1 / 42

Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 14 Security Policies and Training. Objectives. Define organizational security policy List the types of security policies Describe how education and training can limit the impact of social engineering.

oakes
Download Presentation

Security+ Guide to Network Security Fundamentals, Third Edition

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security+ Guide to Network Security Fundamentals, Third Edition Chapter 14 Security Policies and Training

  2. Objectives • Define organizational security policy • List the types of security policies • Describe how education and training can limit the impact of social engineering Security+ Guide to Network Security Fundamentals, Third Edition

  3. Organizational Security Policies • Plans and policies must be established by the organization • To ensure that users correctly implement the hardware and software defenses • One of the key policies is an organizational security policy Security+ Guide to Network Security Fundamentals, Third Edition

  4. What Is a Security Policy? • Security policy • A written document that states how an organization plans to protect the company’s information technology assets • An organization’s information security policy can serve several functions: • It can be an overall intention and direction • It details specific risks and how to address them • It can create a security-aware organizational culture • It can help to ensure that employee behavior is directed and monitored Security+ Guide to Network Security Fundamentals, Third Edition

  5. Balancing Trust and Control • An effective security policy must carefully balance two key elements: trust and control • Three approaches to trust: • Trust everyone all of the time • Trust no one at any time • Trust some people some of the time • Deciding on the level of control for a specific policy is not always clear • The security needs and the culture of the organization play a major role when deciding what level of control is appropriate Security+ Guide to Network Security Fundamentals, Third Edition

  6. Balancing Trust and Control (continued) Security+ Guide to Network Security Fundamentals, Third Edition

  7. Designing a Security Policy • Definition of a policy • Standard • A collection of requirements specific to the system or procedure that must be met by everyone • Guideline • A collection of suggestions that should be implemented • Policy • Document that outlines specific requirements or rules that must be met Security+ Guide to Network Security Fundamentals, Third Edition

  8. Designing a Security Policy (continued) • A policy generally has these characteristics: • Policies communicate a consensus of judgment • Policies define appropriate behavior for users • Policies identify what tools and procedures are needed • Policies provide directives for Human Resource action in response to inappropriate behavior • Policies may be helpful in the event that it is necessary to prosecute violators Security+ Guide to Network Security Fundamentals, Third Edition

  9. Designing a Security Policy (continued) • The security policy cycle • The first phase involves a risk management study • Asset identification • Threat identification • Vulnerability appraisal • Risk assessment • Risk mitigation • The second phase of the security policy cycle is to use the information from the risk management study to create the policy • The final phase is to review the policy for compliance Security+ Guide to Network Security Fundamentals, Third Edition

  10. Designing a Security Policy (continued) Security+ Guide to Network Security Fundamentals, Third Edition

  11. Designing a Security Policy (continued) • Steps in development • When designing a security policy many organizations follow a standard set of principles • It is advisable that the design of a security policy should be the work of a team • The team should first decide on the scope and goals of the policy • Statements regarding due care are often included • The obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them Security+ Guide to Network Security Fundamentals, Third Edition

  12. Designing a Security Policy (continued) Security+ Guide to Network Security Fundamentals, Third Edition

  13. Designing a Security Policy (continued) • Many organizations also follow these guidelines while developing a policy: • Notify users in advance that a new security policy is being developed and explain why the policy is needed • Provide a sample of people affected by the policy with an opportunity to review and comment on the policy • Prior to deployment, give all users at least two weeks to review and comment • Allow users the authority to carry out their responsibilities in a given policy Security+ Guide to Network Security Fundamentals, Third Edition

  14. Types of Security Policies • The term security policy becomes an umbrella term for all of the subpolicies included within it Security+ Guide to Network Security Fundamentals, Third Edition

  15. Security+ Guide to Network Security Fundamentals, Third Edition

  16. Types of Security Policies (continued) • Most organizations have security policies that address: • Acceptable use • Security-related human resources • Password management and complexity • Personally identifiable information • Disposal and destruction • Service level agreements • Classification of information • Change management • Ethics Security+ Guide to Network Security Fundamentals, Third Edition

  17. Acceptable Use Policy (AUP) • Acceptable use policy (AUP) • Defines the actions users may perform while accessing systems and networking equipment • May have an overview regarding what is covered by this policy • The AUP usually provides explicit prohibitions regarding security and proprietary information • Unacceptable use may also be outlined by the AUP • Acceptable use policies are generally considered to be the most important information security policies Security+ Guide to Network Security Fundamentals, Third Edition

  18. Security-Related Human Resource Policy • Security-related human resource policy • A policy that addresses security as it relates to human resources • Includes statements regarding how an employee’s information technology resources will be addressed • Due process • The principle of treating all accused persons in an equal fashion, using established rules and principles • Due diligence • Any investigation into suspicious employee conduct will examine all material facts Security+ Guide to Network Security Fundamentals, Third Edition

  19. Password Management and Complexity Policy • Password management and complexity policy • Can clearly address how passwords are created and managed • The policy should also specify what makes up a strong password Security+ Guide to Network Security Fundamentals, Third Edition

  20. Password Management and Complexity Policy (continued) Security+ Guide to Network Security Fundamentals, Third Edition

  21. Password Management and Complexity Policy (continued) Security+ Guide to Network Security Fundamentals, Third Edition

  22. Personally Identifiable Information (PII) Policy • Personally identifiable information (PII) policy • Outlines how the organization uses personal information it collects Security+ Guide to Network Security Fundamentals, Third Edition

  23. Personally Identifiable Information (PII) Policy (continued) Security+ Guide to Network Security Fundamentals, Third Edition

  24. Disposal and Destruction Policy • Disposal and destruction policy • Addresses the disposal of resources that are considered confidential • Often covers how long records and data will be retained • Involves how to dispose of equipment Security+ Guide to Network Security Fundamentals, Third Edition

  25. Service Level Agreement (SLA) Policy • Service level agreement (SLA) • A service contract between a vendor and a client that specifies what services will be provided, the responsibilities of each party, and any guarantees of service • Service level agreement (SLA) policy • An organizational policy that governs the conditions to be contained in an SLA • Many SLA policies contain tiers of service Security+ Guide to Network Security Fundamentals, Third Edition

  26. Service Level Agreement (SLA) Policy (continued) Security+ Guide to Network Security Fundamentals, Third Edition

  27. Classification of Information Policy • Classification of information policy • Designed to produce a standardized framework for classifying information assets • Generally, this involves creating classification categories such as high, medium, or low • And then assigning information into these categories Security+ Guide to Network Security Fundamentals

  28. Change Management Policy • Change management • Refers to a methodology for making changes and keeping track of those changes, often manually • Seeks to approach changes systematically and provide documentation of the changes • Change management policy • Outlines how an organization will manage changes in a “rational and predictable” manner so employees and clients can plan accordingly Security+ Guide to Network Security Fundamentals, Third Edition

  29. Ethics Policy • Values • A person’s fundamental beliefs and principles used to define what is good, right, and just • Morals • Values that are attributed to a system of beliefs that help the individual distinguish right from wrong • Ethics • The study of what a group of people understand to be good and right behavior and how people make those judgments Security+ Guide to Network Security Fundamentals, Third Edition

  30. Ethics Policy (continued) • Ethics policy • A written code of conduct intended to be a central guide and reference for employees in support of day-to-day decision making • Intended to clarify an organization’s mission, values, and principles, and link them with standards of professional conduct Security+ Guide to Network Security Fundamentals, Third Edition

  31. Education and Training • Education and training involve understanding the importance of organizational training • And how it can be used to reduce risks, such as social engineering Security+ Guide to Network Security Fundamentals, Third Edition

  32. Organizational Training • All computer users in an organization share a responsibility to protect the assets of that organization • Users need training in the importance of securing information, the roles that they play in security, and the steps they need to take to ward off attacks • All users need: • Continuous training in the new security defenses • To be reminded of company security policies and procedures Security+ Guide to Network Security Fundamentals, Third Edition

  33. Organizational Training (continued) • One of the challenges of organizational education and training is to understand the traits of learners Security+ Guide to Network Security Fundamentals, Third Edition

  34. Organizational Training (continued) • Training style also impacts how people learn • Most people are taught using a pedagogical approach • However, for adult learners, an andragogical approach is often preferred • There are different learning styles • Visual learners • Auditory learners • Kinesthetic Security+ Guide to Network Security Fundamentals, Third Edition

  35. Reducing Risks of Social Engineering • Social engineering • Relies on tricking and deceiving someone to provide secure information • Phishing • One of the most common forms of social engineering • Involves sending an e-mail or displaying a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information • Both the e-mails and the fake Web sites appear to be legitimate Security+ Guide to Network Security Fundamentals, Third Edition

  36. Security+ Guide to Network Security Fundamentals, Third Edition

  37. Reducing Risks of Social Engineering (continued) • Variations on phishing attacks: • Spear phishing • Pharming • Google phishing • Ways to recognize phishing messages include: • Deceptive Web links • E-mails that look like Web sites • Fake sender’s address • Generic greeting • Pop-up boxes and attachments Security+ Guide to Network Security Fundamentals, Third Edition

  38. Reducing Risks of Social Engineering (continued) • Ways to recognize phishing messages include: (continued) • Unsafe Web sites • Urgent request • Some organizations have turned to creating regular reminders to users regarding phishing attacks Security+ Guide to Network Security Fundamentals, Third Edition

  39. Security+ Guide to Network Security Fundamentals, Third Edition

  40. Reducing Risks of Social Engineering (continued) • Dumpster diving • Involves digging through trash receptacles to find computer manuals, printouts, or password lists that have been thrown away • Shoulder surfing • Watching an individual enter a security code or password on a keypad • Computer hoax • An e-mail message containing a false warning to the recipient of a malicious entity circulating through the Internet Security+ Guide to Network Security Fundamentals, Third Edition

  41. Summary • A security policy is a written document that states how an organization plans to protect the company’s information technology assets • A standard is a collection of requirements specific to the system or procedure that must be met by everyone, while a guideline is a collection of suggestions that should be implemented • A policy is a document that outlines specific requirements or rules that must be met, and is the correct means to be used for establishing security Security+ Guide to Network Security Fundamentals, Third Edition

  42. Summary (continued) • Because a security policy is so comprehensive and often detailed, most organizations choose to break the security policy down into smaller “subpolicies” • A personally identifiable information (PII) policy outlines how the organization uses information it collects • To provide users with the knowledge and skills necessary to support information security, users need to receive ongoing training • Social engineering relies on tricking and deceiving someone to provide secure information Security+ Guide to Network Security Fundamentals, Third Edition

More Related