
Information Security Policies:


Presentation Transcript


  1. Information Security Policies: User/Employee use policies

  2. Overview • Format of policies • Usage of policies • Example of policies • Policy cover areas • References • Homework • Questions

  3. Format of Policies • Purpose • The need for the policy • Scope • Which parts of the system are covered • Who the policy applies to • Policy • What can or cannot be done with the system • Enforcement • Actions that can be taken when the policy is violated • Definitions • Defines the keywords used in the policy • Revision History • States when and what has been changed

  4. Usage of Policies • Policy • A document that outlines specific requirements or rules that cover a single area • Standard • A collection of system-specific or procedure-specific requirements that must be met by everyone • Guideline • A collection of system-specific or procedure-specific “suggestions” for best practice • Not required, but strongly recommended

  5. Example of Policies

  6. Example of Policies

  7. Example of Policies

  8. Policy cover areas • Acceptable Use • Information Sensitivity • Ethics • E-mail • Anti-Virus • Password • Connection

  9. Acceptable Use Policy • General outline for all other policies • Protects employees, partners and the company from illegal or damaging actions • Applies to all computer-related equipment • General use and ownership • Security and proprietary information • Unacceptable use

  10. Information Sensitivity Policy • Determines what information can and cannot be disclosed to non-employees • Public • Declared public knowledge • Can be given freely to anyone without any possible damage • Confidential • Minimal Sensitivity: • General corporate information; some personal and technical information • More Sensitive: • Business, financial, and most personnel information • Most Sensitive: • Trade secrets & marketing, operational, personnel, financial, source code, & technical information integral to the success of the company

  11. Ethics Policy • Defines the means to establish a culture of openness, trust and integrity • Executive Commitment • Honesty and integrity must be top priority • Employee Commitment • Treat everyone fairly, have mutual respect • Company Awareness • Promote a trustworthy and honest atmosphere • Maintaining Ethical Practices • Reinforce the importance of the integrity message • Unethical Behavior • Unauthorized use of company information integral to the success of the company will not be tolerated

  12. E-mail Policy • General usage • To prevent tarnishing the company's public image • Prohibited use • Cannot be used for any disruptive or offensive messages • Personal Use • Whether it can or cannot be used for personal purposes • Monitoring • No privacy for stored, sent or received messages • May be monitored without prior notice

  13. E-mail Policy • Retention • Determines how long an e-mail is retained • Four main classifications • Administrative correspondence – 4 years • Fiscal correspondence – 4 years • General correspondence – 1 year • Ephemeral correspondence – until read • Instant Messenger Correspondence • Only applies to administrative and fiscal correspondence • Encrypted Communications • Stored in decrypted format

  14. E-mail Policy • Automatic Forwarding • To prevent unauthorized or inadvertent disclosure of sensitive information • When • Approved by the appropriate manager • Sensitive information as defined in the Information Sensitivity Policy is encrypted in accordance with the Acceptable Encryption Policy

  15. Anti-Virus Policy • To prevent computer virus problems • Install anti-virus software • Update anti-virus software daily • Always keep anti-virus software in auto-protect mode • Scan storage media for viruses before using them • Never open any e-mail from an unknown source • Never download files from an unknown source • Remove virus-infected computers from the network until verified as virus-free

  16. Password Policy • A standard for the creation of strong passwords • Contain both upper- and lower-case characters • Contain digits and punctuation characters • At least eight alphanumeric characters long • Not based on personal information • Not a word in any language • Can be easily remembered • Frequency of password changes
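The creation rules on this slide are mechanical enough to be checked at password-change time. The block below is an added example and is not code from the slides or from the SANS templates they draw on; the word list, the leet-substitution map and the sample personal-information strings are constructed stand-ins (a real deployment would load a full dictionary and the user's directory attributes).

```python
import re
import string

# Constructed mini word list standing in for a real dictionary file (assumption).
DICTIONARY = {"password", "welcome", "summer", "company", "letmein", "qwerty"}

# Constructed map of common letter-for-symbol substitutions (assumption), so that
# "P@ssw0rd" is still recognised as the word "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "7": "t", "!": "i"})

MIN_LENGTH = 8


def _word_candidates(password):
    """Letter-only cores of the password, with and without leet undone."""
    lowered = password.lower()
    plain = re.sub(r"[^a-z]", "", lowered)
    unleeted = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    return {plain, unleeted}


def check_password(password, personal_info=()):
    """Return the list of policy violations; an empty list means it complies.

    Rules follow the slide: mixed case, digits and punctuation, at least eight
    characters, not based on personal information, not a dictionary word.
    `personal_info` is an iterable of strings such as the user's name or e-mail.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    if _word_candidates(password) & DICTIONARY:
        problems.append("based on a dictionary word")
    # Any 4+ character token from the personal data appearing in the password.
    lowered = password.lower()
    matched = sorted({tok for item in personal_info
                      for tok in re.findall(r"[a-z0-9]{4,}", item.lower())
                      if tok in lowered})
    if matched:
        problems.append("contains personal information: " + ", ".join(matched))
    return problems


if __name__ == "__main__":
    for pw in ("Password1!", "P@ssw0rd", "Kz7#vQ2m!p", "abc"):
        print(pw, "->", check_password(pw) or "OK")
    print(check_password("Alice2024!x", personal_info=("Alice Smith",)))
```

The checker reports every failed rule rather than stopping at the first one, which is what a user-facing error message needs; it deliberately does not evaluate "can be easily remembered", which is a guideline for the user rather than something software can test.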

  17. Password Policy • Protection of passwords • Never written down or stored on-line • Don’t reveal a password over the phone • Don’t reveal a password in an email message • Don’t reveal a password to the boss • Don’t reveal a password to co-workers • Don’t hint at the format of a password • Don’t share a password with family members

  18. Connection Policy • Remote Access • Defines standards for connecting to the company's network from any external host or network • General • Same considerations as an on-site connection • General Internet access for recreational use by the immediate household is permitted • Requirements • Public/private keys with strong pass-phrases • Cannot be connected to other networks at the same time • Cannot provide their login or e-mail password to anyone • Must have the most up-to-date anti-virus software installed

  19. Connection Policy • Analog/ISDN Line • Defines standards for the use of analog/ISDN lines for fax sending and receiving, and for connection to computers • Scenarios & Business Impact • Outside attacker attached to the trusted network • Facsimile Machines • Physically disconnected from computers/the internal network • Computer-to-Analog Line Connections • A significant security threat • Requesting an Analog/ISDN Line • State why other, secure connections cannot be used

  20. Connection Policy • Dial-in Access • To protect information from being inadvertently compromised by authorized personnel using a dial-in connection • One-time password authentication • Connects to the company's sensitive information • Reasonable measures to protect assets • Analog and non-GSM digital cellular phones • Signals are readily scanned by unauthorized individuals • Monitor account activity • Disable the account after no access for six months

  21. Connection Policy • Extranet • Describes how third-party organizations connect to the company network for the purpose of transacting business related to the company • In the best possible way, least access • Valid business justification • Approved by a project manager • Point of contact from the sponsoring organization • Covered by the Third Party Connection Agreement • Establishing Connectivity • Provide complete information on the proposed access

  22. Connection Policy • Modifying Access • Notifying the extranet management group • Security and Connectivity evolve accordingly • Terminating Access • Access is no longer required • Terminating the circuit • Third Party Connection Agreement • Defines the standards and requirements, including legal requirements, needed in order to interconnect a third party organization’s network to the production network. • Must be signed by both parties

  23. Connection Policy

  24. Connection Policy • Virtual Private Network (VPN) Security • Defines the requirements for remote-access IPSec or L2TP VPN connections to the company network • Force all traffic to and from the PC over the VPN tunnel • Dual tunneling is not allowed • 24-hour absolute connection time limit • Automatically disconnected after 30 min. of inactivity • Only approved VPN clients can be used
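Slides 20 and 24 give concrete remote-access limits: a dial-in account is disabled after six months without access, and a VPN session is cut at 24 hours absolute or 30 minutes idle, with dual tunneling and unapproved clients refused. The block below is an added example, not code from the slides or from SANS; the session records, user names and the reading of "six months" as 182 days are constructed assumptions. It evaluates those rules over sample data and returns the action with the reasons behind it, which is the shape an enforcement log should have.

```python
from datetime import datetime, timedelta

# Limits taken from the slides: 24-hour absolute connection time, 30 minutes of
# inactivity, and dormant dial-in accounts disabled after six months of no access.
MAX_SESSION = timedelta(hours=24)
MAX_IDLE = timedelta(minutes=30)
DORMANT_AFTER = timedelta(days=182)  # assumption: "six months" rounded to 182 days


def session_action(session, now):
    """Decide what to do with one remote-access session record.

    Returns ("allow", []) or ("disconnect", [reasons...]). Boundaries are
    inclusive, so a session exactly 24 h old or exactly 30 min idle is cut.
    """
    reasons = []
    if not session.get("client_approved", False):
        reasons.append("VPN client not on the approved list")
    if session.get("split_tunnel", False):
        reasons.append("dual tunneling: traffic is not forced over the VPN")
    if now - session["started"] >= MAX_SESSION:
        reasons.append("24 hour absolute connection limit reached")
    if now - session["last_activity"] >= MAX_IDLE:
        reasons.append("idle for 30 minutes or more")
    return ("disconnect", reasons) if reasons else ("allow", [])


def enforce(sessions, now):
    """Return {session_id: (action, reasons)} for every active session."""
    return {s["id"]: session_action(s, now) for s in sessions}


def dormant_accounts(last_access, now):
    """Return the user names whose remote-access accounts should be disabled.

    `last_access` maps user -> datetime of last login, or None if never used.
    """
    return sorted(user for user, seen in last_access.items()
                  if seen is None or now - seen >= DORMANT_AFTER)


# Constructed sample data (not from the slides) so the block runs offline.
NOW = datetime(2024, 6, 1, 12, 0, 0)
SAMPLE_SESSIONS = [
    {"id": "s1", "started": NOW - timedelta(hours=1),
     "last_activity": NOW - timedelta(minutes=5), "client_approved": True},
    {"id": "s2", "started": NOW - timedelta(hours=25),
     "last_activity": NOW - timedelta(minutes=1), "client_approved": True},
    {"id": "s3", "started": NOW - timedelta(hours=2),
     "last_activity": NOW - timedelta(minutes=30), "client_approved": True},
    {"id": "s4", "started": NOW - timedelta(hours=1),
     "last_activity": NOW - timedelta(minutes=1), "client_approved": True,
     "split_tunnel": True},
    {"id": "s5", "started": NOW - timedelta(minutes=10),
     "last_activity": NOW, "client_approved": False},
]
SAMPLE_LAST_ACCESS = {
    "alice": NOW - timedelta(days=3),
    "bob": NOW - timedelta(days=200),
    "carol": None,
}

if __name__ == "__main__":
    for sid, (action, why) in enforce(SAMPLE_SESSIONS, NOW).items():
        print(sid, action, "; ".join(why))
    print("disable:", dormant_accounts(SAMPLE_LAST_ACCESS, NOW))
```

Accounts that have never logged in are treated as dormant, since they are the ones most likely to have been provisioned and forgotten; a concentrator or RADIUS server would feed `enforce` its live session table and act on the returned reasons.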

  25. Connection Policy • Wireless Communication • Defines standards for wireless systems used to connect to the company network • Access Points and PC Cards • Registered and approved by InfoSec • Approved Technology • Use approved products and security configurations • Encryption and Authentication • Drop all unauthenticated and unencrypted traffic • Setting the SSID • Should not contain any identifying information

  26. Reference • The SANS Security Policy Project • http://www.sans.org/resources/policies • Information Security Policies & Computer Security Policy Directory • http://www.information-security-policies-and-standards.com • RFC 1244 – Site Security Handbook • http://www.faqs.org/rfcs/rfc1244.html • Google • http://www.google.com

  27. Reference

  28. Reference

  29. Homework • Write a full version of the policy based on assignment 5 “Acceptable student use of the GTS” in the format presented here • Define the usage of the policy as presented Tips: • The policy document format is on slide 3 • Policy usage is on slide 4 • You may find more information at SANS

  30. Questions Any questions?
