Presentation Transcript


  1. Guide to Network Defense and Countermeasures, Second Edition Chapter 3: Security Policy Implementation

  2. Objectives • Explain best practices in security policies • Formulate a security policy and identify security policy categories • Explain the importance of ongoing risk analysis and define incident-handling procedures Guide to Network Defense and Countermeasures, Second Edition

  3. What Makes a Good Security Policy? • Benefits of a security policy • Provides a foundation for an organization’s overall security stance • Gives employees guidelines on how to handle sensitive information • Gives IT staff instructions on what defensive systems to configure • Reduces the risk of legal liability • A good security policy is comprehensive and flexible • It is not a single document but a group of documents

  4. General Security Policy Best Practices • Basic concepts • If it is too complex, nobody will follow it • If it affects productivity negatively, it will fail • It should state clearly what can and cannot be done on company equipment • Include general clauses so the policy also covers situations it does not list explicitly • People need to know why a policy is important • Involve representatives of all departments • It should contain clauses stating the specific consequences for violating the policy

  5. General Security Policy Best Practices (continued) • Basic concepts (continued) • Needs support from the highest level of the company • Employees must sign a document acknowledging the policy and agreeing to abide by it • Keep it updated with current technologies • Policy directives must be consistent with applicable laws

  6. General Security Policy Best Practices (continued) • Considering cyber risk insurance • Insurance policy that protects against losses to information assets • Insurance and security policies are related • Many answers to insurance application questions come directly from the security policy • It could even earn your company a break on rates

  7. (Figure slide; no transcript text)

  8. General Security Policy Best Practices (continued) • Developing security policies from risk assessment • Steps • Identify what needs to be protected • Define the threats faced by the network • Define the probability of those threats and their consequences • Propose safeguards and define how to respond to incidents • Penalties for violating the policy are stated prominently near the top • Policy effectiveness must be monitored

  9. General Security Policy Best Practices (continued) • Teaching employees about acceptable use • The issue of trust is an integral part of a security policy • Policy should define who to trust and what level of trust should be placed in them • Seek a balance between trust and issuing orders

  10. General Security Policy Best Practices (continued) • Outlining penalties for violations • Policy should state what to do and what not to do • Policy should also contain guidelines for the penalty process • Establish flexible methods of punishment that can be applied at management’s discretion

  11. General Security Policy Best Practices (continued) • Criminal computer offenses • Policy violations can become criminal offenses • Subpoena • Order issued by a court demanding that a person appear in court or produce some form of evidence • Search warrant • Court order authorizing law enforcement officers to search specified premises or systems and seize evidence as part of an investigation • Unlike a subpoena, it is executed by the officers themselves, and you must not obstruct them • Due process • Constitutional guarantee (in the United States) of fair legal procedures, including a fair and impartial trial

  12. General Security Policy Best Practices (continued) • Enabling Management to Set Priorities • Policy provides a way to identify the most important security priorities • Policy lists network resources that managers find most valuable in the organization

  13. General Security Policy Best Practices (continued) • Helping network administrators do their jobs • Policy spells out mundane but important information • Privileged access policy • Policy that covers network administrators • Specifies whether they are allowed to • Run network-scanning tools • Run password-checking software • Have root or domain administrator access

  14. General Security Policy Best Practices (continued) • Using security policies to conduct risk analysis • Design and implement a security policy • Monitor your network behavior • Response time • Traffic signatures • Use this information in further rounds of risk analysis • Conduct a risk analysis after a major change occurs

  15. Formulating a Security Policy • Start by analyzing the level of risk to the organization’s assets • Identify safeguards to protect the assets • Identify potential need for cyber risk insurance

  16. Seven Steps to Creating a Security Policy • Steps • Call for the formation of a group that meets to formulate the security policy • Determine whether the overall approach to security should be restrictive (deny by default) or permissive (allow by default) • Identify the assets you need to protect • Determine what needs to be logged and/or audited • List the security risks that need to be addressed • Define acceptable use of the Internet, office computers, passwords, and other network resources • Create the policy

  17. (Figure slide; no transcript text)

  18. Components of Security Policies • Acceptable use policy • Establishes what is acceptable use of company resources • Usually stated at the beginning of a security policy • Security user awareness program • Gets employees involved and excited about the policy • Explains how the policy benefits the employees

  19. Components of Security Policies (continued) • Violations and penalties • Specifies what constitutes a violation • And how violations are dealt with • Can help a company avoid legal problems

  20. Components of Security Policies (continued) • User accounts and password protection • Guides how user accounts are to be used • Passwords represent a first line of defense

  21. Components of Security Policies (continued) • Remote access policy • Spells out the use of role-based access control • Gives users limited access based on their roles and what resources a role is allowed to use • Virtual Private Networks (VPNs) • VPNs create a tunnel to transport information through public communications media • Data are kept safe by the use of tunneling protocols and encryption

  22. Components of Security Policies (continued) • Secure use of the Internet and e-mail • Covers how employees can access and use the Internet and e-mail • Prohibits broadcast (mass) e-mail messages • Spells out whether users are allowed to download software or streaming media from the Internet • Blocks any objectionable Web sites

  23. Components of Security Policies (continued) • LAN security policy • Protects information that is processed, stored, and transmitted on the LAN • And the LAN itself

  24. Components of Security Policies (continued) • LAN security policy (continued) • Should describe the following • Applicability • Evaluations • Responsibilities • Commitment • Can include the following employees • Functional managers • Users • Local administrators • End users

  25. Conducting Ongoing Risk Analysis • Re-evaluate the organization’s security policy on an ongoing basis • Decide on a routine reassessment of the risk to the company and its assets

  26. Conducting Routine Security Reviews • Security policies can specify how often risk analyses should be conducted • Identifying the people who conduct the analysis • Describing the circumstances for a new risk analysis • Policy should be flexible enough to allow “emergency” reassessments as needed

  27. Working with Management • Managers usually think in terms of ROI • They should consider these other factors: • How much information systems and data are worth • Possible threats they have already encountered and will encounter • Chances that security threats will result in real losses
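As an added example that is not part of the textbook or this presentation: the risk-assessment steps on slide 8 (identify assets, define threats, estimate their probability and consequences, propose safeguards) and the ROI questions on slide 27 can be carried through numerically. The code below assumes the standard single-loss / annualized-loss model (SLE = asset value × exposure factor, ALE = SLE × annualized rate of occurrence), which the slides do not name, and treats a safeguard's net value as the ALE it removes minus its annual cost. Every asset, threat, rate and cost is constructed sample data.

```python
"""Quantitative risk analysis for a small asset register (added example).

Assumed model (not stated in the textbook):
    SLE = asset value * exposure factor      (loss per occurrence)
    ALE = SLE * ARO                          (expected loss per year)
    net value of a safeguard = sum of the ALE reductions it causes - its annual cost
All names, values and rates below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    aro: float              # annualized rate of occurrence (expected events per year)
    exposure_factor: float  # fraction of the asset's value lost per occurrence


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which the ARO drops (0.6 = 60% fewer events)
    ef_reduction: float = 0.0   # fraction by which the exposure factor drops


@dataclass
class Asset:
    name: str
    value: float
    threats: list = field(default_factory=list)


def sle(asset, threat, safeguard=None):
    """Single loss expectancy, optionally with a safeguard reducing the damage."""
    ef = threat.exposure_factor
    if safeguard is not None:
        ef *= 1.0 - safeguard.ef_reduction
    return asset.value * ef


def ale(asset, threat, safeguard=None):
    """Annualized loss expectancy, optionally with a safeguard in place."""
    aro = threat.aro
    if safeguard is not None:
        aro *= 1.0 - safeguard.aro_reduction
    return sle(asset, threat, safeguard) * aro


def rank_risks(assets):
    """Rank every (asset, threat) pair by ALE: the priority list for management."""
    rows = [(a.name, t.name, ale(a, t)) for a in assets for t in a.threats]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def safeguard_value(assets, safeguard, covers):
    """Net annual value of a safeguard across all threats it mitigates.

    The ALE reduction is summed over every covered (asset, threat) pair while
    the safeguard's cost is paid once, so a control that looks uneconomic
    against one threat can still pay for itself over everything it covers.
    """
    reduction = sum(ale(a, t) - ale(a, t, safeguard)
                    for a in assets for t in a.threats if t.name in covers)
    return reduction - safeguard.annual_cost


# --- constructed sample register (hypothetical figures) ---------------------
CUSTOMER_DB = Asset("customer database", 500_000.0, [
    Threat("ransomware", aro=0.25, exposure_factor=0.6),
    Threat("insider data theft", aro=0.1, exposure_factor=0.4),
])
WEB_SERVER = Asset("public web server", 80_000.0, [
    Threat("defacement", aro=1.0, exposure_factor=0.1),
])
ASSETS = [CUSTOMER_DB, WEB_SERVER]

OFFLINE_BACKUPS = Safeguard("offline backups", annual_cost=12_000.0, ef_reduction=0.8)
ENDPOINT_DETECTION = Safeguard("endpoint detection", annual_cost=40_000.0, aro_reduction=0.6)


if __name__ == "__main__":
    for asset_name, threat_name, loss in rank_risks(ASSETS):
        print(f"{loss:>10,.0f}/yr  {asset_name}: {threat_name}")
    cases = [
        (OFFLINE_BACKUPS, {"ransomware"}),
        (ENDPOINT_DETECTION, {"ransomware"}),
        (ENDPOINT_DETECTION, {"ransomware", "insider data theft"}),
    ]
    for guard, covers in cases:
        value = safeguard_value(ASSETS, guard, covers)
        print(f"{guard.name} covering {sorted(covers)}: net {value:,.0f}/yr")
```

With these sample figures the ranked list puts ransomware against the customer database first (75,000 per year expected loss), which is the kind of priority list slide 12 says the policy should give management. Offline backups net 48,000 per year against ransomware alone. Endpoint detection nets only 5,000 per year if it is judged against ransomware alone, but 17,000 per year once the insider-theft reduction it also buys is counted, so safeguards should be evaluated over their full coverage rather than one threat at a time.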

  28. Working with Management (continued) • Some business activities affected by intrusions: • Costs related to financial loss and disruption • Personnel safety and personnel information • Legal and regulatory obligations • Commercial and economic interests

  29. Working with Management (continued) • Dealing with the approval process • Developing a security policy can take several weeks or several months • Take the time to do it right and cover all bases • Policy needs to be reviewed and approved by upper management • You might encounter resistance • A security user awareness program can help

  30. Working with Management (continued) • Feeding security information to the security policy team • Inform them of any change to the organization’s security configuration

  31. Responding to Security Incidents • Escalation procedures • Levels of escalation • Level One incidents – least severe • Managed within one working day • Requires notifying only the on-duty security analyst • Level Two incidents – moderate seriousness • Managed the same day • Requires notifying the security architect • Level Three incidents – most serious • Managed immediately • Requires notifying the chief security officer

  32. Responding to Security Incidents (continued) • Incident handling • Incident examples • Loss of passwords – Level One incident • Burglary or other illegal building access – Level Two incident • Property loss or theft – Level Two or Level Three incident

  33. Updating the Security Policy • Update your policy • Based on the security incidents reported • Any changes to the policy should be broadcast to the entire staff • By e-mail or posting the changes on the intranet • Security policy should result in actual physical changes to the organization’s security configuration • New hardware or software that makes security tasks easier • Better protection means fewer internal or external incidents

  34. Summary • Benefits of a security policy are wide ranging • Security policy protects a company’s overall security • States what rights employees have and how they should handle company resources • Cyber risk insurance is becoming necessary for businesses • Good security policy • Based on risk assessment • Covers acceptable use of system resources • Sets priorities for the most critical resources

  35. Summary (continued) • Legal liabilities should be covered in a security policy • Incidents can become legal offenses • Understand your legal obligations • Security policy comprises a series of several specific policies • Seven steps in creating a policy • Must present the proposal to management and gain approval • Involves explaining the expected ROI and other costs

  36. Summary (continued) • Security policy sections • Acceptable use • Violations and penalties • Incident handling • Escalation procedures • Security policies should be reviewed and updated regularly
