standards
− Specific technology requirements for each device
− Review standards from vendors or organizations
• Procedures
− Step-by-step configuration
• Guidelines
− Acquisitions (e.g., preferred vendors)
− Description of threats and countermeasures
LAN-to-WAN Domain
LAN to WAN:
− Connects LAN to outside network (e.g., Internet)
− Focus on securing resources that bridge internal and external networks
• Control Standards
− Access control to the Internet
− Traffic filtering
• Baseline Standards
− Specific technology requirements for perimeter devices
• Procedures
− Step-by-step configuration
• Guidelines
− DMZ, IDS/IPS, content filtering
WAN Domain
WAN:
− Wide Area Network (e.g., Internet) services and hardware
− Focus on WAN connection management, DNS
• Control Standards
− WAN management, Domain Name Services, router security, protocols, Web services
• Baseline Standards
− Review standards from vendors or organizations
• Procedures
− Step-by-step configuration of routers and firewalls
− Change management
• Guidelines
− When and how Web services may be used
− DNS management within the LAN and WAN environments
Remote Access Domain
Remote Access:
− End user remote connection technology
− Focus on authentication and connection
• Control Standards
− VPN connections
− Multi-factor authentication
• Baseline Standards
− VPN gateway options
− VPN client options
• Procedures
− Step-by-step VPN configuration and debugging
• Guidelines
− Description of threats
− Security of remote computing environments, such as working from home
System/Application Domain
System/Application:
− Data processing and storage technology
− Focus on security issues associated with applications and data
• Control Standards
− Firewalls
− Denial of Service
− Align with functional responsibilities
• Baseline Standards
− Specific technology requirements for each device
− Review standards from vendors or organizations
• Procedures
− Step-by-step configuration
• Guidelines
− Acquisitions (e.g., preferred vendors)
− Description of threats and countermeasures
DISCOVER: PROCESS
Different Types of Users Within an Organization
• Employees
• Contractors
• System admins
• Security personnel
• Vendors
• Guests and general public
• Control partners
Example of User Types
User Access Requirements
• Users require different access
• Users require information from different systems
• Data has different security controls
Contingent and System Accounts
• Contingent Accounts
− Need unlimited rights to install, configure, repair, and recover networks and applications, and to restore data
− Credentials are prime targets for hackers
− IDs are not assigned to individuals until a disaster recovery event is declared
• System Accounts
− Need elevated privileges to start, stop, and manage system services
− Accounts can be interactive or non-interactive
− System accounts are also referred to as “service accounts”
Creating Policy Documents
• Documents should
− Differentiate between core requirements and technological requirements
− Follow a standard format
− Remain relevant without constant modification
− Not contain duplicate content
DISCOVER: ROLES
Who Develops User Policies
• Chief financial officer (CFO)
• Chief operations officer (COO)
• Information security manager
• IT manager
• Marketing and sales manager
• Unit manager
• Materials manager
• Purchasing manager
• Inventory manager
Roles and Responsibilities: Who Needs Training?
• All Users
• Executive Managers
• Program and Functional Managers
• IT Security Program Managers
• Auditors
• IT Function Management and Operations Personnel
Roles and Responsibilities
• Information Security (IS) Manager
− Policy creation, application, and alignment with organizational goals
• IT Auditor
− Ensuring that controls are in place per policy
• System/Application Administrator
− Applying controls to the Workstation, LAN, and LAN-to-WAN Domains
DISCOVER: CONTEXTS
Differences and Similarities in User Domain Policies
Differences
• Public organizations must follow Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and other compliance laws
• Private organizations are often smaller and easier to control from a user standpoint
• Private organizations may not follow public compliance laws
Differences and Similarities in User Domain Policies
Similarities
• Private organizations may follow public compliance laws depending on their governance requirements
• Public organizations may be small in size and thus have similar control over their user populations
DISCOVER: RATIONALE
The User as the Weakest Link in the Security Chain
• People who use computers have different skill levels and thus different perceptions of information security
• Social engineering can occur at any time within any organization
• Human mistakes often occur and can lead to security breaches
The User as the Weakest Link in the Security Chain
• One of the most significant threats comes from within an organization, from an “insider”
• Applications have unknown weaknesses, and these weaknesses can be exploited by users either knowingly or unknowingly
• Security awareness training can remove this weakest link in the security chain
Lack of Controls
• With a lack of controls, all of the following and more are possible:
− Workstations would have different configurations
− LANs would allow unauthorized traffic
− WANs would have vulnerabilities
− Network devices would not be configured the same
− Users would have access to data they are not directly working with
Summary
• Reasons for governing users with policies
• Regular and privileged users
• Acceptable use policy (AUP) and privileged-level access agreement (PAA)
• Security awareness policy (SAP)
• Differences between public and private User Domain policies
• Elements of an infrastructure security policy
• Policies associated with various domains of a typical IT infrastructure
• Best practices in creating and maintaining IT policies
OPTIONAL SLIDES
Roles and Responsibilities: Who Needs Training?
• All Users
• Executive Managers
• Program and Functional Managers
• IT Security Program Managers
• Auditors
• IT Function Management and Operations Personnel
Best Practices for IT Infrastructure Security Policies
• Select a framework, such as ISO or COBIT
• Develop requirements and standards based on the framework
• Review and adapt
Best Practices for IT Infrastructure Security Policies (Continued)
• Make policies/standards available to all
• Keep content cohesive
• Keep content coherent
• Maintain the same “voice” throughout
Best Practices for IT Infrastructure Security Policies (Continued)
• Add only necessary information
• Stay on message
• Make your library searchable
• Federate ownership to where it best belongs