- CN5210
- Tutorial 15
- Review
- What are the information security challenges?
  - Inconsistent enforcement of policies: many organizations either have not enforced their policies in the past or have not done so consistently.
  - IT does not know and control all devices: personal mobile devices are used in the workplace. What happens when you need to audit such a device?
  - Blurring of internal versus external: the perimeter of the network has been pushed out by extranets, partners and employee VPNs.
  - Covert attacks are no longer obvious: typical attacks such as viruses and worms now receive less attention from attackers. Attackers do not want to erase the data or take control of the system; they slowly steal data.
- What are the key elements of a policy?
  - Purpose: state the purpose of the policy in a straightforward way, for example:
    - the organization's security functions
    - protect efficient business operation
    - facilitate the sharing of information
    - safeguard business and personal information
    - ensure accurate information
    - comply with applicable laws and regulations
  - Scope: to whom the policy applies and in what circumstances.
  - Policy statements: state the main facts of the policy in an unambiguous and concise way. Example: individual user passwords should be changed every 90 days; maintain a record of privileges allocated; users should be allocated resources based on legitimate needs.
  - Version number and change record: indicate the up-to-date status of the policy.
  - Terms and definitions: necessary to present the context of the policy in a specific manner.
  - Approval of the policy.
- Compare ISSP and SysSP.
  - Every organization's ISSP has three characteristics: it addresses specific technology-based systems; it requires frequent updates; it contains an issue statement on the organization's position on an issue.
  - Policy types:
    - Statement of Purpose
      - Scope and Applicability
      - Definition of Technology Addressed
      - Responsibilities
    - Authorized Access and Usage of Equipment
      - User Access
      - Fair and Responsible Use
      - Protection of Privacy
    - Prohibited Usage of Equipment
      - Disruptive Use or Misuse
      - Criminal Use
      - Offensive or Harassing Materials
      - Copyrighted, Licensed or other Intellectual Property
      - Other Restrictions
  - SysSPs can be separated into:
    - Management guidance
    - Technical specifications
    - The two may be combined in a single policy document.
  - Each type of equipment has its own type of policies.
  - Two general methods of implementing such technical controls:
    - Access control lists
      - Include user access lists and capability tables that govern rights, privileges and frequency of access.
      - Can control access to file storage systems, object brokers or other network communication devices.
      - ACLs enable administrators to restrict access according to user, computer, time, duration, etc.
    - Configuration rules
      - Specific configuration codes entered into security systems to guide execution of the system when information is passing through it.
- Is it measurable?
  - No, because passwords can be made and saved onto the system, but if they are lost or get into the wrong hands that is not the user's fault, so it is not measurable.
- Is it achievable?
  - Yes, because this can be monitored and blocks can be put in place to prevent private use of the internet.
- Exercise
- Task 1
  - Look at the Facebook data use policy:
  - https://en-gb.facebook.com/about/privacy/your-info
  - Look at the following sections:
    - Things you do and information you provide.
    - Things others do and information they provide.
    - Your networks and connections.
    - Device information.
    - How can I manage or delete information about me?
  - Is this policy specific, precise, achievable and timely? Identify the key points that justify your view.
- Task 2
  - A typical e-mail policy is given by the SANS Institute:
  - http://www.sans.org/security-resources/policies/general#email-policy
  - Use this template to develop an access control policy with the following sections:
    1. Purpose
    2. Scope
    3. Policy
       3.1
       3.2
       3.3
       3.4 ............
    4. Enforcement
    5. Definitions
    6. Revision History
    7. Related documents