Security Beyond the Firewall “Protecting Information in the Enterprise”.
Security Beyond the Firewall • Most organizations have the following: • Firewall • Antivirus software • Intrusion Detection • Intrusion Prevention • Authentication technologies
Security Beyond the Firewall • However, the monitoring and assessment responsibilities are often overlooked, underfunded, done poorly, or not done at all.
Security Beyond the Firewall • An Information Security Policy is a collection of documents that states in writing how a company plans to protect its physical and information technology assets. It is considered a “living document”, meaning that it is continuously updated as technology and employee requirements change.
Security Beyond the Firewall • Most policies include an “Acceptable Use Policy”: a description of how the company plans to educate its employees about protecting the company’s assets, an explanation of how security measures will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy so that the necessary corrections can be made. • Source: searchSecurity.com
Security Beyond the Firewall • What steps are required in writing an Information Security Policy? • Commitment • Risk Assessment • Risk Mitigation • The Policy Document
Security Beyond the Firewall • COMMITMENT • You need commitment from upper management. • They must be made aware of the magnitude of the losses a security breach of the company network would cause. • You must understand the corporate vision and business objectives and how IT fits in with corporate plans. • Analyze the following: • What the company’s information assets are, in terms of hardware, software and network, including the planned future investment in IT/IS. • What the company’s dependence on IT is, in real, measurable terms such as financial benefits, better service to clients, improved image and market share. • How much the company would suffer from any loss, leakage or distortion of information.
Security Beyond the Firewall • RISK ASSESSMENT • Document every risk: • that the company has encountered in the past • that companies in a similar business have encountered • that companies in the same geographical area have encountered • that companies using the same technology have encountered • any other risk that may impact the company’s business
Security Beyond the Firewall • RISK MITIGATION • Security can never be achieved through a single tier of defense; multiple layers are needed to protect our assets. For each security risk we have tabulated, we should identify the preventive measures that could reduce it. Risk mitigation measures fall into three classes: • Administrative measures • Physical measures • Technical measures
Security Beyond the Firewall • Administrative measures consist of policies, procedures, standards and guidelines; personnel screening; and security awareness training. • Physical measures include perimeter control, physical access control, intruder detection, fire protection and environmental monitoring. • Technical measures include logical access control, network access control, identification and authentication devices, and data encryption.
Security Beyond the Firewall • Designing, documenting, implementing and monitoring security policies is a lot of administrative work. In fact, security is 75 percent administrative grind and only 25 percent technical effort. Not a very glamorous affair, but essential. Policies are the preventive controls. • Source: The importance of having an Information Security policy is now being acknowledged even by top management. But how do you go about writing an Information Security policy? by Avinash Kadam
Security Beyond the Firewall • Natural and Environmental Threats: • Disaster recovery (*Business Continuity Planning) • Backup and recovery • WAN recovery • Human Threats: • Password Security & Controls • Internet access and security
Security Beyond the Firewall • Email security: • Technical controls • Logical Access Controls • Program Change Controls • Version Controls • Application Software Security • Database Security: • Network & Telecommunication Security • Administration • Data Access Roles
Security Beyond the Firewall • Operating Systems Security: • Firewall Security • Data Classification • Web server Security • Intranet Security • Virus-Protection • E-commerce Security • Data encryption
Security Beyond the Firewall • Administrative Controls: • Physical Security • Incident Response management • Punitive actions
Security Beyond the Firewall • THE POLICY DOCUMENT • The Information Security Policy has to be understood and followed by all employees. It should be brief but cover all aspects.
Security Beyond the Firewall • Policy Statement: • Outline the objective of the policy. Emphasize the actual risks that the policy will address. Relate it as closely to the company's business as possible so that the reader is convinced of the necessity of the policy. • Policy Scope: • Specify the areas of concern which the policy will address. This lists the organizational units, individuals and technical systems covered by the policy. • Validity: • Define the life-span of the policy and when it will be reviewed next. The review must be done at least once a year to keep the policy current.
Security Beyond the Firewall • Owner: • Author of the policy should be a respected IS professional. This will ensure responsibility and accountability. This is even more important while drafting policies of a technical nature. • Review-details: • Record of previous review and the changes therein.
Security Beyond the Firewall • Compliance requirements: • The punitive actions that will be taken if the policy is not adhered to. This of course needs clearance from HR, but without it the policies become 'best ignored practices' instead of 'best practices'. Also the names of the appointed persons who will enforce these policies. • Policy details: • After the above preamble, here is the real policy.
Security Beyond the Firewall • Specific issues that the policy is addressing: • Give the background, describe the risks that have been identified, state the security expectations that the policy will fulfill. • Best practices: • Give a detailed list of recommended best practices. • Mandatory practices: • This is the minimum standard which has to be implemented.
Security Beyond the Firewall • Procedure for implementation: • A step-by-step procedure which will be followed for implementation of the policy. There will be references to forms, templates, standards, guidelines etc. which could be given as annexure. • Monitoring and reporting mechanism to ensure proper implementation: • How the compliance will be monitored. How non-compliance will be reported and what actions would be taken.
Security Beyond the Firewall • Essential Policies: • List the essential policies under various and applicable controls. • Source: The importance of having an Information Security policy is now being acknowledged even by top management. But how do you go about writing an Information Security policy? by Avinash Kadam
Security Beyond the Firewall • Example of an Information Security Policy concentrating on e-mail. • The Policy Details section should cover the following: • Confidentiality of information • E-mail should not be used for confidential information exchange • The sender is fully responsible for the content of the information • No sensitive information such as passwords, PINs or credit card details should ever be sent by e-mail
Security Beyond the Firewall • Appropriate Use: • Use of e-mail is restricted to business use only • No obscene or profane message should be sent • E-mail should not be used for sending spam • E-mail should not be used to transmit chain mails, greetings, graphics etc. • E-mails should not be automatically forwarded to addresses outside the company • The size of an e-mail should be restricted to within approved limits
Security Beyond the Firewall • Management Authority: • Management reserves the right to monitor e-mails • Management may store e-mails for later retrieval for any legal purpose • Any encryption of e-mail attachments must have the company's approval, and the encryption key must be stored for retrieval when necessary
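The policy above calls for a monitoring mechanism, so here is what one looks like for the confidentiality and appropriate-use rules: an outbound-mail check that flags Luhn-valid card numbers, disclosed passwords or PINs, messages over the size limit, and automatic forwards to addresses outside the company. This is an added example, not code from the original presentation; the company domain, the size limit, the use of the RFC 3834 Auto-Submitted header to recognise automatic forwarding, and the sample messages are all assumptions constructed for illustration.

```python
"""Outbound e-mail policy check (illustrative, not from the original slides).
Flags the rules of the e-mail policy that can be checked mechanically."""
import re
from email import message_from_string
from email.utils import getaddresses

COMPANY_DOMAIN = "example.com"          # assumption: the company's mail domain
MAX_MESSAGE_BYTES = 10 * 1024 * 1024    # assumption: the "approved limit" for size

# 13-19 digits, optionally separated by spaces or dashes (candidate card numbers)
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# "password: x", "PIN = 1234" and similar credential disclosures
SECRET_RE = re.compile(r"\b(?:password|passwd|pin)\b\s*[:=]\s*\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def message_text(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def external_recipients(msg) -> list[str]:
    """Recipient addresses whose domain is not the company domain."""
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return [a for a in addrs if a.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN]


def check_message(raw: str) -> list[str]:
    """Return the policy rules an outbound message violates (empty = compliant)."""
    msg = message_from_string(raw)
    body = message_text(msg)
    violations = []
    if len(raw.encode("utf-8")) > MAX_MESSAGE_BYTES:
        violations.append("size-limit")
    if find_card_numbers(body):
        violations.append("card-number")
    if SECRET_RE.search(body):
        violations.append("credential")
    # Assumption: RFC 3834's Auto-Submitted header with any value other than "no"
    # marks automatic processing; with an external recipient that is the
    # "no automatic forwarding outside the company" rule being broken.
    auto = msg.get("Auto-Submitted", "no").strip().lower()
    if auto != "no" and external_recipients(msg):
        violations.append("external-auto-forward")
    return violations


# Constructed sample messages (not real data); 4111 1111 1111 1111 is a
# well-known Luhn-valid test number, not a live card.
SAMPLE_BAD = """\
From: alice@example.com
To: bob@partner.example.org
Subject: Fwd: booking details
Auto-Submitted: auto-forwarded

Card for the booking: 4111 1111 1111 1111, portal password: hunter2
"""

SAMPLE_OK = """\
From: alice@example.com
To: carol@example.com
Subject: Lunch

Meeting room 3 at 12:30?
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_BAD))  # ['card-number', 'credential', 'external-auto-forward']
    print(check_message(SAMPLE_OK))   # []
```

In practice a check like this sits on the outbound mail gateway and its findings feed the reporting mechanism the policy requires; the Luhn test keeps order numbers and similar digit runs from producing false positives, while the credential pattern is deliberately narrow, so treat both as a starting point to tune against the company's own traffic.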
Security Beyond the Firewall • Disclaimer Notice: • Since e-mail is not a secure medium and it is very easy to read, copy or alter an e-mail, add a disclaimer similar to the one given below. The company can at least protect itself from misuse. Note that the disclaimer is a legal notice, not a control: it does not stop anyone from reading or altering the message; only encryption and digital signatures can do that.
Security Beyond the Firewall • "The information in this mail is confidential and is intended solely for the addressee. Access to this mail by anyone else is unauthorized. Any copying or further distribution beyond the original recipient is not intended and may be unlawful. The opinion expressed in this mail is that of the sender and does not necessarily reflect that of the XXX company."
Security Beyond the Firewall • U.S. Federal Security Legislation and Regulations: • http://www.bakernet.com/ecommerce/fedlegis-s.htm • The U.S. National Strategy to Secure Cyberspace • http://www.whitehouse.gov/pipb/ • SANS Internet Storm Center • http://isc.incidents.org/ • InfraGard • http://www.infragard.org
Security Beyond the Firewall • Eric D. Jordan • ejordan@firmtechnology.net • Ernesto T. Negron • enegron@firmtechnology.net