
Network Security Administrator

Module III: Security Policy

Module Objectives
- Security Policy Overview
- What Is a Security Policy?
- What Defines a Good Security Policy?
- Classification System
- Security Framework
- Vital Role and Goals of a Security Policy
- Security Policy Structure
- Developing Policy Team and STF
- Developing Security Policies and Guidelines
- Implementing Security Policies
- Security Operations Management
- Security Lifecycle Management
- Types of Security Policies
- Security Assets
- Writing a Security Policy
- Responses to Security Violations
- Requirement for the Effective Security Policy
EC-Council
Copyright by EC-Council All Rights reserved. Reproduction is strictly prohibited

Module Flow

Overview and Definition of Security Policy

Purpose and Goal of Security Policy

Developing Policy Team and STF

Security Policy Structure

Developing Security Policy and Guidelines

Implementing Security Policies

Security Lifecycle Management

Security Operations Management

Types of Security Policy and Assets

Requirement for the Effective Security Policy



Security Policy Overview


- According to www.wikipedia.org, security policy is defined as: A plan of action for tackling security issues, or a set of regulations for maintaining a certain level of security
- Main objectives of security policy are:
  - Confidentiality
  - Integrity
  - Availability
- Benefits of Security Policy:
  - Provides standard for further development
  - Supports the security staff of the management


What is a Security Policy?


- Set of objectives and rules for users and administrators
- Clarification of the prospects and values for the security of company resources from various threats and susceptibilities
- Standard document that catalogs rules for computer network access
- Determines the implementation of the policies and depicts the basic architecture of the company security environment


What Defines a Good Security Policy?


- Clear communication
- Brief and clear information
- Defined scope and applicability
- Enforceable by law
- Recognizes areas of responsibility
- Sufficient guidance
- Top management involvement

Classification Systems, Security Levels


- Security personnel must distinguish various groups of people and systems according to their value and security requirements
- Different security levels:
  - Unclassified
  - Shared
  - Company only
  - Confidential

Security Framework
[Figure: security framework diagram. Labels: Commitment, Responsibility, Review, Classification, Security Officer, Accountability, Document Manager, System and Issues, Authority, Policy Owner, Fetch Information, System Administrator, Security Manuals and Updates]


Purpose of the Policies


- Maintain an outline for the management and administration of network security
- Reduce risks caused by:
  - Illegal use of the system resource
  - Loss of sensitive, confidential data and potential property
- Differentiate the user access rights


Vital Role of a Security Policy


- Provides a set of protocols to the administrator on:
  - How the users work together with their systems and how those systems should be configured
  - How to react when the system is attacked and when susceptibilities are found
- Suggests the safety measures to be followed in an organization


Goals of Security Policies


- Protection of the organization's computing resources
- Elimination of strong legal liability from employees or third parties
- Ensuring integrity and authorized use of data processing operations
- Ensuring customers' integrity and preventing unauthorized modifications of the data

Security Policy Structure


- Guidelines should cover the following points as policy structure:
  - Detailed description of the policy issues
  - Description about the status of the policy
  - Applicability of the policy to the environment
  - Functionalities of those affected by the policy
  - Compatibility level to the policy is necessary
  - End-consequences of non-compliance


Developing Policy Team


- Policy team executes security engineering and security testing tasks that facilitate the launch and implementation of the security policies
- Responsibilities of the team are:
  - Developing security policies and procedures
  - Promoting and coordinating the implementation of security policies and procedures
  - Operational responsibility for IT infrastructure to implement all policies and procedures required to build a secure environment
  - Receive advice and counsel from the ITS, ITS Steering, ITS Technical and ITS Advisory Groups


Security Task Force


- Security Officer is an intermediary between management and the end user
- Security Team or Task Force (STF) is responsible for the security process
- Functions of the STF:
  - Define a security strategy
  - Create a mission statement and project plan
  - Investigate formal accreditation program
  - Define the corporate security policy
  - Define system specific policies
  - Create a user awareness program
  - Appointment of Security Auditors


Developing Security Policies


- Points to be considered while developing security policy:
  - Recognize the roles of clients and organizations
  - Identify main objectives of business
  - Determine who needs access to external resources
  - Employ a responsible person for the enforcement of the security policy
  - Develop a profile of possible threats
  - Identify critical services and medium of data transfer


Developing Security Policy Guidelines


- Set up information security strategy and practice
- Create and implement employee policies in agreement with the information security policies
- Inform other business associates and service providers of their responsibility to confirm that the policies are compliant with the organization's information security policies

Implementing Security Policies


- Implementation follows after building, revision and updating of the security policy
- Final version must be made available to all of the staff members in the organization
- For effective implementation there must be job rotation, so that data is not handled by only a few people
- Proper security awareness program, cooperation and coordination among employees is required


Security Operations Management


- Documentation and Verification of Processes
  - Standardization of terms
  - Including troubleshooting and investigating processes
  - Establishment of discipline to keep track of processes
- Maintenance of Infrastructure Information
  - System should configure required terms:
    - Device name
    - IP addresses
    - License keys
    - Configuration elements
    - Vendor support information
- Establishment of SLA with Clients



Security Operations Management


- Planning and preparation for incident response
- Evaluation and measurement for process improvement
- Hiring experienced, certified people
- Test continuity of operations regularly
  - SOC analysts
  - Processes and procedures
  - Tools, systems
  - Technologies
- Maintenance of vendor support contracts
- Leverage analysis tools



Security Lifecycle Management


- Increased challenges to security
  - Influence of mobile computing growth
  - Open network access
  - Regulation of privacy
- Security of applications
  - Assess the systems
  - Prioritizing
  - Track and prevent
  - Regular supervision
- Automating the Security Life Cycle


Types of Security Policies - Program Level Policies


- Functionalities:
  - Establishing the security programs
  - Assigning program management responsibilities
  - Defining organization wide IT security goals and their implementation
- Components:
  - Purpose
  - Scope
  - Goals
  - Responsibilities
  - Implementation


Types of Security Policies - Issue Specific Policies


- Issue specific policies recognize specific areas of concern and describe the organization's status top level management
- Involves revision and upgrading of policies from time to time, as changes in technology and related activities take place frequently
- Components:
  - Statement of an Issue
  - Statement of the Organization's Position
  - Applicability
  - Roles and Responsibilities
  - Points of Contact
  - Physical Security
  - Personnel Security
  - Communications Security
  - Administrative Security
  - Risk Management
  - System Management

Securing Assets
- Tangible Assets
  - Hardware
- Digital Assets
  - Digital information that can be seen and mishandled
- Network Assets
  - Routers
  - Cables
  - Bastion Hosts
  - Firewall
- System Assets
  - Server
  - Software and Applications



Points to Remember While Writing a Security Policy


- Designing the best possible Security Policy for the network
- Stakeholders of the organization must aid the security professional in steering policy development
- Policy development must be devised and processed entirely by the security professional, and expanded only with the stakeholders' input


Defining Responses to Security Violations


- Make sure that an incident has occurred
- Offer precise, significant and appropriate information
- Employ controls to sustain chain of custody
- Safeguard particular rights established by law and policy
- Reduce business and network services downtime
- Facilitate legal and law enforcement efforts to arraign malicious parties
- Offer proposals to higher officials
- Recognize accurate priorities


Presenting and Reviewing the Process


- Developed products incorporate security features by considering the user requirements
- Evaluate baseline assessment performance measures
- Review cost goals of each major investment
- Review systems that impact financial management activities
- Proper hardware and software have been used as per requirements
- Any unethical use of the sources must be checked


Requirements for the Effective Security Policy


- For the security policy to be effective, the following agreements should be filled by the organization:
  - Agreements for All Employees:
    - Confidentiality Agreement
    - Badge/Password Agreement
    - Hardware Security Agreement
    - Software License Agreement
  - Agreements Specific to Information Security Employees:
    - Security Agreement
    - E-Mail Postmaster Agreement
    - Network Administrator Agreement

Summary
- According to www.wikipedia.org, security policy is defined as: A plan of action for tackling security issues, or a set of regulations for maintaining a certain level of security
- Security Officer is an intermediary between management and the end user
- Security Team or Task Force (STF) is responsible for the security process
- The purpose of the policy is to reduce the risk caused by:
  - Illegal use of the system resource
  - Loss of sensitive, confidential data and potential property
