Guide to Network Defense and Countermeasures, Second Edition
Chapter 3: Security Policy Implementation
Objectives
• Explain best practices in security policies
• Formulate a security policy and identify security policy categories
• Explain the importance of ongoing risk analysis and define incident-handling procedures
Guide to Network Defense and Countermeasures, Second Edition
What Makes a Good Security Policy?
• Benefits of a security policy
  • Provides a foundation for an organization's overall security stance
  • Gives employees guidelines on how to handle sensitive information
  • Gives IT staff instructions on what defensive systems to configure
  • Reduces the risk of legal liability
• A good security policy is comprehensive and flexible
• It is not a single document but a group of documents
General Security Policy Best Practices
• Basic concepts
  • If it is too complex, nobody will follow it
  • If it affects productivity negatively, it will fail
  • It should state clearly what can and cannot be done on company equipment
  • Include general clauses that cover situations the policy does not list explicitly
  • People need to know why a policy is important
  • Involve representatives of all departments
  • It should contain clauses stating the specific consequences for violating the policy
General Security Policy Best Practices (continued)
• Basic concepts (continued)
  • Needs support from the highest level of the company
  • Employees must sign a document acknowledging the policy and agreeing to abide by it
  • Keep it updated with current technologies
  • Policy directives must be consistent with applicable laws
General Security Policy Best Practices (continued)
• Considering cyber risk insurance
  • An insurance policy that protects against losses to information assets
  • Insurance and security policies are related: many answers to insurance application questions come directly from the security policy
  • A well-documented security policy could even earn your company a break on rates
General Security Policy Best Practices (continued)
• Developing security policies from risk assessment
  • Steps
    1. Identify what needs to be protected
    2. Define the threats faced by the network
    3. Define the probability of those threats and their consequences
    4. Propose safeguards and define how to respond to incidents
  • Penalties for violating the policy are stated prominently near the top
  • Policy effectiveness must be monitored
General Security Policy Best Practices (continued)
• Teaching employees about acceptable use
  • The issue of trust is an integral part of a security policy
  • Policy should define who to trust and what level of trust should be placed in them
  • Seek a balance between extending trust and issuing orders
General Security Policy Best Practices (continued)
• Outlining penalties for violations
  • Policy should state what to do and what not to do
  • Policy should also contain guidelines for the penalty process
  • Establish flexible methods of punishment that can be applied at management's discretion
General Security Policy Best Practices (continued)
• Criminal computer offenses
  • Policy violations can become criminal offenses
  • Subpoena: an order issued by a court demanding that a person appear in court or produce some form of evidence
  • Search warrant: an order issued by a court authorizing law enforcement officers to search specified premises or systems and seize evidence; like a subpoena it is a court order, but it is executed by the officers on the spot and compels you to cooperate with their investigation
  • Due process: the constitutional guarantee of fair legal proceedings, including a fair and impartial trial
General Security Policy Best Practices (continued)
• Enabling management to set priorities
  • Policy provides a way to identify the most important security priorities
  • Policy lists the network resources that managers find most valuable in the organization
General Security Policy Best Practices (continued)
• Helping network administrators do their jobs
  • Policy spells out mundane but important information
  • Privileged access policy: covers network administrators and specifies whether they are allowed to
    • Run network-scanning tools
    • Run password-checking software
    • Have root or domain administrator access
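A privileged access policy of the kind described above is only useful if someone checks administrator activity against it. The following is an added example, not code from the textbook: a hypothetical policy table recording which governed tools each admin role may run and which roles may obtain root, audited against constructed sudo-style log lines. The role names, tool names, user-to-role mapping and log format are all assumptions.

```python
"""Audit administrator activity against a privileged access policy.

Added example, not code from the textbook. The policy table, role names,
tool names, user-to-role mapping and the sudo-style log lines below are
all constructed for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class PrivilegedAccessPolicy:
    # Tools the policy governs (scanners, sniffers, password checkers)
    governed_tools: set = field(default_factory=set)
    # role -> subset of governed_tools that role may run
    allowed_tools: dict = field(default_factory=dict)
    # roles that may obtain root or domain administrator rights
    root_roles: set = field(default_factory=set)

    def permits(self, role, tool):
        """True if the tool is not governed, or the role is allowed to run it."""
        if tool not in self.governed_tools:
            return True
        return tool in self.allowed_tools.get(role, set())


# Hypothetical policy: network admins may scan and sniff, only security
# analysts may run password checkers, and helpdesk staff get neither, nor root.
POLICY = PrivilegedAccessPolicy(
    governed_tools={"nmap", "tcpdump", "john", "hashcat"},
    allowed_tools={
        "network-admin": {"nmap", "tcpdump"},
        "security-analyst": {"nmap", "john", "hashcat"},
        "helpdesk": set(),
    },
    root_roles={"network-admin", "security-analyst"},
)

# Assumed directory lookup: user -> role
ROLE_OF = {"alice": "network-admin", "bob": "helpdesk", "carol": "security-analyst"}

# Constructed sudo-style log lines (not real logs)
SAMPLE_LOG = """\
Mar 12 09:01:07 gw1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/nmap -sS 10.0.0.0/24
Mar 12 09:05:41 gw1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/john /tmp/shadow
Mar 12 09:07:12 gw1 sudo: carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/hashcat -m 1800 /tmp/shadow
Mar 12 09:09:55 gw1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/john /tmp/shadow
Mar 12 09:12:03 gw1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root
Mar 12 09:13:30 gw1 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 50422 ssh2
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)


def parse_sudo_line(line):
    """Extract invoking user, target user and tool name; None for non-sudo lines."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    tool = cmd.split()[0].rsplit("/", 1)[-1]  # /usr/bin/nmap -> nmap
    return {"user": m.group("user"), "target": m.group("target"), "tool": tool}


def audit(log_text, policy=POLICY, role_of=ROLE_OF):
    """Return (user, role, reason) tuples for every log line that breaks the policy."""
    violations = []
    for line in log_text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        role = role_of.get(ev["user"], "unknown")  # unknown users are never permitted
        if ev["target"] == "root" and role not in policy.root_roles:
            violations.append((ev["user"], role, "root access not permitted"))
        if not policy.permits(role, ev["tool"]):
            violations.append((ev["user"], role, f"not permitted to run {ev['tool']}"))
    return violations


if __name__ == "__main__":
    for user, role, reason in audit(SAMPLE_LOG):
        print(f"VIOLATION {user} ({role}): {reason}")
```

Run against the sample log, the audit flags bob twice for obtaining root he is not entitled to, bob once for running john, and alice once for running john outside her role; carol's hashcat run and alice's nmap scan pass because the policy allows them. A real deployment would read the same lines from the host's sudo log and feed the violations into the incident escalation procedure.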
General Security Policy Best Practices (continued)
• Using security policies to conduct risk analysis
  • Design and implement a security policy
  • Monitor your network's behavior (for example, response times and traffic signatures)
  • Use this information in further rounds of risk analysis
  • Conduct a new risk analysis after a major change occurs
Formulating a Security Policy
• Start by analyzing the level of risk to the organization's assets
• Identify safeguards to protect the assets
• Identify the potential need for cyber risk insurance
Seven Steps to Creating a Security Policy
1. Call for the formation of a group that meets to formulate the security policy
2. Determine whether the overall approach to security should be restrictive or permissive
3. Identify the assets you need to protect
4. Determine what needs to be logged and/or audited
5. List the security risks that need to be addressed
6. Define acceptable use of the Internet, office computers, passwords, and other network resources
7. Create the policy
Components of Security Policies
• Acceptable use policy
  • Establishes what is acceptable use of company resources
  • Usually stated at the beginning of a security policy
• Security user awareness program
  • Gets employees involved and excited about the policy
  • Explains how the policy benefits the employees
Components of Security Policies (continued)
• Violations and penalties
  • Specifies what constitutes a violation and how violations are dealt with
  • Can help a company avoid legal problems
Components of Security Policies (continued)
• User accounts and password protection
  • Guides how user accounts are to be used
  • Passwords represent a first line of defense
Components of Security Policies (continued)
• Remote access policy
  • Spells out the use of role-based authentication
  • Gives users limited access based on their roles and the resources each role is allowed to use
• Virtual private networks (VPNs)
  • VPNs create a tunnel to transport information through public communications media
  • Data are kept safe by the use of tunneling protocols and encryption
Components of Security Policies (continued)
• Secure use of the Internet and e-mail
  • Covers how employees can access and use the Internet and e-mail
  • Prohibits broadcasting e-mail messages to all staff (mass mailing)
  • Spells out whether users are allowed to download software or streaming media from the Internet
  • Blocks objectionable Web sites
Components of Security Policies (continued)
• LAN security policy
  • Protects information that is processed, stored, and transmitted on the LAN, and the LAN itself
Components of Security Policies (continued)
• LAN security policy (continued)
  • Should describe the following
    • Applicability
    • Evaluations
    • Responsibilities
    • Commitment
  • Can cover the following employees
    • Functional managers
    • Users
    • Local administrators
    • End users
Conducting Ongoing Risk Analysis
• Re-evaluate the organization's security policy on an ongoing basis
• Decide on a routine reassessment of the risk to the company and its assets
Conducting Routine Security Reviews
• Security policies can specify how often risk analyses should be conducted
  • Identifying the people who conduct the analysis
  • Describing the circumstances that call for a new risk analysis
• Policy should be flexible enough to allow "emergency" reassessments as needed
Working with Management
• Managers usually think in terms of ROI
• They should also consider these factors:
  • How much the information systems and data are worth
  • Threats they have already encountered and will encounter
  • The chances that security threats will result in real losses
Working with Management (continued)
• Some business concerns affected by intrusions:
  • Costs related to financial loss and disruption
  • Personnel safety and personnel information
  • Legal and regulatory obligations
  • Commercial and economic interests
Working with Management (continued)
• Dealing with the approval process
  • Developing a security policy can take several weeks or several months
  • Take the time to do it right and cover all bases
  • Policy needs to be reviewed and approved by upper management
  • You might encounter resistance; a security user awareness program can help
Working with Management (continued)
• Feeding security information to the security policy team
  • Inform them of any change to the organization's security configuration
Responding to Security Incidents
• Escalation procedures
  • Levels of escalation
    • Level One incidents: least severe; managed within one working day; requires notifying only the on-duty security analyst
    • Level Two incidents: moderate seriousness; managed the same day; requires notifying the security architect
    • Level Three incidents: most serious; managed immediately; requires notifying the chief security officer
Responding to Security Incidents (continued)
• Incident handling
  • Incident examples
    • Loss of passwords: Level One incident
    • Burglary or other illegal building access: Level Two incident
    • Property loss or theft: Level Two or Level Three incident
Updating the Security Policy
• Update your policy based on the security incidents reported
• Any changes to the policy should be broadcast to the entire staff, by e-mail or by posting the changes on the intranet
• The security policy should result in actual physical changes to the organization's security configuration, such as new hardware or software that makes security tasks easier
• Better protection means fewer internal or external incidents
Summary
• Benefits of a security policy are wide ranging
  • Security policy protects a company's overall security
  • States what rights employees have and how they should handle company resources
• Cyber risk insurance is becoming necessary for businesses
• A good security policy
  • Is based on risk assessment
  • Covers acceptable use of system resources
  • Sets priorities for the most critical resources
Summary (continued)
• Legal liabilities should be covered in a security policy
  • Incidents can become legal offenses
  • Understand your legal obligations
• A security policy comprises a series of several specific policies
• Seven steps in creating a policy
• Must present the proposal to management and gain approval
  • Involves explaining the expected ROI and other costs
Summary (continued)
• Security policy sections
  • Acceptable use
  • Violations and penalties
  • Incident handling
  • Escalation procedures
• Security policies should be reviewed and updated regularly