Information Security Policy

Similar documents

Chapter 1 The Principles of Auditing 1

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Managing internet security

Introduction to Cyber Security / Information Security

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Security Controls What Works. Southside Virginia Community College: Security Awareness

ICANWK406A Install, configure and test network security

Information Security Program Management Standard

Law & Ethics, Policies & Guidelines, and Security Awareness

Data Security and Healthcare

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Module 1: Introduction to Designing Security

資通安全產品研發與驗證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭博仁教授 ) 景文科技大學資訊工程系

Network Security. Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ. July Network Security 08

NETWORK SECURITY GUIDELINES

IT Networking and Security

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Developing Network Security Strategies

INSIDE. Securing Network-Attached Storage Protecting NAS from viruses, intrusions, and blended threats

How to Secure Your Environment

PRINCIPLES AND PRACTICE OF INFORMATION SECURITY

Joseph Migga Kizza. A Guide to Computer Network Security. 4) Springer

Fundamentals of Network Security - Theory and Practice-

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Did you know your security solution can help with PCI compliance too?

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Basics of Internet Security

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Potential Security Vulnerabilities of a Wireless Network. Implementation in a Military Healthcare Environment. Jason Meyer. East Carolina University

INFORMATION SECURITY FOR YOUR AGENCY

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

SonicWALL PCI 1.1 Implementation Guide

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Altius IT Policy Collection Compliance and Standards Matrix

The Information Security Problem

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Information Security Law: Control of Digital Assets.

Information Security: A Perspective for Higher Education

Computer Security. Principles and Practice. Second Edition. Amp Kumar Bhattacharjee. Lawrie Brown. Mick Bauer. William Stailings

HP Security Assessment Services

The Security Organization p. 1 Anecdote p. 2. Introduction

Decrease your HMI/SCADA risk

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

How-To Guide: Cyber Security. Content Provided by

INCIDENT RESPONSE CHECKLIST

WHITE PAPER. Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Network Security Guidelines. e-governance

Network Access Security. Lesson 10

The Protection Mission a constant endeavor

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Commercial Practices in IA Testing Panel

BUY ONLINE FROM:

Payment Card Industry Data Security Standard

Security aspects of e-tailing. Chapter 7

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

INNOVATE. MSP Services Overview SVEN RADEMACHER THROUGH MOTIVATION

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

Section 12 MUST BE COMPLETED BY: 4/22

Critical Controls for Cyber Security.

How To Protect Decd Information From Harm

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Through the Security Looking Glass. Presented by Steve Meek, CISSP

White Paper. Information Security -- Network Assessment

Network Security Administrator

AUDIT REPORT WEB PORTAL SECURITY REVIEW FEBRUARY R. D. MacLEAN CITY AUDITOR

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

OCR LEVEL 3 CAMBRIDGE TECHNICAL

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

How To Secure A Remote Worker Network

IT Networking and Security

The monsters under the bed are real World Tour

Security Policy for External Customers

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

CYBER SECURITY FOR LONG TERM EVOLUTION

Deploying Firewalls Throughout Your Organization

SECURITY. Risk & Compliance Services

Solution Brief. Secure and Assured Networking for Financial Services

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

ISO Controls and Objectives

Executive Overview...4. Importance to Citizens, Businesses and Government...5. Emergency Management and Preparedness...6

How To Protect Your Network From Attack

Effective Defense in Depth Strategies

Bellevue University Cybersecurity Programs & Courses

Office of Inspector General

Network and Security Controls

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Cisco Advanced Services for Network Security

Avaya TM G700 Media Gateway Security. White Paper

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

In-House Vs. Hosted Security. 10 Reasons Why Your is More Secure in a Hosted Environment

Avaya G700 Media Gateway Security - Issue 1.0

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

Transcription:

Information Security Policy Steve R. Hutchens, CISSP EDS, Global Leader, Homeland Security

Agenda Security Architecture Threats and Vulnerabilities Design Considerations Information Security Policy Current Legislation Security Policy Benefits Questions

Definitions Threat a possible danger to a computer system Active threat alteration, not just interception, of information (ie. Changing information in transit authenticity) Passive threat interception, without alteration, of information (ie. Wire tap, eavesdropping, monitoring - confidentiality) Source: Computer Security Basics, O Reilly & Associates

Definitions Vulnerability a weakness in a computer system that may be exploited to violate system security Example: software error / function (ie. Visual Basic file execution on Microsoft e-mail message) - Configuration setting on a firewall - Undocumented features - Errors in software that permit access - Functions that are used for purposes other than intended

Security Architecture Minimize Threats to Systems Minimize Vulnerabilities / Exposures of Systems Defense in Depth Strategy People Technology Operations Layers of Security Technology Network Perimeter Communication Technology Server / Applications Technology Server / Database Technology

Security Architecture Perimeter Servers Data Network Access

Security Architecture People Security Policy Support Roles (Job function, Need to Know) Identification and Authentication Password Management Biometrics / Smartcards Digital Certificates Access Control (Read, Write, Run Apps)

Security Architecture Technology Security Policy Support Virus Protection Firewall Systems Technology Intrusion Detection Host-based Intrusion Detection Systems Network-based Intrusion Detection Systems Virtual Private Networks Encryption

Security of Connections Suppliers Headquarters Mobile Users Internet E-Commerce Providers Customers Telecommuters Business Partner

Security of Connections Suppliers Headquarters Mobile Users Internet E-Commerce Providers Customers Telecommuters Business Partner

Security Architecture Technology Network Devices (routers, switches, etc.) E-mail Servers Encryption (data & transport) Wireless LAN (secure) Demilitarized Zones

Demilitarized Zone (DMZ) Internet DMZ Router/Gateway Web Server Firewall

Security Architecture Operations Operations Procedures Disaster Recovery Planning & Testing Security Awareness Training Best-practices for Security Management Patches / Updates Maintenance Technology Refresh

Information Security Policy Defining Rules and Regulations

Policy Guidelines National Institute of Standards and Technology Industry Groups SANS Institute (SysAdmin, Audit, Network, Security) National Security Agency (NSA) for Government Systems Department / Agency Specific

Security Policy Effective Policy must Support Organizational Goals and Objectives Policy must Support Controls Necessary to Organizational Integrity: Management Controls (Risks) Operational Controls (People and Procedures) Technical Controls (Systems)

Security Policy Policy may address these issues: Duty of Loyalty Conflict of Interest Duty of Care Least Privilege Separation of Duties / Privilege Accountability Management Objectives

Types of Policy Regulatory Advisory Informative Corporate versus Departmental

Laws, Directives and Regulations Health Insurance Portability and Accountability Act (HIPAA) of 1996 Federal Information Security Management Act of 2002 (FISMA) Gramm-Leach-Bliley Act of 1999 Computer Fraud and Abuse Act Federal Privacy Act of 1974 European Union Principles on Privacy Computer Security Act of 1987 Security and Freedom Through Encryption Act Economic Espionage Act of 1996

Security Policy Benefits Policy regarding IT refresh: Old disk drives (wipe or destroy?) Desktop standards enforcement E-mail policies Warning banners Acceptable use of e-mail systems Theft of IT Assets Protection of stored information System Upgrades / Maintenance Authorized individuals Testing and Evaluation

Security Policy Benefits User Access Control Password Policy (Example) Minimum length of 8 characters Combination of numbers, letters and special characters (2day!sgr8) Force Password Change every 30 days Not a common word (Name, Date of birth, family member names, sports, etc.) Biometrics Strong Authentication Iris, Face, Finger

Security Policy Benefits Computer Crime Investigations Policy establishes what s expected of employees Policy establishes rights and privileges Computer Misuse Violations of acceptable use policy Criminal Activities Fraud Espionage Copyright violations (music, graphics) Civil activities Intellectual property violations Activist groups, many others

Thank You!