SECURITY POLICIES
Indu Ramachandran
Outline
General idea/importance of security policies
When security policies should be developed
Who should be involved in this process
Cost of security policies
Available resources
Security policies in detail
Failure of security policies
After the security policy is written
About Security Policies
Increased level of threats
Organization's attitude towards security policies
Establishing standards
More than just "keeping the bad guys out"!
Management and security policy
Policies, not procedures!!
Importance of Security Policies
Establishes standards
Provides basic guidelines
Defines appropriate behavior
Helps against being sued
Aspects of Security
Traditional ideas of security
Revised security aspects
Confidentiality: protect objects from unauthorized release/use of information
Integrity: preserve objects / avoid unauthorized modification
When should Policies be developed
Ideal scenario
Often not the case
After a security breach
To mitigate liability
For documented compliance
To demonstrate quality control processes
Customers'/clients' requirements
Who should be involved
Basically EVERYONE!!!!!
System users
System support personnel
Managers
Business lawyers
Importance of Involving Management
Funding and Commitment
Leadership
Authority
Responsibility/Support
Do you need Security Policies??
Questions to answer this question…
Do workers at your organization handle information that is confidential?
Do workers at your organization access the internet?
Does your organization have trade secrets?
Custom questions to suit you!!
The Security Cost Function
Cost for security: exponential increase
Trade-off between cost for security and cost of violations
Formula for calculating cost:
Total cost for violations = cost for a single violation × frequency of the violation
GOOD NEWS!!!! You are not on your own!!!
Internet resources
The SANS Institute
NIST (National Institute of Standards and Technology)
RFCs
Universities
Resources (cont'd)
Books
Guide for Developing Security Policies for Information Technology Systems
Information Security Policies Made Easy: around 1360+ security policy templates used by several large organizations
Training sessions: SANS Institute
Types of security policies
Administrative security policy
Examples of administrative security policies:
Users must change their password each quarter
Employees must not use dial-out modems from their desktops.
Technical security policies
Examples:
Server will be configured to expire passwords each quarter
Accounts must initiate a lockout after four unsuccessful attempts to log in
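The difference between an administrative policy and a technical one is that the technical policy is something a system can enforce on its own. The following is an added illustration, not code from the presentation: a small login service that enforces the two technical policies listed above, locking an account on the fourth failed attempt and refusing logins once the password is older than a quarter (assumed here to be 90 days). The PBKDF2 iteration count, the account names and the fixed clock are constructed values for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Parameters taken from the technical policies on the slide.
MAX_FAILED_ATTEMPTS = 4                 # lock out after four unsuccessful attempts
PASSWORD_MAX_AGE = timedelta(days=90)   # "each quarter", assumed to mean 90 days


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumed example value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


class LoginService:
    """Enforces the lockout and password-expiry policies on every login."""

    def __init__(self, accounts, clock):
        self.accounts = {a.username: a for a in accounts}
        self.clock = clock          # injected so the example is deterministic
        self.audit_log = []         # (timestamp, username, event) tuples for monitoring

    def _log(self, username, event):
        self.audit_log.append((self.clock().isoformat(), username, event))

    def login(self, username: str, password: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            self._log(username, "unknown-user")
            return "denied"
        if acct.locked:
            # A locked account is refused even with the right password;
            # only an administrator can unlock it.
            self._log(username, "locked")
            return "locked"
        candidate = hash_password(password, acct.salt)
        if not hmac.compare_digest(candidate, acct.password_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                self._log(username, "lockout")
                return "locked"
            self._log(username, "bad-password")
            return "denied"
        acct.failed_attempts = 0        # a successful login resets the counter
        if self.clock() - acct.password_set_at > PASSWORD_MAX_AGE:
            self._log(username, "password-expired")
            return "expired"
        self._log(username, "ok")
        return "ok"

    def unlock(self, username: str) -> None:
        acct = self.accounts[username]
        acct.locked = False
        acct.failed_attempts = 0
        self._log(username, "unlocked")


def make_account(username, password, set_at):
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), set_at)


def demo():
    """Constructed scenario; returns the list of login outcomes in order."""
    now = datetime(2024, 4, 1)
    alice = make_account("alice", "correct horse", now - timedelta(days=10))
    bob = make_account("bob", "battery staple", now - timedelta(days=120))  # stale password
    svc = LoginService([alice, bob], clock=lambda: now)
    results = []
    for _ in range(3):
        results.append(svc.login("alice", "wrong"))      # three failures: denied
    results.append(svc.login("alice", "wrong"))          # fourth failure: locked
    results.append(svc.login("alice", "correct horse"))  # still locked
    svc.unlock("alice")
    results.append(svc.login("alice", "correct horse"))  # ok
    results.append(svc.login("bob", "battery staple"))   # right password, but expired
    return results


if __name__ == "__main__":
    print(demo())
```

The audit log is what the "Monitoring" and "Taking Action" steps later in the presentation would consume: every lockout and expired-password event is recorded with a timestamp, so the policy's effect can be reviewed rather than assumed.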
What is in a security policy
Three categories
First category – Parameters section
Introduction
Audience
Definitions
What is in a security policy (cont'd)
The second category: Risk assessments
When this should be done
Benefits
Who should do this
Identifying assets
Threats to assets
What is in a security policy (cont'd)
The third category: Actual policies
Examples of policies
Physical security
Examples of policies (cont’d)
Authentication
Password policy
Remote Access Policy
The modem issue
Examples of policies (cont'd)
Acceptable Use Policy
Examples of AU policies at http://www.eff.org/pub/CAF/policies
Other policies
Examples of policies as well as their templates on the SANS website: http://www.sans.org/resources/policies/
What makes a good security policy
Must be usable
Must communicate clearly
Must not impede/interfere with business
Enforceable
Updated regularly
Other factors: interests, laws
Problems with Security Policies
Increase in tension level
Security needs viewed differently
Too restrictive/hard to implement
Impedes productivity
Conflict and Politics
Management concentrates on goals for the company
Technical personnel's agenda
So what happens???
What do you do???
Information Security Management Committee
Bridge the gap
Committee Composition
Responsibilities of the committee
Real world problems caused by missing policies
At A Government Agency...
At A Local Newspaper...
Why Security Policies Fail
Security is seen as a barrier to progress
Perceived to have zero benefit
Obstacle/impediment to productivity
Security is a learned behavior, not instinct
Value of assets not taken seriously
Why Security Policies Fail (cont'd)
Complexity
Security work is never finished
Failure to review
Other reasons
Lack of stakeholder support
Organizational politics
Compliance & Enforcement
Training
Testing and effectiveness of the policy
Monitoring
Taking Action
Review the Policy
Review committee
Good representation
Frequency of review meetings
Responsibilities
What to review
References
Barman, Scott - Writing Information Security Policies
http://dmoz.org/Computers/Security/Policy/Sample_Policies/
http://www.netiq.com/products/pub/ispme_realproblems.asp
http://www.sans.org/rr/policy/policy.php
http://www.networknews.co.uk/Features/1138373
http://irm.cit.nih.gov/security/sec_policy.html
http://www.cisco.com/warp/public/126/secpol.html