Untitled
a guest
Feb 17th, 2017
CN5210
Tutorial 15
Review

• What are the information security challenges?
Inconsistent enforcement of policies - Many organizations either have not enforced their policies in the past or have not done so consistently.
IT does not know and control all devices - Use of personal mobile devices in the workplace. What happens when you need to audit such a device?
Blurring of internal versus external - The perimeter of the network has been pushed out by extranets, partners and employee VPNs.
Covert attacks are no longer obvious - Typical attacks such as viruses and worms now receive less attention from attackers. Attackers do not want to erase data or take control of the system; they slowly steal data.

• What are the key elements of a policy?

Purpose - State the purpose of the policy in a straightforward way:
• the organization's security functions
• protect efficient business operation
• facilitate sharing of information
• safeguard business and personal information
• ensure accurate information
• comply with applicable laws and regulations

Scope - To whom the policy applies and in what circumstances.

Policy statements - State the main facts of the policy in an unambiguous and concise way. Example:
• Individual user passwords should be changed every 90 days.
• Maintain a record of privileges allocated.
• Users should allocate resources based on legitimate needs.
• Version number and change record - Indicate the up-to-date status of the policy.
• Terms and definitions - Necessary to present the context of the policy in a specific manner.
• Approval of the policy.

• Compare ISSP and SysSP.

Every organization's ISSP has three characteristics:
- Addresses specific technology-based systems
- Requires frequent updates
- Contains an issue statement on the organization's position on an issue

Policy types
- Statement of Purpose
- Scope and Applicability
- Definition of Technology Addressed
- Responsibilities

• Authorized Access and Usage of Equipment
- User Access
- Fair and Responsible Use
- Protection of Privacy
• Prohibited Usage of Equipment
- Disruptive Use or Misuse
- Criminal Use
- Offensive or Harassing Materials
- Copyrighted, Licensed or other Intellectual Property
- Other Restrictions

SysSPs can be separated into:
• Management guidance
• Technical specifications
- These may be combined in a single policy document

Each type of equipment has its own type of policies.

Two general methods of implementing such technical controls:
- Access control lists
• Include user access lists and capability tables that govern rights, privileges and frequency
• Can control access to file storage systems, object brokers or other network communication devices
• ACLs enable administrators to restrict access according to user, computer, time, duration, etc.
- Configuration rules
• Specific configuration codes entered into security systems to guide execution of the system when information passes through it
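As an added illustration of the "restrict by user, computer, time, duration" point above (example code, not part of the tutorial notes; all users, groups, hosts, resources and ACL entries are constructed sample data), a default-deny capability table evaluated in Python:

```python
"""ACL check restricting access by user, computer, time of day and session duration.

Added example, not from the tutorial notes. Every subject, host, resource and
entry below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class AclEntry:
    subject: str                              # user or group name
    actions: set                              # rights granted, e.g. {"read", "write"}
    hosts: set = field(default_factory=set)   # permitted source computers; empty = any host
    window: tuple = None                      # (start, end) time of day; None = any time
    max_minutes: int = None                   # longest permitted session; None = unlimited


# Constructed capability table: resource -> entries. Anything not listed is denied.
ACL = {
    "/finance/ledger.db": [
        AclEntry("alice", {"read", "write"}, {"ws-fin-01"}, (time(8, 0), time(18, 0)), 120),
        AclEntry("auditors", {"read"}, set(), (time(8, 0), time(18, 0)), 60),
    ],
    "/public/handbook.pdf": [AclEntry("everyone", {"read"})],
}

# Constructed group membership used to expand a user into the subjects it matches.
GROUPS = {"alice": {"everyone"}, "bob": {"auditors", "everyone"}, "mallory": {"everyone"}}


def check_access(acl, user, host, resource, action, when: datetime, minutes):
    """Return (allowed, reason). Access is granted only if one entry satisfies
    every condition (subject, action, host, time window, duration); otherwise deny."""
    subjects = {user} | GROUPS.get(user, set())
    reason = "no entry for this subject"
    for entry in acl.get(resource, []):
        if entry.subject not in subjects:
            continue
        if action not in entry.actions:
            reason = f"action {action!r} not granted to {entry.subject}"
            continue
        if entry.hosts and host not in entry.hosts:
            reason = f"host {host!r} not permitted for {entry.subject}"
            continue
        if entry.window and not (entry.window[0] <= when.time() <= entry.window[1]):
            reason = f"outside permitted time window for {entry.subject}"
            continue
        if entry.max_minutes is not None and minutes > entry.max_minutes:
            reason = f"session of {minutes} min exceeds limit for {entry.subject}"
            continue
        return True, f"granted by entry for {entry.subject}"
    return False, f"denied: {reason}"
```

Every condition in an entry must hold for it to grant access, and an entry that does not match simply falls through to the next one, so the table stays default-deny.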
  63.  
• Is it measurable?
No, because passwords can be made and saved onto the system, but if they are lost or get into the wrong hands that is not the user's fault, so it is not measurable.

• Is it achievable?
Yes, because this can be monitored and blocks can be put in place to prevent private use of the internet.


Exercise
Task 1
Look at the Facebook data use policy:
https://en-gb.facebook.com/about/privacy/your-info
Look at the following sections:
• Things you do and information you provide.
• Things others do and information they provide.
• Your networks and connections.
• Device information.
• How can I manage or delete information about me?

Is this policy specific, precise, achievable and timely? Identify the key points to justify your view.

Task 2
A typical e-mail policy is given by the SANS Institute:
http://www.sans.org/security-resources/policies/general#email-policy

Use this template to develop an access control policy using the following sections:

1. Purpose
2. Scope
3. Policy
3.1
3.2
3.3
3.4............
4. Enforcement
5. Definitions
6. Revision History
7. Related documents