1 / 28

SECURITY POLICIES

SECURITY POLICIES. Indu Ramachandran. Outline. General idea/Importance of security policies When security policies should be developed Who should be involved in this process Cost of security policies Available resources Security policies in detail Failure of Security policies

Download Presentation

SECURITY POLICIES

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SECURITY POLICIES Indu Ramachandran

  2. Outline • General idea/Importance of security policies • When security policies should be developed • Who should be involved in this process • Cost of security policies • Available resources • Security policies in detail • Failure of Security policies • After Security policy is written

  3. About Security Policies • Increased level of threats • Organization’s attitude towards security policies • Establishing Standards • More than just “Keeping the bad guys out”! • Management and Security policy • Policies Not Procedures!!

  4. Importance of Security Policies • Establishes Standards • Provides basic guidelines • Defines appropriate behavior • Helps against being sued

  5. Aspects of Security • Traditional Ideas of Security • Revised Security aspects • Confidentiality • Protect objects from unauthorized release/use of info • Integrity • Preserve objects / avoid unauthorized modification

  6. When should Policies be developed • Ideal Scenario • Often not the case • After a Security Breach • To mitigate Liability • For document compliance • To demonstrate quality control processes • Customers/Clients requirements

  7. Who should be involved • Basically EVERYONE!!!!! • System users • System support personnel • Managers • Business lawyers

  8. Importance of Involving Management • Funding and Commitment • Leadership • Authority • Responsibility/Support

  9. Do you need Sec. Policies?? Questions to answer this question… • Do workers at your organization handle information that is confidential? • Do workers at your organization access the internet? • Does your organization have trade secrets? Custom questions to suit you!!

  10. The Security Cost Function • Cost for security • Exponential increase • Trade off between cost for security and cost of violations • Formula for calculating cost : Total cost for Violations = Cost for a single Violation X frequency of the violation

  11. GOOD NEWS!!!! You are not on your own !!! • Internet Resources • The SANS institute • NIST (National Inst. Of Stds. And Technology) • RFC • Universities

  12. Resources (cont’d) • Books • Guide for Developing Security Policies for Information Technology Systems • Information Security Policies made easy • around 1360+ security templates • used by several large organizations • Training Sessions • SANS Institute

  13. Types of security policies • Administrative Security Policy • Examples of Administrative sec policies: • Users must change password each quarter • Employees must not use dial out modems from their desktops. • Technical sec policies • Examples • Server will be configured to expire password each quarter • Accounts must initiate a lockout after four unsuccessful attempts to login

  14. What is in a security policy Three Categories First category – Parameters Section • Introduction • Audience • Definitions

  15. What is in a security policy (cont’d) The Second category • Risk assessments • When this should be done • Benefits • Who should do this • Identifying Assets • Threats to assets

  16. What is in a security policy (cont’d) The Third Category • Actual Policies Examples of policies • Physical security

  17. Examples of policies (cont’d) • Authentication • Password policy • Remote Access Policy • The Modem Issue

  18. Examples of policies (cont’d) • Acceptable Use Policy Examples of AU Policy at http://www.eff.org/pub/CAF/policies • Other Policies Examples of policies as well as their templates on the SANS website. http://www.sans.org/resources/policies/

  19. What makes a good security policy • Must be usable • Must communicate clearly • Must not impede/interfere with business • Enforceable • Update regularly • Other factors • Interests • Laws

  20. Problems with Sec. Policies • Increase in tension level • Security needs viewed differently • Too restrictive/hard to implement • Impediments productivity

  21. Conflict and Politics • Management concentrates on goals for company • Technical Personnel’s agenda So what happens??? What do you do???

  22. Information Security Management Committee • Bridge the gap • Committee Composition • Responsibilities of the committee

  23. Real world problems caused by missing policies • At A Government Agency... • At A Local Newspaper...

  24. Why Security Policies Fail • Security is a barrier to Progress • Perceived to have zero benefit • Obstacles/Impediment productivity • Security is a learned behavior • Not instinct • Value of assets • Not taken seriously

  25. Why Security Policies Fail (cont’d) • Complexity • Security work is never finished • Failure to review • Other reasons • Lack of stake holder support • Organizational Politics

  26. Compliance & Enforcement • Training • Testing and effectiveness of the policy • Monitoring • Taking Action

  27. Review The Policy • Review Committee • Good representation • Frequency of review meetings • Responsibilities • What to Review

  28. References • Barham, Scott - Writing information security policies • http://dmoz.org/Computers/Security/Policy/Sample_Policies/ • http://www.netiq.com/products/pub/ispme_realproblems.asp • http://www.sans.org/rr/policy/policy.php • http://www.networknews.co.uk/Features/1138373 • http://irm.cit.nih.gov/security/sec_policy.html • http://www.cisco.com/warp/public/126/secpol.html

More Related