95-841 Information Assurance Policy
Tim Shimeall (tjs@cert.org)

Information Assurance Policy
• Seminar course: Participation is Essential
• Sessions (after week 4): 50% lecture, 50% discussion
• Building, developing, evaluating IA policy
• Grading:
  • Course presentation: 30% (see sign-up list)
  • Course participation: 30% (when not presenting)
  • Final paper/project: 40% (topic-related policy)
Presentations
• Instructors will cover the background material
• Student presenters will apply it to a case study or other realistic scenario
• Student audience will evaluate the application and critique the resulting policies
• Presenters' grade is NOT based on critique results, but on the level of discussion and on effectiveness at presenting applicable policy
• Plan on 90 minutes, including discussion
Course Content
• Introduction and case study
• Policy development
• Policy evaluation
• Building policy for case study (with instructor as stakeholder)
• Larger issues (legislation and governance)
• Course summary
What is Information Assurance Policy?
• Detailed statement regarding permissible and prohibited behavior with respect to information assets, to assure confidentiality, integrity and availability of those assets
• Behavior:
  • Loading, using, disseminating data
  • Acquiring, using, distributing software
  • Acquiring, using, retiring hardware
  • In general: anything being done by, on or with any information processing asset
• Asset: data, software, device, network, person
Why Information Assurance Policy? (1)
[Diagram: the question "What does Information Assurance mean???" surrounded by the terms Encryption, Redundancy, Privacy, Resources, Integrity, Purchasing Guidelines, Communications, Accountability, Firewall Configuration, Access Controls, Backups, Disaster Recovery, Authorization, Auditing, Authentication, Risk Reduction]
Why Information Assurance Policy? (2)
[Diagram: policy stakeholders: Management, Top management (CXO), Legal, Users, Human Resources, Others (clients, partners), Database Admin, System Admin, Network Admin]
Why Information Assurance Policy? (3)
• Janet works in the accounting department of a mid-size organization
• Changed password: wrote the new one on a note; stuck the note to her monitor
• Later noticed that someone had used her account, but didn't notice any obvious damage
• Had heard it was a bad idea to write passwords down and leave them around
• Remembered that an employee had been fired for some policy violation
• Did not report the incident
Why Information Assurance Policy? (4)
• Tim is a security administrator working for you in a 2000-member organization
• Detects a password sniffer running on his organization's principal server, and on an obsolete desktop used for lighting control
• In a directory called "…", he finds a file with 300 user ids and passwords for his site
• He reports his findings to you and asks for more time before reporting the incident
Why Information Assurance Policy? (5)
• Staffing?
• New Product?
• New Infrastructure?
• Firewalls?
• Training?
Why Information Assurance Policy? (6)
• You work as a helpdesk manager, reporting to the CIO, for a medium-sized company
• An employee-owned smartphone was compromised while on travel, and through that compromise about 3,000 customer billing records were accessed
• What should you recommend to the CIO?
Going Forward From Here
• Policy and Technology are inherently linked
• Policy implements and enables authority
• We will discuss a variety of policy aspects
[Diagram: policy aspects: Developing, Costing, Managing, Deploying; User, Network, Site; Confidentiality, Integrity, Availability; Legislation and Governance]