Module Objectives
- What Is a Security Policy?
- Security Policy Overview
- Implementing Security Policies
- Operations Management
- Lifecycle Management
- Securing Assets
- Responses to Security Violations of Security Policies
- Types of Security Policies
- Writing Security Policies
- Role and Goals of a Security Policy
- Policy Structure
- Policy Team and STF
- Security Requirement
- Developing Guidelines
EC-Council
Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited
Module Flow
According to www.wikipedia.org, a security policy is defined as "A plan of action for tackling security issues, or a set of regulations for maintaining a certain level of security."

The main objectives of a security policy are:
- Confidentiality
- Integrity
- Availability

Benefits of a security policy:
- Provides a standard for further development
- Supports the security staff and the management
What Is a Security Policy?
- A set of objectives and rules for users and administrators
- A clarification of the prospects and values for the security of company resources against various threats and susceptibilities
- A standard document that catalogs rules for computer network access
- Determines the implementation of the policies and depicts the basic architecture of the company's security environment
Security personnel must distinguish various groups of people and systems depending upon their value and their requirements in terms of security.

Different security levels:
- Unclassified
- Shared
- Company only
- Confidential
Security Framework

[Diagram: Security Framework. Elements: Commitment, Classification, Accountability, Authority, Responsibility, Review. Roles: Security Officer, Document Manager, Policy Owner, Information System Administrator. Items: System and Issues, Fetch Information, Security Manuals and Updates.]
Maintain an outline for the management and administration of network security.

Reduce risks caused by:
- Illegal use of the system resources
- Loss of sensitive, confidential data and potential property

Differentiate the user access rights.

Provides a set of protocols to the administrator on:
- How the users work together with their systems and how those systems should be configured
- How to react when the system is attacked and when susceptibilities are found

- Protection of the organization's computing resources
- Elimination of strong legal liability from employees or third parties
- Ensuring integrity and authorized use of data processing operations
- Ensuring customers' integrity and preventing unauthorized modifications of the data
The policy team executes security engineering and security testing tasks that facilitate the launch and implementation of the security policies.

Responsibilities of the team are:
- Developing security policies and procedures
- Promoting and coordinating the implementation of security policies and procedures
- Operational responsibility for the IT infrastructure to implement all policies and procedures required to build a secure environment
- Receiving advice and counsel from the ITS, ITS Steering, ITS Technical and ITS Advisory Groups
The Security Officer is an intermediary between management and the end user. The Security Team or Task Force (STF) is responsible for the security process.

Functions of the STF:
- Define a security strategy
- Create a mission statement and project plan
- Investigate a formal accreditation program
- Define the corporate security policy
- Define system-specific policies
- Create a user awareness program
- Appoint Security Auditors

- Set up information security strategy and practice
- Create and implement employee policies in agreement with the information security policies
- Inform other business associates and service providers of their responsibility to confirm that their policies are compliant with the organization's information security policies
Implementation follows after building, revising and updating the security policy. The final version must be made available to all of the staff members in the organization. For effective implementation there must be job rotation, so that data is not handled by only a few people. A proper security awareness program, and cooperation and coordination among employees, are required.
Operations Management
- Planning and preparation for incident response
- Evaluation and measurement for process improvement
- Hiring experienced, certified people
- Test continuity of operations regularly
- SOC analysts
- Processes and procedures
- Tools, systems
- Technologies
Security of applications:
- Assess the systems
- Prioritizing
- Track and prevent
- Regular supervision
Functionalities:
- Establishing the security programs
- Assigning program management responsibilities
- Defining organization-wide IT security goals and their implementation

Components:
- Purpose
- Scope
- Goals
- Responsibilities
- Implementation
Securing Assets
- Tangible Assets: Hardware
- Digital Assets: Digital information that can be seen and mishandled
Designing the best possible security policy for the network: stakeholders of the organization must aid the security professional in steering policy development. Policy development must be devised and processed entirely by the security professional, and it should be expanded only with the stakeholders' input.
- Make sure that an incident has occurred
- Offer precise, significant and appropriate information
- Employ controls to sustain the chain of custody
- Safeguard the rights established by law and policy
- Reduce business and network services downtime
- Help legal and law enforcement bodies prosecute malicious parties
- Offer proposals to higher officials
- Recognize accurate priorities
- Review systems that impact financial management activities
- Verify that proper hardware and software have been used as per requirements
- Check for any unethical use of the resources
For the security policy to be effective, the organization should have the following agreements in place.

Agreements for all employees:
- Confidentiality Agreement
- Badge/Password Agreement
- Hardware Security Agreement
- Software License Agreement
Summary
- According to www.wikipedia.org, a security policy is defined as "A plan of action for tackling security issues, or a set of regulations for maintaining a certain level of security."
- The Security Officer is an intermediary between management and the end user.
- The Security Team or Task Force (STF) is responsible for the security process.
- The purpose of the policy is to reduce the risk caused by illegal use of the system resources and by loss of sensitive, confidential data and potential property.