1 / 35

Security Awareness

Security Awareness. Chapter 6 Enterprise Security. Objectives. After completing this chapter you should be able to do the following: Define business continuity Explain how redundancy planning and disaster recovery planning benefit an organization Explain what a policy is and how it is used

annona
Download Presentation

Security Awareness

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Awareness Chapter 6 Enterprise Security

  2. Objectives After completing this chapter you should be able to do the following: • Define business continuity • Explain how redundancy planning and disaster recovery planning benefit an organization • Explain what a policy is and how it is used • List the different types of security policies Security Awareness, 3rd Edition

  3. Business Continuity • Ability of an organization to maintain its operations and services in the face of a disruptive event • Computer attack • Natural disaster • Many organizations are either unprepared or have not tested their plans • Common elements • Redundancy planning • Disaster recovery procedures • Incident response procedures Security Awareness, 3rd Edition

  4. Redundancy Planning • Building excess capacity in order to protect against failures • Servers • Protect against single point of failure • Redundant servers or parts • May take too long to get back online • Server cluster • Design the network infrastructure so that multiple servers are incorporated into the network • Types: asymmetric and symmetric Security Awareness, 3rd Edition

  5. Redundancy Planning (cont’d.) Figure 6-1 Server cluster Course Technology/Cengage Learning Security Awareness, 3rd Edition

  6. Redundancy Planning (cont’d.) • Storage • Hard disk drives often are the first component of a system to fail • Implement RAID (Redundant Array of Independent Drives) technology • Uses multiple hard disk drives for increased reliability and performance Security Awareness, 3rd Edition

  7. Redundancy Planning (cont’d.) • Networks • Redundant network ensures that network services are always accessible • Virtually all network components can also be duplicated Security Awareness, 3rd Edition

  8. Redundancy Planning (cont’d.) • Power • Uninterruptible power supply (UPS) • Device that maintains power to equipment in the event of an interruption in the primary electrical power source • On-line • Off-line • Backup generator Security Awareness, 3rd Edition

  9. Redundancy Planning (cont’d.) • Sites • Hot site • Run by a commercial disaster recovery service • Allows a business to continue computer and network operations to maintain business continuity • Cold site • Provides office space • Customer must provide and install all the equipment needed to continue operations Security Awareness, 3rd Edition

  10. Redundancy Planning (cont’d.) • Warm site • All of the equipment installed • Does not have active Internet or telecommunications facilities • Does not have current backups of data Security Awareness, 3rd Edition

  11. Disaster Recovery Procedures • Procedures and processes for restoring an organization’s operations following a disaster • Focuses on restoring computing and technology resources to their former state • Planning • Disaster recovery plan (DRP) • Written document • Details the process for restoring computer and technology resources Security Awareness, 3rd Edition

  12. Disaster Recovery Procedures (cont’d.) Table 6-1 Sample educational DRP approach Course Technology/Cengage Learning Security Awareness, 3rd Edition

  13. Disaster Recovery Procedures (cont’d.) • Common features of DRP • Purpose and scope • Recovery team • Preparing for a disaster • Emergency procedures • Restoration procedures Security Awareness, 3rd Edition

  14. Disaster Recovery Procedures (cont’d.) Figure 6-2 Sample from a DRP Course Technology/Cengage Learning Security Awareness, 3rd Edition

  15. Disaster Recovery Procedures (cont’d.) • Disaster exercises • Test the effectiveness of the DRP • Objectives • Test the efficiency of interdepartmental planning and coordination in managing a disaster • Test current procedures of the DRP • Determine the strengths and weaknesses in disaster responses Security Awareness, 3rd Edition

  16. Disaster Recovery Procedures (cont’d.) • Enterprise data backups • Significantly different than those for a home user • Disk to disk (D2D) • Continuous data protection (CDP) Security Awareness, 3rd Edition

  17. Incident Response Procedures • What is forensics? • Forensics • Application of science to questions that are of interest to the legal profession • Computer forensics • Attempt to retrieve information that can be used in the pursuit of the attacker or criminal • Importance of computer forensics is due in part to • High amount of digital evidence • Increased scrutiny by the legal profession • Higher level of computer skill by criminals Security Awareness, 3rd Edition

  18. Incident Response Procedures (cont’d.) • Responding to a computer forensics incident • Secure the crime scene • Response team must be contacted immediately • Document physical surroundings • Take custody of computer • Interview users and document information • Preserve the evidence • First capture any volatile data • Random access memory (RAM) • Mirror image backup or bit-stream backup Security Awareness, 3rd Edition

  19. Incident Response Procedures (cont’d.) • Establish the chain of custody • Documents that the evidence was under strict control at all times • No unauthorized person was given the opportunity to corrupt the evidence • Examine the evidence • Mirror image is examined to reveal evidence • Mine and expose hidden clues • Windows page file • Slack • Metadata Security Awareness, 3rd Edition

  20. Figure 6-3 Slack Course Technology/Cengage Learning Security Awareness, 3rd Edition

  21. Security Policies • Plans and policies must be established by the organization • To ensure that people correctly use the hardware and software defenses • Organizational security policy Security Awareness, 3rd Edition

  22. What Is a Security Policy? • Document that outlines the protections that should be enacted • Functions • Communicates organization’s information security culture and acceptable information security behavior • Detail specific risks and how to address them • Help to create a security-aware organizational culture • Ensure that employee behavior is directed and monitored to ensure compliance with security requirements Security Awareness, 3rd Edition

  23. Balancing Trust and Control • Approaches to trust • Trust everyone all of the time • Trust no one at any time • Trust some people some of the time • Deciding on the level of control for a specific policy is not always clear • Not all users have positive attitudes toward security policies Security Awareness, 3rd Edition

  24. Balancing Trust and Control (cont’d.) Table 6-2 Possible negative attitudes toward security Course Technology/Cengage Learning Security Awareness, 3rd Edition

  25. Designing a Security Policy • Definition of a policy • Characteristics • Communicate a consensus of judgment • Define appropriate behavior for users. • Identify what tools and procedures are needed • Provide directives for Human Resource action in response to inappropriate behavior • May be helpful in the event that it is necessary to prosecute violators Security Awareness, 3rd Edition

  26. Designing a Security Policy (cont’d.) • Due care • Obligations imposed on owners and operators of assets • Exercise reasonable care of the assets and take necessary precautions to protect them • Care that a reasonable person would exercise under the circumstances • Examples Security Awareness, 3rd Edition

  27. Designing a Security Policy (cont’d.) • The security policy cycle • Three-phase cycle • Performing a risk management study • Asset identification • Threat identification • Vulnerability appraisal • Risk assessment • Risk mitigation • Creating a security policy based on the information from the risk management study • Reviewing the policy for compliance Security Awareness, 3rd Edition

  28. Designing a Security Policy (cont’d.) Figure 6-4 Security policy cycle Course Technology/Cengage Learning Security Awareness, 3rd Edition

  29. Types of Security Policies • Acceptable use policy (AUP) • Defines the actions users may perform while accessing systems and networking equipment • Unacceptable use may also be outlined by the AUP • Security-related human resource policy • Include statements regarding how an employee’s information technology resources will be addressed • Presented at an orientation session when the employee is hired • May contain due process statement Security Awareness, 3rd Edition

  30. Table 6-3 Types of security policies Course Technology/Cengage Learning Security Awareness, 3rd Edition

  31. Types of Security Policies (cont’d.) • Personally identifiable information (PII) policy • Outlines how the organization uses personal information it collects • Disposal and destruction policy • Addresses the disposal of resources that are considered confidential Security Awareness, 3rd Edition

  32. Types of Security Policies (cont’d.) Figure 6-5 Sample PII (privacy) policy Course Technology/Cengage Learning Security Awareness, 3rd Edition

  33. Types of Security Policies (cont’d.) • Ethics policy • Refocus attention on ethics in the enterprise • Written code of conduct • Central guide and reference for employees in support of day-to-day decision making Security Awareness, 3rd Edition

  34. Summary • Redundancy planning • Building excess capacity in order to protect against failures • Disaster recovery • Procedures and processes for restoring an organization’s operations following a disaster • Forensic science • Application of science to questions that are of interest to the legal profession Security Awareness, 3rd Edition

  35. Summary (cont’d.) • Security policy • Written document that states how an organization plans to protect the company’s information technology assets Security Awareness, 3rd Edition

More Related