FORESEC Academy
Security Essentials (II)
BASIC SECURITY POLICY

Preface
It never ceases to amaze me - the fact that you can’t take a class in Information Security without being told to do this or that in accordance with “your security policy,” but nobody ever explains what the policy is, let alone how to write or evaluate it. That is why we undertook this research and education project on basic security policy. We hope you will find this module useful and that you will participate in its evolution. Consensus is a powerful tool. We need the ideas and criticisms from the information security community in order to make this, “The Roadmap,” a usable and effective policy. Thank you!

Objectives
- Defining Security Policy
- Using Security Policy to Manage Risk
- Identifying Security Policy
- Evaluating Security Policy
- Issue-specific Security Policy
- Exercise: Writing a Personal Security Policy
- Contingency Planning within your Policy

Documentation is Critical
If it is not in writing, it never happened. You must clearly document:
- What is expected of users
- What you plan on doing
- How you plan on doing it
- What other people are required to do

Defining a Policy
Policies direct the accomplishment of objectives:
- Program Policy
- Issue-specific Policy
- System-specific Policy
An effective and realistic Security Policy is the key to effective and achievable security.

Defining a Policy (2)
What makes up a policy?
- Purpose
- Related documents
- Cancellation
- Background
- Scope
- Policy statement
- Action
- Responsibility

Defining a Policy (3)
Who can sign the policy?
What process is used to:
- draft a policy
- approve a policy
- implement a policy

Risk Assessment
What do you do?
- The “important bid” story
- When is it okay to violate or change policy?
- Who has the authority to do it?
- What are the risks involved?

Managing Risks in Your Job
- Identify risks
- Communicate your findings
- Update (create) policy as needed
- Develop metrics to measure compliance

Identifying Security Policy
- Who does the procedure?
- What is the procedure?
- When is the procedure done?
- Where is the procedure done?
- Why is the procedure done?

Roles and Responsibilities
Formal organizational structure
- Who has the title
- Who is listed at the top of the organizational chart
Informal organizational structure
- Who gets things done
- Who really makes decisions

Levels of Policy
Recognize that policies can exist on different levels:
- Enterprise-wide/corporate policy
- Division-wide policy
- Local policy
- Issue-specific policy
- Procedures and checklists

Checkpoint: Procedure Guidance
Policies address the who, what, and why.
Procedures address the how, where, and when.

Evaluating Security Policy
What if your existing policy is confusing and hard to read? What if it doesn’t cover all the bases? Use a checklist to evaluate your policy.

Evaluating Security Policy (2)
Use a checklist:
- Does it contain the expected elements?
- Is it clear?
- Is it concise?
- Is it realistic?
- Does it provide sufficient guidance?

Evaluating Security Policy (3)
Checklist, continued...
- Is it consistent?
- Is it forward-looking?
- Are there means to keep it current?
- Is the policy readily available to those who need it?

Issue-Specific Security Policy
- Anti-Virus
- Password Assessment
- Backups
- Proprietary Information
- Personal Security Policy

Anti-virus Policy
Define the problem
- Various practices risk the introduction of viruses into systems and networks
Develop a solution
- Define the scope
- Layer the defense strategy
- Identify responsibilities
- Measure the effectiveness

Password Assessment Policy
Define the problem
- Password assessment is a necessary part of security, but may appear illegal if carried out without proper authority/safeguards
Develop a solution
- Identify the risks
- Enumerate the countermeasures
- Enable administrators to legally assess passwords
- Escrow passwords for use during incidents

Data Backup Policy
Define the problem
- Backups are critical to protect information and allow disaster recovery, but are often performed sporadically
Develop a solution
- Identify backups as critical
- Empower system administrators
- Provide for exceptions when necessary
- Make sure the policy is implemented