Chapter 06
CIS 382
Security Policies and
Procedures
Policy
Topics to be covered
Presentations/ Assignments
Policy is important
Types of Policy
Creating Appropriate Policy
Developing/ Deploying Policy
Using Policy Effectively
CIS382 - Security Policies and Procedures Ref02Ch05-Policy
What is Policy?
What is Procedure?
Policy Is Important
TYPES OF POLICY
1. Information Security Policy
2. Security Policy
3. Computer Use Policy
4. Internet Use Policy
5. Mail Policy
TYPES OF POLICY
1. Information Policy
Identification of Sensitive Information
Classifications
Marking of Sensitive Information
Storage of Sensitive Information
Transmission of Sensitive Information
Destruction of Sensitive Information
2. Security Policy
3. Computer Use Policy
Ownership of Computers
Ownership of Information
Acceptable Use of Computers
No Expectation of Privacy
TYPES OF PROCEDURES
1. User Management Procedures
New Employee Procedure
Transferred Employee Procedure
Employee Termination Procedure
2. System Administration Procedure
Software Upgrades
Vulnerability Scans
Policy Reviews
Log Reviews
Regular Monitoring
Dr. Abid Ali Minhas
TYPES OF POLICY
There are many types of policies and procedures that an organization can use to define how security should work within it.
There is no reason the concepts of these policies and procedures cannot be combined or broken out in different ways, as best fits a given organization.
For each of the policies defined, each major heading of the policy is defined and explained.
Three sections are common to every policy, and these are discussed here:
1. Purpose (see Third-Party-Network-Connectivity.pdf)
2. Scope
3. Responsibility
1. Information Policy
Classifications
Two or three classification levels are sufficient for most organizations.
The lowest level of information should be public; in other words, information that can be provided to the public.
Above this, information is not releasable to the public.
This information may be called proprietary, company sensitive, or company confidential.
Information of this type is releasable to employees or to other organizations that have signed a non-disclosure agreement.
If this information is released to the public or to competitors, some harm may be done to the organization.
If there is a third level of sensitive information, it may be called restricted or protected.
Such information is normally restricted to a limited number of employees within the organization.
It is not released to individuals outside of the organization.
2. Security Policy
Access Control
Audit
Network Connectivity
Permanent Connections
Permanent network connections are those that come into the organization over some type of permanent communication line.
The security policy should define the type of security device to be used on such a connection.
Most often, a firewall is the appropriate device.
Just specifying the type of device does not specify the appropriate level of protection.
The security policy should define a basic network access control policy to be implemented on the device, as well as a procedure for requesting and granting access that is not part of the standard configuration.
Malicious Code
Encryption
Waivers
The security department should then review the waiver request and provide its assessment of the risk and recommendations to reduce and manage the risk.
In practice, the project manager and the security staff should work together to address each of these areas so that when the waiver request is complete, both are in agreement.
Finally, the waiver should be signed by the organization's officer who is in charge of the project.
This shows that the officer understands the risk to the organization and agrees that the business need overcomes the security requirements.
In addition, the officer's signature confirms that the steps to manage the risk are appropriate and will be followed.
Class discussion
Appendices
Detailed security configurations for various operating systems should be placed in appendices or in separate configuration procedures.
This allows these detailed documents to be modified as necessary without changing the organization's security policy.
3. Computer Use Policy
Ownership of Computers
Ownership of Information
Acceptable Use of Computers
No Expectation of Privacy

Ownership of Computers
The policy may also prohibit the use of non-organization computers for organization business.
For example, if employees are expected to perform some work at home, the organization will provide a suitable computer.
It may also be appropriate to state that only organization-provided computers can be used to connect to the organization's internal computer systems via a remote access system.
Ownership of Information
5. Mail Policy
Assignment No. 1
Discussion of Assignment
A Guide to Security Policy
HIPAA Security Policy and Procedure Manual
Final-Course Syllabus Procedures Version 1.0F docx09012013.pdf
Spyware News
TYPES OF PROCEDURES
1. User Management Procedures
2. System Administration Procedure
Software Upgrades
Vulnerability Scans
Policy Reviews
Log Reviews
Regular Monitoring
4. Configuration Management Procedure
2. System Administration Procedure
Software Upgrades
Vulnerability Scans
Policy Reviews
Log Reviews
Regular Monitoring
4. Configuration Management Procedure
Event Identification
Escalation
Security
System Administration
Legal
Human Resources
Public Relations
Response to Incident
Documentation
TYPES OF PROCEDURES
Procedure-Testing Scenario
[Diagram: a number of test scenarios arranged around a single system]
Design Methodology
Organizations that have projects to create new systems or capabilities should have a design methodology.
This methodology lays out the steps that the organization will follow to bring a new project into production.
A design methodology includes many steps that are not security-related and thus will not be covered in this discussion.
However, the earlier Security becomes involved in a new project, the more likely it is that proper security will be incorporated into the final system.
For each of the design phases listed in the following sections, we will discuss the security issues that should be examined.
1. Requirements Definition
2. Design
3. Test
4. Implementation
Design Methodology
Requirements Definition
Design
Test
Implementation
of North Carolina. Lays out controls for detecting and reacting to 'red flag' situations linked to identity theft.
New York. Includes a set of 21 high-level principles, cross-referenced to ISO/IEC 27002:2005. [PDF]
Word]
Please visit
http://help.adobe.com/en_US/acrobat/X/pro/using/WS58a04a822e3e50102bd615109794195ff-7d68.w.html
and see how Adobe lets you set up different policies.
END OF CHAPTER