Guide to Network Defense and Countermeasures Second Edition Chapter 3 Security Policy...
Posted 19-Dec-2015
Guide to Network Defense and Countermeasures, Second Edition 2
Objectives
• Explain best practices in security policies
• Formulate a security policy and identify security policy categories
• Explain the importance of ongoing risk analysis and define incident-handling procedures
What Makes a Good Security Policy?
• Benefits of a security policy
  – Provides a foundation for an organization’s overall security stance
  – Gives employees guidelines on how to handle sensitive information
  – Gives IT staff instructions on what defensive systems to configure
  – Reduces the risk of legal liability
• A good security policy is comprehensive and flexible
  – It is not a single document but a group of documents
General Security Policy Best Practices
• Basic concepts
  – If it is too complex, nobody will follow it
  – If it affects productivity negatively, it will fail
  – It should state clearly what can and cannot be done on company equipment
  – Include generalized clauses
  – People need to know why a policy is important
  – Involve representatives of all departments
  – It should contain clauses stating the specific consequences for violating the policy
General Security Policy Best Practices (continued)
• Basic concepts (continued)
  – Needs support from the highest level of the company
  – Employees must sign a document acknowledging the policy
    • And agreement to abide by it
  – Keep it updated with current technologies
  – Policy directives must be consistent with applicable laws
General Security Policy Best Practices (continued)
• Considering cyber risk insurance
  – Insurance policy that protects against losses to information assets
  – Insurance and security policies are related
    • Many answers to insurance application questions come directly from the security policy
    • It could even earn your company a break on rates
General Security Policy Best Practices (continued)
• Developing security policies from risk assessment
  – Steps
    • Identify what needs to be protected
    • Define the threats faced by the network
    • Define the probability of those threats and their consequences
    • Propose safeguards and define how to respond to incidents
  – Penalties for violating the policy are stated prominently near the top
  – Policy effectiveness must be monitored
General Security Policy Best Practices (continued)
• Teaching employees about acceptable use
  – The issue of trust is an integral part of a security policy
  – Policy should define who to trust
    • And what level of trust should be placed in them
  – Seek a balance between trust and issuing orders
General Security Policy Best Practices (continued)
• Outlining penalties for violations
  – Policy should state what to do and not to do
  – Policy should also contain guidelines for the penalty process
  – Establish flexible methods of punishment
    • Can be applied at management’s discretion
General Security Policy Best Practices (continued)
• Criminal computer offenses
  – Policy violations can become criminal offenses
  – Subpoena
    • Order issued by a court demanding that a person appear in court or produce some form of evidence
  – Search warrant
    • Similar to a subpoena
    • Compels you to cooperate with law enforcement officers conducting an investigation
  – Due process
    • Constitutional guarantee to a fair and impartial trial
General Security Policy Best Practices (continued)
• Enabling management to set priorities
  – Policy provides a way to identify the most important security priorities
  – Policy lists network resources that managers find most valuable in the organization
General Security Policy Best Practices (continued)
• Helping network administrators do their jobs
  – Policy spells out mundane but important information
  – Privileged access policy
    • Policy that covers network administrators
    • Specifies whether they are allowed to
      – Run network-scanning tools
      – Run password-checking software
      – Have root or domain administrator access
General Security Policy Best Practices (continued)
• Using security policies to conduct risk analysis
  – Design and implement a security policy
  – Monitor your network behavior
    • Response time
    • Traffic signatures
  – Use this information in further rounds of risk analysis
  – Conduct a risk analysis after a major change occurs
Formulating a Security Policy
• Start by analyzing the level of risk to the organization’s assets
• Identify safeguards to protect the assets
• Identify potential need for cyber risk insurance
Seven Steps to Creating a Security Policy
• Steps
  – Call for the formation of a group that meets to formulate the security policy
  – Determine whether the overall approach to security should be restrictive or permissive
  – Identify the assets you need to protect
  – Determine what needs to be logged and/or audited
  – List the security risks that need to be addressed
  – Define acceptable use of the Internet, office computers, passwords, and other network resources
  – Create the policy
Components of Security Policies
• Acceptable use policy
  – Establishes what is acceptable use of company resources
  – Usually stated at the beginning of a security policy
  – Security user awareness program
    • Gets employees involved and excited about the policy
    • Explains how the policy benefits the employees
Components of Security Policies (continued)
• Violations and penalties
  – Specifies what constitutes a violation
    • And how violations are dealt with
  – Can help a company avoid legal problems
Components of Security Policies (continued)
• User accounts and password protection
  – Guides how user accounts are to be used
  – Passwords represent a first line of defense
Components of Security Policies (continued)
• Remote access policy
  – Spells out the use of role-based authentication
    • Gives users limited access based on their roles and what resources a role is allowed to use
  – Virtual Private Networks (VPNs)
    • VPNs create a tunnel to transport information through public communications media
    • Data are kept safe by the use of tunneling protocols and encryption
Components of Security Policies (continued)
• Secure use of the Internet and e-mail
  – Covers how employees can access and use the Internet and e-mail
    • Prohibits broadcasting any e-mail messages
    • Spells out whether users are allowed to download software or streaming media from the Internet
    • Blocks any objectionable Web sites
Components of Security Policies (continued)
• LAN security policy
  – Protects information that is processed, stored, and transmitted on the LAN
    • And the LAN itself
Components of Security Policies (continued)
• LAN security policy (continued)
  – Should describe the following
    • Applicability
    • Evaluations
    • Responsibilities
    • Commitment
  – Can include the following employees
    • Functional managers
    • Users
    • Local administrators
    • End users
Conducting Ongoing Risk Analysis
• Re-evaluate the organization’s security policy on an ongoing basis
  – Decide on a routine reassessment of the risk to the company and its assets
Conducting Routine Security Reviews
• Security policies can specify how often risk analyses should be conducted
  – Identifying the people who conduct the analysis
  – Describing the circumstances for a new risk analysis
• Policy should be flexible enough to allow “emergency” reassessments as needed
Working with Management
• Managers usually think in terms of ROI
  – They should consider these other factors:
    • How much information systems and data are worth
    • Possible threats they have already encountered and will encounter
    • Chances security threats will result in real losses
Working with Management (continued)
• Some business activities affected by intrusions:
  – Costs related to financial loss and disruption
  – Personnel safety and personnel information
  – Legal and regulatory obligations
  – Commercial and economic interests
Working with Management (continued)
• Dealing with the approval process
  – Developing a security policy can take several weeks or several months
    • Take the time to do it right and cover all bases
  – Policy needs to be reviewed and approved by upper management
    • You might encounter resistance
    • A security user awareness program can help
Working with Management (continued)
• Feeding security information to the security policy team
  – Inform them of any change to the organization’s security configuration
Responding to Security Incidents
• Escalation procedures
  – Levels of escalation
    • Level One incidents – least severe
      – Managed within one working day
      – Requires notifying only the on-duty security analyst
    • Level Two incidents – moderate seriousness
      – Managed the same day
      – Requires notifying the security architect
    • Level Three incidents – most serious
      – Managed immediately
      – Requires notifying the chief security officer
Responding to Security Incidents (continued)
• Incident handling
  – Incident examples
    • Loss of passwords – Level One incident
    • Burglary or other illegal building access – Level Two incident
    • Property loss or theft – Level Two or Level Three incident
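The escalation levels and the incident examples on the two preceding slides can be encoded so that incident-tracking tooling applies the policy consistently instead of relying on memory. The helper below is an added example, not code from the textbook: it maps the slide's example incident kinds to a level, looks up who must be notified, and turns the wording "one working day", "same day" and "immediately" into a concrete deadline. The slide leaves "property loss or theft" as Level Two or Level Three; the sensitive_data flag used here to pick between them is a hypothetical criterion for the example, and the timestamps are constructed.

```python
"""Triage helper encoding the slide's escalation levels and incident examples.
Added example; the textbook gives only the table, not this code."""
from datetime import datetime, timedelta

# Escalation table as stated on the slide: level -> (deadline wording, who to notify)
ESCALATION = {
    1: ("within one working day", "on-duty security analyst"),
    2: ("same day", "security architect"),
    3: ("immediately", "chief security officer"),
}


def classify(kind: str, sensitive_data: bool = False) -> int:
    """Map one of the slide's example incident kinds to an escalation level (1-3).

    The sensitive_data flag is a hypothetical tie-breaker for "property loss or
    theft", which the slide rates as Level Two or Level Three.
    """
    kind = kind.strip().lower()
    if kind == "loss of passwords":
        return 1
    if kind == "burglary or other illegal building access":
        return 2
    if kind == "property loss or theft":
        return 3 if sensitive_data else 2
    raise ValueError(f"no escalation rule for incident kind: {kind!r}")


def next_working_day(moment: datetime) -> datetime:
    """One working day after `moment`, skipping Saturday and Sunday.
    No holiday calendar is consulted; extend this if the policy needs one."""
    due = moment + timedelta(days=1)
    while due.weekday() >= 5:      # 5 = Saturday, 6 = Sunday
        due += timedelta(days=1)
    return due


def handling_deadline(level: int, reported_at: datetime) -> datetime:
    """Turn the slide's deadline wording into a timestamp."""
    if level == 3:                 # "managed immediately"
        return reported_at
    if level == 2:                 # "managed the same day"
        return reported_at.replace(hour=23, minute=59, second=59, microsecond=0)
    if level == 1:                 # "managed within one working day"
        return next_working_day(reported_at)
    raise ValueError(f"unknown escalation level {level}")


def triage(kind: str, reported_at: datetime, sensitive_data: bool = False) -> dict:
    """Return the level, the role to notify and the deadline for an incident report."""
    level = classify(kind, sensitive_data)
    wording, notify = ESCALATION[level]
    return {
        "level": level,
        "notify": notify,
        "deadline_wording": wording,
        "deadline": handling_deadline(level, reported_at),
    }


if __name__ == "__main__":
    # Constructed sample: a report filed on Friday 15 March 2024 at 10:00.
    reported = datetime(2024, 3, 15, 10, 0)
    for kind in ("loss of passwords",
                 "burglary or other illegal building access",
                 "property loss or theft"):
        print(kind, "->", triage(kind, reported))
```

A Level One report filed on a Friday morning therefore falls due on the following Monday, not on Saturday, which is the kind of detail a written "one working day" clause leaves to interpretation and a ticketing system should not.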
Updating the Security Policy
• Update your policy
  – Based on the security incidents reported
• Any changes to the policy should be broadcast to the entire staff
  – By e-mail or by posting the changes on the intranet
• Security policy should result in actual physical changes to the organization’s security configuration
  – New hardware or software that makes security tasks easier
    • Better protection means fewer internal or external incidents
Summary
• Benefits of a security policy are wide ranging
• Security policy protects a company’s overall security
  – States what rights employees have and how they should handle company resources
• Cyber risk insurance is becoming necessary for businesses
• Good security policy
  – Based on risk assessment
  – Covers acceptable use of system resources
  – Sets priorities for the most critical resources
Summary (continued)
• Legal liabilities should be covered in a security policy
• Incidents can become legal offenses
  – Understand your legal obligations
• Security policy comprises a series of several specific policies
  – Seven steps in creating a policy
• Must present the proposal to management and gain approval
  – Involves explaining the expected ROI and other costs