security+ guide to network security fundamentals, third edition chapter 14 security policies and...
Post on 17-Dec-2015
221 Views
Preview:
TRANSCRIPT
Security+ Guide to Network Security Fundamentals, Third
Edition
Chapter 14Security Policies and Training
Security+ Guide to Network Security Fundamentals, Third Edition
Objectives
• Define organizational security policy
• List the types of security policies
• Describe how education and training can limit the impact of social engineering
2
Security+ Guide to Network Security Fundamentals, Third Edition
Organizational Security Policies
• Plans and policies must be established by the organization– To ensure that users correctly implement the hardware
and software defenses
• One of the key policies is an organizational security policy
3
Security+ Guide to Network Security Fundamentals, Third Edition
What Is a Security Policy?
• Security policy– A written document that states how an organization
plans to protect the company’s information technology assets
• An organization’s information security policy can serve several functions:– It can be an overall intention and direction– It details specific risks and how to address them– It can create a security-aware organizational culture– It can help to ensure that employee behavior is
directed and monitored4
Security+ Guide to Network Security Fundamentals, Third Edition
Balancing Trust and Control
• An effective security policy must carefully balance two key elements: trust and control
• Three approaches to trust:– Trust everyone all of the time– Trust no one at any time– Trust some people some of the time
• Deciding on the level of control for a specific policy is not always clear– The security needs and the culture of the organization
play a major role when deciding what level of control is appropriate
5
Security+ Guide to Network Security Fundamentals, Third Edition 6
Balancing Trust and Control (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
Designing a Security Policy
• Definition of a policy– Standard
• A collection of requirements specific to the system or procedure that must be met by everyone
– Guideline• A collection of suggestions that should be implemented
– Policy• Document that outlines specific requirements or rules
that must be met
7
Security+ Guide to Network Security Fundamentals, Third Edition
Designing a Security Policy (continued)
• A policy generally has these characteristics:– Policies communicate a consensus of judgment– Policies define appropriate behavior for users– Policies identify what tools and procedures are
needed– Policies provide directives for Human Resource action
in response to inappropriate behavior– Policies may be helpful in the event that it is
necessary to prosecute violators
8
Security+ Guide to Network Security Fundamentals, Third Edition
Designing a Security Policy (continued)
• The security policy cycle– The first phase involves a risk management study
• Asset identification
• Threat identification
• Vulnerability appraisal
• Risk assessment
• Risk mitigation
– The second phase of the security policy cycle is to use the information from the risk management study to create the policy
– The final phase is to review the policy for compliance9
Security+ Guide to Network Security Fundamentals, Third Edition 10
Designing a Security Policy (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
Designing a Security Policy (continued)
• Steps in development– When designing a security policy many organizations
follow a standard set of principles– It is advisable that the design of a security policy
should be the work of a team– The team should first decide on the scope and goals
of the policy– Statements regarding due care are often included
• The obligations that are imposed on owners and operators of assets to exercise reasonable care of the assets and take necessary precautions to protect them
11
Security+ Guide to Network Security Fundamentals, Third Edition 12
Designing a Security Policy (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
Designing a Security Policy (continued)
• Many organizations also follow these guidelines while developing a policy:– Notify users in advance that a new security policy is
being developed and explain why the policy is needed– Provide a sample of people affected by the policy with
an opportunity to review and comment on the policy– Prior to deployment, give all users at least two weeks
to review and comment– Allow users the authority to carry out their
responsibilities in a given policy
13
Security+ Guide to Network Security Fundamentals, Third Edition
Types of Security Policies
• The term security policy becomes an umbrella term for all of the subpolicies included within it
14
Security+ Guide to Network Security Fundamentals, Third Edition 15
Security+ Guide to Network Security Fundamentals, Third Edition
Types of Security Policies (continued)
• Most organizations have security policies that address:– Acceptable use– Security-related human resources– Password management and complexity– Personally identifiable information– Disposal and destruction– Service level agreements– Classification of information– Change management– Ethics
16
Security+ Guide to Network Security Fundamentals, Third Edition
Acceptable Use Policy (AUP)
• Acceptable use policy (AUP)– Defines the actions users may perform while
accessing systems and networking equipment– May have an overview regarding what is covered by
this policy
• The AUP usually provides explicit prohibitions regarding security and proprietary information
• Unacceptable use may also be outlined by the AUP
• Acceptable use policies are generally considered to be the most important information security policies
17
Security+ Guide to Network Security Fundamentals, Third Edition
Security-Related Human Resource Policy
• Security-related human resource policy– A policy that addresses security as it relates to human
resources– Includes statements regarding how an employee’s
information technology resources will be addressed
• Due process– The principle of treating all accused persons in an
equal fashion, using established rules and principles
• Due diligence– Any investigation into suspicious employee conduct
will examine all material facts18
Security+ Guide to Network Security Fundamentals, Third Edition
Password Management and Complexity Policy
• Password management and complexity policy– Can clearly address how passwords are created and
managed
• The policy should also specify what makes up a strong password
19
Security+ Guide to Network Security Fundamentals, Third Edition 20
Password Management and Complexity Policy (continued)
Security+ Guide to Network Security Fundamentals, Third Edition 21
Password Management and Complexity Policy (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
Personally Identifiable Information (PII) Policy
• Personally identifiable information (PII) policy– Outlines how the organization uses personal
information it collects
22
Security+ Guide to Network Security Fundamentals, Third Edition 23
Personally Identifiable Information (PII) Policy (continued)
Security+ Guide to Network Security Fundamentals, Third Edition
Disposal and Destruction Policy
• Disposal and destruction policy– Addresses the disposal of resources that are
considered confidential– Often covers how long records and data will be
retained– Involves how to dispose of equipment
24
Security+ Guide to Network Security Fundamentals, Third Edition
Service Level Agreement (SLA) Policy
• Service level agreement (SLA)– A service contract between a vendor and a client that
specifies what services will be provided, the responsibilities of each party, and any guarantees of service
• Service level agreement (SLA) policy– An organizational policy that governs the conditions to
be contained in an SLA
• Many SLA policies contain tiers of service
25
Security+ Guide to Network Security Fundamentals, Third Edition 26
Service Level Agreement (SLA) Policy (continued)
Classification of Information Policy
• Classification of information policy– Designed to produce a standardized framework for
classifying information assets
• Generally, this involves creating classification categories such as high, medium, or low– And then assigning information into these categories
Security+ Guide to Network Security Fundamentals 27
Security+ Guide to Network Security Fundamentals, Third Edition
Change Management Policy
• Change management– Refers to a methodology for making changes and
keeping track of those changes, often manually– Seeks to approach changes systematically and
provide documentation of the changes
• Change management policy– Outlines how an organization will manage changes in
a “rational and predictable” manner so employees and clients can plan accordingly
28
Security+ Guide to Network Security Fundamentals, Third Edition
Ethics Policy
• Values– A person’s fundamental beliefs and principles used to
define what is good, right, and just
• Morals– Values that are attributed to a system of beliefs that
help the individual distinguish right from wrong
• Ethics– The study of what a group of people understand to be
good and right behavior and how people make those judgments
29
Security+ Guide to Network Security Fundamentals, Third Edition
Ethics Policy (continued)
• Ethics policy– A written code of conduct intended to be a central
guide and reference for employees in support of day-to-day decision making
– Intended to clarify an organization’s mission, values, and principles, and link them with standards of professional conduct
30
Security+ Guide to Network Security Fundamentals, Third Edition
Education and Training
• Education and training involve understanding the importance of organizational training– And how it can be used to reduce risks, such as
social engineering
31
Security+ Guide to Network Security Fundamentals, Third Edition
Organizational Training
• All computer users in an organization share a responsibility to protect the assets of that organization– Users need training in the importance of securing
information, the roles that they play in security, and the steps they need to take to ward off attacks
• All users need:– Continuous training in the new security defenses– To be reminded of company security policies and
procedures
32
Security+ Guide to Network Security Fundamentals, Third Edition
Organizational Training (continued)
• One of the challenges of organizational education and training is to understand the traits of learners
33
Security+ Guide to Network Security Fundamentals, Third Edition
Organizational Training (continued)
• Training style also impacts how people learn
• Most people are taught using a pedagogical approach– However, for adult learners, an andragogical
approach is often preferred
• There are different learning styles– Visual learners– Auditory learners– Kinesthetic
34
Security+ Guide to Network Security Fundamentals, Third Edition
Reducing Risks of Social Engineering
• Social engineering– Relies on tricking and deceiving someone to provide
secure information
• Phishing– One of the most common forms of social engineering– Involves sending an e-mail or displaying a Web
announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information
– Both the e-mails and the fake Web sites appear to be legitimate
35
Security+ Guide to Network Security Fundamentals, Third Edition 36
Security+ Guide to Network Security Fundamentals, Third Edition
Reducing Risks of Social Engineering (continued)
• Variations on phishing attacks:– Spear phishing– Pharming– Google phishing
• Ways to recognize phishing messages include:– Deceptive Web links– E-mails that look like Web sites– Fake sender’s address– Generic greeting– Pop-up boxes and attachments
37
Security+ Guide to Network Security Fundamentals, Third Edition
Reducing Risks of Social Engineering (continued)
• Ways to recognize phishing messages include: (continued)– Unsafe Web sites– Urgent request
• Some organizations have turned to creating regular reminders to users regarding phishing attacks
38
Security+ Guide to Network Security Fundamentals, Third Edition 39
Security+ Guide to Network Security Fundamentals, Third Edition
Reducing Risks of Social Engineering (continued)
• Dumpster diving– Involves digging through trash receptacles to find
computer manuals, printouts, or password lists that have been thrown away
• Shoulder surfing– Watching an individual enter a security code or
password on a keypad
• Computer hoax– An e-mail message containing a false warning to the
recipient of a malicious entity circulating through the Internet
40
Security+ Guide to Network Security Fundamentals, Third Edition
Summary
• A security policy is a written document that states how an organization plans to protect the company’s information technology assets
• A standard is a collection of requirements specific to the system or procedure that must be met by everyone, while a guideline is a collection of suggestions that should be implemented
• A policy is a document that outlines specific requirements or rules that must be met, and is the correct means to be used for establishing security
41
Security+ Guide to Network Security Fundamentals, Third Edition
Summary (continued)
• Because a security policy is so comprehensive and often detailed, most organizations choose to break the security policy down into smaller “subpolicies”
• A personally identifiable information (PII) policy outlines how the organization uses information it collects
• To provide users with the knowledge and skills necessary to support information security, users need to receive ongoing training
• Social engineering relies on tricking and deceiving someone to provide secure information
42
top related